CFP: PKI research workshop

pasward at big.uwaterloo.ca pasward at big.uwaterloo.ca
Wed Jan 23 12:10:10 EST 2002


John S. Denker writes:
 > pasward at big.uwaterloo.ca wrote: 
 > >...
 > > People running around in business selling
 > > products and services and then disclaiming any liability with regard
 > > to their performance _for_their_intended_task_ is, IMHO, wrong.
 > 
 > IMHO this presents an unsophisticated notion of 
 > "right versus wrong".
 > 
 > By way of analogy:  Suppose you go skiing in Utah.
 > A rut left by a previous skier causes you to fall
 > and break your leg, or worse.  Now everybody involved
 > has been using the ski area _in_the_intended_manner_
 > yet something bad happened.  So who is liable? The 
 > ski area could have groomed that trail, but they 
 > didn't.  They could have enforced a speed limit, but
 > they didn't.  They could at least have bought insurance
 > to cover you, but they didn't.  They simply disclaimed
 > all liability for your injury.  Not only is this 
 > disclaimer a matter of contract (a condition of sale
 > of the lift ticket) it is codified in Utah state law.
 > Other states are similar.  If you don't like it, don't
 > ski.

First, this is not an analogy.  It is a counter example, and one of
very few that exist.  Second, it is an incorrect example:

     In Clover v. Snowbird Resort, a resort employee, arguably on
     duty, came over a roadcut and collided into the plaintiff. Utah's
     statute imposes on skiers the risk of hazards inherent to the
     sport, which includes changing weather conditions, impact with
     lift towers, collisions with other skiers, and losing control.
     Nevertheless, the Utah Supreme Court held that Utah's ski act
     requires a case-by-case determination to decide whether any
     particular hazard truly is integral to the sport. In that case,
     the court held that an injury caused by an unnecessary hazard
     that could have been eliminated in the exercise of ordinary care
     is not "inherent" and the skier may recover from the area
     operator.

Other states have similar cases and law.  For example, in Colorado
legislation, it explicitly states: 'The term "inherent dangers and
risks of skiing" does not include the negligence of a ski area
operator ....'  Courts are quite good at distinguishing between
inherent risk of an activity, and the duty of care required by a
ski-area operator.

Then we can look beyond this particular example to other segments of
society.  Auto manufacturers cannot disclaim liability even though
driving on a highway at 60 mph is an inherently risky activity.  Pub
owners cannot disclaim liability for their customers who become
drunk.  Not even McDonald's can disclaim liability for the hot coffee
it serves in drive-throughs.

So, why does the software industry, and the software-security segment,
persist in the notion that it can disclaim all liability regardless of
negligent coding behaviour?  Duty of care applies.  Does this mean
perfection?  No.  It never has.  However, it does mean that companies
are liable for the negligence of their employees, and disclaimers of
liability will not protect such companies.

 > Returning to PKI in particular and software defects in 
 > particular:  Let's not make this a Right-versus-Wrong
 > issue.  There are intricate and subtle issues here.
 > Most of these issues are negotiable.

I don't expect perfection.  I expect a duty of care.  Negligent coding
causing loss is not reasonable.  

 > In particular, you can presumably get somebody to insure
 > your whole operation, for a price.  In the grand scheme
 > of things, it doesn't matter very much whether you (the
 > PKI buyer/user) obtain the insurance directly, or whether
 > the other party (the PKI maker/vendor) obtains the insurance
 > and passes the cost on to you.  The insurer doesn't much
 > care; the risk is about the same either way.
 > 
 > The fact is that today most people choose to self-insure
 > for PKI defects.  If you don't like it, you have many 
 > options:
 >  -- Call up some PKI vendor(s) and negotiate for better
 > warranty terms.  Let us know what this does to the price.
 >  -- Call up http://www.napslo.org/ or some such and get
 > your own insurance.  Let us know the price.
 >  -- Write your own PKI.  Then defray costs, if desired, 
 > by becoming a vendor.
 >  -- Et cetera.

You've neglected "sue for damage due to negligence."  Disclaimer of
liability will not carry weight if the PKI vendor is negligent in
their design/implementation.  (Note, I am not saying that proving this
in court would be trivial.)

 > In general, there is a vast gray area between "Right"
 > and "Wrong".  Most things in my life can be described
 > as not perfect, but way better than nothing.

I am not arguing that there are not gray areas, nor that activities
never incur risk.  I am simply arguing that a disclaimer of liability
for the performance of a product will not cover negligence.

-- 
----------------------------------------------------------------------------
Paul A.S. Ward, Assistant Professor  Email: pasward at shoshin.uwaterloo.ca
University of Waterloo                      pasward at computer.org
Department of Computer Engineering   Tel: +1 (519) 888-4567 ext.3127
Waterloo, Ontario                    Fax: +1 (519) 885-1208
Canada N2L 3G1                       URL: http://shoshin.uwaterloo.ca/~pasward


