
Should Microsoft Be Fined? 2


PCLine

Technical User
Jan 13, 2003
108
GB
So Micro$oft have done it again ~ they have got a product that someone has been able to hack.


With 200 million passport accounts having been vulnerable for the past 7 months and a potentional $11,000 dollar fine for each security lapse ~ has the world gone mad to rely on the security of Micro$oft $oftware ~ has Micro$oft gone mad to think they can ever be secure?

Legally, Micro$oft may be held to account. But should they be ethically held to account for someone "cracking" their security if it is shown that they had or have done everything they could to ensure the security of that product? Or is it the mere fact that they release a "secure" product that makes them "ethically" liable for subsequent security breaches?

All the best.
 
*potential

Also, why is it that spelling mistakes never jump out at you until after you send the message :~/
 
Since Microsoft agreed to take reasonable steps to protect Passport accounts, and agreed to pay fines if it failed, then there certainly is potentially a case. The issue though, is whether "failing in its duty" means a failure to protect the accounts, or a failure to take reasonable steps to protect the accounts. And if MS were found to be guilty, would it be considered one lapse that affected x number of accounts, or x number of lapses? Obviously this becomes an interpretation of legalese in the agreement, the exact wording of which I don't have.

I think it would be far more effective, and just, if the individuals whose accounts were hacked were to pursue civil litigation for damages against Microsoft. This type of action would make Microsoft liable (if successfully proven) to the people. The people speak with a much louder voice than does any government.

I'd like to see civil action pursued, if for no other reason, than to begin to address the jurisdictional issues. If someone's account in Norway or Japan is affected, then which court has jurisdiction, and who has the binding force over the judgement?

Good Luck
--------------
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein
 
Thanks CajunCenturion for the quick response.

Your answer brings another question to mind. Is it ethical to allow a company as large as MS or any other company for that matter to escape State or other (appropriate) Institution's sanctions for their failings and palm it off to individuals to pursue civil claims? That does limit the potential for sanctions more (at least in the UK) than perhaps it does in the US. Are we playing into the hands of big business by saying to the "little man" come after "me" if you can?

All the best.
 
It looks to me like Mi¢ro$oft failed in its duty to protect Passport accounts. Thus it is probably liable for damages to customers. This is actually a separate matter from any fines imposed by the FTC.

But CajunCenturion is right -- the sticky wicket is figuring out which court system would have authority.

<sarcasm>
<imitation of Mr. Rogers' voice>
Can you say "open Pandora's box"? Sure...I knew you could.
</imitation>
</sarcasm>

Want the best answers? Ask the best questions: TANSTAAFL!
 
I don't think the two are mutually exclusive. The people are free to pursue civil action as the State is free to pursue its own legal recourse. There is no reason that both cannot happen.

I also think there are probably too many attorneys who would drool at the thought of leading a class action suit against Microsoft with potentially millions of plaintiffs to represent.

As far as the limiting of sanctions, the interesting question would be under whose rules (UK [or wherever] for the plaintiff or USA [or wherever] for the defendant) would the civil action be conducted. To me that's a very important legal question yet to be answered.

To be honest, and not to be taken as a defense of Microsoft, one has to question whether you can hold Microsoft responsible. The hacker, not MS, is the one who actually committed the crime. We don't (at least not yet) hold the gun manufacturer responsible when someone commits an armed robbery, or the auto manufacturer liable for the drunk driver. This then leads to the legal question, can Microsoft be found guilty of culpatory negligence due to product defect?

Before we jump to say categorically "yes", let's consider the legal precedent that would be set. In so many words, "The Software Manufacturer can be held legally liable if a bug in their software can be exploited for criminal gain". To all of us programmers out there, who write software for a living - how would you feel about living with the legal hammer over your head that if a bug, any bug, in your code could be exploited by some criminal, that you could be held legally responsible? I think we need to be very very careful before we set that precedent.

Good Luck
--------------
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein
 
The comparison of the current Mi¢ro$oft/Passport debacle to the liability issues of gun manufacturers is a flawed analogy.

Guns are specifically designed to kill things -- it is, after all, their primary purpose. If a person is killed with one, the manufacturer has actually created a correctly-functioning product.

In the case of Passport, the problem exists because the product did not function correctly.

Want the best answers? Ask the best questions: TANSTAAFL!
 
That's true, guns are designed to kill things, but not designed and manufactured for the purposes of committing a crime. But you are correct in that the use of the gun for a crime is not dependent on a product defect. And that is a fundamental difference I agree.

So does that imply that if a software product is misused (hacked) in the commission of a crime, and that misuse is through the exploitation of a software defect (bug), that the software manufacturer can be held criminally liable for culpatory negligence? I can certainly accept that civil recourse is plausible, but criminal?

If a bank's ATM malfunctions, and because of that malfunction, people steal money, can the ATM manufacturer be held criminally culpable for the theft?

Good Luck
--------------
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein
 
in one answer: no.

remember, if it can be built, it can be taken apart.

the issue here would be to invite (and even challenge) people to hack microsoft or any other company's software. if microsoft is held liable for their product, say...hotmail, to be 100% crack-proof, then if it does get hacked they would be liable for any damages that arise for the breach of security. given this example, those who are up for the challenge would constantly be trying to crack the code. that wouldn't be fair to microsoft.

same issue with cd's/dvd's/etc...the record companies shouldn't be trying to sue the people that download songs and/or crack codes to copy movies...by your argument, the artists in fact should sue the record companies for not ensuring their works are 100% secure. if someone can create software to 'open' the code for copying, shouldn't it be on the recording company? and then the recording company would in turn sue the manufacturer of the cd/dvd, and the "passing the buck" shell game ensues...

but i do agree that there should be some assurance of security with privacy on the internet...but again, if it can be built, it can be taken apart.

- g
 
spewn:
There is a difference between a product that makes no claims as to its security (a CD) versus a product that specifically exists to secure information (Passport).

A defective CD is an unplayable CD. If you get one of those, then the manufacturer is ultimately responsible for its replacement. Though this does not happen often any more, when CDs first came out it was not uncommon to buy one that no player could read. This is particularly interesting in modern times. Manufacturers have produced disks with copy-protection schemes installed that prevent users from legitimately playing the disk.


CajunCenturion:
Not criminal, unless the action of the software publisher is sufficiently egregious (documented defects went uncorrected, new software is sold with old existing defects in place, etc.) [Does this sound like any software vendor we know?]

If an ATM had an enormous, exploitable security hole, yes, the manufacturer should be held liable.

There have been problems with security of ATMs. One of the first installed in Zurich [or was it Vienna? anyway...] was installed in a bank branch on the rail line of part of the city's electric tram system. The hot line above the street had a junction at the corner that caused the overhead commutator to spark when it went past the bank. Every time a tram sparked, the ATM spit out money.

There were also some early ATMs in the New York area that required you to explicitly log out of the ATM after it returned your card. Thieves were exploiting this to steal money from customers' accounts.

Unfortunately, I don't know if the manufacturer was ever held liable in either case.


Want the best answers? Ask the best questions: TANSTAAFL!
 
If we begin holding software companies liable for defects, free offerings (hotmail, etc) will dry up because they won't be worth the risk, and software prices will skyrocket to cover the liability insurance.

I don't think it's worth it.
 
Not necessarily. I, for one, am not proposing that we all start suing for every little thing that we find wrong in our copies of OmniDocument. [There's no product by that name, right?]

But I do think a software developer should be held liable if defects prevent his software from fulfilling its primary purpose. In the specific example of this thread, the software flaws of Passport prevented it from performing its stated purpose: securing the digital information about a person.


Want the best answers? Ask the best questions: TANSTAAFL!
 
Do we then begin holding deadbolt manufacturers liable if somebody picks their locks or pries a door open with a crowbar?

I think it sets a dangerous precedent.
 
There is a difference between "liable" and "criminal". Liable by definition is a civil issue. "Criminal" means that you could go to jail, or in some cases (murder), you could get the chair.

Also "liable" means you are responsible for the damages, that's all. (although there are punitive damages, which is another story altogether). I could produce and distribute a defective product, but if the fact that it was defective did not cost you anything, you would have no civil case against me - my liability would be zero.

For example, if Bill Gates walks up to you and rips your shirt, and a homeless bum does the same, the damages are IDENTICAL. They are both liable to repair or replace the shirt (again I am putting punitive damages aside here).

Fines, which are typically imposed by governmental agencies under the guise of spreading the money to the "victims" are a whole different ball game. If I produced and distributed the same defective product, and it was contrary to some law or regulation, I can be fined, even if there are no real civil damages, as in it did not cost you any money.



Software Sales, Training, Implementation and Support for Exact Macola, eSynergy, and Crystal Reports
dgilsdorf@trianglepartners.com
 
Here's a better analogy:

If you buy an alarm for your home, and the door and windows are protected.

Is the alarm liable if someone discovers a way in?
Say they bypass the windows and doors and cut through the roof.
Is that something they should have thought of and be liable for? Even if they think beforehand that someone can cut a hole in the roof and come in, should they still be liable? Or will they not be liable if they give you the disclaimer, "Our alarm system will give you security, provided no one cuts through the roof or digs in from the foundation"?

Is anything 100% secure? Would it pass the "reasonable man" test?
 
Actually, on this particular bug, the better analogy seems to be... if the alarm company forgot a window.

The hack into this system was scarily simple.

-Rob
 
Listen to Korngeek. The point about hotmail is that I don't have to pay one penny to use it. No one in their right mind will ever provide a free service of any sort if they run the risk of being sued by unhappy users.
And who pays the fine anyway? Anything that costs microsoft, costs microsoft customers, and that means me and you.
Yes, we all love to see the mighty brought low, but is this really such a good thing?
 