Six Lines

Liability and Software Security

Posted by Aaron Massey on 03 Jul 2011.

Tim Lee has a great article up on Ars Technica about liability and software security:

If your code gets hacked, are you the one on the hook? In the early decades of the software industry, the answer was usually “no.” Software licenses routinely disclaimed liability, and until recently, security flaws were considered to be just another fact of life. When problems were discovered, companies were expected to fix them quickly, but they were rarely on the hook for the resulting damage.

That’s changing rapidly. Recently, Sony faced a class action lawsuit for losing the private information of millions of users. And this week, it was reported that Dropbox is already being sued for a recent security breach of its own.

Read the whole thing; it’s not long.

I do want to pick a nit with part of the interview with Professor Alex Halderman of the University of Michigan:

Ars asked Alex Halderman, a computer science professor at the University of Michigan, to help us evaluate these options. He argued that consumer choice by itself is unlikely to produce secure software. Most consumers aren’t equipped to tell whether a company’s security claims are “snake oil or actually have some meat behind them.” Security problems therefore tend not to become evident until it’s too late.

I don’t disagree with the conclusion, but I do disagree with the rationale. (Yeah, I’m really picking a nit here…) It’s true that most consumers aren’t equipped to tell whether a company’s security claims are snake oil or not, but that doesn’t necessarily mean that a consumer choice approach is doomed to fail. The fact of the matter is that most consumers aren’t equipped to differentiate a high quality product from a low quality one in any field. The difference is that for most products we can effectively rely on the few consumers who are able to make that differentiation. I don’t know a thing about the best window treatment for a house, but with just a little digging I can find some reliably good advice one way or the other about a given product. Unfortunately, security is one of those products for which even experts are unable to provide reliable advice. It’s just inherently challenging to evaluate the security of a product. (Halderman talks about this later in the interview.)

If you’re interested in more information on these topics, I recommend Bruce Schneier’s extensive writings about both the challenge of evaluating security and the value of liability as a motivator for companies providing products that should be secured. Liability is one of the first things he mentions in his book Secrets and Lies: Digital Security in a Networked World. Perhaps the best summary of his views for the uninitiated is his recent TED talk.