Alan Cox, one of the leading Linux kernel developers, has told a House of Lords hearing that neither open- nor closed-source developers should be liable for the security of the code they write.
Cox, who is permanently employed at Red Hat, told the Lords Science and Technology Committee inquiry into personal internet security that both open- and closed-source software developers, including Microsoft, have an ethical duty to make their code as secure as possible. "Microsoft people have a moral duty in making sure their operating system is fit-for-purpose," Cox said on Wednesday.
He added that it was generally accepted that no-one knows how to build a perfectly secure operating system, but that this was a research problem that someone would solve eventually, and make a lot of money in the process.
Cox said that closed-source companies could not be held liable for their code because of the effect this would have on third-party vendor relationships: "[Code] should not be the [legal] responsibility of software vendors, because this would lead to a combatorial explosion with third-party vendors. When you add third-party applications, the software interaction becomes complex. Rational behaviour for software vendors would be to forbid the installation of any third-party software." This would not be feasible, as forbidding the installation of third-party software would contravene anti-competition legislation, he noted.
Cox said that it would be difficult to make open-source developers liable for their code because of the nature of open-source software development. As developers share code around the community, responsibility is collective. "Potentially there's no way to enforce liability," he said.
The question of open-source liability becomes more complex because of how the code is used, added Cox. Open-source code is generally given away, but companies use that code to develop their own products. Cox said that there was a question of how liability would move from the initial developers to the companies.
Microsoft's national technology officer, Jerry Fishenden, who spoke at the hearing, said the responsibility for security breaches should rest firmly with those perpetrating the breaches. "We're making software as secure as we possibly can. People don't look at window-lock makers for the responsibility for burglary — the responsibility tends to rest with perpetrators," said Fishenden.
Adam Laurie, an open-source developer and security researcher, told the Lords that software manufacturers had a duty to the public to make it easy to secure computers, but he added that there is always a trade-off between usability and security. Developers should be liable for code they claim is secure even when it has been proven that it is not, he said.
The Lords inquiry will present its findings in the summer.
Talkback
"Microsoft's national technology officer, Jerry Fishenden, who spoke at the hearing, said the responsibility for security breaches should rest firmly with those perpetrating the breaches. "We're making software as secure as we possibly can. People don't look at window-lock makers for the responsibility for burglary — the responsibility tends to rest with perpetrators," said Fishenden."
... I am in agreement with the above statements, we as developers do due diligence to ensure that the code and software we produce is secure. However, due to the nature and interaction with different software on the same system that leads to insecure situation we should not be held liable.
As an example -- door maker built a most secure door possible, but the hinges that were used were not the best -- would this mean that door maker is liable when a burglar breaks into the house?
these are the points to look at
1. home owner bought a mediocre hinges -- should he be liable?
2. hinge maker made mediocre product -- should he be liable?
3. since door protects the home, door maker should be liable
4. the perpetrator should be held liable because he/she broke the law, not only invaded someones privacy, but also trespassed on private property and borrowed permanently something(s) that did not belong to them.
as you can see we as developers do our best to make the software secure and our reputation lies in making sure that is the case. We are there to meet consumer's needs by providing software that is valueable to them.
For mistakes in grammar, sentences or spelling -- purposely done to mislead the reader from true crux of the arguement.
nb