On 13 Aug 2001, at 9:42, Black Unicorn wrote:
----- Original Message -----
From: "Eugene Leitl" <Eugene.Leitl@lrz.uni-muenchen.de>
To: "Trei, Peter" <ptrei@rsasecurity.com>
Cc: <cypherpunks@lne.com>; "Faustine" <a3495@cotse.com>; <jamesd@echeque.com>
Sent: Monday, August 13, 2001 7:49 AM
Subject: RE: Traceable Infrastructure is as vulnerable as traceable messages.
On Mon, 13 Aug 2001, Trei, Peter wrote:
I hate to say this, but until software developers are held (at least at the corporate level) in some way liable for their failures, there will be little or no improvement in the situation.
I think this is the wrong approach to the situation. Making people liable stifles innovation.
----- Original Message -----
From: <georgemw@speakeasy.net>
To: <cypherpunks@lne.com>
Sent: Monday, August 13, 2001 12:34 PM
Subject: Re: Products Liability and Innovation.
I think 30+ years of active products liability jurisprudence might disagree with you. Just in the automotive world and off the top of my head: Automatic Braking Systems, designed failure points (crumple zones), 6mph bumpers, "safety glass," shoulder belts, passive belts, air bags and a host of other technologies or innovations that may or may not have been developed "but for" litigation are most probably the result of strict liability in products liability cases.
Well, nobody can say with certainty exactly what would have happened in contrary-to-fact situations, and litigation will probably encourage some innovations while discouraging others,
Points all taken.
but it seems to me that litigation is highly unlikely to encourage innovation overall; it seems to me that you are much more likely to lose a case if your product is hazardous in a way that distinguishes itself from the industry standard, even if it's safer overall, and in any case most potential innovations don't have anything to do with increasing safety.
Points also taken.
In a more or less unregulated market, consumers are free to value product safety as they choose. Legislation which, say, mandates air bags appears to assume that consumers tend to undervalue their own safety, a proposition I object to on philosophical grounds. Liability works more or less the same way.
Think of it this way. The proposition that the strict liability doctrine makes is that certain activities are "ultra hazardous." One of these is product design. Strict liability- essentially the proposition that no showing of negligence is required for the plaintiff to prevail- is generally thought of as a mechanism to allocate the risk onto the market actor. Economically speaking this is intended to spur the innovator to "self insure" or to design safety (safety from litigation anyhow) into the product, or at least have a strong regard for it during the development process. This in contrast to the negligence standard- where the innovator has to have been shown to be willfully negligent in design and therefore a good portion of the risk of the product development is shifted back to the end user.
The theory is that if your goal is to reduce accidents and claims you allow the market to incorporate that sort of risk (which in early innovation looks a lot like an externality) into the innovation process. Activities, it is argued, which cannot be made sufficiently safe to be economically viable in the market will not be undertaken because the market will not support such activities. Proponents of products liability point to this in justifying the policy. (Critics primarily point to the unfairness of assigning liability to actors who have not acted negligently).
The showing for a plaintiff for products liability works something like this, although admittedly this is very simplified:
1. Plaintiff used the product according to directions.
2. Plaintiff was injured.
That's pretty much it. This is why safety is a big deal in automobile design and why gun manufacturers have managed to duck major products liability issues for the most part (misuse).
Since automobile design flaws of sufficient magnitude can cause death and big money lawsuits, the market has incorporated that component of the risk into the design cost of the product either ex ante (during the design process) or ex post (by compensating the aggrieved parties). Costs are shifted onto the market when they are passed on (ex ante or ex post) in the form of product cost. This is the way that strict liability specifically, and the legal process in general, tends to spur on innovation.
The effect is to make safety profitable- or more accurately, to make unsafety unprofitable.
Right. Safety at all costs. The cost of safety is already too high in most industries IMNSHO.
Well, I would argue that it is self adjusted by the market when we are talking about products liability. The market has put a price on safety by forcing producers either to design safe, and limit ex post costs incurred by litigation in favor of ex ante costs, or minimize safety spending and catch the costs ex post. Either way the costs are spread over the market and at least mostly linked to the actual effect of safety provisions in reducing harm/accidents/etc. If a mini-van is too costly to make "safe" then it will not be produced. That's the point of strict liability. Force the actor to spend more time evaluating the wisdom of the action. This often necessitates more R&D and hence more innovation. (Faster airbags, better seat belts, etc.) Saying "the cost of safety is already too high" is probably misplaced- at least in this isolated example of automotive manufacture. Mr. May says in a related post:
Bringing strict liability into the world of security and crypto would result in the usual market distortions. As an example, one might expect a "recommended security standard," decided upon by industry committees (with government, probably the NSA, involvement). Like airbags, this would then be mandated to be included in all Net connectivity and related products. Vendors would scramble to meet this requirement. And probably some form of escrow ("to help resolve disputes," "for the children") would be mandated-in. And of course it probably couldn't be "too strong."
Standards only really come into play in a negligence, as opposed to strict liability, setting. With strict liability standards are not part of the discussion. For software or security the strict liability argument by the plaintiff would go:
1. Plaintiff installed Firewall 1 correctly.
2. Plaintiff was hacked.
Liability ensues. (This is an obvious simplification, but not by much).
All of Mr. May's other points are valid. Even the imposition of a general standard for negligence (the reasonable sysadmin standard?) would be a bit of a headache. I'm a little surprised we haven't seen more of this because it effectively means that the first big case where someone sues on infosec grounds will require the court to DEVISE a standard. That would be bad. Very bad. As it stands now big firms can blame their auditors. "But we DID a SAS70, what more could we have done" and probably get off scot-free. As for strict liability, this would be an absolute disaster, which is why I don't expect to see it ever applied. (Stranger things have happened though).
This liability issue has been batted around the list a few times over the last couple (many) years. I found this bit which I wrote about strict liability to the list back in 1996:
A lot of the decision whether to apply strict liability or negligence is going to be based on where you believe the costs should be shifted. Strict liability shifts the costs onto the person engaging the activity. The actor will increase his own costs to the extent he can still conduct the activity and still reduce the number of times he is called into court and damages are awarded against him. He will, of course, take no more care than his damages might be.
[...]
It's interesting to note the argument that in the age of insurance, it really makes no difference who you put the costs on as society as a whole ends up footing the bill anyway.
The more things change...
See generally Posner, Hallman and the "Chicago School of Law and Economics," an entire movement in legal thought centered on the idea that you are very wrong about the effect of liability on innovation.
An entire movement dedicated to the idea that Eugene is very wrong? Now I'm jealous, I can be as wrong as him, wronger even.
Well, in so far as he was standing for the concept that innovation was in no way ever connected to litigation, the Chicago School would disagree with him quite sternly. (The Chicago School is unamused?)
Now lest I be misinterpreted, misworded, misquoted and misunderstood by the various misanthropic types here:
Do I think that software should have products liability attached to it? No. Do I think strict liability stifles innovation? No.
On behalf of my fellow misanthropes, thanks for the clarification.
Sure. Anything I can do to help further the understanding of misanthropes on the list, I am happy to do.
George