I recently ran across an article that will be especially interesting to the geekiest among us. It seems a group of security experts, the SANS Institute, believe that the only way we can ensure that buggy and dangerous software is not released by developers is to hold them all legally liable.
“Nearly every attack is enabled by mistakes programmers make that provide a handhold for attackers,” said Alan Paller, Director of Research, SANS Institute. “The only way programming errors can be eradicated is by making software development organizations legally liable for the errors…
Paller is almost certainly correct in this assessment, but he is talking as a security professional and not as a consumer, businessman, politician, programmer, etc. A law like this would have a number of very real impacts on you, your neighbor, your brother, your cousin the programmer, and your grandma’s small business.
1) High Cost Software
Why are doctors’ prices so high? One reason has to do with their malpractice insurance. A doctor, or the hospital he works for, is considered to be legally, and financially, responsible for any error they make. If this were applied to software, a programmer might be sued because they weren’t very good at their job and wrote buggy software that produced the wrong shipping labels for grandma’s business, and now she has to ship duplicate items. Right now she’d probably ask for a refund, but with this kind of legislation she might sue for some damages - hopefully a reasonable amount - and win. This means we have to charge more for the software ahead of time, not just to cover the lawsuit cost but also because of the increased cost of development. I’d need to hire more programmers, more testers, and spend more time in development. And, lest you forget, this applies to every electronic gadget you own: microwave, TV, cable box, video game, car, laptop, mp3 player, refrigerator, stove, phone, etc. - all more expensive.
2) Longer Product Cycles
You won’t be getting that new iPod every year anymore, and Ford won’t be releasing a new truck this year. Now that these companies have to ensure an especially high product quality or face legal repercussions, they will be spending a lot longer working on each product, and the pace of new technology innovation will slow. Right now, companies are constantly racing to release the newest product before the next guy, but this law would put a stop to that. That new TV that uses the new hot web feature, whatever that might be? Expect to wait until after the fad has worn off before your TV supports it.
3) Fewer Products
This should go without saying: while Apple is busy making sure their new hotness is safe enough to release and avoid lawsuits, they will be making far fewer new products in the future. Enjoy the fact that your favorite company makes 12 levels of the same product, all with different features and at different price points, allowing you to get the exact model you need and not pay for features you don’t? Say goodbye. If the SANS Institute has its way, there’ll only be a single model of every product as companies try to combat their skyrocketing development costs.
4) Stagnant Innovation
A friend of mine’s company has recently been working on a small device for monitoring an extreme athlete’s performance while they jump, spin, twist, flip, and do whatever else they do. In the environment these security professionals envision, innovative products like this will never come to market. What if the device provides bad data, making a skier believe he/she can complete a maneuver that ends up killing them? Should the makers of the device be held responsible for the malfunction that produced the data that misled the skier? I don’t think so. In this security-centric world they imagine, no one tries anything new because they are afraid of the consequences when they make a mistake.
5) No More Google, Or Open Source, As We Know It
This may be an inflammatory title, but it’s true. Do you think Google, or Yahoo for that matter, continues to provide the myriad of free services they provide once they are legally responsible for their systems being compromised? I’m guessing not. No free GMail and no free chat services: what if their software allowed someone to peep into your conversation? Maybe no free search? What happens if a bug in Google’s image search shows obscene content to my daughter? Can I sue them?
What about free open source software? Is each contributor to an open source project legally responsible for their individual contributions? Are they all responsible for the entire code base? The financial burden may be too much to bear without a company behind it. If a law like this is ever passed, expect open source to die a fast death.