Bonum Certa Men Certa

Liability for Software When Life is at Stake

A few months ago we used the London Stock Exchange (LSE) as an example of hugely costly Microsoft failures. The stock market crashed in the technical sense and Microsoft, along with those who are informed or responsible, dodged questions about the problem, which recurs once in several months. That was about money, but this time around it's about people's welfare, health, and even lives.



With roughly 320,000,000 zombie PCs out there, how can any sane person put Windows in mission-critical settings like a hospital? Well, that's just what some people do. They apparently learned nothing from a hospital near Microsoft Corporation turning into a massive botnet and it's happening again, this time in London. Yesterday's reports indicate that 3 hospitals were shut down due to Windows virus infections:

BBC: Computer virus affects hospitals

Three London hospitals have been forced to shut down their entire computer systems for at least 24 hours after being hit by a virus.


The Register: PC virus forces three London hospitals into computer shutdown

Three London Hospitals shut down their computer systems on Tuesday in response to a computer virus infection.

[...]

The infection at Barts and London Trust was reportedly caused by the Mytob worm, which contains built-in spyware functionality. Mytob spreads by email and has the ability to plant backdoor software on compromised Windows PCs.


Database leaks are only natural to expect. This means that any person's personal information and health record can make its way into a hot BitTorrent within hours. It's wonderful, is it not?

“This means that any person's personal information and health record can make its way into a hot BitTorrent within hours.”We have already produced and provided some evidence to show that Windows is insecure by design and probably irreparable. Unless it's overhauled radically or reimplemented from scratch, it can never benefit from several decades of UNIX doctrine, mostly trials and errors which made a robust, scientifically-backed model.

With Microsoft whistleblowers crying foul about critical failures and then getting sacked, one can't help wondering how Microsoft perceives liability. Appended below are several fairly recent articles about liability, bad software, dangers in healthcare, and questionable EULAs.

For information about the NHS and Microsoft, see this page (to avoid needlessly repeating old references).

_____ [1] Experts are calling for product liability for software

"Product liability does not apply to software," Gerald Spindler of the Faculty of Law of the University of Göttingen complained. "But what if a whole company comes to a standstill due to faulty software?" he mused.


[2] "Microsoft's 10Q Risk Factors Lists Conceivable Liability for Data Leaks

Improper disclosure of personal data could result in liability and harm our reputation. We store and process significant amounts of personally identifiable information. It is possible that our security controls over personal data, our training of employees and vendors on data security, and other practices we follow may not prevent the improper disclosure of personally identifiable information. Such disclosure could harm our reputation and subject us to liability under laws that protect personal data, resulting in increased costs or loss of revenue. Our software products also enable our customers to store and process personal data. Perceptions that our products do not adequately protect the privacy of personal information could inhibit sales of our products.


[3] Linux guru argues against security liability

Alan Cox, one of the leading Linux kernel developers, has told a House of Lords hearing that neither open- nor closed-source developers should be liable for the security of the code they write.


[4] New banking code cracks down on out-of-date software

The banking industry has re-affirmed a policy that makes online banking customers responsible for losses if they have out of date anti-virus or anti-phishing protection. New Banking Codes for consumers and businesses took effect on Monday.


[5] Secure web browsing through Live Linux distros

Banking isn't the be-all and end-all: there's many other reasons you'd want a secure system, separate from what's on the hard disk, besides Internet banking. Traveller's can't necessarily trust the integrity of a computer in an Internet cafe.


[6] Online banking fraud 'up 8,000%'

The UK has seen an 8,000% increase in fake internet banking scams in the past two years, the government's financial watchdog has warned.

The Financial Services Authority (FSA) told peers it was "very concerned" about the growth in "phishing".


[7] Swedish bank hit by 'biggest ever' online heist

Haxdoor typically installs keyloggers to record keystrokes, and hides itself using a rootkit. The payload of the .ki variant of the Trojan was activated when users attempted to log in to the Nordea online banking site. According to the bank, users were redirected to a false home page, where they entered important log-in information, including log-in numbers.


[8] Microsoft confirms OneCare zaps Outlook, Outlook Express e-mail

Microsoft Corp. has acknowledged that a bug in its Windows Live OneCare security suite has been causing users' e-mail to vanish from Outlook and Outlook Express.


[9] In zombies we trust

A little over a year ago, I wrote an editorial where in back-of-the-envelope style (.pdf) I estimated that perhaps 15-30% of all privately owned computers were no longer under the sole control of their owner. In the intervening months, I received a certain amount of hate mail but in those intervening months Vint Cert guessed 20-40%, Microsoft said 2/3rds, and IDC suggested 3/4ths. It is thus a conservative risk position to assume that any random counterparty stands a fair chance of being already compromised.


[10] Your data or your life

As unlikely and alarmist as this sounds, it could really happen. Intracare is the publisher of a popular practice management system called Dr. Notes. When some doctors balked at a drastic increase in their annual software lease, they were cut off from accessing their own patients? information.

This situation is completely unconscionable. There can be no truly open doctor-patient relationship when an unrelated third party is the de facto owner of and gatekeeper to all related data.


[11] Use Health Vault, Lose Your Rights

Microsoft has announced (NY Times Article) Health Vault. What should have followed here is a review of the service by my actually trying it.

[...]

Heard enough? So had I. I'm absolutely going to pass on Health Vault. In addition to looking like the Microsoft Passport debacle redux, this is a very one-sided contract. They can harm you but you cannot harm them. There is no way for any 3rd party to verify that their privacy and security software works.


[12] Microsoft Healthvault Patient Safety in Question

One topic I've not seen addressed is the safety and effectiveness of the data within HV - and I don't mean "safety" as in the data is secure from unauthorized access or misuse. I mean "safety" as in the utilization of data stored in HV by other applications won't result in an unsatisfactory patient outcome, you know, like death or injury.


[13] HealthVault: No Commitments and a Sleeping Watchdog.

Has Microsoft committed to keeping the promises that it has already made? No, just the opposite. Their privacy policy concludes:“We may occasionally update this privacy statement”

Which means that when the commitments that Microsoft has made regarding HealthVault become inconvenient, they will simply change them.


[14] HealthVault: Failing the seven generations test

...My mother died of ovarian cancer. My grandmother took a drug while my mother was in utero that increase the chances that my mother would get ovarian cancer. Any consideration given to my mothers genetic propensity to get cancer must take into account this environmental influence...My grandmothers medical record will remain relevant for at least five generations...How long should we be keeping our electronic medical records? We should ensure that they are available for the next seven generations...A private, for-profit, corporation is an inappropriate storehouse for records that the next seven generations will need. Corporations do not last long enough. Consider the Dow Jones Industrial Average, of the original 12 companies that made up the index, only one is still listed...

[...]

But this is still Microsoft we are talking about, which all things being equal, is especially bad. Microsoft has a history of abusing standards, and using those abuses to enable and extend its monopolies. In short they have a history of “being evil” in exactly the sort of way that we cannot afford to have impact our healthcare records.


[15] Bill Gates: Vista is so secure it could run life support systems

While on a visit in Romania, where Bill Gates participated in the celebration of 10 years since the Microsoft branch has been running there, and the launch of Vista, Microsoft?s president declared that, with the right ammount of administration, the new Vista could run life support systems in hospitals.


[16] Do Microsoft's EULAs have any real legal basis?

"Microsoft has no special exemption from the sale of goods act." Well, no, probably not - but it might still be selling you "services" instead of "goods". But the real point to remember is that it doesn't matter a jot what the "logical" position is, it is what the courts decide that matters.

As far as I know, no one has tested Microsoft's EULAs in a UK court and, until someone does, Microsoft will just go on assuming that they work. And I don't fancy the risk of taking on Microsoft's expensive lawyers in court myself...


[17] EULA La Vista, Baby

Well, I've taken a good look at the license agreement -- I had insomnia -- and I've discovered some clauses that will freeze your blood, curl your hair, and do your nails.


[18] Vista's EULA Product Activation Worries

Mark Rasch looks at the license agreement for Windows Vista and how its product activation component, which can disable operation of the computer, may be like walking on thin ice.

[...]

"Does the Microsoft EULA adequately tell you what will happen if you don't activate the product or if you can't establish that it is genuine? Well, not exactly. It does tell you that some parts of the product won't work - but it also ambiguously says that the product itself won't work. Moreover, it allows Microsoft, through fine print in a generally unread and non negotiable agreement, to create an opportunity for economic extortion."


[19] MSN Music Debacle Highlights EULA Dangers

MSN Music’s EULA is a case in point. When active, MSN Music's webpage touted that customers could “choose their device and know its going to work”.

But when customers went to purchase songs, they were shown legalese that stated the download service and the content provided were sold without warrantee. In other words, Microsoft doesn't promise you that the service or the music will work, or that you will always have access to music you bought. The flashy advertising promised your music, your way, but the fine print said, our way or the highway.


Comments

Recent Techrights' Posts

Who Is This Backup FOR, the NSA?
As Admfubar put it, "backups for everyone..."
Microsoft's Siege of Libya Coming to an End
One might be tempted to guess the users deleted Windows and installed something else
New Talk by Dr. Richard Stallman Published Two Days Ago By CeSIUM - Centro de Estudantes de Engenharia Informática da Universidade do Minho (Portugal)
The FSF no longer mentions Richard Stallman's talks, but we will
Name the Threats and Threat Actors
Looking back to 2006, there was Novell and gregkh (partly salaried by Microsoft), so these are familiar territories
The "Other" SPLC
You know you're winning the debate when censorship is explored
Microsoft: By Default, Destroy Linux
Here is what the very "polite" Microsoft Boccassi had to say
Perens on a Stick
Remember what Novell did and how few (barely anyone) sided with Novell
Andrew Tanenbaum Gets an Award for His Work on MINIX
ACM one week ago
Twitter's Fall to Irrelevancy in Europe
Musk bought a dud
[Meme] 'Useless' Kids of EPO Examiners
malnourished?
Granting Loads of Monopolies in Europe (to Foreign Corporations of Epic Size and Far Too Much Power Inside Europe) is Vastly More Important Than Raising European Kids Properly?
"Efficiency" first? Whose? Corporations or families? No wonder so many young families are hesitant to have any kids these days; that's particularly true in east Asia and also in north America, not just Europe
Techrights in the Coming Decade: The Free Speech (Online) Angle
Free speech is a fundamental tenet of a free society
 
Sheriff of Cork & Debian Edward Brocklesby or Brockelsby Street confusion
Reprinted with permission from Daniel Pocock
Three Points About Julian Assange Plea Deal
There is still a secret problem
[Meme] EFF Became a 'Bunch of Pussies' Working for GAFAM (and Sponsored by GAFAM)
It won't protect people, except very rich people's interests
IBM Does Not Care for the Blind (Wayland Harms Accessibility)
What a punch in the gut
Tux Machines Past 20: Still Thriving
Now 20 years and 2 weeks old
[Meme] Microsoft is Coming /Home
"LOL, REAL SORRY!!!"
Gemini Links 25/06/2024: Old Computer Challenge; An Opinionated GNU/Linux Guide
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, June 24, 2024
IRC logs for Monday, June 24, 2024
IEEE Computer Society on Andrew Tanenbaum, Winner of ACM Award, Who Also Inspired Linux Development
10 years ago
FSF Looking to Raise Money by Adding 200 New Members by July 19
The FSF is in good shape, according to Alexandre Oliva
Not Only Does It Not Add Security... (UEFI as a 'Bug Door')
SecureCore?
Data From Monaco Should Alarm Microsoft
Just how many people are deleting Windows and installing something else this year?
Linux in Central Sahel (Burkina Faso, Mali and Niger)
Vast area, vast number of "Linux users" (if one counts Android as such)
[Meme] Gagging One's Own Staff as a Signal of Corporate Distress
Censorship at Microsoft
Staying the Course
censorship isn't easy against sites that understand ways to resist it
The 'All-Seeing' Microsoft Eye
Microsofters are observing us closely
Links 24/06/2024: Long COVID and "How I Write Blogs"
Links for the day
Allegations That Microsoft is Covering Up Employee Dissatisfaction and Using a Survey to Catch 'Risk' to the Cult Mentality
This favours or gradually socially-engineers a company for sociopathy
'Linux Hint' Inactive for Nearly a Month (It Used to be Very Active)
Their Twitter account hasn't been active for a long time and it's not too clear what's going on
An Unexpected GNU/Linux Trend
Burkina Faso is changing and not just politically
Android (Linux) at New Highs in Burkina Faso, Now Measured at 72% (Windows Was Measured at 98% 15 Years Ago)
based on this month's estimates
With 0.76% for ChromeOS and 3.7% for GNU/Linux (4.5% Total) Burkina Faso Approaches 5% for 'Linux'
More if one counts Android as "Linux"
Gemini Links 24/06/2024: Being Dull and OpenSSH Autoban
Links for the day
EPO Issues in The Hague
a report dated 4 days ago about a meeting that took place 12 days ago
[Meme] Garbage in, Garbage Out (EPO Patent Quality)
"Get back to work"
When the Employer Makes You Too Sick to Go to Work (New EPO Document)
"registering when you are sick"
[Meme] Putin's Red Flags
Firefox ESR or Firefox USSR
The Corporate/Mainstream Media and Even Social Control Media is Distorting the Record About What Mozilla Actually Did (It Originally Surrendered to Vladimir Putin)
Mozilla being avoided for purely technical reasons (sites not being compatible with it) is one thing. Foolishly, Mozilla is giving people more political reasons to also shun Mozilla. This is suicide.
GNU/Linux Up Some More This Morning, Windows Down Sharply Even in Rich Countries
Microsoft is in trouble in the Muslim world
United Arab Emirates (UAE) Rising... Towards 5% for ChromeOS and GNU/Linux
the latest numbers show it growing from about 0.1% to around 2.4% for GNU/Linux, plus 2.01% for Chromebooks (ChromeOS), i.e. about 5% in total.
Links 24/06/2024: New Research, New Attacks on Justices Sceptical of Patent Maximalists, European Commission for Copyright Maximalists
Links for the day
[Meme] 12 Years a Fedora Volunteer
IBM gives me a 'free' Fedora badge as recognition
IBM Slavery: Not a New Problem
When IBM got rid of Ben Cotton it showed the world how much it valued Fedora
Why They Want to Abolish Master/Slave Terminology (Because This is What They're Turned Free Software Into)
It used to be about community; GAFAM turned that into exploitation and worse
Roy and Rianne's Righteously Royalty-free RSS Reader (R.R.R.R.R.R.) Version 0.2 is Released
They say summer "officially" started some days ago
Torvalds' Number Two Quit Linux a Decade Ago and Has Since Then Earned an Honorary Doctorate
Revisiting Fuzix and Alan Cox
GNU/Linux Reaches All-Time High in Tunisia
Based on statCounter
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, June 23, 2024
IRC logs for Sunday, June 23, 2024
Edward Brocklesby (ejb) & Debian: Hacking expulsion cover-up in proximity to Oxford and GCHQ
Reprinted with permission from Daniel Pocock
You Know the Microsoft Products Really Suck When...
"Qualcomm and Microsoft go 'beyond the call of duty' to stop independent Copilot+ PC reviews"
IBM and "Regime Change"
Change of regime is not the same as freedom
Microsoft Windows in Nicaragua: From 98% to Less Than 25%
Operating System Market Share Nicaragua
Techrights in the Coming Decade: The Community Angle
Somebody needs to call them out on their BS
Techrights in the Coming Decade: The Software Angle
Gemini Protocol has just turned 5 - i.e. roughly the same age as our Git repositories
Techrights in the Coming Decade: The Patent Angle
Next month marks 10 years since we began covering EPO leaks
Wookey, Intrigeri, Cryptie & Debian pseudonyms beyond Edward Brocklesby
Reprinted with permission from Daniel Pocock
[Meme] Choice Versus Freedom
So When Do I Start Having Freedom? Freedom is choice between the GAFAMs
Digital Liberation of Society at Times of Armed Conflicts and Uncertainty
We have technical contributions, not just written output
Links 23/06/2024: More Microsoft Cancellations, Growing Repression Worldwide
Links for the day
Gemini Links 23/06/2024: The Magician and the Hacker, tmux Tips
Links for the day
Links 23/06/2024: Twitter/X Wants Your Money, Google Reports a Billion DMCA Takedowns in Four Months
Links for the day
Digital Restrictions (Like DRM) Don't Have Brands, We Need to Teach People to Hate the Underlying Restrictions, Not Companies That Typically Come and Go
Conceptually, the hens should fear humans, not the farmer who cages them
Going Above 4% Again
Maybe 4% (or above) by month's end?
[Meme] Debian's 'Cannon Fodder' Economics
Conflicts of interest don't matter
Conviction, jail for Hinduja family, Debian exploitation comparison
Reprinted with permission from Daniel Pocock
According to Microsoft, It's Not a Code of Conduct Violation to Troll Your Victims Whose Files You Are Purging
The group of vandals from Microsoft think it's "funny" (and for a "nominal fee") to troll Microsoft critics
Microsoft Inside Debian is Sabotaging Debian and Its Many Hundreds of Derivatives With SystemD (Microsoft/GitHub Slopware With Catastrophic Bugs is Hardly a New Problem)
What is the moral of the story about The Scorpion and the Frog?
Links 23/06/2024: Hey Hi (AI) Scrapers Gone Very Rogue, Software Patents Squashed at EPO
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, June 22, 2024
IRC logs for Saturday, June 22, 2024
Gemini Links 23/06/2024: LoRaWAN and Gemini Plugin for KOReade
Links for the day