MALWARE LIABILITY
William S. Greenwell | Anthony Aiello | Dean Bushey
CS 851 – Malware
October 5, 2004
Overview

- Theory of Tort Law
  - Liability Models
  - Objectives of Tort Law
- Malware & Liability
  - Authors
  - Users
  - Service Providers
  - Software Vendors

7/27/2016  Malware Liability  2
Theory of Tort Law

tort, n.
1. Injury, wrong. Obs.
   a. Physical injury or pain; torment.
   b. A false or wrong statement. Obs. Rare.
2. Eng. Law. The breach of a duty imposed by law, whereby some person acquires a right of action for damages.
Oxford English Dictionary, 2nd ed.
Tort Law

- Settles disputes between private parties:
  - Plaintiff – victim of an alleged wrong (petitioner)
  - Defendant – alleged agent of the wrong
- Available remedies:
  - Monetary relief – defendant must pay damages
  - Injunctive relief – defendant must desist
- Torts may be intentional or accidental.
Elements of a Tort

- Wrong – violation of a duty not to harm or not to impose risks upon others
- Harm – setback of one’s legitimate interest
- Appropriate relationship between the injurer’s wrong and the harm to the victim
Ex: Reckless Driving
(Diagram slide; only the label HARM survives from the figure.)
Wrongs vs. Wrongdoings

- A wrongdoing is an act committed without justification or cause.
  - Wrongdoings reflect badly on the agent.
- A wrong is a breach of a duty or violation of the rights of another.
  - Wrongs may be justifiable or excusable.
  - Wrongs are not necessarily wrongdoings.
Duty of Care

- In strict liability, duty of care may be discharged only by not harming others.
  - Amount of care taken is irrelevant.
- In fault liability, duty may be discharged by:
  - Not harming others; or
  - Not acting recklessly, negligently, or intentionally.
- Faults are both wrongs and wrongdoings.
Two Theories of Tort Law

- Economic Analysis: Maximize efficiency to prevent harm.
- Corrective Justice: Recompense the victim.
Theory #1: Economic Analysis

- Goal: Impose rules to achieve the greatest impact on incidence reduction at lowest cost.
- He who is best able to prevent recurrences should bear the costs of harm.
- Who should bear the costs of accidents not worth preventing?
Faults & Negligence

- Fault – failure to consider others’ interests and to adjust one’s conduct accordingly.
- Negligence – failure to take cost-justified precautions to prevent harm.

Cost-Justified Precaution:
Cost(Precaution) < Cost(Harm) × P[Harm]
Economic Analysis: Strict Liability

- The agent bears all the costs.
- The rational agent considers:
  - costs & benefits of precautions available to him
  - costs of harm he is likely to inflict on others
- Agents take cost-justified precautions, just as they would with fault liability.
- Strict liability is efficient in one-party accidents.
Economic Analysis: Fault Liability

- Assume agents are rational.
  - They will always take cost-justifiable precautions.
  - They will never be negligent.
- If agents are never at fault, then victims will bear the costs of all accidents.
  - Victims take precautions to prevent accidents.
  - Victims pay for accidents not worth preventing.
- Fault liability is efficient in two-party accidents.
Vicarious Liability

- Liability may attach vicariously to a defendant for a tort committed by another.
- Vicarious liability may attach if:
  - The defendant supervised the tortfeasor; or
  - The defendant’s negligence created the context in which the tort was committed, and
  - The tortfeasor’s act was foreseeable.
Theory #2: Corrective Justice

- Agents who harm incur a duty of repair.
  - The agent owns the untoward outcome.
  - The agent must pay for the costs it imposes.
- Duty of repair is not meant to be punitive.
- Has the agent satisfied the necessary conditions to impose on him a duty to repair the plaintiff's loss?
No Punishment Intended

- Punishments are criminal sanctions.
  - Punishments incurred through blame.
  - Only the agent may discharge the “debt.”
  - Agent cannot be insured against punishment.
- Duty of repair is a debt of repayment.
  - Duty incurred through ownership of harm.
  - Debt may be discharged by third parties.
  - Agent may buy insurance to guard against duty.
Conditions for Duty of Repair

1. Agent had a prior duty to consider interests of another and to adjust his conduct accordingly.
2. Agent failed to do so.
3. Agent’s failure to do so resulted (in an appropriate way) in harm to another.
4. Consequent harm may be charged to the agent as his doing (outcome responsibility).
Corrective Justice: Constraints

- An agent is only liable to those to whom he owed a duty not to harm through his actions.
  - A victim’s injury must be a foreseeable risk.
  - Ex: Stowaway aboard an aircraft
- Appropriate causal connection must exist between agent’s wrong and victim’s harm.
  - Ex: Pilot calls in sick, replacement crashes plane.
Malware & Liability

Malware & Duty of Care
(Diagram slide: source’s duty to target. Sources shown: Software Vendor, Malware Author, Internet Service Provider, User; target: User.)
Malware Author Liability

COMPUTER VIRUS MAKING TO BE PROSECUTED AS HATE CRIME FOR TARGETING STUPID PEOPLE
Systems Administrators Now On Front Lines of Bias Crime

"In a hate crime, the offender is motivated by the victim's personal characteristics, and in the case of email viruses, the maker is clearly singling out those who open email attachments when they've been told a thousand times not to," said California Attorney General Bill Lockyer. "Like any other segment of the population, people of stupidity need protection from bias."

Pennsylvania Law Outlaws Computer Viruses

E-vandals who spread computer viruses could face up to seven years in jail and will be forced to reimburse virus "victims" for any damages caused by their technological terrors under the legislation, which Pennsylvania Gov. Tom Ridge signed into law May 26, 2000.

Fines under the statute could be virtually limitless, because the law would force computer criminals to cover not only the cost of fixing and replacing damaged equipment, but would also make them liable for any costs incurred because of lost profits caused by computer "downtime."
HOW SEVERE A PENALTY?
THE SINGAPORE SOLUTION
CYBER SECURITY ENHANCEMENT ACT OF 2002

(i) the potential and actual loss resulting from the offense;
(ii) the level of sophistication and planning involved in the offense;
(iii) whether the offense was committed for purposes of commercial advantage or private financial benefit;
(iv) whether the defendant acted with malicious intent to cause harm in committing the offense;
(v) the extent to which the offense violated the privacy rights of individuals harmed;
(vi) whether the offense involved a computer used by the government in furtherance of national defense, national security, or the administration of justice;
(vii) whether the violation was intended to or had the effect of significantly interfering with or disrupting a critical infrastructure; and
(viii) whether the violation was intended to or had the effect of creating a threat to public health or safety, or injury to any person;
User Liability

- What are the reasonable steps the user should be expected to take?
- What about waivers and/or user agreements? (Can I sue for negligence if I get burned by coffee that was too hot?)
- What about patches that the user fails to install?
- What if the user continually downloads garbage from the web? Has he relieved the OS writer of any responsibility?
- What about international boundaries/law?
- CAVEAT EMPTOR??
ISP Liability

ISP Duty of Care

- ISPs have a duty of care to the users connected through the ISP’s services.
- ISPs explicitly disclaim liability in their service agreements.
EARTHLINK SHALL HAVE NO LIABILITY WHATSOEVER FOR ANY CLAIMS, LOSSES, ACTIONS, DAMAGES, SUITS, OR PROCEEDINGS RESULTING FROM: OTHER USERS ACCESSING YOUR COMPUTER; SECURITY BREACHES; EAVESDROPPING; DENIAL OF SERVICE ATTACKS; INTERCEPTION OF TRAFFIC SENT OR RECEIVED USING THE SERVICES; YOUR RELIANCE ON OR USE OF THE EQUIPMENT OR SERVICES, OR THE MISTAKES, OMISSION, INTERRUPTIONS, DELETION OF FILES, ERRORS, DEFECTS, DELAYS IN OPERATION, TRANSMISSIONS, OR ANY FAILURE OF PERFORMANCE OF THE EQUIPMENT OR SERVICES; THE USE OF THE EQUIPMENT OR SERVICES BY YOU OR A THIRD PARTY THAT INFRINGES THE COPYRIGHT, PATENT, TRADEMARK, TRADE SECRET, CONFIDENTIALITY, PRIVACY, OR OTHER INDUSTRIAL OR INTELLECTUAL PROPERTY RIGHTS, PROPRIETARY RIGHTS OR CONTRACTUAL RIGHTS OF ANY THIRD PARTY; THE ACCURACY, COMPLETENESS, AND USEFULNESS OF ALL SERVICES, PRODUCTS, AND OTHER INFORMATION, AND THE QUALITY AND MERCHANTABILITY OF ALL MERCHANDISE PROVIDED THROUGH THE SERVICE OR THE INTERNET.

THE FOREGOING LIMITATION APPLIES TO THE ACTS, OMISSIONS, NEGLIGENCE AND GROSS NEGLIGENCE OF EARTHLINK, ITS OFFICERS, EMPLOYEES, AGENTS, CONTRACTORS OR REPRESENTATIVES WHICH, BUT FOR THIS PROVISION, WOULD GIVE RISE TO THE CAUSE OF ACTION AGAINST EARTHLINK IN CONTRACT, TORT, OR ANY OTHER LEGAL DOCTRINE. YOUR SOLE AND EXCLUSIVE REMEDIES UNDER THIS AGREEMENT ARE AS EXPRESSLY SET OUT IN THIS AGREEMENT.
ISP Liability

- Should ISPs be allowed to disclaim liability?
- If not:
  - Should they be held to Strict Liability? or,
  - Should they be held to Fault Liability?
Arguments For Liability

- Their network was causal to the spread of the infection.
- If the network had been adequately protected, the infection could not have propagated.
Against Strict Liability

- Is it reasonable to expect invulnerable networks?
- Is it economically viable to demand invulnerable networks?
Against Fault Liability

- Who determines if the ISP was negligent?
  - The courts? On what basis?
  - A group of experts? Which group?
  - What happens when technology changes?
- Will this, in fact, lower the quality of protection?
  - The ISP may just meet the standard and not want to go any further.
ISP Liability Summary

- They enable the spread of infection.
- If we disallow liability to be disclaimed:
  - Strict Liability
    - Are invulnerable networks possible?
    - Are invulnerable networks economical?
  - Fault Liability
    - What is negligence?
    - Who decides?
    - What effect will this have?
Software Vendor Liability

SHOULD WE PROSECUTE??

In Out of the Crisis, Deming named seven "deadly diseases." Number 7 was "Excessive costs of liability, swelled by lawyers that work on contingency fees."

LAWYERS WOULD ANSWER:
- Software quality is often abysmally low.
- Software publishers routinely ship products with known defects, sometimes very serious defects. The law puts pressure on companies who don't care about their customers. It empowers quality advocates. I became a lawyer because I think that liability for bad quality is part of the cure, not one of the diseases.
Kaner, J.D., Ph.D. www.badsoftware.com
LAWYER ANSWER CONTINUED

- Put legal pressure on companies to improve their products because they can do it relatively (relative to customers) cheaply. …it costs the company a great deal less to fix the bug than the total cost to customers. (Among lawyers, this is called the principle of the "least cost avoider." You put the burden of managing a risk on the person who can manage it most cheaply.)
- Losses and lawsuits are less likely when companies make better products, advertise them more honestly, and warn customers of potential hazards and potential failures more effectively.
- The legal system decides for you what risks companies and customers can take. This drives schedules and costs and the range of products that are available on the market.
BUT….

- This is supposed to be a free country. It should be possible for a buyer to say to a seller, "Please, make the product sooner, cheaper, and less reliable. I promise not to sue you."
- Sellers rely on contracts and laws that make it harder for customers to sue sellers. Customers and sellers rely on insurance contracts to provide compensation when the seller or customer negligently makes or uses the product in a way that causes harm or loss.
- This approach respects the freedom of people to make their own deals, without much government interference. The government role in the commercial model is to determine what agreement the parties made, and then to enforce it. (Among lawyers, this is called the principle of "freedom of contract.")




But... Does a consumer buying a Microsoft product have bargaining power?
- "license agreements"
- Limited liability “notices”
- Some of these "agreements" even ban customers from publishing magazine reviews
Software Vendor Duty of Care

- Software vendors have a duty of care to the users of their products.
- Like ISPs, software vendors disclaim this duty of care explicitly.
  - they even disclaim merchantability
  - they even disclaim negligence
DISCLAIMER OF WARRANTIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND ITS SUPPLIERS PROVIDE TO YOU THE OS COMPONENTS, AND ANY (IF ANY) SUPPORT SERVICES RELATED TO THE OS COMPONENTS ("SUPPORT SERVICES") AS IS AND WITH ALL FAULTS; AND MICROSOFT AND ITS SUPPLIERS HEREBY DISCLAIM WITH RESPECT TO THE OS COMPONENTS AND SUPPORT SERVICES ALL WARRANTIES AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY (IF ANY) WARRANTIES OR CONDITIONS OF OR RELATED TO: TITLE, NON-INFRINGEMENT, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, LACK OF VIRUSES, ACCURACY OR COMPLETENESS OF RESPONSES, RESULTS, LACK OF NEGLIGENCE OR LACK OF WORKMANLIKE EFFORT, QUIET ENJOYMENT, QUIET POSSESSION, AND CORRESPONDENCE TO DESCRIPTION. THE ENTIRE RISK ARISING OUT OF USE OR PERFORMANCE OF THE OS COMPONENTS AND ANY SUPPORT SERVICES REMAINS WITH YOU.
EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR: LOSS OF PROFITS, LOSS OF CONFIDENTIAL OR OTHER INFORMATION, BUSINESS INTERRUPTION, PERSONAL INJURY, LOSS OF PRIVACY, FAILURE TO MEET ANY DUTY (INCLUDING OF GOOD FAITH OR OF REASONABLE CARE), NEGLIGENCE, AND ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE OS COMPONENTS OR THE SUPPORT SERVICES, OR THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS SUPPLEMENTAL EULA, EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
For Liability

- There is a notion of merchantability that applies to anything sold for profit.
  - Why should software be allowed to disclaim fitness for any purpose?
- In other domains, there are clear safety considerations that are imposed on products.
  - Why should software be any different?
For Liability

- In other domains, once a safety-related defect has been identified, it is expected that manufacturers will not build their products with known safety-related defects.
  - Why should software be different?
  - Shouldn’t we require that software manufacturers not write code with, for example, buffer overrun errors?
For Liability

- Why can software manufacturers disclaim liability even if their code is actually malicious?
- How does that differ from a telephone causing your TV to explode when the telephone is activated?
Against Strict Liability

- Undecidability poses a significant challenge:
  - any non-trivial property of a Turing Machine is, in general, undecidable.
Against Fault Liability

- Who decides when they have discharged their liability?
- What does such a decision imply?