Responsibility for Hackable software

If a software company supplies software that can be hacked, then the said company should be liable for any losses incurred by the user of the software. Microsoft (for example) makes a big point that you don’t own your software, you are licensed to use it - therefore they should be liable for any harm that befalls the user.

1 Like

Yes and they also make a big point that they are not liable for any issues that arise using their software.

3 Likes

It’s a tricky one.

There’s obviously bad design (hardcoding in unchangeable passwords), but then there are levels of less obvious or only discovered later vulnerabilities (think the recently discovered Meltdown and Spectre bugs).

Does a company which designed software or hardware which was as secure as they knew how to make it at the time become liable later if a novel new vulnerability is discovered in it? Using the example above, should Intel suddenly be liable for every computer CPU they’ve ever made?

3 Likes

Or at the very least … their liability is limited to the purchase price of the software, which may not be as clear cut with the rise of subscription software, but still ensures that they can’t be liable for your “$50m loss”.

On balance, in my opinion, no. I share your frustration but it is a can of worms.

Example worm: Acme Software Company supplies small business accounting software that runs on Microsoft Windows. Microsoft makes a change to Microsoft Windows and you apply that update. An unforeseen interaction between the previously 100% working accounting software and the new version of Microsoft Windows causes an obscure software malfunction in the accounting software that is not detected for some time but ultimately costs the business a heap of money.

Which software company is liable, if any?

Another example worm: What if it’s open source software?

Another angle to consider is that … if a commercial software company is going to be liable for consequential liabilities, that will be reflected in the purchase price of the software. So ultimately everyone is going to pay for it.

Further to that, the commercial software company can’t really sell the software to you without first assessing the extent of possible consequential liabilities. They can’t price the software without understanding what risk they are taking on. In some cases, the software company would simply have to refuse to sell the software to you because the risk is too high for the software company to bear. (This is particularly the case where a small, relatively new, software company with some innovative product wants to sell to some behemoth company.)

I can imagine also that the software company sells two versions of the software.

  1. The expensive version, which covers consequential liabilities.
  2. The cheap version, where you waive your right to have consequential liabilities covered.

Only the cheap version would be affordable to most.

3 Likes