Computers, Privacy & the Constitution

AndreiVoinigescuFirstPaper 8 - 10 Apr 2009 - Main.AndreiVoinigescu
Line: 1 to 1
 

Making Microsoft Pay for Windows' Shoddy Security

Line: 7 to 7
 

Introduction

Changed:
<
<
Conficker was hypothesized by some as the progenitor of a cyber-9/11. Since its initial discovery in November, the worm, which targets vulnerabilities in the network code of all versions of Microsoft Windows in common use, has managed to infect at least nine million computers worldwide, including French, British and German military networks. These computers--a vast network of zombie machines, or botnet--await instructions from the worm's creator. Botnets are commonly used to generate spam messages, to overload and thus block access to certain websites or networked services in denial-of-service attacks, or to fetch sensitive data (such as passwords and credit card information) from the machines they infest. The lost productivity caused by malware and the costs of anti-malware measures are staggering, and rising: $13.3 billion in 2006, up from $3.3 billion in 1997. That cost plays an essential part in the rhetoric employed by those who want to chip away at anonymity on the internet: cellphone companies and governmental agencies who favor a move towards walled private networks with built-in layers for perfect identification, surveillance and enforcement. If a cyber-9/11 really does come to pass, it probably won't take long for legislation eliminating the last vestiges of network openness and anonymity to be pushed through.
>
>
Conficker was hypothesized by some as the progenitor of a cyber-9/11. The worm, which targets vulnerabilities in the network code of all versions of Microsoft Windows in common use, has managed to infect at least nine million computers worldwide, including government and military networks. It has created a vast network of zombie machines--a botnet--which awaits instructions from the worm's creator. Like all botnets, it could be used to generate spam messages, to overload websites and networked services in denial-of-service attacks, and to fetch sensitive data from the infected machines.
 
Changed:
<
<
But litigation--class action lawsuits on behalf of the owners of infected computers--could provide an alternative: a way to force Microsoft and other proprietary software companies to internalize more of the costs of malware prevention and cleanup. The vast majority of malware is written to exploit vulnerabilities in Microsoft code, bugs that often are not easy for outsiders to discover, and that only Microsoft can patch. While such an outcome, in Microsoft's case, might be both the most economically efficient result and the most appealing to intrinsic fairness, those seeking to initiate such lawsuits should be cautious. As I outline below, there are several legal hurdles that a class action lawsuit must overcome. The legal theories we adopt in such litigation must be narrow enough that we do not end up imposing blanket liability for security vulnerabilities on every programmer who publicly releases code.
>
>
Lost productivity caused by malware and the costs of anti-malware measures are in the billions, and rising. Cellphone companies and governmental agencies who favor a move towards walled private networks with built-in layers for perfect identification, surveillance and enforcement have seized upon the cost of malware as part of their rhetoric. If a cyber-9/11 really does come to pass, it probably won't take long for legislation eliminating the last vestiges of network openness and anonymity to be pushed through.

But class action litigation could provide an alternative: a way to force software vendors to internalize more of the costs of malware prevention and cleanup, and to steal the walled network movement's thunder. The vast majority of malware is written to exploit vulnerabilities in Microsoft code, bugs that often are not easy for outsiders to discover, and that only Microsoft can patch. Could an enterprising plaintiff's lawyer make Microsoft pay? We need a legal theory of liability strong enough to stimulate salutary changes in the software ecosystem but narrow enough not to impose blanket liability for security vulnerabilities on every programmer who publicly releases code.

 

Seeking a Remedy in Contract Law

Changed:
<
<
The natural place to look for a remedy when commercial software fails to live up to the security and reliability expectations of its users is contract law. Not surprisingly, the EULA for Windows Vista (typical of such EULAs) disclaims liability for "consequential, lost profits, special, indirect or incidental damages" as well as liability caused by "the acts of others." Since the EULA is a form contract and since Microsoft enjoys a somewhat dominant position in the operating system market, there might be a plausible argument that these clauses are procedurally unconscionable as a contract of adhesion (see Comb v. PayPal Inc. for a comparable situation), but substantive unconscionability will be harder to establish. Moreover, a theory of unconscionability necessitates a case-by-case inquiry, informed by the particular circumstances of the complainant. This will complicate the class-certification process. Worse, it will introduce a heavy dose of judicial discretion into the question of liability. Even if a court is willing to find unconscionability and rewrite the contract ex post, what sort of warranties will judges create? Limited warranties contingent on judicial discretion might not be a strong enough incentive to trigger the significant overhaul in security practices that is needed.
>
>
The natural place to look for a remedy when commercial software fails to live up to the security and reliability expectations of its users is contract law. Not surprisingly, the EULA for Windows Vista (typical of such EULAs) disclaims liability for "consequential, lost profits, special, indirect or incidental damages" as well as liability caused by "the acts of others." Given that this is a mass-market form contract and that Microsoft enjoys a somewhat dominant position in the operating system market, there's a plausible argument that these clauses are procedurally unconscionable: a contract of adhesion (see Comb v. PayPal Inc. for analogous circumstances). Of course, substantive unconscionability will be harder to establish.

And there's another problem: unconscionability necessitates a case-by-case inquiry, informed by the particular circumstances of the complainant. This will complicate the class-certification process. Worse, it will introduce a heavy dose of uncertainty into the question of liability. Even if a court is willing to find unconscionability and rewrite the contract ex post, what sort of warranties will judges create? Limited warranties whose existence and content are subject to judicial discretion might not be a strong enough incentive to trigger the significant overhaul in security practices that is needed.

 

Tort Law to the Rescue?


Revision 8r8 - 10 Apr 2009 - 15:44:32 - AndreiVoinigescu
Revision 7r7 - 10 Apr 2009 - 13:43:21 - DanielHarris