Last week Hewlett-Packard attempted to use the Digital Millennium Copyright Act (DMCA) to crush security research company SNOsoft for revealing a particular nasty exploit allowing a remote attacker to access to machines running HP’s Tru64 Unix operating system. While this is not the first attempt to disrupt legitimate security research using the DMCA (see earlier attempts by the RIAA against Dr. Ed Felten), this represents a true departure from previous attempts: to a casual observer, SNOsoft didn’t even violate the DMCA!
The DMCA, as its name suggests, is about protecting copyright in the age of technology that enables perfect digital copies of copyrighted materials. Part of the act outlines terms that make it a crime to circumvent copyright controls or distribute tools for that purpose. What’s interesting is that the “technology” distributed by SNOsoft had nothing to do with copyright protection technology, it only really enabled a malicious user to access a system running Tru64 without proper authorization. Is that wrong? Undoubtedly a person using the exploit against a third-party’s system would be breaking the law, but they, not SNOsoft, would be prosecutable under US federal computer fraud statutes, not the DMCA.
Did HP honestly expect it would be able to sue SNOsoft for damages resulting from the release of the exploit, despite the fact that the problem was a direct result of HP’s own faulty software? Most software today is distributed under an End User License Agreement (such as this example Microsoft EULA) that stipulates the software is provided “as is”, under no warranty, and not even guaranteed to be suitable for any purpose! If HP is not liable to its own customers for faults in its Tru64 Unix, how can it contend that SNOsoft should be liable for any damages that result from an exploit that someone other than SNOsoft used to breach a Tru64 system?
Perhaps recognizing the possibility of setting a software-liability precedent, HP hastily recanted its legal threats.
Software companies want to be able to sell a product, but they don’t want to be liable for any damage their product might inflict. They want to sell something, but a person who purchases their product doesn’t actually own it, they only own a “license” which can be revoked by the manufacturer at any time. They want to be able to access a user’s machine without their knowledge. They want. They want. They want.
How about what we, the users, want?
It’s time that software development companies realized that they’re just regular companies and, like every other company (recent examples notwithstanding), they have to follow the rules. Play time is over. Grow up or go home.