Who Is Liable For Software With Security Holes?
securitas writes "Interesting article over at eWEEK that asks who is and should be legally responsible for insecure software. Some say it's the manufacturer. Currently software is exempt from product liability as we've come to know it in the physical world. Others say the software licenses should make users responsible if they don't install patches and updates. Infosecurity czar Richard Clarke said in his speech at RSA that Nimda cost US companies an estimated $2 billion. Imagine if Microsoft was legally liable and a $2 billion suit was filed. Now extend that to the other jurisdictions outside the US. What does this mean to open source software, which is being used to a greater extent in corporate environments? Food for thought."
Free offers essentially no protection.
If you give away free food and someone gets sick because of it, you're liable.
If you give away free toys and someone chokes on one, you're liable.
You can't charge people for walking on the sidewalk in front of your house, but in many areas, you're liable if someone hurts themselves on your little patch.
The only protection is to avoid having been negligent about the issue. And paid-for software certainly has more resources to do so.
Software is probably better off left unencumbered by inherent liabilities. If you want to make somebody liable, get your software on a contract basis where you can make the terms whatever you like.
As a matter of law, in Australia, goods including software have to be "reasonably fit for the purpose" they have been purchased for, of "merchantable quality", and must fit the "description" they are sold under. If a good fails to comply with any or all of the above conditions, the disgruntled purchaser can sue for damages or a suitable replacement. In Queensland the relevant legislation is the 1896 Sales of Goods Act, of which all Australian and New Zealand jurisdictions have analogues.
Many Commonwealth jurisdictions have similar regulatory regimes.
It is arguable that software which doesn't work very well fails all of the above requirements. A former law school acquaintance of mine has even sued a car distributor, for a fleet of Lada Samaras, claiming that they didn't fit the description of a "motor vehicle" (i.e. a moving machine!) because they spent all their time in the shop!
What needs to be remembered is that all software producers can be liable under such a regime, Linux or Winduhs.
Automatically applying patches is NOT a solution! There are countless stories where the applying of patches caused formerly working software to crash. (*)
One major advantage of OSS vs Commercial software is the availability of the source code. Another major benefit, but less well recognized, is the visibility of REPORTED DEFECTS. Prior to obtaining an OSS application, say on sourceforge, I can peruse the bug list and get a complete list of reported bugs. What are the chances I can see the complete list of reported defects in, say, Microsoft Office?
Okay, why not just have a law passed that requires commercial software developers to make all reported bugs publicly visible? Ain't gonna happen; political contributions and lobbying efforts would squash that in a heartbeat.
BUT, there's another approach. Don't use LEGAL requirements -- make it a MARKET requirement.
In other words, consider these two scenarios when making a recommendation for two different software packages:
In short, software will always have bugs -- just as OSS makes the code available, we can use market forces to trumpet the same visibility of the known (and future) bugs.
(*) Footnote: Feature vs Bug... many years ago I worked for 2+ years in testing a COBOL compiler that was being upgraded to support the latest standard. The version that was already out in the field was rife with bugs. Several customers were worried that we were going to fix some bugs they depended on! Though non-standard code, they had developed workarounds and used them extensively -- fixing the bugs in the compiler would break their programs!
Yeah, selling software is great... from the perspective of someone who knows nothing about the business. First you have to employ programmers, who are known to be independent-minded and "difficult."
:)
Difficult programmers? (That's a problem?) Please. I am a programmer, so I take offense at both your generalizations.
You haven't refuted my point that selling software is better than selling airplanes. If an airplane comes apart in flight, and the flaw was even theoretically foreseeable, you expose yourself to incredible liability. I wouldn't want to be in the airplane business, or any "real" industry. It looks like a good way to get an ulcer. People in the software world like to fancy themselves as being in a real manufacturing business as opposed to a service-based one, until the topic of legal liability comes up. Then we suddenly view our position much more clearly.
Now... should software companies be liable for damages from bugs? I think it depends on the intended use of the product and the seriousness of the bug. Medical, military, and government software should at least be well-tested and well-written. But a bug that wipes out a user's save files for Bobo the Monkey III should not even be legally actionable.
Well that's reasonable, but those are two extremes. Nuclear, aerospace, medical, and military software is generally integrated into and viewed as a part of a larger physical system. If a microcontroller in an airplane has a software problem and feeds wrong information to an actuator on the plane causing a crash, you expose yourself to liability as a seller of a faulty airplane, not a faulty software program. Software that isn't sold as part of a larger machine with real physical parts doesn't have this problem. The shrinkwrap around a software box (and the EULA wrapper around the disk) is like an armor against lawsuits.
Microsoft products have various back doors like the buffer overflow that Code Red exploited, but they also have front doors and that's just incredible and inexcusable! Outlook has an intentional feature where it automatically executes VBA code contained in an attachment when you open it. This allows worms to flood the Internet on a regular basis, without even having to do hackish back-door stuff like overflowing a buffer. But it's not really a bug, it's a feature that wasn't well thought out. Someone wasn't using their head. All of Office suffers from feature creep and they don't think things through as they shovel thousands of questionable features into their software. (Maybe I lead a sheltered life, but I have yet to hear of anyone sending a legitimate VBA script via an Outlook attachment. Have you?) Incredibly, for all the monetary damage those worms have caused, Microsoft has suffered only a little humiliation. It has exposed itself to no product liability at all. If Microsoft sold airplanes, or medical equipment, or solid rocket boosters, they'd be out of business by now. Their workmanship is just too mediocre for anything except software.
Your problem is with the deep pockets law. First I want to show you how to abuse the law. The taxi business has a high liability risk. A cab company might decide to make all of its drivers "independent contractors." The independent contractors would be responsible for their insurance. The independent contractors would be underinsured, etc.
In this scenario, the taxi cab companies were trying to avoid risk by pushing the risk onto a smaller business that would simply go bankrupt when an accident occurred.
You can imagine a company giving away the troublesome parts of the program for free (to avoid the liability exposure) while selling the stable pieces for a premium. Should MS have to pay for a bug in a free patch, or a free utility they distribute with XP?
In the taxi case, the courts found the taxi cab company partially liable for the accident. Since they have deep pockets, they ended up paying the full claim.
This deep pocket legislation is quite popular since it prevents companies with deep pockets from spinning off risk into small entities.
Deep pocket litigation has some really bad side effects. Really, in every accident that occurs, you can say the county or city that built the road was partly to blame. This means that counties and cities become the deep pocket in thousands of lawsuits.
In the software world, we would start seeing the same gamesmanship going around if we started flinging billion dollar suits left and right. We would see big companies spawning little companies whose primary purpose is to control risk exposure. Meanwhile, fearing deep pocket litigation, the big companies would stop funding smaller research projects or stop giving code to GPL efforts for fear of becoming a deep pocket in a suit they really cannot control.
The litigation would not be pretty. The only certainty is that the lawyers would make out like bandits.