Business, Innovation and Skills
Written evidence submitted by Symantec
Executive Summary
The proposed legislation is a welcome step. Unfortunately it falls short of appropriately acknowledging the specificities of software, and especially of security software, versus other forms of “digital content”.
Cyber security threats are not stagnant, and the characteristics of malicious software constantly change in order to avoid detection. This requires software providers to update internet security software regularly, sometimes several times an hour, in order to mitigate the risks to consumers.
Symantec focuses its comments on five key areas: on the notion of digital content and how that fits with security software; the notion of satisfactory quality; the right to modify digital content; the right for repair and replacement; and compensation and liability.
As drafted, the legislation creates new areas of uncertainty for businesses and consumers and negatively affects well established business practices that have traditionally benefited consumers.
The principle that liability cannot be excluded or restricted risks harming businesses and consumers by creating unfair competitive advantages for certain suppliers. It may result in companies increasing their pricing structures and may also limit the speed with which consumers are protected from threats.
Introduction
Symantec welcomes the opportunity to respond to the Committee’s inquiry into the Draft Consumer Rights Bill. We support the work the Department for Business, Innovation & Skills (BIS) has undertaken to develop a clearer, improved framework for consumer law. A simpler framework will help both consumers and industry by providing clarity on the rights and remedies consumers have when undertaking commercial contracts for goods, services and digital content. However, we have identified some areas for review and improvement, as highlighted below.
Symantec is a global leader in providing security, storage and systems management solutions to help customers secure and manage their information against internet security threats. We provide internet security and information management products and services, many of which might fall under the remit of the draft consumer rights legislation. Symantec’s Norton AntiVirus, Norton Internet Security, Norton 360 and Norton Multi-Device provide comprehensive online protection for consumers. Our security products protect users’ computers, mobile phones and other internet-enabled devices from unwanted malicious attacks such as viruses and spyware, and also identify and block unsafe websites. As such, the proposed legislation is expected to significantly impact our current business practices and our customers.
Symantec would like to acknowledge the openness with which the government has engaged in the process of consulting for this legislation. Both as a company and as an industry, through trade bodies such as BSA|The Software Alliance, we had the opportunity to express some of our views to BIS and provide constructive feedback both on the positive and more challenging aspects of this legislation.
The Notion of Digital Content
We appreciate the desire to provide clarity to consumers with regard to contracts for digital content, and understand the rationale for introducing a new category for digital content into legislation. Symantec fully supports the need for consumers to be given greater clarity over the rights and the remedies available to them when purchasing digital content. However, simply transposing some of the rights and remedies for goods to digital content is not an optimal fit. The notion of “digital content” is used in the Draft Bill to encompass a variety of categories of digital goods that are available to consumers. Symantec does not agree with this approach, as goods are static, tangible products whereas digital content can come in a variety of forms, some far more complex than others, and therefore special consideration needs to be given to the rights and remedies.
Moreover, different types of digital content interact differently with the array of consumer devices that are used by consumers and have various levels of complexity. Music, video, and ringtones for example have far less complex operation than security software. Ascertaining why a piece of software is not working is a far more complex process and could be due to a number of reasons, such as how it interfaces with other software or operating systems on a consumer’s device, changes to the consumer’s hardware or how the software is configured. As a result of this complexity, software companies develop dedicated customer support departments and even compete on the quality of the support they provide, unlike music and video providers whose digital content is expected to simply “run” on any technical platform and under almost any configuration.
Unfortunately some of these points are not fully recognised in the current legislative draft. Whereas creating a single legal framework for the various types of digital content is perhaps simpler, Symantec believes that it is not practical. This is because in reality there is no “one size fits all” approach to digital content as the different types of digital content can vary considerably.
Another good example of how software differs from other types of digital content is that of security software, an area in which Symantec specialises. Whereas digital music in MP3 formats or digital video in DVD format remain unchanged, software generally is subject to regular and systematic updates and improvements from its providers. This is increasingly the case in a cloud computing environment whereby the delivery of software is treated as a regular service and not classified as a good.
Various types of software require different frequencies of updating. For example, security software needs to be updated very frequently (sometimes several times in an hour) to be able to detect new threats, fix problems or security vulnerabilities, or to add new features which ultimately enhance the usability and performance of the software. Security updates are vital to ensure the continued functionality and efficiency of the software, to secure the user’s device and applications, and to support the safe usage of the Internet. Therefore Symantec licenses many of its consumer “products” as a service, as the primary value to the consumer is contained within the ongoing updating service, without which customers would not remain secure against new threats.
We recognise the Government’s intention to address some of these points, but to best protect the interests of consumers we feel that the proposed legislation has room for further improvement. As currently drafted, we fear that it is likely to create greater legal uncertainty in some areas. It also poses potential difficulties for companies developing security solutions to manage their business risk and provide the best possible protection for users and consumers. Finally, it risks creating anti-competitive incentives in the marketplace.
Symantec believes that some of the undesirable effects of the current draft go against the spirit of what the legislation is trying to achieve, as well as other broader public policy objectives.
Comments on Specific Clauses
Digital content to be of satisfactory quality (cl.36)
The clause states that digital content must be of satisfactory quality and thus “free from minor defects”. Symantec believes that this is an extremely broad term and is consequently open to interpretation. What is the threshold that defines a “minor defect”? This clause would prove problematic for all companies developing any type of software as it is not possible to guarantee that software will be free from all minor defects.
It is well known that all software comes with some minor bugs and errors that do not impair its usage or functionality; however, some of these defects may be vulnerabilities that are open to attack. These bugs are often not known to the manufacturer at the time of release to market; once identified, they are typically resolved in a subsequent software version. Correcting minor defects is part of the software development cycle, and such defects are often linked to specific configurations and operating environments that the software developer cannot predict.
The current market environment allows significant choice for the consumer who can purchase software from competing brands. Some companies develop software on hardware platforms they do not own. The owner of a hardware platform who also develops software is in a better position to detect “minor defects” than its competitors who do not own the hardware platform yet are expected to compete with the hardware owner on a number of parameters (such as price, features, service).
If there is a requirement within the Draft Bill for “freedom from minor defects” in conjunction with the inability of the trader to limit its liability (clause 49), it creates a negative incentive for companies, especially small companies or companies that do not own the hardware for which the software is being developed. It gives an unfair competitive advantage to companies that produce both hardware and software and in the long run could limit competition and harm consumers in terms of price and quality due to the limited choices.
As stated above, “free from minor defects” is an extremely broad term. Symantec believes that this provision should be redrafted, recognising the specificities of software and its potential impact in the marketplace. It should apply to a limited range of digital products. Furthermore, it should be recognised that digital content which is more dynamic (such as security software) may be licensed via a service offering and not subject to the above provisions.
On determining “satisfactory quality”, the Draft Bill foresees that all relevant statements are taken into account. Specifically for security software, making statements about future performance is highly problematic. There are known virus and attack techniques against which security software protects, but more importantly there are also unknown viruses and attack techniques, which cannot be predicted. For example, Symantec discovered 5,291 new vulnerabilities in 2012 [1]. It would be unreasonable to be expected to provide more than generic descriptions of the typical kinds of attack that security software can defend users from.
Therefore, notwithstanding that such dynamic content may be provided on a service basis, it would be beneficial if the Draft Bill clarified these broad terms and not leave them open to interpretation. This could be achieved by including a reference in the legislation that the determination of quality is set against the technical specifications that the trader provides to consumers (as opposed to any statement made by the trader).
Clause 38: Digital content to be as described and right to modify digital content (Clause 42)
Quality is also determined based on the description given to the digital content. The content needs to remain in conformity with the description for the entire duration of the contract. This has a number of practical implications when it comes to security software that Symantec considers problematic, due to its “dynamic” nature (as explained above). For instance, a trader may update the security solution it offers to consumers and in doing so it may add, replace or remove a function of the software that the consumer had originally purchased, in a way that would not necessarily “meet the description given”, as set out in Clause 38. This change may be necessary for a number of technical or practical reasons, such as a security fix; an update to improve functionality and enhance the user experience; an update to keep the software running (for example, incompatibility with an operating system update that the user has made); or the suspension or removal of a function that may be vulnerable to cyber attack. Under the current rules, such changes are allowed, are foreseen in the end-user licence agreements and are common practice in the industry. They are also highly desired by users, who see the benefit of such flexibility in the end result of a constantly enhanced product.
Therefore it is unclear how this clause will enhance the user experience, or ultimately help protect the consumer. It seems to suggest that industry will be confined to delivering what was foreseen in version 1 of its product, without the possibility of enhancing the product and without the possibility of implementing emergency measures to reduce the risk of attack to users. It would seem sensible to allow digital content providers to modify the content if it is of benefit to the consumer or improves the functionality of the software, irrespective of whether it differs from the original description. Symantec believes that there is a strong argument for exemption from the provisions of Clause 38 for network and information security software vendors, on the basis of a necessity to modify the original functionality of a software product.
With regard to the principle that trial versions of software need to adhere to the full version once purchased, established industry practice is typically that trial software has (i) a limited lifetime but has full functionality; or (ii) an unlimited lifetime but with limited functionality. The Draft Bill does not make this distinction and is therefore not in line with industry practice. Symantec believes that the Draft Bill should be amended to reflect this established principle. Otherwise it is likely that software providers will cease to offer option (ii) which will limit the consumer’s ability to evaluate and choose between different products.
Clause 45: Right to repair or replacement
The Draft Bill sets out that the consumer is entitled to “repair or replacement” of digital content if it is not of satisfactory quality or if it does not meet the description given. In the case of a repair, it is unclear whether periodic software updates would count as a “repair” or a “replacement”. As already outlined, we are unable to predict future threats as they are continually evolving, and we are constantly developing the necessary mitigations which are delivered via online updates, often in very short periods of time. Threats are not static so an update that addresses version 1 of threat A may not be sufficient to address version 2 of the same threat or threat B. In this regard, updates function as a constant service provision and a mechanism to maintain the efficiency of the software. However the same update mechanism is also used to provide fixes to the software and address known incompatibilities that may emerge in its supported lifetime. The legislation does not define the mechanism to deliver a repair or a replacement, which we believe is the right approach. However, to the extent that “repair or replacement” is even an appropriate remedy for providers of dynamic, service-based content, it is recommended that the Explanatory Note and implementing guidance recognise that the repair or replacement mechanisms may often be integrated into existing servicing mechanisms to consumers, particularly of content of a dynamic nature.
Under this principle of liability for digital content, a consumer should be entitled to a replacement if a simple piece of software is defective, such as an ebook that has text or pages missing (or for software provided on disc media, a new disc if the original is damaged). The consumer simply returns the defective software/disc and receives a replacement. However, the situation is far more complicated when it comes to complex digital content such as security software. If the consumer has requested a replacement, there is not always a way of determining whether the consumer has actually deleted the software from their computer or indeed installed it on a separate/different device. Symantec believes that the Draft Bill should be framed in such a way to enable businesses to deliver a replacement through means that minimise the possibility of fraud.
Clause 48: Compensation for damage to device or to other digital content
As indicated above, complex digital content can malfunction for a number of reasons unrelated to the design or development of the digital content in question, and the cause of the failure can often be difficult to determine. For example, the device on which the digital content is loaded might not be functioning properly, or the digital content could conflict with a separate piece of software or hardware installed on the device. In the end, this will come down to a question of evidence, which becomes very costly and time consuming for the consumer, the provider and ultimately the courts.
Specifically for the internet security industry there is an issue linked to the problem of “damage” to other digital content, the inability to limit the liability according to “Clause 49” and the nature of the business in which the security industry operates.
As set out above, security software can be updated several times within an hour to address constantly evolving threats and in order to effectively protect consumers. These updates are developed with “reasonable skill and care”. They are tested against numerous possible known configurations. However by their very nature these updates are a process that needs to be automated and that is done under extreme time pressure. As a general rule, the faster an update is released to consumers the greater number of people are protected from a new threat.
However, a possible consequence of releasing updates too quickly is the possibility of releasing a false positive, i.e. there are consumers using an unforeseen configuration against which the update has not been tested. Once that update is installed, it mistakenly detects a “friendly” file as hostile and, in responding to this perceived threat, causes damage to the computer or renders other digital content inaccessible.
The internet security industry has taken great effort to minimise such occurrences and companies like Symantec have a stringent process in place to prevent such incidents from occurring. However, it is impossible for any internet security company to completely protect against the risks of a false positive, especially in cases of high urgency, high volume attacks. Against this backdrop if one adds the fact that the Draft Bill does not allow the trader to restrict its liability under any circumstances, it becomes apparent that the security industry is confronted with a very real counter-incentive.
In cases of fast-growing attacks affecting many users, security companies need to release updates as quickly as possible to protect their customers, and at the same time ensure that they are able to manage the legal risk in case an update causes some unforeseen damage to a limited number of users applying an unknown/unforeseen configuration. Urgent critical fixes for serious internet threats may sometimes necessarily be released before completion of an exhaustive testing process, as there is generally a greater benefit for a greater number of consumers, compared to a small number who may experience more minor compatibility issues or false positives. The proposed legislation will encourage suppliers to slow down such releases pending more tests, potentially resulting in critical protection being delayed for the majority of customers.
Symantec appreciates the opportunity to provide input to the Committee’s inquiry. Please do not hesitate to contact us if you require additional information or if we can be of any further assistance.
About Symantec
Symantec is a world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Mountain View, Calif., Symantec has operations in more than 40 countries. Further information can be found at www.symantec.com. European Transparency Register Identification Number: 3612325809-89
6 September 2013
[1] 2013 Internet Security Threat Report, Volume 18, Symantec