Making Microsoft Pay for Windows' Shoddy Security

-- By AndreiVoinigescu - 07 Apr 2009

Introduction

Conficker is the latest in a series of malware exploiting security vulnerabilities in the Windows operating system and other commonly-used Microsoft software. The 'worm' has managed to infect at least nine million computers worldwide, including government and military networks. It has created a vast network of zombie machines--a botnet--which awaits instructions from the worm's creator. Like all botnets, it could be used to generate spam messages, to overload websites and networked services in denial-of-service attacks, and to fetch sensitive data from the infected machines. Given its unprecedented spread, the Conficker botnet might even be able to orchestrate the internet equivalent of the 9/11 or Pearl Harbor attacks.

Lost productivity caused by malware and the costs of anti-malware measures is in the billions, and rising. Cellphone companies and governmental agencies who favor a move towards walled private networks with built-in layers for perfect identification, surveillance and enforcement have seized upon the cost of malware as part of their rhetoric. If a cyber-9/11 really does come to pass, it probably won't take long for legislation eliminating the last vestiges of network openness and anonymity to be pushed through.

But class action litigation could provide an alternative; a way to force software vendors to internalize more of the costs of malware prevention and cleanup, to steal the walled network movement's thunder. The vast majority of malware is written to exploit vulnerabilities in Microsoft code, bugs that often are not easy for outsiders to discover, and only Microsoft can patch. Could an enterprising plaintiff's lawyer make Microsoft pay? We need a legal theory for liability strong enough to stimulate salutatory changes in the software ecosystem but narrow enough not to impose blanket liability for security vulnerabilities on every programmer who publicly releases code.

Seeking a Remedy in Contract Law

The natural place to look for a remedy when commercial software fails to live up to the security and reliability expectations of its users is contract law. Not surprisingly, the EULA for Windows Vista (typical of such EULAs) disclaims liability for "consequential, lost profits, special, indirect or incidental damages" as well as liability caused by "the acts of others." Given that this is a mass-market form contract and that Microsoft enjoys a somewhat dominant position in the operating system market, there's a plausible argument that these clauses are procedurally unconscionabl; a contract of adhesion--see Comb v. PayPal Inc. for analogous circumstances. Of course, substantial unconscionability will be harder to establish.

And substantial unconscionability is really the problem: it necessitates a case-by-case inquiry, informed by the particular circumstances of the complainant. This will complicate the class-certification process. Worse, it will introduce a heavy dose of uncertainty into the question of liability. Even if a court is willing to find unconscionability and rewrite the contract ex post, what sort of warranties will judges create? Limited warranties whose existence and content is subject to judicial discretion might not be strong enough an incentive to trigger the significant overhaul in security practices that is needed.

Tort Law to the Rescue?

Tort liability is a better avenue for forcing software companies to absorb the costs of the security vulnerabilities in their products. Malware, after all, exploits design flaws and shoddy programming and quality assurance practices during the software development cycle. The EULA's damages limitations would fall out of the picture, since tort liability can't be contractually disclaimed. However, for a tort claim to succeed, whether sounding in negligence or for design defect, one would have to show that Microsoft could be handling Windows' security vulnerabilities in a better way, and that tort law is the appropriate mechanism for distributing the costs of malware among the various parties involved.

Negligence/Defective Design

Both the negligence and the defective design risk-utility inquiries seek to balance the effectiveness of whatever other precautions the manufacturer could have taken against the costs and disadvantages of those precautions. Microsoft can substantially reduce the security danger Windows-based computers pose to the network ecosystem without any significant investment by making its source code available and permitting users to write and distribute their own patches. More eyes would be available to spot vulnerabilities, and peer review of design decisions involving security compromises often produces more elegant alternative solutions. Unofficial patches would decrease the response time for known issues, especially when dealing low-priority fixes that affect only a fraction of users.

Years of experience with FOSS software in the e-commerce realm suggests that the benefits of openness outweigh its downsides. Secrecy is not much of an obstacle for hackers who can repeatedly probe a networked machine for vulnerabilities, but it does slow down coordinated response to vulnerabilities once discovered. Ultimately, Microsoft isn't in the business of providing security fixes; copyright law would still protect its operating system from outright copying or derivation even if the source code is released.

Getting Past the Economic Loss Rule

Establishing negligent security practices is not enough; the economic injury rule might still bar recovery. As the theory goes, malware-related losses are purely economical, the result of dissapointed consumer expectations about the reliability and security of the software they run. And since consumer expectations are the core concern of contract law, tort should be kept out of it; the parties can allocate the risks of security-related software failure among themselves. All true--but only where privity exists between the software vendor and the person suffering the economic loss. Spam and denial-of-service attacks, however, are a burden on all networked users. Tort law is meant to deal exactly with this sort of situation where the transaction costs of allocating risk ex-anti among all affected parties are too high.

Many states recognize an exception to the economic loss rule where a product causes damage to property other then itself. This exception can be stretched to cover malware by borrowing the definition of damages used in the context of electronic trespass to chattels, where cases like Ebay, Inc. v. Bidder's Edge, Inc. treat unauthorized deprivation of network bandwith and processing time as an actionable harm to property.

Conclusion

The point of all of this isn't to give Microsoft its just deserts. If a lawsuit succeeds in forcing them to internalize some of the costs of combating malware, those costs will only be passed on to the consumer. A higher price for Windows might encourage free software adoption, but I suspect the effect will be marginal; most consumers are not aware of the true cost of a Windows license because the cost is folded into the price of new hardware. Hopefully, however, a credible threat of class action litigation will convince more software vendors to abandon attempts at security through obscurity, and to democratize the patching of vulnerabilities. Holding software vendors liable for negligent security practices should go a long way towards securing both the network and the devices attached to it. It may also ensure that the knowledge embodied in the source code is available to any mind curious enough to learn it, and that the inner workings of the technology regulating greater and greater portions of our lives remain transparent.

---

Perhaps a minor first point, but I think linking to a blog that makes fun of the Conficker "threat" is hardly the way to establish that it is in fact a threat.

For substance, I'm curious as to how you would respond to the argument that when Windows is used "as directed," namely with Windows Defender active, Auto-updates, third-party virus scan, Windows Firewall, and User Account Control ... that the threat of virus / spyware infection is quite minimal. (Indeed, in Vista various warnings will now be provided if these systems are disabled, thus reducing the mystery behind keeping one's system safe, though earlier versions did not have such warning)

It seems, to me at least, that smart computing has a large effect on whether a PC is able to avoid being turned into a zombie, either by running recommended security measures (as listed above), or by not running random .exe files sent by strangers, with the subject line "ILOVEYOU."

-- JonathanBonilla - 11 Apr 2009

Jonathan -- good point about the link. I had linked Wired blog as shorthand to aggregate a number of different articles about the Conficker worm, but I can see how it undercuts my argument. On further consideration, I've revised that paragraph.

Your raise two interesting substantive points, both arguments which Microsoft would probably seize upon if sued. I will concede that 'smart computing' reduces the risk from malware substantially. As may warnings -- though I would argue that the over-reliance on warning dialogs in Vista is actually detrimental to security, since the annoyance factor convinces many users to just turn the warnings off or subconsciously ignore them.

Can Microsoft discharge its duty of care/design responsibilities with warnings and partial fixes? I would argue that it can't, though I think this is an unsettled area of tort law. But it seems to me that claiming 'my product is pretty safe, and in any case, I warn users of the danger' shouldn't be enough when you can take additional precautions that have a favorable cost:benefit ratio.

After Microsoft patched some of the NetBIOS? vulnerabilities the Conficker worm was using to spread, the worm modified its behavior to take spread via USB drives. Windows sets the autorun on by default for USB drives, though users can disable it manually. Changing the default to off seems like the kind of design decision that would increase security at minimal cost. Should Microsoft be able to ignore changes like that by merely warning users about the danger of autorun?

-- AndreiVoinigescu - 14 Apr 2009

• As a lawyer for people who make software, I'm not sure why I want compulsory warranties. As you make clear yourself, the task of security-testing and patch distribution can be a third-party service generating value and therefore compelling payment, for FOSS. Third-party warranties are worth allowing for, in a market where no vendor warrants mass-market software with respect to security. Imposing warranties on a market that uniformly shuns them is likely to have some pretty substantial side-effects, which you don't make any attempt to estimate or allow for.

• From Microsoft's point of view, requiring publication of Windows source code would be to take the predominant part of the product's value. That's obviously excessive even in relation to the harm done, unless you have somehow decided that software unlike everything else should be sold on terms that prohibit limitation of liability for consequential economic harms, which is an eye-popping act of legal discrimination against software industries. This is about Adobe, too, after all, and--in light, for example, of the OpenSSL fiasco over at Debian--about us.

• At the end of the day, it seems to me, you are making an antitrust complaint: MS as monopolist has produced low-quality goods, and has deprived the consumer at every turn of the opportunity to use interoperable software of higher quality that MS could find any way, fair or foul, to drive out of the market. Now you are trying to impose liability for the resulting low security of the network on MS. I'm not sure why you aren't also trying to impose the lost worktime costs, global warming costs, the landfill costs, and many other costs arising from the poor performance, instability, bloat, unnecessary hardware obsolescence and other similarly expensive and disgraceful features of monopoly software. Maybe you too over-emphasize the whole cyberwar schtick?

• From my point of view, the question of policy should be made on the assumption that the Free World, not MS, will be the dominant supplier of software at the end of the next decade. The solution is not tort liability for economic harms arising from security breaches, but a system of scecurity laboratories funded as all educational activity is funded and as commercial activities are funded, all providing patches to the copyleft commons, thus ensuring rapid and effective immunological adaptation. Getting there is not about making and destroying tort rules to distort the market against MS, but rather about urging people to replace insecure software, like MS products, with securer software, made by freedom.