- by Paul Murphy, -

If you were to make up your own list of the top ten issues likely to affect computing over the next five to ten years, would you include liability reform in the American legal system?

I think you should, even if you live, as I do, in Canada or some other country where American law doesn't apply directly because change is coming, and that change will affect anyone who works with hardware or software made or sold by American companies.

How change will come is an open question. If the Republicans win this year's elections liability reform will probably come through the legislative process. That got seriously started last year when Democrats in the House and Senate lined up with the American Trial Lawyers Association to block the president's attempt to cap medical liability claims while imposing some common sense restrictions on filings. In doing so, they presented the Republicans with a perfect wedge issue that's easy to explain, won't cost many Republican votes, and is guaranteed to appeal strongly to large, traditionally Democrat, blocs such as nurses and others negatively affected by the current system.

The other possibility, if the Democrats win, is that change will come through the evolution of case law.

Either way, however, the computer business is going to be affected and your relationships with suppliers, employers, or customers are going to have to change with it.

Peel away the layers of legal onion and what you find at the heart of the issue as it affects IT is the risk transference attendant upon the use, or the failure to use, of professional best practices. Best practice adherence offers a magical defence against liability because, hair splitting to the contrary, professionals who follow whatever best practices are widely considered applicable under the circumstances at issue are reasonably safe from personal liability claims even if those best practices later turn out to be inadequate.

The question, of course, is what constitutes a best practice and the only answer I've ever found is that a best practice is whatever an expert witness - usually a prof or senior consultant with no actual experience in the field- is likely to believe it to be. In practice this usually means that best practices significantly lag reality and need bear no obvious relationship to good sense. In reviewing data center operations, for example, I always solemnly raise the need to have all employees sign a copy of the organisation's formal internet usage policy, not because this has the slightest impact on the behaviour of porn addicts or other nits who misuse organisational resources, but because doing so protects me from liability when someone is caught.

To see how adopting majority practices transfers risk look at the opposite case: imagine yourself going against local majority opinion and ask who wears the horns when the resulting decision goes wrong? I did this once, bringing in Sybase on SPARC to resolve some issues with a couple of racks of SQL-Servers only to find myself blamed for the performance problems that arose when a Wintel DBA insisted on her right to delete and remake all the indexes every day. Basically it's not the risk of failure that's at issue with best practice conformance; it's the risk of being out of step that disappears when you adopt blest practices.

One of the fundamentals of last spring's proposed liability reforms was a re-balancing of the risk transference involved with medical best practices. In that particular industry case law has evolved a wonderful catch 22 in which informed consent is required along with procedural best practices but it is assumed that any patient who accepted risks a review team eventually describes as excessive or unnecessary would have made the opposite decision had the practitioner responsible done an adequate job of explaining the risks.

In medicine, therefore, any level of informed consent can be turned against the practitioner by appropriately procured expert testimony. In software the opposite assumption is usually made - that the user has the expertise and options needed to make a fair choice on whether or not to accept the risk transferences embedded in licensing - but the result is equally unbalanced.

Thus last year's federal tort reform package focused on medical liability in the press releases but tried to trim off both extremes in the law: limiting liability, raising the bar for compensation, and clarifying assumptions about the relative power and expertise of the players in the provider-customer relationship.

If reform arrives via the legislative route, that same broad applicability should be there although we obviously won't know for sure until well after the politicians are done with it and the first applicable rulings come in. At that time, however, it should finally be possible for someone to hold companies like Microsoft, CA, and Oracle responsible for costs incurred as a direct result of software failures - and that will dramatically change the industry.

Something similar seems likely to happen even if the Democrats win; it'll just come through the courts instead of the Congress as case law gets extended to establish new forms of liability for hardware and software failures.

For example, a few years ago I had several conversations with a senior individual at a San Francisco law firm about starting a class action against Microsoft with respect to Code Red --an attack that still hits my server several times a day. The class I had in mind was the group of people who, like me, have no Microsoft licenses of any kind on site and nevertheless incur at least some costs as the direct result of weaknesses in Microsoft's products.

In the end the firm declined the case in part because my ability to pay doesn't stack up well against Microsoft's and in part because Microsoft could offer a strong defence in that good professional practice on their customer's part would avoid the problem.

I think the outcome of those discussions would be different today for two reasons.

First, Microsoft's best practices defence is now worse than useless to them. Back in 2001 third parties, including some not owned or controlled by Microsoft, published vulnerability information as soon as it became available. At that time. therefore, best practices for Windows administrators included checking these third party sites for early warnings of vulnerabilities and taking counter action well before the bulk of the attacks occurred.

Today, however, Microsoft has established far more control over the flow of information and generally only provides vulnerability information to the public well after it has developed a patch. As a result practitioners who adopt Windows best practices as recommended by Microsoft now guarantee the bad guys time to develop, test, and distribute exploit code.

Secondly, both then and now any court will accept that a professional responsible for collecting and holding sensitive information has to adopt the best possible security practices. In 2001 you could reasonably argue that security best practices ruled out use of any Microsoft operating system produced since they stopped selling Xenix, but you couldn't win with that argument in court because most of the people you'd be talking to are technical illiterates who can be counted on to abandon fact for majority opinion on any issue of this kind. Today, however, the positive visibility accorded Linux in the popular press coupled with Microsoft's negative security image means that most of these people are drifting toward some understanding of the issues and would therefore listen to a reasonable argument on it.

in other words someone, real soon now, is going to make and win the argument in court that best practices in corporate computing rule out the use of Microsoft servers and thereby make anyone who does use them liable, along with Microsoft, for the consequences of that decision.

The bottom line is simple: whether change comes through legislation or through the creation of new case law, liability reform will come. When it does, Microsoft's freedom from liability is going to be just so much collateral damage - and so is yours; making this one of the top ten things likely to the affect the IT industry over the next five to ten years.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 20-year veteran of the IT consulting industry.