Weekly Edition
Return to the Security page
| |||||||||||||
Software liability laws: a dangerous solutionThe readers of LWN do not need to be reminded that the software industry as a whole has a big problem with computer security. One proposal aims to redress this state of affairs: the concept of legislation designed to create financial liability for the vendors of buggy software. This idea is applauded by many such as Bruce Schneier, author of the famous book Applied Cryptography. But despite the support of notable authors, software liability laws are themselves a dangerous liability to the software industry. One can readily find sympathy in the potential impact of software liability laws on developers of free and open-source software. Many of these developers are working on a volunteer basis, and holding them financially liable for the code they write and release freely could have a chilling effect on the development of free software. Of course, liability laws might be written to exclude programs given away for free, or they might concern themselves with vendors and leave individual developers out of the picture. Unfortunately, the dangers of software liability laws don't subside when individual developers are granted immunity. One of our community's most prominent projects, the Linux kernel, was never intended to grow off the 386 but is now found running everything from stock markets to supercomputers and military gear. This ubiquity brings demand for services, support, and a single throat to choke, which is the bread and butter of Red Hat and other businesses. When a vendor is selling free software, and we make the vendor financially liable for bugs in the code it is selling but did not write, we risk significant disruption to our cherished development models. Further complications arise when we imagine possible liability lawsuits. In the event of a security breach, directing blame and assigning liability can be problematic. Picture a system that runs Oracle on top of Red Hat Enterprise Linux, and imagine that the Oracle database is breached due to a bug in glibc. Does the buck stop with Oracle, Red Hat, or both? What if Novell provided the operating system, but the glibc developer who introduced the bug responsible for the breach is paid by Red Hat? An attorney might decide to sue all three parties, especially if it is unclear which component was vulnerable. Consider also that virtually all software developers attach disclaimers of warranty to their products. These disclaimers are nearly ubiquitous in free software licenses, and are even found attached to some public domain declarations. For software liability laws to have teeth, these disclaimers must be nullified. But when dealing with software designed to address a broad range of users, one must carefully select use cases in which default warranties apply. There is a big difference between a database full of blog postings, a database full of credit card numbers and a database full of top secret government intelligence. We must also recognize the differences in the types of failures under which warranty is considered appropriate. Ford Police Interceptors had a reputation for exploding when they were rear-ended. Ford also suffered a blow to its reputation, along with tire manufacturer Firestone, when tires on Ford Explorer vehicles were found to spontaneously fail. In both of these cases, the loss of human life was not the result of a willful human actor but was caused instead by spontaneous failure under expected operating conditions. By sharp contrast, software security breaches generally don't endanger life or limb, and successful exploits are not accidents but are rather the result of willful attack. The difference between accidental and intentional failure is an important one. Because the laws of physics and the nature of accidents do not change, we can expect auto manufacturers to build reliable gas tanks and tires. But in computer security, attackers discover new techniques each and every year. The equation for software is always on the move. At this point, advocates of software liability laws still hoping to sell their wares need to choose their words carefully, and so they plead for a standard based on best practice. But who defines best practice in an industry that is changing so fast? The pioneers of the Internet didn't predict many of the problems we're facing today, yet few would call them negligent. Real "best practice" is a moving target that is carried by the tides of the times, and in the world of technology, the waves are a mile tall and move thousands of miles per hour. These and other questions must be addressed if software liability laws are to succeed. Unfortunately, legislators are notoriously bad at understanding and regulating technology. Observers of SCO v. IBM surely agree that court cases are long, complicated and costly. Those with faith in any branch of government to appropriately legislate technology should reexamine the Digital Millennium Copyright Act, a law that continues to have a chilling effect on free software development, and Universal v. Reimerdes, the case in which 2600 Magazine's publication of DeCSS was suppressed. Security is, of course, a problem, and the case can be made that someone must be held liable. We prosecute the criminals who breach computer security, but if we're going to put burden on anyone else, we should choose the companies that leak personal information to these criminals when their security fails. In some ways, these companies might be held liable today, but we would do well to consider tightening down the screws. By increasing the burden on these data aggregators, the demand for secure software will increase. This gives the best solutions that engineers produce a market advantage, and financially rewards security-conscious vendors. This approach to liability also addresses the need for best practices and defense in depth when implementing and maintaining networks and databases. By concentrating liability in this way, we eliminate the complications that result from playing the blame game with a group of software vendors. Whose security was breached is a much easier question to litigate than how it was done and how it might have been stopped. As Schneier has pointed out, companies tend to convert variable cost liabilities into fixed cost insurance plans. Insurers have a financial incentive to excel at evaluating risk, and it isn't inconceivable that they might view the use of open code their experts can review a reason to offer lower premiums. Furthermore, putting liability on data aggregators allows those organizations to make choices on how much insurance they are willing to buy. A technologically sound small business might adopt best practices and spend less on insurance, or they might decide to skip out on insurance entirely. But if insurance were expensive and the danger of a security breach was still unacceptable, they might reconsider the practice of permanently storing large amounts of customer data, something that their customers tend to consider an invasion of their privacy anyway. Software code is quite complex, but we can write all kinds of new and useful software because it is intangible and cheap to produce. Placing liability on software vendors threatens to dramatically change this landscape. We can expect to see reduced participation, hampered innovation, and skyrocketing costs. We should carefully consider whether perfect security is a goal or an expectation, and educate users on the need for compartmentalization, defense in depth, patching, and best practices in their networks. If we approach the issue in this way, we can improve security overall with minimal risk to the efficiency of the software industry. (Log in to post comments)
Ponies Posted Sep 6, 2007 2:55 UTC (Thu) by ncm (subscriber, #165) [Link] The notion that using free software would lower insurance premiums is not just inconceivable, it's dangerous nonsense. The insurance industry is pathologically averse to offering any sort of discount for safe behavior, and charging extra for unsafe behavior drives away exactly the customers they most depend upon.
Bruce Scheier is often right, but not about this.
Ponies Posted Sep 6, 2007 8:44 UTC (Thu) by nix (subscriber, #2304) [Link] Um, no claims bonuses seem like a `discount for safe behaviour' to me. Aninsurance agency's ideal customer pays on time and never, ever makes a claim: i.e., engages only in safe behaviour.
Ponies Posted Sep 11, 2007 19:53 UTC (Tue) by hazelsct (guest, #3659) [Link] Ridiculous. There are incentives for safe behavior all over the insurance world, from auto (lower rates if you don't drive an accident-prone or high-theft auto) to homeowners (much lower rates in the US midwest than for gulf coast or flood plain residents). If company A doesn't offer them, then company B will steal all of its "safely-behaved" customers by charging them less. I don't know where you got this idea.
That said, there's no guarantee that free software users will pay less, and I agreed that it is somewhat dangerous to assert such a thing at this point. Until insurance companies start collecting evidence and pricing policies, such speculation is out of place.
Re: ponies Posted Sep 6, 2007 3:49 UTC (Thu) by JoeBuck (subscriber, #2330) [Link] ncm, what are you talking about? Insurance companies most certainly do offer discounts for what they consider safe behavior, frequently refusing to insure projects that don't meet their standards. Leading actors often are not permitted to do their own stunts because of the requirements of the insurance companies, and in the US, "good driver discounts" are standard practice. If you're over 50 and want to buy life insurance, you'll be asked to get a medical exam, and the result will affect your rate.
Software liability laws: a dangerous solution Posted Sep 6, 2007 8:57 UTC (Thu) by nim-nim (subscriber, #34454) [Link] This article is the usual FUD about "if software is liable poor basement hackers will be put in jail".
When assigning liability damages judges will just follow the money trail. You paid nothing to foo vendor, you get no damages. You paid foo vendor you get damages (and foo vendor can sue whoever it paid to get the right to distribute bar software)
The truth is liability laws would force support contracts to actually mean something. Right now FLOSS software is discriminated against by customers that feel they get some security by paying big bucks for proprietary software, when in fact they get almost nothing because these contracts have no legal backing.
+10 for automatic liability proportionnal to the pricing of software (or software support). That would:
Software liability laws: a dangerous solution Posted Sep 7, 2007 19:39 UTC (Fri) by jordanb (guest, #45668) [Link] You can, actually, buy legally-binding QOS guarentees from some companies (like IBM) for some software. The market has decided that such agreements are very, very expensive though, and the company will end up wanting pretty much total control over your operating environment.
I wonder if there are any insurance companies who offer software failure insurance. It seems like they'd be better structured to deal with the liability.
Software liability laws: a dangerous solution Posted Sep 7, 2007 20:05 UTC (Fri) by nim-nim (subscriber, #34454) [Link] The point is not you can buy software with actual liability.
The point is today non-IT people buy software expecting some liability if things go wrong. So in practice they get swindled by vendors. Often in a huge way (some vendors write huge bills and customers lap them because they expect corresponding huge liabilities)
And liabilities don't have to be astronomic for vendors to behave. Just high enough they take care of bugs (that editors often put way behind marketing useless gimicks)
Software liability laws: a dangerous solution Posted Sep 8, 2007 1:04 UTC (Sat) by jordanb (guest, #45668) [Link] Yeah you have a good point.
I've actually been thinking it might not be bad for programmers to be licensed like engineers or other professionals. One thing that engineers have that progammers don't is the ability to tell their boss "I won't cut that corner because it's illegal for me to do so." And if you're a contractor you don't have to worry about somebody else low-balling you if you quote the price of doing it correctly, they won't find a programmer who will cut any more corners because it'd be illegal for him to do so as well.
Also we'd have a great buffer against outsourcing. There's a reason why all the American civil engineering (or lawyering, etc) jobs haven't gone to India: few, if any Indian civil engineers, or lawyers, or whatever, have license to practice in the US.
Software liability laws: a dangerous solution Posted Sep 8, 2007 19:13 UTC (Sat) by kevinbsmith (guest, #4778) [Link] At least for now, licensing software developers would be a disaster. The industry is moving so fast that "best practices" from ten years ago are outdated, and from twenty years ago are laughable. Object orientation, XML, Test-Driven Design...who knows what comes next. And who knows which "flavor of the month" will become a best practice, and which will be revealed as unhelpful.
All the proposals I have seen for licensing are based on enterprise-level waterfall-style processes. Almost every job I have had (for 25 years) has been in small, agile projects that would not have benefited from processes appropriate for space shuttles and multinational banking. (Those processes would have killed the projects).
Personally, I have no problem telling my boss "no, I can't do that". I wish more people felt free to do the same, but I don't think licensing is the right way to get there.
I disagree Posted Sep 6, 2007 9:19 UTC (Thu) by morhippo (subscriber, #334) [Link] The article does not differentiate between the code authors and the software vendors.
Of course, if a software vendor sells a piece of medical equipment running linux, he should accountable if the software fails and personal injury incurs. This is regardless of the fact whether the component that failed was open-source or not. The key-word here is "sells". If you make money with open-source, then you should be accountable for its failures and should not be allowed to sneak out of the responsibility. Open-source code is better reviewed than closed source code and the software vendor has the ability perform any additional reviews with the code he may find appropriate.
If, on the other hand, a developer simply donates code (at no cost to the licensees) to an open source project, he should of course not be accountable for any injury that incurs because of the application and use of that code by third parties, unless the damage was caused with wilful intent by the developer (e.g. a back-door). You are less liable for a gift than for a sold good.
Software liability laws: an effective solution Posted Sep 6, 2007 11:17 UTC (Thu) by MathFox (guest, #6104) [Link] I see two issues with this proposal to make "data aggregators" liable and absolve software vendors from primary liability;At first, it doesn't solve the problem of "home computer botnets"; Secondly, what are the chances to get the biggest data aggregator, the government, liable (and more important, convicted)?
Security experts know that Microsoft is the biggest source of security problems. This is partly due to Microsoft's market share and partly due to the fact that Microsoft's security standards lagging those of the general Operating System market. In my opinion Microsoft sells dangerously defective software.
Holding people responsible Posted Sep 6, 2007 12:06 UTC (Thu) by kleptog (subscriber, #1183) [Link] I'm not entirely sure that _someone_ has to be held responsible. Sometimes bad things happen, that's why we have insurance companies.
I think people shouldn't be targeting security breaches themselves, but the effects thereof. If some hacker gets credit card numbers, then that's what should be focussed on. Are the laws relating to insufficient protection of personal details strong enough? Are they being used?
I don't think software liability in and of itself is useful. Look at the effects, not the causes, to determine if there's liability.
Holding people responsible Posted Sep 6, 2007 17:24 UTC (Thu) by smoogen (subscriber, #97) [Link] The insurance companies hold people responsible by setting premium rates, refusing to insure, and setting out rules for what a company must follow to get coverage. They also have a mile-long list of things that they will say they will not pay on to avoid bankruptcy. And finally they will file suit against other 'agencies' via liability loaws to reclaim monetary losses.
The big issue is that the major insurance companies will not get into the business of insuring against software problems until there is liability laws. And there will probably not be liability laws until insurance companies get into the market.
Holding people responsible Posted Sep 8, 2007 2:14 UTC (Sat) by giraffedata (subscriber, #1954) [Link] You could just have stopped at "by setting premium rates." That's what laws like this are about. There's almost always going to be insurance; the question is who buys it. People like to think there's a morally correct person to charge for an accident, but there isn't. People buy insurance (or self-insure) and pass the cost around to others. A good liability law (or better: contract) is one that assigns liability to the party best able to control it. He works with his insurer to achieve the proper balance between cost of safety and risk of damage. But the risk is almost always controllable from multiple angles. The user of software can control the risk by using it behind a firewall, or with proper backups, or with encryption, etc. So maybe he's the best one to buy the insurance.
Software liability laws: a dangerous solution Posted Sep 6, 2007 13:30 UTC (Thu) by NRArnot (subscriber, #3033) [Link] IANAL, but I believe that in English law in order for any type of product liability to arise there has to exist a contract, and in order for a contract to exist there has to be a voluntary exchange of value (usually a payment, although a contract stipulating payment of a "peppercorn" signed by both parties is acceptable).
Free software - no contract - no liability?
Then there's the explicit disclaimer in the GPL license. Note license, not contract. If you do not accept the license you have no legal right to use the product. Can someone who steals a product really hold the victim liable for its deficiencies?
(Of course, there is still all the non-English law to worry about).
International liability Posted Sep 7, 2007 17:06 UTC (Fri) by man_ls (guest, #15091) [Link] In non-English law, liability is usually much more restricted. Just the thought of someone suing a free software developer (without a support contract) is ridiculous, it would be like suing someone from the street for your personal problems. IANAL though.
International liability Posted Sep 8, 2007 2:04 UTC (Sat) by giraffedata (subscriber, #1954) [Link] Just the thought of someone suing a free software developer (without a support contract) is ridiculous You've heard of tort law? Liability for one's negligence -- no contract or transaction required. If you set up a public swimming pool, as a gift, and don't put a fence around it and a child you've never met wanders in and drowns, you're liable for the damage at least some places in the US. That may not be negligent enough to trigger liability in all jurisdictions, but all of them have similar cases that do. I'm not claiming that spreading buggy software reaches that level of negligence; just that it's not as black and white as if you give it away, you aren't responsible for your mistakes.
International liability Posted Sep 8, 2007 11:14 UTC (Sat) by man_ls (guest, #15091) [Link] Ah, OK. In Spanish law, "tort law" is called extracontractual responsibility, and of course it is applied in the sense you explain: if you open a hole in the middle of the street and somebody falls inside, you are responsible for any damages.The Spanish civil code, in its article 1902, says: Whoever causes harm to another by action or omission, with intervening guilt or negligence, is forced to repair the harm done.Which would seem like an open door to problems for free software developers. In practice responsibility is reduced by courts to a specific range of subjects, and "negligence" seems to be interpreted in a rather narrow sense. Just publishing code would not be enough if you have to download and deploy it first. As before, IANAL. This kind of disclaimer for example is usually not necessary here in Spain, and not just to avoid charges of negligence; you would have to actually claim you are a lawyer before anyone starts to even consider it. So maybe it is a cultural thing.
liability for negligently distributing free software Posted Sep 8, 2007 18:40 UTC (Sat) by giraffedata (subscriber, #1954) [Link] In practice responsibility is reduced by courts to a specific range of subjects, and "negligence" seems to be interpreted in a rather narrow sense. Just publishing code would not be enough if you have to download and deploy it first. I don't think there's ever been a case anywhere in the world of someone being held liable for negligently coding and/or distributing software. I base that solely on the fact that I've never seen it reported in LWN. But if you use your imagination, you can probably think of a case fitting that description where the negligence is so outrageous that the distributor should be held accountable, and courts would probably find the law requires it. ...IANAL. This kind of disclaimer for example is usually not necessary here in Spain, I don't think it buys you anything legally in the US either (and I don't think that's why people say it). Besides the fact that no one has the right to assume someone is a lawyer just because he sounds like he knows the law, there's the fact that no one is liable just for giving bad legal advice. One would have to be actually "practicing law," which is a much more specific behavior than giving advice in a public forum.
Software liability laws: a dangerous solution Posted Sep 8, 2007 1:54 UTC (Sat) by giraffedata (subscriber, #1954) [Link] I believe that in English law in order for any type of product liability to arise there has to exist a contract Hence the need for legislation. You're talking about warranty liability, which is the law already. There are a few other ways a person can owe someone for making a bad product. Some would require legislation. Can someone who steals a product really hold the victim liable for its deficiencies? Yes, under the theory of strict liability. I remember a (US) case in which an automobile manufacturer was held liable for a defect that damaged someone who stole the car. (He didn't steal it from the manufacturer, but the result would have been the same). The law holds people who make dangerous things responsible to the public (even evil people) for making them safe.
Software liability laws: a dangerous solution Posted Sep 6, 2007 16:40 UTC (Thu) by kh (subscriber, #19413) [Link] Of course, liability laws might be written to exclude programs given away for free, or they might concern themselves with vendors and leave individual developers out of the picture. I think another option would to be exclude vendors who provide a copy of their source code for their customers to verify and fix for themselves, but to hold liable companies who prevent these actions with proprietary software.
Reasonably secure by default Posted Sep 7, 2007 14:13 UTC (Fri) by Mog (subscriber, #29529) [Link] What I'd like to see is for a normal person (knowing only the basics about using a computer) to be able to buy a normal computer (the HP/Apple/Dell/whatever seen in the ads), bring it back home, plug it in the power and phone sockets and start it without fear of being rooted in the first hour.As the unoficial computer guru for friends and family I know this is not possible today. The standard Windows XP box will be owned in less than five minutes of being plugged on the Internet. I am so tired of cleaning up the mess. I think Dell and HP and Microsoft and others should be held liable of this sorry state of things.
Software liability laws: a dangerous solution Posted Sep 7, 2007 14:38 UTC (Fri) by anchorsystems (subscriber, #40101) [Link] This article is of lower quality than I would expect on LWN. It is very disorganised and does not make a coherent nor intelligent argumenent. The Bruce Schneier article linked dates from 2002. There are many essays of more recent authorship (both from Mr Schneier and others) which make better arguments. A quick search revealed:
Software liability laws: a dangerous solution Posted Sep 8, 2007 2:25 UTC (Sat) by giraffedata (subscriber, #1954) [Link] It's already the law that you can buy software with a warranty and if it's broken and causes you damage, the seller pays for it. It's also the law that you can buy software without a warranty and accept the risk of bugs yourself. The proposal is to remove that second option.That's a valuable option! People usually buy software without a warranty today. Why? Because the seller gives you a much lower price (even zero) if you do, and the buyer thinks he can control the risk himself for less than it would cost for the seller to do it. So if the law removes the option, the buyer will have to pay the higher price to the seller. Who is that good for? I rarely support taking choices away from people. But I might support a disclosure law -- so the seller has to explain how dangerous the software could be if it has a bug in it.
Software liability laws: a dangerous solution Posted Sep 8, 2007 10:53 UTC (Sat) by NAR (subscriber, #1313) [Link] So if the law removes the option, the buyer will have to pay the higher price to the seller. Who is that good for?In Hungary a couple of years ago cars with two stroke engines were effectively outlawed: basically the customer will have to pay a higher price for the four stroked cars. And actually it's good for the rest of us because it's better on the environment. Not selling flawed software to the clueless users is also good for the (virtual) environment, meaning less botnets, less spam, less DoS attacks, etc.
Software liability laws: a dangerous solution Posted Sep 9, 2007 1:47 UTC (Sun) by giraffedata (subscriber, #1954) [Link] Not selling flawed software to the clueless users is also good for the (virtual) environment, meaning less botnets, less spam, less DoS attacks, etc. OK, that's a good point and my argument may have wandered a little from the point. But I think it's still possible that putting the liability on the buyer does the job better. Hungary could have achieved the same thing by outlawing driving of new two-cycle cars, putting the regulation closer to the actual source of the problem. I've thought for a long time that the solution to the spam problem is to make people -- even bot hosts -- pay to send email. This would cause users to demand that their ISPs limit their ability to send mail and to invest in virus control measures. Or software without bugs, if that's how the viruses are getting in.
paying to send email Posted Sep 12, 2007 8:17 UTC (Wed) by copsewood (subscriber, #199) [Link] A good idea, but unfortunately very difficult to see it happen unless the existing email system collapses, assuming that Metcalfe's law holds.Nevertheless, I have written a paper and specified outline protocols for a payment system that might be of interest if the existing email system does collapse (or in connection with other mass applications for micropayments, assuming the preference for flat-rate communications costs becomes outweighed by the general desirability of being able to make larger numbers of smaller payments more flexibly.)
Software liability laws: a dangerous solution Posted Sep 9, 2007 8:11 UTC (Sun) by dlang (✭ supporter ✭, #313) [Link] when was the last time you were able to buy equivalent software with and without a warranty?
and a service contract is not a warranty. if you look at the licensing agreement of just about any software that you buy you will see that the seller disclaims any responsibility and that the software is not guaranteed to do anything at all, let alone what you want it to do. this is useually followed by a clause limiting their liability if the software does something wrong to the purchase price of the software.
consumers do not have a choice today.
Software liability laws: a dangerous solution Posted Sep 9, 2007 17:24 UTC (Sun) by giraffedata (subscriber, #1954) [Link] That (the fact that virtually no software is offered with a warranty) is pretty much my point. It's not offered because no one will buy it. People won't buy it because they believe they can protect themselves from the risk of a bug (or just bear the risk) for less money than it would cost the seller to guarantee there aren't any bugs. I believe the free market does a better job in this way of sorting out the complexities of the risks of operating computers than legislators can.
Software liability laws: a dangerous solution Posted Sep 9, 2007 18:50 UTC (Sun) by dlang (✭ supporter ✭, #313) [Link] you are missing the point.
the free market can't fix the problem if consumers don't have a choice.
people haven't opted to not buy the warranty, the companies have decided not to offer it (and not just for cheap software, take a look at the license for very expensive software, it says the same things)
Software liability laws: a dangerous solution Posted Sep 9, 2007 21:55 UTC (Sun) by giraffedata (subscriber, #1954) [Link] the free market can't fix the problem if consumers don't have a choice. Yes it can; it does it all the time. In the big picture, the consumers have a choice because if they want something (I mean are willing to pay for it), someone will provide it. The market is huge and dynamic. If there's even a chance consumers would choose something and nobody is offering it, there's profit to be made and someone will offer it. I believe the software industry has considered offering warranteed software and consistently determined that consumers would choose the cheap unwarranteed competition instead. I do support government regulation to promote competition, including by reducing barriers to entry into a market. Just not anti-competitive regulation that outlaws certain voluntary transactions.
Software liability laws: a dangerous solution Posted Sep 12, 2007 8:34 UTC (Wed) by copsewood (subscriber, #199) [Link] Legislators should not use legislation to patch a problem wrongly identified based on the unquestioned assumption that consequences of ineffective anti-monopoly legislation will continue to hold.The problem as identified: Consumers don't have an effective choice to buy secure software. The real problem: Metcalfe's law results in software monopolies denying consumers choices that the market might otherwise effectively be able to offer. The right solution: Legislate against software monopolies and apply existing legislation against software monopolies more actively and robustly. The wrong solution: Use software liability laws to offshore all software development to countries that don't have software liabilty laws Making consumers pay more directly for making wrong software purchasing choices (e.g. through increased ISP charges) can only really be considered and advanced when consumers have purchasing choices in the first place.
|
|||||||||||||