Bruce Schneier has two very interesting posts on his blog that stand out (to me at least) by their proximity to each other. Most recently Bruce has this to say about the recent financial meltdown:
The most interesting part explains how the incentives for traders encouraged them to take asymmetric risks: trade-offs that would work out well 99% of the time but fail catastrophically the remaining 1%. So of course, this is exactly what happened.
But three posts earlier Bruce has this to say about software vendors:
So if BitArmor fails and someone steals your data, and then you get ridiculed in the press, sued, and lose your customers to competitors — BitArmor will refund the purchase price.
Bottom line: PR gimmick, nothing more.
Yes, I think that software vendors need to accept liability for their products, and that we won’t see real improvements in security until then. But it has to be real liability, not this sort of token liability. And it won’t happen without the insurance companies; that’s the industry that knows how to buy and sell liability.
Talk about asymmetric risk. If software vendors accepted liability (or even partial liability) for anything that might happen as a result of their product, who in their right mind would ever go into the business? The problem is that liability is open-ended while the profit on each deal is not. It would be nuts for any vendor to take such an asymmetric risk. It would be like an MD practicing medicine without malpractice insurance.
Which is, as Bruce alludes, how any such liability would ultimately be acceptable. Software vendors would buy liability insurance to protect themselves in the event that they are ever found at fault. Like malpractice insurance, this would pool the risk and spread it over all the software vendors.
Which in the end eliminates any real incentive to avoid the mistakes to begin with. Sure, the premiums would increase for a vendor found at fault, but just as with malpractice insurance the pain would be diluted by eventually raising everyone's rates. And everyone would just price the rate increase into their business model, exactly as the medical community does today. In the end it won't really be the vendors' money or risk.
And that's what it really boils down to in the end. It's a matter of exactly whose ox is getting gored. You notice that the only people suggesting that software vendors be held liable or otherwise punished for defects are not themselves producing software products. I have never seen a zero-defect advocate who could actually deliver zero-defect software.