On 12/27/05, Marshall Eubanks <tme@multicasttech.com> wrote:
There was a lot of discussion about this in the music / technology / legal community at the time of the Sony root exploit CD's - which I and others thought fully opened Sony for liability for 2nd party attacks. (I.e., if a hacker uses the Sony root kit to exploit your machine, then Sony is probably liable, regardless of the EULA. They put it in there; they made the attack possible.) IANAL, but I believe that if a vendor has even a partial liability, they can be liable for the whole.
But, what constitutes an exploit severe enough to warrant liability of this type? For instance, let's look at some scripts ... formmail is a perfect example. First, there was no "real" EULA. I'm definitely not a laywer, but I would think that would open up the writer to all sorts of liability... Anyways, the script was, obviously, flawed. Spammers took notice and used that script to spam all over the place. This hurt the hoster of the script, the people who were spammed, and probably the ISPs that wasted the bandwidth carrying the spam. So, should the writer of the script be sued for this? Is he liable for damages? If that's the case, then I'm gonna hang up my programming hat and go hide in a closet somewhere. I'm far from perfect and, while I'm relatively sure there are none, exploitable bugs *might* exist in my software. Or, perhaps, the exploit exists in a library I used. I've written a lot of PHP code, perhaps PHP has the flaw.. Am I still liable, or is PHP now liable? This has scary consequences if it becomes a blanket argument. Alternatively, if the programmer is made aware of the problem and does nothing, then perhaps they should be held accountable. But, then, what happens to "old" software that is no longer maintained?
I suspect that eventually EULA's will prove to be weak reeds, in much the same way that manufacturers may be liable when bad things happen, even if the product is being grossly misused. My intuition says that unfortunately somebody is going to have to die to establish this, as part of a wrongful death suit. With the explosion in VOIP use, this is probably only a matter of time.
Personally, I feel that is a person "grossly misuses" a product and is hurt as a result, they deserve it. Within some acceptable reason, of course. One expects that if you place a cup of coffee in your lap, that you just purchased, I might add, that it may burn you if it spills. Or, if you puncture a can of hair spray near an open fire, you may experience a slight burning sensation a few seconds later. People, use your brains. Next we'll have someone suing craftsman when they chop their leg off because there was no label on the saw that said "don't place running saw in lap" ... Come on, how stupid can you be? I apparently wouldn't make a good judge because I'd laugh most of these cases right out of the courtroom! Reasonable precaution should be expected of all people.
Regards Marshall Eubanks
-- Jason 'XenoPhage' Frisvold XenoPhage0@gmail.com