A growing number of analysts, tech industry reporters, IT decision makers, systems administrators, and other users of Microsoft products are starting to ask the same question: Should Microsoft be held financially liable for the vulnerabilities in Windows and its other products? Granted, this year hasn't been good, security-wise, for Microsoft: This summer's SoBig.F virus and MSBlaster worm interrupted businesses and individuals worldwide, albeit without any loss of data, and recent vulnerabilities in Microsoft Internet Explorer (IE) facilitated the deadly new QHost attack, which runs malicious code on users' computers when they navigate to unsafe Web sites. But Microsoft, like other software makers, has historically relied on an End User License Agreement (EULA) to protect itself from customers seeking restitution for the allegedly shoddy quality of its products. Is the EULA legally enforceable? Can Microsoft be held liable for problems, including financial losses, its customers accrue from using its software?
A Microsoft consumer in California is testing these legal waters, having launched a class-action lawsuit against the software giant that could cover millions of users in that state. The suit charges Microsoft with unfair competition and infringing on California's consumer protection laws, which are among the strictest in the nation. The suit also charges that Microsoft issues its security alerts too early, giving hackers time to construct attacks for vulnerabilities before users can patch their systems. Also, according to the suit, the company's security alerts are too jargon-laden and technical for average users to digest.
I can't comment about California's laws, and I'm certainly no legal expert. The claims about security bulletins are open to debate, but I'm not sure that the timing of the security bulletins is the problem. A bigger concern is that many Windows users don't take advantage of Auto Update, Windows Update, and the other update services that Microsoft makes available. And enterprises and midsized businesses have no easy solution, which is a topic we've returned to repeatedly this year in Windows & .NET UPDATE: Microsoft's patch-management strategy is broken and in desperate need of an overhaul. That overhaul is coming over the next several months, although it's unclear what steps, if any, the company will take to back-port the strategy to all the Microsoft products enterprises currently use, including Windows 2000 and Windows NT 4.0. Security advances, in my opinion, can't be a benefit only for users of newer products. The company has an obligation to at least protect its users. Non-security-related products are, perhaps, another story.
But should we hold the company liable? The topic is complex, and I've been wrestling with it for a while now, opining last month in a WinInfo Daily UPDATE Short Takes blurb that, yes, perhaps the company should be held liable. From what I can see, Microsoft does its best work under pressure, and if the company truly had a stake in keeping its customers safe, perhaps its products would improve as a result.
One thing that's always confused me is the legality of the EULA. Can you think of any other product whose license makes no guarantee that the product will work as advertised and even states that the company that made it has no legal responsibility if you lose money, data, or time as a result of using that product? It's somewhat inconceivable to imagine manufacturers selling cars, consumer electronics, furniture, or other products under these conditions. Because software is such a crucial part of our lives, perhaps it should be ... gasp ... regulated.
Don't get me wrong; I don't believe that we need more government oversight, and certainly, the US government doesn't exactly have a proud history of software development, the Internet notwithstanding. But isn't software now so important to the national infrastructure that it needs to be held to a higher standard?
You'll notice I'm asking a lot of questions. I really don't have the answers, beyond the notion that we all need to start asking these questions more often and more seriously. I'm interested in what you think: Is Microsoft's software too important to the nation's financial infrastructure to let the company continue making its software in a vacuum and selling it under terms which free it, legally, from any retribution tied to its lack of quality? In other words, should Microsoft be held financially liable for the bugs and vulnerabilities in its products? I honestly don't know.