Return to Question

My employer asked me to implement a feature that would require storing passwords in clear text in a database (or using an obscure encrypt/decrypt function stored in a binary, which is a bit better, but also insecure).

I replied that I was willing to implement such a feature, provided that customers were acknowledged of security implications when using it.

When discussing this problem with colleagues, someone told me that, as a software engineer, we are personally responsible (in the legal sense) for security problems that we introduce in our products. I looked into my contract, but did not found anything related to a similar case.

From a legal point of view, should I refuse to implement such a feature? Is it true that my employer could take me to court if a customer experiences damage due to this feature, even if he was aware of security concerns as well?

EDIT: I understand this question can only be answered reliably from a lawyer. The same is true for licensing questions: people here give their understanding and their experience, sometimes after having consulted a lawyer, with no guarantee it applies in another jurisdiction. But licensing is explicitly accepted as a topic here, see What kind of questions can I ask here?. I believe other programmers may have the same issue, and other may have been confronted to this situation before, and may have consulted a lawyer for that.

My employer asked me to implement a feature that would require storing passwords in clear text in a database (or using an obscure encrypt/decrypt function stored in a binary, which is a bit better, but also insecure).

I replied that I was willing to implement such a feature, provided that customers were acknowledged of security implications when using it.

When discussing this problem with colleagues, someone told me that, as a software engineer, we are personally responsible (in the legal sense) for security problems that we introduce in our products. I looked into my contract, but did not found anything related to a similar case.

From a legal point of view, should I refuse to implement such a feature? Is it true that my employer could take me to court if a customer experiences damage due to this feature, even if he was aware of security concerns as well?

EDIT: I understand this question can only be answered reliably from a lawyer. The same is true for licensing questions: people here give their understanding and their experience, sometimes after having consulted a lawyer, with no guarantee it applies in another jurisdiction. But licensing is explicitly accepted as a topic here, see What kind of questions can I ask here?. I believe other programmers may have the same issue, and other may have been confronted to this situation before, and may have consulted a lawyer for that.

My employer asked me to implement a feature that would require storing passwords in clear text in a database (or using an obscure encrypt/decrypt function stored in a binary, which is a bit better, but also insecure).

I replied that I was willing to implement such a feature, provided that customers were acknowledged of security implications when using it. My employer did not agree, arguing that it would be bad advertising for our software and it may lower the confidence customers have in our solutions.

When discussing this problem with colleagues, someone told me that, as a software engineer, we are personally responsible (in the legal sense) for security problems that we introduce in our products. I looked into my contract, but did not found anything related to a similar case.

From a legal point of view, should I refuse to implement such a feature? Is it true that my employer could take me to court if a customer experiences damage due to this feature, even if he was aware of security concerns as well?

EDIT: I understand this question can only be answered reliably from a lawyer. The same is true for licensing questions: people here give their understanding and their experience, sometimes after having consulted a lawyer, with no guarantee it applies in another jurisdiction. But licensing is explicitly accepted as a topic here, see What kind of questions can I ask here?. I believe other programmers may have the same issue, and other may have been confronted to this situation before, and may have consulted a lawyer for that.

My employer asked me to implement a feature that would require storing passwords in clear text in a database (or using an obscure encrypt/decrypt function stored in a binary, which is a bit better, but also insecure).

I replied that I was willing to implement such a feature, provided that customers were acknowledged of security implications when using it.

When discussing this problem with colleagues, someone told me that, as a software engineer, we are personally responsible (in the legal sense) for security problems that we introduce in our products. I looked into my contract, but did not found anything related to a similar case.

From a legal point of view, should I refuse to implement such a feature? Is it true that my employer could take me to court if a customer experiences damage due to this feature, even if he was aware of security concerns as well?

EDIT: I understand this question can only be answered reliably from a lawyer. The same is true for licensing questions: people here give their understanding and their experience, sometimes after having consulted a lawyer, with no guarantee it applies in another jurisdiction. But licensing is explicitly accepted as a topic here, see What kind of questions can I ask here?. I believe other programmers may have the same issue, and other may have been confronted to this situation before, and may have consulted a lawyer for that.

My employer asked me to implement a feature that would require storing passwords in clear text in a database (or using an obscure encrypt/decrypt function stored in a binary, which is a bit better, but also insecure).

I replied that I was willing to implement such a feature, provided that customers were acknowledged of security implications when using it. My employer did not agree, arguing that it would be bad advertising for our software and it may lower the confidence customers have in our solutions.

When discussing this problem with colleagues, someone told me that, as a software engineer, we are personally responsible (in the legal sense) for security problems that we introduce in our products. I looked into my contract, but did not found anything related to a similar case.

From a legal point of view, should I refuse to implement such a feature? Is it true that my employer could take me to court if a customer experiences damage due to this feature, even if he was aware of security concerns as well?

My employer asked me to implement a feature that would require storing passwords in clear text in a database (or using an obscure encrypt/decrypt function stored in a binary, which is a bit better, but also insecure).

I replied that I was willing to implement such a feature, provided that customers were acknowledged of security implications when using it. My employer did not agree, arguing that it would be bad advertising for our software and it may lower the confidence customers have in our solutions.

When discussing this problem with colleagues, someone told me that, as a software engineer, we are personally responsible (in the legal sense) for security problems that we introduce in our products. I looked into my contract, but did not found anything related to a similar case.

From a legal point of view, should I refuse to implement such a feature? Is it true that my employer could take me to court if a customer experiences damage due to this feature, even if he was aware of security concerns as well?

EDIT: I understand this question can only be answered reliably from a lawyer. The same is true for licensing questions: people here give their understanding and their experience, sometimes after having consulted a lawyer, with no guarantee it applies in another jurisdiction. But licensing is explicitly accepted as a topic here, see What kind of questions can I ask here?. I believe other programmers may have the same issue, and other may have been confronted to this situation before, and may have consulted a lawyer for that.