--On December 27, 2005 10:39:38 AM -0500 Jason Frisvold <xenophage0@gmail.com> wrote:
On 12/27/05, Marshall Eubanks <tme@multicasttech.com> wrote:
There was a lot of discussion about this in the music / technology / legal community at the time of the Sony root exploit CD's - which I and others thought fully opened Sony for liability for 2nd party attacks. (I.e., if a hacker uses the Sony root kit to exploit your machine, then Sony is probably liable, regardless of the EULA. They put it in there; they made the attack possible.) IANAL, but I believe that if a vendor has even a partial liability, they can be liable for the whole.
But, what constitutes an exploit severe enough to warrant liability of this type? For instance, let's look at some scripts ... formmail is a perfect example. First, there was no "real" EULA. I'm definitely not a lawyer, but I would think that would open up the writer to all sorts of liability... Anyways, the script was, obviously, flawed. Spammers took notice and used that script to spam all over the place. This hurt the hoster of the script, the people who were spammed, and probably the ISPs that wasted the bandwidth carrying the spam.
It's not just about the severity of the exploit. What did you pay for formmail? Did the author have a "duty to care"? If money did not change hands, then, liability becomes much more difficult unless you can show gross negligence. Further, since formmail is provided in source form, the server owner could have fully evaluated it for vulnerability prior to deploying it. Thus, even if there is some liability, it primarily falls to the person/organization who placed the script in use on the server, not the author.
So, should the writer of the script be sued for this? Is he liable for damages? If that's the case, then I'm gonna hang up my programming hat and go hide in a closet somewhere. I'm far from perfect and, while I'm relatively sure there are none, exploitable bugs *might* exist in my software. Or, perhaps, the exploit exists in a library I used. I've written a lot of PHP code, perhaps PHP has the flaw.. Am I still liable, or is PHP now liable?
Again, it all boils down to whether money changed hands or not. If you didn't get paid for your script, you probably aren't liable. Since PHP is free (and there's not really a legal entity to sue for it anyway), PHP probably isn't liable.
This has scary consequences if it becomes a blanket argument. Alternatively, if the programmer is made aware of the problem and does nothing, then perhaps they should be held accountable. But, then, what happens to "old" software that is no longer maintained?
Look at it another way... If the software is open source, then, there is no requirement for the author to maintain it as any end user has all the tools necessary to develop and deploy a fix. In the case of closed software, liability may be the only tool society has to protect itself from the negligence of the author(s). What is the liability situation for, say, a Model T car if it runs over someone? Can Ford still be held liable if the accident turns out to be caused by a known design flaw in the car? (I don't know the answer, but, I suspect that it would be the same for "old" software).
I suspect that eventually EULA's will prove to be weak reeds, in much the same way that manufacturers may be liable when bad things happen, even if the product is being grossly misused. My intuition says that unfortunately somebody is going to have to die to establish this, as part of a wrongful death suit. With the explosion in VOIP use, this is probably only a matter of time.
Personally, I feel that if a person "grossly misuses" a product and is hurt as a result, they deserve it. Within some acceptable reason, of course. One expects that if you place a cup of coffee in your lap, that you just purchased, I might add, that it may burn you if it spills. Or, if you puncture a can of hair spray near an open fire, you may experience a slight burning sensation a few seconds later.
The first one here is not your best choice of examples. It turns out that in that suit, McDonalds was violating ANSI/ISO standards and handing out liquids that were hotter than the industry considers "safe". There is a major difference in the level of injury that occurs above a certain temperature (I think it's 180F if memory serves), and, their coffee was shown to be well above that. They had been repeatedly informed of this problem prior to the incident and had refused to do anything about it. Yes, you expect to get burned, and, if you keep the coffee below a serving temperature of 180F, then, there's no liability. However, serving it above 180F is not "reasonable and prudent" and that is why the jury found for the plaintiff. In general, if the gross act of stupidity was reasonably foreseeable, the manufacturer has a "duty to care" to make some attempt to mitigate or prevent the customer from taking such action. That's why toasters all come with warnings about unplugging them before you stick a fork in them. That's why every piece of electronic equipment says "No user serviceable parts inside" and "Warning risk of electric shock".
People, use your brains. Next we'll have someone suing craftsman when they chop their leg off because there was no label on the saw that said "don't place running saw in lap" ... Come on, how stupid can you be? I apparently wouldn't make a good judge because I'd laugh most of these cases right out of the courtroom! Reasonable precaution should be expected of all people.
Actually, there are several such warnings on saws for just that reason, so, that is history, not prediction. The letter of the law does expect the plaintiff to have been reasonable and prudent. Judges are not really the problem here. Unfortunately, our cultural tendency to feel for the underdog leads to a jury pool that often doesn't see "An idiot who chopped off his leg by sticking the saw in his lap vs. a company that builds nice saws." They see "The poor defenseless carpenter vs. the evil giant corporation profiting from his misery." They feel for the carpenter and the only option they have to help him is to take money from the corporation.

Owen

--
If it wasn't crypto-signed, it probably didn't come from me.