June 15, 2024

Should End-Users Be Liable for Security Breaches?

Eric Rescorla reports that, in a talk at WEIS, Dan Geer predicted (or possibly advocated) that end-users will be held liable for security breaches in their machines that cause harm to others.

As Eric notes, there is a good theoretical argument for this:

There are two kinds of costs to not securing your computer:

  • Internal costs: the costs to you of having your own machine broken into.
  • External costs: the costs to others of having your machine being broken into, primarily your machine being used as a platform for other attacks.

Currently, the only incentive you currently have is the internal costs. That incentive clearly isn’t that strong, as lots of people don’t upgrade their systems. The point of liability is to get you to also bear the external costs, which helps give you the right incentive to secure your systems.

Eric continues, astutely, by wondering whether it’s actually worthwhile, economically, for users to spend lots of money and effort trying to secure their systems. If the cost of securing your computer exceeds the cost (internal and external) of not doing so, then the optimal choice is simply to accept the cost of breaches; and that’s what you’ll do, even if you’re liable.

There’s at least one more serious difficulty with end-user liability. Today, many intrusions into end-user machines lead to the installation of “bots” that the intruder uses later to send spam, launch denial of service attacks, or make other mischief. The harm caused by these bots is often diffuse.

For example, suppose Alice’s machine is compromised and the intruder uses it to send 100,000 spam emails, each of which costs its recipient five cents to delete. Alice’s insecurity has led to $5,000 of total harm. But who is going to sue Alice? No individual has suffered more than a few cents’ worth of harm. Even if all of the affected parties can somehow put together an action against Alice, the administrative and legal costs of the action (not to mention the cost of identifying Alice in the first place) will be much more than $5,000. In aggregate, all of the world’s Alices may be causing plenty of harm, but the costs of holding each particular Alice responsible may be excessive.

So, to the extent that the external costs of end-user insecurity are diffuse, end-user liability may do very little good. Maybe there is another way to internalize the external costs of end-user insecurity; but I’m not sure what it might be.


  1. And Even More on End-User Liability

    Ed Felten follows-up on his post yesterday about end-user liability, discussing some of the comments (some of mine included), and making some additional observations. It’s a good discussion, and I’m glad it’s going on. That said, I have a few prelimina…

  2. More on End-User Liability

    My post yesterday on end-user liability for security breaches elicited some interesting responses. Several people debated the legal question of whether end-users are already liable under current law. I don’t know the answer to that question, and my pos…

  3. The slide entitled “Field Repairs”, which is number 18.

    Quoth Geer:

    Thus we come to a discussion of formal liability and the high likelihood that in the short term such discussion will focus on patch-state as a proxy for culpability either in the sense of patching being evidence of due care or the lack of patching, particularly within substantial enterprises, being evidence of an attractive nuisance (like an unfenced swimming pool).

  4. I’m trying to find which slide argues the case for end-user liability. Which of the 57 slides mentions it?

    Next point: ISPs are currently encouraged to transit attack traffic, because (if the estimates are right) ISPs increase revenue by transiting mal-traffic. If we want to experiment with solutions, how about eliminating this incentive for ISPs by holding them liable for any attack traffic they transit? Liability doesn’t have to be measured in terms of loss. It could just be a large fine for exceeding their established “pollution quotas”.

  5. Does not Alice already have a duty of care?

    To act as a reasonably prudent computer owner and upgrade her OS as patches and fixes become available.

    And if Alice fails to upgrade her OS as a reasonably prudent computer owner, then has she not breached the appropriate standard of care?

    And is it not reasonably forseeable that if Alice fails to upgrade her OS, others will suffer damage in the event her computer becomes infected and begins spewing spam?

    And if Alice fails to act as a reasonably prudent computer owner by upgrading her OS as appropriate is she not liable for the damages suffered by other ‘Net users who are obliged to deal with the spam sent from from her computer?

    The basis for this position? The legal theory of negligence and with the concept of ‘joint liability’ does not the maker of the OS share some of the responsibility, if for example a patch is not developed in advance?

    True, the individual may not be able to realistically make a claim.

    But is there not a statutory remedy available to internet access services against Alice under paragraph 7 (g) of the Can-Spam Act of 2003 presuming the spam is non-compliant?

    Which remedy could be combined with the claim in negligence?

  6. Chris Tunnell says

    EKR: It depends on implementation. I assume some people would want it so right after they hit send on the compose window, their computer starts cramming to get the message to the recipient as soon as possible.

    But then again, as you said, low thread priority works too.

    I meant “solution” in terms of it preventing scammers from bankrupting David.

    John: Possible, if they keep the keys in the car and the door open… many times…

  7. Is a car owner responsible for the damage done by someone who steals their car and crashes it into a crowd of preschoolers?

    Should they be?

  8. The slides from Dan’s talk are now at the WEIS 2004 site
    web site.

    He, unsurprisingly, said many insightful things, and did so in an entirely engaging manner.

  9. The above assumes that such malware is the result of an unpatched or otherwise unprotected system. New viruses, worms, and the like are released constantly that exploit previously unknown (or at least unpatched) vulnerabilities. So Alice may be completely patched and protected but spread the infection anyway. Can she still be considered liable?

    Also, even if Alice’s computer was not protected, she probably got infected from someone else. Is she any more or less guilty than Bob in Cleveland who passed it to her? Indeed, in most cases there is not a single point of infection, no “Typhoid Alice.” The malware is released into the wild, and hits many hundreds or thousands of vulnerable computers virtually simultaneously, the order of which is based solely on the vagaries of internet routing.

    I believe this idea, like email postage, is one that looks kind of good on paper but doesn’t really hold up to scrutiny. The better solution is OS software that prevents malware from installing/running in the first place.

  10. Doh. That should say “idle” instead of “iidel”

  11. Chris,

    Actually, I don’t think you’re right about proof of work in this case. It’s pretty easy to build an application which uses a lot of CPU time but doesn’t impact user experience because it only does stuff in idle periods. Remember that your computer is iidel most of the time.

  12. Chris Tunnell says

    David: The solution to your argument would be to use computational cycles instead of money. This way, the infected would notice their machine acting slow and remove the program after sending only a few messages.

    Also, most programs (that I know of) that spam in the background do not use the same method of mailing that the user uses. In the case of spamming, the spammer distributing the program doesn’t want people to notify the zombie that they are infected by mearly replying.

    Seth: I also have doubts with this, but I think that Microsoft releasing more secure products could only do so much. We still have the problem of the spammer with a fast connection (until they are tracked down).

    The price wouldn’t diffuse so much if we did this at the buisness level. Instead of tracking per-user spamming, we have company A say, “We recieved X many emails from company B, and this cost us X*.01 dollars. We are suing you for this amount”

    If companies started going after one another, then they would have an incentive to prevent spam/viruses from leaving thier network.

  13. To Be, or Not to Be (liable, that is)

    There has been some recent interest expressed in the idea that computer owners could, perhaps should, be liable to others when their computers are somehow used to “injure” those users. Ed Felten has a post on this today, discussing a post by Eric Resco…

  14. I’m not a laywer, but I think that IF we go down that path, the magic words are “class action” and “statutory damages”.

    Remember, for copyright infringement, the actual harm may be minimal, but the law provides up to *$150,000* FOR EACH VIOLATION.

    So a law firm would go aggregate a few claims, send a nasty letter asking for a zillion bucks, settle for a few thousand, and keep almost all of the money as fees.

    I have my doubts that this is a good idea, though I can see it appealing to certain types of thought. Much better, in my view, to have Microsoft release a more secure product by default.

  15. David Bolton says

    This reminds me of the Bill Gates proposal for an anti-spam charge of 1c per email sent. If my totally patched PC is compromised by a previously unknown exploit and sends out 50,000 emails, am I responsible for the $500 bill or is Microsoft if its a flaw in their software? Ie despite due diligence and through no fault of mine, I get the bill?

    The problem is there is no all encompassing ‘watchdog’ software that can point out- “Did you know that your pc is sending out 50 emails a second- ok/cancel?”- with the power and processing speed, pcs can inflict a lot of damage in a short time without their owners noticing. Firewalls do this to a degree but possibly not enough.