02 June 2006

What Bruce Schneier Didn't Say

The ever-perceptive Bruce Schneier has another interesting column in Wired. This time he raises the question: Why not make vendors liable for software bugs? As he explains:

For years I have argued in favor of software liabilities. Software vendors are in the best position to improve software security; they have the capability. But, unfortunately, they don't have much interest. Features, schedule and profitability are far more important. Software liabilities will change that. They'll align interest with capability, and they'll improve software security.

But one thing he doesn't address here is what will happen to open source. After all, if coders become personally responsible for the bugs they write, the volunteer system is going to collapse pretty quickly.

I asked him about this a couple of years ago, and this is what he said:

I presume there would be some exemption for open source, just as the United States has a "good Samaritan" law protecting doctors who help strangers in dire need. Companies could also make a business wrapping liability protection around open source software and selling it, much as companies like Red Hat wrap customer support around open source software.


Daniel Macintyre said...

Um, we ARE talking about the concept that gave us Linux and Firefox, right?

In an open community based project with a decent number of participants, due diligence is hardly a problem. The people producing this software already have a vested interest in keeping it secure - the same interest that got them involved with it in the first place. That's why these products are ALREADY so much more secure than their closed source counterparts.

Also, in initial stages, products are typically released as alpha or beta software first. consumers using these versions already assume that the software is imperfect. They can hardly hold the producers responsible at THAT point!

All in all, I feel pretty comfortable with the prediction that open source software would be in no real danger from software liability - in fact, the above protections might even encourage MORE software vendors to go open source as a hedge against possible future liabilities in their products.

glyn moody said...

Well, I suppose it depends on the details of how the liability would work.

Certainly, OSS can mean many eyes are looking for problems, but what worries me is that even the vague possibility that they might get sued would be enough to chill coders' enthusiasm.

As far as betas are concerned, the problem is that most things seem to be betas these days - just as Google. So the courts wouldn't be impressed if every piece of software were called a beta release to avoid liability issues, with no real 1.0.

As a supporter of the OSS I hope this is all theoretical; but it's worth thinking about, at least in general terms.