Standards for Software Liability: Jim Dempsey, Lawfare, UC Berkeley Law
Basically the argument, as I see it, is that the feds are demanding a liability regime, since software producers shouldn't be able to disclaim all liability for the software they sell, and the courts are better situated than regulatory agencies to decide liability questions.
However, we don't have the time to let a software liability common law regime develop over decades, given the threat presented now. Therefore we should adopt the products liability, design defect analysis, which he explains as:
"In fact, it turns on two reasonableness inquiries: Was there a 'reasonable' alternative design that the manufacturer could have used to avoid the vulnerability, and, without that alternative, was the actual design used 'unreasonably dangerous'?"
Imagine asking the question -- are there reasonable alternative designs for OpenSSL? For C and C++? For Linux? Re: OpenSSL and C and C++ memory vulnerabilities, I'd say maybe, see: Rust and rustls! Re: Linux, I would have to say no. Is there an alternative which doesn't have the same issues? Not really.
The author's summary liability regime, in light of the NIST guidance, would be as follows:
1. A rules-based approach would define a floor—the minimum legal standard of care for software—focused on specific product features or behaviors to be included or avoided.
2. However, a list of known coding weaknesses cannot suffice alone. Software is so complex and dynamic that a liability regime also needs to cover design flaws that are not so easily boiled down. For these, I propose a standard based on the defects analysis common to products liability law.
3. But this liability should not be unlimited or unpredictable. As the Biden administration’s National Cybersecurity Strategy recognizes, developers deserve a safe harbor that shields them from liability for hard-to-detect flaws above the floor. For that, I would turn to a set of robust coding practices.
The elephant in the room:
If software becomes a product, does that mean it's no longer speech? How do you have liability for something that is copyrighted? What about the First Amendment in the US?
This would be a great win for the lawyers. T
The better alternative would be to completely rework the software development discipline to be as rigorous as civil engineering, from the top down: requiring proper licensing, and security clearances for accessing U.S. customer data.
I can't think of a better way to destroy FOSS, and to drive non-free software completely off-shore.
P.S. Where should the liability fall for:
This site can’t provide a secure connection www.lawfaremedia.org sent an invalid response.
He wants a standard of care, and I have one. [1]
He wants a liability regime, and I have one. [2]
Yes, we need to start accepting liability for our software, and as he says, it's better to get one now before one is thrust upon us.
Bonus points if it funds FOSS.
[1]: https://gavinhoward.com/2022/10/we-must-professionalize-prog...
[2]: https://gavinhoward.com/2023/11/how-to-fund-foss-save-it-fro...