Software liability is a nonstarter
I generally admire the work coming from the SANS Institute, but Alan Paller’s call for software liability (via Deb Shinder) for security vulnerabilities just doesn’t make sense. That’s because software security is like a bank vault: vaults are rated by the time and effort required to break into them, but none is rated unbreakable.
While SANS is right to point out the sloppiness of the software industry, calling for software liability is irresponsible. Even the most secure software in the world can be hacked if there is a sufficient reward.
While I can understand holding companies liable for human deaths or injury caused by bad software in things like automobiles, it’s not realistic to demand general liability for software. Commercial software companies should be responsible to the extent that they provide fixes and patches for some finite period of time, and this is already the industry norm.

I think we can all agree we cannot continue with the status quo. It has been a bit since I have read Geekonomics, but there is a cost to bad software. Right off the bat, I can’t think of anything that performs as badly while escaping consequences largely because of the EULA.
Glad to see we can agree that death and injury will generally lead to liability claims. So what about loss of time, opportunity cost, etc.?
Now, the bank vault idea. What about the Kryptonite Lock $3,500 loss promise? Now, to be sure, there is plenty of fine print (you have to file a police report, return the lock to Kryptonite, etc.), but their point is simple: they are not going to be the weak link.
Now bank safes, or even home safes. You are quite correct; that is exactly what I teach in Security Leadership Essentials: safes are rated to last this much time against drilling, this much time against fire, etc. But that is worth looking into more closely. The manufacturer of the safe doesn’t do the rating; I think it is U.L. that gives you the ratings. With a safe you know exactly how much protection time you are getting. With the current paradigm for software, you have no idea what you are getting.
The consumer deserves some protection. Consider this scenario: I am an artist who moved into digital art two years ago and have been painting like mad for two years. I bought Creative Suite from Adobe, and yesterday a malformed .pdf installed bot software that removed all my original and as yet unpublished, but contracted for, digital artwork from my system and put it all in a bittorrent or six for free downloading by anyone; my business and my livelihood are threatened. Should it really be “too bad, so sad, no money for you, now mosey on, lil artist”? Or should I be entitled to some compensation?
In my class we teach about downstream liability; there are four factors (warning: get your own attorney, this is not legal advice):
- Duty, my responsibility to practice due diligence
- Breach, my failure to maintain due diligence makes it possible for a failure to occur
- Causation, said failure actually happens leading to
- Harm, your negligence caused me harm
In most of the world this is pretty straightforward. Why is it a non-starter with software?