Software companies have reacted with predictable caginess to the Lords Science and Technology Committee recommendations that vendors be held accountable for flaws in their products.
In last week’s report, Personal Internet Security [PDF], the Committee recommended that the UK Government should “improve standards of new software and hardware by taking the first steps towards the establishment of legal liability for damage resulting from security flaws.”
However, a number of leading security vendors have claimed such a system would be difficult to manage. According to Symantec, such liability would not only have a negative effect on the software industry, but might harm the very consumers it was meant to protect.
“Such an approach does not take into account the complexity of the IT industry. An approach along the line suggested in the report on the issue of liability could result in the opposite effect and risk reducing consumer choice and end users security and privacy," said a company statement released within hours of the report.
Another problem with liability was the almost impossible task of determining who was to blame, said Graham Cluley of Sophos.
“Is it the security software for not blocking a piece of malware? Is the user to blame for clicking on a link in an unsolicited email? Is it the anti-spam software for not stopping the email? Is it the web filtering software for not blocking access to the website? Is it the ISP for not intercepting the danger? Is it the website owner for not protecting their website with up-to-date patches and allowing hackers to plant malware on their site?” he asked.
A similar stance was taken by McAfee’s Greg Day. “It would be very difficult to hold vendors responsible for breaches, as it really comes down to how solutions are implemented,” he said. “You would have to ask, ‘Did they have it configured correctly, updated and maintained?’ Every business has different IT security requirements depending on their business and IT footprint. A security vendor supplies businesses with the tools, but it is down the business to use them correctly."
Judging from the report itself, most submissions on the issue were broadly against the idea, including that of prominent open-source developer, Alan Cox.
“You buy a PC, you add a word processor, you add a media player, and you add a couple of games. All these can interact in strange and wondrous ways and as you add more software the combination increases. The rational thing for a software vendor to do faced with liability would be to forbid the installation of any third party software on the system,” he said.
In the end, the Committee took a hard line on the issue, recommending liability be explored as an option in some circumstances.
“In the short term we recommend that such liability should be imposed on vendors, notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced,” said the Committee.