Computers, Privacy & the Constitution

Making Microsoft Pay for Windows' Shoddy Security

-- By AndreiVoinigescu - 07 Apr 2009

Introduction

Conficker was hypothesized by some as the progenitor of a cyber-9/11. Since its initial discovery in November, the worm, which targets vulnerabilities in the network code of all versions of Microsoft Windows in common use, has managed to infect at least nine million computers worldwide, including French, British and German military networks. These computers--a vast network of zombie machines, or botnet--await instructions from the worm's creator. Botnets are commonly used to generate spam messages, to overload and thus block access to certain websites or networked services in denial-of-service attacks, or to fetch sensitive data (such as passwords and credit card information) from the machines they infest. The lost productivity caused by malware and the costs of anti-malware measures is staggering, and rising: $13.3 billion in 2006, up from $3.3 billion in 1997. It plays an essential part in the rhetoric employed by those who want to chip away at anonymity on the internet: cellphone companies and governmental agencies who favor a move towards walled private networks with built-in layers for perfect identification, surveillance and enforcement. If a cyber-9/11 really does come to pass, it probably won't take long for legislation eliminating the last vestiges of network openness and anonymity to be pushed through.

But litigation--class action lawsuits on behalf of the owners of infected computers--could provide an alternative; a way to force Microsoft and other proprietary software companies to internalize more of the costs of malware prevention and cleanup. The vast majority of malware is written to exploit vulnerabilities in Microsoft code, bugs that often are not easy for outsiders to discover, and only Microsoft can patch. While such an outcome, in Microsoft's case, might be both the most economically efficient result and the most appealing to intrinsic fairness, those seeking to initiate such lawsuits should be cautious. As I outline below, there are several legal hurdles that a class action lawsuit must overcome. The legal theories we adopt in such litigation must be narrow enough so that we do not end up imposing blanket liability for security vulnerabilities on every programmer who publicly releases code.

Seeking a Remedy in Contract Law

The natural place to look for a remedy when commercial software fails to live up to the security and reliability expectations of its users is contract law. Not surprisingly, the EULA for Windows Vista (typical of such EULAs) disclaims liability for "consequential, lost profits, special, indirect or incidental damages" as well as liability caused by "the acts of others." Since the EULA is a form contract and since Microsoft enjoys a somewhat dominant position in the operating system market, there might be a plausible argument that these clauses are procedurally unconscionable as a contract of adhesion (see Comb v. PayPal Inc. for a comparable situation), but substantial unconscionability will be harder to establish. But a theory of unconscionably necessitates a case-by-case inquiry, informed by the particular circumstances of the complainant. This will complicate the class-certification process. Worse, it will introduce a heavy dose of judicial discretion into the question of liability. Even if a court is willing to find unconscionability and rewrite the contract ex post, what sort of warranties will judges create? Limited warranties contingent on a judicial discretion might not be strong enough an incentive to trigger the significant overhaul in security practices that is needed.

Tort Law to the Rescue?

Tort liability is a better avenue for forcing software companies to absorb the costs of the security vulnerabilities in their products. Malware, after all, exploits design flaws and shoddy programming and quality assurance practices during the software development cycle. The EULA's damages limitations would fall out of the picture, since tort liability can't be contractually disclaimed. However, for a tort claim to succeed, whether sounding in negligence or for design defect, one would have to show that Microsoft could be handling Windows' security vulnerabilities in a better way, and that tort law is the appropriate mechanism for distributing the costs of malware among the various parties involved.

Negligence/Defective Design

Both the negligence and the defective design risk-utility inquiries seek to balance the effectiveness of whatever other precautions the manufacturer could have taken against the costs and disadvantages of those precautions. Microsoft can substantially reduce the security danger Windows-based computers pose to the network ecosystem without any significant investment by making its source code available and permitting users to write and distribute their own patches. More eyes would be available to spot vulnerabilities, and unofficial patches would decrease the response time for known issues, especially when dealing low-priority fixes that affect only a fraction of users. Microsoft isn't in the business of providing security fixes, and copyright law would still protect its operating system from outright copying or derivation even if the source code is released. And while hackers might have an easier time exploiting vulnerabilities with access to the source code, years of experience with FOSS software in the e-commerce realm suggests that the benefits of openness outweigh its downsides.

Getting Past the Economic Loss Rule

Thus, we have a straightforward argument that Microsoft's anti-malware measures are negligent. But the economic injury rule might still bar recovery. As the theory goes, malware-related losses are purely economical, the result of dissapointed consumer expectations about the reliability and security of the software they run. And since consumer expectations are the core concern of contract law, tort should be kept out of it; the parties can allocate the risks of security-related software failure among themselves.

There may be merits to such an approach where privity exists between the software vendor and the person suffering the economic loss. But vulnerabilities in Windows machines are used to create botnets, and the spam and denial-of-service attacks these botnets generate burden all networked users. Tort law is meant to deal exactly with this sort of situation where the transaction costs of allocating risk ex-anti among all affected parties are too high.

Many states recognize an exception to the economic loss rule where a product causes damage to property other then itself. This exception can be stretched to cover malware by borrowing the definition of damages used in the context of electronic trespass to chattels, where cases like Ebay, Inc. v. Bidder's Edge, Inc. treat unauthorized deprivation of network bandwith and processing time as an actionable harm to property.

Conclusion

The point of all of this isn't to give Microsoft its just deserts. If a lawsuit succeeds in forcing them to internalize some of the costs of combatting malware, those costs will only be passed on to the consumer. While this result would be desirable if the higher cost of windows products led to greater adoption of free software, such market correction is improbable. Most consumers are not aware of the true cost of a Windows license because the cost is folded into the price of new hardware. Hopefully, however, a credible threat of class action litigation will convince proprietary software companies to abandon attempts at security through obscurity in favor of making their source code available (and, even better, licensing their users to patch security vulnerabilities themselves on a limited non-commercial basis). Adopting such a practice would make a big difference in the long run towards securing both the network and the devices attached to it. It would ensure that the knowledge embodied in the source code is available to any mind curious enough to learn it, and that the inner workings of the technology responsible for controlling greater and greater portions of our lives stay transparent.

Navigation

Webs Webs

r6 - 09 Apr 2009 - 21:47:26 - AndreiVoinigescu
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM