North American Network Operators Group
Re: Compromised machines liable for damage?
Jason Frisvold wrote:
I am not a lawyer, but I believe there is a significant difference in the liability that ensues from knowingly selling a defective product, and from giving something away for free. Matt gave away FormMail for free. When Matt wrote FormMail open relays were common on the internet. His Perl scripts were similar in security and utility to other software at the time. Once it became known how this type of software could be abused, *then* he had an obligation (moral obligation if not strictly legal obligation) to stop distributing the old insecure scripts, which is what he did.
On 12/27/05, Marshall Eubanks <[email protected]> wrote:
But, what constitutes an exploit severe enough to warrant liability of
There was a lot of discussion about this in the music / technology / legal community at the time of the Sony root exploit CD's - which I and others thought fully opened Sony for liability for 2nd party attacks. (I.e., if a hacker uses the Sony root kit to exploit your machine, then Sony is probably liable, regardless of the EULA. They put it in there; they made the attack possible.) IANAL, but I believe that if a vendor has even a partial liability, they can be liable for the whole.
(Researching FormMail history, I found a page that suggested fixing the FormMail problem by replacing the FormMail scripts with PhP scripts. :-)
Personally, I feel that if a person "grossly misuses" a product and is
If you tell someone "be careful, that coffee is hot and may burn you" most people will equate "burn" with "might cause some temporary pain or perhaps a minor blister" and not with "I will spend 2 weeks in the hospital with 3rd degree burns and require skin grafts and have over $20k in medical bills". Stella assumed the coffee she was served was at a normal hot coffee temperature, hot enough to perhaps hurt a bit if spilled but NOT so hot as to cause severe and disfiguring burns. See:
McDonalds also said during discovery that, based on a consultant's
advice, it held its coffee at between 180 and 190 degrees Fahrenheit to
maintain optimum taste. He admitted that he had not evaluated the
safety ramifications at this temperature. Other establishments sell
coffee at substantially lower temperatures, and coffee served at home is
generally 135 to 140 degrees."
McDonalds intentionally served the coffee hotter than was safe, hotter than was safe for *drinking* (the purpose of the product) and ignored the dangers this presented and the prior cases of damage it caused.
Back to the topic of computers and software that damages other computers over the network:
Most people expect that their operating system and browser will work securely, not that it will let intruders steal their data, compromise their privacy, and inflict damage on others. Just as McDonalds was held liable for repeatedly intentionally selling coffee they knew was being served too hot and capable of causing much greater harm than the buyer was aware of, IMHO so should a software company be held liable for repeatedly knowingly selling defective software, especially when that software causes damage to 3rd parties who have not agreed to the EULA.