RE: Products Liability and Innovation. Was: ...
Black Unicorn[SMTP:unicorn@schloss.li]
From: "Eugene Leitl" <Eugene.Leitl@lrz.uni-muenchen.de>
On Mon, 13 Aug 2001, Trei, Peter wrote:
I hate to say this, but until software developers are held (at least at the corporate level) in some way liable for their failures, there will be little or no improvement in the situation.
I think this is the wrong approach to the situation. Making people liable stifles innovation.
I think 30+ years of active products liability jurisprudence might disagree with you. Just in the automotive world and off the top of my head: Automatic Braking Systems, designed failure points (crumple zones), 6mph bumpers, "safety glass," shoulder belts, passive belts, air bags and a host of other technologies or innovations that may or may not have been developed "but for" litigation are most probably the result of strict liability in products liability cases. The effect is to make safety profitable- or more accurately, to make unsafety unprofitable. See generally Posner, Hallman and the "Chicago School of Law and Economics," an entire movement in legal thought centered on the idea that you are very wrong about the effect of liability on innovation.
Now lest I be misinterpreted, misworded, misquoted and misunderstood by the various misanthropic types here:
Do I think that software should have products liability attached to it? No. Do I think strict liability stifles innovation? No.
[I hate to post something that makes it look as if I'm doing further BU bashing (which is not my intention), but:...] When all you have is a hammer, everything looks like a nail. There are other groups which can apply pressure than lawyers, courts and Men with Guns. Auditors and insurance companies come to mind. Schneier has noted how improvements in safe (as in a secure metal box) technology were driven not by losses, not by customers, nor by lawsuits, but rather by insurance requirements. "You're running your ecommerce site on IIS? Ok, that's 10% extra on your premiums." (This is already starting to happen).
Peter Trei
----- Original Message -----
From: "Trei, Peter" <ptrei@rsasecurity.com>
To: "Eugene Leitl" <Eugene.Leitl@lrz.uni-muenchen.de>; "'Black Unicorn'" <unicorn@schloss.li>
Cc: <cypherpunks@minder.net>
Sent: Monday, August 13, 2001 10:14 AM
Subject: RE: Products Liability and Innovation. Was: ...
Black Unicorn[SMTP:unicorn@schloss.li]
[On products liability, strict liability and innovation]:
The effect is to make safety profitable- or more accurately, to make unsafety unprofitable. See generally Posner, Hallman and the "Chicago School of Law and Economics," an entire movement in legal thought centered on the idea that you are very wrong about the effect of liability on innovation.
Now lest I be misinterpreted, misworded, misquoted and misunderstood by the various misanthropic types here:
Do I think that software should have products liability attached to it? No. Do I think strict liability stifles innovation? No.
[I hate to post something that makes it look as if I'm doing further BU bashing (which is not my intention), but:...]
Bash all you want as long as you do it in an educated way.
When all you have is a hammer, everything looks like a nail.
With a hammer as big as litigation in the United States, everything might as well be a nail. I take no position on the good or ill of this particular state of affairs.
There are other groups which can apply pressure than lawyers, courts and Men with Guns. Auditors and insurance companies come to mind.
Both of which are just extensions of the possibility of loss through products liability suits and other legal liability. The plaintiff's lawyer is key in the mix in all of these examples. Auditors are the passthrough to investors and other interested parties of information which might indicate the company's vulnerability to such a suit. Auditors drive their customers to adopt these practices because they have a fiduciary duty to draw attention to the potential harm and because they are the authority to define standard practices. Insurance companies heighten their standards to adjust coverage premiums based on the company's potential vulnerability to such a suit. They judge these vulnerabilities based on the babble and/or blessings of the auditors. Exercise for the student: Name three market forces which might cause the innovation of air bags as a safety feature which are not litigation related. (Hint: it's a hard problem- it's also a pointless one because air bags were finally brought to market- they had existed for years- specifically because of 3 law suits in the United States). Do a little leg work. Who first deployed airbags in their cars in the U.S.? When? That should tell you quite a lot about how they got there.
Schneier has noted how improvements in safe (as in a secure metal box) technology were driven not by losses, not by customers, nor by lawsuits, but rather by insurance requirements.
Which are in turn driven by losses, lawsuits and again by extension of those: customer requirements. It all comes down to what the insurance company expects to have to pay in policies and what they expect to get in premiums. What they have to pay is based on loss expectations. Those loss expectations are heightened by threat of legal liability. Those payments are irritating to the customer. The customer does a basic analysis: When is my break even point for the investment I am going to make in improved metal boxes vs. the decrease in premiums I expect as a result? It's basic econ. Very basic. Are you really trying to assert that legal liability- perceived or actual- is not the driving force behind product development in these areas in the United States? You might want to read some Posner before you comment again. (See Also Generally: Bank Robberies and Bank Security Precautions, T.H. Hannan, A Theory of Economic Loss in the Law of Torts, M.J. Rizzo, Accumulating Damages in Litigation: The Roles of Uncertainty and Interest Rates, J.M. Patell, R.L. Weil and M.A. Wolfson).
"You're running your ecommerce site on IIS? Ok, that's 10% extra on your premiums." (This is already starting to happen).
It's been happening for years, except it comes under the careful auspice of a "SAS70 Audit" (Statement on Auditing Standards No. 70) and not a blatant MS bashing fest. SAS70 had information security provisions in it as early as 1995 or 1996. Why? Because the ABA and the AICPA- who despite much mutual animus often get together to discuss such things- thought it a good idea to introduce infosec as a section into the standard report format. (I was, _very tangentially_, involved in some of that. These were the days of Michael Baum, Verisign and the ABA, Stewart Baker, Export Control, AICPA and the Commissioners for Uniform State Law). And why not? For the ABA- it meant the possibility of servicing clients with respect to shareholder derivative suits and other liability for information security "negligence" now that a standard has been articulated. It also meant that proactive litigation preparation was a possibility. (One Baker & McKenzie Partner, Gary Fresen did effectively nothing else but this stuff for Baker from 1996-1998). For the AICPA- it meant the possibility of including what was then thought of as a lucrative professional services practice (Information Security Consulting) in their consulting side offerings. All of the large accounting firms spawned an information security practice about 1995-1996 if they didn't already have risk management groups which could address the areas. Again, it was the threat of liability that drove all these developments, and hence at least partially drove the huge market for firewalls, PKI hype and (frankly) helped to make RSA what it is today. (What, you thought it was all Bidzos' genius?) The pattern has always been the same. Some clever 17 year old exposes weakness, exploits it. Papers go nuts. Shareholders whine and some sue. Insurance companies and auditors slowly take note, adjust standards. Market responds with new products and lots of hype. This is the evolution of security. Always has been. 
You think that Checkpoint Software got where it got because consumers suddenly wanted a bunch of innovation for no reason at all other than it was Monday afternoon and there was nothing interesting on www.memepool.com?
Peter Trei