Vendors should not be liable for their security flaws

Few tech vendors or content producers do everything they can to eliminate security flaws, but changing the rules isn't the answer

Page 2 of 2

If all software is imperfect and carries security bugs, that means that all software vendors -- from one-person shops to global conglomerate corporations -- would be liable for unintentional mistakes. This essentially goes against most common law as we know it today, allowing lawsuits for unintentional acts of harm.

Why stop with software vendors? Why not make every website, blog, or any other digital service subject to similar liability? Harm is harm. If I go to a website that is innocently infected, and I get exploited and lose money, shouldn't I be able to hold that website accountable? Clearly, all of the above would practice more secure computing. But would they have time to do anything else?

It goes back to my original analogy. Just as no one would want to invest in unlimited liability corporations, no one would invest in software companies or digital content producers. You'd end up with less content, less software, less innovation, less stuff. And the world proves over and over again (rightly or wrongly) that we value the next new thing far more than we do adequate security. I don't like it, but it's the way it is.

For example, Microsoft Windows has far fewer security vulnerabilities than Apple's OS X or Linux for almost any given time period going back 20 years (for verification, check Secunia's searchable database). But that doesn't change the fact that Apple is gaining market share, especially in the consumer market. When measured against security, usability, new feature sets, and prettiness will win every time. It's always been that way.

Personally, I think it will take a huge "tipping point" security incident to make consumers value security more. But that, too, has been the way throughout history. We don't like inconvenience ahead of the pain. We tend to wait for the damage and respond afterward.

We constantly risk our future safety for faster progress. It's a very human trade-off -- and computers and software didn't change it. No doubt changing the rules to hold the tech industry liable for all harm to customers would improve security. But to an absurd degree it would also pour sand in the gears of technology development. Strive too hard for zero risk to customers, and you end up zeroing out everything else, too.

This story, "Vendors should not be liable for their security flaws," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.
| 1 2 Page 2
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.