On Thu, 22 Feb 1996, Bill Frantz wrote:
At 20:54 AM 2/20/96 -0500, C. Bradford Biddle <biddle@pwa.acusd.edu> wrote:
---------- Forwarded message ----------
DIGITAL SIGNATURE LEGISLATION: SOME REASONS FOR CONCERN
[...]
LIABILITY
[...]
The question I have is, does "reasonable care" include keeping your machine "virus free"?
A very good question, and one not answered by the Utah Act. The answer to the question of what constitutes reasonable care for holders of private keys will have to be addressed through the long, expensive, and inelegant process of common law evolution: court case after court case after court case slowly providing an answer. In contrast, the duties of certification authorities are explicitly described in the Act.
There is a second troubling policy choice relating to liability. The Utah Act limits the potential liability of one actor in the infrastructure -- the certification authority -- to a fixed amount (termed a "suitable guarantee" and determined by a complex formula or by administrative rule).
The historic precedent is the liability limit on nuclear power plants.
An interesting point, which can be spun several ways. The nuclear industry has been able to externalize the immense costs of waste storage, etc. Would the same investments have been made in nuclear energy if the nuclear industry was forced to internalize all of the costs it generates, including the costs of potential accidents? Probably not. I suspect that you could find people who would argue that the liability limits have had very good consequences (i.e., promoting investment in an ultimately beneficial technology) and others who would say that the current state of the nuclear industry points out the harm in allowing an industry to externalize costs.
For both these problems, a relatively low liability limit would force people to use other techniques (e.g. old style signed contracts) for large transactions. While we are working the bugs out of a new technology, with new standards of "reasonable care", everyone might win if the risks are limited.
Agreed. Letting market forces sort out the most appropriate risk allocations may be the best solution. This isn't really what the Utah Act does, however.
Regards - Bill
------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA
Thank you for your thoughtful comments.

Brad

Brad Biddle, Legal Intern <biddle@acusd.edu>
Privacy Rights Clearinghouse, Ctr for Public Interest Law
http://pwa.acusd.edu/~prc

For the record: Someone else who responded to my post on the Cypherpunks list referred to me as "Dr. Biddle." I think they were misled by Phil Agre's characterization of me as an "academic" in his introduction to my article. (Or perhaps just dazzled by the force of my arguments). I am, in fact, a law *student*, not a law professor.