Liability for Software Vulnerabilities

20 Oct ’05

Bruce Schneier writes today on the issue of liability for software vulnerabilities, which has been attracting attention recently, particularly since Howard Schmidt, former White House cybersecurity advisor, commented at Secure London 2005 that individual coders should be held accountable for flaws in their code.

Schmidt’s comment was an oddity in an otherwise sane debate about the right boundaries for responsibility – individual coders should not be civilly liable any more than any other employee of any other business is for any mistake made – and Schneier puts the discussion back where it belongs (I posted on the issue in another context some time ago).

But on the larger point, I don’t agree that there ought generally to be liability on software manufacturers. I think focussing attention on security (as an example of a vulnerability for which liability might be an issue) is a good thing – transparency is critical to effective functioning of the market – but at least in the non-consumer area, vendors and purchasers can decide for themselves what the appropriate level of risk allocation is between themselves. Purchasers of insecure software who then turn around and deploy it will in turn negotiate appropriate risk allocation with their own customers, and so on. Insecure software will in time wither on the vine. In non-negotiated markets – shrinkwrap software sold to consumers, for example – the analysis is admittedly different. But in any case, my sense is that imposing civil liability on manufacturers will be as effective a chill on innovation as anything one could imagine. No more alphas and betas, presumably (indeed, why not just rename them “bet the company release”); certainly nothing released until extensive stress testing has been completed.

My sense is that getting it now is still a more important value to us than getting it right.

None of this matters, of course. Tort law will inevitably develop in this area as the externalities that Schneier speaks of become more pervasive, and the liability that he advocates may well become commonplace.

The analogy that is often used is liability on car manufacturers (see here, for example), but I’m not sure that’s appropriate. Nothing else we’ve known as a society so far holds the potential for such radical transformation of the way we live and work. Never before has innovation been so vital, both in terms of importance and vigour. And with innovation and complexity come risk – unavoidably.
