Cyberlaw/Day 2

From Cyberlaw: Internet Points of Control Course Wiki
  • Day 2 notes and questions:

Texas Lawyers

  • General criteria for liability:
    • Those with deep pockets
    • Those likely to be found liable
    • BUT liability rule must not kill internet or other things people care about. Must be a sustainable rule.
  • Whom to sue?
    • OS makers, ISPs, SW makers, and antivirus makers.
    • Go after people who have some actual relation to the problem.
    • Custodians of hijacked computers.
    • HW manufacturers.
  • What are the standards of liability?
    • Tort
      • BUT hard to get tort liability for purely economic harm, if no accompanying physical harm. So if virus resulted in someone actually dying, can bring basic negligence case based on breach of duty.
    • Picker article: most states will honor disclaimer of MS's warranty; won't let you get around it through tort or contract.
  • To whom would it be most fair to apply liability?
    • ISPs, because they have greater ability to control.
    • Picker: you've got cyberterrorists, and cyber-fraudsters, and cyber-vandals. Make distinctions along this taxonomy.
      • So can look to intent of harm-dealer. But this is difficult because there are innovative new harms coming up every day.
    • Perhaps 'harm' = running 'rogue' code that in retrospect you wouldn't have wanted to have running.
      • Can ISPs do anything about the problem of rogue code? Can they distinguish 'rogue code' from everything else that they pass?
        • Consider that ISPs assign IP addresses to people. Usually they know who those people are, and where they are.

ISP group

  • We don't want to pay the costs of compliance just because we're trying to be good. We would actually favor gov't regulation over a scheme of individual liability like this.
  • We do, however, favor consumer-targeted schemes. "We'll watch your traffic" could be a selling point to the consumer, too. "If it looks like you're doing something suspicious, we'll say you can't do it!"
    • Cf. Picker's scheme: "if you go with AOL, we'll be ready to catch you if you fall." An insurance scheme that compensates you for your 'hacking costs'.
    • What is the right level of efficiency? Compare value of software to costs incurred by hacking.
      • Consumers are probably only willing to pay as much as it helps them.

Standards of liability

  • What is the standard of care owed by grandma to prevent third parties getting infected by a virus propagated by her computer? How can we impose duties on users when their machine is an instrument of the problem?
    • Perhaps user education is the solution, e.g. through licensing.
      • Then again, for it to be effective, you'd have to have relicensing.
      • Cf. Dan Geer's monoculture argument that at least 50% of machines should have OS other than Windows.
    • BUT Picker's argument for shifting liability is as unrealistic as user education because computers are ubiquitous and it would be too costly to re-educate everyone. Shift liability costs to the software professionals, and those making the PC, who are the least cost avoiders.

OS and SW makers

  • Why shouldn't OS & SW makers be the least cost avoiders?
    • Security problems aren't directly related to the SW/OS itself. There are too many complicating factors.
      • If you plug it in and immediately there's a virus, then liability would make sense.
    • Picker's response: buggy systems create their own forms of market separation. So people with a higher aversion to buggy systems won't buy them. JZ: This fits in with our generative schema.
      • BUT this assumes sophisticated and well-informed consumers.
      • Picker favors idea of releasing buggy software so that people are able to try it out, BUT this imposes unfair externalities on early adopters.

Big Questions = Where are the points of control here? What are the criteria: least cost avoider, moral responsibility? How do we frame this situation such that people believe they have more responsibility?

Ombudsman Group

  • Who are we missing from this bargaining table?
    • HW makers
    • Various state actors
    • Law enforcement (affected by whether rules are broad or specific)
    • Corporations & their IT departments (should they have different standards, depending on whether they have IP at stake and whether they run competing services?)
    • Benevolent hackers
    • Insurance industry