It wouldn’t be a moment too soon:

I painfully predicted a few years back that phishing and related identity theft would result in class action suits. I lost my bet as it didn’t happen fast enough, but a significant step has been taken (reported by Lynn) with the publication of a book that apparently blames the banks and the software manufacturers for identity theft.

— Signs of Liability: ‘Zero Day Threat’ blames IT and Security industry, Ian Grigg, Financial Cryptography, April 14, 2008

The book review iang quotes gets it about online crime not being amateur anymore: it’s organized. And it gets it about perhaps a more important point:

Surprisingly, the real villains in Zero Day Threat are not the identity thieves themselves, despite their unsavory lives of crime. Rather, the villains are supposed pillars of communities: bankers, credit-bureau managers and computer makers who enable the burglars, and who could ameliorate the identify-theft crisis but, instead, look away in the name of larger corporate profit.

…

“We found that there were much more complex contagions eroding the security and privacy of sensitive data” than mere spammers and virus writers, Acohido and Swartz comment, “and those corrupters had more to do with business practices and marketing strategies of the financial services and technology industries.”

…

The Exploiters consist of the lawbreakers, some of them addicts needing money for narcotics, some of them stone-cold-sober career criminals operating identity-theft syndicates across national borders. The Enablers consist of the banks, credit bureaus, credit card companies and data brokers seemingly blind, deaf and dumb to the need for privacy protection. The Expediters consist of the technologists who write computer programs with good intentions (at places like Microsoft), and their evil twins who write programs as recreation to disrupt networks.

— You won’t guess who’s the bad guy of ID theft, By Steve Weinberg, Special for USA TODAY, 14 April 2008

Corporations favoring profit over customer security or privacy? Say it ain’t so!

And didn’t we just see an example of technologists with good intentions nonetheless expediting information leaks? And the mistakes of a few developers at a state institution are nothing compared to the plague of viruses, botnets, and online crime networks that big software vendors expedite.

The book:

Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity by Byron Acohido and Jon Swartz; Union Square Press, 297 pages, $19.95.

Like Iang, I haven’t read it yet, but it sure sounds good from the review. Somebody is going beyond tinkery details to the big picture!

A book like this could be used by an ambitious prosecutor to go after some of those expeditors. A class action lawsuit could set a precedent that could be better than legislation to establish software vendor liability. As Iang points out, a class action lawsuit gone wrong would only affect one vendor, while legislation is too often written by legislators who don’t understand the subject matter. I would add that legislation is all too likely to adversely affect open software, while no lawyer would be foolish enough to try a class action lawsuit against Linux. Such a lawsuit will go after deep pockets, such as those in Redmond. And while Iang seems to worry that open software is part of the problem, it seems to me that open software gets fixed pretty quickly, while closed software, such as that emanating from Redmond, doesn’t, and is thus much more of a problem.

A class action lawsuit precedent would turn the externalities the vendors are currently ignoring into liabilities they’d have to do something about. One of the things they’d have to do is to get insurance, as Hal Varian has been saying since 2000. And the insurers would then require better security.

-jsq