On Network Product Liability and the Need for Testing

Software, and network related products and services, have long been sold, licensed, or operated with a unique degree of immunity for flaws and failures.

A sea change may be coming.

This change could be of Biblical proportions, so perhaps a Biblical sounding warning should be heralded:

Manufacturers, makers, and vendors take heed lest you be drowned.

In March of 2023 the Biden Administration released a "National Cybersecurity Strategy".

Take a look at Strategic Objective 3.3, "Shift Liability For Insecure Software Products and Services":

The Administration will work with Congress and the private sector to develop legislation establishing liability for software products and services. Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios. To begin to shape standards of care for secure software development, the Administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.

I have long advocated that network devices and the software they contain be fully subject to the kinds of liability that are imposed on other kinds of products.[1][2]

It seems that perhaps the US government has finally gotten the message.

It is obvious to everyone that a lot of software is flawed. Vendors have evaded responsibility for a long time through the use of "terms of use" or license disclaimers of warranties; coerced arbitration; liability dollar limits; and choice of law, venue, and jurisdiction stipulations.

The Administration built its proposal around concerns for security and privacy. And that may well be where vendor liability attaches first.

But the logic and arguments in the proposal are not limited to security and privacy. Just as product liability began with products that could cause direct and terrible damage to people, courts and legislatures may expand the scope as network software harm manifests itself in ways beyond security or privacy.

Liability for Flawed Products is a Long Established Principle

For centuries makers of products have been held responsible for damages caused by flawed products when those damages were suffered by a direct purchaser. That worked acceptably for large entities that bought directly from makers. If the wheels fell off a locomotive, the railroad could recover damages from the maker of that locomotive, because the railroad bought directly from that maker.

Early product liability law acted only when there was a first-party, direct buy-sell relationship between the maker of a product and the ultimate purchaser. This was called "privity of contract."

The requirement of "privity" between maker and user does not work very well in our modern consumer world in which products are distributed through a chain of wholesalers and retailers. Today there is usually not much, if any, direct contractual contact between the maker of a thing and the buyer.

Things began to change in the 1950s when makers built highly dangerous products that caused significant harm to their users, but the makers were able to evade responsibility because there was no "privity".[3]

California was one of the first places where manufacturers were held to account for flaws in their products even when those products had passed through a chain of wholesalers and retail intermediaries.

A short history of Products Liability law may be found here: Product Liability Law: Some Legal Background

Sometimes the makers of a product are held to the standard of "strict liability", which means, effectively "if you made it then you pay for the harms caused without examining whether you were negligent in the design or manufacture." Strict liability is nearly insurance and is based on the premise that the maker has far more power than the user when it comes to the design choices that make a product safe.

In other contexts, the maker of a product may be held to the more lenient standard of "negligence".

There is No Reason Why Network Products Should Be Immune

For a long time arguments were made that software could not be patented. It took a couple of decades before courts and legislatures found those arguments to be largely filled with nothing more than heated air: If an adding machine came up with wrong sums then it did not really matter whether the error was the wrong number of teeth on a metal gear or an error in the software.

Software has long gotten away with flaws that would not be acceptable for other kinds of products. A good deal of this comes from the way that software is disseminated: by a license.

Lawyers love to fill licenses with all kinds of disclaimers and limits. Then they add provisions to make it difficult for users to enforce the few remaining rights: there is mandatory arbitration, inconvenient choice of governing law, and use of remote geographic jurisdictions and venues.

Because users typically had no power to negotiate better terms, those imbalanced agreements came to be the norm.[4]

Thus it became a routine assumption that software licenses would protect the vendor or maker from liability.

However there is no particular reason why software should be wrapped in these layers of armor while nearly every other kind of product is not.

In cartoons Wile E. Coyote may ignore gravity for a moment after running off the edge of a cliff. But logic and physics will eventually prevail and poor Wile E. will fall.

Similarly, as more people are harmed by ill-functioning software, the gravity of responsibility may begin to assert itself upon the makers and vendors of that software.

Indeed, this seems to be happening.

Which Standard of Proof: Strict Liability or Negligence?

When a product is subject to strict liability, the maker becomes an insurer: the vendor compensates the injured person. In other words, no excuses and rather few exceptions.

When a product is subject to the negligence standard, the vendor is liable to the injured person only if the vendor failed to meet its duty of care. What is "duty of care"? Generally it is the responsibility to be at least as careful in design and production as a hypothetical reasonable vendor in the industry. That's rather vague, and that's why there are great fights between armies of experts when such things come to trial.

The line that demarcates those situations subject to strict liability from those under negligence generally aligns with whether human injury (or death) can or has occurred.

Our Internet is becoming a lifeline grade utility. Our lives, health, finances, and relationships are becoming ever more dependent on the Internet.

Even if network products and operations are initially held to the lesser negligence standard, over time there may be a slow elevation of responsibility into the area of strict liability.

Negligence shifts like the sands of the desert. As vendors improve their practices, as better methods of design and care in production are introduced, the standard of care dividing negligent vendors from responsible vendors moves, usually becoming more stringent.

Vendors must pay attention to this shifting standard and must improve their practices to keep up, else risk liability should something go awry with their product.

Many excuses are made that "the Internet is too new", "it is too early to make vendors responsible for their products' failures". These excuses have become obsolete and stale.

There is no clear date when the Internet began. I tend to use the late 1960s; others use the date of the transition from NCP to TCP in the early 1980s. And others use the rise of the World Wide Web in the mid 1990s. Even the most recent of those dates is three decades ago.

With this passage of time it becomes increasingly difficult to plausibly maintain that the Internet (and the software and devices on it) is so new and fresh that it should be allowed a pass on liability should some harm befall.

At the present time (early 2023) there are fairly few parts of the Internet whose failure or misbehavior could inflict physical injury upon a human.

Yet that could change quickly.

We have seen remote surgery on an animal.[5] Surgery, performed remotely over the net on humans, is foreseeable.

And courts may start to recognize that destruction of a person's finances or reputation also ought to come under the hammer of a strict liability standard.

Testing is a Necessary Part of Vendor Responsibility

Much of the software used by consumers on the net is shoddy. A lot of code is dashed off in a hurry, and if it runs in the developer's limited and often contrived and circumscribed network, the code is bundled off to GitHub and published to the public.

Beyond trivial "does it work for me" testing, there is often no real effort made by vendors to evaluate whether their code will hold up under potential real life conditions.

Absent a real effort to actually test code against plausible network events and conditions, it would be hard for a vendor to claim that due care had been exercised.

Testing is hard and imperfect. But it must be done, if not simply to produce a professional product, at least to try to meet a developer's duty of due care.

Open Source is Not Immune

There is no obvious, or non-obvious, reason why use of an "open source" license should create a shield against liability, either strict or based on negligence.

Use of open source software in a commercial product is not a bulwark against liability.

There is a lot of open source code that is extremely good and has been thoroughly, even if informally, tested by users.

And there is a lot of open source that can barely struggle its way through a compiler without generating myriad warnings.

The same can be said of a lot of proprietary software.

Whether open source or proprietary, the level of responsibility for flaws ought to be the same.

Conclusion

It is likely that vendors of network products will be made legally responsible for flaws in their products when those flaws contribute to security or privacy breaches.

This responsibility will almost certainly be extended to encompass flaws that cause personal injury, financial, and other kinds of harm.

In most situations negligence will be used as the measure of liability. Strict liability will probably be used, at least initially, only in those cases where human injury is possible.

Vendors can reduce their risks by acting responsibly and taking care in the design, construction, and documentation of their products. Over time we can anticipate that the definition of adequate care will become increasingly stringent.

Vendors will have to engage in reasonable amounts of testing of their products else risk being adjudged as negligent and liable for the harms their products cause.

In addition, vendors who do not perform adequate testing can expect that their insurance premiums will increase.

The world of software and network development is about to change. Part of that change should be increased attention to a broad range of testing, both for conformance to Internet standards and also for robust, safe operation on an Internet where things are often far from clean-room, development laboratory conditions.

Notes

[1] "From Barnstorming to Boeing – Transforming the Internet Into a Lifeline Utility"
8th IFIP/IEEE International Symposium on Integrated Network Management, Colorado Springs, Colorado, March 26, 2003
Speaker's Notes: https://www.cavebear.com/archive/rw/Barnstorming-to-Boeing.pdf
Slide deck: https://www.cavebear.com/archive/rw/Barnstorming-to-Boeing-slides.pdf

[2] "Network Operations On A Public Utility Internet"
NANOG, Austin Texas, 2019
https://www.cavebear.com/cavebear-blog/nanog-keynote-as-spoken/

[3] Some of the early cases were quite horrific. Several involved "vaporizers", pots of boiling medicated water placed in rooms where young children slept. Those children would sometimes tip the vaporizers and be scalded, resulting in permanent disfigurement or death.

[4] Open source licenses, most particularly the suite of GPL licenses, try to counteract the one-sided commercial license. However, some licenses, again such as the GPL, impose their own view of social values.

[5] China completes world’s first 5G remote surgery in test on animal (YouTube video clip)
