June 15, 2012 – Robert Sloan on the Software Vulnerabilities

On 15 June 2012, Tech and Law Center organized a conference at the Politecnico di Milano with Robert Sloan on

“The Software Vulnerabilities”

In his talk, Robert Sloan highlighted that unauthorized access to online information costs billions of dollars per year. Software vulnerabilities are a key part of the problem. Software currently contains an unacceptable number of vulnerabilities. The standard explanation notes that the typical software business strategy is to keep costs down and be first to market, even if that means the software has significant vulnerabilities. Many endorse the following remedy: make software developers liable for negligent or defective design. This remedy is unworkable.

Robert Sloan offers an alternative based on an appeal to product-risk norms. Product-risk norms are social norms that govern the sale of products. A key feature of such norms is that they ensure that the design and manufacture of products impose only acceptable risks on buyers. Unfortunately, mass-market software sales are not governed by appropriate product-risk norms; as a result, market conditions exist in which sellers profitably offer vulnerability-ridden software. This analysis entails a solution: ensure that appropriate norms exist.

Sloan contends that the best way to do so is a statute based on best practices for software development, and he defines the conditions under which the statute would give rise to the desired norm. Why worry about creating the norm? Why not just legally require that software developers conform to best practices? The answer is that enforcement of a legal requirement can be difficult, costly, and uncertain; once the norm is in place, however, buyers and software developers conform on their own initiative.

Robert Sloan earned his PhD from MIT in the area of computational learning theory under the supervision of Ron Rivest. He has been at the University of Illinois at Chicago (UIC) since 1990, except during a stint as program director for theory of computation at the National Science Foundation. He is currently Professor and Department Head of the UIC Computer Science Department. His current research interests include (1) public policy and legal problems relating to computer security and privacy, and (2) problems at the boundary of theoretical computer science and artificial intelligence, especially knowledge representation.