Commentary

China Watch

Forum Digests

Columnists

Letters

There is a case for strong software liability

By Bruce Schneier (China Daily)
Updated: 2008-07-18 07:33

A recent study of Internet browsers worldwide discovered that more than half - 52 percent - of Internet Explorer users did not have the current version of the software installed.

For other browsers the numbers were better, but not much: 17 percent of Firefox users, 35 percent of Safari users and 44 percent of Opera users were using an old version.

This is particularly important because browsers are an increasingly common vector for Internet attacks, and old versions of browsers don't have all their security patches up to date. They are open to attack through vulnerabilities the vendors have already fixed.

Security professionals are quick to blame users who don't use the latest update and install every patch. "Keeping up is critical for security," they say, and "if someone doesn't update their system, it's their own fault that they get hacked".

This sounds a lot like blaming the victim: "He should have known not to walk down that deserted street; it's his own fault he was mugged." Of course the victim could have - and quite possibly should have - taken further precautions, but the real blame lies elsewhere.

It's not as if patching is easy. Even in a corporate setting, systems administrators have trouble keeping up with software patches. There could easily be dozens per week across all operating systems and applications, and far too often they break things.

Microsoft's Automatic Update feature has automated the process, but that's the exception. Patching is triage, and administrators prioritize it along with everything else they do.

It's the system that's broken. There's no other industry where shoddy products are sold to a public that expects regular problems, and where consumers are the ones who have to learn how to fix them.

If an automobile manufacturer has a problem with a car and issues a recall notice, it's a rare occurrence and a big deal - and you can take your car in and get it fixed for free.

Computers are the only mass-market consumer item that pushes this burden on to consumers, requiring them to have a high level of technical sophistication just to survive.

It doesn't have to be this way. It is possible to write quality software. It is possible to sell software products that work properly and don't need to be constantly patched. The problem is that it's expensive and time-consuming. Software vendors won't do it, of course, because the marketplace won't reward it.

The key to fixing this is software liabilities. Computers are also the only mass-market consumer item where the vendors accept no liability for faults. The reason automobiles are so well designed is that manufacturers face liabilities if they screw up.

A lack of software liability is in effect a vast government subsidy of the computer industry. It allows them to produce more products faster, with less concern about safety, security and quality.

Last summer, a British parliamentary science and technology committee issued a report on personal Internet security. I was invited to give testimony for that report, and one of my recommendations was that software vendors be held liable when they are at fault.

Their final report included that recommendation. The government rejected the recommendations last autumn, but this month a report on a follow-up inquiry was issued - which still recommends software liabilities.

I'm not implying that liabilities are easy, or that all the liability for security vulnerabilities should fall on the vendor. But the courts are good at partial liability.

Any automobile liability suit has many potential responsible parties: the car, the driver, the road, the weather, possibly another driver and another car and so on.

Similarly, a computer failure has several parties who may be partially responsible: the software vendor, the computer vendor, the network vendor, the user, possibly a hacker and so on.

But we're never going to get there until we start. Software liability is the market force that will give companies the incentive to improve their software quality - and everyone's security.

The author is a security technologist and author: schneier.com/blog

(China Daily 07/18/2008 page9)