North American Network Operators Group

Re: product liability (was: Virus Update)

  • From: Daniel Senie
  • Date: Tue May 09 16:59:34 2000

Stephen Kowalchuk wrote:
> 
> Greetings,
> 
> > As such, I would argue that M$ release of a product with such widely known
> > exploitable vulnerabilities into the market including customers of any
> > given relay service entity may, indeed, create standing for that service
> > entity to sue M$ on the basis of costs incurred due to M$ negligence and
> > negligent business practices.
> >
> > Owen
> 
> While this is true, license agreements for most software products indicate that
> the product is expressly sold "as-is", and that you agree explicitly that the
> manufacturer is not responsible.  This would most likely kill any product
> liability lawsuits, especially because the product performs to specification.

I think you, and several others, are missing one key point. One class of
injured party, namely the ISPs who had to deal with servers overloaded by
the created spam, never bought the Microsoft software, nor are they (in
most cases, I suspect) using ANYTHING written by Microsoft in the course of
providing services to clients.

With that in mind, the ISPs are not party to the "as-is" license. The ISPs
could sue their own customers for using Microsoft software which contains
dangerous features and defaults, or they might be able to sue Microsoft for
releasing software damaging to the Internet infrastructure.

> 
> Trying to sue Microsoft for producing software with varying levels of security
> (defaulted to the lowest security level) is like trying to sue an automobile
> manufacturer because their cars are easy to steal.  While it may be possible to
> seek damages under lemon laws, if the car performs as specified there is little
> one can say except "damn, that's a stupid way to build a car..."

Actually, I think it's a lot like the States suing the tobacco companies for
producing a product which creates high Medicaid bills. If Microsoft was aware
of the potential for damage, and did nothing, and the ISPs suffered as a result,
they're not unlike the States who had to pick up the tab for someone else's use
of a dangerous product.

> 
> I think the best way to stop the poor security in MS products is to vote with
> your wallet.  I'll grant that sometimes this is impractical, but it is IMHO the
> only way to guide any software manufacturer to the features and functionalities
> that consumers truly need.  The only problem with this logic is that Microsoft
> still has a long list of ill-informed and poorly-educated consumers to chew on
> before they run out of steam.

The ISPs could, I suppose, block all POP and SMTP traffic from Outlook Express clients,
and block all web requests from Internet Explorer. Neither is really practical. How
else do you propose ISPs vote with their wallets?

-- 
-----------------------------------------------------------------
Daniel Senie                                        [email protected]
Amaranth Networks Inc.                    http://www.amaranth.com