Interesting People mailing list archives

more on Deworming the Internet -- addressing market failure in computer security


From: David Farber <dave () farber net>
Date: Tue, 23 Nov 2004 17:31:04 -0500



Begin forwarded message:

From: jean_camp <jean_camp () harvard edu>
Date: November 23, 2004 2:47:59 PM EST
To: dave () farber net
Subject: Re: [IP] Deworming the Internet -- addressing market failure in computer security

This is not, frankly, good scholarship. The issues addressed here in a cursory way have been addressed in depth in a considerable literature that has been ignored.

The descriptions of possible foundations for torts under California law are informative. In particular the finding that software providers have no duty to provide reliable software is an interesting read. Of course the part that decries the problems with liability assumes that software manufacturers never have a simple duty but rather are immediately hit with strict liability. Burning straw men is fun in the open desert, but more is expected of policy arguments.

For example, the call for bounties is listed as Larry's and not footnoted. That is because the first calls came from outside the legal literature. (Yes, there is a literature not written by lawyers.) Stuart Schechter wrote that up and yes there were Microsoft people who saw his paper well before the bounty was offered. There was even a Boston Globe article that mentions Stuart's work cited - but not Stuart's work.

As for the market for vulnerabilities, and the related work, there are at least a dozen solid (ignored) works. I particularly recommend the work of Rahul at CMU Heinz or the group at UMD. Instead we get the Detroit News and the Washington Monthly. Despite the fact that Varian has published explicitly on information security economics, the author found only "Information Rules". All the economics work, all the theory that would inform this paper remains unaddressed. Three security papers. Pitiful. Why use research when we have USA Today!

Finally, liability is one of the reasons for free software businesses. They give you someone to sue. They make guarantees about the reliability and interoperability of software. They offer branding and trust. Contributions to free software and open code could be covered by good samaritan clauses that hold those who contribute to open source and free software projects for no profit, and perhaps limited to software under some licenses. Of course, the paper has ONE PARAGRAPH on this radical finding, and then notes it only applies "absent safe harbor".

This paper reads as if the author had a conclusion, did some cursory research (I would guess a lexis search on popular press and a legal search) and then used, unread, the references to support the unwarranted conclusion. Even his own words don't support his conclusion - after decrying liability on the basis that it _must_ _mean_ strict liability, he effectively proposes standards for software providers. Perhaps failure to meet the standards would create - voila - liability!

This is not an academic paper. This is a quotable conclusion in verbose but fruitless search of an intellectual foundation.

-Jean



On Nov 21, 2004, at 11:25 AM, David Farber wrote:



Begin forwarded message:

From: Douglas Barnes <salguod () mail utexas edu>
Date: November 20, 2004 10:48:55 AM EST
To: dave () farber net
Subject: Deworming the Internet -- addressing market failure in computer security


Dave--

I thought IP folks might be interested in a paper I've written which is just now available on SSRN. In part it's a response to the periodic calls for "liability" (notably from Bruce Schneier) as a mechanism for solving computer problems. The upshot is that I think Bruce is right that there is a need for a regulatory response, but that extending, say, tort liability to software would be a disaster.  In addition to my more complicated law & economics argument for why this is, I point out in passing that ordinary tort liability could crush open source software, which has the potential to act as a positive force in addressing the underlying market failure.

Links and abstract below.  Comments welcome.

Cheers,

Douglas Barnes

===========

http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID622364_code402123.pdf?abstractid=622364&mirid=1 or http://papers.ssrn.com/abstract=622364

Abstract:
Both law enforcement and markets for software standards have failed to solve the problem of software that is vulnerable to infection by network-transmitted worms. Consequently, regulatory attention should turn to the publishers of worm-vulnerable software. Although ordinary tort liability for software publishers may seem attractive, it would interact in unpredictable ways with the winner-take-all nature of competition among publishers of mass-market, internet-connected software. More tailored solutions are called for, including mandatory "bug bounties" for those who find potential vulnerabilities in software, minimum quality standards for software, and, once the underlying market failure is remedied, liability for end users who persist in using worm-vulnerable software.


-------------------------------------
You are subscribed as Jean_Camp () harvard edu
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

