Software Liability

Software liability is another perennial topic that comes up whenever I am speaking to someone who is a consumer of technology. If they are one of the people I actually bore with the details of what I do, it isn’t uncommon for the conversation to turn to their individual concerns about internet security and identity theft.

Usually what they express to me is that they feel they have to be internet security experts to be comfortable using the typical consumer computer configuration and going onto the internet to do anything at all. They feel the industry has failed them: no real concern is given to safety in products, and the focus is on selling the Next Great Innovative Feature Packed Product.

When industry experts get together, they tend to talk around the real issue and blamestorm about who should be left holding the bag. Usually, and strangely to me, the bag ends up with the same people they are selling their products to, or with those next downstream from them. Blaming their customers for buying their products? Interesting thinking there.

Therefore, as I’ve stated elsewhere, I found it encouraging that the House of Lords published a report on personal internet security which opens with the following:

The Government have insisted in evidence to this inquiry that the responsibility for personal Internet security ultimately rests with the individual. This is no longer realistic, and compounds the perception that the Internet is a lawless “wild west”. It is clear to us that many organisations with a stake in the Internet could do more to promote personal Internet security: the manufacturers of hardware and software; retailers; Internet Service Providers; businesses, such as banks, that operate online; the police and the criminal justice system.

We believe as a general principle that well-targeted incentives are more likely to yield results in such a dynamic industry than formal regulation. However, if incentives are to be effective, they may in some cases need to be backed up by the possibility of direct regulation. Also, there are some areas, such as policing, where direct Government action is needed. So Government leadership across the board is required. Our recommendations urge the Government, through a flexible mix of incentives, regulation, and direct investment, to galvanise the key stakeholders.

There is also an interesting method of encouraging public discourse on the subject, and one of the specialist advisers to the committee has written a commentary on the whole process.

Interesting talk, but there is a large degree of opposition. After all, it is features and utility that sell software, not safety or quality. When bad things happen, it is blamestorming and not pragmatism that prevails.

At least, that is how it has been until recently. Many people I know use the TJX breach as a case study for the PCI (payment card) industry. Certainly it is interesting for a variety of reasons, and there is more than enough blame to go around for every party involved.

The problem is largely invisible: private firms are reluctant to report breaches unless they are caught, and the technical adversaries have an aversion to attention, so it is hard to address the problem for lack of quality data. This shows every indication of changing if California’s example of mandatory breach notification is made federal.

For the most part, the feds in the USA are out to lunch and ineffective:

Limited resources. Current and former agents contend there are too few federal cyberinvestigators, and that too little is done to retain detectives with advanced technical training. Budget numbers appear to support the critics’ complaints.

Fractured responsibility. A half-dozen federal agencies fight organized Internet crime with overlapping programs, and at times are barred from sharing information. One private security consultant described having to act as a go-between, linking information between two agencies unable to talk directly.

An unfamiliar threat. Traditional crime-fighting techniques are often useless. And there are indications that top government officials still do not appreciate the scope or danger of the Internet fraud menace.

The great freedom companies have to sell and share customer information, combined with the limited and largely ineffective ability of those consumers to opt out of such practices, is, in my opinion, one of the largest causes of the identity theft epidemic.
