In our interview, Linus Neumann calls for product liability for software and voices his concern that the public is increasingly indifferent to problems with data security.
Standing next to me is Linus Neumann, speaker for the Chaos Computer Club. Mr. Neumann, what opportunities and risks do you currently see in digitization?
Well, I think plenty has already been said about the opportunities. There’s huge potential for savings and value creation to be tapped through digitization. The thing is, we’re also creating new problems for ourselves in the process if we’re not careful. What I often find with new products and ideas at the moment is that no lessons are being learned from the first wave of digitization. In other words, the same mistakes are being made all over again in IT security. It’s as if we were jumping backwards in our evolution with every step we take forwards.
Are you seeing any learning processes emerge?
Yes, unfortunately, the learning processes in IT security are always associated with something being broken. In this regard, there are plenty of triggers for learning processes right now. We’ll see whether these actually take shape. What worries me slightly is that there are so many problems, precisely in the field of IT security, that the public is actually growing desensitized to all the problems and news stories – for example when data goes missing somewhere nowadays, in particular user data.
Of course, the data isn’t actually missing, it’s just in a different place. There’s an abundance of data accumulating here, for all of us. When something like this happens, the concern and outcry of the general public is increasingly weak, increasingly marginal, and that’s a bad sign when these dramatic events happen so often that they no longer shock people. That’s not really what we want.
That’s a clear plea for digital responsibility on the part of providers. Is that enough, or do you think other entities also have a digital responsibility?
In the IT sector, we’ve had this interesting phenomenon for many decades where software products in particular are being sold without any product liability. It’s considered completely normal that a provider who sells us software isn’t liable, at least not towards private users, when that software is defective. Really, if your computer crashes, or if you have a problem with your operating system, that’s pretty much your problem.
It’s a problem with the use and maintenance of these products. Of course, this lack of legal rights also has an impact on the priorities that companies set for themselves.
In certain areas, in particular the area of security, it would be good to make providers liable for the products they sell to consumers in some way. That would obviously lead to corresponding priorities being set in the production, control, sale and update of software – priorities which are not really being applied at the moment.
So you’re really pleading for statutory changes?
Well, I’m pleading for different statutory changes. There is a law on IT security, and product liability for software had been considered, but didn’t make it into the final legal text.
So I’d say that I’m advocating for different legal regulations, because I’m not particularly impressed with the current IT security law.