Somebody else's problems
Software vendors have long embraced the idea that they are not liable for anything bad that happens as a result of your use of their products. Windows crashes, taking with it the only copy of your PhD thesis, costing you years of work? Not Microsoft's fault. You email drops mid-delivery and never reaches its destination and you ? Not your email client's fault, your mail service provider's fault, nor your ISP's fault. You're abused on Twitter and lose your job? Not Twitter's fault. You probably deserved it.
These are all SEPs: Somebody Else's Problems. If you follow Douglas Adams' helpful instructions in The Hitchhiker's Guide to the Galaxy you need never see them.
All these scenarios are about lawyers: contractual policies that say "nyah, nyah, caveat emptor" all the way down. Even in the first, the simplest, case, exactly who should bear the blame is fuzzy. Why did Windows crash? It could be a bug in the operating system itself (Microsoft), the underlying hardware (which itself includes dozens of manufacturers at various levels), the word processor, other software running on the system, or a smidgeon too little power arriving from the electric company? In a way, email is simpler, because although there are myriad places it could fail along the way, the internet was designed with failure in mind, so what's supposed to happen is that packets that don't arrive get re-sent until they do. So instead the first place you look is your spam folder. On Twitter, while you could blame the system's lack of moderation, the real problem is millions of overactive human beings. It doesn't take much of a percentage to make real trouble.
In each case, there are reasons why we've put up with "it's not my problem" for so long. The first case is a hangover from general computer industry immaturity: until about ten years ago, you considered yourself lucky to have a computer that worked at all and whatever was wrong with this one would probably be fixed in the next version, a couple of years hence. All that has halted, as shown by this week's story that London's Metropolitan Police still has more than 27,000 computers running XP. (Like we said in 2014, when Microsoft terminated XP, software is forever.) On Twitter, it takes time to make the genuine calculation about where to put the boundary between unacceptable abusive behavior and essential freedom of speech. With email, check your spam folder. The internet's original design assumes unreliability and we have alternative channels. In that case, the lack of liability doesn't burn.
Now, however, this approach will fail - rapidly, badly, and soon. In the last couple of weeks, researchers have showed they can wirelessly unlock any of the 100 million Volkswagens sold in the last 20 years; open 75% of Bluetooth smart locks; spoof the world in a Tesla's sensors ; and infest smart thermostats with ransomeware. And yet some people think online voting is a pretty neat idea.
I have two reactions to these stories. One: people buy Bluetooth bike locks? *Why*? Two: What is wrong with these manufacturers? Security people have been banging on about flaws like transmitting passwords via radio in the clear for *25 years*. Why is selling such a thing even legal in 2016? "Not fit for purpose" applies in spades. It's one thing to decline liability for vulnerabilities that only surface when the software is deployed as part of complex systems. It's quite another to fail to do even the most minimal thinking about what could go wrong as a result of their product. As computers infest the physical world, "computer security" changes from "Oh, look - someone's cloned my credit card" into "They stole my car" and soon into "They killed my grandma". We are at the boundary beyond which we cannot afford to continue letting manufacturers glance sideways past and behave as though their ignorance doesn't exist. Today, it's our problem. It needs to be their problem, as Ross Anderson et al were saying back in 2008 (PDF).
Understand, I'm not talking about trying to protect people from their own stupidity. It's never going to be Tesla's fault if your kid is a crappy driver. Equally, though, it's never going to be an average person's fault that the bike lock they trustingly buy has failed to properly randomize its session keys - how would they even test this? We need security standards that manufacturers have to meet for computer systems that affect the physical world and for which they must accept liability if they don't. In the automotive world, some suggestions have been that the insurance industry will be the forcing function. That's fine as long as you're dealing with quantifiable risks like bike theft; companies can publish a list of acceptable locks. It's not clear that the risks inherent in scalable attacks using cars, streetlights, thermostats - the Internet of Things generally - can be calculated. It's the computer equivalent of derivatives, which Warren Buffett famously called "weapons of financial mass destruction". The best we can hope is that insurance companies refuse to take it on.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.