4.25. The preceding discussion leads onto one
of the key issues raised in this inquiryliability. At present,
even if software is shipped with major flaws which give rise to
security vulnerabilities, end-users who suffer loss as a result
have no legal recourse against the vendorsend-user license
agreements generally exclude any legal liability. As Professor Anderson
put it, the Internet way of doing business is that "liability
gets dumped as much as possible on the end user" (Q 646).
The absence of liability, in contrast, means that there is little
incentive, particularly given the high degree of uniformity across
the marketplace, for vendors
to raise security standards. A key question therefore is whether
a liability regime would create an incentive for vendors to raise
4.26. Liability is a hugely controversial issue
within the IT industry. The witness to speak most forcefully in
favour of a vendor liability regime was Bruce Schneier. He argued
that "We are paying, as individuals, as corporations, for
bad security of products"by which payment he meant
not only the cost of losing data, but the costs of additional
security products such as firewalls, anti-virus software and so
on, which have to be purchased because of the likely insecurity
of the original product. For the vendors, he said, software insecurity
was an "externality
the cost is borne by us users."
Only if liability were to be placed upon vendors would they have
"a bigger impetus to fix their products" (Q 537).
Thus Mr Schneier had no doubt that liability was the key
to creating incentives for vendors to make more secure software.
4.27. Most other witnesses, however, were opposed
to the introduction of any form of liability regime. Jerry Fishenden,
of Microsoft, insisted that his colleagues were "making our
platform as secure as we possibly can within the complex nature
of software". He drew an analogy with the physical world:
"People do not tend to immediately look for liability towards
lock or window companies because houses are still being burgled.
The tendency is to want to blame the perpetrator" (Q 273).
4.28. Alan Cox, a developer of open source software,
focused on the possibility that a liability regime would stifle
interoperability and innovation: "you buy a PC, you add a
word processor, you add a media player, and you add a couple of
games. All these can interact in strange and wondrous ways and
as you add more software the combination increases. The rational
thing for a software vendor to do faced with liability would be
to forbid the installation of any third party software on the
system" (Q 313). Bruce Schneier, on the other hand,
argued "that the companies protest a little bit too much
in fact innovation is so profitable and so valuable that
you will see it" (Q 530).
4.29. Legal barriers were also raised. Nicholas
Bohm argued that those who suffered harm as a result of flaws
in software often had no contractual relationship with the vendor
that would entitle them to claim damages: "the risks and
losses are diffused by the Internet and it is not an environment
in which beefing up direct liability is an easy thing to do".
At the same time, he agreed that there was currently an "incentives
problem", in that "the suppliers and the creators by
and large do not suffer the adverse consequences to the same extent
as their customers" (Q 394).
4.30. Mr Bohm's objection to a liability
regime is certainly legitimate, though Bruce Schneier, while acknowledging
the problem, argued that the courts would have to manage it, as
they had done in other areas, where there were already "complicated
case-histories of partial liability" (Q 540). Professor Anderson
also concluded that "you are going to end up eventually with
some hard cases for courts to decide where ascribing liability
to this vendor or that vendor or to the user who misconfigured
the machine will be a complicated question of fact" (Q 658).
Analysing such questions of fact and reaching a judgment is what
the courts do every day.
4.31. At the same time, we accept that the pace
of innovation and change in the industry means that a comprehensive
liability regime may not yet be feasible. New ways to use the
Internetfor instance, new applications of "Peer-to-Peer"
and or other types of file sharingemerge at bewildering
speed. Online fashions and behaviours change just as fast. Professor Zittrain's
comment on liability was a qualified "not yet""
I would at least like to buy us another five or ten years of the
generative status quo and then see if it turns out that
things have slowed down and we pretty well know the uses to which
the network will be put" (Q 971). Alan Cox, while arguing
against liability, did concede that there might be "an argument
in the longer term that as technology improves and as we get better
at writing secure software that the law does need to hold software
companies to higher standards, at least in terms of negligence"
4.32. In principle, technological constraints
could slow the rate of innovation, creating a more stable and
mature market for software, at any time. "Moore's Law",
originally an empirical observation that computing power per unit
cost of silicon chips doubled approximately every 24 months, has
continued to hold good for over 40 years, and has supported an
astonishingly innovative industrybut there is no guarantee
that this rate of progress will be sustained in future. As this
Committee noted in 2002, fundamental physical constraints will
at some point limit the miniaturisation potential of conventional
4.33. We are not however in a position to predict
if and when the pace of change in the online world will slow.
Nor can we answer a related question, namely when the industry
will, in Alan Cox's words, "get better at writing secure
software". But we have no doubt that at some point in the
future the IT industry, like other industries, will mature: more
consistent standards for software design will emerge; the rate
of innovation will slow. At that point, if not before, clearer
definitions of the responsibility of the industry to customersincluding
a comprehensive liability regimewill be needed.
4.34. In the meantime, there are many areas in
which vendor liability is already appropriate. One such is where
vendors are demonstrably negligent in selling products which they
know to be insecure, but which they advertise as secure. In Adam
Laurie's words, "potentially there should be some issue of
liability for companies shipping products that are known not to
be secure and selling them as secure products" (Q 315).
As an example, he mentioned WiFi systems, where security protocols
were claimed to be secure long after they had in fact been broken.
4.35. Professor Handley also argued very
succinctly for imposing liability where negligence could be shown:
"If your PC, for example, gets compromised at the moment
there is no real liability for the software vendors or the person
who sold them the PC or anything else. The question then is: did
the person who sold you that software or the person who wrote
that software or whatever actually do the best job industry knows
how to do in writing that software? If they did then I really
do not think they should be liable, but if they did not then I
think some liability ought to be there" (Q 654). We
4.36. Any imposition of liability upon vendors
would also have to take account of the diversity of the market
for software, in particular of the importance of the open source
community. As open source software is both supplied free to customers,
and can be analysed and tested for flaws by the entire IT community,
it is both difficult and, arguably, inappropriate, to establish
contractual obligations or to identify a single "vendor".
Bruce Schneier drew an analogy with "Good Samaritan"
laws, which, in the United States and Canada, protect those attempting
to help people who are sick or injured from possible litigation.
On the other hand, he saw no reason why companies which took open
source software, aggregated it and sold it along with support
packageshe gave the example of Red Hat, which markets a
version of the open source Linux operating systemshould
not be liable like other vendors (Q 541).
4.37. Finally, we note that moves towards establishing
vendor liability would be much more effective if they were made
internationally rather than by the United Kingdom alone. There
is a significant cross-border market in software products, so
imposing liability onto United Kingdom companies, without making
foreign companies accept similar responsibilities, would risk
undermining competitiveness. In addition, regulatory intervention
at United Kingdom level might risk creating distortions in the
internal market, so falling foul of European Union law. We were
therefore encouraged by the cautious welcome given to the prospects
of vendor liability by Viviane Reding, Commissioner for Information
Society and Media at the European Commission:
"We will follow the development of the industry-led
initiatives in this area
If industry, if the market can
sort out the problem we leave the market to do that, but we also
say to the market or to the industry, 'We do not want this to
happen for a very long period of time, so if you can sort it out,
do it, and if after one or two years you have not managed to sort
it out then we will have to come in with regulation,' because
here we believe that self-regulation is the best way out, if it
is possible. If not, then we have to go to a binding regulation
which is potentially costly to the industry" (Q 947).
Conclusions and recommendations
4.38. The IT industry has not historically
made security a priority. This is gradually changingbut
more radical and rapid change is needed if the industry is to
keep pace with the ingenuity of criminals and avoid a disastrous
loss of confidence in the Internet. The major companies, particularly
the software vendors, must now make the development of more secure
technologies their top design priority. We urge the industry,
through self-regulation and codes of best practice, to demonstrate
its commitment to this principle.
4.39. In particular, we urge the industry
to endorse the following as best practice:
- Increasing the provision of
security advice to users when first booting up PCs or launching
- Automatic downloading of security updates
upon first connecting machines to the Internet;
- Ensuring that default security settings are
as high as practicable, even if functionality is restricted while
users are still learning about the risks they face; and
- An industry-wide code of practice on the use
of clear and simple language in security messages.
4.40. However, efforts to promote best practice
are hampered by the current lack of commercial incentives for
the industry to make products secure: companies are all too easily
able to dump risks onto consumers through licensing agreements,
so avoiding paying the costs of insecurity. This must change.
4.41. We therefore recommend that the Government
explore, at European level, the introduction of the principle
of vendor liability within the IT industry. In the short term
we recommend that such liability should be imposed on vendors
(that is, software and hardware manufacturers), notwithstanding
end user licensing agreements, in circumstances where negligence
can be demonstrated. In the longer term, as the industry matures,
a comprehensive framework of vendor liability and consumer protection
should be introduced.
15 Readers are reminded that the word vendor is used
in the sense universal within the IT industry, namely the manufacturers
of software and other products, rather than the general English
sense of retailer. Back
See Chips for Everything: Britain's Opportunities in a Key
Global Market (2nd Report, Session 2002-03), paragraphs 4.18