<<< Date Index >>>     <<< Thread Index >>>

[IP] more on Deworming the Internet -- addressing market failure in computer security





Begin forwarded message:

From: Douglas Barnes <salguod@xxxxxxxxxxxxxxx>
Date: November 23, 2004 9:35:47 PM EST
To: jean_camp@xxxxxxxxxxx
Cc: dave@xxxxxxxxxx
Subject: RE: [IP] more on Deworming the Internet -- addressing market failure in computer security

Prof. Camp,
 
You raise some good points, and I thank you for pointing me in the direction of some sources that I overlooked.  One lesson I've learned from this -- my first foray in publishing an academic article -- is that it would have been very valuable to circulate drafts more widely before publication.  I had some trepidation about that, but clearly it would have been better to get this sort of feedback when there was time to do something about it.  My bad.
 
Before addressing your specific points, I want to establish some context.  Law reviews are student-run publications, and the members of law review write "notes" in their second year of law school (in my case, that was last year) which are finished shortly after spring break, and are selected for publication in the summer.  These notes are written in addition to quite full academic loads and substantial time commitments to the editorial process of the law review. 
  
It's clear from a quick look at some of the sources you mention that, in the process of writing a paper spanning three disciplines, I overlooked some important work which covered some similar ground.  In particular, my command of the economics literature isn't very strong, but will hopefully improve over time (I feel it improving already ...).  My knowledge of the CS literature is slightly better, and I also rely on my personal experience in that area.  But while I seem to have reinvented the wheel in a few places, it still appears to be round.
 
You have a good time with my use of popular news sources, but bear in mind that for my audience -- a broad cross-section of legal practitioners and academics -- one of my primary hurdles was convincing them that this was an interesting and relevant topic.  In other places where I cite popular news sources, I am discussing the existence and nature of popular discussion and debate.  I notice that the Kannan et al. working paper on vulnerabilities, which you allude to and which I should have cited, also makes use of popular media sources for similar purposes.   
  
You also suggest that I came to this project with a conclusion firmly in mind.  Hardly.  I started with the idea of making a call for judicial expansion of tort liability, inspired by popular calls for "liability."  As I worked through the structure of the market in software of the sort afflicted by worms and viruses, I began to realize that any software publisher that tried to compete by building in good security would tend to get crushed, while a less conscientious publisher would be willing to absorb very large amounts of liability in exchange for winning the standards competition.  I also began to worry about the implications for open source software, which, absent a statutory approach, would simply hang over the heads of developers -- while the doctrine evolved, it would be far from clear that judges would come up with a safe harbor for open source software.   Yes, open-source businesses might, in some cases, provide a more attractive target for lawsuits than open-source contributors, but those contributors would still be on the hook.   Although I don't mention this -- and perhaps should have -- it's fairly obvious that a plaintiffs' lawyer might very well decide to go after both the businesses and the contributors. 
  
Another concern I came to see -- and which I express in the paper -- is that the ad-hoc expansion of tort liability would lead to unpredictable standards and damage awards.  Tort law is developed on a state-by-state basis, and the prospect of fifty different standards evolving on the fly would not be a very stable target for those thinking of continuing to develop software.  This is entirely different from the result of a national standards-setting process which -- as I clearly state -- the software industry could and should be involved with developing (as other industries are involved in their own regulation).  Yes, this might bottom out in a form of tailored liability, but more importantly it would allow the kind of ex-ante planning that would enable software publishers to avoid the race to the bottom without creating anything like the same degree of unpredictability.
 
Best regards,
 
Douglas Barnes
 
 
> -----Original Message-----
> From: owner-ip@xxxxxxxxxxxxxx
> [mailto:owner-ip@xxxxxxxxxxxxxx] On Behalf Of David Farber
> Sent: Tuesday, November 23, 2004 4:31 PM
> To: Ip
> Subject: [IP] more on Deworming the Internet -- addressing
> market failure in computer security
>
>
>
>
> Begin forwarded message:
>
> From: jean_camp <jean_camp@xxxxxxxxxxx>
> Date: November 23, 2004 2:47:59 PM EST
> To: dave@xxxxxxxxxx
> Subject: Re: [IP] Deworming the Internet -- addressing market
> failure 
> in computer security
>
> This is not, frankly, good scholarship. The issues addressed
> here in a 
> cursory way have been addressed in depth in a considerable
> literature 
> that has been ignored.
>
> The descriptions of possible foundations for torts under
> California law 
> are informative. In particular the finding that software
> providers have 
> no duty to provide reliable software is an interesting read.
> Of course 
> the part that decries the problems with liability all assume that 
> software manufacturers never have a simple duty but rather are 
> immediately hit with strict liability. Burning straw men is
> fun in the 
> open desert, but more is expected of policy arguments.
>
> For example, the call for bounties is listed as Larry's and not 
> footnoted. That is because the first calls came from outside
> the legal 
> literature. (Yes, there is a literature not written by
> lawyers.) Stuart 
> Schechter wrote that up and yes there were Microsoft people
> who saw his 
> paper well before the bounty was offered. There was even a
> Boston Globe 
> article that mentions' Stuart's work cited - but not Stuart's work.
>
> As for the market for vulnerabilities, and the related work,
> there are 
> at least a dozen solid (ignored) works.  I particularly
> recommend the 
> work of Rahul at CMU Heinz or the group at UMD. Instead we get the 
> Detroit News and the Washington Monthly. Despite the fact
> that Vairan 
> has published explicitly on information security economics,
> the author 
> found only "Information Rules" .  All the economics work, all the 
> theory that would inform this paper remains unaddressed.
> Three security 
> papers. Pitiful. Why use research when we have USA Today!
>
> Finally, liability is one of the reasons for free software
> businesses. 
> They give you someone to sue. They make guarantees about the 
> reliability and interoperability of software. They offer
> branding and 
> trust.  Contributions to free software and open code could be
> covered 
> by good samaritan clauses that hold those who contribute to
> open source 
> and free software projects for no profit, and perhaps limited to 
> software under some licenses. Of course, the paper has ONE
> PARAGRAPH on 
> this radical finding, and then notes it only applies "absent  safe 
> harbor".
>
> This paper reads as if the author had a conclusion, did some cursory 
> research (I would guess a lexis search on popular press and a legal 
> search) and then used, unread, the references to support the 
> unwarranted conclusion. Even his own words don't support his
> conclusion 
> - after decrying liability on the basis that it _must_ _mean_ strict 
> liability he effectively proposes, standards for software
> providers are 
> suggested. Perhaps failure to meet the standards would create
> - viola- 
> liability!
>
> This is not  an academic paper. This is a  quotable conclusion in 
> verbose but fruitless search of an intellectual  foundation.
>
> -Jean
>
>
>
> On Nov 21, 2004, at 11:25 AM, David Farber wrote:
>
> >
> >
> > Begin forwarded message:
> >
> > From: Douglas Barnes <salguod@xxxxxxxxxxxxxxx>
> > Date: November 20, 2004 10:48:55 AM EST
> > To: dave@xxxxxxxxxx
> > Subject: Deworming the Internet -- addressing market failure in
> > computer security
> >
> >
> > Dave--
> >
> > I thought IP folks might be interested in a paper I've
> written which 
> > is just
> > now available on SSRN.  In part it's a response to the
> periodic calls 
> > for
> > "liability" (notably from Bruce Schneier) as a mechanism for solving
> > computer problems.  The upshot is that I think Bruce is right that 
> > there is
> > a need for a regulatory response, but that extending, say, tort 
> > liability to
> > software would be a disaster.  In addition to my more
> complicated law &
> > economics argument for why this is, I point out in passing that 
> > ordinary
> > tort liability could crush open source software, which has the 
> > potential to
> > act as a positive force in addressing the underlying market failure.
> >
> > Links and abstract below.  Comments welcome.
> >
> > Cheers,
> >
> > Douglas Barnes
> >
> > ===========
> >
> >
> http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID622364_code402
123.pdf?
> abstra
> ctid=622364&mirid=1 or http://papers.ssrn.com/abstract=622364
>
> Abstract:
> Both law enforcement and markets for software standards have failed to 
> solve
> the problem of software that is vulnerable to infection by
> network-transmitted worms. Consequently, regulatory attention should 
> turn to
> the publishers of worm-vulnerable software. Although ordinary tort 
> liability
> for software publishers may seem attractive, it would interact in
> unpredictable ways with the winner-take-all nature of competition among
> publishers of mass-market, internet-connected software. More tailored
> solutions are called for, including mandatory "bug bounties" for those 
> who
> find potential vulnerabilities in software, minimum quality standards 
> for
> software, and, once the underlying market failure is remedied, 
> liability for
> end users who persist in using worm-vulnerable software.
>
>
> -------------------------------------
> You are subscribed as Jean_Camp@xxxxxxxxxxx
> To manage your subscription, go to
>  http://v2.listbox.com/member/?listname=ip
>
> Archives at: 
> http://www.interesting-people.org/archives/interesting-people/
>

-------------------------------------
You are subscribed as cman@xxxxxx
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/