Products Liability and Innovation. Was: ...

Black Unicorn unicorn at schloss.li
Mon Aug 13 10:55:04 PDT 2001


----- Original Message -----
From: "Trei, Peter" <ptrei at rsasecurity.com>
To: "Eugene Leitl" <Eugene.Leitl at lrz.uni-muenchen.de>; "'Black Unicorn'"
<unicorn at schloss.li>
Cc: <cypherpunks at minder.net>
Sent: Monday, August 13, 2001 10:14 AM
Subject: RE: Products Liability and Innovation. Was: ...


> > Black Unicorn[SMTP:unicorn at schloss.li]

[On products liability, strict liability and innovation]:

> > The effect is to make safety profitable- or more accurately,
> > to make unsafety unprofitable.  See generally Posner, Hallman and the
> > "Chicago School of Law and Economics," an entire movement in legal
> > thought centered on the idea that you are very wrong about the effect
> > of liability on innovation.
> >
> > Now lest I be misinterpreted, misworded, misquoted and misunderstood by
> > the various misanthropic types here:
> >
> > Do I think that software should have products liability attached to it?
> > No.  Do I think strict liability stifles innovation?  No.
> >
> [I hate to post something that makes it look as if I'm doing further
> BU bashing (which is not my intention), but:...]

Bash all you want as long as you do it in an educated way.

> When all you have is a hammer, everything looks like a nail.

With a hammer as big as litigation in the United States, everything might as
well be a nail.  I take no position on the good or ill of this particular
state of affairs.

> There are
> other groups which can apply pressure than lawyers, courts and Men
> with Guns.  Auditors and insurance companies come to mind.

Both of which are just extensions of the possibility of loss through products
liability suits and other legal liability.  The plaintiff's lawyer is key in
the mix in all of these examples.  Auditors are the passthrough to investors
and other interested parties of information which might indicate the company's
vulnerability to such a suit.  Auditors drive their customers to adopt these
practices because they have a fiduciary duty to draw attention to the potential
harm and because they are the authority to define standard practices.
Insurance companies heighten their standards to adjust coverage premiums based
on the company's potential vulnerability to such a suit.  They judge these
vulnerabilities based on the babble and/or blessings of the auditors.

Exercise for the student:  Name three market forces which might cause the
innovation of air bags as a safety feature which are not litigation related.
(Hint: it's a hard problem- it's also a pointless one because air bags were
finally brought to market- they had existed for years- specifically because of
3 lawsuits in the United States).  Do a little legwork.  Who first deployed
airbags in their cars in the U.S.?  When?  That should tell you quite a lot
about how they got there.

> Schneier has noted how improvements in safe (as in a secure metal box)
> technology were driven not by losses, not by customers, nor by lawsuits,
> but rather by insurance requirements.

Which are in turn driven by losses, lawsuits and again by extension of those:
customer requirements.  It all comes down to what the insurance company
expects to have to pay in policies and what they expect to get in premiums.
What they have to pay is based on loss expectations.  Those loss expectations
are heightened by threat of legal liability.  Those payments are irritating to
the customer.  The customer does a basic analysis:  When is my break even
point for the investment I am going to make in improved metal boxes vs. the
decrease in premiums I expect as a result?  It's basic econ.  Very basic.  Are
you really trying to assert that legal liability- perceived or actual- is not
the driving force behind product development in these areas in the United
States?  You might want to read some Posner before you comment again.  (See
Also Generally:  Bank Robberies and Bank Security Precautions, T.H. Hannan, A
Theory of Economic Loss in the Law of Torts, M.J. Rizzo, Accumulating Damages
in Litigation: The Roles of Uncertainty and Interest Rates, J.M. Patell, R.L.
Weil and M.A. Wolfson).

> "You're running your ecommerce site on IIS? Ok, that's 10% extra on your
> premiums." (This is already starting to happen).

It's been happening for years, except it comes under the careful auspice of a
"SAS70 Audit" (Statement on Auditing Standards No. 70) and not a blatant MS
bashing fest.  SAS70 had information security provisions in it as early as
1995 or 1996.  Why?  Because the ABA and the AICPA- who despite much mutual
animus often get together to discuss such things- thought it a good idea to
introduce infosec as a section into the standard report format.  (I was, _very
tangentially_, involved in some of that.  These were the days of Michael Baum,
Verisign and the ABA, Stewart Baker, Export Control, AICPA and the
Commissioners for Uniform State Law).  And why not?  For the ABA- it meant the
possibility of servicing clients with respect to shareholder derivative suits
and other liability for information security "negligence" now that a standard
has been articulated.  It also meant that proactive litigation preparation was
a possibility.  (One Baker & McKenzie Partner, Gary Fresen did effectively
nothing else but this stuff for Baker from 1996-1998).  For the AICPA- it
meant the possibility of including what was then thought of as a lucrative
professional services practice (Information Security Consulting) in their
consulting side offerings.  All of the large accounting firms spawned an
information security practice about 1995-1996 if they didn't already have risk
management groups which could address the areas.

Again, it was the threat of liability that drove all these developments, and
hence at least partially drove the huge market for firewalls, PKI hype and
(frankly) helped to make RSA what it is today.  (What, you thought it was all
Bidzos' genius?)

The pattern has always been the same.  Some clever 17 year old exposes
weakness, exploits it.  Papers go nuts.  Shareholders whine and some sue.
Insurance companies and auditors slowly take note, adjust standards.  Market
responds with new products and lots of hype.  This is the evolution of
security.  Always has been.  You think that Checkpoint Software got where it
got because consumers suddenly wanted a bunch of innovation for no reason at
all other than it was Monday afternoon and there was nothing interesting on
www.memepool.com?

> Peter Trei




