Do Manufacturers Have Any Responsibility?

From Issue #76
August 2000

Aug 01, 2000 By Peter H. Salus

Industry News

This spring's outbreak of viruses has caused me to think about the burden that should be borne by a manufacturer. There is both a moral and a legal accountability any manufacturer has to its customers.

I'll readily admit that I don't use any Microsoft products: in fact, none of my machines has a DOS or a Windows partition. And I think early 1997 was the last time I sat down at an x86 box running Windows. But this spring's outbreak of viruses has caused me to think about the burden that should be borne by a manufacturer.

Any manufacturer has both a moral and a legal accountability to its customers. The various manufacturers of automobiles, children's toys and tobacco products, for example, have learned painful lessons about accountability through product liability suits.

“ILOVEYOU” and “Killer Resume” exploit holes in Microsoft Outlook that any less-avaricious company would have tried to stop several software generations ago. (I might note that the first RFC concerning security is 602 (December 1973), and was written by Bob Metcalfe, the inventor of Ethernet.) In my view, Microsoft has willfully ignored customer security for at least 20 years.

As Gene Spafford (Purdue University) has pointed out, even though Microsoft (and the tobacco companies) sell products that customers appear to want to buy,

does that make the tobacco companies less culpable for selling a product they know to be dangerous? Does it matter that the consumers shell out money willingly for the product? (Even those who have some idea of the danger believe they have no control or choice.)
There is a fundamental question involved in the area of informed consent. If the consumers actually understood the technology and the risks posed by their choices, and if they actually were able to make an unconstrained choice, would they make the purchases? If not, there is a moral (and potentially, legal) obligation for the vendor to make wise decisions on their behalf.

Gerald Shifrin (on the IP mailing list) noted:

As an ordinary non-attorney consumer of computer products, it seems reasonable to me to expect that my software should ask permission before sending email to everyone in my address book or performing a mass deletion or modification of my files. If vendors like Microsoft allow or assist unsolicited foreign email to perform these acts, they are, at least in my mind, guilty of gross negligence.

Well, yes.

In fact, I found it puzzling that after “Melissa” and then “ILOVEYOU” and now “Killer Resume”, the newspapers aren't noting mass filings of product liability suits against Microsoft. If the world's economy can be brought to its knees by very simple code delivered via e-mail to PCs running Outlook or Observer or Explorer, then parts of that economy should be holding the manufacturer responsible.

Kevin G. Barkes (on the IP mailing list) posted:

Another real-world analogy: you're tooling down the Interstate in your Chevy and hit a bump in the road. The doors fall off and the engine explodes. You have the ambulance driver stop at the dealership on the way to the trauma center so you can chew out the service manager. He sneers at you condescendingly and points to a paragraph of six-point type buried in a totally unrelated portion of the owners' manual:
The doors of your car will fall off and the engine will explode when you hit a bump while traveling on an Interstate highway. One of our engineers thought this feature would be neat and we have added it at no extra charge to you. If you disagree (you weenie), you can disable this feature by performing the following procedure. First, obtain three chickens, two brown recluse spiders, a length of nylon rope and a virgin ...

Barkes points out that “Melissa” and “ILOVEYOU” were “badly-written programs created by rank amateurs”. What would happen if a really malicious first-rate programmer wanted to target Microsoft Outlook or Outlook Express?

Another list member said this about Spafford's posting:

To further agree with Gene's point about tobacco and “what consumers want”, let me suggest that at any one point the market offers only a tiny subset of what is possible to create for consumers. Mere selection cannot create possibilities that are not developed or invented. Monopolies distort the creation of selections—in particular in systems' properties like security.

Because of its installed base dominance, Microsoft's primary drive for innovation comes from a need to motivate an orderly “upgrade” revenue stream, while at the same time blocking competitors from entering the market to take that revenue away. That means innovations will be small, incremental, and extremely easy for customers to adopt.

By the time you read this, all questions on the DoJ's case against Microsoft will have been answered, pending a decade of appeals. But even a partly knowledgeable reaction on the part of customers may well put Microsoft into the product liability dock, and send Outlook and its kin the way of the Chevy Corvair.

Peter H. Salus, the author of A Quarter Century of UNIX and Casting the Net, is an LJ contributing editor. He can be reached at peter@usenix.org.

email: peter@usenix.org

______________________

White Paper

More Resources

Fabric-Based Computing Enables Optimized Hyperscale Data Centers

Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.

Learn More


Making Linux and Android Get Along (It's Not as Hard as It Sounds)	May 16, 2013
Drupal Is a Framework: Why Everyone Needs to Understand This	May 15, 2013
Home, My Backup Data Center	May 13, 2013
Non-Linux FOSS: Seashore	May 10, 2013
Trying to Tame the Tablet	May 08, 2013
Dart: a New Web Programming Experience	May 07, 2013

Enter to Win an Adafruit Prototyping Pi Plate Kit for Raspberry Pi

It's Raspberry Pi month at Linux Journal. Each week in May, Adafruit will be giving away a Pi-related prize to a lucky, randomly drawn LJ reader. Winners will be announced weekly.

Fill out the fields below to enter to win this week's prize-- a Prototyping Pi Plate Kit for Raspberry Pi.

Congratulations to our winners so far:

5-8-13, Pi Starter Pack: Jack Davis
5-15-13, Pi Model B 512MB RAM: Patrick Dunn
Next winner announced on 5-21-13!

Full Name: *

Email: *

Job Title: *

Country: *

Free Webinar: Linux Backup and Recovery

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Register now for this free webinar.