- From: Bullard, Claude L (Len) <len.bullard@intergraph.com>
- Date: Thu, 13 Oct 2005 12:27:18 -0500
- To: 'Dan Connolly' <connolly@w3.org>, "Henry S. Thompson" <ht@inf.ed.ac.uk>
- Cc: Tyler Close <tyler.close@gmail.com>, www-tag@w3.org, Daniel Weitzner <djweitzner@w3.org>, Rigo Wenning <rigo@w3.org>
- Message-ID: <15725CF6AFE2F34DB8A5B4770B7334EE07207548@hq1.ingr-corp.com>
Hmm. IANAL. That response opens an interesting liability test case: can someone be sued for negligence based on the server, or the architecture of the server? For a plaintiff to prove negligence, four elements must be present: 1. Duty 2. Breach of duty 3. Causation both actual and proximate 4. Damages. NOTE: Proving these conditions doesn't mean the plaintiff wins; it means it merits a judicial decision. Duty: general duty of care is imposed on all human activity. A person is under a legal to duty to take precautions against creating an unreasonable risk of harm to others or their property. No duty is owed to those whom their action posed no *forseeable risk*. NOTE: Does the act of using the URI create *forseeable risks* and is the W3C open to suit based on having created risks by implementing its specifications? Breach of duty: It must be shown the defendant's conduct fell short of the standard of care owed the plaintiff. This has three legs: 1. Misfeasance: doing a proper or lawful act in a wrongful or injurious manner (this is where the defendant could be sued prior to the statute being enacted; it is possible the statute is unnecessary. TimBL may be wrong given this, but if right, may inadvertently open the W3C up to a massive class action suit given deep pockets.). 2. Malfeasance: doing a wrongful or unlawful act (the statute in question appears to move the defendant to this leg) 3. Nonfeasance: failure to perform and act or duty that is otherwise required (defendant may be able to sue server owner for nonfeasance) IOW, a duty may be breached by doing the correct thing in the wrong way, by doing the wrong thing, or by not doing something that should be done. The hurdle is to establish a duty. SOURCE: 9-1-1 Liability: A Call for Answers (Ormsby, Salafia) len From: www-tag-request@w3.org [mailto:www-tag-request@w3.org]On Behalf Of Dan Connolly I heard Tim talking about this, and he pointed out the safety principle... "Agents do not incur obligations by retrieving a representation." http://www.w3.org/TR/2004/REC-webarch-20041215/#pr-deref-safe Perhaps that could be elaborated to say that we regard it as a privilege/right of users to be able to explore the web, and that it's the server's fault if it gives unauthorized access. But it seems to me that the designers of the Computer Misuse Act would concede that there's a bug in the server; they're saying that it's illegal to exploit bugs in software. > I have to confess I have occasionally done something close to this, > namely just repeatedly truncating a URI in the address window looking > for a directory I can browse. . . At the very least it never occurred > to me that I was running the risk of setting off alarms, much less of > breaking the law . . . Then provision (c) doesn't apply. But look at your server logs, and you'll find tons of bots trying to exploit well-known server bugs. That's clearly anti-social behaviour, and I'm somewhat sympathetic to efforts to outlaw it.
Received on Thursday, 13 October 2005 17:28:13 UTC