Computers, Privacy & the Constitution

Making Microsoft Pay for Windows' Shoddy Security

-- By AndreiVoinigescu - 07 Apr 2009

Introduction

Conficker was hypothesized by some as the progenitor of a cyber-9/11. The worm, which targets vulnerabilities in the network code of all versions of Microsoft Windows in common use, has managed to infect at least nine million computers worldwide, including government and military networks. It has created a vast network of zombie machines--a botnet--which awaits instructions from the worm's creator. Like all botnets, it could be used to generate spam messages, to overload websites and networked services in denial-of-service attacks, and to fetch sensitive data from the infected machines.

Lost productivity caused by malware and the costs of anti-malware measures is in the billions, and rising. Cellphone companies and governmental agencies who favor a move towards walled private networks with built-in layers for perfect identification, surveillance and enforcement have seized upon the cost of malware as part of their rhetoric. If a cyber-9/11 really does come to pass, it probably won't take long for legislation eliminating the last vestiges of network openness and anonymity to be pushed through.

But class action litigation could provide an alternative; a way to force software vendors to internalize more of the costs of malware prevention and cleanup, to steal the walled network movement's thunder. The vast majority of malware is written to exploit vulnerabilities in Microsoft code, bugs that often are not easy for outsiders to discover, and only Microsoft can patch. Could an enterprising plaintiff's lawyer make Microsoft pay? We need a legal theory for liability strong enough to stimulate salutatory changes in the software ecosystem but narrow enough not to impose blanket liability for security vulnerabilities on every programmer who publicly releases code.

Seeking a Remedy in Contract Law

The natural place to look for a remedy when commercial software fails to live up to the security and reliability expectations of its users is contract law. Not surprisingly, the EULA for Windows Vista (typical of such EULAs) disclaims liability for "consequential, lost profits, special, indirect or incidental damages" as well as liability caused by "the acts of others." Given that this is a mass-market form contract and that Microsoft enjoys a somewhat dominant position in the operating system market, there's a plausible argument that these clauses are procedurally unconscionabl; a contract of adhesion--see Comb v. PayPal Inc. for analogous circumstances. Of course, substantial unconscionability will be harder to establish.

And substantial unconscionability is really the problem: it necessitates a case-by-case inquiry, informed by the particular circumstances of the complainant. This will complicate the class-certification process. Worse, it will introduce a heavy dose of uncertainty into the question of liability. Even if a court is willing to find unconscionability and rewrite the contract ex post, what sort of warranties will judges create? Limited warranties whose existence and content is subject to judicial discretion might not be strong enough an incentive to trigger the significant overhaul in security practices that is needed.

Tort Law to the Rescue?

Tort liability is a better avenue for forcing software companies to absorb the costs of the security vulnerabilities in their products. Malware, after all, exploits design flaws and shoddy programming and quality assurance practices during the software development cycle. The EULA's damages limitations would fall out of the picture, since tort liability can't be contractually disclaimed. However, for a tort claim to succeed, whether sounding in negligence or for design defect, one would have to show that Microsoft could be handling Windows' security vulnerabilities in a better way, and that tort law is the appropriate mechanism for distributing the costs of malware among the various parties involved.

Negligence/Defective Design

Both the negligence and the defective design risk-utility inquiries seek to balance the effectiveness of whatever other precautions the manufacturer could have taken against the costs and disadvantages of those precautions. Microsoft can substantially reduce the security danger Windows-based computers pose to the network ecosystem without any significant investment by making its source code available and permitting users to write and distribute their own patches. More eyes would be available to spot vulnerabilities, and peer review of design decisions involving security compromises often produces more elegant alternative solutions. Unofficial patches would decrease the response time for known issues, especially when dealing low-priority fixes that affect only a fraction of users.

Years of experience with FOSS software in the e-commerce realm suggests that the benefits of openness outweigh its downsides. Secrecy is not much of an obstacle for hackers who can repeatedly probe a networked machine for vulnerabilities, but it does slow down coordinated response to vulnerabilities once discovered. Ultimately, Microsoft isn't in the business of providing security fixes; copyright law would still protect its operating system from outright copying or derivation even if the source code is released.

Getting Past the Economic Loss Rule

Establishing negligent security practices is not enough; the economic injury rule might still bar recovery. As the theory goes, malware-related losses are purely economical, the result of dissapointed consumer expectations about the reliability and security of the software they run. And since consumer expectations are the core concern of contract law, tort should be kept out of it; the parties can allocate the risks of security-related software failure among themselves. All true--but only where privity exists between the software vendor and the person suffering the economic loss. Spam and denial-of-service attacks, however, are a burden on all networked users. Tort law is meant to deal exactly with this sort of situation where the transaction costs of allocating risk ex-anti among all affected parties are too high.

Many states recognize an exception to the economic loss rule where a product causes damage to property other then itself. This exception can be stretched to cover malware by borrowing the definition of damages used in the context of electronic trespass to chattels, where cases like Ebay, Inc. v. Bidder's Edge, Inc. treat unauthorized deprivation of network bandwith and processing time as an actionable harm to property.

Conclusion

The point of all of this isn't to give Microsoft its just deserts. If a lawsuit succeeds in forcing them to internalize some of the costs of combating malware, those costs will only be passed on to the consumer. A higher price for Windows might encourage free software adoption, but I suspect the effect will be marginal; most consumers are not aware of the true cost of a Windows license because the cost is folded into the price of new hardware. Hopefully, however, a credible threat of class action litigation will convince more software vendors to abandon attempts at security through obscurity, and to democratize the patching of vulnerabilities. Holding software vendors liable for negligent security practices should go a long way towards securing both the network and the devices attached to it. It may also ensure that the knowledge embodied in the source code is available to any mind curious enough to learn it, and that the inner workings of the technology regulating greater and greater portions of our lives remain transparent.

 

Navigation

Webs Webs

r9 - 10 Apr 2009 - 20:39:52 - AndreiVoinigescu
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM