Group E
Roxana Hernandez-Pastrana, Ryan Herring, Jinghua Luo, Kevin Mack, Shahram Rezaei

Software Liability

This document provides an overview of the debate on whether software companies should be liable for damages incurred due to security flaws in their software. There are several things that both sides agree on and it is important to mention them first. Both sides agree that software security is an expensive problem. They also agree that catching and prosecuting hackers who write malicious viruses should be a top priority. The agreements are otherwise few and far between. One side thinks that software companies should be required to pay damages, while the other side thinks that distributing the cost of security flaws among multiple parties is the solution. The current legal protocol of using “End-User License Agreements” is a contentious point of debate with one side claiming they give far too much leverage to software companies, the other side claiming that companies would be unable to stay in business without them. There are good arguments on both sides.

Summary

Software companies should be liable for damages associated with security flaws in their software. This means that companies would be required to pay the costs incurred by users of the software if a security flaw was exploited by a hacker.

Affirmative

Liability increases the quality of software by forcing companies to consider the costs of their decision to ignore security flaws.

The cost of the decision to ignore security flaws should be borne by the software creator.

The threat of liability will level the playing field for software companies and promote competition.

End-User License Agreements (EULAs) should not be upheld by the courts because average consumers have no bargaining power and cannot possibly know what the security flaws in the software are before signing the agreement.

The cost of software might increase, but it will be worth it to have secure software.

Negative

Companies will simply raise prices to cover their legal charges without increasing the security of their software.

Small companies will become no match for large companies because legal charges will be a greater percentage of their costs. This will result in monopoly or duopoly software industries.

Software can never be bug free, so hackers will always exist.

The cost burden of security flaws should be borne by hackers, network administrators, and consumers in addition to software companies.

Court cases will take so much time that by the end of the case, the software will be obsolete due to the pace at which software evolves.

The potential risk of liability will discourage companies from investing in innovation and will thus hamper the growth of the software industry.

Let the market, rather than lawyers, do the job! If companies produce insecure software, they will be punished by the market with loss in sales and damaged reputation as customers turn to more secure software produced by other vendors.

Analysis of the major arguments

Increasing the financial liability of software companies will increase software quality.

Affirmative

Increased liability forces companies to consider the cost of delivering poor products, giving those companies incentives to invest in quality. Consumers might have to pay more for products, but at least the product will be better and they will have legal recourse if the product fails. Liability will force longer development cycles to ensure quality. Longer development cycles encourage critical thinking about security and design of software from the early stages.

Negative

Greater liability increases the cost to software companies, which they will pass on to consumers in the form of increased prices and in many instances, will likely result in no improvement in quality. Companies will simply charge more to cover their legal expenses. Software can never be bug free, so hackers will always find new ways to exploit systems.
The cost to consumers caused by security failures should be paid by the criminals who write the viruses. Longer development cycles mean consumers will be required to wait longer for products, and a focus on security means that fewer features will be available. This decreases the overall value of owning the software.

The cost of security flaws should be incurred by the software company.

Affirmative

The software provider is in the best position to ensure security in their software. Consumers cannot be expected to know the details of the software in order to prevent security breaches. In economics terms, the cost of security failures to consumers is an externality over which they have no control. Fundamentally, the decision maker (software company) should bear the cost of its decision (providing flawed software).

Negative

It is not economically sound to place 100% of the cost burden due to security failures on the software company. The majority of that cost should be incurred by the hacker who wrote the code to take advantage of the security flaw. Furthermore, network providers should also incur some of the cost since they are responsible for ensuring the smooth interaction of many users and software packages at once.

Increased liability will improve competition among software companies.

Affirmative

Companies will be forced to compete on the quality and price of their software since they will be held accountable with stiff penalties for making a faulty product.

Negative

Small companies are going to suffer because those companies can least afford expensive legal charges. This will cause many companies to go bankrupt, leaving a monopolistic ruler for each particular area of software. Under the current system, companies can distinguish their product by making it more secure. This gives consumers a tradeoff in terms of price, quality and security. In the case of a software industry where there is already a monopoly (i.e. Microsoft), increased liability will simply result in increased prices to end consumers with no increase in quality. Companies will only have incentives to raise prices to cover legal expenses.

End-User License Agreements (EULAs) should not be upheld by the courts.

Affirmative

These agreements give far too much leverage to software companies. Consumers have no bargaining power over the terms of the agreement. Consumers do not have the opportunity to read the agreements until after having purchased the software product. Consumers then have no choice but to accept these agreements as it is usually difficult or impossible to get a refund for a product.

Negative

These agreements are necessary to avoid endless litigation for software companies. Companies cannot foresee all of the possible uses of their product and must protect themselves from uses that cause problems.