Linux guru argues against security liability
Alan Cox, one of the leading Linux kernel developers, has told a House of Lords hearing that neither open- nor closed-source developers should be liable for the security of the code they write.
Cox, who is permanently employed at Red Hat, told the Lords Science and Technology Committee inquiry into personal internet security that both open- and closed-source software developers, including Microsoft, have an ethical duty to make their code as secure as possible. "Microsoft people have a moral duty in making sure their operating system is fit-for-purpose," Cox said on Wednesday.
He added that it was generally accepted that no-one knows how to build a perfectly secure operating system, but that this was a research problem that someone would solve eventually, and make a lot of money in the process.
Cox said that closed-source companies could not be held liable for their code because of the effect this would have on third-party vendor relationships: "[Code] should not be the [legal] responsibility of software vendors, because this would lead to a combatorial explosion with third-party vendors. When you add third-party applications, the software interaction becomes complex. Rational behaviour for software vendors would be to forbid the installation of any third-party software." This would not be feasible, as forbidding the installation of third-party software would contravene anti-competition legislation, he noted.
Cox said that it would be difficult to make open-source developers liable for their code because of the nature of open-source software development. As developers share code around the community, responsibility is collective. "Potentially there's no way to enforce liability," he said.
The question of open-source liability becomes more complex because of how the code is used, added Cox. Open-source code is generally given away, but companies use that code to develop their own products. Cox said that there was a question of how liability would move from the initial developers to the companies.
Microsoft's national technology officer, Jerry Fishenden, who spoke at the hearing, said the responsibility for security breaches should rest firmly with those perpetrating the breaches. "We're making software as secure as we possibly can. People don't look at window-lock makers for the responsibility for burglary — the responsibility tends to rest with perpetrators," said Fishenden.
Adam Laurie, an open-source developer and security researcher, told the Lords that software manufacturers had a duty to the public to make it easy to secure computers, but he added that there is always a trade-off between usability and security. Developers should be liable for code they claim is secure even when it has been proven that it is not, he said.
The Lords inquiry will present its findings in the summer.