My post yesterday on end-user liability for security breaches elicited some interesting responses.
Several people debated the legal question of whether end-users are already liable under current law. I don’t know the answer to that question, and my post yesterday was more in the nature of a hypothetical than a statement about current law. Rob Heverly, who appears to be a lawyer, says that because there is, in general, no duty to protect strangers from harm, end-users are not liable under current law for harm to others caused by intruders. Others say an unprotected machine may be an attractive nuisance. I’ll leave it to the lawyers to duke that one out.
Others objected that it would be unfair to hold liable an end-user, if that user took all reasonable protective steps, or if he failed to take some extra step. To see why this objection might be wrong, consider a hypothetical where an attacker breaks into Alice’s machine, and uses it to cause harm to Bob. It seems unfair to make Alice pay for this harm. But the alternative is to leave Bob to pay for it, which may be even more unfair, depending on circumstances. From a theoretical standpoint, it makes sense to send the bill to the party who was best situated to prevent the harm. If that turns out to be Alice, then one can argue that she should be liable for the harm. And this argument is plausible even if Alice has very little power address the harm – as long as Bob has even less power to address it.
Others objected that novice users would be unable to protect themselves. That’s true, but by itself it’s not a good argument against liability. Imposing liability would cause many novice users to get help, by hiring competent people to manage their systems. If an end-user can spend $N to reduce the expected harm to others by more than $N, then we want them to do so.
Others objected that liability for breaches would be a kind of reverse lottery, with a few unlucky users being hit with large bills, because their systems happened to be used to cause serious harm, while other similarly situated users got off scot-free. The solution to this problem is insurance, which is an effective mechanism for spreading this kind of risk. (Eventually, this might be a standard rider on homeowner’s or renter’s insurance policies.) Insurance companies would also have the resources to study whether particular products or practices increase or reduce expected liability. They might impose a surcharge on people who use a risky operating system, or provide a discount for the use of effective defensive tools. This, in turn, would give end-users economic incentives to make socially beneficial choices.
Finally, some people responded to my statement that liability might work poorly where harm is diffuse. Seth Finkelstein suggested class actions suits as a remedy. Class actions would make sense where the aggregate harm is large and the victims easy to identify. Rob Heverly suggests that large institutions like companies or universities would be likely lawsuit targets, because their many computers might cause enough harm to make a suit worthwhile. Both are good points, but I still believe that a great deal of harm – perhaps the majority – would be effectively shielded from recovery because of the costs of investigation and enforcement.
Peter, I think part of the problem is that while an attorney could make that argument, the EULA’s also contain a clause that indemnifies the software maker from any damage, loss (monetary or otherwise), or liability if the software fails or what not. The following is taken from the microsoft EULA:
Congratulations on totally dodging the real culprits in this issue.
>From a theoretical standpoint, it makes sense
>to send the bill to the party who was best
>situated to prevent the harm.
That would be the authors of the software. I supose that a crafty attorney could look at the EULAs and make the case that since the code is still *owned* by the vendor, and never owned by the alleged purchaser, that the ownership of the liability of the defective software also lies at the feet of the software vendor. Or is that just another externality everyone has to pay? By communalizing the responsibility while privatizing the profits.
Ed Felten wrote:
>From a theoretical standpoint, it makes sense
>to send the bill to the party who was best
>situated to prevent the harm.
Even in both theory and practice that person is always going to be the victim. In fact, it is why they are called “victims”.
>[insurance]
If any insurance policies will be made out about this, they will be signed by _possible victims_. This is no different from home insurance policies that protect the home owners from various forms of loss (fire, theft, etc) — as opposed to these same home owners firing off lawsuits against those who make sledgehammers that can batter down doors, those who leave rocks lying around where they can be easily picked up and thrown through windows, the neighbours who “should” have kept a lookout while the owner was away, or even the government itself, which is arguably in the best position of all to “prevent the harm” (if it is not, then why does it exist?)
And Even More on End-User Liability
Ed Felten follows-up on his post yesterday about end-user liability, discussing some of the comments (some of mine included), and making some additional observations. It’s a good discussion, and I’m glad it’s going on. That said, I have a few prelimina…
Why hold the end user liable at all? It may be a dumb question, but it’s one we have to ask. It might be reasonable to analogize this to the physical world. If Alice buys a car that had some serious flaws, for instance the wheel has a tendency to fly off if the lug nuts are loosened at all, and does nothing to protect against this happening, is she liable when the wheel goes through Bob’s Bocce Ball Bargain Basement window and wrecks $1000 of merchandise? If she isn’t liable, is the Motorcar Service? What if the Motorcar Service has Alice sign a EULA first that indemnifies them from liability despite the fact that they acknowledge that their product had deficiencies when they sold it to her?
Now let’s say that Motorcar Services puts out a fix for the tire problem, but there have been concerns about their fixes causing more problems in the past than they solve. Is Alice obligated to pick this up as soon as possible? At this point, Alice would be undoubtedly liable for any problems.
So I’ve lost my train of thought here, but I still think trickle-down liability would be the best (those who had the best ability to stop the problem are the most liable). It encourages everyone to be as vigilant as possible.