In response to Sept. 11, the American National Academy of Sciences is proposing that the U.S. Congress enact laws which would make developers liable for software security breaches. The intent is to “cause the market to respond adequately to the security challenge,” the report, Cybersecurity Today and Tomorrow, said.
While the issue of liability is still in its developmental stage, a U.S. law could have implications here in Canada. Whether Canadian laws follow suit may be moot since most Canadian developers will eventually sell their wares south of the border. As it stands today most software developers are liable for little more than the price of the software. Though this could change, it is unlikely to alter the Red Adair scenario that rules technology. The famed Texas oil fire fighter, when asked about the cost of a job, said, “you can have it fast, you can have it cheap or you can have it done properly, pick two.”
This is part of the reason software is often released before it should be.
The two sides
Canadian developers seem to be split on the issue of personal liability. Though many view the idea of liability as a personal affront to their professional integrity, there is a sense that some reform is needed.
“There are problems out there and I can see why people would want to try to respond to [it],” said Joel Brown, president of Mooseware Ltd. in Mississauga, Ont. “Whether or not what is being proposed is the most useful way of getting at the problem is a different issue,” he said.
One school of thought says that for software developers to gain the respect they feel they deserve, they need to be held accountable for their code, much the same way doctors, lawyers and accountants are held liable for their professional deeds.
Eric B. Verbonac, solutions delivery analyst with the Ontario Lottery and Gaming Corporation in Sault Ste. Marie, said it is a good idea that developers are accountable for their work, and he is not against the idea of tagging lines of code in large projects so the work of individual developers can be identified. But he added a caveat. Without knowing exactly how the law would work, “it is very hard to judge [its efficacy].”
Making a developer liable for code written five years ago would certainly not be acceptable to the community at large.
In the other camp are those who feel making developers liable is inherently unfair, since creating flawless software is next to impossible. Software does not operate in a vacuum. Combinations of applications, which a developer could never foresee, might create a security breach and thus introduce liability.
Mike L. Dewing, IT manager for the Skookumchuck Operations of Tembec Industries in Skookumchuck, B.C., isn’t sure laying the blame with the developer is a good idea.
“I think that if you take someone who is fresh out of school…and make them liable for the software they write, [that] is not putting the responsibility where it should be,” he said.
Those who test software, whether internally with the software development company or as part of the installation team, should be responsible for security, he said. But even this has its limits.
“There are all kinds of things that you don’t even conceive of when you are developing [software],” he added.
Brown raised another point.
“Any kind of a legal framework which gives somebody a stick to hit software developers, whether they are individuals or corporations, is going to necessarily stifle innovation,” he said.
There was one point of agreement among developers: malicious code writers should be liable. The software engineering industry has a perceived lack of respect from its engineering brethren, and intentionally faulty code doesn’t help the issue.
End users will pay
If liability laws do come into play, end users will most likely bear the brunt of it. Not only will prices likely go up, but there is also a sense among developers that applications will take much longer to develop.
“Every possible scenario that you can come up with will have to be put into the code and the programs will be a lot bigger and take a lot more resources,” Dewing predicted.
That Canada is not the litigious society found south of the 49th parallel will be of little consequence, since software is often developed with the enormous American market in mind.
“People who are afraid of getting sued or can’t afford errors and omissions insurance will just get out of the business…and those who are brave enough or rich enough to stay in the game will move more cautiously,” Brown said.
“To a large extent, I think, this is the way the American marketplace already works.”
“I think that the responsibility has to be shared among the people who are using the software and the people who sell the software,” Dewing said.
Ironically, this is pretty much where we sit today.
ComputerWorld Canada made several attempts, without success, to get Microsoft and Oracle to comment on the issue.