Computer security and liability---my thoughts

Almost three years ago Bruce Schneier posted a blog entry on Computer Security and Liability. Since then he has repeated his opinion several times; one of the more high-profile occasions was in front of the House of Lords. Some people agree, others disagree.

Until just a few days ago I disagreed with him on this particular issue. After the four learned hosts of LugRadio brought up the issue in episode 3 I had another think and I’ve now changed my opinion. I am now in favour of holding companies financially liable for damages resulting from security vulnerabilities in software products.

The software business is interesting because there’s a very obvious asymmetry in what is known about a product between the people who write and sell software and the people who use and buy software. Bruce Schneier has touched on that as well in his post on Security Lemons. Basically the buyer of software knows nothing of the “-ilities” (the non-functional qualities, security among them) of what they are being sold, so there is very little to hang an informed decision on.

I think that introducing financial liability for software producers should take into consideration whether a buyer can make an informed decision before buying or not. This means that in cases where the buyer has full access to the source ((Note that the source doesn’t have to be free as in having all four freedoms granted by e.g. the GPL.)) there will be no financial liability on the developer. It would be enough to offer all source code under an NDA to a buyer before the deal is finalised. Basically liability would be the price a software vendor has to pay to keep the buyer in the dark regarding how secure the product is.

Simon Farnsworth

I’d go slightly further than you, and require that sellers either accept liability for faults in their product, or grant buyers all but one of the four freedoms.

In particular, I would require that sellers wishing to disclaim liability grant freedoms 0, 1 and 3, where the only way to exercise freedom 3 is to provide patches against the vendor source.

Thus, I can examine the source for vulnerabilities; I can fix them for myself (and run the fixed version); finally, I can publish my fixes for the benefit of other customers, or I can offer to sell my fixes to the vendor and other customers.
