Make Vendors Liable for Bugs

By Bruce Schneier
Wired News
June 1, 2006

Have you ever been to a retail store and seen this sign on the register: "Your purchase free if you don't get a receipt"? You almost certainly didn't see it in an expensive or high-end store. You saw it in a convenience store, or a fast-food restaurant. Or maybe a liquor store. That sign is a security device, and a clever one at that. And it illustrates a very important rule about security: It works best when you align interests with capability.

If you're a store owner, one of your security worries is employee theft. Your employees handle cash all day, and dishonest ones will pocket some of it for themselves. The history of the cash register is mostly a history of preventing this kind of theft. Early cash registers were just boxes with a bell attached. The bell rang when an employee opened the box, alerting the store owner -- who was presumably elsewhere in the store -- that an employee was handling money.

The register tape was an important development in security against employee theft. Every transaction is recorded in write-only media, in such a way that it's impossible to insert or delete transactions. It's an audit trail. Using that audit trail, the store owner can count the cash in the drawer, and compare the amount with what the register tape says. Any discrepancies can be docked from the employee's paycheck.

If you're a dishonest employee, you have to keep transactions off the register. If someone hands you money for an item and walks out, you can pocket that money without anyone being the wiser. And, in fact, that's how employees steal cash in retail stores.

What can the store owner do? He can stand there and watch the employee, of course. But that's not very efficient; the whole point of having employees is so that the store owner can do other things. The customer is standing there anyway, but the customer doesn't care one way or another about a receipt.

So here's what the employer does: He hires the customer. By putting up a sign saying "Your purchase free if you don't get a receipt," the employer is getting the customer to guard the employee. The customer makes sure the employee gives him a receipt, and employee theft is reduced accordingly.

There is a general rule in security to align interest with capability. The customer has the capability of watching the employee; the sign gives him the interest.

In Beyond Fear I wrote about ATM fraud; you can see the same mechanism at work:

"When ATM cardholders in the U.S. complained about phantom withdrawals from their accounts, the courts generally held that the banks had to prove fraud. Hence, the banks' agenda was to improve security and keep fraud low, because they paid the costs of any fraud. In the U.K., the reverse was true: The courts generally sided with the banks and assumed that any attempts to repudiate withdrawals were cardholder fraud, and the cardholder had to prove otherwise. This caused the banks to have the opposite agenda; they didn't care about improving security, because they were content to blame the problems on the customers and send them to jail for complaining. The result was that in the U.S., the banks improved ATM security to forestall additional losses -- most of the fraud actually was not the cardholder's fault -- while in the U.K., the banks did nothing."

The banks had the capability to improve security. In the U.S., they also had the interest. But in Britain, only the customer had the interest. It wasn't until the British courts reversed themselves and aligned interest with capability that ATM security improved.

Computer security is no different. For years I have argued in favor of software liabilities. Software vendors are in the best position to improve software security; they have the capability. But, unfortunately, they don't have much interest. Features, schedule and profitability are far more important. Software liabilities will change that. They'll align interest with capability, and they'll improve software security.

One last story. In Italy, tax fraud used to be a national hobby. (It may still be; I don't know.) The government was tired of retail stores not reporting sales and not paying taxes, so a law was passed regulating the customers. Any customer having just purchased an item and stopped within a certain distance of a retail store, has to produce a receipt or face a fine. Just as in the "Your purchase free if you don't get a receipt" story, the law turned the customers into tax inspectors. They demanded receipts from merchants, which in turn forced the merchants to create a paper audit trail for the purchase and pay the required tax.

This was a great idea, but it didn't work very well. Customers, especially tourists, didn't like to be stopped by police. People started demanding that the police prove they just purchased the item. Threatening people with fines if they didn't guard merchants wasn't as effective an enticement as offering people a reward if they didn't get a receipt.

Interest must be aligned with capability, but you need to be careful how you generate interest.

earlier essay: We're Giving Up Privacy and Getting Little in Return
later essay: The Scariest Terror Threat of All
categories: Economics of Security, Computer and Information Security, Laws and Regulations
back to Essays and Op Eds

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..