> The reason there have not been any lawsuits against vendors is because
> of license agreements -- every software license I've ever read,
> including the GPL, disclaims all warranties, liability, etc. It's not
> clear to me that that would stand up with a consumer plaintiff, as
> opposed to a business; that hasn't been litigated. I tried to get
> around that problem for the moot court by looking at third parties who
> were injured by a problem in a software package they hadn't licensed --
> think Slammer, for example, which took out the Internet for everyone.

Yes, I think this is the only way it will work. Plaintiffs that are not
subject to the EULA will have to sue the manufacturer of vulnerable
software installed on remote systems that attack their site. Otherwise,
the liability waivers they signed make it much harder. Of course,
interestingly, automobile manufacturers cannot get around having to
build cars that meet safety standards regardless of waivers customers
may sign. Perhaps what we need first is a consortium to agree on a set
of standards for software security followed by someone like Ralph Nader
doing the "Unsafe at any clockspeed" campaign.

> The issue of liability based on operational practices is untested. As
> I concluded in that book chapter from 1994, I (and the attorneys who
> helped me (a lot) with it) felt that there may very well be cause for a
> lawsuit. However, to the best of my knowledge there have been no court
> rulings on this issue. Unless and until that happens, we're just
> guessing. I'll give two short quotes that illustrate why I'm concerned.
> This one is from a standard textbook on tort law:

Yep... I think that is true. However, unless and until someone steps up
and actually does it (and frankly, I think the effective strategy here
would be coordinating a large number of injured parties in small offices
and residences to sue in small claims court at roughly the same time),
all we'll be able to do is guess.

>     The standard of conduct imposed by the law is an external one,
>     based upon what society demands generally of its members, rather
>     than upon the actor's personal morality or individual sense of
>     right and wrong. A failure to conform to the standard is
>     negligence, therefore, even if it is due to clumsiness, stupidity,
>     forgetfulness, an excitable temperament, or even sheer ignorance.
>     An honest blunder, or a mistaken belief that no damage will result,
>     may absolve the actor from moral blame, but the harm to others is
>     still as great, and the actor's individual standards must give way
>     in this area of the law to those of the public. In other words,
>     society may require of a person not to be awkward or a fool.

So, does that mean that if most of society is ignorant enough to tolerate
insecure buggy software, we must accept that as the standard for software
performance? That is an unfortunately low barrier indeed for a profession
like software development. In general, professional liability is
different from general civil liability. Once money changes hands, you
have a much greater "duty to care" about the potential harm caused by
your "product" than an individual citizen.

For example, a guy that pours gasoline into his gopher holes and lights
it is an idiot. However, as long as everything he blows up is his own
and he harms no one else, he's still just an idiot, but not liable.
However, if he packages gas cans and matches together and sells them
with instructions as a "Gopher Eradication Kit", he gets to be liable
for the damage to all the houses of all the people dumb enough to use
his product, and any neighbors unfortunate enough to live within the
blast radii.

Let's face it, some software vendors are selling the moral equivalent of
a minivan with no seatbelts and no airbags.

> The second, a quote from a 1932 (U.S.) Court of Appeals opinion, was
> for a case where some barges sank because the tugboat pulling them had
> no radio receivers, and hence didn't know the weather forecast:
>
>     Indeed in most cases reasonable prudence is in fact common
>     prudence; but strictly it is never its measure; a whole calling
>     may have unduly lagged in the adoption of new and available
>     devices. It may never set its own tests, however persuasive be its
>     usages. Courts must in the end say what is required; there are
>     precautions so imperative that even their universal disregard will
>     not excuse their omission. ... But here there was no custom at all
>     as to receiving sets; some had them, some did not; the most that
>     can be urged is that they had not yet become general. Certainly in
>     such a case we need not pause; when some have thought a device
>     necessary, at least we may say that they were right, and the
>     others too slack.
>
>     ...
>
>     We hold [against] the tugs therefore because [if] they had been
>     properly equipped, they would have got the Arlington [weather]
>     reports. The injury was a direct consequence of this
>     unseaworthiness.
>
> Again, though, this has never been litigated for ISP-type issues.

Those will be interesting cases as well if they are ever tested, but I
think they will actually be more complex than injured third parties
suing software VENDORS over vulnerable software which later caused harm.
Again, I think that the David v. Goliath nature of the majority of
injured parties v. software vendors means that a large highly visible
class action or high-profile suit is unlikely to meet with much success.
However, given the relatively low risks associated with filing in small
claims court in most jurisdictions and extremely low filing costs
associated, I think it would be very interesting to see a coordinated
attack of this nature played out in the small claims courts across the
country. Even if the software vendors were able to win each and every
case, the costs of fighting them would be impressive and would send a
pretty clear message that we, as a society, are fed up and won't take it
any more.

Owen