By Roger Grimes, Columnist

Vendors should not be liable for their security flaws

Analysis | Jul 24, 2012 | 5 mins
Application Security, Data and Information Security, Risk Management

Few tech vendors or content producers do everything they can to eliminate security flaws, but changing the rules isn't the answer

I was talking to a coworker about how so many businesses — as exemplified by big banks and other financial firms — seem to commit fraud and other criminal activity with impunity. A few end up paying hundreds of millions to billions of dollars in fines, but almost no one ever goes to jail.

My friend thinks the problem stems from the limited legal liability given to corporations, their officers, and stockholders. He believes the solution lies with changing stockholder responsibility.

[ Also on InfoWorld: Paul Venezia makes a case for why those guilty of bad code must pay. ]

When a company incorporates, stockholders’ potential damages are limited to the value of their stock. Once the stock has gone to $0, all potential liability is over. My friend thought that the limited liability protection ought to be removed so that injured parties could sue stockholders for far more than just the value of the stock. He felt that stockholders, under threat of losing personal assets beyond their stock investment, would be incentivized to only invest in “safe” companies, and businesses would strive to be more honest and more secure overall.

It sounds like an intriguing idea, except for one obvious result: Who would invest in unlimited liability corporations? You’d end up with fewer corporations, fewer jobs, and less innovation.

Obviously, the system we have now needs correction, but you don’t need to do away with the idea of traditional corporations altogether. In fact, I would argue that, warts and all, we have about the level of risk we as a society have agreed to tolerate in return for greater reward. You just need a moderate course correction from time to time.

I’ve come to the same conclusion regarding software liability. For decades, tough security acolytes have argued that software vendors should be held liable for their software vulnerabilities. They want to change commercial laws, like my friend suggests above, to make the risk a company takes higher. Then and only then, according to these believers, will software companies make significantly more secure software.

I call bunk on that idea.

For one thing, there’s no such thing as perfect software. All software has bugs and all software has security flaws. Even one of the strongest proponents of software vulnerability liability, Dr. Daniel J. Bernstein, who makes some of the most secure software in the world, has seen hackers uncover security bugs in his software. Few people in the world have the security skills that DJB has. But he is imperfect. He’s human.

If all software is imperfect and carries security bugs, then all software vendors, from one-person shops to global conglomerates, would be liable for unintentional mistakes. That runs counter to most common law as we know it today, because it would allow lawsuits over unintentional acts of harm.

Why stop with software vendors? Why not make every website, blog, or any other digital service subject to similar liability? Harm is harm. If I go to a website that is innocently infected, and I get exploited and lose money, shouldn’t I be able to hold that website accountable? Clearly, all of the above would practice more secure computing. But would they have time to do anything else?

It goes back to my original analogy. Just as no one would want to invest in unlimited liability corporations, no one would invest in software companies or digital content producers. You’d end up with less content, less software, less innovation, less stuff. And the world proves over and over again (rightly or wrongly) that we value the next new thing far more than we do adequate security. I don’t like it, but it’s the way it is.

For example, Microsoft Windows has had far fewer security vulnerabilities than Apple’s OS X or Linux for almost any given time period going back 20 years (for verification, check Secunia’s searchable database). But that doesn’t change the fact that Apple is gaining market share, especially in the consumer market. When measured against security, usability, new feature sets, and prettiness win every time. It’s always been that way.

Personally, I think it will take a huge “tipping point” security incident to make consumers value security more. But that, too, has been the way throughout history. We don’t like inconvenience ahead of the pain. We tend to wait for the damage and respond afterward.

We constantly risk our future safety for faster progress. It’s a very human trade-off, and computers and software didn’t change it. No doubt changing the rules to hold the tech industry liable for all harm to customers would improve security. But it would also, to an absurd degree, pour sand in the gears of technology development. Strive too hard for zero risk to customers, and you end up zeroing out everything else, too.

This story, “Vendors should not be liable for their security flaws,” was originally published at InfoWorld.com as part of Roger Grimes’ Security Adviser blog.

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.