Making Software Vendors Pay for Negligence

The U.K. House of Lords is considering transferring the costs of insecurity away from consumers

September 5, 2007 — The Chevrolet Corvair was recalled after consumer advocates claimed that it was unsafe at any speed; there was a clear commercial incentive for General Motors to manufacture safe products. But what incentive does the software industry have to produce secure software? The upper house of the British Parliament may not have much power, but it has the software business in its sights.

The Science and Technology Committee of the House of Lords published a report in August on personal Internet security, which concludes that it is all too easy for vendors to “dump risks” onto consumers through licensing agreements to avoid paying the costs of insecurity.

The report stated that efforts to promote best practices have been hampered by a lack of commercial incentives to make products secure. The committee’s solution is to propose transferring the cost of insecurity onto demonstrably negligent hardware and software manufacturers, with the long-term goal of establishing a framework for vendor liability across Europe.

The report makes detailed recommendations about the form of the proposed law. It also details short-term goals such as enacting data breach notification laws, providing guidance to the courts, researching IT security, and suggesting best practices for the software industry.

Graham Titterington, a principal analyst at Ovum specializing in IT security and business continuity, believes that the committee’s proposals are impractical. “The complexity of all of the issues is too great to legislate in a universal fashion. In the event that defects are known and reported and not fixed in a reasonable manner, there are areas where negligence would be appropriate. Automatic liability for all errors is not realistic.”

Titterington added that the industry simply does not have the knowledge and technology to produce totally secure software. Indeterminate factors such as whether the consumer has taken steps to mitigate vulnerabilities, the extent to which the software is being used, and the class and value of the software are the gray area of the law.

“This proposal could open a can of worms of litigation,” added Ovum senior analyst Bola Rotibi.

The Lords committee’s technical expert, Richard Clayton, a professor at the University of Cambridge, believes that the committee members understand that it will take some time to sort out the ramifications—noting that the current penal system evolved over time. But, on balance, they have concluded that permitting software vendors to disclaim liability is not a viable situation going forward, he said.

Clayton noted that courts must decide who is at fault every time a motorcar goes off the road, whether it is the driver, people that design the car or road, or the person that made the tires.

“These are difficult questions, but things we are used to sorting out through litigation,” said Clayton. “It is the sort of thing our society can cope with. Software developers are not used to coping because they can say, ‘We disclaim liability.’ The upside is [a market incentive to create] much more reliable software that can be trusted. It outweighs the short- and medium-term confusion.”

The Open Source Conundrum
Open source software is of particular interest: In a consensus-based community, there may be tremendous confusion about who is responsible for any negligence. Clayton believes that it would be difficult to ascertain who produced it, and wondered whether assigning liability will produce a bias against free software.

Assigning blame will be tricky but not impossible, said Clayton. “If you go to a church picnic for free food and get sick, you won’t be surprised if you can sue somebody. The expectation is that the church is not going to poison you.”

Clayton quipped that the software industry’s license agreements could easily be compared to musical theater, where the small print on tickets does not guarantee that a particular actor will perform. However, he predicted that the end result—after the case law settles down and penal code is established—would be that the software industry is just the same as any other industry.

Ovum’s Rotibi agreed that some of the onus has to be on the software vendors, in terms of how they implement the security of applications and networks. She added that the industry could do a lot more than it has done in the past in terms of helping consumer safety and security: “Maybe this is what is needed to shake the industry up.”

