A new stock market tactic, but is it legal? Paul Rosenzweig talks about a new way to manage a software bug on Lawfare:
Now we have a new paradigm—one that attempts to monetize the bug and establish its fair market value. Andrea Peterson reports on a new use of the stock market. A security research firm called MedSec recently found a flaw in the implantable heart device manufactured by St. Jude Medical. Rather than alerting St. Jude so they could fix it, or trying to sell it to them, MedSec took a different tack. It gave knowledge of the flaw to Muddy Waters Research, a hedge fund. Muddy Waters, in turn, took a short position on St. Jude stock (betting it would go down) and then released a report, based on MedSec research, that publicly disclosed the alleged flaws. The stock duly dropped, Muddy made a profit (nobody is saying how much) and gave a cut of the profit to MedSec.
While people who put in the time to discover real software bugs should receive some sort of compensation, this still makes me a little ill. Worse yet, Paul notes that no one has been able to reproduce the reported problem, and if this remains true, the SEC should come down hard on both the MedSec and Muddy Waters for market manipulation.
I see this as part and parcel of the necessary confusion of the private and technology sectors. In this case, the urge to profit from a technology mistake is permitted, probably unethically if not legally, to come to fruition.
But, since we’re talking about medical technology, what is the special ethical responsibility of MedSec to report the problem? What if a patient dies because someone delayed reporting a bug until they had arranged to profit from the predicted stock market behavior? Is that on the hacker, on the investment firm taking the position, or on some other party?
Can merely forbidding this actually or legally work? Or is it really on the medical device firms to get their shit together and create working hardware and software? Or is the technology just too damn hard? Or do they not care because the stock price doesn’t affect the company that has issued the stock all that much?