Vendors 'should be liable for bad security'

IT firms and service-providers have reacted with alarm to a new report calling for them to be held liable for security breaches.

But Lord Broers, chair of the House of Lords Science and Technology subcommittee which produced the report, said users could not be expected to full responsibility for web security.

"They will always be outfoxed by the bad guys. We feel many of the organisations profiting from internet services now need to take responsibility, " he told a press conference launching the report, called Personal Internet Security.

He gave the example of a machine being used to send out phishing letters attempting to con people into revealing banking details. "They should be obliged to stop it… It should not be too difficult to identify the machine, though of course who is operating it is another matter."

Lord Errol, a member of the committee, said he believed service providers were afraid to act for fear of diluting the so-called "mere conduit" defence, which allows them to disclaim responsibility for what users do with their system. "We need to modify that so that they can take action," he said.

Both men agreed that, given that no complex IT system can be guaranteed secure, it would be difficult to define the liability of security firms and operating-system vendors, such as Microsoft, for vulnerabilities in their products.

Lord Boers said that in Microsoft's case "one would have to show that [the company] knew the problem was there and allowed it to continue."

He stressed that the liability issue was one for the long-term and that there were more pressing measures to take.

Security vendors, while welcoming the broad recommendations in the report, were quick to express concern about the liability issue.

Greg Day, security analyst for at McAfee comments, said: “It would be very difficult to hold vendors responsible for breaches, as it really comes down to how solutions are implemented. You would have to ask, ‘Did they have it configured correctly, updated and maintained?"

Symantec said in a statement: "An approach along the line suggested in the report on the issue of liability could result in the opposite effect and risk reducing consumer choice and end users security and privacy."

A statement from the CBI also expressed reservations about another recommendation, that organisations such as banks should be obliged to report any breach of security and notify anyone whose personal data may have been compromised.

It said: "Whilst appealing on the surface, new rules such as a data-security breach notification law, or increased liabilities on ISPs and software providers, need to be treated with caution.

"Such catch-all legislation to address personal security is not guaranteed to work in the fast-evolving landscape of the internet. It could also impose a disproportionate burden on businesses already struggling to develop effective security practices in the complex world of Internet commerce."