
Network World

RE: Security vendors shun idea of liability

Why in the world should they be held liable? The assertion itself is absurd. Hackers and their ilk should be held liable, not the ones trying to stop them. This is akin to courtroom situations where a prosecutor makes the victim the guilty one by their naivete - Craziness!


It's not surprising that


It's not surprising that such a move has finally been made. Every other branch of engineering and nearly all other professional occupations are heavily liable in the case of negligence. You can't build a bridge which collapses because of poor engineering, or an operating room machine which goes "Ping" when it shouldn't, and expect not to be held legally liable.

It's doubtful that the stance taken was to stop hackers and spammers by holding the developers legally liable (Terrorist -- Bridge : Is the engineer liable?) but to protect a customer against negligence and poor workmanship. It may not be the perfect solution, but the ball is rolling.

Completely agree with those requirements


Car builders are required to build seat belts and good brakes into their cars. Airplane vendors have to fulfil loads of security requirements. Medication vendors have to go through intensive tests before being allowed to sell their medication. Food vendors have to fulfil strict hygiene requirements. I can't think of a good reason why software vendors shouldn't be obliged to adhere to some basic security requirements as well. After all, IT security is a common good, just as is traffic, airplane, drugs and food security.

Completely agree?


Your argument is not a good one - Software security is much different than Airline, medical, or car manufacturer security. In software you are constantly battling malicious attacks by predators across the globe. This would be the equivalent of holding a car manufacturer accountable for an accident that was intentionally caused by a malicious driver.

In short, there are endless ways that software can be attacked, and people are cooking up new ways every day. It is impossible to be 100% secure, you can only do your best to try to prevent such attacks.

Difficulty in assigning culpability


Unless you want to write all of your programs in Assembly Language and use only your own libraries (the case for me in the 1980's) then your work includes the possibly faulty work of others. Do you want to be legally liable for the quality of software libraries that you cannot validate? In fact, with scripting languages such as PHP, your five-line "program" may invoke tens or hundreds of thousands of lines of library code.

Some case law pertaining to faulty consumer products apportions culpability according to relative contribution of the faulty component and to the person using it in possibly an improper manner. Thus, you have the situation where culpability for faulty software will have to be apportioned among the user and a chain of programmers: The application programmer using PHP, the programmers of PHP itself probably using C, the programmers of C using assembly language (C programs itself but the *first* C had to be assembled), and the programmers of assembly language who by now are probably dead.

SCO vs IBM, Novell and a flock of others shows the difficulty in apportioning and discovering "who did what".
