| |
| META TOPICPARENT | name="FirstPaper%25" |
|---|
Making Microsoft Pay for Windows' Shoddy Security |
| | The natural place to look for a remedy when commercial software fails to live up to the security and reliability expectations of its users is contract law. Not surprisingly, the EULA for Windows Vista (typical of such EULAs) disclaims liability for "consequential, lost profits, special, indirect or incidental damages" as well as liability caused by "the acts of others." Given that this is a mass-market form contract and that Microsoft enjoys a somewhat dominant position in the operating system market, there's a plausible argument that these clauses are procedurally unconscionabl; a contract of adhesion--see Comb v. PayPal Inc. for analogous circumstances. Of course, substantial unconscionability will be harder to establish. |
|
<
< | And there's another problem: unconscionably necessitates a case-by-case inquiry, informed by the particular circumstances of the complainant. This will complicate the class-certification process. Worse, it will introduce a heavy dose of uncertainty into the question of liability. Even if a court is willing to find unconscionability and rewrite the contract ex post, what sort of warranties will judges create? Limited warranties whose existence and content is subject to judicial discretion might not be strong enough an incentive to trigger the significant overhaul in security practices that is needed. |
>
> | And substantial unconscionability is really the problem: it necessitates a case-by-case inquiry, informed by the particular circumstances of the complainant. This will complicate the class-certification process. Worse, it will introduce a heavy dose of uncertainty into the question of liability. Even if a court is willing to find unconscionability and rewrite the contract ex post, what sort of warranties will judges create? Limited warranties whose existence and content is subject to judicial discretion might not be strong enough an incentive to trigger the significant overhaul in security practices that is needed. |
| | Tort Law to the Rescue?
Tort liability is a better avenue for forcing software companies to absorb the costs of the security vulnerabilities in their products. Malware, after all, exploits design flaws and shoddy programming and quality assurance practices during the software development cycle. The EULA's damages limitations would fall out of the picture, since tort liability can't be contractually disclaimed. However, for a tort claim to succeed, whether sounding in negligence or for design defect, one would have to show that Microsoft could be handling Windows' security vulnerabilities in a better way, and that tort law is the appropriate mechanism for distributing the costs of malware among the various parties involved.
Negligence/Defective Design |
|
<
< | Both the negligence and the defective design risk-utility inquiries seek to balance the effectiveness of whatever other precautions the manufacturer could have taken against the costs and disadvantages of those precautions. Microsoft can substantially reduce the security danger Windows-based computers pose to the network ecosystem without any significant investment by making its source code available and permitting users to write and distribute their own patches. More eyes would be available to spot vulnerabilities, and unofficial patches would decrease the response time for known issues, especially when dealing low-priority fixes that affect only a fraction of users. Microsoft isn't in the business of providing security fixes, and copyright law would still protect its operating system from outright copying or derivation even if the source code is released. And while hackers might have an easier time exploiting vulnerabilities with access to the source code, years of experience with FOSS software in the e-commerce realm suggests that the benefits of openness outweigh its downsides. |
>
> | Both the negligence and the defective design risk-utility inquiries seek to balance the effectiveness of whatever other precautions the manufacturer could have taken against the costs and disadvantages of those precautions. Microsoft can substantially reduce the security danger Windows-based computers pose to the network ecosystem without any significant investment by making its source code available and permitting users to write and distribute their own patches. More eyes would be available to spot vulnerabilities, and peer review of design decisions involving security compromises often produces more elegant alternative solutions. Unofficial patches would decrease the response time for known issues, especially when dealing low-priority fixes that affect only a fraction of users. |
| | |
|
<
< | Getting Past the Economic Loss Rule
Thus, we have a straightforward argument that Microsoft's anti-malware measures are negligent. But the economic injury rule might still bar recovery. As the theory goes, malware-related losses are purely economical, the result of dissapointed consumer expectations about the reliability and security of the software they run. And since consumer expectations are the core concern of contract law, tort should be kept out of it; the parties can allocate the risks of security-related software failure among themselves. |
>
> | Years of experience with FOSS software in the e-commerce realm suggests that the benefits of openness outweigh its downsides. Secrecy is not much of an obstacle for hackers who can repeatedly probe a networked machine for vulnerabilities, but it does slow down coordinated response to vulnerabilities once discovered. Ultimately, Microsoft isn't in the business of providing security fixes; copyright law would still protect its operating system from outright copying or derivation even if the source code is released. |
| | |
|
<
< | There may be merits to such an approach where privity exists between the software vendor and the person suffering the economic loss. But vulnerabilities in Windows machines are used to create botnets, and the spam and denial-of-service attacks these botnets generate burden all networked users. Tort law is meant to deal exactly with this sort of situation where the transaction costs of allocating risk ex-anti among all affected parties are too high. |
>
> | Getting Past the Economic Loss Rule
Establishing negligent security practices is not enough; the economic injury rule might still bar recovery. As the theory goes, malware-related losses are purely economical, the result of dissapointed consumer expectations about the reliability and security of the software they run. And since consumer expectations are the core concern of contract law, tort should be kept out of it; the parties can allocate the risks of security-related software failure among themselves. All true--but only where privity exists between the software vendor and the person suffering the economic loss. Spam and denial-of-service attacks, however, are a burden on all networked users. Tort law is meant to deal exactly with this sort of situation where the transaction costs of allocating risk ex-anti among all affected parties are too high. |
| | Many states recognize an exception to the economic loss rule where a product causes damage to property other then itself. This exception can be stretched to cover malware by borrowing the definition of damages used in the context of electronic trespass to chattels, where cases like Ebay, Inc. v. Bidder's Edge, Inc. treat unauthorized deprivation of network bandwith and processing time as an actionable harm to property.
Conclusion |
|
<
< | The point of all of this isn't to give Microsoft its just deserts. If a lawsuit succeeds in forcing them to internalize some of the costs of combatting malware, those costs will only be passed on to the consumer. While this result would be desirable if the higher cost of windows products led to greater adoption of free software, such market correction is improbable. Most consumers are not aware of the true cost of a Windows license because the cost is folded into the price of new hardware. Hopefully, however, a credible threat of class action litigation will convince proprietary software companies to abandon attempts at security through obscurity in favor of making their source code available (and, even better, licensing their users to patch security vulnerabilities themselves on a limited non-commercial basis). Adopting such a practice would make a big difference in the long run towards securing both the network and the devices attached to it. It would ensure that the knowledge embodied in the source code is available to any mind curious enough to learn it, and that the inner workings of the technology responsible for controlling greater and greater portions of our lives stay transparent. |
>
> | The point of all of this isn't to give Microsoft its just deserts. If a lawsuit succeeds in forcing them to internalize some of the costs of combating malware, those costs will only be passed on to the consumer. A higher price for Windows might encourage free software adoption, but I suspect the effect will be marginal; most consumers are not aware of the true cost of a Windows license because the cost is folded into the price of new hardware. Hopefully, however, a credible threat of class action litigation will convince more software vendors to abandon attempts at security through obscurity, and to democratize the patching of vulnerabilities. Holding software vendors liable for negligent security practices should go a long way towards securing both the network and the devices attached to it. It may also ensure that the knowledge embodied in the source code is available to any mind curious enough to learn it, and that the inner workings of the technology regulating greater and greater portions of our lives remain transparent. |
| | |