Jason Frisvold wrote:
On 12/27/05, Marshall Eubanks <tme@multicasttech.com> wrote:
There was a lot of discussion about this in the music / technology / legal community at the time of the Sony root exploit CDs - which I and others thought fully opened Sony for liability for 2nd party attacks. (I.e., if a hacker uses the Sony root kit to exploit your machine, then Sony is probably liable, regardless of the EULA. They put it in there; they made the attack possible.) IANAL, but I believe that if a vendor has even a partial liability, they can be liable for the whole.
But, what constitutes an exploit severe enough to warrant liability of this type? For instance, let's look at some scripts ... formmail is a perfect example. First, there was no "real" EULA. I'm definitely not a lawyer, but I would think that would open up the writer to all sorts of liability... Anyways, the script was, obviously, flawed. Spammers took notice and used that script to spam all over the place. This hurt the hoster of the script, the people who were spammed, and probably the ISPs that wasted the bandwidth carrying the spam.
So, should the writer of the script be sued for this? Is he liable for damages?
I am not a lawyer, but I believe there is a significant difference in the liability that ensues from knowingly selling a defective product, and from giving something away for free. Matt gave away FormMail for free. When Matt wrote FormMail open relays were common on the internet. His Perl scripts were similar in security and utility to other software at the time. Once it became known how this type of software could be abused, *then* he had an obligation (moral obligation if not strictly legal obligation) to stop distributing the old insecure scripts, which is what he did. (Researching FormMail history, I found a page that suggested fixing the FormMail problem by replacing the FormMail scripts with PHP scripts. :-)
Personally, I feel that if a person "grossly misuses" a product and is hurt as a result, they deserve it. Within some acceptable reason, of course. One expects that if you place a cup of coffee in your lap, that you just purchased, I might add, that it may burn you if it spills.
If you tell someone "be careful, that coffee is hot and may burn you" most people will equate "burn" with "might cause some temporary pain or perhaps a minor blister" and not with "I will spend 2 weeks in the hospital with 3rd degree burns and require skin grafts and have over $20k in medical bills". Stella assumed the coffee she was served was at a normal hot coffee temperature, hot enough to perhaps hurt a bit if spilled but NOT so hot as to cause severe and disfiguring burns.

See: <http://www.lectlaw.com/files/cur78.htm>

<quote>
McDonalds also said during discovery that, based on a consultant's advice, it held its coffee at between 180 and 190 degrees Fahrenheit to maintain optimum taste. He admitted that he had not evaluated the safety ramifications at this temperature. Other establishments sell coffee at substantially lower temperatures, and coffee served at home is generally 135 to 140 degrees.
</quote>

McDonalds intentionally served the coffee hotter than was safe, hotter than was safe for *drinking* (the purpose of the product) and ignored the dangers this presented and the prior cases of damage it caused.

Back to the topic of computers and software that damages other computers over the network: Most people expect that their operating system and browser will work securely, not that it will let intruders steal their data, compromise their privacy, and inflict damage on others. Just as McDonalds was held liable for repeatedly intentionally selling coffee they knew was being served too hot and capable of causing much greater harm than the buyer was aware of, IMHO so should a software company be held liable for repeatedly knowingly selling defective software, especially when that software causes damage to 3rd parties who have not agreed to the EULA.

jc