Posted on 23-8-2003
Microsoft Criminal?
by Chris Barton, 22.08.2003, NZ Herald
Is Microsoft a reckless company? I ask only because Section 251 of our computer crime laws states that anyone who "intentionally or recklessly and without authority" causes software or data on a computer "to be damaged, deleted, added to, modified, or otherwise interfered with or impaired" is liable to seven years imprisonment.
There's no doubt the maker(s) of this wretched Blaster worm which has wreaked havoc on Windows XP and 2000 PCs over the past week would be caught by this clause. So were they to be tracked down in New Zealand they would get their dues - although I think something involving grievous bodily harm would be more appropriate.
But the broad scope of Section 251 indicates Microsoft should be punished too. After all, it clearly intended the feature in Windows that allowed this to happen.
The "feature" that let the worm run riot goes back to Microsoft's 2000 version of Windows. A feature that's actually a gaping flaw left unfixed for all this time. I call that intentionally reckless - especially when security experts have been warning about the vulnerability for yonks.
Microsoft also admits it was at fault. But is it, or any other software company that releases poor code on the unsuspecting consumer, a criminal?
Judge David Harvey discusses this possibility in his book internet.law.nz. He says "the key words of 'intentionally' or 'recklessly' indicate a deliberate or unreasonable taking of a risk with a knowledge or understanding of possible outcome".
Just how hard would it be to show that some of Microsoft's army of code cutters - with their considerable programming expertise - knew Windows XP and 2000 had faults and security holes when it was released? And also knew those faults could have bad outcomes?
Microsoft might reason software is inherently never finished. And point out it does take reasonable steps to rid its software of bugs before release.
Of course the idea is academic as no one would want to go against the mighty Microsoft on such an issue.
But would there be a case under our consumer protection law which now covers telecommunications services and computer software? The basic premise here is if you buy goods or services, then you can expect them to perform as they say they will for a reasonable length of time. If they don't then you can get redress - like money back or other remedies, and in some cases you can even claim consequential losses.
Judging by the number of calls to the Herald about the Blaster worm mayhem, I reckon there are thousands of Windows users who have paid to get their computers fixed. So would they have a Disputes Tribunal case against Microsoft to reclaim some of that money?
Microsoft would say it wasn't the primary cause of the damage - the worm was. True, but the worm got through because the software consumers bought in good faith had a serious flaw. It's like a car driving into the side of your house and the wall falling down - partly because of the crash, but also because the wall was badly built or of substandard materials.
Microsoft would argue it warned about its bad building last month and users should have downloaded the fix-it patch. True, it did warn on its website and in press releases. But where were the newspaper ads that you'd normally expect with a product recall?
Where, too, was the warning on the software? - "This product must be used with an automatic connection to the Microsoft update site. Failure to download critical updates may cause problems with your PC."
And where was the advisory? "If this product is connected to the internet, Microsoft recommends it should be used in conjunction with anti-virus software and a firewall."
For far too long users have accepted that software is different from other consumer products. And that the End User Licence Agreement you buy indemnifies the vendor against any claims, losses, or problems resulting from its use - even if the vendor knew about the problem before it sold the product. Our consumer protection law is supposed to stop that sort of cop-out.