What sort of legal and policy choices would lead to more secure and safer software and computing-enabled devices? The patchwork of existing legal regimes in the US is based on regulations imposed on a few verticals (finance, healthcare, and education in particular), and a complex web of compliance frameworks, contractual provisions, and consumer lawsuits. As we think about making software safer and more secure for users, the policy choices we preference now may have long reaching effects. This talk will explore the implications of relying on software liability or other ex-post options vs. regulations or similar ex-ante choices.

1. Regulatory nets vs the
fishing hook of litigation
Wendy Knox Everette
@wendyck
BSides Las Vegas 2017

2. Regulation might be a dirty word in
today's political climate, but security is
the exception to our small-government
bias. And as the threats posed by
computers become greater and more
catastrophic, regulation will be
inevitable. So now's the time to start
thinking about it. - Bruce Schneier, Feb
2017

3. I am a lawyer, but I am not your
lawyer. This is not legal advice.
Instead, we are going to talk
about how to think about
incentivizing safer and more
secure computer software.
Photo by dakiny

4. Who am I?
@wendyck
● Software developer ‘99 -
‘13
● GMU Law School,
National Security Law
Concentration, ‘13 - ‘16
● ZwillGen Fellow ‘16 - ‘17
Photo by dakiny

5. Regulation - in the US, on a few
verticals
vs
Liability - contractual provisions,
very little software product liability
What we have now:

6. Liability
Tort or contract liability
imposed in a civil court,
such as the famous
McDonald's hot coffee law
suit.

7. Tort Liability
is
based on
negligence
or
strict liability
(as in product
liability)

8. Contract Liability
Users can enter into
agreements to indemnify
each other, agree on the
services and goods they will
exchange, and receive
contract breach damages if
the agreement falls apart

9. Regulation
The imposition of
rules by a
government body,
such as speed
limits or nutrition
labels on food
Photo by clry2

10. Are these a difference without a
distinction?
No, they are not! Proponents of software liability often favor it as protective of
innovation, and indeed the US has generally limited software liability so far in part to
allow the computer software industry to develop and innovate.
Meanwhile, proponents of regulation endorse the certainty and clarity that can
come from laying out a baseline set of requirements ahead of time.
(But are US regulations really all that clear? Are they too prescriptive in some
instances? When that occurs, do they make us less secure?)

11. Ex ante vs Ex Post
Tort liability, as with negligence and product
liability is an ex-post scheme, because any
liability is imposed based on past actions, after a
product has been released.
In contrast, something like HIPAA regulations
are considered to be ex-ante, as they apply
before a piece of software is released, and they
will influence the design of the software to
comply with their regulatory provisions.

12. How do we best
incentivize security?
Attempt to fix responsibility wherever it will
most effectively reduce hazards to life and
health inherent in defective products that reach
the market

13. So which is
better?
This is a complicated question, and this talk will
not aim to definitely endorse one or the other.
But lets look at some considerations on each
side….

14. Liability regime
pros & cons
● Ex-post scheme: no
harm, no liability
● Allows for innovation
● At the same time, this
can lead to
uncertainty which
may actually lead to
excessive risk-
avoidance behavior

15. Consumer Suits
US Courts have so far been reluctant to impose liability for software bugs, data
breaches, and so forth, in suits brought by consumers because there has been no
physical harm to consumers.
Some suits have been brought by consumers alleging violations of various laws like
the Video Privacy Protection Act, but these are niche harms, and are often still
dismissed by courts based on lack of substantial harm

16. Pure
economic
loss

17. Regulatory regime
pros & cons
Although regulations may be ex-ante, they may
still lead to uncertainty.
Generalized requirements, meant to avoid
locking-in a particular technology and therefore
impeding innovation, may be so vaguely worded
that companies are unsure how to interpret and
apply the regulation to their products.
Photo by irenicrhonda

18. Regulations can impose
burdensome
requirements, and be
slow to update, making
them a poor fit for a field
like technology that
changes quickly
Photo by aftab

19. Just a sampling of US regulations affecting computer
security
● FTC §5 authority protects consumers from
deceptive & unfair practices
● HIPAA (protects personal health information)
● SEC Cybersecurity rules
● NHTSA Automotive cybersecurity
● NY State Department of Financial Services
Cybersecurity Rules
Photo by plasticbag

20. HIPAA
HHS tasked to “develop regulations protecting the privacy
and security of certain health information”
HIPAA Security Rule:
● Ensure the confidentiality, integrity, and availability of
e-PHI created, received, maintained or transmited
● Identify and protect against reasonably anticipated
threats to the security or integrity of the information
● Protect against reasonably anticipated, impermissible
uses or disclosures
Photo by Jan Erik
Waider

21. GDPR The EU's General Data Protection Regime is a
new set of regulations set to take effect in May
2018.
● Will end up affecting many companies in
the US due to its broad scope
● For companies outside of regulated
industries like finance and healthcare, the
GDPR requirements may be the most
stringent regulations affecting them
Photo by volvob12b

22. Harold Feld on FCC Net Neutrality regulations

23. Uncertainty

24. Bounded
Risk
If regulations apply to more companies, we
might see more risk avoidance behavior
(because now it is clear that a particular
activity violates a particular regulation)
or
we might see more risk taking (because at
worst a company might be subject to a known
fine, which it decides is an acceptable risk to
bear)
Photo by Kundan
Ramisetti

25. Balancing
innovation with
due care
Should the goal be to make
bad products pricier?
Ex-post liability depends on
the assumption that
consumers correctly gauge
their risk levels & that all
consumers have the same
risk-utility curves
Photo by Mike
Sutherland

26. Reducing transaction costs
The Coase Theorem in economics states that if transaction costs (which include
monitoring for compliance) are reduced, then initial assignments of property rights
become un-important because people will negotiate their way to the most efficient
allocation of resources.
Transaction costs include trying to figure out how to comply with a regulation, or
guessing what actions a jury would pin liability on after an accident.
Would consumers bargain for perfectly safe devices?

27. Coase’s take
on the Coase
Theorem
“I don't like it because it's a
proposition about a system
in which there were no
transaction costs. It's a
system which couldn't exist.
And therefore it's quite
unimaginable.”
Photo by don_greene

28. Collective
Action
problems &
Uncertainty
Coase again, “There is no reason why, on
occasion... governmental administrative
regulation should not lead to an improvement
in economic efficiency,...this would seem
particularly likely when, as is normally the case
with the smoke nuisance, a large number of
people are involved and in which therefore the
costs of handling the problem through the
market or the firm may be high”
Photo by 1ulian

29. Who is the
least-cost risk
avoider?
Who is best positioned to take
actions to avoid bad outcomes?
Is it the company that created a
particular device?
A consumer who failed to apply a
patch or used a device in an
unanticipated manner?
A hacker who broke into a device
that was connected to the internet?

30. Externalities
Regulations and liability
schemes try to
internalize externalities
Photo by seanpbarry

31. Compliance,
Auditing
&
Vendor
Reviews

32. Risk Management Frameworks
Companies have been figuring out ways to negotiate with each other about
software services.
If we look at the rise of compliance and risk management frameworks, as well as the
development of standard contracting terms, we will see the industry trying to create
standards to protect their data and systems. In many ways these frameworks are
similar to regulatory regimes, in that they can be a known set of requirements
imposed ex-ante on a software service.

33. Auditing & Compliance Standards
Companies have begun taking vendor security more seriously, and are often now
reviewing their vendors and at the same time being reviewed by their business
partners or companies for which they are vendors.
These could be analogized to the various regulations that apply to some industries in
the US. Companies also often negotiate contracts with each other, requiring that
their business partners use reasonable security to protect confidential data or PII,
and contracting around representations, warranties, and SLAs. These, especially
requirements for "commercially reasonable security measures" could be analogized
to the ex-post liability regimes.

34. Thank you
@wendyck
wendy@wendyk.org
Photo by premierehdr