Software developers have had it easy, comparatively speaking, next to the manufacturers of hardware or other more tangible items. Car manufacturers are held liable for defects in their automobiles; tire manufacturers are held liable for defects in their tires; toy manufacturers are held liable if they don't place warning labels about choking hazards, or if they make a toy that is actually harmful; and so on. Yet software developers have lived behind a shield of no-liability that has protected them from any financial retribution, even if their software is faulty, damages the computers it is installed on, or has such blatant security holes that a 12-year-old with some HTML knowledge can effectively wipe out someone's hard drive.
Recently, however, a growing number of people, both in the software industry and in the judicial system, are beginning to voice the opinion that software companies should be just as liable as Firestone, Ford, or Kenner. Most people who use products on their PCs know of things like patches, updates, and security fixes. If you use Windows, it can seem like a daily occurrence to download the newest security patches for Internet Explorer, Outlook/Outlook Express, Windows itself, and so on. And many of us, myself included, simply click the update button and hope that it won't mess our computer up when it "fixes" the problems.
It would seem that some people are beginning to get the hint that software developers have become lazy in some respects. Nowhere does this seem more true than in PC gaming, where patches sometimes have to be downloaded the day a game hits store shelves: patches which should have been in the game to begin with, or which fix problems that should have been found in quality assurance and testing. But it also seems that people have begun to grow unhappy with the fact that software developers can release software without it being ready for use.
Microsoft is seen as the deep-pocketed target of this legislation. But that isn't exactly unfounded, nor is it unfair to target the monopolistic software giant in this legislation.
Up until recently, Microsoft has pretty much done nothing about the gigantic security holes in its Windows operating system (OS), its Internet browser, or its e-mail programs. It seems the company waits for a security hole to be discovered, then releases a patch to "fix" the problem, and takes no responsibility if someone's entire computer is compromised. If some reports are to be believed, the company already knows about many of these problems before it releases the programs into the marketplace. Supposedly Windows 2000 was released with 20,000 bugs and security holes already known to Microsoft, and yet the software giant released the OS to the market anyway.
Or Lack Thereof.
Some industry people think that Microsoft uses a litmus test of sorts to decide where work should be done. These people say that security in Microsoft programs is the part of the test that gets the least attention. The odd thing is, the litmus test isn't for the good of the public and commercial users, but for profitability. Security, it seems, is simply not profitable to Microsoft.
Take, for example, the fact that 99% of the computer viruses in the world only attack one OS: Windows. These same viruses really only spread to and from, and attack, one e-mail program: Microsoft Outlook/Outlook Express. Some people would say that the large number of viruses attacking Windows is because of its dominance in the computer OS market. It's more accurate to say that they attack Windows because it lacks even the most basic security in the OS, and in any and all Microsoft suites and programs.
Outlook, for example, can run a virus without you even opening the e-mail or any attachments it may have; in many cases simply downloading the infected e-mail from your mail server allows the virus to go to work. If the virus is encoded in HTML, Outlook lets the HTML through without any filter and lets malicious code run directly from the e-mail to your computer, even if you only click on the e-mail to delete it, because it automatically opens the e-mail when clicked. Internet Explorer also allows HTML code to run automatically unless you specifically tell it not to (something most normal users don't know how to do), which means viruses can be encoded into web pages as well. The OS allows important files to be overwritten by any program that wants to do so, without letting the user know. And many of the files and file extensions that programs like Outlook use are also used by Word, Excel, and other applications published by Microsoft, which means that if a virus infects one of the programs, it can, and normally does, infect them all.
There have been so many Microsoft Outlook viruses that many of them are not even considered newsworthy anymore. And yes, they are all Microsoft Outlook viruses, not generic computer viruses as Microsoft would like you to believe, since they all affect, run through, and use only Outlook and Outlook Express to spread. You have to hand it to Microsoft for deflecting that bit of bad PR by having the media call them computer viruses instead of Microsoft Outlook viruses; imagine what people would think of Microsoft products if these viruses were labeled as they should be.
When these viruses deliver their payload, it can be as annoying as pop-up windows or as damaging as the complete formatting, and subsequent loss of data, of the computer's hard disk drive. When this happens, the receiver of the payload currently has no recourse to get any sort of compensation from Microsoft. It doesn't matter if the virus was disguised in an MS Word file, sent to and received by the MS Outlook e-mail program, and used Windows to do its damage; right now, this isn't Microsoft's fault. Or, at least, Microsoft isn't liable for any damages caused by the lack of security features in its programs.
The Possible Future
If this new legislation passes, then companies like Microsoft are in for a very large eye-opener. Of course Microsoft, and other companies, will lobby and throw money around to try to ensure that legislation making them liable for damages done by security holes never gets past the planning stages, but they can't be sure that will work.
Analysts say putting a dollar amount on the liability that Microsoft could face is hard to do, but since Microsoft is expected to have around $50 billion in cash reserves and short-term investments by June 30, 2001, it would be one of the biggest targets of class action lawsuits. Even if Microsoft were found liable under the new legislation and forced to pay out just $100 to every person who has been hit with a Microsoft Outlook virus, the money paid out could get into the billions. And that doesn't account for companies that end up losing actual money because of malicious code running through the truck-sized holes in Microsoft products; that would be even more money.
So could this new legislation destroy Microsoft? Doubtful. But it could force Microsoft, and other companies, to actually look at the security features they do have, and the holes they also have, and try to fix them before they become a problem for end users. It's not as if hackers and virus writers create the security holes; they simply exploit them when they find them. And in Microsoft's case, there are lots of security holes to exploit. Perhaps Microsoft Windows XP Version 26 OSR 37 will actually be more secure than the current versions of the Windows operating systems. If this legislation passes, Microsoft had better hope so.
This legislation won't make programs like Norton AntiVirus or McAfee Anti-Virus obsolete or unusable; after all, there are some security holes that are probably honestly missed. But if Windows 2000 was released with 20,000 known bugs and security holes, then Microsoft is the one to blame, and should be held liable for any damages done through the exploitation of those security holes.