Why Making Developers Liable For Security Vulnerabilities Won't Work
from the it's-a-problem dept
It seems you can't go a few months before someone, somewhere brings up the question of whether or not developers of software products should be liable for the security vulnerabilities in their products. The frustration level is high with buggy software, and so out come the suggestions that lemon laws should apply and execs at companies that make buggy software should go to jail. The problem, though, is that software will remain insecure no matter what's done, and adding liability might actually make the problem worse. However, along comes Howard Schmidt saying instead of companies being held responsible, the actual developers of products should be held liable for security vulnerabilities. This is the same Howard Schmidt who announced 10 months ago that technology would solve the phishing problem in a year. He's got two months to go, and last we checked, phishing was still a growing problem. Should we hold him liable for falsely claiming that phishing would be gone? That's the crux of the problem. No matter how careful a developer is, there are always going to be holes he can't foresee. Making developers liable will only cause a few things to happen: vastly fewer programmers will be available to work on security issues, as it's just not worth the risk, and fewer companies will even try to make security products. Also, just about every product you buy will be surrounded by pages and pages of legalese to tell you that the product isn't at all secure to try to legalize themselves out of liability. That won't help anyone in terms of actually building more secure applications. Schmidt is right in saying that developers need to be better trained in computer security, but that doesn't mean adding liability issues without looking at the unintended consequences of such an action. Update: There's an update to this story, where Schmidt clarifies that he was talking about accountability, not liability -- and the ZDNet article misconstrued it.