A legal fix for software flaws?

Software vendors are largely protected from product defect claims. But the latest round of virus attacks has critics calling for new liability laws.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
7 min read
Thomas Leavitt, a system administrator and veteran of three Silicon Valley start-ups, has dealt with computer worms and viruses before.

But the severity of last week's Sobig.F and MSBlast.D attacks got him thinking harder than ever about a cure. Finding and punishing their anonymous authors would be a start. But shouldn't Microsoft also be partly to blame?

"Civil engineers very rarely make a mistake, and when they do it's a career-ending one," Leavitt said. "The software we're using at this point has the potential to create damage as bad or worse."

Microsoft's security failings may draw repeated beatings in the court of public opinion, but they will likely never be tested in a court of law unless current product liability statutes are rewritten, legal experts agree.

Problems with physical products routinely yield multimillion-dollar verdicts and settlements in litigation-happy America. But software vendors are largely protected from product defect claims thanks to unusual exemptions enshrined in typical software licenses--boilerplate known in the industry as End User License Agreements (EULAs) or "shrink-wrap" licenses, so called because they're often printed inside the shrink-wrapped box containing the product or incorporated into the software itself.

These agreements normally take effect as a condition of installing software, and they ordinarily require customers to waive their right to sue over alleged defects. Such EULAs have been repeatedly upheld by the courts.

"Unless someone is injured or dies, it is almost impossible to successfully sue a software publisher for defective software," said Cem Kaner, an attorney and professor of computer science at the Florida Institute of Technology. "The serious proposals to change software law have primarily been to reduce software vendors' liability even further. The most recent battles involve embedded software. You might soon discover that when you buy a car, the body is covered by one set of laws but the software that controls your brakes, fuel injectors, etc., is covered by a different set of laws that are more manufacturer friendly."

Microsoft's security practices have been in the spotlight before over alleged lapses, but the astonishing speed with which Sobig.F and MSBlast.D overwhelmed corporate networks has put the finest point on the problem in years.

A plague of viruses
Computer Economics, a research company based in Carlsbad, Calif., predicted that some 75 new computer viruses will be identified this month, including MSBLast.D and Sobig.F. The company put the cost of computer attacks in August 2003 at about $2 billion. That's a record pace, the company reported, although well below the damage estimated from 2000's Lovebug virus, the worst in history with an estimated $8 billion in damage from lost productivity and system restoration costs.

Microsoft's security problems were further underscored last week when the software giant revealed additional vulnerabilities in Internet Explorer and Windows, reminded users of a patch to fix a vulnerability disclosed last month that was used by MSBlast.D, and suggested that it may make security patches install automatically in the future.

Microsoft did not respond to phone calls seeking comment.

Liability exemptions for software vendors have survived despite persistent bugs and increasingly severe consequences. A programmer's decision not to restrict zeros from acceptable input disabled the U.S. Navy's USS Yorktown, a missile cruiser, in 1997. A nuclear power plant in Ohio was hit in January by the Slammer worm, although the attack reportedly posed no safety hazard, as the plant had already been shut down. And the New York Times was hard hit by last week's batch of malicious code.

Such repeated failures are leading some irked security experts to press for changes in software liability law to better motivate companies to fix buggy and insecure code.

"If the laws got changed that forced software makers to be held liable--criminally, civilly, financially--for their products, we'd see a marked increase in product quality, security and stability," said Richard Forno, an author and security consultant. "The EULA is the slickest 'Get out of jail free card' I can think of in recent years."

MSBlast.D takes advantage of a critical security hole that could allow an attacker to take control of computers running any version of Windows except Windows ME. A group of Polish hackers and independent security consultants known as the Last Stage of Delirium discovered the flaw and worked with Microsoft to fix it. Microsoft issued a patch to plug the vulnerability in July, but many users failed to install it, leading the software giant to suggest that it may resort to automatic software updates in the future.

When software goes bad
Programmers tend to defend the current state of affairs by saying that security is a very difficult problem to solve. Most programming languages were designed with speed, not security, in mind. They also argue that programming is a difficult task to begin with. Current software is brittle and runs into problems if it encounters even one error. In addition, software engineering is a young discipline compared with traditional forms of engineering.

But critics say its time to stop coddling software companies and create real incentives for improvement.

"Unfortunately, the only way to effect change in the software makers' philosophy to business is to hit them where it hurts, namely, in the pocketbook," Forno said. "All it takes is a few large (customers) to say 'enough is enough' and move to an alternative operating environment, and it'll be all the incentive Microsoft needs to revamp its products quickly and effectively."

The Florida Institute of Technology's Kaner, who has written a book titled "Bad Software: What To Do When Software Fails," said that he favors new laws that would take moderate steps, such as requiring companies to disclose known defects in their products and telling potential customers what might trigger the problems.

When dealing with monopolistic companies such as Microsoft, Kaner said, stricter laws may be necessary: "The problem is more difficult in monopoly markets because disclosure can't create a competitive impact. The monopolist might release a product with appalling defects, but if the customer has no other vendor to go to, there's not much pressure on the monopolist to make it better."

New laws
Such changes would require a major overhaul of current software liability statutes and case law, which provide general immunity for technology vendors accused of selling defective products.

In a 1994 case brought against IBM, the Transport Corporation of America sued over a disk drive failure that cost it an estimated $473,079 in business interruptions. The 8th U.S. Circuit Court of Appeals sided with the computer company, saying "IBM properly disclaimed implied warranties" in the contract that its customers signed. The same federal court said a year later, in a second case, Rockport Pharmacy v. Digital Simplistics, that a Kansas company that sold software to pharmacies was not liable for programming problems. The judges rejected claims for breach of contract and negligence.

EULAs remain somewhat controversial among individual end users, but judges tend to view them as legitimate agreements that are just as valid as any other form of a contract. Probably the most influential case has been ProCD v. Zeidenberg, in which the 7th U.S. Circuit Court of Appeals in 1996 upheld a "shrink-wrap" agreement.

Written by the noted jurist Frank Easterbrook, the opinion said: "ProCD proposed a contract that a buyer would accept by using the software after having an opportunity to read the license at leisure. This Zeidenberg did. He had no choice, because the software splashed the license on the screen and would not let him proceed without indicating acceptance."

While no law prohibits a software vendor from drafting a EULA that permits customers to seek damages through the courts, nearly all such agreements tend to immunize the company instead.

R. Polk Wagner, an assistant professor at the University of Pennsylvania Law School, said "in theory there might be liability for these sorts of serious deficiencies, especially if Microsoft knew or should have known about them prior to the release of the relevant software product." But in practice, he added, "this is one of the features of shrink-wrap licensing: software companies can and do generally disclaim all such liability. And at least for now, courts seem willing to uphold these contracts."

Proposed changes to software liability laws have pushed to expand, rather than pull back, liability protection. One legislative proposal called the Uniform Computer Information Transactions Act (UCITA) would eliminate any remaining doubts about the validity of shrink-wrap agreements by explicitly allowing software publishers to sell their products 'as is' and to disclaim liability for defects. But it has stalled in state legislatures.

Of course, Congress could always veer in the opposite direction and curb the scope of shrink-wrap agreements. But one probable consequence of changing the law would be an increase in the cost of software: Firms would have to spend more money testing their products, or spend more money purchasing liability insurance, or both.

Sonia Arrison, a technology policy analyst at the free-market Pacific Research Institute in San Francisco, says one reason the current state of the law is reasonable is that "software is inherently different from (physical products such as) tires since it's more difficult to know beforehand what vulnerabilities will occur."

Even some victims of serious software failures remain skeptical of new laws that would open up software vendors to civil judgments.

Leavitt, the system administrator with the clogged in-box, says he's leery of asking Congress or state legislatures to intervene despite headaches caused by last week's attacks.

"As a legal solution, it's probably likely to create as much of a mess as anything it would fix," Leavitt said. "I'm a little bit nervous about letting the Congress loose and letting them define the liabilities. I have some doubts about their competence in such matters."