Microsoft has a little liability problem called Windows. Many are no doubt aware of a would-be class-action lawsuit launched last week in California. The suit targets Microsoft over security problems. The plaintiff is a woman who had her identity stolen. Details are here. (NYTimes, free registration required)
Editorial Notice: All opinions are those of the author and not necessarily those of osnews.com
#@%* Lawyers
My first reaction was #@%* lawyers and stupid class-action suits. But as the NY Times article indicates, there could be more to it this time. Software makers have always managed to avoid warranty and product liability problems by licensing rather than selling their wares. There are two assumptions about this in the software business. The first is that these issues cannot be evaded forever. The second is that nothing will actually change until someone figures out how to overturn the End User License Agreement (EULA) in court.
What’s different in this case from previous software suits are the participants, the basis of the suit and the political climate. A little background is in order for non-US readers. The American legal system is peculiar. There are reasons why it works the way it does. Americans have ceded to the courts much of the power accorded to Government agencies in other countries. There is a lot wrong with this approach, but it does have a few positives. It does provide an avenue for the little guy to prevail over the big. And that happens often enough to give the process credibility. Without going too far into it, we can observe that lawsuits are a regular feature of American business life.
Get Rich Quick
For an ambitious trial lawyer, the best road to fame and riches is the class-action suit. A lawyer can go to court on behalf of a particular client and seek class-action status. If granted, the lawyer gets to represent not only that client, but all others with the same complaint within the court’s jurisdiction. This tool was developed to deal with complex cases where the alleged wrongdoing affected many, many people. For example, there was a class-action suit that represented the interests of all women that received defective silicone breast implants. Usually everyone in the “class” gets the option of signing on to the settlement or going to court on their own if they think they can do better. The class-action appeals to lawyers, who can get rich. It appeals to courts, who deal with one case rather than thousands. And it appeals to aggrieved citizens, who can avoid being defeated piecemeal by wealthy corporations.
If a lawyer can launch a lawsuit and get it certified as a class-action, they’ve made a start on the road to fame and fortune. They still have to win the case, or establish an expectation that they will. This is a risky undertaking that has bankrupted not a few law firms. To get the biggest payoff, the lawyer has to take the case on a contingency basis. The client(s) don’t pay the lawyer a cent. Instead, the lawyer gets a percentage of the payout. The lawyer finances the legal costs of fighting the case. This can easily run into the millions. There was an excellent book (and a pretty good movie) called “A Civil Action” that told the story of a law firm that went under trying to win a class-action suit. The movie “Erin Brockovich” also told the mostly true story of a class-action lawsuit from the lawyer’s perspective. Keep in mind that it is a Hollywood movie. And that the story it tells is as typical of class-action suits as Julia Roberts is of single mothers.
The combination of contingency fees and class-action suits has created a legal sub-industry. There are law firms that prospect for such suits. They find a group of people damaged in some way by someone, then go to court seeking class-action status. The lawyers behind the Microsoft suit have had successful class-action product liability suits before. They know what they are doing. That guarantees nothing, but one has to take the initiative seriously.
Classy?
The suit’s first hurdle is getting certified as a class-action. Microsoft has its best chance to beat the suit here. They have a potent argument. Not all California Windows users had their identity stolen or their computers hacked. And not all the victims of identity theft or hacking can attribute the cause to Windows. The counter-argument is that it makes no difference. Microsoft can’t evade responsibility because their products are not 100% faulty. This could go either way, and a failure to gain class-action status will be the end of it. There is no way to tell right now how this will pan out.
If the suit does get certified as a class-action, there is the EULA to deal with. The legal status of the EULA is not entirely clear, but it has held up in a few previous suits. They were all reasonably narrow industry cases. Nobody has made a really credible consumer-based attack on the EULA before. The law firm has come up with the novel argument that because MS is a monopoly, they can’t use a restrictive license as a shield. Since consumers effectively have no choice but to buy Windows when they buy a computer, they are not in a position to enter into the licensing agreement freely. The firm further argues that MS’s conduct in releasing shoddy products is so reprehensible the EULA shouldn’t be able to protect them. They also say that the upgrade process is so complex and inept that a normal person can’t possibly ensure they have a secure computer. With MS back into the “patching the patches” routine, this is a powerful argument. It is one reinforced by the apparent IE security hole that permitted crackers to steal the source code for Half-Life 2. One can hear the speech to the jury, “If a development company like Valve can’t secure their Windows machines due to MS negligence, then what chance does the consumer have?”
Time of the Season
Microsoft has yet to answer the suit in court. But if their legal strategy is anything like their PR strategy, they’re dead. So far, an MS spokesperson has said “The complaint misses the bigger point, which is that the problems caused by viruses and other attacks are caused by criminal acts by the people writing the viruses.” And “It is pretty clear that Microsoft has made security a priority.” Or as the lawyers will translate for the jury, “the problem isn’t our faulty product, it’s the people who exploit our faulty product”, and “we haven’t done anything wrong and we won’t do it again”. Both are tacit admissions of guilt.
Judges, on the whole, are remarkably fair and clear-minded. But they still swim in the same sea as the rest of us. They are not immune to changes in the character of the water. This summer has been disastrous for Microsoft. The conviction that they cannot or will not make a secure operating system has taken hold in the mass media. As has the idea that MS security blunders are responsible for a great deal of financial and emotional damage. This suit itself is symptomatic of that perception. If the perception did not exist, this law firm would be prospecting in more promising places. At some point, some judge and jury will accept the argument that MS cannot make billions selling an essential product used by everyone with no warranty whatsoever. This law firm is betting that now is that time.
The rest of us in the software business are now on notice. We cannot continue to get away with ship-now-and-fix-later as a development strategy. The day before the filing of this suit was the last day anyone doing business in the US could claim they didn’t think product liability could apply to them. If this suit is successful, any products introduced after its initiation will be held to a much higher standard. Fewer features, better stability and effective security need to start going into products as of now.
“What “choice” do I have if I want to share documents with others in a professional business context (consulting for example). Can I choose to send clients Openoffice documents when they use Word? Stop being so naive.”
How about just saving the document as a word .doc from OpenOffice? Just a thought since OO handles all the MS formats, including .doc, .xls, .ppt, etc.
If someone stole my car... should I sue the car company? I think not... How about the security device company? Maybe, pretty doubtful. Does MS have to take more responsibility than anyone else in any normal situation?
Have you ever smoked? If so you should know that it is dangerous. Suing MS is as stupid as suing Philip Morris. When I started smoking I was very young but I have known that it is bad for my health. After several years I quit smoking (no patches). I would never accuse PM for my loss of health, because I knew what I was doing. Suing PM would mean that I am so stupid that I don’t understand risk involved. With MS it is similar. In most cases one really does not need to use MS products. But even if it is necessary then there are means to self protect. I don’t believe that it is possible to fix Windows. Not with the code used until now. They would have to start from scratch and probably MS could not afford it (it is question of time, not money).
Everybody heard about Half Life 2 leak. The company should fire IT guys responsible for deploying OE where confidentiality is most important.
appleforever:
In OO.org one can set MS Word as the default document format to save. You really don’t know what the hell you are talking about. Introducing panic and conspiracy theory is simply stupid.
In the past few years, there should be a Linux distro appearing at least once on major mainstream PC magazines as their cover mounted DVD/CDs. By this time the consumer has ample time to choose an alternative OS.
Not too long ago, the German c’t magazine had (a version without Gnome and development tools) Knoppix 3.1 on their cover CD. If people forgot to eject that cd after use in Windows, they would get a KDE desktop the next time they started their PC. But I doubt if this has helped much… It would be a start when an important PC firm (Dell or so) would start with LindowsPC’s or something like that.
And I do think Microsoft has a monopoly. For a normal consumer, it is not practical to choose another OS, because it works different and/or isn’t compatible. And as long as that’s the case, it’s a monopoly I think. If Honnywall has 95% of the market because they use proprietary wall plugs with 845 pins, so that those 5% using devices with standard EEC-plugs need to get special converters and adapters to use them, wouldn’t you call *that* a monopoly?
They would have to start from scratch and probably MS could not afford it (it is question of time, not money).
The problem with starting from scratch isn’t just a question of time. It also involves whether or not you could actually get a new product up and running that is equivalent to (both in features and number of bugs) or better than your existing product in a reasonable time. Chances are, any time you rewrite a piece of software from scratch, that you’ll not only introduce new bugs, but reintroduce previously fixed bugs.
On the other hand, they could selectively rewrite (or to use a buzzword, refactor) portions of the code with security in mind. The latter not only takes less time, but is more effective at producing secure code and maintaining the existing feature set (and user interface). This still takes time to do completely, but you aren’t starting from scratch with a complete unknown, and you’re improving your existing product, so you don’t have to re-develop old features.
I don’t know why people harp on software defects so much. Everything that mankind builds or creates has flaws.
When I was a teen, I worked for my father’s construction company building schools, churches and office buildings. You have a time frame and a budget and “good-enough” is the best you can hope for. Residential construction is even worse since the guidelines for residential building are a lot more relaxed.
It’s the same with software. You have a timeframe and a budget and “good-enough” is all that you can expect.
Regardless of your profession, I think you have to admit that you aren’t perfect and neither is your work. If you believe otherwise, you are deceiving yourself.
As much as I dislike MS they are a necessary part of the economy, for now. Yes, they should make their software more secure. Enough said on that. But is the argument about technology or human nature in general?
I also believe that mankind in recent years has embraced the habit of finger-pointing to relieve oneself of much personal responsibility regarding everything in general. This has mushroomed into a feeding frenzy with various lawsuits launched daily for asinine reasons.
I’m not the sharpest knife in the drawer but this is what makes sense to me…
When you throw bills or correspondence with your name and other info into your garbage, have you shredded them? Rendered them unreadable? If not, someone can steal your ID in this manner. It happens every day. Now is the Glad garbage bag company responsible, or the sanitation service that did not get to your dumpster for 3 days?
Didn’t pump up your tires to recommended pressure and had a blowout at high speed? Is this your fault, if there was no other defect with the manufacture of the tire?
Didn’t replace the batteries in your smoke detector and didn’t heed the warnings….your fault?
Finally used that rubber that’s been in your wallet for 5 years and now a baby is on the way….your fault?
Yes, many lawsuits are legit but sometimes look to see if you should first be pointing that finger in your own direction. Thanks. Yeowww, just spilled my piping hot Starbucks on my lap. Now where is my lawyer’s number?
i see – bugs are all faults of management cutting corners, someone else skipping feasibility study, etc, etc.
is there anything the programmers are responsible for ? or are they just drones doing what they are told ?
in my experience i am yet to see a programmer showing the least bit of shame when being confronted with his/her bug. “Oh, come on, what’s the fuss, it is just a bug…” – is a normal reaction. And you will never hear “…sorry…” .
this is unthinkable in any other industry – but programmers and their companies somehow managed to indemnify themselves…