FIRST IMPRESSIONS

Aftermarketfailure: Windows XP's End of Support

Andrew Tutt

Introduction

"After 12 years, support for Windows XP will end on April 8, 2014." So proclaims a Microsoft website with a helpful clock counting down the days. "What does this mean?" the website asks. "It means you should take action." You should "migrate to a current supported operating system - such as Windows 8.1 - so you can receive regular security updates to protect [your] computer from malicious attacks."[1]

The costs of mass migration will be immense. About 30% of all desktop PCs are running Windows XP right now.[2] An estimated 10% of the U.S. government's computers run Windows XP, including "thousands of computers on classified military and diplomatic networks."[3] And the costs of staying put? They will be enormous, too. It turns out that 95% of the world's ATMs are powered by Windows XP, and there is no readily available substitute in the offing. In one example of these exorbitant costs, the price of either extending support or upgrading to another version of Windows for each of Britain's major banks will be in the hundreds of millions. Costs will be similar, or perhaps even higher, worldwide.[4]

The failure to continue to patch unpatched computers will also have serious ramifications for society. Hackers will keep scouring Windows XP for flaws, holes, and vulnerabilities for many years after Microsoft ends support for its vaunted operating system. Zero-day vulnerabilities-flaws hackers have long known about but have waited to exploit for fear that the vulnerability will be immediately patched (and could therefore only be used once or for a short time)-will now be exploitable in perpetuity.[5] Experts "have repeatedly warned that April 8 could spark a hacker feeding frenzy."[6] Yet, ironically, those who run Windows XP pose a greater threat to others than to themselves.

In the special case of governments, enterprise businesses, and financial institutions, failure to patch or migrate will expose the personal data of millions of individuals to theft, fraud, and abuse. When the wave of security breaches from unpatched machines arrives, the lawsuits against companies for failure to secure user data properly will become even more costly.[7] There may also be immense blows to consumer confidence, leading to welfare-reducing market-wide substitutions away from e-commerce.[8]

Meanwhile, the many millions of consumers who do not realize the increased vulnerability of their desktop operating systems will continue to use Microsoft Windows XP. Perhaps they will do so because they do not believe they are at risk. They will say that they do not do any of their personal banking or shopping on their home computers, and they will assert that they do not check their email or visit social networks. As a result, they will conclude that they do not see the "need" to upgrade.[9] Yet, as long as they connect to the internet, their continued use of XP stands to cost society millions of dollars.

Computers do not use much of their powerful data-processing capability or much of their available internet bandwidth from moment to moment. Hackers love nothing more than to sneak onto computers and turn them into secret weapons whose idle bandwidth can be used to block traffic to enterprise websites through Distributed Denial of Service Attacks ("DDoS Attacks") and whose resources can be secretly co-opted to send millions of spam emails. These hackers also relentlessly use computers to break enterprise encryptions or reroute internet connections, which enables them to pretend that their attacks on sensitive infrastructure originate from any one of potentially millions of zombie computers.[10]

For these reasons, Microsoft Windows XP's end of support, combined with a collective action problem stemming from individual users' failure to realize or internalize the costs of not migrating or upgrading their operating systems, could prove catastrophic.

All of this could be avoided if Microsoft, as well as other intellectual property owners who have monopoly power in a product market, allowed for the creation of robust aftermarkets if they themselves elect to end support. They could do this voluntarily. In Microsoft's case, it could do so by releasing Windows XP's source code-the fundamental organizing instructions that make the program operate-under a carefully circumscribed global license.[11]

But the law could also obligate Microsoft to aid in the creation of such a market, although here things turn murky. Under the leading understanding of existing antitrust doctrine, if Windows XP were real property-a photocopier, for example-the law would obligate Microsoft to help other companies create an aftermarket for Windows XP support. Because Microsoft Windows XP is not just property but intellectual property, however, courts have been more reluctant to recognize a monopoly exception to intellectual property protections. They should not be.

The following essay briefly sketches out the argument for why software monopolists should be legally required to help other companies provide ongoing support for their products. First, the essay describes the conceptual and economic theories that would support such a requirement. Second, it describes the conflicting law governing the intersection between intellectual property and antitrust. Third, it exhorts Microsoft to extend the support clock, release its source code, or make clear to the world that should anyone else wish to take on the task of providing future security support for Windows XP, Microsoft will help them to do so.

I.  Intellectual Property's Imperfect Analogy to "Property"

Software does not work quite like ordinary property. We ordinarily think of goods as perishable or durable. Mostly, we worry about monopolies over perishable goods, which can be used only once, in contrast to durable goods, which can be used many times. Software appears to be a durable good, and many economists subscribe to the view that durable goods cannot be monopolized. Ronald Coase famously sketched a seven-page note that "convincingly explained why a durapolist"-that is, a durable-goods monopolist-"might not be able to exercise market power even if it held a market share of 100 percent."[12]

In two important respects, however, software is not quite a classic durable good. First, unlike in the case of a classic durable good, like a ten-year lightbulb, the world in which software exists is always shifting. In particular, hackers pose a constant threat to software security, which means that a consumer could go to bed on a Monday with a fully operational supercomputer handling tens of billions of consumer credit transactions and wake up on a Tuesday with a brick (that is, "an electronic device . . . that, due to a serious misconfiguration, corrupted firmware, or a hardware problem, can no longer function"[13]).

Second, when it comes to software, only the developer generally possesses the source code. This is both because the copyright laws make it illegal to copy source code and because it is easy to encrypt this code and keep it secret. As such, it is frequently, if not always, the case that only the maker of a software program-or those who are authorized by its maker-has the information he needs to fix software.

This is not how most property works. A Chevy does not expire because Chevrolet decides to stop making the parts. If Chevrolet discontinues making parts or ceases offering repair services, markets spring to life because replacing a bolt, a casing, or a tire does not require someone to know how the whole car fits together. Not so with software. Without access to the source code, it is very difficult, if not impossible, to fix a software program.

As a result, software like Windows XP starts to appear less and less durable, with its product market increasingly easy to monopolize. There are high barriers to entry (you have to create an entirely new operating system of your own to compete) and high switching costs (consumers have already invested in many programs that only work with Windows XP), and Microsoft has total control over the product's aftermarket (because only it possesses the source code and hence the ability to manipulate the code). This last point is the most important. Durapolists "often argue that, in their case, secondary markets . . . limit their ability to exercise market power."[14] But when other firms cannot intervene to keep Windows XP a viable competitor of a newer version of Windows, Microsoft can use the decision to discontinue support for Windows XP as an opportunity to ensure that consumers switch to Windows' next iteration.[15]

II.  The Uneasy Intersection Between Intellectual Property and Monopoly

The law of antitrust is a mess, especially when it comes to durable-goods monopolists. For physical goods, the leading case governing monopolists who attempt to exercise control over aftermarkets has held that the antitrust laws can create a duty to deal with those who seek to provide services or maintenance for the monopoly good. By contrast, in cases addressing intellectual goods, the opposite seems to hold.

In Eastman Kodak Co. v. Image Technical Services, Inc., the Supreme Court's leading statement on the duties of physical durable-goods monopolists, the Court held that a durable-goods seller could be required to sell spare parts for its "complex business machines . . . high-volume photocopiers[,] and micrographic equipment" to competitors, who would perform the actual installation and support services.[16] The Court held that Kodak's refusal to sell parts to Independent Service Organizations ("ISOs") made it more difficult for them to sell services for Kodak machines, and, as a result, "ISOs were unable to obtain parts from reliable sources . . . and many were forced out of business, while others lost substantial revenues . . . [and] [c]ustomers were forced to switch to Kodak service even though they preferred ISO service."[17]

Kodak, then, could stand for the principle that where a durable-good provider (Kodak was not even a monopolist in the copier market) can control the aftermarket for maintenance on its product, it has a duty to aid rival providers in making that aftermarket competitive. The rationale of Kodak is that a company's creation of one really great product should not entitle it to either renegotiate an expensive support plan at some later date or force users to switch to another one of its products-at least, not without giving competitors the opportunity to offer a third option: a reasonably priced support plan of their own.

Examining the legal developments in the wake of Kodak, particularly its interactions with intellectual property laws, shows that the case's core principle has not taken hold.[18] In one of the leading cases at the intersection of durable-goods monopoly and intellectual property-yet another lawsuit over photocopiers-the Federal Circuit held that there is no duty to help create an aftermarket for goods protected by intellectual property rights. The patent and copyright laws affirmatively protected from antitrust scrutiny Xerox's refusal to sell or license its patented and copyrighted products to ISOs. Troublingly, the Xerox case was nearly identical to Kodak except that the parts Xerox refused to sell or license were either patented or copyrighted.[19] A similar rationale held in another major case following Kodak, this one out of the U.S. Court of Appeals for the Ninth Circuit. In Image Technical Services, Inc. v. Eastman Kodak Co., the Ninth Circuit admirably declined to adopt a per se exemption from antitrust liability where a party refuses to sell or license intellectual property. But the court did hold that the existence of such intellectual property rights creates a presumption of legitimate business justification for anticompetitive conduct.[20]                                                                           

III.  Solution: Software as Property Like Any Other

The intellectual property­-antitrust cases seem to overlook the animating purpose behind these laws: consumer welfare. Presently, two cross-cutting intellectual property paradigms protect software as intellectual property: (1) the patent laws that protect any properly patented new and useful process, machine, manufacture, or composition of matter (lasting roughly twenty years) and (2) the copyright laws that protect original works of authorship from unauthorized reproduction, derivation, distribution, performance, or display (lasting roughly a century).[21] These two statutes are meant to promote innovation. The antitrust laws, by contrast, are intended to prevent firms from controlling prices or excluding competition.[22] But all three of these regulatory frameworks are designed, in the end, to enhance consumer welfare.

By electing to end support for Windows XP while guarding the secrecy of its source code and threatening to punish those who copy the code as part of their own efforts to continue to produce security updates, Microsoft does in fact exercise its statutory property right to prevent unauthorized copying. But it also obtains power over price. Given the purposes of both sets of laws, the ultimate question should be whether Microsoft's decision to prevent anyone from maintaining Windows XP as a secure, viable operating system reduces overall consumer welfare.

The math is not even close.

Thousands of companies would gladly pay Microsoft-or anyone-to ensure that the millions of people who will not be switching to a newer version of Windows XP on April 8 do not become unwitting soldiers in hackers' botnet armies. Governments that invest billions in consumer protection would readily pay to protect those consumers from the effects of Microsoft's decision to end support. While there may be harms to future innovation that might result from requiring Microsoft potentially to disclose the inner-workings of a thirteen-year-old operating system to some aftermarket competitors, Microsoft itself could prevent any such harm by simply continuing to offer support itself. Or, even more admirably, Microsoft could simply release the Windows XP source code.

Unfortunately, the legal system offers few paths to a remedy. Microsoft's Windows XP source code is already secret, and no legitimate business would reverse engineer the code simply to face a devastating copyright lawsuit. Furthermore, because companies lack access to the source code and therefore cannot otherwise articulate a way that they could create an aftermarket in Windows XP security updates and patches, it is almost inconceivable that a company would be able to maintain an antitrust claim against Microsoft for failure to continue providing XP support. A federal entity, like the Department of Justice or Federal Trade Commission, could attempt to make Microsoft deal with its aftermarket competitors. There's only one problem: Microsoft has no aftermarket competitors because Windows XP's source code is both secret and copyrighted. Alternatively, consumers themselves could bring suit against Microsoft, but such claims are, at best, years away, and the law in this area-as has been shown-favors owners of intellectual property rights over consumers.

This is a terrible conundrum, one that cries out for a legislative solution. Make no mistake: Microsoft's decision to end support for Windows XP could be one of the most consequential decisions made by any major institution this year. Society will soon need to rethink many old notions like property, competition, and innovation in a world where networked computers store individuals' most important and intimate personal information.[23]

Until the law catches up, however, it will fall to Microsoft alone to make the right decision. The company should extend the support clock, release its source code, or make clear to the world that if anyone else endeavors to provide future security support for Windows XP, Microsoft will help them do so.

 


          *       Visiting Fellow, Yale Law School Information Society Project; Law Clerk, Honorable Cornelia T.L. Pillard, U.S. Court of Appeals for the District of Columbia. Thanks to Kiel Brennan-Marquez, Amy Kapczynski, Alvin Klevorick, Shaun P. Mahaffy, Lisa Larrimore Ouellette, and Priscilla J. Smith for exceedingly helpful comments and encouragement. Thanks also to the editors of the Michigan Law Review, especially Matthew McCurdy and Brian Tengel.

    [1].     Support for Windows XP for Enterprise Business Is Ending, Microsoft, http://www.microsoft.com/​en-us/​windows/​enterprise/​end-of-support.aspx (last visited Mar. 30, 2014); see also Support Is Ending for Windows XP, Microsoft, http://windows.microsoft.com/​en-us/​windows/​end-support-help (last visited Mar. 30, 2014).

          [2].     Operating System Market Share, Netmarketshare, http://www.netmarketshare.com/​operating-system-market-share.aspx‌?qprid=10‌&qpcustomd=0‌&qptimeframe=M (last visited Mar. 30, 2014).

         [3].     Craig Timberg & Ellen Nakashima, Old Software Puts Federal PCs at Risk, Wash. Post, Mar. 17, 2014, at A1, available at http://www.washingtonpost.com/​business/​technology/​government-computers-running-windows-xp-will-be-vulnerable-to-hackers-after-april-8/​2014/​03/​16/​9a9c8c7c-a553-11e3-a5fa-55f0c77bf39c_story.html.

          [4].     PTI, Maintaining Windows XP After April 8 May Cost Rs. 11,90 cr Per Year, LiveMint (Feb. 25, 2014, 5:29 PM), http://www.livemint.com/​Consumer/​ljHfXP1dqSiJn5MYdEBBaN/​Maintaining-Windows-XP-after-8-April-may-cost-1190-cr-per.html; Kate Rogers, End of Windows XP Support Could Put ATMs at Risk, Fox Bus. (Mar. 19, 2014), http://www.foxbusiness.com/​personal-finance/​2014/​03/​19/​end-windows-xp-support-could-put-atms-at-risk; Matt Scuffham & David Henry, Banks To Be Hit With Microsoft Costs for Running Outdated ATMs, Reuters (Mar. 14, 2014, 10:57 AM), http://www.reuters.com/​article/​2014/​03/​14/​us-banks-atms-idUSBREA2D13D20140314; Simon Zekaria, Are the World's ATMs Ready for April XPiration?, Wall St. J. Digits (Mar. 19, 2014, 2:27 PM), http://blogs.wsj.com/​digits/​2014/​03/​19/​are-the-worlds-atms-ready-for-april-xpiration.

         [5].     Without support, Windows XP will suffer what's been called "zero day forever" because no one will be able to patch the system. See Mary Jo Foley, Microsoft warns Windows XP users risk ‘zero day forever', ZDNet (Aug. 16, 2013, 10:14 PM), http://www.zdnet.com/​microsoft-warns-windows-xp-users-risk-zero-day-forever-7000019503/​; Kurt Mackie, Windows XP Users To Face Perpetual ‘Zero Day', Redmond Mag. (Aug. 16, 2013), http://redmondmag.com/​articles/​2013/​08/​16/​windows-xp-zero-day.aspx; Tim Rains, The Risk of Running Windows XP After Support Ends April 2014, Microsoft Security Blog (Aug. 15, 2013, 2:00 AM), http://blogs.technet.com/​b/​security/​archive/​2013/​08/​15/​the-risk-of-running-windows-xp-after-support-ends.aspx.

          [6].     Brad Chacos, Avast: Windows XP Users Already Attacked 6 Times More Often than Windows 7 Users, PC World (Mar. 18, 2014, 8:33 AM), http://www.pcworld.com/​article/​2109144/​avast-windows-xp-users-already-attacked-6-times-more-often-than-windows-7-users.html.

          [7].     See, e.g., Elizabeth A. Harris et al., Neiman Marcus Data Breach Worse Than First Said, N.Y. Times, Jan. 24, 2014, at B1, available at http://www.nytimes.com/​2014/​01/​24/​business/​neiman-marcus-breach-affected-1-1-million-cards.html; Alastair Jamieson & Erin McClam, Millions of Target Customers' Credit, Debit Card Accounts May Be Hit By Data Breach, NBC News (Dec. 19, 2013, 12:07 PM), http://www.nbcnews.com/​business/​consumer/​millions-target-customers-credit-debit-card-accounts-may-be-hit-f2D11775203; Melanie Mason, Target, Neiman Marcus Will Be No-Shows At Hearing on Data Breaches, L.A. Times (Feb. 14, 2014), http://articles.latimes.com/​2014/​feb/​14/​local/​la-me-pc-data-breach-hearings-20140214.

          [8].     Paula Rosenblum, In Wake of Target Data Breach, Cash Becoming King Again, Forbes (Mar. 17, 2014, 5:11 PM), http://www.forbes.com/​sites/​paularosenblum/​2014/​03/​17/​in-wake-of-target-data-breach-cash-becoming-king-again.

          [9].     Swapnil Bhartiya, Windows XP Will Die in April, What Are Your Options?, Muktware (Mar. 21, 2014), http://www.muktware.com/​2014/​03/​windows-xp-will-die-april-options/​23434; Michael Endler, Windows XP Holdouts: 6 Top Excuses, InformationWeek (Mar. 17, 2014, 10:10 AM), http://www.informationweek.com/​software/​operating-systems/​windows-xp-holdouts-6-top-excuses/​d/​d-id/​1127666.

        [10].     See Lilian Edwards, Dawn of the Death of Distributed Denial of Service: How to Kill Zombies, 24 Cardozo Arts & Ent. L.J. 23, 26 (2006); Eugenia Georgiades et al., Crisis on Impact: Responding to Cyber Attacks on Critical Information Infrastructures, 30 J. Marshall J. Info. Tech. & Privacy L. 31, 32-33 (2013); T. Luis de Guzman, Unleashing A Cure for the Botnet Zombie Plague: Cybertorts, Counterstrikes, and Privileges, 59 Cath. U. L. Rev. 527, 528-31 (2010).

        [11].     Mark Gibbs, Microsoft, Instead of Turning The Lights Off On XP, Make It Open Source, Networkworld (April 12, 2012, 2:24 PM), http://www.networkworld.com/​columnists/​2012/​041212-backspin-258214.html.

        [12].     Barak Y. Orbach, The Durapolist Puzzle: Monopoly Power in Durable-Goods Markets, 21 Yale J. on Reg. 67, 69 (2004) (citing Ronald H. Coase, Durability and Monopoly, 15 J.L. & Econ. 143 (1972)).

        [13].     Brick (electronics), Wikipedia (Mar. 16, 2014, 5:56 AM), http://en.wikipedia.org/​wiki/​Brick_(electronics).

        [14].     Orbach, supra note 12, at 112.

        [15].     Id. at 109-10.

        [16].     Eastman Kodak Co. v. Image Technical Servs., Inc., 504 U.S. 451, 456 (1992).

        [17].     Id. at 458.

        [18].     See Harry First, Microsoft and the Evolution of the Intellectual Property Concept, 2006 Wis. L. Rev. 1369, 1422-32 (describing the marked difference in the analysis employed in Kodak from that used in subsequent cases while arguing that courts should scrutinize intellectual property claims to ensure that monopolies do not use such claims as tools to block competition and stifle innovation); Daniel J. Gifford, Antitrust's Troubled Relations with Intellectual Property, 87 Minn. L. Rev. 1695, 1710-18 (2003) (explaining that the Supreme Court's approach in Kodak has not "prevailed" in the intellectual property aftermarket cases, leading to "confusion in the case law").

        [19].     In re Indep. Serv. Orgs. Antitrust Litig., 203 F.3d 1322 (Fed. Cir. 2000); id. at 1328 ("Xerox was under no obligation to sell or license its patented parts and did not violate the antitrust laws by refusing to do so."); id. at 1329 ("Xerox's refusal to sell or license its copyrighted works was squarely within the rights granted by Congress to the copyright holder and did not constitute a violation of the antitrust laws.").

        [20].     125 F.3d 1195, 1217 (9th Cir. 1997).

        [21].     17 U.S.C. §§ 102, 106 (2012); 35 U.S.C. § 101 (2012).

        [22].     United States v. E.I. du Pont de Nemours & Co., 351 U.S. 377, 391-92 (1956); see Thomas G. Krattenmaker et al., Monopoly Power and Market Power in Antitrust Law, 76 Geo. L.J. 241, 247-48 (1987) (explaining that "market power" and "monopoly power" both refer to companies' ability to "price profitably above marginal cost" but represent two independent means of achieving this end-controlling prices or excluding competition-approximately corresponding to the twin prongs in du Pont).

        [23].     See generally BJ Ard, Confidentiality and the Problem of Third Parties: Protecting Reader Privacy in the Age of Intermediaries, 6 Yale J.L. & Tech. 1 (2013) (privacy); Jane Bambauer, Is Data Speech?, 66 Stan. L. Rev. 57 (2014) (speech); Oren Bracha & Frank Pasquale, Federal Search Commission? Access, Fairness, and Accountability in the Law of Search, 93 Cornell L. Rev. 1149 (2008) (competition); James Grimmelmann, The Internet Is a Semicommons, 78 Fordham L. Rev. 2799 (2010) (property); Andrew Tutt, The New Speech, 41 Hastings Const. L.Q. 235 (2013) (democracy and autonomy).

   //  VIEW PDF
BY VOLUME
Volume Archive
BY DATE
Monthly Archive
TOPICS
Tagged Posts

& Other Current Events

Crawford v. Washington: A Ten Year Retrospective

No one disputes the significance of Crawford v. Washington, 541 U.S. 36 (2004), which fundamentally transformed Confrontation...

Come Back to the Boat, Justice Breyer!

I want to get Justice Breyer back on the right side of Confrontation Clause issues. In 1999, in Lilly...

Crawford v. Washington: The Next Ten Years

Imagine a world . . . in which the Supreme Court got it right the first time. That is,...

The Crawford Debacle

First a toast-to my colleague Jeff Fisher and his Crawford compatriot, Richard Friedman, on the...

Confrontation and the Re-Privatization of Domestic Violence

When the Supreme Court transformed the right of confrontation in Crawford v. Washington, the prosecution...