October 07, 2003 09:07 PM

Should Microsoft Be Liable for Bugs in Its Products?

Windows IT Pro
InstantDoc ID #40473

A growing number of analysts, tech industry reporters, IT decision makers, systems administrators, and other users of Microsoft products are starting to ask the same question: Should Microsoft be held financially liable for the vulnerabilities in Windows and its other products? Granted, this year hasn't been good, security-wise, for Microsoft: This summer's SoBig.F virus and MSBlaster worm interrupted businesses and individuals worldwide, albeit without any loss of data, and recent vulnerabilities in Microsoft Internet Explorer (IE) facilitated the deadly new QHost attack, which runs malicious code on users' computers when they navigate to unsafe Web sites. But Microsoft, like other software makers, has historically relied on an End User License Agreement (EULA) to protect itself from customers seeking restitution for the allegedly shoddy quality of its products. Is the EULA legally enforceable? Can Microsoft be held liable for problems, including financial losses, its customers accrue from using its software?

A Microsoft consumer in California is testing these legal waters, having launched a class-action lawsuit against the software giant that could cover millions of users in that state. The suit charges Microsoft with unfair competition and infringing on California's consumer protection laws, which are among the strictest in the nation. The suit also charges that Microsoft issues its security alerts too early, giving hackers time to construct attacks for vulnerabilities before users can patch their systems. Also, according to the suit, the company's security alerts are too jargon-laden and technical for average users to digest.

I can't comment about California's laws, and I'm certainly no legal expert. The claims about security bulletins are open to debate, but I'm not sure that the timing of the security bulletins is the problem. A bigger concern is that many Windows users don't take advantage of Auto Update, Windows Update, and the other update services that Microsoft makes available. And enterprises and midsized businesses have no easy solution, which is a topic we've returned to repeatedly this year in Windows & .NET UPDATE: Microsoft's patch-management strategy is broken and in desperate need of an overhaul. That overhaul is coming over the next several months, although it's unclear what steps, if any, the company will take to back-port the strategy to all the Microsoft products enterprises currently use, including Windows 2000 and Windows NT 4.0. Security advances, in my opinion, can't be a benefit only for users of newer products. The company has an obligation to at least protect its users. Non-security-related products are, perhaps, another story.

But should we hold the company liable? The topic is complex, and I've been wrestling with it for a while now, opining last month in a WinInfo Daily UPDATE Short Takes blurb that, yes, perhaps the company should be held liable. From what I can see, Microsoft does its best work under pressure, and if the company truly had a stake in keeping its customers safe, perhaps its products would improve as a result.

One thing that's always confused me is the legality of the EULA. Can you think of any other product whose license makes no guarantee that the product will work as advertised and even states that the company that made it has no legal responsibility if you lose money, data, or time as a result of using that product? It's somewhat inconceivable to imagine manufacturers selling cars, consumer electronics, furniture, or other products under these conditions. Because software is such a crucial part of our lives, perhaps it should be ... gasp ... regulated.

Don't get me wrong; I don't believe that we need more government oversight, and certainly, the US government doesn't exactly have a proud history of software development, the Internet notwithstanding. But isn't software now so important to the national infrastructure that it needs to be held to a higher standard?

You'll notice I'm asking a lot of questions. I really don't have the answers, beyond the notion that we all need to start asking these questions more often and more seriously. I'm interested in what you think: Is Microsoft's software too important to the nation's financial infrastructure to let the company continue making its software in a vacuum and selling it under terms which free it, legally, from any retribution tied to its lack of quality? In other words, should Microsoft be held financially liable for the bugs and vulnerabilities in its products? I honestly don't know.


How can there be so many opinions on this dumb topic? I mean, honestly, you computer freaks, Microsoft should be held liable for its products. End of discussion. I don't see what the big fuss is about.

Anonymous User 5/31/2005 3:07:09 PM


Hi Paul. Here is my nickel's worth: We SHOULD NOT hold Microsoft liable for malware and viruses (yes for not working as advertised).

Our whole model is upside-down. Viruses and malware COULD NOT SPREAD, if the intermediaries (ISPs and routing farms in the core) were required to block all known stuff, as soon as a signature is identified.

End users (my mom) CAN'T be taught how to stop this stuff - and lazy (or uninformed) administrators can't be stopped from being lazy or uninformed. Stop it en-route and it will die within minutes (as opposed to years, as several have been bouncing around the web).



Will Harper 10/22/2003 6:29:35 AM


Like many things in our society, we need to bear the responsibility individually for our own protection.

We have auto insurance, reimbursing us after an incident, but we have regulations, also that require a certain standard of quality in the products we drive. We should be evaluating those products BEFORE we buy them. There is no lack of information, certainly.

We lock our front doors, and keep homeowner's insurance, but again, we need to bear the responsibility of taking care of our own property to forestall tragedy as best we can.

There are contracts we sign which warn of possible dangers, but they are so complex that we seldom read them before we sign. We need to bite the bullet and read them, or live with the consequences.

There must come a day when we are held responsible for our own possessions, and that we, as consumers, become smarter, more wary, more intelligent and better informed.

We cannot continue to push the blame off on the creator - unless of course, there is some proof of gross IRresponsibility, carelessness, malice or other evil intent. If we do not buy poor products, the companies that sell them will no longer hold onto business, and they will fail.

Microsoft is a fine company, which makes fine products, and which, in my opinion, supports those products admirably. Where, in this world is anything perfect - though we may strive for perfection, we seldom attain it. Does Microsoft attempt to give us good products, and inform us and support us? I think so... and better than most companies. And are we willing to WAIT for the perfection that is possible, if the developing product were given the time it needs to become near-perfect?

I do think we need to insist on quality - as much as it is feasible - but then again, we are always looking for newer, brighter, fancier, better, smarter, cheaper... and insisting that companies fulfill all those hedonistic desires - immediately!

You can't have it both ways: You want quality, you must wait the time it takes to create a perfect product. In a society such as ours, since other companies won't wait while one company strives for perfection, the "one company" will go out of business, because we purchase products, wanting them "NOW", expecting perfection, knowing we will not get it, and then we, American society that we are, proceed to SUE the company for giving us the product we purchased... and risking more money, time and effort on the lawsuit!

We need to start taking some personal responsibility for our own lives... and stop looking for people and companies to blame.

Alice M Schumm 10/21/2003 12:41:55 PM


I have been a user of Microsoft products since DOS 1.0.
Have dealt with an excessive number of bugs and severe program errors during all those years.

But the grossest one of these occurred when I participated in the BETA TEST PROGRAM for Windows 2000.
The BETA software was plagued with numerous bugs. I reported all that I found on initial installation, and as I discovered new bugs and errors during that BETA TEST period. I was at the same time impressed with much of what I saw and used.
I purchased my copy of Windows 2000 Pro the first day it was released. Was anxious to use a copy with all the bugs repaired.
WRONG!!!!
Every single bug that was there in the BETA TEST program was still there in the released version. Not a single one had been corrected.
Should Microsoft be held responsible?
Absolutely.
Yet as a customer, I assume full responsibility for the Gross Errors that Microsoft knowingly releases to the public. I say knowingly, because reported bugs were not corrected. In my eyes this is virtually criminal on the part of Microsoft.
My personal losses, when man hours are allowed to be considered in addition to actual physical losses, probably equal about 50 times my investment in their software. And I still use it, because there is no substitute available that I can afford to own.

This PC has an Intel Pentium 4, 2.8GHz, 800FSB with Hyper-Threading Technology. 1,024 MB PC3300 DDR memory.
It was shipped with the current release of Windows XP. The first Windows upgrade was 29 different software fixes. After being in use all these many months.

Rev. John Foreman 10/10/2003 9:54:45 AM


I will begin with my answer and then state why. Answer: NO. Everywhere I look, we still keep trying to chase the notion that it must be perfect. Nothing man-made has ever been designed, produced, or delivered without its defects, blemishes, quirks, imperfections and the like. I relate this to a small forest that if left alone provides wood for building, heat for warmth, shade from the elements, protection from the seasonal weather changes, but the signs posted say "Forest Produced By GOD, but God is NOT Responsible for Man's Move to Make Better". We (MAN) start to say that the trees in the forest are not big enough, or have been placed in the wrong place whereby it blocks our view of the sun. Result: we cut down the trees, and when the floods come we want to blame something or somebody because nothing was there to hold back the tide. I could go on and on, but the result would still be the same: if you want perfection, DON'T Open that CAGE; once the cat is out there is the scratching, marking, the additional noise, and the occasional bloopers. Thank you for the opportunity to respond.

Donald L. Coe 10/10/2003 6:30:40 AM


Should Microsoft Be Liable for Bugs in Its Products?

Well, if it was, so would EVERY other software company in the world. This would bring the IT industry to a standstill.

If MS is liable for bugs, would they be able to counter-sue if you didn't apply patches or misconfigured the software they make?? Sort of like if a pharmaceutical company couldn't be sued if you didn't follow the directions on the bottle.

I think this sort of argument is really a waste of everyone's time.

Nathan 10/9/2003 10:10:43 PM


Who will be held liable for Linux and other open source code????

Joel (UltraBrowser) 10/9/2003 11:01:05 AM


I must retort with a question ... If you lock the door to your house and a thief breaks the window, climbs in, robs you blind, unlocks the door from the inside and leaves with all your stuff, should the lock company be found liable? Similar with wireless network vulnerabilities... if you aren't protecting yourself from the bad guys, shame on you. But if they do access your network resources against your will, they broke the law not you. Isn't that the case with unsavory individuals exploiting vulnerabilities to access your network or PC resources?

Even further, considering the power of the press and its influence on the financial infrastructure of western civilization, should media be held financially liable each time their oft too quickly released, unsubstantiated accusations result in financial and emotional suffering of others?

Ted Alexander 10/8/2003 9:53:14 AM


Oversights can happen in the design of any hardware or software product, and this should not be penalized. However, when a company negligently designs a defective product, there are all kinds of lawsuits -- especially with an automobile. Over the years, Microsoft has added many features with the implementation completely disregarding security, such as active content in emails or active RPC ports on a dial-up internet connection. This constitutes negligence and should be treated as such.

Kevin Campbell 10/7/2003 11:49:29 PM


What a burdensome precedent this would set! The ramifications not just for Microsoft, but for all software vendors would be huge. Microsoft, with all of their billions, would be able to make the required changes and so would all of the other large software vendors. Those that would be hurt the most would be the small to medium sized vendors who could not afford the lawsuits or the additional costs of R&D to solve the problem.

Let's not kid ourselves into thinking that only Microsoft's software has bugs. All software has bugs! To market a software product that has no bugs would increase the cost of that software tenfold or more. Microsoft can afford this, the little guys can't.

Ron Wright 10/7/2003 2:52:47 PM



Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.