Liability and Computer Security

Pelerin writes "In the latest Crypto-Gram, Bruce Schneier has written an interesting essay with some thoughts about the current lack of business incentives for the deployment and production of more secure software. His main recommendation/prediction is this: "Step one: enforce liabilities. This is essential. Today [...] the marketplace rewards low quality. More precisely, it rewards early releases at the expense of almost all quality. If we expect CEOs to spend significant resources on security -- especially the security of their customers -- they must be liable for mishandling their customers' data. If we expect software vendors to reduce features, lengthen development cycles, and invest in secure software development processes, they must be liable for security vulnerabilities in their products." Schneier's five-step plan for thinking about security is also good.

Pelerin continues: "All well and good, but this raises some questions in the case of a company offering security solutions based on open source / free software.

  • Where does the chain of liability end? Can somebody attempt to recover damages from Linus when a kernel security hole shows up?
  • Can a case be made for lower insurance rates for free software solutions? (I mean, can it be made to the accountants and the lawyers, not the techies).
  • When liability enters the picture, which mechanisms can allow free software to compete based on its merits, not on the likelihood of surviving a liability lawsuit?"

6 of 159 comments

  1. Indemnity clauses by xrayspx · Score: 4, Insightful

    If you read a license, any license, it basically states that you use the enclosed software "at risk", meaning you can't sue if something, anything, goes wrong. Including data corruption, script kiddie 0wn@g3, etc. What he's proposing is getting rid of that. Fine, now Microsoft is liable for NT vulns, but you can't basically throw MS licensing rules out the window and leave BSD and GPL intact. So then the "As Is" portions of the open licenses have to go, too.

    Why not hold Network Admins responsible for problems on their networks? I am a network admin, and if some kid got in and stole a database from one of my employers, compromising customers, I would expect to take the full heat for it. In the back of my mind I'd be saying "F*** Microsoft and their buggy-ass code", but I would know it was my fault for allowing it to happen.

    This is no solution. What's the estimated cost of Nimda so far? Code Red? sadmind? Melissa? I Love You? All the other Outlook worms?

    The cost of lawsuits from just these AUTOMATED attacks would cripple even Microsoft. Not to mention the CDUniverses of the, er, Universe.

    Software authors need these clauses for a reason; if they didn't have them, they might as well go start a farming commune instead, because it wouldn't be worth it to code anymore.

    Free Software authors would then also have to specify under which conditions they would ALLOW their software to be run. Otherwise some schmuck could install some .01a version of code that some guy wrote on his weekend off as a proof of concept on their primary webserver, immediately get hacked, and sue Joe Programmer into the stone age.

    Nice idea, just to tweak MS, but I don't like the way it would play out.

    1. Re:Indemnity clauses by cthugha · Score: 5, Insightful

      Fine, now Microsoft is liable for NT vulns, but you can't basically throw MS licensing rules out the window and leave BSD and GPL in tact.

      You can get MS and leave the GPL (essentially) intact. The difference between them is that you pay for MS stuff, whereas you generally don't pay for GPL software. Of course, if you pay for GPL software, you should probably have a right of action against the supplier (but not necessarily the original author, if s/he gives it away).

      The technical legal difference between the two is that an MS EULA is a contract (legally binding agreement for mutual consideration), whereas the GPL is only a licence (permission to do something the grantee couldn't previously do, without anything in return). I understand the contract/licence nature of the GPL is still a matter of some debate, but if a law were passed saying "no clauses excluding liability in contracts for the sale of software", then we could probably catch the EULAs and leave the GPL and other open source licences intact where the GPL'd or OSL'd software was provided gratis. At any rate, I think it should be possible somehow to distinguish the two on a "you pay for one, you don't pay for the other" basis.

      Why not hold Network Admins responsible for problems on their networks? I am a network admin, and if some kid got in and stole a database from one of my employers, compromising customers, I would expect to take the full heat for it. In the back of my mind I'd be saying "F*** Microsoft and their buggy-ass code", but I would know it was my fault for allowing it to happen.

      It depends on who made the decision to go with the buggy software. If it was your decision, then yes, the responsibility falls on your shoulders. If, however, the decision came from management on the rationale that "nobody got sued for going with MS" or some other non-tech-related reason, and that decision was made against your own advice, then you shouldn't cop the heat for that.

      Of course, given your lowly position in your organization relative to the goon that actually made the decision, office politics will pretty well guarantee that you'll take the heat anyway :).

  2. Re:on legal liability by Anonymous Coward · Score: 5, Insightful

    This isn't about adding new laws to make writing software more difficult. It's about ending special protection and holding software companies to the same standards as everyone else. If I buy something from you, it had better work; this is how it is for every other product under the sun, so why is software special? As for free software, well, the same standards would apply as for anything else that is free. You normally can't sue over something that is free, except in extreme cases where you can prove gross negligence or outright malice. That standard would work just fine here too.

    This may give proprietary software a PR advantage over free software (it has to uphold higher standards), but them's the breaks. Besides, free software has always touted an equivalent PR advantage (the source has been reviewed by countless experts in the field), so it's just good old-fashioned competition.

    In my view, those who are against software liability are no better than the RIAA/MPAA who try to prop up their inefficient ways of doing business through lobbying and legal bullying. They too like to blame their customers when anything goes wrong.

  3. Basis of liability by gweihir · Score: 4, Interesting

    The liability will not go to Linus. Basically everybody operating computing equipment will have to have insurance, just like if you operate a car, or like you should have if you go wind-surfing.

    This insurance will get much cheaper if you use good systems and have the required competence to make them secure.

    Some problems will have to be resolved by the legal community:
    • Who is responsible for the operation of a piece of computing equipment, and how does this responsibility transfer?
    • How is the competence of such an "operator" graded?
    • What constitutes criminal/unauthorised misuse of computing equipment?

    The last point is important, since you are only responsible for problems caused by your equipment, as long as they are not due to some criminal action by somebody else that you could not easily detect.
    To stay with the car analogy: If somebody sabotages your brakes in a way you don't notice until they stop working, accidents that result may not be your responsibility.

    An additional point: While a car manufacturer has certain responsibilities, not everything that can go wrong is their responsibility. Only things they claim or are required by law to claim have to be backed up by their product. If you hit a tree because you don't know how to drive or if you start sliding on ice, that is certainly not the manufacturer's fault.

    In the case of software this gets a little more complicated, as there is no "unit" of software. My feeling is that Manufacturers will not face legal requirements for characteristics their software will need to have, because such characteristics might be impossible to specify (not saying people will not try). Instead I think that cheap "computer operation insurance" will only be available for products where either the Manufacturer takes legal responsibility for some characteristics of the product, or where the insurance companies have a strong indication that the piece of software has these characteristics.

    I also think that Computer Scientists and other people that produce code and systems will have to have a kind of "Malpractice Insurance" whenever they commercially create code for others.
    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
  4. Amateur cars by interiot · Score: 5, Insightful

    Take as an analogy the auto industry. Ford had legal suits brought against it due to possible problems with its cars. This is good for the general safety of consumers, but it results in almost zero amateur cars. Individuals can build kit cars for themselves but can't sell newly manufactured ones, and smaller manufacturers can distort their cars so they fit into some exception of the laws. But generally, 99.9% of the cars in the US are made by a couple of manufacturers.

    This is what will happen to software if similar laws are applied to software.
