Mon, May. 17, 2004

Virus Liability Issues

CK - Washington.   Jens Henke discusses, in his note Schadensersatzpflicht für Virenprogrammierer (The Liability of Virus Programmers), some aspects of the civil liability of programmers of harmful viruses as it may arise under German law, Peter Müller notes in his blog. Henke's starting point is the Sasser virus and the timeline of its release and of the release of warnings and measures to remedy defects in the Microsoft operating systems. Henke argues these key points:

  • The programmer of the virus is liable under principles of tort law.
  • The programmer's liability is limited by the intervening contributory negligence of users of the affected operating systems who failed to apply corrective measures promptly.
  • Such users are not liable for the harm caused to third parties when they permitted the virus to invade and enabled Sasser to spread.


    Programmer Liability: Tortious liability results from the release of Sasser, which is capable of intentionally invading randomly selected systems. While randomness may raise questions with respect to the intent requirement of §823 of the Civil Code, Henke argues that the programmer demonstrated intent by knowingly tolerating random harmful effects. Therefore, liability rests on §823 (1) which, among other things, protects against damage to property.

    Limitation of Liability: On April 13, 2004, long before the Sasser release, warnings of defects in the Microsoft operating systems, alerting to the specific risks associated with the likes of Sasser, as well as remedies for those defects, were widely published. Henke suggests that German law requires commercial users to act promptly to prevent harm; in an IT environment, prompt should mean within one day from acquiring knowledge of the defect. The negligence of third parties in repairing the defects in the operating systems could trigger, beginning on April 14, 2004, i.e. one day after release of an effective remedy by Symantec, contributory responsibility on the part of third parties who allowed Sasser to invade their systems and spread to others. Such contributory negligence could partially exculpate the programmer from liability under §823 (1).

    Liability of Propagators: Sasser hosts who propagated the worm after failing to repair their copies of the faulty operating systems may appear liable, Henke argues, but their lack of intent renders §823 (1) inapplicable. They might be liable under §823 (2), which triggers liability in tort based upon the violation of criminal statutes, but Henke finds that there is no criminal statute that would trigger liability for purely negligent propagation.

    Looking beyond Henke's thoughtful analysis, an argument could be made that §830 of the Civil Code may render third-party hosts of Sasser liable for damages. In addition, justified apprehension among IT users about applying fixes to their copies of the Microsoft operating systems may excuse their failure to act. Such apprehension could be justified by prior experience with Microsoft patches, which are frequently reported to do more harm than good. In any case, the defects in the Microsoft operating systems may shift the ultimate responsibility to their producer unless its terms of sale or license should prove more fortified than its products, or the almost natural bugginess of software is such that programmers should always be free from liability.

