Should Software Firms Be Liable for Malware?

Cyber attacks seem to be getting more sophisticated by the hour. A few weeks ago Microsoft announced a previously unknown vulnerability in its Internet Explorer browser and Windows operating system that allows criminals to take control of a computer without being detected. The operation involved what are known as "drive-by" attacks, in which visitors to what are supposed to be legitimate Web sites are redirected to a page that secretly downloads the malicious software. Serious threats like these make software makers tremble not just because they're difficult to fix but because the firms fear that legal action and tough government regulation on security issues could be right around the corner.

Many in the computer-security industry believe companies will face increasing scrutiny in the years to come, forcing them to take legal responsibility for flaws in their programs that let hackers in. Microsoft would take most of the heat simply because its software is everywhere: Windows runs on nearly 95 percent of the world's computers, which is why it bears the brunt of online assaults. "Microsoft fears a class-action lawsuit based on the fact that they make and distribute products that are not absolutely perfect," says Eric Domage, a software-security analyst at the market intelligence firm IDC.

Software firms haven't had to sweat security problems very much because licensing agreements protect them from liability when systems are hacked, information is stolen, and customers suffer financial losses using their products. They argue that the performance of software is dependent on too many variables—the computer it runs on, other programs that are installed on the computer, and how vigilant the end-user is about keeping security updates current. "Software makers traditionally assert that software is not a 'product' and not subject to product-liability laws," says Dana Taschner, a lawyer who handled a suit against Microsoft over security problems in 2003 (both parties dropped the case). European Union commissioners have now proposed extending consumer-protection laws to include software, which would mark a radical shift in how software is developed and sold in Europe. Taschner expects to see more significant litigation against software makers very soon: "A day of reckoning is coming on software security."

Recent antitrust rulings against Microsoft in the European Union over its bundling of Windows with Internet Explorer may make it easier for plaintiffs in the future to argue that they had little choice but to use Microsoft's products, legal experts say. To fend off the legislators and trial lawyers, Microsoft has been going to great lengths to show that it's serious about security. A case in point is the release in June of Microsoft Security Essentials, a free download that offers more robust protection against malicious attacks than Microsoft's regular free security updates. It replaces the company's much-ridiculed OneCare subscription service, which cost $50 and never attracted many takers. The company is also scrambling to develop an update that guards against the latest vulnerability, even though it was alerted to the problem sometime in 2008, according to a Microsoft spokesperson.

Holding software makers financially liable for the security of their programs would make for safer browsing online, but the added security would come at a price. John Palfrey of Harvard's Berkman Center for Internet and Society warns against making companies like Microsoft scapegoats for poor Internet security. "Unleashing the tort lawyers on software makers would have a dampening effect on innovation," he says. Instead of targeting those that make the software, Palfrey thinks it would be better to go after the people who are actually writing malicious software in the first place. To do that, legislators should focus on negotiating more viable ways to prosecute cybercrimes that cross international borders. That, of course, would be much more difficult than putting Microsoft on the stand.