Microsoft security suit raises thorny questions

A lawsuit faulting Microsoft for security defects in its products has added a new front in the software giant's battle against vulnerabilities in its software.

The proposed class-action suit, filed this week in Los Angeles Superior Court, comes as the company is admitting that its reliance on software patches for fixing security problems hasn't worked. The suit contends that by failing to secure its software, Microsoft subjected its customers to having their private data made public. The lawsuit was filed on behalf of Marcy Hamilton, a Los Angeles resident, who claims a flaw allowed a digital thief to steal her personal information.

Microsoft said Friday that it plans to fight the action on several legal grounds, noting that it has invested considerable resources in responding to problems and trying to prevent future vulnerabilities.

"It is pretty clear that Microsoft has made security a priority," said company spokesman Sean Sundwall.

However, those efforts have failed to stop a rash of recent attacks, with the company itself set to announce next week a revised strategy that moves beyond the notion that customers will take responsibility for patching their own systems.

On the legal front, Microsoft's first step will be to fight the effort to have the case certified as a class-action suit. The company is expected to point out that not everyone hit by hackers has been affected in the same way--a pretty good argument, according to one legal expert, who wished to remain anonymous.

"Each person is going to be vastly differently affected by the theft of personal information," said the lawyer, who regularly fights such class-action suits.

Microsoft is also taking issue with the notion that it is liable for the actions of hackers, saying the company has taken reasonable steps to secure its software. In January 2001, Microsoft kicked off its Trustworthy Computing Initiative, a companywide move to increase the security of its products, better handle customer privacy, and repair the giant's tarnished image in those areas. Next week, Microsoft also intends to announce new plans for helping users of its products more easily secure their systems.

From a legal standpoint, the lawsuit raises a number of key issues, including whether Microsoft faces special obligations because of its monopoly position in the operating systems market.

Historically, courts have upheld software makers' right to subject customers to license agreements that waive the right to sue over defects. One law professor recently said that unless someone is killed or injured, it is basically impossible to win a case against a software publisher.

No choice and no rights?
But those bringing the suit argue that Microsoft may not enjoy the same right to make such a restrictive contract, since consumers have limited choices when it comes to choosing the operating system for their PC.

"If you had 20 vendors of a product, and there was broad consumer and business choice, and people could evaluate them on their merit, that would be one factual setting," said Dana Taschner, the Newport Beach, Calif., attorney who filed the case against Microsoft. "Instead, you have one company that is dominating the marketplace to such an extent that you really have no choice."

Taschner argues that customers should not be forced to give up their rights by a monopolist.

"The majority of consumers use this product (Windows), but the contract provides that there are no warranties or promises, essentially it's 'buyer beware,'" Taschner said.

Microsoft dismissed the issues, saying that its license agreement is typical of software makers, and furthermore, that it is those that write viruses, not legitimate software makers, that are liable for any damage.

"We do have a responsibility to make software as secure as possible," Sundwall said. But "the problems caused by viruses...are the result of criminal attacks," he said

Still, Microsoft can't completely dodge the responsibility for the insecurity of the omnipresent Windows PC, said Bruce Schneier, CTO of Counterpane Internet Security.

"To me it is clear that Microsoft doesn't bear 100 percent of the responsibility for worms and viruses," Schneier said, "but they aren't zero percent" responsible either. Schneier is one of seven well-known security professionals who authored a report arguing that Microsoft's dominance endangers national security. Several arguments in the suit against the software giant mirror those in the security report.

Sundwall declined to say whether the report was responsible for the suit.

"I can't comment to the motives of the people who wrote the report," Sundwall said. The suit "certainly appears to mirror that paper," he said.

The suit also represents an important test for a new California law that requires e-commerce companies to warn consumers when their personal information may have been stolen.

"It's a fairly new law," Sundwall said. "Ultimately these things have to be court tested."

Taschner said that his suit stemmed from a person who came to his office saying her identity had been stolen as a result of a recent virus.

"Garden-variety consumers are not aware of the catastrophic consequences of being attacked," Taschner said. "We thought this was the appropriate time to present this type of issue, because there is a noted escalation of these types of problems."