Make Microsoft pay for Windows holes, say Lords
By Barry Collins
Posted on 10 Aug 2007 at 13:14
Microsoft and other software vendors should be held legally liable for security flaws in their software, according to the House of Lords Science and Technology Committee.
Presenting their report into Personal Internet Security, the Lords claimed that software vendors should be held responsible when it can be shown that their negligence has compromised users' security.
"We recommend that the government begin discussion, at European level, with a view to establishing the principle of vendor liability in the IT industry," said the chairman of the committee, Lord Broers. "The time for introducing vendor liability may not be now - but it will come, and it will be an essential element of a mature industry," he claimed.
When pressed on whether this meant holding Microsoft liable for security flaws in Windows, Lord Broers replied: "One would have to show Microsoft was fully aware that problem was there and allowed it to continue."
The Lords admit, however, that no piece of software can ever be 100% secure. "Clearly there's no totally fool-proof system," said Broers. "If they leave them [flaws] there and do nothing about it, they should be liable."
Microsoft could not be reached for comment at the time of publication.
The issue of liability would cause particular concern for open-source software, which is often distributed for free. The committee's technical expert, Dr Richard Clayton, said consumers might ultimately face the dilemma of running free software or paying for software that they know has full legal liability.
But Dr Clayton says software makers cannot continue to take no financial responsibility when their products fail.
"With almost every other product that consumers use, you wouldn't expect a company to just say sorry that hurt you [and not pay compensation]," he claimed. "We've grown up with the notion that software is like that. We have to buy firewalls and antivirus because we can't trust the software."
Software vendors are, predictably, opposed to the move. "We are concerned by the call to legislate specifically on liability in the IT industry," said Ilias Chantzos, senior principal government relations analyst at Symantec. "Such an approach does not take into account the complexity of the IT industry.
"The introduction of new legislation should deal with malicious behaviour, such as the buying and selling of botnets. An approach along the line suggested in the report on the issue of liability could result in the opposite effect and risk reducing consumer choice and end users' security and privacy."
