Monday, June 01, 2015

Products Liability in the software world

Products Liability is a part of Torts that addresses harm to people from, well, products. For a variety of reasons, there are really very few Products Liability cases about software, although the biggest reason is pretty much that Torts is kind of like the evening news. In my Sociology of Mass Media news class back as an undergrad, we learned a lot about the "if it bleeds it leads" idea, and Torts turns out to be a fan of that concept. The large majority of Torts cases are around actual physical harm to people, and so far, software tends to largely stay safely tucked away in our computers. This will probably be changing a lot with the Internet of Things on the horizon, and so I've been wasting too much time thinking about how Products Liability concepts will play out with software.

Products Liability in the world's smallest nutshell: generally, you can sue under one of three theories.
  1. Manufacturing defect: the particular instance of the product that injured me was defective in some way. This is the "easiest" type of Products Liability suit, so long as the item that injured you wasn't destroyed in the accident.
  2. Design defect: this one is harder, but probably far more common. In this one it's not that one particular item is defective, but that EVERY instance of that particular product is defective.
  3. Failure to warn: this product injured me because I wasn't aware that it would hurt me in that particular way. This is the type of lawsuit that's responsible for loooooong warning stickers on everything.

One concept in Product Liability under the area of "design defect" is the idea of optional safety features on a product. If a particular company was aware of a safety feature, but did not include it in the product, could they be held liable for harm that occurs to a person which the missing optional safety feature might have prevented? This is not really an easy question to answer, because a lot of the time the reason that safety feature is missing from the product is that it would make the product more expensive to produce. The courts sometimes like to let the market "speak" -- they insist that the consumers should be the ones to decide whether an optional safety feature is worth spending on. The purchaser of the product is not the only one who gets a say, of course, but by and large the let-the-consumer-decide idea has a lot of appeal.

(When you have a design defect case, you also generally have to prove a reasonable alternative design, and having that safety feature available on other products like the one you're suing over is basically a reasonable alternative design nicely gift wrapped for you.)

The courts weigh the risk vs the utility of the particular design when deciding the cases. For instance, in Scarangella v. Thomas Built Buses, Inc., the court looked at "seven nonexclusive factors to be considered in balancing the risks created by the product's design against its utility and cost. As relevant here, these include the likelihood that the product will cause injury, the ability of the plaintiff to have avoided injury, the degree of awareness of the product's dangers which reasonably can be attributed to the plaintiff, the usefulness of the product to the consumer as designed as compared to a safer design and the functional and monetary cost of using the alternative design (id.). An additional pertinent factor that may be taken into account is "the likely effects of [liability for failure to adopt] the alternative design on … the range of consumer choice among products" (Restatement [Third] of Products Liability § 2, comment f)." Scarangella v. Thomas Built Buses, Inc., 93 N.Y.2d 655, 659 (1999)

So this is all a very long windup to the problem of Volvo's pedestrian detection. Story in a nutshell: some folks were demonstrating to themselves Volvo's self driving car. The car ran into two people standing in front of it. Volvo says "oops, pedestrian detection is $3000 extra, this model didn't have it."

Now, if a car hits a pedestrian because it's lacking an optional safety feature, how do we weigh the risk-utility of this design, given that the feature was available but not included? So much of what courts look at is the price impact of the optional feature- and here, it looks like Volvo gave us a price: $3000. However, how much of that $3000 is the true cost to Volvo to install this, and how much is just them wanting to charge a lot for a software library because they can?

I know pretty much nothing about how Volvo's actual pedestrian detection works, so let's consider an imaginary car where the pedestrian detection is purely a software library addition to the car's software, and doesn't require any new physical sensors or rewiring of the car, etc. In that instance, could the car company make pedestrian detection available only at a $3000 add-on price? You might say on the one hand that software is basically cost-free once it's been developed. There are going to be tests to do with each model, most likely, but once a particular model has been tested out, adding the software to a particular individual car of that model type should be just about cost-free. This is in contrast to a piece of hardware that requires, perhaps, a hand guard to be manufactured and installed for every single instance of the item.

On the other hand, if car companies could not recoup their software development costs by charging extra for software options, would the incentives be strong enough for them to develop the options? If every other car on the market had pedestrian detection available, the laggard car company would probably develop (or just license) the software for their car. But what would incentivize the first adopter to make it? Could they capture enough of the market by having this new feature available without charging for it as an upgrade?

The inherent non-rivalrous nature of software, in that once complete it can be infinitely reproduced for negligible cost, upsets the standard risk-utility calculus; the monetary cost of using an alternative design drops to zero after the initial development.

It will be interesting to see what happens with safety oriented software options going forward in self driving cars.

Thursday, September 18, 2014

Zero Days

Zero day hacks are software bugs the software vendor is not aware of, and which therefore have no patch available. The "valuable" (for a particular definition of valuable...) ones are bugs that can be leveraged to give the exploiter privileged access on a computer, which can be used to install keyloggers, etc. Zero day exploits are often sold, and there is debate about whether the government does or can use them in counterterrorism surveillance. If we ignore the "does the government use them?" question and focus on the "can they?" aspect, one statute that might offer the answer is the Computer Fraud and Abuse Act, 18 USC §1030(f). This section offers the government immunity from hacking when used to go after criminals. It states, "This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States." That's pretty wide ranging- "any lawfully authorized" covers a lot of ground. Is exploiting zero days lawfully authorized? I think that no matter what steps the actual exploit takes, the government might argue that it should be covered under "lawfully authorized activity" if it's part of an ongoing investigation. Is keeping knowledge of a zero day from the software vendor, so that a government agency can continue exploiting it, allowed? Is there a duty to disclose the issue so that others don't also exploit it? And is the purchase of zero day exploits covered under "lawfully authorized activity"? There's a law review article, 50 A.F. L. Rev. 135, Defensive Information Operations and Domestic Law: Limitations on Government Investigative Techniques, from 2001, which addresses 1030(f) in the context of government operations.

Monday, April 14, 2014

Creative Commons Goodness

My Instagram feed has for a long time featured occasional shots of coffee cups and my kindle. My favorite way to spend a weekend morning, after all, is to get a good cup of coffee and read, and in the vein of "shoot what you know" I've shot quite a few coffee cups + kindle still lifes. My friends have kidded me about it a few times over the years, but apparently some of them associated "coffee cup" and "kindle" with my photos enough that I was notified by a few folks when this article was published a few months ago:


- yup, that's my photo illustrating it! The awesomeness of tagging your pictures with a creative commons license on flickr and releasing them into the wild is that once in a blue moon one gets used. So cool. Looking at the last post I put up here, with the coffee cup & kindle reminded me that I wanted to save a link up here so I could find it again! So here are a few more coffee cups with Kindles. As you might guess from the name of my blog, my drink of choice is an americano, with pourovers being my fallback drink.

More Sherlock Holmes over breakfast

Weekend reading.

Pourover and more reading.

Tuesday, April 01, 2014

famous last words

April 2008, on my blog:
"I don't think that there has ever been a foray into legal territory on my blog, if I think about it. Which is a bit odd, because I'm not a lawyer, but my dad is, and I love talking about trials and legal things with him."
-- on Contracts
Spring break cappuccino

March 2014: dear blog, time for the once-every-few-years sorry-I've-neglected-you post (see exhibit 1, the most recent iteration and exhibit 2, the oldest iteration). What's my excuse this time? I'm in law school, so no free time. Also, maybe in a few years that post linked above is going to be factually incorrect. Who knows, I'm currently a clueless 1L so anything could happen. However, I went hunting through my blog today for some substantive writing from my past lives, having had some weird idea that I must have written a few posts that were more than a paragraph long. I was 98% incorrect, but I did dig up a few examples where I managed to ramble on at length.

Why am I in school again? According to my law school application essay, it's because of a conversation about open source software at OSCON 2012. I've thought a fair amount about programming vs legal issues over the last few months, and how diametrically opposed they are in so many ways. Tech industry: we are suspicious of you if you wear a suit to an interview or if you stay at a company for too long. Law: we are suspicious of you if you don't wear a suit to an interview or if you job hop. Software: I'm not sure what this program does, let's compile it and put in a break point to see exactly what's happening. Law: "'Chicken' may mean one thing or it may mean something else entirely. Who knows?" Software: you prove an algorithm is n log n by these steps that everyone agrees on. Law: You might be able to prove a prima facie case of negligence with these facts, but maybe not.

In any event, I've had a few pushes from different parties to take up blogging again, so hopefully I will find time to write here more. I also hope I might find time to write about music again- the first few years of this blog were almost entirely music blogging, and it's something I miss.

So on that note, my latest favorite song is by Air Review, and you should check it out in this fabulous video of a border collie enjoying life while his owner does some mountain biking. This made me miss the Northwest so much; I need to find a weekend to get out there again soon!