Vulnerable Software: Product-Risk Norms and the Problem of Unauthorized Access

2012 University of Illinois Journal of Technology, Law and Policy 45 (2012)

83 Pages. Posted: 7 Mar 2011. Last revised: 1 Feb 2014

Richard Warner

Chicago-Kent College of Law

Robert H. Sloan

University of Illinois at Chicago

Date Written: March 7, 2011

Abstract

Unauthorized access to online information costs billions of dollars per year. Software vulnerabilities are a key factor. Software currently contains an unacceptable number of vulnerabilities. The standard solution notes that the typical software business strategy is to keep costs down and be the first to market even if that means the software has significant vulnerabilities. Many endorse the following remedy: make software developers liable for negligent or defective design. This remedy is unworkable. We offer an alternative based on an appeal to product-risk norms. Product-risk norms are social norms that govern the sale of products. A key feature of such norms is that they ensure that the design and manufacture of products impose only acceptable risks on buyers. Unfortunately, mass-market software sales are not governed by appropriate product-risk norms; as a result, market conditions exist in which sellers profitably offer vulnerability-ridden software. This analysis entails a solution: ensure that appropriate norms exist. We contend that the best way to do so is a statute based on best practices for software development, and we define the conditions under which the statute would give rise to the desired norm. Why worry about creating the norm? Why not just legally require that software developers conform to best practices? The answer is that enforcement of legal requirements can be difficult, costly, and uncertain; once the norm is in place, however, buyers and software developers conform on their own initiative.

Keywords: Software, Technology, Norms, Privacy

JEL Classification: K10

Suggested Citation

Warner, Richard and Sloan, Robert H., Vulnerable Software: Product-Risk Norms and the Problem of Unauthorized Access (March 7, 2011). 2012 University of Illinois Journal of Technology, Law and Policy 45 (2012). Available at SSRN: https://ssrn.com/abstract=1780280 or http://dx.doi.org/10.2139/ssrn.1780280

Richard Warner (Contact Author)

Chicago-Kent College of Law

565 West Adams St.
Chicago, IL 60661
United States

Robert H. Sloan

University of Illinois at Chicago

1200 W Harrison St
Chicago, IL 60607
United States
