More Liability Issues. Was: Re: Products Liability and Innovation.

Black Unicorn unicorn at schloss.li
Mon Aug 13 13:33:38 PDT 2001


----- Original Message -----
From: <georgemw at speakeasy.net>
To: <cypherpunks at lne.com>
Sent: Monday, August 13, 2001 12:34 PM
Subject: Re: Products Liability and Innovation.


> On 13 Aug 2001, at 9:42, Black Unicorn wrote:
>
> >
> > ----- Original Message -----
> > From: "Eugene Leitl" <Eugene.Leitl at lrz.uni-muenchen.de>
> > To: "Trei, Peter" <ptrei at rsasecurity.com>
> > Cc: <cypherpunks at lne.com>; "Faustine" <a3495 at cotse.com>;
<jamesd at echeque.com>
> > Sent: Monday, August 13, 2001 7:49 AM
> > Subject: RE: Traceable Infrastructure is as vulnerable as traceable
messages.
> >
> > > On Mon, 13 Aug 2001, Trei, Peter wrote:
> > >
> > > > I hate to say this, but until software developers are held (at least
> > > > at the corporate level) in some way liable for their failures, there
> > > > will be little or no improvement in the situation.
> > >
> > > I think this is the wrong approach to the situation. Making people
liable
> > > stifles innovation.
> >
> > I think 30+ years of active products liability jurisprudence might
disagree
> > with you.  Just in the automotive world and off the top of my head:
Automatic
> > Breaking Systems, designed failure points (crumple zones), 6mph bumpers,
> > "safety glass," shoulder belts, passive belts, air bags and a host of
other
> > technologies or innovations that may or may not have been developed "but
for"
> > litigation are most probably the result of strict liability in products
> > liability cases.
>
> Well,  nobody can say with certainty exactly what would have
> happened in contrary-to-fact situations,  and litigation will
> probably encourage some innovations while discouraging others,

Points all taken.

> but it seems to me that litigation is highly unlikely to encourage
> innovation overall;  it seems to me that you are much more likely to
> lose a case if your product is hazardous in a way that
> distinguishes itself from the industry standard,  even if it's
> safer overall,  and in any case most potential innovations don't
> have anything to do with increasing safety.

Points also taken.

> In a more or less unregulated market,  consumers are
> free to value product safety as they choose.  Legislation which,
> say,  mandates air bags appears to assume that consumers tend
> to undervalue their own safety, a proposition I object to
> on philosophical grounds.  Liability works more or less the same
> way.

Think of it this way.  The proposition that the strict liability doctrine
makes is that certain activities are "ultra hazardous."  One of these is
product design.  Strict liability- essentially the proposition that no showing
of negligence is required for the plaintiff to prevail- is generally thought
of as a mechanism to allocate the risk onto the market actor.  Economically
speaking this is intended to spur the innovator to "self insure" or to design
safety (safety from litigation anyhow) into the product, or at least have a
strong regard for it during the development process.  This in contrast to the
negligence standard- where the innovator has to have been shown to be
willfully negligent in design and therefore a good portion of the risk of the
product development is shifted back to the end user.

The theory is that if your goal is to reduce accidents and claims you allow
the market to incorporate that sort of risk (which in early innovation looks a
lot like an externality) into the innovation process.  Activities, it is
argued, which cannot be made sufficiently safe to be economically viable in
the market will not be undertaken because the market will not support such
activities.  Proponents of products liability point to this in justifying the
policy.  (Critics primarily point to the unfairness of assigning liability to
actors who have not acted negligently).

The showing for a plaintiff for products liability works something like this,
although admittedly this is very simplified:

1.  Plaintiff used the product according to directions.
2.  Plaintiff was injured.

That's pretty much it.  This is why safety is a big deal in automobile design
and why gun manufacturers have managed to duck major products liability issues
for the most part (misuse).   Since automobile design flaws of sufficient
magnitude can cause death and big money law suits, the market has incorporated
that component of the risk into the design cost of the product either ex ante
(during the design process) or ex post (by compensating the aggrieved
parties).  Costs are shifted onto the market when they are passed on (ex ante
or ex post) in the form of product cost.

This is the way that strict liability specifically, and the legal process in
general, tends to spur on innovation.

> >The effect is to make safety profitable- or more accurately,
> > to make unsafety unprofitable.
>
> Right.  Safety at all costs.  The cost of safety is already too
> high in most industries IMNSHO.

Well, I would argue that it is self adjusted by the market when we are talking
about products liability.  The market has put a price on safety by forcing
producers either to design safe, and limit ex post costs incurred by
litigation in favor of ex ante costs, or minimize safety spending and catch
the costs ex post.  Either way the costs are spread over the market and at
least mostly linked to the actual effect of safety provisions in reducing
harm/accidents/etc.  If a mini-van is too costly to make "safe" then it will
not be produced.  That's the point of strict liability.  Force the actor to
spend more time evaluating the wisdom of the action.  This often necessitates
more R&D and hence more innovation.  (Faster airbags, better seat belts, etc.)
Saying "the cost of safety is already too high" is probably misplaced- at
least in this isolated example of automotive manufacture.

Mr. May says in a related post:

> Bringing strict liability into the world of security and crypto would
> result in the usual market distortions. As an example, one might expect
> a "recommended security standard," decided upon by industry committees
> (with government, probably the NSA, involvement). Like airbags, this
> would then be mandated to be included in all Net connectivity and
> related products. Vendors would scramble to meet this requirement. And
> probably some form of escrow ("to help resolve disputes," "for the
> children") would be mandated-in. And of course it probably couldn't be
> "too strong."

Standards only really come into play in a negligence, as opposed to strict
liability, setting.  With strict liability standards are not part of the
discussion.  For software or security the strict liability argument by the
plaintiff would go:

1.  Plaintiff installed Firewall 1 correctly.
2.  Plaintiff was hacked.

Liability insues.  (This is an obvious simplification, but not by much).

All of Mr. May's other points are valid.  Even the imposition of a general
standard for negligence (the reasonable sysadmin standard?) would be a bit of
a headache.  I'm a little surprised we haven't seen more of this because it
effectively means that the first big case where someone sues on infosec
grounds will require the court to DEVISE a standard.  That would be bad.  Very
bad.  As it stands now big firms can blame their auditors.  "But we DID a
SAS70, what more could we have done" and probably get off scott free.

As for strict liability, this would be an absolute disaster, which is why I
don't expect to see it ever applied.  (Stranger things have happened though).
This liability issue has been batted around the list a few times over the last
couple (many) years.  I found this bit which I wrote about strict liability to
the list back in 1996:

> A lot of the decision whether to apply strict liability or negligence is
> going to be based on where you believe the costs should be shifted.
> Strict liability shifts the costs onto the person engaging the activity.
> The actor will increase his own costs to the extent he can still conduct
> the activity and still reduce the number of times he is called into court
> and damages are awarded against him.  He will, of course, take no more
> care than his damages might be.

[...]

> It's interesting to note the argument that in the age of insurance, it
> really makes no difference who you put the costs on as society as a whole
> ends up footing the bill anyway.

The more things change...

> > See generally Posner, Hallman and the "Chicago
> > School of Law and Economics," an entire movement in legal thought centered
on
> > the idea that you are very wrong about the effect of liability on
innovation.
>
> An entire movement dedicated to the idea that Eugene is
> very wrong?  Now I'm jealous,  I can be as wrong as him,
> wronger even.

Well, in so far as he was standing for the concept that innovation was in no
way ever connected to litigation, the Chicago School would disagree with him
quite sternly.  (The Chicago School is unamused?)

> > Now less I be misinterpreted, misworded, misquoted and misunderstood by
the
> > various misanthropic types here:
> >
> > Do I think that software should have products liability attached to it?
No.
> > Do I think strict liability stifles innovation?  No.
>
> On behalf of my fellow misanthropes,  thanks for the clarification.

Sure.  Anything I can do to help further the understanding of misanthropes on
the list, I am happy to do.

> George





More information about the cypherpunks-legacy mailing list