
RE: Computer Misuse Act breaks WebArch (ws Re: Section 5.4.2 of RFC 3986 not actually 'legal' syntax_)

From: Bullard, Claude L (Len) <len.bullard@intergraph.com>
Date: Thu, 13 Oct 2005 12:27:18 -0500
Message-ID: <15725CF6AFE2F34DB8A5B4770B7334EE07207548@hq1.ingr-corp.com>
To: 'Dan Connolly' <connolly@w3.org>, "Henry S. Thompson" <ht@inf.ed.ac.uk>
Cc: Tyler Close <tyler.close@gmail.com>, www-tag@w3.org, Daniel Weitzner <djweitzner@w3.org>, Rigo Wenning <rigo@w3.org>
Hmm.  IANAL.

That response opens an interesting liability test case:  can 
someone be sued for negligence based on the server, or 
the architecture of the server?  For a plaintiff to prove 
negligence, four elements must be present:

1.  Duty
2.  Breach of duty
3.  Causation both actual and proximate
4.  Damages. 

NOTE:  Proving these conditions doesn't mean the plaintiff 
wins; it means it merits a judicial decision.

Duty:  general duty of care is imposed on all human activity. 
A person is under a legal duty to take precautions against 
creating an unreasonable risk of harm to others or their property. 
No duty is owed to those to whom their action posed no *foreseeable risk*. 

NOTE:  Does the act of using the URI create *foreseeable risks* and 
is the W3C open to suit based on having created risks by implementing 
its specifications?

Breach of duty:  It must be shown the defendant's conduct fell short 
of the standard of care owed the plaintiff.  This has three legs:

1. Misfeasance: doing a proper or lawful act in a wrongful or 
injurious manner (this is where the defendant could be sued prior to 
the statute being enacted; it is possible the statute is 
unnecessary.  TimBL may be wrong given this, but if 
right, may inadvertently open the W3C up to a massive 
class action suit given deep pockets.).

2.  Malfeasance: doing a wrongful or unlawful act (the statute 
in question appears to move the defendant to this leg)

3.  Nonfeasance: failure to perform an act or duty that is 
otherwise required (defendant may be able to sue server owner 
for nonfeasance)

IOW, a duty may be breached by doing the correct thing in the 
wrong way, by doing the wrong thing, or by not doing something 
that should be done.

The hurdle is to establish a duty.

SOURCE:  9-1-1 Liability: A Call for Answers (Ormsby, Salafia)

len


From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf Of Dan Connolly

I heard Tim talking about this, and he pointed out the safety
principle...

"Agents do not incur obligations by retrieving a representation."
http://www.w3.org/TR/2004/REC-webarch-20041215/#pr-deref-safe

Perhaps that could be elaborated to say that we regard it
as a privilege/right of users to be able to explore the web,
and that it's the server's fault if it gives unauthorized
access.

But it seems to me that the designers of the Computer Misuse Act
would concede that there's a bug in the server; they're
saying that it's illegal to exploit bugs in software.


> I have to confess I have occasionally done something close to this,
> namely just repeatedly truncating a URI in the address window looking
> for a directory I can browse. . .  At the very least it never occurred
> to me that I was running the risk of setting off alarms, much less of
> breaking the law . . .

Then provision (c) doesn't apply.

But look at your server logs, and you'll find tons of bots trying
to exploit well-known server bugs. That's clearly anti-social
behaviour, and I'm somewhat sympathetic to efforts to outlaw it.
Received on Thursday, 13 October 2005 17:28:13 GMT
