Should software vendors be liable for vulnerabilities in the products they sell? Are they already liable to some degree, or would new legislation be required in order to make it so? These are interesting questions, sure to provoke strong opinions on both sides of the fence.
In almost every case, when you buy a software product, a close inspection of the end-user licence agreement (EULA) will reveal a host of exculpatory clauses, exonerating the vendor of responsibility for any kind of direct, indirect, consequential (and just about every other applicable adjective) damages “whatsoever” that may arise from the installation or use of - or inability to use - the software product. But is this reasonable, or indeed fair?
Software products are not tangible assets, and as such escape much of the legislation that applies to the sale of goods and their fitness for purpose. Yet the majority of successful compromises of systems and enterprises arise from the exploitation of a vulnerability or flaw in an application or operating system, and these often result in direct financial loss.
At first glance, the case for enforcing some kind of liability on vendors seems obvious. Make vendors legally responsible for the quality of their products and you increase their focus on writing secure code, lower the number of vulnerabilities in published products and create an ecosystem in which vendors routinely produce more robust software. The idea is not new, but what might some of the consequences be? And perhaps adequate cover already exists?
The first and most obvious point is that it may well increase the cost of developing software. Since invulnerable code cannot be written, vendors would be obliged to take out unlimited liability insurance against the inevitable stream of lawsuits, with the cost passed on to the consumer.
Customers, for their part, might be tempted to skimp on even the most basic security practices, passing the buck to the software vendor when a breach occurs. And a vendor that charges nothing for its software has no revenue from which to fund such cover at all, so this could effectively be the death knell for free software.
A second, unintended consequence could be equally costly for the consumer. What happens when the vendor releases an updated product addressing identified flaws with an earlier version? Would cover cease for earlier versions, obliging consumers to commit to expensive and perhaps unnecessary upgrades to continue to benefit from their newfound legal protection?
We also need to consider this from the channel perspective. How will a reseller manage to upgrade all its customers when it is on the hook for support? Will support become too much of a cost for resellers or distributors to bear? Will that mean the channel seeks other avenues for revenue, including retaining higher margins at the expense of the end customer?
Where do we truly stand right now; is new legislation required or even worthwhile? In the traditional last refuge of the scoundrel, I must add that I am not a lawyer - so I will defer to the opinion of a colleague who is.
My learned friend said: “If a software vendor negligently exposes its software to vulnerabilities, in particular because of defects in the software or non-compliance with best practices, under current law it can be held liable for all consequences arising therefrom. Exculpatory clauses in EULAs can limit liability but the validity of such clauses has to be examined on a case-by-case basis.”
Bear this in mind though: the vast majority of breaches result from the exploitation of vulnerabilities for which the vendor has already released a patch. Even with physical goods - such as a car - the vendor is not required to seek out and repair a (potentially life-endangering) fault in every vehicle on the road; it need only issue a recall and make the necessary changes to the vehicles that are brought in. Is software really so different? And if you do not respond to the recall notice, or do not install the patch, where do you think the liability will lie in those cases?
Rik Ferguson is solutions architect at Trend Micro