How responsible is the vendor of a crypto-enabled product?

Greg Broiles gbroiles at netbox.com
Thu Feb 15 15:28:24 PST 2001 

On Thu, Feb 15, 2001 at 03:49:14PM -0600, Roy M. Silvernail wrote:
> 
> I got into an interesting conversation today.  Here's the question:  if 
> a vendor rolls out a net-enabled product that features a crypto-
> secured interface, what kind of liability do they face if the interface 
> security is breached?  In particular, we were discussing machine 
> controls and the recent incident where it was discovered that one 
> manufacturer was fielding a GPIB control card with TCP/IP 
> Ethernet and no security at all. 
> 
> If a net-connected and secured machine were hacked and death or 
> personal injury resulted, does that make the manufacturer an 
> accessory to manslaughter?  Would having a provably good (or 
> provably bad) security layer mitigate this?

See, generally, Cem Kaner's _Bad Software_ or 
<http://www.badsoftware.com>.

The short answer is that liability is very unlikely, especially in a
consumer device scenario - both because of the traditional lack of
warranties for software, and because of the unlikelihood of the
injury. Generally, products don't need to be designed with criminal
activity of third parties in mind - and products which are safety-
essential are probably sold plastered with warnings about verifying
proper operation before critical use, which are intended to shift
the legal (and moral) burden from the manufacturer to the end user.

If I were the plaintiff's attorney, I'd try really hard to use
advertising/marketing statements about the security of the 
products to create an express warranty (other than the weak one
that the company's lawyers will have written) .. dunno if that
would work or not, but it would be fun to try. 

On the other hand, look at what product liability suits did to
the amateur aircraft industry - for some time, I understand that
Cessna simply stopped making new planes, because it just wasn't
economical to stay in business. If software didn't have an 
"as-is" warranty - or if software publishers were forced to stand
behind their products in a meaningful fashion, with support and/or
service, recalls, and all of that, buying a computer would look
more like buying a car and less like buying a gun. (where pretty
much the entire enterprise involves some amount of danger,
though the product liability people have sure given it a good
try.) 

The money which would be paid to plaintiffs, or provided in 
services to them, has got to come from somewhere - either
shareholders or customers, corporations are just leaky money
pipes shipping the stuff between those two endpoints. 

--
Greg Broiles gbroiles at netbox.com
PO Box 897
Oakland CA 94604

More information about the cypherpunks-legacy mailing list