From: "C. Bradford Biddle" <biddle@pwa.acusd.edu>
Date: Sat, 24 Feb 1996 09:47:16 +0800
To: Bill Frantz <frantz@netcom.com>
Subject: Re: Digital Signature Legislation (fwd)
In-Reply-To: <199602222030.MAA04720@netcom7.netcom.com>
Message-ID: <Pine.3.89.9602231154.A13908-0100000@pwa.acusd.edu>
MIME-Version: 1.0
Content-Type: text/plain



On Thu, 22 Feb 1996, Bill Frantz wrote:

> At  20:54 AM 2/20/96 -0500, C. Bradford Biddle <biddle@pwa.acusd.edu> wrote:
> >---------- Forwarded message ----------
> >
> >DIGITAL SIGNATURE LEGISLATION: SOME REASONS FOR CONCERN

[...]

> >LIABILITY

[...]

> The question I have is, does "reasonable care" include keeping your machine
> "virus free"?  

A very good question, and one not answered by the Utah Act. The answer to
the question of what constitutes reasonable care for holders of private
keys will have to be addressed through the long, expensive, and inelegant
process of common law evolution: court case after court case after court
case slowly providing an answer. In contrast, the duties of certification
authorities are explicitly described in the Act. 

> >There is a second troubling policy choice relating to liability. The Utah
> >Act limits the potential liability of one actor in the infrastructure --
> >the certification authority -- to a fixed amount (termed a "suitable
> >guarantee" and determined by a complex formula or by administrative rule).
> 
> The historic precedent is the liability limit on nuclear power plants.

An interesting point, which can be spun several ways. The nuclear 
industry has been able to externalize the immense costs of waste storage, 
etc. Would the same investments have been made in nuclear energy if the 
nuclear industry was forced to internalize all of the costs it generates, 
including the costs of potential accidents? Probably not. I suspect that 
you could find people who would argue that the liability limits have had 
very good consequences (i.e., promoting investment in an ultimately 
beneficial technology) and others who would say that the current state of 
the nuclear industry points out the harm in allowing an industry to 
externalize costs.

> For both these problems, a relatively low liability limit would force
> people to use other techniques (e.g. old style signed contracts) for large
> transactions.  While we are working the bugs out of a new technology, with
> new standards of "reasonable care", everyone might win if the risks are
> limited.

Agreed. Letting market forces sort out the most appropriate risk 
allocations may be the best solution. This isn't really what the Utah Act 
does, however.

> Regards - Bill
> 
> 
> ------------------------------------------------------------------------
> Bill Frantz       | The CDA means  | Periwinkle  --  Computer Consulting
> (408)356-8506     | lost jobs and  | 16345 Englewood Ave.
> frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA


Thank you for your thoughtful comments.

Brad

Brad Biddle, Legal Intern <biddle@acusd.edu>
Privacy Rights Clearinghouse, Ctr for Public Interest Law
http://pwa.acusd.edu/~prc


For the record: Someone else who responded to my post on the Cypherpunks 
list referred to me as "Dr. Biddle." I think they were misled by Phil 
Agre's characterization of me as an "academic" in his introduction to my 
article. (Or perhaps just dazzled by the force of my arguments). I am, in 
fact, a law *student*, not a law professor.