Saturday, January 20, 2007

Schneier Revisits Vendor Liability as The Cure to Bad Software

Bruce Schneier, long a favorite of many of us, has posted an essay on his blog that revisits his long-standing position that one reason software continues to be so bad is that vendors continue to get away with walking away from responsibility for their actions. This time, he puts it in terms we may remember from freshman economics:
[W]hat the vendors do not look at is the total costs of insecure software; they only look at what insecure software costs them. And because of that, they miss a lot of the costs: all the money we, the software product buyers, are spending on security. In economics, this is known as an externality: the cost of a decision that is borne by people other than those taking the decision.

I was reminded yet again today of those externalities when I opened my (snail) mail to news from my bank that my debit card was about to be replaced (again, for the second time in a year!) because the cardholder association had alerted the bank that an un-named retailer had been hacked and our card was one of the victims. "Oh, and by the way, be sure to look carefully to see if your card has any unusual charges on it."

Not only is the software vendor who put out junk that was so easily hackable going to get out of paying me for my own costs and added risks, but the retailer who chose to buy that junk is probably going to suffer little but a slap on the hand from the cardholder association. Our bank points out that it will not be informed which retailer managed to blow it this time because of confidentiality rules imposed by the cardholder association. My wife pointed out that if she knew which store had blown it this time she would be sure to take her business elsewhere -- Hit 'em where it hurts.


William R. Denny said...

This is precisely the subject of our CAIT project relating to cybersecurity. How timely!

Anonymous said...

Take a look at the comments to Schneier's blog entry. There are some very powerful arguments against liability too, including its effect on smaller developers, where the innovation comes from, and on open-source and other collaborative software.

John G

Michael Fleming said...

Fair enough -- I'll let y'all look for the one I posted to that same comment string wherein I go after some of those arguments in favor of the non-liable world...

(Remember a couple of things -- The externalities that Bruce raises don't just impact the buyer, they impact pretty much society at large. This is the sort of moment when regulation does step in, since the market's response, if there ever would be one, will be too slow to stop material damage to those of us who are living in the here and now. Remember that even those examples of liable manufacturers we see today were preceded by long times where they got away with no liability until some authority stepped in. Remember, e.g., MacPherson v. Buick, from 1916, where the car company lost its long-standing 'no privity--no liability' argument regarding damages for personal injuries where their car was the cause. There are times when the voice of reason is justified to step in and sweep the invisible hand of the market aside.)

Michael Fleming said...

Oh -- And I think the open source arguments are a red herring. Those who use open source are already well aware of the risks (or rightfully should be), and if you get something for free it's fair to say you get what you pay for.

More relevant point about open source: It's possible that there is a mfr who might choose to adopt a piece of open source as his product and sell it (for money) -- I would find that mfr to be responsible for his choices (and therefore liable for what goes wrong).

I actually don't see the distinction being free versus paid, but rather 'picked it up off the street' versus 'received it from somebody who purports to be acting in a role in which I should trust him'. I guess if I found a developer who puts in his 'no liability' clause and who also puts a huge-lettered statement on the front of his box that says something like "You're on your own, suckers! Don't trust me to tell you if this is any good! And, by the way, you can't see the source code to decide if I'm really telling you the truth!" -- That guy I'd probably be more willing to let sell his stuff with a disclaimer. ;-)