Establishing product liability a smart way to confront IT security problems

Published 13 October 2006

IT companies use shrink-wrap agreements to avoid responsibility, but costs are transferred to consumers with no guaranteed increase in security; shifting liability to software companies may push some out of the market, but some say that will all be for the best

Not a day goes by, it seems, without a clever hacker exposing yet another security flaw in a popular software product. Yes, the company will typically offer a patch, and if it is dilatory another group will oblige, but all too often the damage has already been done. Billions of dollars are lost every year from data theft and the productivity losses associated with computer downtime, and much of it can be traced to insecure software.

Bruce Schneier, an expert in IT security and cryptography, believes that government can play a role in ending these problems by establishing liability for software companies. “If you don’t [enforce vendor liability] the problem will never be fixed, but if you do the technologies will come out of the woodwork to fix the problem because there will be money to be made from it,” Schneier argued recently at the Information Security Solutions Europe (ISSE) conference in Rome. Such a scheme would have drawbacks, he acknowledged, including much longer product development periods and a retreat from the market by smaller companies unable to manage the risk, “but at least security improves while we are waiting.”

Nowadays, software vendors are protected by the boilerplate language of their End User License Agreements (EULAs) or “shrink-wrap” licenses, which require customers, as a condition of use, to waive their rights to sue over defective software. Courts have repeatedly upheld such provisions, but their unusual structure has long caused consternation among security experts and legal scholars. “The EULA is the slickest ‘Get out of jail free card’ I can think of in recent years,” said Richard Forno, an author and security consultant.

One halfway measure, Forno and others say, would be to require full disclosure of known product defects. As it stands now, customers have to decide whether to accept the risk of a software failure without any useful information. Treating software like an investment product just might force companies to do a little more work ahead of time without exposing them to unbearable liability risk. Indeed, they might just become more like other companies. Would that really be so bad?

Read more in Phil Muncaster’s IT Week report; see also this CNET News report.