Software Developer Liability

Bruce Schneier has written an editorial on his blog and for Wired which takes issue with the position put out by a former White House technology adviser that developers should be held personally responsible for security problems in the code they write.  Bruce feels that this is not wise at all ... as a developer, I completely disagree.

Bruce's analysis of the market forces involved in ensuring that security improves is dead on, which means for the proposal of developer liability to work means that developers must have a greater stake in the marketability of the code they write.  As a consultant I can say I welcome the idea, and so should any full-time corporate developer.  Personal liability would guarantee that my rates would rise considerably to cover that risk, and that I would insist that if I am personally liable for code that I produce then I will keep the right to use that code on an ongoing basis.  It would shake up programming as we know it, forcing businesses to realize that the developers on a project could not be treated as mere resources but would be far closer akin to partners in a project.

Now, it would have some downsides.  Programming is already incredibly hard to get started in, especially if you come into the industry from a non-traditional vector (i.e. not from College).  Personal liability would make new programmers yet more of risk and you may very well see some talented young minds who made a mistake go down in flames.  It would also force business types to change the entire compensation model for programmers in radical ways.

Is this likely to happen? Of course not!  Bruce is absolutely correct about the "right" way for government to address this problem.  But as for me and my pocketbook, I wouldn't mind if the government tried to something like this proposal.