Suing software developers over vulnerabilities is a bad move

Should vendors be responsible for the harm that vulnerabilities in their software cause?

No matter how much money we lose because hackers are able to exploit vulnerabilities in software, it's probably not worth using a legal stick on software companies to force them to write better code.

TechRepublic wrote an article quoting an academic from the University of Cambridge, Dr Richard Clayton, who thinks that software developers should be liable for any software vulnerabilities that lead to customers getting hacked and losing money.

For instance, if that were the case, and Google Chrome had a vulnerability that a hacker used to steal a Chrome user's bank account details, then that user could sue Google for the loss.

Fascinated by the idea, I had a chat with Minter Ellison technology practice partner Paul Kallenbach, wondering whether it is likely that something similar could ever happen down under.

Companies are protected against such action here and elsewhere by end-user licence agreements, he said. These agreements limit payments for direct losses and generally exclude payments for indirect losses, the category into which the Chrome hacking example would fall.

For example, the Apple iTunes end-user licence agreement says that "in no event shall application provider be liable for ... any incidental, special, indirect or consequential damages whatsoever, including, without limitation, damages for loss of profits, loss of data, business interruption or any other commercial damages for losses ... even if the application provider has been advised of the possibility of such damages".

Clayton is arguing for regulations that remove the developer's right to waive responsibility in this way. And he's not the only one. A House of Lords committee recommended the implementation of a similar measure in 2007, and European commissioners pushed for the requirement in 2009.

Yet, Kallenbach doesn't think that this way of dealing with things in Australia, or indeed anywhere else, will change. He said that if legislation were to force liability onto software companies, they would have to reconsider their line of business.

"The risk of developing software may be so great ... that no one will develop software," he said.

Certainly, no one would be able to offer software such as browsers for free, he believes. The open-source community would be on shaky ground too, although in the case of open source, he said, as soon as someone modifies your software you could make the case that it's not your software anymore.

Clayton said that developers should be held accountable when "avoidable" holes in the software are exploited and result in loss of money.

However, Kallenbach thinks it would be difficult to define "avoidable". "Software by its nature is complicated; the flaws usually arise from those complexities," he said.

There could be a case if a company released software with a known flaw, he said. Yet, while it's not possible in some European countries for companies to exclude themselves contractually from liability for gross negligence in end-user agreements, it is possible in Australia, according to Kallenbach.

Kallenbach said that whoever attempts to legislatively make companies liable for vulnerabilities in their software would have to be ready to make a brave move.

Now that I've spoken with him, I agree. I don't think it would be a good idea to make companies compensate users for their losses in this case, especially since a lot of the financial damage caused by malware is in some part, at least, caused by end-user stupidity.