> “If Toyota makes pickup trucks and someone takes a pickup truck, welds an explosive device onto the front, crashes it through a perimeter and into a crowd of people, is that Toyota’s responsibility?” he asked. “The N.S.A. wrote an exploit that was never designed to do what was done.”
Let's rework that analogy. If the NSA knows a trick to make Toyota pickup trucks explode, and they don't tell Toyota about the trick for years because they want to keep using it, and then eventually they leak the trick and suddenly everyone's Toyotas are exploding left and right, is that the NSA's fault?
Yes, yes it sure is.
I wouldn't go quite so far as to say the NSA was obligated to tell Microsoft (metaphorical Toyota) immediately about the exploit. For better or worse it's in America's interest for them to hack into foreign computers, and they take some risks as part of doing that. But they're 100% responsible for the downside of the risks they take.
Imagine Toyota makes a faulty truck, and then they issue a recall, and there's headline news about the danger this issue poses, and truck drivers all over Twitter are pleading for people to fix their trucks, but you nevertheless continue driving around for 799 days without fixing it, and then your truck explodes. I know who I'm blaming.
Both points are true. Think about having giant holes in the sidewalk. On the one hand, if you walk into a giant hole in the sidewalk in broad daylight, that's pretty much your fault, and your friends will laugh at you. On the other hand, everyone understands that some people will inevitably walk into a giant hole in the sidewalk if it's there, and so we consider it negligent to dig one without putting up bright orange barriers around it. In part that's because some people are more vulnerable than others (maybe it's nighttime, maybe their eyesight isn't very good, maybe they're going fast on a bicycle), and in part that's because with a large enough group of people some of them are bound to be careless, distracted, or unlucky.
Let's rework that analogy. If the NSA knows a trick to make Toyota pickup trucks explode, and they don't tell Toyota about the trick for years because they want to keep using it, and then eventually they leak the trick and suddenly everyone's Toyotas are exploding left and right, is that the NSA's fault?
Yes, yes it sure is.
I wouldn't go quite so far as to say the NSA was obligated to tell Microsoft (metaphorical Toyota) immediately about the exploit. For better or worse it's in America's interest for them to hack into foreign computers, and they take some risks as part of doing that. But they're 100% responsible for the downside of the risks they take.