July 08, 2005

Liability for Software - is the end of the Security Industry a bad thing or a good thing?

I've been thinking about software liability a bit and just the other day had a bit of a revelation. If security software came with liability it would destroy the security industry. That's the good news :-) The bad news is that we'd also get some regulation to boot, which would slow things down, as Marcus Ranum points out (by way of Eric Marvets).

My revelation occurred like this. In the closing stages of a small security job for a friend, I discovered that the intellectual property was being handled with a handshake. This didn't worry me from a property point of view simply because the <1000 lines of code written weren't worth enough to argue about; it was the process and knowledge that was being charged for.

But the absence of a proper transfer contract did worry me from a liability point of view. So I wrote in that there was zero liability. And the discussions started ... it was during that discussion with the client that I realised that the reason I had written zero liability - and left the client high and dry to fend with what could well have been buggy, incomplete, snake-oil nonsense written by a script kiddie, for all the client knows - was that if there was any liability, the price would have to go up.

And, significantly! The price would skyrocket because the mere presence of a letter from a lawyer would probably wipe out not only the profits from the job but the entire revenues (quick reality check, ask your lawyer what their retainer would be for a software liability action).

So we - me as supplier, the client as user, and the entire industry - are faced with a choice. Either supply the product at price X and go with zero liability, or supply the product at price Y and assume some liability.

What's the ratio between X and Y? For me it was at least double. Probably more like 3-4 times. It's so significant that I know the client wouldn't pay so they only have one choice: either they pay for no liability and get the security, or they don't get the security work done at all.

So what would happen if liability were added to software? Marcus suggests Microsoft Windows would go to $1000 per copy, citing the medical industry's experience. It's a number!

Clearly Microsoft Windows would go up in price. Just as clearly, people would switch to open source product, which cannot as easily carry liability because there is no _for consideration_ contract, and their $1000 laptop would stay a $1000 laptop [1, 2]. And, as it happens, the secure Operating Systems are the BSDs so not only will they suddenly find more popularity, we'd get more security into the bargain as well as more people start to use these products, probably via the hard route of Linux, which would be also forced to get serious about security.

This of course is the argument of the liability people - make software cope with its insecurity by properly pricing the cost of security such that it more correctly allocates society's resources. With the added wrinkle of open source of course. The problem with taking this path is that, no matter how desirable you find the notion of supporting open source, subsidies are a net 'bad' as an assumption in economics. That is, most every theory and study in economics shows that subsidies cost society more than they make. Which is to say that letting the market find the way to produce secure software is still a better bet than installing a permanent subsidy for open source into place.

This market process may already be on the move, says Eric Marvets:

[Microsoft's] marketing department is quietly getting ready and now all that's left is for the product to hit the market. These may all be coincidences, but I think it's a masterfully crafted business plan mid-execution.

Microsoft is rejigging everything in place for a shift to a more security-oriented focus (quietly...).

Will it work? Who knows. But one thing is clear - the market is pushing Microsoft in the direction of further security. What we need is happening, in the market. The question of whether regulators can do better is really a tough one, and experience and theory say No. So in promoting why adding liability would improve our net security, the question to ask is why it would work this time when the combined weight of economics and experience is against it?

1. Open source suppliers can carry liability, but let's ignore the edge cases here.
2. Countries with poorly developed intellectual property laws would still use Windows, as they also don't enter into contracts for consideration.

Posted by iang at July 8, 2005 09:56 AM

I respect Marcus quite a bit, but his reasoning in this piece is astoundingly off-base.

1) Medical liability is expensive because malpractice insurance has become a form of social insurance: if you go to the doctor and something goes wrong, you get a settlement from the insurance company. Things going wrong include losing ability to earn income, death, etc. Expensive. His claim that doctors aren't better or safer after 30 years doesn't make sense; his argument that (a significant amount) of people are priced out of the health insurance market by malpractice premiums is controversial at best.

2) Strict liability applies to many products. Businesses that make these products are still in business. There was some adjustment, but they moved on. Some of it is cost restructuring, and some of it is in improved products: even in the medical field, marked improvements have been observed (See the WSJ article on anesthesiologists: http://www.post-gazette.com/pg/05172/525947.stm). The GAO and others have soundly refuted the claim that doctors are deterred from practice by liability policy.

3) The cost argument applies to just about every extension of liability. A priori, we can't measure the benefits and the costs just look high. See the fight waged by the regulated industry against every single environmental regulation ever passed.

"subsidies are a net 'bad' as an assumption in economics"

Not in the case of externalities, and I think that's really what is at stake here. Marcus is right--people will buy secure SW if they want it. People will also eat healthy if they want to. But for some set of reasons, they don't. And we should start to care if market behavior of individuals affects others. My life is certainly worse off when millions of un-secured PCs are out there. So the subsidy to F/OS would improve social welfare if we assume this software is more secure for the magnitude of users.

This is what I am curious about: if 10 million Windows users just got sick of XP and got the local geek to put some distro on their machine, what would the network look like over the next 24 hours? Six months?

Posted by: Allan Friedman at July 8, 2005 02:08 PM