Liability issues in software engineering: the use of formal methods to reduce legal uncertainties

This paper reports on the results of a multidisciplinary project involving lawyers and computer scientists, whose aim is to put forward a set of methods and tools to (1) define software liability in a precise and unambiguous way and (2) establish such liability in the event of an incident. The overall approach taken in the project is presented through an electronic signature case study. The case study illustrates a situation where, in order to reduce legal uncertainties, the parties wish to include in the contract specific clauses that define as precisely as possible the allocation of liabilities between them for the main types of failures of the system.
