North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Compromised machines liable for damage?

  • From: Steven M. Bellovin
  • Date: Tue Dec 27 08:05:01 2005

In message <[email protected]n.c
om>, "Hannigan, Martin" writes:

>In the general sense, possibly, but where there are lawyers there is =
>always discoragement.
>Suing people with no money is easy, but it does stop them from =
>contributing in most cases. There are always a few who like getting =
>sued. RIAA has shown companies will widescale sue so your argument is =
>suspect, IMO..

I've spent a *lot* of time talking to lawyers about this.  In fact, a few 
years ago I (together with an attorney I know) tried to organize a "moot
court" liability trial of a major vendor for a security flaw.  (It 
ended up being a conference on the issue.)

The reason there have not been any lawsuits against vendors is because 
of license agreements -- every software license I've ever read, 
including the GPL, disclaims all warranties, liability, etc.  It's not 
clear to me that that would stand up with a consumer plaintiff, as opposed
to a business; that hasn't been litigated.  I tried to get around that 
problem for the moot court by looking at third parties who were injured 
by a problem in a software package they hadn't licensed -- think 
Slammer, for example, which took out the Internet for everyone.

The issue of liability based on operational practices is untested.  As 
I concluded in that book chapter from 1994, I (and the attorneys who 
helped me (a lot) with it) felt that there may very well be cause for a 
lawsuit.  However, to the best of my knowledge there have been no court 
rulings on this issue.  Unless and until that happens, we're just 
guessing.  I'll give two short quotes that illustrate why I'm concerned.
This one is from a standard textbook on tort law:

        The standard of conduct imposed by the law is an external one,  
        based upon what society demands generally of its members,
        rather than upon the actor's personal morality or individual  
        sense of right and wrong.  A failure to conform to the standard
        is negligence, therefore, even if it is due to clumsiness,
        stupidity, forgetfulness, an excitable temperament, or even
        sheer ignorance.  An honest blunder, or a mistaken belief that 
        no damage will result, may absolve the actor from moral blame,
        but the harm to others is still as great, and the actor's
        individual standards must give way in this area of the law to
        those of the public.  In other words, society may require of a
        person not to be awkward or a fool.

The second, a quote from a 1932 (U.S.) Court of Appeals opinion, was 
for a case where some barges sank because the tugboat pulling them had 
no radio receivers, and hence didn't know the weather forecast:

	Indeed in most cases reasonable prudence is in face common 
	prudence; but strictly it is never its measure; a whole 
	calling may have unduly lagged in the adoption of new and available 
	devices.  It may never set its own tests, however persuasive be its 
	usages.  Courts must in the end say what is required; there are 
	precautions so imperative that even their universal disregard will 
	not excuse their omission. ...  But here there was no custom at all 
	as to receiving sets; some had them, some did not; the most that 
	can be urged is that they had not yet become general.  
	Certainly in such a case we need not pause; when some have thought
	a device necessary, at least we may say that they were 
	right, and the others too slack.  
	We hold [against] the tugs therefore because [if] they had been 
	properly equipped, they would have got the Arlington [weather]
	reports.  The injury was a direct consequence of this 

Again, though, this has never been litigated for ISP-type issues.