Microsoft’s Little Liability Problem

Microsoft has a little liability problem called Windows. Many are no doubt aware of a would-be class-action lawsuit launched last week in California. The suit targets Microsoft over security problems. The plaintiff is a woman who had her identity stolen. Details are
here. (NYTimes, free registration required)Editorial Notice: All opinions are those of the author and not necessarily those of

#@%* Lawyers
My first reaction was #@%* lawyers and stupid class-action suits. But as the NY Times article indicates, there could be more to it this time. Software makers have always managed to avoid warranty and product liability problems by licensing rather than selling their wares. There are two assumptions about this in the software business. The first is that these issues cannot be evaded forever. The second is that nothing will actually change until someone figures out how to overturn the End User License Agreement (EULA) in court.

What’s different in this case from previous software suits are the participants, the basis of the suit and the political climate. A little background is in order for non-US readers. The American legal system is peculiar. There are reasons why it works the way it does. Americans have ceded to the courts much of the power accorded to Government agencies in other countries. There is a lot wrong with this approach, but it does have a few positives. It does provide an avenue for the little guy to prevail over the big. And that happens often enough to give the process credibility. Without going too far into it, we can observe that lawsuits are a regular feature of American business life.

Get Rich Quick
For an ambitious trial lawyer, the best road to fame and riches is the class-action suit. A lawyer can go to court on behalf of a particular client and seek class-action status. If granted, the lawyer gets to represent not only that client, but all others with the same complaint within the court’s jurisdiction. This tool was developed to deal with complex cases where the alleged wrongdoing effected many, many people. For example, there was a class-action suit that represented the interests of all women that received defective silicone breast implants. Usually everyone in the “class” gets the option of signing on to the settlement or going to court on their own if they think they can do better. The class-action appeals to lawyers, who can get rich. It appeals to courts, who deal with one case rather than thousands. And it appeals to aggrieved citizens, who can avoid being defeated piecemeal by wealthy corporations.

If a lawyer can launch a lawsuit and get it certified as a class-action, they’ve made a start on the road to fame and fortune. They still have to win the case, or establish an expectation that they will. This is a risky undertaking that has bankrupted not a few law firms. To get the biggest payoff, the lawyer has to take the case on a contingency basis. The client(s) don’t pay the lawyer a cent. Instead, the lawyer gets a percentage of the payout. The lawyer finances the legal costs of fighting the case. This can easily run into the millions. There was an excellent book (and a pretty good movie) called “A Civil Action” that told the story of a law firm that went under trying to win a class-action suit. The movie “Erin Brockovich” also told the mostly true story of a class-action lawsuit from the lawyer’s perspective. Keep in mind that it is a Hollywood movie. And that the story it tells is as typical of class-action suits as Julia Roberts is of single mothers.

The combination of contingency fees and class-action suits have created a legal sub-industry. There are law firms that prospect for such suits. They find a group of people damaged in some way by someone, then go to court seeking class-action status. The lawyers behind the Microsoft suit have had successful class-action product liability suits before. They know what they are doing. That guarantees nothing, but one has to take the initiative seriously.

The suit’s first hurdle is getting certified as a class-action. Microsoft has its best chance to beat the suit here. They have a potent argument. Not all California Windows users had their identity stolen or their computers hacked. And not all the victims of identity theft or hacking can attribute the cause to Windows. The counter-argument is that it makes no difference. Microsoft can’t evade responsibility because their products are not 100% faulty. This could go either way, and a failure to gain class-action status will be the end of it. There is no way to tell right now how this will pan out.

If the suit does get certified as a class-action, there is the EULA to deal with. The legal status of the EULA is not entirely clear, but it has held up in a few previous suits. They were all reasonably narrow industry cases. Nobody has made a really credible consumer based attack on the EULA before. The law firm has come up with the novel argument that because MS is a monopoly, they can’t use a restrictive license as a shield. Since consumer’s effectively have no choice but to buy Windows when they buy a computer, they are not in a position to enter into the licensing agreement freely. And that MS’s conduct in releasing shoddy products is so reprehensible the EULA shouldn’t be able to protect them. They also say that the upgrade process is so complex and inept that a normal person can’t possibly ensure they have a secure computer. With MS back into the “patching the patches” routine, this is a powerful argument. One re-enforced by the apparent IE security hole that permitted crackers to steal the source code for Half-Life 2. One can hear the speech to the jury, “If a development company like Valve can’t secure their Windows machines due to MS negligence, then what chance does the consumer have?”

Time of the Season
Microsoft has yet to answer the suit in court. But if their legal strategy is anything like their PR strategy, they’re dead. So far, an MS spokesperson has said “The complaint misses the bigger point, which is that the problems caused by viruses and other attacks are caused by criminal acts by the people writing the viruses.” And “It is pretty clear that Microsoft has made security a priority.” Or as the lawyers will translate for the jury, “the problem isn’t our faulty product, its the people who exploit our faulty product”, and “we haven’t done anything wrong and we won’t do it again”. Both are tacit admissions of guilt.

Judges, on the whole, are remarkably fair and clear-minded. But they still swim in the same sea as the rest of us. They are not immune to changes in the character of the water. This summer has been disastrous for Microsoft. The conviction that they cannot or will not make a secure operating system has taken hold in the mass media. As has the idea that MS security blunders are responsible for a great deal of financial and emotional damage. This suit itself is symptomatic of that perception. If the perception did not exist, this law firm would be prospecting in more promising places. At some point, some judge and jury will accept the argument that MS cannot make billions selling an essential product used by everyone with no warranty whatsoever. This law firm is betting that now is that time.

The rest of us in the software business are now on notice. We cannot continue to get away with ship-now-and-fix-later as a development strategy. The day before the filing of this suit was the last day anyone doing business in the US could claim they didn’t think product liability could apply to them. If this suit is successful, any products introduced after its initiation will be held to a much higher standard. Fewer features, better stability and effective security need to start going into products as of now.


  1. 2003-10-07 7:20 pm
  2. 2003-10-07 7:20 pm
  3. 2003-10-07 7:39 pm
  4. 2003-10-07 7:44 pm
  5. 2003-10-07 7:53 pm
  6. 2003-10-07 7:57 pm
  7. 2003-10-07 7:58 pm
  8. 2003-10-07 7:59 pm
  9. 2003-10-07 7:59 pm
  10. 2003-10-07 8:01 pm
  11. 2003-10-07 8:01 pm
  12. 2003-10-07 8:01 pm
  13. 2003-10-07 8:03 pm
  14. 2003-10-07 8:05 pm
  15. 2003-10-07 8:11 pm
  16. 2003-10-07 8:13 pm
  17. 2003-10-07 8:13 pm
  18. 2003-10-07 8:13 pm
  19. 2003-10-07 8:19 pm
  20. 2003-10-07 8:21 pm
  21. 2003-10-07 8:23 pm
  22. 2003-10-07 8:24 pm
  23. 2003-10-07 8:27 pm
  24. 2003-10-07 8:33 pm
  25. 2003-10-07 8:33 pm
  26. 2003-10-07 8:36 pm
  27. 2003-10-07 8:37 pm
  28. 2003-10-07 8:40 pm
  29. 2003-10-07 8:45 pm
  30. 2003-10-07 8:50 pm
  31. 2003-10-07 8:51 pm
  32. 2003-10-07 8:54 pm
  33. 2003-10-07 9:05 pm
  34. 2003-10-07 9:05 pm
  35. 2003-10-07 9:07 pm
  36. 2003-10-07 9:08 pm
  37. 2003-10-07 9:09 pm
  38. 2003-10-07 9:10 pm
  39. 2003-10-07 9:12 pm
  40. 2003-10-07 9:13 pm
  41. 2003-10-07 9:15 pm
  42. 2003-10-07 9:15 pm
  43. 2003-10-07 9:16 pm
  44. 2003-10-07 9:27 pm
  45. 2003-10-07 9:38 pm
  46. 2003-10-07 9:44 pm
  47. 2003-10-07 9:49 pm
  48. 2003-10-07 10:20 pm
  49. 2003-10-07 10:23 pm
  50. 2003-10-07 10:30 pm
  51. 2003-10-07 10:37 pm
  52. 2003-10-07 10:38 pm
  53. 2003-10-07 10:38 pm
  54. 2003-10-07 10:47 pm
  55. 2003-10-07 10:51 pm
  56. 2003-10-07 10:59 pm
  57. 2003-10-07 11:00 pm
  58. 2003-10-07 11:17 pm
  59. 2003-10-07 11:29 pm
  60. 2003-10-07 11:29 pm
  61. 2003-10-07 11:30 pm
  62. 2003-10-07 11:30 pm
  63. 2003-10-07 11:32 pm
  64. 2003-10-07 11:33 pm
  65. 2003-10-07 11:36 pm
  66. 2003-10-07 11:43 pm
  67. 2003-10-07 11:52 pm
  68. 2003-10-08 12:28 am
  69. 2003-10-08 12:37 am
  70. 2003-10-08 12:46 am
  71. 2003-10-08 12:47 am
  72. 2003-10-08 12:53 am
  73. 2003-10-08 1:31 am
  74. 2003-10-08 1:37 am
  75. 2003-10-08 1:51 am
  76. 2003-10-08 2:09 am
  77. 2003-10-08 2:21 am
  78. 2003-10-08 2:41 am
  79. 2003-10-08 3:38 am
  80. 2003-10-08 3:53 am
  81. 2003-10-08 4:10 am
  82. 2003-10-08 4:22 am
  83. 2003-10-08 5:00 am
  84. 2003-10-08 5:02 am
  85. 2003-10-08 6:45 am
  86. 2003-10-08 7:04 am
  87. 2003-10-08 7:06 am
  88. 2003-10-08 7:31 am
  89. 2003-10-08 7:33 am
  90. 2003-10-08 8:25 am
  91. 2003-10-08 9:25 am
  92. 2003-10-08 11:04 am
  93. 2003-10-08 11:36 am
  94. 2003-10-08 12:26 pm
  95. 2003-10-08 12:47 pm
  96. 2003-10-08 1:57 pm
  97. 2003-10-08 1:58 pm
  98. 2003-10-08 1:58 pm
  99. 2003-10-08 2:00 pm
  100. 2003-10-08 2:46 pm