By the way, the "cryptography" mailing list has been having an interesting discussion of whether companies are liable for selling bad crypto products or for relying upon them if they know that they are bad. I'm forwarding one of the recent messages on the topic. The entire discussion has been interesting thus far, although only some of the participants have been lawyers. Relevance? Look no further than 40-bit DES.

Perry
-- BEGIN included message
- To: cryptography@c2.net, unicorn@schloss.li
- Subject: Re: PPTP (again)
- From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
- Date: Wed, 13 May 1998 16:09:18 (NZST)
- Delivery-Date: Wed May 13 00:18:54 1998
[Followups trimmed somewhat]

Black Unicorn <unicorn@schloss.li> writes:

>I've been watching trends which might suggest that a firm could be sued for
>failing to exercise due diligence in their information protection efforts.
>Shareholder derivative suits would be the most interesting from a legal point
>of view because the cause-effect chain doesn't need to be very strong for one
>such to succeed. So, under what circumstances would Microsoft (which is
>exceptionally well represented from a legal standpoint, by the way) be
>potentially liable for a security oversight?

I wrote a paper on encryption and e-commerce about 2 years ago (http://www.cs.auckland.ac.nz/~pgut001/pubs/icommerce.pdf, rather in need of update in some areas) which briefly covers this issue in the section "Liabilities of Weak Encryption/Poor Security", but from the angle of having stockholders sue the company directors for negligence if they use known weak security and the company stock price slips due to this. For example, everyone even vaguely involved in computers and security knows that US-exportable crypto is no good (it's certainly had press coverage in every imaginable medium), so a company which relied on this for security would make itself a prime target for negligence lawsuits when their security was breached.

The paper gives a few references for further info, for example the US Federal Sentencing Guidelines for Organisation Defendants, which give clear guidelines for judges when sentencing corporations found guilty in federal liability cases. There's only about a page of stuff there (I'm a cryptographer, not a lawyer), but I'd be interested in any thoughts people have on this.

Peter.
-- END included message