I’m at our CIS conference on security and privacy today (and tomorrow). What follows is random thoughts and comments provoked by the presentations. For a more thorough blog of the conference, click here.

The morning panel is discussing whether and how to apply tort liability to promote security. Solove’s insight is that it’s human error that leads to insecurity, and that we should be smarter about using readily obtainable identifiers like SSNs as IDs and passwords, which makes identity theft a lot easier to pull off. The panelists agree that negligence liability should be imposed on software vendors, but are assuming that such liability won’t overly deter innovation and that it will be possible to set an efficient standard of care. A gentleman from Microsoft suggested that it’s the people who write viruses who should be targeted, not the software companies. Froomkin suggests that there’s a benefit to imposing liability on the end users who purchase the crappy software in the first place and then won’t patch.

Clearly, there should be some liability for insecure software, if only because the software companies are in the best position to do something about insecurity. But we’re unlikely to get there, with EULAs, UCITA and USAPA-type laws that enable vendors to escape legal responsibility for vulnerabilities.