Should Microsoft Be Held Liable for Defective Software?

The vulnerability warnings come so often now that they don't even register as news. Microsoft, the largest software company, is probably responsible for more software vulnerabilities than any other company in the world. For example, just last week the company posted information about critical flaws in the Windows 2000 RAS component, Internet Explorer's (IE's) Gopher technology, and an older Web-related technology in SQL Server. This year, Microsoft announced its Trustworthy Computing initiative, and although the company seems earnest about tackling security head-on, few positive and concrete examples of real progress are available. And although we've been dealing with—and in many cases cursing—the steadily increasing number of problems with Microsoft's software, the company's customers have done little to address the problems.

Until now, that is. A vocal and growing minority of Microsoft's users is starting a call to action, and some have dollar signs in their eyes. Other customers with real buying power, such as various factions of the US government, are complaining directly to Microsoft and threatening to move to rival systems such as Linux if the company doesn't turn around its security woes.

The notion that Microsoft should be held accountable for insecure software isn't new, but a movement to hold the company financially liable for its insecure software is. Critics have often lambasted the software industry for its rarely challenged End User License Agreements (EULAs), which effectively protect vendors from responsibility when their software breaks down. "Today, Firestone can produce a tire with a systemic flaw and they're liable," Bruce Schneier, chief technology officer of network-monitoring firm Counterpane Internet Security, told Reuters recently. "But Microsoft can produce an operating system with multiple systemic flaws per week and not be liable."

That situation might soon change. Microsoft has almost $40 billion in liquid assets and is a ripe target for the sort of class action lawsuits that hobbled tire-maker Firestone and various tobacco companies in recent years.

Microsoft, of course, says that its products are more reliable than those in other industries when you factor in usage rates. "Society has benefited from high-volume, low-cost software and a rapidly evolving ecosystem," says Microsoft CTO Craig Mundie. "Microsoft can't control [the entire] process. If the printer driver tanks the system, who do you hold liable?"

We blame Microsoft, Craig. For example, consumer advocate Ralph Nader recently backed a plan that would let the US government use its market power to force Microsoft to fix its security problems or face losing lucrative government contracts. Nader revealed details of the plan just weeks after the Pentagon released a study that stated open source solutions such as Linux would save the government millions of dollars. But Nader's opinion is that the government's buying power could have more far-reaching effects than propping up Linux. "The Department of Justice is spending years in court trying to restrain very modest elements of Microsoft's monopoly abuses," Nader wrote in a letter to Mitchell Daniels, director of the US Office of Management and Budget (OMB). "There are serious problems with the Microsoft monopoly, including those associated with harm to innovation, security, and pricing. The federal government spends billions of dollars on software purchases from one company that is continually raising prices, making its products incompatible with previous versions in order to force upgrades, deliberately creating interoperability problems with would-be competitors, and is well known for engaging in many other anticompetitive practices. Would a business that was spending this much money be such a passive consumer?"

And Reuters reported this weekend that Air Force Chief Information Officer (CIO) John Gilligan has complained about security problems directly to Microsoft. "I'm spending more money patching and fixing than we did to buy [the software]," he said. "I can't afford to do this anymore."

Finally, here's an odd fact to consider. Just this week, I received several emails from readers who honestly don't want Microsoft's software reliability to improve; unstable, unreliable, and insecure software products virtually guarantee job security for a large portion of the IT world. If Microsoft's software were as easy to use and reliable as the company advertises, these IT personnel would be out of a job.

So should users hold Microsoft liable for the numerous software vulnerabilities that the company acknowledges week after week? The Trustworthy Computing initiative is one fairly damning factor in determining blame: The company's highest executives have admitted again and again that the company needs to do more to create secure and reliable software. That, combined with the seemingly never-ending supply of security bulletins and software patches seems to suggest that the company, indeed, could do more to address security. I'm just not sure that Microsoft breaking out the checkbook is the answer.