Contracting Insecurity: Software License Terms that Undermine Cybersecurity
HARBORING DATA: CORPORATIONS, LAW AND INFORMATION SECURITY, Andrea M. Matwyshyn, ed., Forthcoming
50 pages. Posted: 28 Sep 2006. Last revised: 14 May 2014.
Date Written: 2006
Abstract
This article examines software contracting through the lens of cybersecurity in order to identify a series of terms and practices that arguably reduce the general level of cybersecurity. Part I considers clauses that undermine cybersecurity by suppressing public knowledge about software security vulnerabilities. This is done by preventing research through anti-reverse-engineering clauses or anti-benchmarking clauses, and by suppressing the public disclosure of information about security flaws.
Part II shifts gears and considers a range of practices (rather than license terms) that undermine cybersecurity. In these cases, the practices themselves are the problem, but the licenses contribute by creating an aura of legitimacy when "consent" to the practices is obtained through the license. The practices addressed in Part II are those of making software difficult to uninstall, abusing the software update system for non-security-related purposes, and obtaining user consent for practices that expose third parties to a risk of harm.
Part III turns to the question of what should be done, if anything, about license terms that undermine cybersecurity. In particular, the article suggests that there are reasons to believe that such terms are the product of various market failures rather than a reflection of the optimal software license terms. The general contract law doctrines available to police unreasonable terms are unlikely to be sufficient to address the problem. Instead, specific rules adapted to the software licensing context are desirable.
For example, the article comments on the proposal that license terms restricting the public disclosure of software vulnerabilities be unenforceable. The article suggests that the freedom to disclose vulnerabilities be tied to a "responsible disclosure scheme." This would likely be acceptable to most independent security researchers, many of whom abide by their own self-imposed responsible disclosure guidelines. It may also be more palatable to software vendors than a simple rule that such clauses are unenforceable.
Keywords: cybersecurity, cyber security, software, license, contract, law