Begin forwarded message: From: jean_camp <jean_camp@xxxxxxxxxxx> Date: November 23, 2004 2:47:59 PM EST To: dave@xxxxxxxxxxSubject: Re: [IP] Deworming the Internet -- addressing market failure in computer security
This is not, frankly, good scholarship. The issues addressed here in a cursory way have been addressed in depth in a considerable literature that has been ignored.
The descriptions of possible foundations for torts under California law are informative. In particular the finding that software providers have no duty to provide reliable software is an interesting read. Of course the part that decries the problems with liability all assume that software manufacturers never have a simple duty but rather are immediately hit with strict liability. Burning straw men is fun in the open desert, but more is expected of policy arguments.
For example, the call for bounties is listed as Larry's and not footnoted. That is because the first calls came from outside the legal literature. (Yes, there is a literature not written by lawyers.) Stuart Schechter wrote that up and yes there were Microsoft people who saw his paper well before the bounty was offered. There was even a Boston Globe article that mentions' Stuart's work cited - but not Stuart's work.
As for the market for vulnerabilities, and the related work, there are at least a dozen solid (ignored) works. I particularly recommend the work of Rahul at CMU Heinz or the group at UMD. Instead we get the Detroit News and the Washington Monthly. Despite the fact that Vairan has published explicitly on information security economics, the author found only "Information Rules" . All the economics work, all the theory that would inform this paper remains unaddressed. Three security papers. Pitiful. Why use research when we have USA Today!
Finally, liability is one of the reasons for free software businesses. They give you someone to sue. They make guarantees about the reliability and interoperability of software. They offer branding and trust. Contributions to free software and open code could be covered by good samaritan clauses that hold those who contribute to open source and free software projects for no profit, and perhaps limited to software under some licenses. Of course, the paper has ONE PARAGRAPH on this radical finding, and then notes it only applies "absent safe harbor".
This paper reads as if the author had a conclusion, did some cursory research (I would guess a lexis search on popular press and a legal search) and then used, unread, the references to support the unwarranted conclusion. Even his own words don't support his conclusion - after decrying liability on the basis that it _must_ _mean_ strict liability he effectively proposes, standards for software providers are suggested. Perhaps failure to meet the standards would create - viola- liability!
This is not an academic paper. This is a quotable conclusion in verbose but fruitless search of an intellectual foundation.
-Jean On Nov 21, 2004, at 11:25 AM, David Farber wrote:
Begin forwarded message: From: Douglas Barnes <salguod@xxxxxxxxxxxxxxx> Date: November 20, 2004 10:48:55 AM EST To: dave@xxxxxxxxxxSubject: Deworming the Internet -- addressing market failure in computer securityDave--I thought IP folks might be interested in a paper I've written which is just now available on SSRN. In part it's a response to the periodic calls for"liability" (notably from Bruce Schneier) as a mechanism for solvingcomputer problems. The upshot is that I think Bruce is right that there is a need for a regulatory response, but that extending, say, tort liability tosoftware would be a disaster. In addition to my more complicated law &economics argument for why this is, I point out in passing that ordinary tort liability could crush open source software, which has the potential toact as a positive force in addressing the underlying market failure. Links and abstract below. Comments welcome. Cheers, Douglas Barnes ===========http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID622364_code402123.pdf? abstractid=622364&mirid=1 or http://papers.ssrn.com/abstract=622364 Abstract:Both law enforcement and markets for software standards have failed to solvethe problem of software that is vulnerable to infection bynetwork-transmitted worms. Consequently, regulatory attention should turn to the publishers of worm-vulnerable software. Although ordinary tort liabilityfor software publishers may seem attractive, it would interact in unpredictable ways with the winner-take-all nature of competition among publishers of mass-market, internet-connected software. More tailoredsolutions are called for, including mandatory "bug bounties" for those who find potential vulnerabilities in software, minimum quality standards for software, and, once the underlying market failure is remedied, liability forend users who persist in using worm-vulnerable software. ------------------------------------- You are subscribed as Jean_Camp@xxxxxxxxxxx To manage your subscription, go to http://v2.listbox.com/member/?listname=ipArchives at: http://www.interesting-people.org/archives/interesting-people/
------------------------------------- You are subscribed as roessler@xxxxxxxxxxxxxxxxxx To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/