Suing software developers over vulnerabilities is a bad move

Summary: Should vendors be responsible for the harm that vulnerabilities in their software cause?

TOPICS: Software, Legal, Security

No matter how much money we lose because hackers are able to exploit vulnerabilities in software, it's probably not worth using a legal stick on software companies to force them to write better code.

TechRepublic wrote an article quoting an academic from the University of Cambridge, Dr Richard Clayton, who thinks that software developers should be liable for any software vulnerabilities that lead to customers getting hacked and losing money.

For instance, if that were the case, and Google Chrome had a vulnerability that a hacker used to steal a Chrome user's bank account details, then that user could sue Google for the loss.

Fascinated by the idea, I had a chat with Minter Ellison technology practice partner Paul Kallenbach, wondering whether it is likely that something similar could ever happen down under.

Companies are protected against such action here and elsewhere by end-user licence agreements, he said, which cap payments for direct losses and generally exclude payments for indirect losses altogether; the Chrome hacking example would fall into the latter category.

For example, the Apple iTunes end-user licence agreement says that "in no event shall application provider be liable for ... any incidental, special, indirect or consequential damages whatsoever, including, without limitation, damages for loss of profits, loss of data, business interruption or any other commercial damages for losses ... even if the application provider has been advised of the possibility of such damages".

Clayton is arguing for regulations that remove the developer's right to waive responsibility in this way. And he's not the only one. A House of Lords committee recommended the implementation of a similar measure in 2007, and European commissioners pushed for the requirement in 2009.

Yet, Kallenbach doesn't think that this way of dealing with things in Australia, or indeed anywhere else, will change. He said that if legislation were to force liability onto software companies, they would have to reconsider their line of business.

"The risk of developing software may be so great ... that no one will develop software," he said.

Certainly, no one would be able to offer software such as browsers for free, he believes. The open-source community would be on shaky ground, although in the case of open source, he said that as soon as someone modifies your software, you could make the case that it's not your software anymore.

Clayton said that developers should be held accountable when "avoidable" holes in the software are exploited and result in loss of money.

However, Kallenbach thinks it would be difficult to define "avoidable". "Software by its nature is complicated; the flaws usually arise from those complexities," he said.

There could be a case if a company released software with a known flaw, he said. Yet, while it's not possible in some European countries for companies to exclude themselves contractually from liability for gross negligence in end-user agreements, it is possible in Australia, according to Kallenbach.

Kallenbach said that whoever attempts to legislatively make companies liable for vulnerabilities in their software would have to be ready to make a brave move.

Now that I've spoken with him, I agree. I don't think it would be a good idea to make companies compensate users for their losses in this case, especially since a lot of the financial damage caused by malware is in some part, at least, caused by end-user stupidity.

Suzanne Tindal

About Suzanne Tindal

Suzanne Tindal cut her teeth as the site's telecommunications reporter, a role that saw her break some of the biggest stories associated with the National Broadband Network process. She then turned her attention to all matters in government and corporate ICT circles. Now she's taking on the whole gamut as news editor for the site.

  • ridiculous...

    I wouldn't expect anyone to be for suing software developers over stuff like this if they had a clue how complex making software can be. If they can prove the developer knew there might be an issue, or even knew of an issue and didn't fix it... well maybe... but not just because they didn't figure it out. Opening up lawsuits like this would just kill the computer industry overall... and eventually no one would have apps... programs would be tested for like 10 years before release. It's like people think they really want to be running Win7 and Office 2012 for the next 40 years...
  • Tested for 10 years

    Sounds good to me.

    I would rather have reliable software than the latest fashion in software.

    The pace of innovation in software is slow. There is very little need to have a new version every two years or so.
    • Hallelujah

      Unless you are a Pastor at your church, you have missed your calling because you seem to believe that if you only give human beings ten years, they will reach perfection.

      But of course they don't. Windows XP is more than ten years old. I don't know how long the outstanding bug list is, but I'm sure it runs to the hundreds of bugs. All big software packages are like that... Oracle, SAP, DB2, HP/UX, all of 'em. These systems are at a level of complexity that no human can comprehend in its entirety. Fix this bug, and another bug pops up over there. Forever.

      Maybe 'Notepad' can be made bug-free. But that's about it. You'll just have to accept the fact that humans are imperfect.
      Robert Hahn
  • EULA

    Isn't there something in the license agreement that covers this? Something about the developers not being liable for any damage caused by the program?
  • What if someone breaks into my house and steal?

    Does it mean I can sue the contractor or engineer who build my house?
  • Cons overcome the pros

    There just are too many cons associated with making the developers liable for security-related losses for the end-user. Although I believe the suggestion is in good faith and I certainly would get mad if I found out my bank service has a security vulnerability, there is just too much ambiguity in the suggestion.

    Who to blame? The first-party service or the 3rd-party authentication service or the vendor that's supplying the library that the 3rd-party uses? What is the cost, is it calculated based on the "stupidness" of the vulnerability or the risk of the vulnerability or the amount of people vulnerable or the potential losses involved? Did the end-user do something "silly" like clicking a link and getting session hijacked, and would that constitute a security breach or a bad move by the end-user?
    Hundreds of situations must be accounted for and formalised.

    Not to mention the insecurity and overall costs in correlation with developing software; innovation will be affected, features will be rejected due to the potential security vulnerability based on ambiguous laws, company risks would skyrocket.

    At the end of the day both customers will be affected and unhappy, but the punchline is that hackers will still exist and they will still breach software no matter how many measures are applied to software development.

    Yeah I'd say it's a bad move.
  • Suing software developers over vulnerabilities is a bad move

    Software reliability is hard to achieve. Unlike hardware, which once imprinted in silicon is impossible to hack/change, software is susceptible to corruption either maliciously or by chance (EMF, erratic h/w, etc.). Requiring software developers to deliver product with no vulnerabilities is next to impossible and will cost tons of money upfront, and will slow down software development if not halt it altogether. The current system works, albeit leaving consumers in a disadvantaged position. And like all human inventions, refinement comes with age and usage...
  • Why stop at software developers?

    IANAL, but here is my take.

    Why not sue your lawyer for losing your case? Just as software developers have adversaries attempting to break their code (i.e. hackers), lawyers have adversaries trying to break their case. A software developer who can anticipate every possible attack and come up with a counter measure beforehand can achieve the level of perfection necessary to stop any hacker in his tracks. By the same token, a lawyer who can anticipate every possible argument of his opponent and come up with a water-tight counter argument beforehand can achieve the level of perfection necessary to win any case.

    Of course, the idea is absurd. When you have a battle, each side will win some and lose some. Expecting a software developer to cough up because someone found an exploit is like suing your lawyer because the other lawyer won the case, suing the architect who designed your house because the truck that ran into your loungeroom broke down the wall, or suing your doctor because he couldn't cure your cancer. If we go down this path, we will just end up with no software developers, lawyers, architects, or doctors.

    Yes, there are always issues of negligence. If a software developer, lawyer, or architect is totally reckless, I understand you can sue, but the definition of negligence should be fairly high.
  • Why not sue?

    If the losses can be tied to some manner of negligence on the part of the developer (such as leaving a potentially dangerous security hole open for a certain amount of time), then an example should be made.

    For virtually every other product or service, there are legal guarantees that it will work properly upon sale. Even if, arguendo, it's different because you're buying a license to use the product, rather than the product itself, wouldn't a bug that affects the ability of the software to work properly (or at all) imply that the license was sold under false pretenses? Even if I'm buying a car from some sleazy, small toupee and plaid jacket wearing used car salesman, I can still sue him if the car doesn't work. Why should it be any different with software?
    Third of Five
  • It ends up being a tax on everybody

    As long as you're willing to pay the Lawyer Tax, there's probably nothing wrong with it. It's estimated that the cost of covering lawsuits adds about $500 to the price of every car. The argument you made works every bit as well on cars: if they are defective you should be able to sue. But whether you sue or not, you're going to pay the $500 because enough people are suing that they have to cover the expense.

    If you intend to cover consequential damages, there's no reason to believe that those could be any less from a $35 software package than they are from a $40,000 car. So the Lawyer Tax on $35 software packages could be $500 as well. This is an area where you need to be careful what you wish for.
    Robert Hahn
    • depends on the consequences

      In the case of a car, the defects that the companies are sued about can possibly be dangerous. As more stuff gets tied to software, there is a chance that something going wrong in the software could have dire consequences for people. Obviously, whether instructions are followed will be relevant here (lest someone sue for a blackout from running iTunes on a power plant computer).
      Third of Five
  • Split decision...

    I should be up front and say that I've made the leap from the development side of this question to risk management. I know full well that software development is hard.  Software is complex. Often individual developers are challenged with a variety of conflicting requirements. It is easy for errors to creep in, sometimes years later as a result of some other change. Yes indeed software is special. It is so special and error prone and we rely on it so much that standard EULAs routinely say that the producer is not liable if something goes wrong. 

    I'd like to suggest that we should rethink the idea that a software producer should have that kind of blanket shield. There is well-established precedent for this change. Thoughtfully implemented, this would not result in some nightmarish situation in which software developers would be left with no protections.

    Lets take a quick example. Most of us drive.  I suspect that we all know that there are risks associated with driving. Some are annoying more than consequential - arriving late due to traffic congestion.  But some are life threatening. Driving on an interstate (which are designed to be generally safer than other roads) and having a tire fail due to something on the road leading to a fatal crash. This is tragic but part of the risks we routinely accept and it is not likely that some would or could successfully hold the auto manufacturer responsible for the death. I suspect that a significant majority would agree with that. But what if the death was due in large part to the failure of the seatbelts and airbags in the car and that the manufacturer had not properly engineered or tested those product features. Not allowing a lawsuit in such a case would be terrible public policy. We expect producers and many service providers to not act recklessly. 

    Software must be held to the same standard. I am not talking about people suing Apple because the Genius recommendations on their iOS device stop working or Microsoft because the copy paste functions don't work from time to time. I get that software is complex and special and there are some odd bugs that show up long after a product is carefully developed and tested. In those cases, if the bug is significant, the producer should fix it (just like we expect auto manufacturers to correct a design defect that results in the car catching fire while it is being driven up hill on cold days). Lots of products and services are complex - that is not a good enough reason to demand protection against reasonable litigation.

    We expect professional engineering and testing in products and we should expect no less in software. If you are developing a software application for e-commerce and you sell it (or if it is internally developed, deploy it) with SQL injection vulnerabilities and people lose money as a result of your recklessness or incompetence, then the organization did not have adequate processes or controls and should be liable for the damages caused by their product. I have had to work with a software vendor that believed that they should not have to correct cross-site scripting vulnerabilities in their product because they thought that the organizations that made browsers should solve the problem instead. There are top-notch, well-run, profitable organizations that produce sound software and there are organizations that are just about clueless when it comes to producing reliable software. Let's not shield incompetence because software is complex.

    There are indeed users who are careless and reckless but that is no different than in other sectors. Reckless users should not be able to successfully litigate. Other sectors have already dealt with these kinds of issues - software can too. 
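The article's sticking point is what counts as an "avoidable" hole. As an added illustration (not part of the article or of any comment above), here is the SQL injection case the previous comment cites, with the reckless form beside the corrected one. The table, rows, and attack payload are constructed for the example; the only thing that changes between the two functions is whether untrusted input is spliced into the SQL text or bound as a parameter.

```python
import sqlite3

# Constructed in-memory sample data for the example (not from the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 42.0), (2, "bob", 99.5), (3, "carol", 7.25)],
    )
    return conn


def orders_for_vulnerable(conn, customer):
    # The "avoidable" hole: the caller-supplied value becomes part of the
    # SQL statement itself, so a quote in the input rewrites the query.
    sql = "SELECT id FROM orders WHERE customer = '%s' ORDER BY id" % customer
    return [row[0] for row in conn.execute(sql)]


def orders_for_safe(conn, customer):
    # Parameterized query: the driver binds the value separately from the
    # statement text, so the input can never alter the query's structure.
    sql = "SELECT id FROM orders WHERE customer = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (customer,))]


# Classic tautology payload (constructed): closes the string literal and
# appends a condition that is true for every row.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run both forms against a normal value and the payload."""
    conn = make_db()
    return {
        "vulnerable_normal": orders_for_vulnerable(conn, "alice"),
        "vulnerable_attack": orders_for_vulnerable(conn, PAYLOAD),
        "safe_normal": orders_for_safe(conn, "alice"),
        "safe_attack": orders_for_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With a benign customer name both functions return the same single order. With the payload, the concatenated version returns every customer's order IDs, while the parameterized version matches nothing because the whole string, quotes included, is compared literally against the `customer` column. Parameter binding has been available in every mainstream database driver for years, which is why this class of flaw is the usual example of a defect that a competent process would have prevented.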
  • Vulnerability Management

    We agree with your conclusion, companies should ensure that applications are not malware vulnerable, but they shouldn’t compensate users for their losses caused by negligence. In order to ensure vulnerability management, we use three approaches that work well both separately, and together: DREAD, Data Asset Classification, and Criticality Definitions. We invite you to read further on this topic in the following article:
  • This is SOCIALISM

    If the developer is not competent enough to protect the information of their customers, they should be left to die. Yes, software is complex, but there's always room to improve it. It will never improve if the developers have the legal upper-hand.

    It's EXACTLY like how the government decided to bail out the banks... now, fiscally, the country is just going to stagnate. You people are completely delusional.
    Alexander Jakubowski