Contracting Insecurity: Software License Terms that Undermine Cybersecurity

HARBORING DATA: CORPORATIONS, LAW AND INFORMATION SECURITY, Andrea M. Matwyshyn, ed., Forthcoming

50 Pages Posted: 28 Sep 2006 Last revised: 14 May 2014

Jennifer A. Chandler

University of Ottawa - Common Law Section

Date Written: 2006

Abstract

This article examines software contracting through the lens of cybersecurity in order to identify a series of license terms and practices that arguably reduce the general level of cybersecurity. Part I considers clauses that undermine cybersecurity by suppressing public knowledge about software security vulnerabilities. This is done by preventing research through anti-reverse-engineering clauses or anti-benchmarking clauses, and by suppressing the public disclosure of information about security flaws.

Part II shifts gears and considers a range of practices (rather than license terms) that undermine cybersecurity. In these cases, the practices are the problem, but the licenses contribute by creating an aura of legitimacy when "consent" to the practices is obtained through the license. The practices addressed in Part II are that of making software difficult to uninstall, abusing the software update system for non-security-related purposes, and obtaining user consent for practices that expose third parties to risk of harm.

Part III turns to the question of what should be done, if anything, about license terms that undermine cybersecurity. In particular, the article suggests that there are reasons to believe that such terms are the product of various market failures rather than a reflection of the optimal software license terms. The general contract law doctrines available to police unreasonable terms are unlikely to be sufficient to address the problem. Instead, specific rules adapted to the software licensing context are desirable.

For example, the article comments on the proposal that license terms restricting the public disclosure of software vulnerabilities be unenforceable. The article suggests that the freedom to disclose vulnerabilities be tied to a "responsible disclosure scheme." This would likely be acceptable to most independent security researchers, many of whom abide by their own self-imposed responsible disclosure guidelines. It may also be more palatable to software vendors than a simple rule that such clauses are unenforceable.

Keywords: cybersecurity, cyber security, software, license, contract, law

Suggested Citation

Chandler, Jennifer A., Contracting Insecurity: Software License Terms that Undermine Cybersecurity (2006). HARBORING DATA: CORPORATIONS, LAW AND INFORMATION SECURITY, Andrea M. Matwyshyn, ed., Forthcoming, Available at SSRN: https://ssrn.com/abstract=933199

Jennifer A. Chandler (Contact Author)

University of Ottawa - Common Law Section ( email )

57 Louis Pasteur Street
Ottawa, K1N 6N5
Canada
613-562-5800 ext. 3286 (Phone)
613-562-5124 (Fax)
