Slashdot Mirror


Cure For Bad Software? Legal Liability

satch89450 writes: "SecurityFocus had a column that I missed when it was first published a few days ago, titled 'Responsible Disclosure' Draft Could Have Legal Muscle, but I discovered it when researching an answer to a comment on the CYBERIA mailing list. In this article, Mark Rasch discusses how the Draft would set the rules for reporting security vulnerabilities, and in particular define the boundaries of liability assumed by bug-disclosers. By adopting a "Best Practices" RFC, the IETF could help the reporters of security-related bugs do their job, and put the onus of fixing the bugs on the vendors who make the mistakes, where it belongs. (The RFC draft described in the article, 'Responsible Vulnerability Disclosure Process', is here at the ISI repository.) This is, of course, in direct opposition to the process that Microsoft's Scott Culp, Manager of the Microsoft Security Response Center, would like to see. As Microsoft is more part of the problem than part of the solution, I believe that the path to a formal process would better serve the entire community - and that community includes Microsoft's customers. I'm taking this seriously because the mainstream press is talking about the issue, and what it's going to take to fix it. Here is an example from BusinessWeek that scares me silly. I'm glad I'm looking to change careers from software development to something safe, like law."

182 of 367 comments

  1. Open Source Software As Well by BWS · · Score: 5, Insightful

    if we have software liabilities then we also open "Open Source" software to liabilities....

    It would be crazy to say that "Open Source" have no liability while "Closed Source" do...

    --
    -- Note: These Comments are Generated by ME! Not You! ME!
    1. Re:Open Source Software As Well by Anonymous Coward · · Score: 2, Funny

      So is OSDN legally responsible for not fixing page widening?

      There's a lawsuit I'd follow!!

    2. Re:Open Source Software As Well by SuperDuperMan · · Score: 3, Interesting

      I agree. I would never consider contributing to the OSS movement if I knew I could be held liable and there is no reason I shouldn't be because I did it for free vs being paid. Linux will not be held to be above this process.

      I'd hate to be responsible for ZLib.

    3. Re:Open Source Software As Well by bay43270 · · Score: 3, Informative

      This would create a huge barrier to entry for the entire software industry. Joe Blow could no longer write software 'just cause the world needed it'. If you aren't hiding behind a corporate shield, you simply couldn't write software.

      IMHO, even as buggy as Microsoft's software is, they are the best suited to defend themselves. In a liable industry, they might stand the best chance of surviving.

    4. Re:Open Source Software As Well by aridhol · · Score: 3, Interesting
      so if there is a bug, who is the fault?

      For every active open-source project, there is a maintainer. It is the job of this maintainer to ensure that released software is bug-free.

      I think that, if we're going to have penalties for insecure open-source software, we should:

      hold the maintainer liable

      Only have penalties for release-level software. No alphas, betas, or cvs nightly builds. I also believe that a vendor or maintainer should be given a reasonable amount of time to fix a bug. There shouldn't be a penalty for a security hole that exhibits itself at one second after midnight on a full moon if the year is divisible by 7 when an attacker uses the root password as a user name. However, if this combination is discovered, and isn't fixed, then hold the maintainer/vendor liable.

      OTOH, a crash that's caused by pressing the backspace key too many times should be fixable immediately or subject to penalties.

      IMHO, of course.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    5. Re:Open Source Software As Well by ChaosDiscordSimple · · Score: 2
      It would be crazy to say that "Open Source" have no liability while "Closed Source" do...

      It's perfectly sane to hold Open Source software less liable than proprietary software.

      Open Source software is more likely to be free (price) than proprietary software. If you get software for free (open or proprietary), lack of liability makes sense. Someone (or some company) gave you something for nothing, it seems a bit unfair to sue them when the free thing didn't meet your expectations.

      Also, Open Source software is, well, open source. The software is guaranteed to behave as described in the source code (given a properly functioning compiler and computer). You're free to audit the software for fitness for your use, free to adjust it (or pay someone else to adjust it) to make it fit. With proprietary software, you're at the mercy of the supplier. If it doesn't work, well, tough luck.

    6. Re:Open Source Software As Well by aridhol · · Score: 2

      Most of it is. However, I wouldn't trust beta software for my business, so they lose liability and users at the same time.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    7. Re:Open Source Software As Well by aridhol · · Score: 2

      If there is no maintainer, there is nobody to update the pages, cut releases, administer CVS, etc.

      If you don't like the term "job", replace it with "task". It is a task one takes upon oneself by creating open-source software.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    8. Re:Open Source Software As Well by Stonehand · · Score: 2

      So it's perfectly acceptable for Red Hat to supply a daemon that gradually eats all acceptable filehandles, or for a buggy filesystem driver to destroy somebody's data?

      Cute. That's like saying that, just because you *could* examine and rebuild your car transmission yourself, it's perfectly fine for it to burst into flame with high probability on warm days.

      --
      Only the dead have seen the end of war.
    9. Re:Open Source Software As Well by SomeoneGotMyNick · · Score: 4, Insightful

      Maybe it should be looked at this way....

      If you purchase software in which the purchase amount benefits the commercial entity who develops the software, you are entitled to legal recourse in the event of failure due to the software. A guarantee of serviceability if you will.

      On the other hand, if you wish to be absolved(sp?) of legal liability for software you create, then offer it for free, like most GPL software is.

      I think this would be great for some of the excuses for shareware out there. If you charge a shareware fee, it better work. I've found better working freeware compared to shareware alternatives.

    10. Re:Open Source Software As Well by Darren+Winsper · · Score: 2

      I'm the maintainer of a piece of open source software, and no way in hell will I ever say any of my releases are bug free.

      I'm giving my code away, you don't have to pay a penny for it. How can I possibly be held liable for it breaking? How would I ever get anything out of beta if I had the constant threat of being sued if my "release" code contained a bug?

    11. Re:Open Source Software As Well by alen · · Score: 2

      So if a company has to hire an army of QA software analysts to review the code, where do the savings come in from this supposedly free software? Just because there aren't licensing fees involved doesn't mean it's cheaper.

    12. Re:Open Source Software As Well by aridhol · · Score: 2
      Well, you're pretty much trolling here, but what the heck ...

      This was not my intent.

      What you are proposing would even wipe out something like a recipe database.

      If the recipe database causes a security hole, or can cause an entire operating system to crash, yes, I believe it should have liability attached to it.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    13. Re:Open Source Software As Well by Anonymous Coward · · Score: 2, Interesting

      The problem is not with programmers but with how they are managed and how the result of their labours is marketed.

      Linux, and software included with it, is not generally provided with massive claims as to its improved functionality. There is no secret that there are bugs in Linux, but you can find out what they are. Linux has very successfully done its own marketing without making claims - the users do it for them. Only recently have IBM, Oracle, and others joined the Linux bandwagon. For Linux and its stability they make no claims. Torvalds himself sits by and says nothing...

      Let MS post its change logs for Windows. This is not demanding open source from MS - does anyone really want to see it? It would be like trying to keep the memory of a loved one in memory as you are gazing at his/her rotting corpse.

      Software is copyrightable.
      Books are copyrightable.

      Software is manipulating a language to control a microprocessor.
      The purpose of a book is to manipulate a mind.

      Which is more important?

      If I write a self-help book which contains principles to supposedly improve my life (let's say a get-rich-quick book) and I sincerely follow those principles and can document it - and these principles don't work - can I sue for the immeasurable pain caused by dashed hopes, and the immense amount of time wasted by putting those principles to the test???

      Probably not - the legal experts will say - because the principles are not warranted.

      Read the EULAs of practically every shrink-wrapped software package.

      MS doesn't warrant its software for use in nuclear power plants and other places where things can get critical.

      No one warrants Linux, but the FAA is rumored to be testing Linux for its later deployment in Flight Controlling Centers. Does this say anything???

      Programmers are idealists - programmers do not generally like criticism of their efforts, but programmers do appreciate the capabilities of more experienced programmers who do not brag about their position in a company or exert authority based solely upon the fact that they had a few beers together with the manager and found that they were passionate about the same football team.

      A good senior programmer or team leader does not innately want to criticize the work of another. The goal of the leader is to promote learning - evaluation is involved. The best way to do this is to provoke the implementor to ask questions of himself - and on his own to maybe find a better way.

      In a code farm like the one MS maintains, and with deadlines imposed by managers who have shown in their resumes that they can drive cattle, and marketers whose job it is to use Pavlovian techniques to make the masses want more RIGHT NOW, how can good programming techniques be taught and good programs be written without knowing what goes on in a programmer's mind? But probably, the concept of 'mind' is non-existent with managers and marketers...

    14. Re:Open Source Software As Well by aridhol · · Score: 2

      Do you fix security bugs immediately? If you re-read my comment, you'll notice that I mentioned penalties for insecure software. Period. If the software you write allows a hacker to crash the operating system or get access to personal data, I would say that you are liable if you don't fix it immediately.

      Although I am only human, I would like to believe that I would feel the same way if I were the one who was liable.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    15. Re:Open Source Software As Well by aridhol · · Score: 2

      too many backspaces = kill the application

      And that's where the fault is. There is no reason for too many backspaces to be an application-killing fault.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    16. Re:Open Source Software As Well by aridhol · · Score: 2
      A) Do a complete security audit.
      • Does it grant elevated permissions (suid/sgid)?
      • Does it allow file access to someone without permission?
      In the first case, your recipe database shouldn't be doing this. Very few programs should have to suid, although some may need to sgid.

      File access is a bit trickier. If the app runs as user X and grants access to files that should be viewable only by user Y, that's an OS problem. If the app runs as user X and allows anyone on the network to view files only readable by user X, that's an app problem.

      BTW - OS crashes, even when triggered by application programs, are usually considered OS bugs.

      I'll grant you that. Any way that an app can cause an OS to crash is an OS bug, and should be the OS vendor/maintainer's liability.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    17. Re:Open Source Software As Well by neuroticia · · Score: 3, Insightful

      There should be multiple levels of liability for faulty sourcecode just as there are multiple levels of liability in other areas of the law.

      Opensource should not automatically be excused of all liability. If a bug exists and a sizeable amount of time passes with no fix, as new users are downloading and using the product *without being warned*, then the maintainers of the source should be held liable. Opensource vendors should be required to post an updated list of bugs as they appear and fix them before releasing the next version of the software.

      Commercial software vendors should be given a certain amount of time to remedy the problem based on the severity and spread of the problem, and for each day/week/month incur fines until the issue is resolved. Registered users of the software should be notified both when the bug is discovered and when the fix is released. All users should be able to access the information via the internet. A new version of the software cannot be released until known bugs in the last version are fully patched.

      The liability of vendors should be clearly outlined and have the same tiers and exceptions that current liability laws have. It should be clear that vendors are not responsible for misuse of intended features of their systems (ie: Linux developers are not responsible for warning people that rm -rf / will trash their system.) and vendors' liability will be determined on a set of criteria: a.) Software version number -- it should mean something again. b.) intended impact of software -- vendors of backup software will be held to a higher standard if their software fails than would the creators of games or graphics software.

      Vendors should not be allowed to attempt to silence those who make bugs public knowledge. There should be fines for companies that try to initiate lawsuits for third parties publishing bug reports, examples of exploits, or other information. Perhaps there should be a certain set of guidelines as to the "release schedule" of those bug reports, however. Exploits can only be made publicly available after a patch is available, bug reports can be made as soon as the bug is discovered, etc.

      I think software liability is a good idea as long as it's not a loosely interpreted law that is applied equally to all vendors regardless of software genre and company size.

      -Sara

    18. Re:Open Source Software As Well by aridhol · · Score: 2

      Thank you for explaining this. I agree with most of what you said.

      However:
      Exploits can only be made publicly available after a patch is available

      I would change this to be either after a patch is available or after a given amount of time has passed since the bug report. If the vendors don't fix it, put a fire under their asses.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    19. Re:Open Source Software As Well by neuroticia · · Score: 2

      Exploits should not be made available until after the bug fix is released. Under the criteria I detailed above, responsibility for the "fire" falls to the government. After a certain amount of time passes then the company will incur fines which can add up to a hefty sum. Microsoft and Apple *DO* care about the public knowing about and being able to exploit the bugs in their software, however they care more about money. Fines will be a larger incentive than will exploits.

      Exploits harm the end-users of software for which there IS no fix. It's one thing to release an exploit after the patch is released and people have been given time to patch their systems. It prevents the rest of the world from having to sort through multiple gigs of logs containing attempts by nimda or code red.

      When the exploit is published before the fix you open everyone up to liability which they cannot avoid. If you're a Linux administrator do you really want the world to know that there's a bug that can format the hard drive of your server and that an exploit can be downloaded at http://.... And that there's nothing you can do? If you're a Windows end-user do you want to know that there's an exploit circulating already for something that MS hasn't fixed?

      It's like releasing a device that disables pacemakers before the people who own them can do anything about it. It doesn't bother the vendors of the pacemakers half as much as it bothers the owners/users.

      Heavy *fines* bother the vendors/manufacturers more than the bad press does.

      -Sara

    20. Re:Open Source Software As Well by Lendrick · · Score: 2

      Opensource should not automatically be excused of all liability. If a bug exists and a sizeable amount of time passes with no fix, as new users are downloading and using the product *without being warned*, then the maintainers of the source should be held liable. Opensource vendors should be required to post an updated list of bugs as they appear and fix them before releasing the next version of the software.

      I'd have to disagree with this. The above represents the biggest problem with any liability to Open Source programmers. If you develop an Open Source project, you're doing so entirely on your own time. You may not have a chance to go back and update the bug list--or you may not feel like it. As long as no one is paying you to maintain your software, you should have absolutely no obligation to change it or update it for anyone.

      On the other hand, if someone purchases software that doesn't work as advertised, the vendor that originally sold the software should be responsible.

    21. Re:Open Source Software As Well by aridhol · · Score: 2

      My bad. I had completely forgotten the original purpose of this thread, being fines for failure to fix bugs. Of course, with these fines, there's incentive for companies to fix bugs.

      Of course, the fines will need to hurt the corporations for them to be effective. Maybe base the fine on a combination of bug severity and company's net worth? Probably not legal, but probably effective.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    22. Re:Open Source Software As Well by aridhol · · Score: 2

      What if a fix is not immediately obvious and takes a week or two to fix?

      Show people that you're working on it. Post updates to the bug report. Let people know why it's taking so long (eg bug is actually in another module, trying to eliminate it without bugging something else).

      Forcing people to write perfect code their first try is a pain.

      s/a pain/impossible/ I know that it is impossible to write perfect code. However, it is not impossible to keep track of bug reports and to fix them, or to reply stating the reason they don't get fixed.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    23. Re:Open Source Software As Well by neuroticia · · Score: 2

      That is a good argument. Another set of rules should apply to source or software that has been abandoned. (ie: no development has occurred, versions released, or bugs patched for x number of months.) If the source is being actively developed, released, and patched then they're held liable for notifying the public of bugs.

      Abandoned software should require only that it is obvious that the source has been abandoned and no updates are planned. (Something in the form of a "date last developed" being required for each software release so that no one would have to go back and add it, as it would have been added at time of release? It could then be assumed that software whose 'date of release' is older than x number of months has been abandoned and liability is left to the end-user...?) Optionally software can be labeled "abandoned" and further development only allowed once the label is removed and accountability resumed.

      Opensource developers who are *actively* involved in the development of the source should not be excluded from liability because they fall into a different category than those who have abandoned or completely given up their source. They show willingness to spend the time developing, and 10 minutes to post a bug report is not a major requirement. Volunteers at physical institutions in the "real world" are often required to fill out paperwork or occasionally fill out forms, I don't see why opensource *development* should be any different, or why it would ever be possible to convince the courts otherwise. Volunteers should never be required to volunteer additional hours to fix the problem, but they should be required to spend the 10 minutes to post the bug report and be held accountable if they do not.

      -Sara

    24. Re:Open Source Software As Well by neuroticia · · Score: 2

      Hm. I don't see why fines based on the size of the company and the severity of the bug would not be legal. A million-dollar fine would put a small company out of business rather than entice them to fix the problem. For a larger company it wouldn't even be an incentive to put down the lid of the toilet seat.

      How about something even more... Compelling? Software that is not fixed within the maximum time allowed by law is required to release their source to the public domain?

      -Sara

    25. Re:Open Source Software As Well by aridhol · · Score: 2

      I don't see any legality issues with basing fines on bug severity. I'm not sure about the legality of basing it on company size.

      Of course, we all know that any punishment will just waste court time as large companies spend more on their legal department than they would for proper fixes.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    26. Re:Open Source Software As Well by WNight · · Score: 2

      Sure. Open source software that is sold should be usable for the purposes it was marketed.

      If it was given away for free - too bad, there was no sale and no implied warranty.

      Ditto with closed source. If someone wants to give away their closed-source app, they should be liable for its bugs. (Unless they sell it, by other means, such as giving the software away and charging for the CD Key.)

    27. Re:Open Source Software As Well by Chundra · · Score: 2

      If a bug exists and a sizeable amount of time passes with no fix, as new users are downloading and using the product *without being warned*, then the maintainers of the source should be held liable.

      Not when you see this little blurb:

      "Foobar is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE".

      Part of the user's responsibility in relying on software (free or otherwise) is to read (and understand) the terms of the license.

      Anyone who says this explicitly in their license should not be *required* to do anything. That includes notifying users, fixing, or even acknowledging the existence of bugs. And they definitely shouldn't be held liable for damages.

    28. Re:Open Source Software As Well by neuroticia · · Score: 2

      In the "non computer world" product vendors are required to recall their products if their products are found to be flawed to the point where they are dangerous to the people buying them. This is often done even if the product *contains a warning* but there is a high enough incidence where the warning is ignored.

      Everyone should be liable for their product up to a certain point. Should they be liable for the bugs existing in the first place? No. Software is imperfect. Should they be liable for the continued distribution of software with known bugs when they do not inform the users of the bugs? Yes. Should commercial vendors be liable for not fixing the product within a reasonable amount of time after being made aware of the bug? Yes.

      I'm not talking about the "Oops. The computer just crashed" bugs that happen every once in a while without truly impairing the ability of the software to function. I'm talking about security holes, and problems that risk the integrity of data.

      -Sara

    29. Re:Open Source Software As Well by Chundra · · Score: 2

      Ok, well I meant that as it applies to free (in the GNU/BSD/Artistic License/etc. sense) software. I'm almost completely with you on the commercial software end.

      Why the distinction? The ethics behind it all mostly. Almost every actively developed piece of open source software out there is maintained by a handful of people who literally "do it for fun". These are people who are addicted to writing code that does something they find cool -- most are exploring technology, some are redefining it. They are motivated by the hey-wouldn't-it-be-nifty-if-we-could-do-X factor.

      Compare this with the other extreme. Say, with a company that has massive teams of mostly mediocre programmers who are churning out big, bloated, meaty turds, packaging them up, marketing the hell out of them, forcing them down people's throats, influencing global politics, and being generally evil. Most commercial software companies aren't this bad, but that certainly seems to be their long-term goal. These are people motivated by the we-really-don't-care-as-long-as-we-make-a-buck factor.

      I don't know about you, but I think that if a couple of nerds sit around and hack together some mindblowing piece of software, and they say "This isn't guaranteed to work. We hope it does, but if not...hey, sorry" and then the stuff *doesn't* work, I don't want to see any legal action taken against them.

      That said, I think most of these open source maintainers are more than responsive to bug tracking and fixing. Spend any time on a high volume dev mailing list, and you see some *insane* dedication. Like, you know these guys sleep 8 hours a week whether they need to or not. I don't want to see these people warding off class action lawsuits. Save those for the nebulous corporate entities who bring you Value-Added Enterprise Solutions for the Multi-Tiered Enterprise.

      Yeah. *cough* ;-)

    30. Re:Open Source Software As Well by neuroticia · · Score: 2

      I'm definitely not for "equal fines" that would force opensource developers to patch their work, which has been donated to the community. The only 'sanction' I'd wish placed on them would be public notification of known bugs on the primary site of distribution. This wouldn't be much of an issue seeing as it's already fairly common among opensource groups, and quite a few even allow you to sign up for a listserv notifying you of bugs and patches. I'm just saying that we cannot expect Opensource to be disincluded from all liability and that we need to be prepared with an alternate set of sanctions that are to a 'lesser degree' than those that will face the commercial software developers. If we walk into the situation saying "We don't want any rules to apply to us at all" then we'll walk out extremely unhappy as there WILL be rules that apply to us and they might be more strict than if we were to suggest *which* rules should apply. I see nothing wrong with an extremely limited liability for opensource groups. The initial effort is a volunteer effort, the patching is a volunteer effort, and the software is given out for free to benefit people. Liability should be limited to making known bugs available.

      That said, the courts *love* precedent, and if there is any precedent of volunteer efforts being excused from liability then that could work to our benefit. If, on the other hand, there have been cases that rule that volunteers *are* liable, then... If there is nothing that might apply, then we will be responsible for establishing the initial rules. Is life really that perfect? =]

      Are there any cases in which a judge has ruled that volunteers cannot be held liable for their volunteer efforts? Or that programmers cannot be held liable for their code?

      -Sara

    31. Re:Open Source Software As Well by aridhol · · Score: 2

      I don't define immediately. Lawmakers do. And I don't believe that immediately only applies to Microsoft, or to any corporation.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    32. Re:Open Source Software As Well by neuroticia · · Score: 2

      And who would obtain the rights to the license? Would the government seize the license and auction it off to the highest bidder?

      How, then, would we prevent someone such as... Microsoft? from interfering with the development of a variety of different opensource groups and purchasing the licenses to the software so as to have the ability to eliminate them from the competition? Scenario A: Microsoft repeatedly hires top developers (buying them off) from Linux Distribution X, resulting in the failure of Linux Distribution X because bugs cannot be patched according to the timeline. Distribution X has no money to buy their developers back. Microsoft then bids on and wins the license to Distribution X... (Of course this couldn't work with Linux distros since Distribution X isn't "Linux" or any of the underlying applications, so they'd actually have to exploit this 'law' across the several hundred pieces that make up Distribution X... But you get my point. =])

      "Open source" is community. "Proprietary" is not. Releasing source to the public would allow them to repair the bug--proprietary groups can easily take opensource and fix the bug.

      -Sara

    33. Re:Open Source Software As Well by neuroticia · · Score: 2

      Regarding "Proprietary X" not being able to make the deadline, the scenario I outlined was in regards to "Proprietary Y" *INTERFERING* with the ability of "Opensource X" to purposefully push them past the deadline with the intention of purchasing the source code as the highest bidder. It is unlikely that "Opensource Y" would be able to sufficiently interfere with the deadlines of "Proprietary X".

      The difference between Opensource and Proprietary software can be explained such as this: "Open source software makes the 'recipe' available to those who wish to bake their own, allowing them to modify the recipe. Proprietary programs only sell the pre-packaged baked goods." I explained it to my Grandmother who is still calling her mouse a rat. I think judges are intelligent enough to understand the concepts of "This makes this available for x amount of money while this makes this available PLUS the recipe for free."

      Regarding the bug in PHP- you say it was just discovered 2 weeks ago? According to PHP as of Feb. 27th there is a fix. Either you're off about the date of the bug being 'discovered' or the response time is a phenomenon where the bug is fixed prior to being discovered. ;) Either that or another bug has been discovered along the same lines and has not been announced. Remember, we're not discussing undiscovered bugs that exist in the software and asking that developers be able to predict everything. We're talking the discovery time:time to patch ratio. In the Opensource community it is habitually lower with patches coming out every time a bug is discovered and a patch made available. If you're wrong about the date that the bug was discovered and the bug has actually been common knowledge since PHP3 then yes, the OSS community is in error, however it is a VOLUNTEER effort and should not be required to follow any standards higher than notifying the public of the bug's existence so that they can take the necessary measures to disable problematic parts of the program or temporarily replace it with an alternative. Proprietary code often has no viable alternative--Are people able to pay a few hundred dollars to switch from an application they've already paid a few hundred dollars for to another one? The ability to switch mid-race to another opensource program is unimpeded by monetary concerns.

      Finally, on the concept of "All or nothing": law is never "All or nothing". There are many shades of gray, and different groups are treated differently. For example, Apple is allowed to get away with business practices that MS would find themselves back in court for. Apple has a smaller marketshare and thus is not considered to be violating antitrust laws even when they are using unfair business tactics. I do not think it's unfair for the law to recognize that the Opensource community has limited funding and cannot hire the extra manpower that it might take to make the patches, while 'Proprietary Company X' has charged for their software and has essentially promised them a service that it should be bound to deliver.

      -Sara

    34. Re:Open Source Software As Well by SomeoneGotMyNick · · Score: 2
      If your idea came true, you can bet it would be the final nail in Linux's coffin. All businesses would steer clear of it.

      I seriously doubt it. Microsoft software, by its very EULA, absolves Microsoft of all liabilities for damage resulting from use of their software. It's always been a USE AT YOUR OWN RISK situation.

      However, Technical Support departments can be thought of as some sort of unofficial liability mechanism. They are not required by law to do this. Most companies will provide technical support if you pay for the software. It's a marketing thing disguised as warm and fuzzy customer support, just so you'll come back to them when they want to sell you an upgrade.

      If I buy software that ends up wrecking my computer through no fault of my own, I expect some sort of recourse. But today's EULA type agreements prevent me from legally requiring the company to pay to have my hard drive data recovered or something (This is the reason why I never use anything with Norton's in the name anymore). If I want to be a cheapskate and use free software, I shouldn't expect any legal recourse for damage it does to my computer.

      If the free software vendor built a good reputation on producing solid software, then businesses will not necessarily steer clear of it. If the free software vendor offers OPTIONAL support contracts, insurance policies of sorts, that establish an acceptable level of liability should anything bad happen, businesses would probably consider free software options just like commercial software, with the added benefit of lower software-only costs.

    35. Re:Open Source Software As Well by Darren+Winsper · · Score: 2

      No, I do not fix security bugs immediately. If a bug is reported to me, I will fix it in my own good time. I'm giving people my software, they have no right to demand anything of me.

      If my software crashes the operating system, that is the operating system's fault. Why? The operating system should not allow a non-root user space process to cause any harm to the OS.

      If somebody reports a security bug and supplies a fix, I will probably apply it immediately. However, if you've paid me fuck all and report a bug, don't expect me to fix it in any time shorter than "when I can be arsed."

  2. Fallout by Petersko · · Score: 5, Insightful

    Should such a situation come to pass, the fallout would include:

    1) Higher development costs
    2) Far fewer small companies in consulting
    3) Shrinking job market for new grad coders
    4) Larger legal costs on both sides on the fence

    On the brighter side, it would also include:

    1) Lessening of age discrimination - experience outweighs youth
    2) Alteration of programming education to focus on security
    3) Higher standard of programming excellence
    4) Self-policing. Companies who fail to adhere will run themselves right out of business in short order.

    Finally, legal liability for Open Source projects is not a bad idea at all.

    1. Re:Fallout by warpSpeed · · Score: 2


      Seems to me that we would end up with some sort of cross between SourceForge and Freenet. Not really efficient, but for those that absolutely have to scratch that itch, without fear of liability...

      ~Sean

    2. Re:Fallout by SirSlud · · Score: 2

      You're confused. Open Source != Free as in beer Software (for the millionth time).

      If you sell your OS application, you should be liable.

      If you dont sell it, you are not liable for its use.

      You should not be held liable for a product whose distribution and use is voluntary. What you should be worrying about is how companies would probably use free-as-in-beer software less, because they would be unable to hold the creator of that software liable for damages incurred from use.

      --
      "Old man yells at systemd"
    3. Re:Fallout by Telastyn · · Score: 2

      No offense, but in most every case there are legitimate reasons for choosing youth over 'experience'.

      in most companies, technical experience gained 10, 15, 20 years ago will be inversely useful today. Even business has changed in the past 2 decades. Things learned long ago obsolesce (sp?).

      Experience is very, very useful and desirable, but sometimes companies forget that experience doesn't always equate with ability. It is a better barometer for how mature the worker is, and how well they understand standard policies and the unwritten rules of the workplace.

      Given that, most companies will then hire a 25 year old with 4 years of experience over a 35 year old with 14 years of experience for a common coder job if they've similar talents. Why? Because the 35 year old probably has a wife, kids, and is asking $120k. The 25 year old is probably not as needy, and given the 'experience' factor, is probably only asking $80k.

    4. Re:Fallout by SirSlud · · Score: 2

      Well, you don't have 40B dollars. However, if you did have 40B dollars, your 'spam filter' is not held to 100% perfection. People can't sue condom manufacturers when they get pregnant, because the condom industry isn't so stupid as to say, "Hey, these things are 100% effective." Presumably, as a sane individual, you wouldn't be selling a '100% effective spam filter', but a 'spam filter that can cut spamage, possibly up to 100%'.

      Companies are liable when products do not live up to claims or they release products with known defects that cause damage. The OS community, if anything, would be less susceptible to releasing shoddy code under liability laws, because there is no 'rush' to release unready code, nor any sales or market driven motivation to make claims about the product that don't stand up in the real world.

      So, in closing, you would be on the hook if you distributed your software under the guise of unrealistic claims. Liability would not result in shitloads of lawsuits; it would result in companies having to think twice about their 'claims' about their products. OS developers would benefit, since they don't have sales teams and revenue expectations forcing them into situations where they must lie about the functionality, safety, or power of their solutions. Companies would finally be able to rein in their fucked up management and sales guys, because suddenly /they/ would be the ones responsible for lawsuits, not 'buggy software'. Developers in companies would finally get to say, "Fine. I'll release it. Just understand that you might incur 40B dollars in damage on our company."

      The problem isn't that software isn't perfect; EVERYONE knows it never will be. The problem is finding an honest to god reason to tell the sales team to go shove it up their ass and stop breathing down the software engineer's neck. Because, FINALLY, EVERYONE IN A COMPANY will be responsible for shipping software that didn't live up to claims, not the developer for not 'inventing' an extra 200 hours a week in order to make the software live up to the brochure that was printed 4 weeks ago by a bunch of suits who didn't know dick all about software.

      To reiterate, so long as your product does not undermine your claims (absolutely no problem in the OS world, as you aren't trying to 'sell', so you can be realistic), you're safe. This will just rein in companies selling one thing, but distributing a whole other thing (read: Windows, Oracle ...)

      --
      "Old man yells at systemd"
    5. Re:Fallout by lynx_user_abroad · · Score: 3, Insightful
      Yes, it would be the end of Open Source. Who in their right mind would code for a project part time if it meant they were legally liable for anything that might go wrong with it?

      There is no software you can write which I cannot make faulty with the right (wrong) compiler. And it doesn't matter how good a programmer you are, or how simple the program you wrote.

      It makes no sense to hold the author of the software liable for faults, because the faults could be introduced by the compiler, or by the later stages of deployment and configuration. So there should be blanket immunity for anyone who vends software in source form, under the theory that anyone who has access to the source must exercise due diligence to ensure that the software is appropriate for the situation in which it is deployed.

      On the other hand, vendors who deliver software as a pre-compiled binary must assume some liability, as the consumer is no longer in a position to exercise due diligence.

      This would be a win for free software developers, as long as they only deliver code as source; no liability.

      This would be a win for companies like RedHat, who would be able to offer pre-compiled free software, and assume some of the liability for making sure it was compiled correctly.

      This would be a win for anyone who uses software, because vendors would ensure their products have fewer faults, under threat of liability.

      This would be the death blow for Microsoft, because (as a company which vends primarily pre-compiled binaries only) they would be fully liable for the software they ship, but would be fully responsible for detecting and correcting their own faults.

      I say bring it on.

      --

      The thing about things we don't know is we often don't know we don't know them.

    6. Re:Fallout by lynx_user_abroad · · Score: 2
      If you dont sell it, you are not liable for its use.

      Don't go there. It's not what you really want.

      We may soon find ourselves in a world where nobody sells software, just the services.

      In other words, how would this work in a world where you buy a hardware-only net computer, purchase internet access (a service) to gain access to applications (software) which are downloaded over the net? You never pay for the software, so when MS Money bounces your checks, who owns the liability? Not the hardware company, because it's not their software. Not your ISP, because they are only providing the connectivity. And not the application provider, because you didn't pay them anything.

      If we're going to fix this, let's get it right this time.

      --

      The thing about things we don't know is we often don't know we don't know them.

    7. Re:Fallout by istartedi · · Score: 2

      I wouldn't write code. I'd write novels where the characters were always discussing code. Instead of using quotes when the characters spoke, I'd use /* and */. Whenever I was narrating I'd put a // at the start of the line. If some idiot decides to OCR my novel into a computer and compile it, it's not my problem.

      In all seriousness, I hope this proposal is DOA. This will crush the little guy, and enrich the lawyers. Oh, wait a second... all the laws are written by lawyers.

      Look, legal liability for software is already an option. Ever heard of "mission critical"? If somebody is willing to back up their "5 nines" with dollars, I say more power to 'em; but don't go making my "3 nines, but a lot cheaper" illegal.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    8. Re:Fallout by w3woody · · Score: 2

      I have to disagree with your assertion that fewer companies would be in consulting. Far from it; all it would mean is that consultants such as myself would both (a) include a disclaimer of liabilities for developed software, and (b) force the customer to notice and initial the statement (along with the other important elements of the contract) before development started. (I already include a limitation of liability statement in my standard consulting contract.)

      The only thing this law would affect would be purchases of mass-produced software. Me; I'd get out of the shareware business quick in order to avoid the liability issues. That's because you generally cannot negotiate individual contracts with mass-produced software. And I sure as hell would not rely on the "click-through" contracts as a valid contract negotiation in the face of a law like this.

      The flip side is that people would suddenly realize how much quality software (as opposed to "shovel-ware", where marketing demands everything is shoveled into the product) costs to develop if they suddenly found themselves in a world where software for a word processor were developed the same way as software for the Space Shuttle...

    9. Re:Fallout by WNight · · Score: 2

      Selling software is the same as selling access to it. This has been through the courts when a company was giving away software and charging for the access codes. (Dunno the references)

      But really, anything you charge for should come with a warranty of fitness. If you give it away for free, it comes with no warranty.

      If MS really makes MS Money available for free on the web, and it's not perfect, you shouldn't be able to bitch. If they control access and only let in people who have paid in one way or another though, you have the right to expect a decent product.

      (However, if free software was deliberately malicious, the writer could be held liable basically as if they'd written a virus or trojan.)

    10. Re:Fallout by WNight · · Score: 2

      If you give the software away and someone else sells it, they're liable. Seems fairly obvious.

    11. Re:Fallout by WNight · · Score: 2

      I don't see what the problem is. You write the program such that it calls DisplayLicense() to display the appropriate license. Then when they use it, they patch it to remove this call.

      Your software protects the author (you) from any liability. Their software is their business and their (potential) liability.

      Even if the SSSCA is implemented, it won't be retroactively employed, so don't worry about it now. (Well, from a personal liability point of view. Worry about it from a stupid politicians ruining the world point of view.)

    12. Re:Fallout by WNight · · Score: 2

      The person you paid for it.

      If they paid someone else for a component which is shown to be defective, then they sue that person/company themselves.

      If you didn't pay for it, you don't get to sue.

    13. Re:Fallout by sholton · · Score: 2
      So no matter how obfuscated and buggy your code is, I become responsible for it now because I choose to use it?

      Exactly. Or were you having a problem with the concept of due diligence?

      Further, despite the fact that I am not a programmer, I am expected to know enough about programming to be able to decipher your code, and implement fixes.

      Either that, or hire someone else to decipher the code, verify correct operation, compile, test it, and implement fixes for you. That's what binary distributions are for. It may not be cost-free, but what were you expecting?

      If anything, (as you've correctly pointed out) it makes the market even more lucrative for companies like Microsoft, but only if they get their act together. And that's a win-win for everybody.

      --
      A new kind of meat designed to appeal to vegetarians.
    14. Re:Fallout by sholton · · Score: 2
      Selling software is the same as selling access to it.

      We need to be technical here, because it's important. Normally, you don't buy software, you buy a license to use it. Software which is offered as open source could be considered much different. When you procure software in source form (at least under most Open Source licenses), you could almost say you own it, but with an encumbrance. The person/group from which you procured it can, for the most part, no longer dictate what you do with the software, prevent you from using it in the future, force you to upgrade, or prevent you from taking it apart and using the bits as you see fit.

      If you give it away for free, it comes with no warranty.

      So, if the local petrol station offers a free car wash with a fill-up, and the machine scratches the paint job all to hell, I'm S.O.L? It was free, right? So I can't really complain that it caused damage?

      --
      A new kind of meat designed to appeal to vegetarians.
    15. Re:Fallout by WNight · · Score: 2

      The "you buy a license to use it" idea has never been tested and seems to fly in the face of all existing contract law. In fact, the only people pushing this idea are the software companies.

      I'd say that if I give you a copy of MS Windows, and a copy of GCC, you have the same legal rights with both - before you consider the GPL. Without considering the license, your rights are the same. Allowed to use, and to sell/give away, but not to duplicate or use as the basis for a new program.

      The GPL simply grants you additional rights. And then there's the issue of warranty of sale - rarely does someone simply give you MS Windows for free.

      If the local gas station gives away a car wash with a fill, the wash isn't free. You bought it with the fill-up. If it was truly free, and they didn't have reason to suspect the machine would cause damage, I don't think they'd be liable. (Except perhaps in the US.)

      If they knew about the potential damage it would depend on how much damage. If it could (with time) cause paint to flake off, that's probably an expected risk of high-pressure washing. If they knew the machine was faulty and scraping cars, they might be liable.

      This is where a judge would decide.

      If you release an OS and it sucks it's a lot different than releasing an game that's really a drive-erasing trojan. In one the damage is unintentional, in the other, you intended to cause harm.

    16. Re:Fallout by BWS · · Score: 2

      Analogy for you:

      Let's say that I have a kid and he/she is on a school soccer team. Let's say they have an out of town game, so me with my SUV drive him and a few other kids to the game. Let's say that I wasn't quite careful and got in an accident, and two of the kids get broken arms and injuries. Am I responsible? Yes. Am I liable? Yes. Even though I volunteered to do this? Yes.

      The same can be said of OS Projects...

      --
      -- Note: These Comments are Generated by ME! Not You! ME!
    17. Re:Fallout by kubrick · · Score: 2

      Yeah, but those kids aren't legal adults responsible for their own decisions.

      Bad analogy.

      --
      deus does not exist but if he does
    18. Re:Fallout by BWS · · Score: 2

      Replace kids with a car pool... I get a group of people at my work place to do a carpool?

      --
      -- Note: These Comments are Generated by ME! Not You! ME!
    19. Re:Fallout by kubrick · · Score: 2

      Your workplace might be liable; I know Workcover, in some Australian states at least (compulsory work insurance), covers car journeys to and from work.

      I'd imagine that you could only be found liable if it were your bad driving that caused the accident, or other circumstances where you were directly to blame *and* the others had no way of knowing that they were being misled (e.g. you knew that the brakes sometimes locked up, etc.)

      (If the car looked like a bomb, the tires were bald, etc. I imagine that your co-workers would have been expected to have exercised their responsibility for their own self-protection.)

      Of course, as always, it comes down to the side with the best lawyers. :)

      In the hypothetical case of legal liability for bad software, I imagine we'd end up splitting software into two classes; cheap (or free/Free), non-liable software, and expensive and liable software. Someone has to pay for all those code audits and company lawyers, after all, and I bet it would be the customer (it usually is :)

      --
      deus does not exist but if he does
    20. Re:Fallout by WNight · · Score: 2

      Yes, I think you should be able to sue the seller, and they to sue their suppliers, etc.

      And yes, I think this should stop as soon as a checkbook isn't involved.

      Really though, I don't think a judge would allow a company to sue their employee for incompetence, because the job of a boss is to watch what their employees produce and make sure it gets tested.

      And as for not being able to sue just because you didn't pay... Why should you be able to sue if you got something for free? If I give you a stereo and it breaks, should you be able to sue me for a working stereo?

      If I give you network code and it's not terribly secure, should you be able to sue? However, if I sold you network code, I think you could expect that the code was at least of a certain level, depending on the price and the advertisement.

      Anyways, I would put a hard line on suing people for something you got for free. That's the difference between a sale and a gift. Seems like a very intuitive place to draw a line.

    21. Re:Fallout by WNight · · Score: 2

      They should be liable.

      Gifts don't come with the same implied warranty that purchases do.

      I'd even take this a bit further and say that you shouldn't be liable even if you take money, unless you understood the intended use and agreed with it. If you sell embedded code that runs a hand-held game, you design it to different standards than if you were writing code intended for a life-support machine.

      The only exception I'd see to this would be if you intended to hurt someone. At this point I think you could be charged with fraud. You desired an outcome and deceived someone to those ends. Cash doesn't necessarily have to change hands for this charge to stick.

      I really don't see why this doesn't make sense... To believe otherwise seems similar to supporting the family who sued the volunteer search & rescue team who failed to find their son. The volunteers offered to help, they didn't guarantee results. If their help is useless, it's worth what you paid. I don't see that they agreed to anything that would make them liable if they didn't do it properly. (Yet, US law supports this shit, so likely your interpretation would pass, especially since the big companies love it.)

    22. Re:Fallout by WNight · · Score: 2

      The sticky spot is that payment does imply a warranty of general fitness, or create an expectation of the advertised service. That's part of the implied contracts of sale (fitness for advertised use, etc).

      Gifts do not have warranties. Promises don't constitute contracts until there is consideration for both parties.

      Companies go into mind-numbing detail in disclaiming warranties because it discourages many uneducated consumers from suing when they have the legal right. The act of sale provides fairly comprehensive warranties in fact, most of which can't be disclaimed.

      However, if I give you a hard drive, for instance, and claim it's a 160GB drive, you can't sue me later if it turns out to be a 2GB drive. Sure, I promised that it was 160, but didn't enter into a contract based on that claim (such as a purchase contract) so you have no right to expect anything.

      Companies can try to claim that they receive no consideration for the use of a product, yet if money traded hands, that's going to be awfully hard to make a judge believe even if an elaborate series of cut-outs are used to shield the maker from actually directly collecting the payment. The only way they'd be likely to convince a judge would be if you could go onto the net, download the software for free, and have it work unencumbered without an activation code or linked activation software.

  3. What about 3rd party items? by Anonymous Coward · · Score: 2, Insightful

    If I'm using a tool, component, or class library from a 3rd party, what happens if the vulnerability is in their code? As a contractor, would I have to spend $10,000 in legal fees just to prove it's Borland's or MS's or Sun's fault? Besides, how can you guarantee 100% that anything is safe? With the lawsuit-happy society we have today, the smallest mistake could put even a medium sized company right out of business. And if you think this will help open source, it won't. Would you use "free" software that has no liability while commercial software does? Would you get a "free" operation from a doctor with no liability, or pay for one from someone who does?

  4. Open source and liability by jms · · Score: 5, Interesting

    Any liability law should offer an exemption for software that is distributed along with buildable, commented source code.

    The reason is simple. The end-users of open source software are in a position to verify the integrity and correctness of the software. Even if such an end-user is not a programmer, they could, if they were concerned, pay someone else to inspect the code. They have been provided with the ability to protect themselves, because the source code accurately describes the actual operation of the product.

    The end-users of proprietary software are in no such position. They are absolutely dependent on the software vendor to verify the integrity and correctness of the software. They are powerless to protect themselves, and without the source code, they are only left with a representation of the operation of the product. This is far less information than the source code, which specifies the actual operation of the software.

    Therefore, only proprietary software vendors should be held liable for bugs in their software.

    1. Re:Open source and liability by BWS · · Score: 2

      That logic is faulty...

      Let's say that Ford starts to include a book that explains how cars work and what each part does. Will that exempt them from liability?

      --
      -- Note: These Comments are Generated by ME! Not You! ME!
    2. Re:Open source and liability by Petersko · · Score: 2, Insightful

      Not reasonable. For a project of any complexity, verifying the integrity and correctness of the code is a financially gigantic undertaking. If you disagree, I have a favor to ask.

      I'm kind of concerned about using this Apache product. Would you mind trundling off and verifying the integrity and correctness of all the source code please? Oh yeah - and if it includes standard libraries I need those verified as well.

      Can you get that done before the weekend? I was hoping to install on Saturday.

    3. Re:Open source and liability by BWS · · Score: 2

      Let's say that a company is giving away free sound cards. However, the sound card, when used for more than 20 hours straight without rebooting, will melt. Now let's say I had some MOBOs damaged by this... can I sue?

      --
      -- Note: These Comments are Generated by ME! Not You! ME!
    4. Re:Open source and liability by Graymalkin · · Score: 2

      Which means no one would use open source software. Say you've got two competing products, one open and one closed. The possibility of a bug in the application will lead to millions of dollars in damages. You know this from the beginning. With a liability law, even a lopsided one like your suggestion, in place, a company is going to go with the closed solution. Why? Because if you know a bug will cost millions of dollars, you're going to go with the product you've got a chance of recouping damages with. You'll pick the software with a vendor you can sue. Bah, source code shmorse code, the cost of fixing potential problems in code is damn high if it is done well. You've also got the fact that you can never squash all bugs in software. Yet again the user of Free software gets shafted: not only can they not sue the vendor for a million dollar bug, but they also have to spend their own money in order to try to fix it.

      --
      I'm a loner Dottie, a Rebel.
    5. Re:Open source and liability by elmegil · · Score: 2
      Unfortunately Microsoft could use this dodge as well.

      This leaves a catch-22. You can't expect OSS to be exempt, but not being exempt puts a huge barrier in front of voluntary development.

      --
      7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
    6. Re:Open source and liability by mjh · · Score: 2
      Therefore, only proprietary software vendors should be held liable for bugs in their software.

      If this happens, we've codified into law the current myth that already plagues open source/free software: that if something goes wrong with free/open source software, there's no one to sue. Thus there's a business liability in choosing free/open source software.

      Right now this is a myth, and is completely untrue, because if something goes wrong with ANY software, there's no one to sue. I've been opposed to software liability in my /. sig for some time now. Here's a journal entry on software liability that I wrote. It has three comments. Unfortunately the comment period expired some time ago. But I think we still need to talk about how to do software liability without putting open source/free software at a disadvantage either directly or indirectly.

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
    7. Re:Open source and liability by edremy · · Score: 2

      More imporantly, you've not paid for open source software.

      I didn't? What's this charge on my credit card for a copy of RedHat?

      Sure, you can say that I bought the service contract and not the software, but I suspect you're going to have a really, really hard time convincing a judge of that when there's a box sitting on the store shelf that has "Red Hat Linux" printed on it. Specifically, that convincing is going to cost $ in lawyer's fees which RH can ill afford.

      Seriously, this is a *terrible* idea. MS has lawyers out the wazoo and the cash to pay them to tie up any such suits forever. (See antitrust case) RH and other small companies don't, and they are going to get hammered the first time a major problem comes along

      Eric.

      --
      "Seven Deadly Sins? I thought it was a to-do list!"
    8. Re:Open source and liability by alen · · Score: 2

      MS and other companies have sold beta software in the past. They'll just label any future release post beta or something. Good enough to release, but not bug free.

    9. Re:Open source and liability by Ooblek · · Score: 2
      It's amazing how many people will actually believe their own dishonest attempts at stretching the truth. So it's as simple as: you don't pay for it, you can't hold someone liable for it? I don't want this to sound like a flame, but you are a fool.

      There is currently NO WAY to verify that there are no bugs in a piece of software. It is simple, published science. Look at a software engineering 101 book. No, this idea of liability stinks of a political agenda where someone is trying to pretend to be a friend to the people. The people are the ones that buy stuff off shelves and don't realize that it took many person-years to create that product. The politicians think it is just a matter of incompetence that is causing the problem. I am pretty sure that any good engineer will tell you that the problem is not 100% incompetence. Things change in the environments that software runs in that are totally outside of the control of the authors.

      Open source software has bugs just as proprietary software has bugs. For this reason alone, no liability should be on the shoulders of anyone who produces software. If the liability is to be assigned, it should be equal without regard for the price you paid for the software.

    10. Re:Open source and liability by furiousgeorge · · Score: 2

      It has nothing to do with money exchanging hands....... it's more about 'implied fitness'.

      If I win a Ford Pinto on a game show (I paid nothing) and it explodes when I turn it on, is Ford exempt from liability? Hell no.

      It's the same reason most restaurants WILL NOT give away leftover food anymore. Even though it's free, if somebody gets food poisoning they can/will sue.

      This whole argument is a strawman. If you want commercial vendors to be bound by the rules, expect the free producers to as well. And Mandrake is ALREADY begging for cash....

    11. Re:Open source and liability by markmoss · · Score: 2

      The market has created clear categories of software that range from the rather unreliable (Windows, piddly silly games, etc) to the extremely reliable

      The problem is, MS is selling Windows as being in the "extremely reliable" class, but under the law at present, the fine print in their EULA supposedly means that all their TV ads showing servers allegedly running unattended don't matter. What we need is not laws creating liabilities for all software, but rather laws making it much easier to sue for fraudulent advertising.

    12. Re:Open source and liability by Relic+of+the+Future · · Score: 2
      Or you could just set the maximum damages that can be claimed equal to some multiple of the cost of the software (possibly based on the severity of the bug). Bug in a $X000 database package that causes massive data corruption? Big suit. Bug in $30 shareware game that makes your computer freeze up every other month? Small suit. Bug in free (as in beer) software? 0 * anything is zero.

      (Should also have some provision to sue for damages from someone who you're paying to service your free software I suppose...)

      --
      Those who fail to understand communication protocols, are doomed to repeat them over port 80.
    13. Re:Open source and liability by WNight · · Score: 2

      Having any exceptions is unnecessary. Just disallow any claim against free (as in cost) software.

      If MS wants to release a free beta of XP, they shouldn't be liable for bugs in it. Ditto if you download Redhat 7.2 and install it.

      This is consistent with current law. If you don't pay for something it's a gift. If you pay, it's a sale which means there're implied warranties of fitness, etc.

      Just make sure you catch the obvious abuses of this, such as giving the software away and charging for the serial number, etc.

    14. Re:Open source and liability by mpe · · Score: 2

      You're expecting ALL software users to be able to inspect software for defects and this is simply not the case. Many people want to use software the way they use a car - and they don't have either the mechanic's drawings & skills or the knowledge to read/fix source.

      Ever heard the phrase "You can take a horse to water, but you can't make it drink"?
      At some point you have to consider responsibility transferring to the end user.

    15. Re:Open source and liability by mpe · · Score: 2

      It is like somebody giving out free basketballs. If the free basketballs were made with defects, you have no basis for forcing the giver to fix your basketball. They have incurred no legal duty to you. There is no quid pro quo.

      This isn't relevant to the GPL, because it does involve exchange of "consideration". Also there is an obvious loophole with making simple payment an issue in this way. To avoid any liability sell everything as "buy one, get one free"...

  5. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  6. Source protects itself by juliao · · Score: 2, Insightful
    How far can you take liability?

    If I give you a car, am I liable for the fact that it has no brakes? What if I sell you a car?

    What if I give you a tool? Am I liable that it breaks and breaks whatever you were trying to fix with it, too? What if I sell you one? What if I sell you one and say that it's rated for the work you're trying to do, but it still breaks?

    See the differences?

    Now for software:

    What if I give you a binary? Am I liable that it doesn't work? Am I liable that it has flaws?
    What if I sell it to you? Am I liable then?

    Now for something completely different: Source Code. What if I give you source code? It's available for your inspection... Can we say that source code documents itself? If you are worried about what the code does, you can read it, compile it, debug it, step-trace it. Source code is NOT a program, it's closer to an algorithm than to a program. Can I be sued for giving you instructions on how to tell your computer to do something?

    If source code is just instructions, directions for a computer, then source code starts to look like something different, and precedent must come not from binary software but from things like legal advice.

    And you know how that goes... IANAL, so I can say anything, you take my word if you want to. So, if IANAP (not a programmer), can I give you whatever source code I want, and I won't be liable?

    And who defines what a programmer is? The ACM?

    1. Re:Source protects itself by egomaniac · · Score: 2

      You're making a good overall point, but source code is not fundamentally different from binary code.

      I could, if I were so inclined, write code by hand in Motorola machine code, and call that the source code. Then I could create a compiler which could translate (enough) Motorola machine code into Intel machine code to compile my program, and call the Intel program the binary. I could even GPL the program, and require everybody to distribute the Motorola machine code (the "source code") along with the Intel machine code (the binary), and that would be 100% upheld in court.

      This is obviously a contrived example, but the *only* difference between this and, say, using Java is that no machines exist which understand Java source code directly. You could, in theory, build such a machine, and could then safely refer to Java source code as "binary machine code" -- and it would be, every bit as much as Intel machine code is binary machine code. The really cool thing is then you could program directly in Java bytecodes, and call that the source code, and use a decompiler to turn that into Java source, which would be understandable by the machine and therefore safely call that the compiled binary machine code.

      Yes, these are obviously contrived examples, but the point is that you can't say "Source code is NOT a program, it's closer to an algorithm than to a program" and then claim that the same is not true of binaries. After all, I could distribute my stupid Motorola-to-Intel program, and then tell everybody "Hey, the source code is there, you should have read it". A binary is just a more-difficult-to-understand computer language, and the difficulty of understanding it doesn't seem like a good foundation for a legal definition.

      --
      ZFS: because love is never having to say fsck
  7. Shift of Cost by regen · · Score: 2

    IMNSHO, this would be a really good thing. One of the current problems with software (and a lot of other things) is that costs are shifted away from where they belong in order to make a product cheaper.

    It is cheaper to write software that works most of the time, but has a few bugs, than it is to have a proper design, implementation and testing process that prevents buggy software from being shipped too soon. In general the industry has the feeling that it is cheap and easy to release a patch for a bug later, so the cost of not catching it early is small.

    This is the exact opposite of hardware engineering, where companies go to extreme measures to try and debug the design before committing to Si, since it is very expensive to do this.

    Increasing the cost of bugs to the software developer will decrease the quantity of code and increase the quality of code, something that is sorely needed.

    </rant>

  8. Upgrades by chill · · Score: 2

    This could have a wonderful effect on upgrades. No more mixing fixes and feature adds -- too dangerous (aka Service Packs).

    Can you imagine MicroSoft's position? New license agreements with WinXP require users to upgrade every two years. MS will be held legally liable for the stability of those upgrades. They better damn well get it right.

    Remember that U.S. Navy ship that switched to NT and was dead in the harbor? Imagine the Navy sending a bill to Bill. :-)

    --
    Learning HOW to think is more important than learning WHAT to think.
  9. Merchantability by mcrbids · · Score: 4, Insightful
    At heart here, and often forgotten, is the issue of "merchantability". What is that? It's the assurance that something is saleable, that reasonable expectations of performance can be made, and that the product does, in fact, perform its intended function.

    Because of this, it can be SOLD. If I sell you a keyboard for $20, you now have the expectation of merchantability. It is expected to work, and both reasonable business sense and many local and federal laws require that if it does not, I either provide something that works, or give you your money back, within a reasonable period of time. (14 days in California)

    If we re-institute the concept of merchantability in software, all that would happen is that you could get your money back - thus little to no effect on OSS software.

    Red Hat may be impacted, but since they are already selling services rather than products (you can download all their stuff for free) even they would be minimally affected.

    So, as an advocate of open source and "free" software, I welcome the issues of product liability and the enforcement of merchantability. It would improve the industry, force it to get better, and would finally provide its customers what they've been promised all along - a better, easier life!

    What should happen? A date set for a software "merchantability horizon". All products released before that date would be exempt, any products released/sold after that date would have to fit the definition of merchantability, products sold before that point can continue on their merry way.

    Can you imagine how many people would upgrade their Windows if they knew that MS would be liable thereafter if it screwed up?

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Merchantability by BWS · · Score: 2

      really? I am sure that RedHat makes a lot of money on their 199.99 etc boxes for sale in stores to corporate customers...

      --
      -- Note: These Comments are Generated by ME! Not You! ME!
    2. Re:Merchantability by HiThere · · Score: 2

      But if I've read the EULA's correctly, it's been multiple decades since any mainstream software product was sold. They've just allowed you to access it for awhile. ... Of course, they say that it is leased, but it doesn't look like any lease that I've encountered in any other context.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    3. Re:Merchantability by Relic+of+the+Future · · Score: 2
      2. Merchantability is not liability. As far as I can see, this already covers software, correct?

      Nope. From GNU GPL:

      EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
      And most other EULAs say the same thing (or something similar). I'd give an example from MS, but I'm not within arms reach of one.

      Now, the GPL says there's no warranty because you didn't pay for this stuff. I don't remember what legal rigamarole MS uses. Can we fall back to arguing that most EULAs aren't legal instead?

      --
      Those who fail to understand communication protocols, are doomed to repeat them over port 80.
    4. Re:Merchantability by Kanasta · · Score: 2
      1. Software vendors exist today that will provide you with necessary levels of support and uptime/reliability. That's a fact.

      Paying to call a long distance line to be put on hold does NOT count as support.

      3. Liability holding software vendors responsible for how a client uses the software. This is a wrong idea. If I use inappropriate software to do a job then I should be accountable, not the vendor.

      While I agree with you, given the state of public liability lawsuits, where eg a drink driver sued (and won) against a local council because the road was not straight, You can be sure the courts will stuff up here too.

    5. Re:Merchantability by WNight · · Score: 3, Informative

      Those products were sold, before you got to see the EULA. Thus what the EULA says is irrelevant.

      The only software that is licensed is that which is agreed to before any money is paid. If you call up Microsoft and ask for a site license, they can hand you a list of restrictions. If you walk into CompUSA and buy the software, you've bought it free and clear.

      (And are only bound by existing law. You can't copy it, but you also can't use it to bludgeon someone with, and not because of any restriction from the vendor.)

  10. The Get Out of Jail Free Card by ackthpt · · Score: 3, Funny
    Campaign Donor [×]

    Non-Donor []

    A check in the Campaign Donor box guarantees the
    holder insulation from legislation which may find
    the card holder liable for any damages; further, the
    card holder may be eligible for assistance from the
    Department of Justice in legal matters.

    --

    A feeling of having made the same mistake before: Deja Foobar
  11. One model of liability for software by guerby · · Score: 2

    I believe a good model for liability in the software field is to move to the service and practitioner of the field model.

    A customer asks a practitioner of the software field to solve a particular problem. The practitioner then writes and/or reuses and/or adapts existing software to solve the customer's problem. Then the provider is liable for having provided a wrong solution according to current practices of the field.

    For example, delivering a closed source software with a poor security track record as part of a contract specifying security as critical would rank as an obvious cause of liability; since the provider chose it amongst various solutions, he/she will have to justify that choice before a court.

    I believe the regular mechanism to cover potential liability damage in other fields, insurance companies, will play its cleaning up role by not accepting to cover software solution providers with poor practices.

    It will probably also make the free software code base the center of most of these service providers, since it is easy to customize, most of the code base has well known status, and there are no hairy licensing issues when you use them.

    As for shrink wrap software, it should install on the designated system, but after that you probably have no recourse at all if this doesn't work that well.

    I attended a lawyer conference on software licenses and liabilities, and there are vague texts and no case law, and most lawyers were quite sure that the standard warranty disclaimer was with high probability invalid (under French law). They talked about services and "open source", and some recognized that using that as scientific knowledge and having practitioners use it to deliver solutions was like architects building bridges vs people creating mathematical models of gravity: the scientist is not responsible if an architect uses his/her model (reviewed and published in good faith) to design a bridge and it falls down; it is obviously the architect's responsibility to choose a model that works, to the level of the accepted practice of the field of course. If the architect has a solid track record, if the phenomenon is beyond current knowledge, then it is up to insurance companies.

    Since a piece of software shares a lot with a theorem applying to symbolic information I find this model of liability very pertinent to the software field.

    Disclaimer: I am not a Lawyer

  12. Cooool. by El+Camino+SS · · Score: 2


    Does this mean we can get a class action against uncle George for making crappy Star Wars (TM) strategy games?

    I think I'm going to get some money back for Force Commander!

  13. This proposal is a little like "software patents" by tkrotchko · · Score: 4, Insightful

    In theory, this should help the little guy and open source because they could be more responsible for their customer.

    But in fact, it will have the opposite effect. It means that software will have to be "certified" before it could be released.

    Little developers (guys in their basement) could never afford this. Big guys (Microsoft) could. Again, this favors big, established companies over upstarts.

    But more seriously, lets look at the worst issue with having liability for unsecure software:

    If I have a Firestone tire (as mentioned in one of the links), I expect that it will be safe to put on my car and drive up to the speed rating on the side. But if I used the tire as a swing in my backyard and I fell off and broke my arm, should Firestone be liable? After all, a lot of people use tires for swings, and they didn't do anything to make them safer for this purpose.

    Silly? Maybe. But now apply it to something like a computer operating system. What is its intended purpose? Basically its purpose is infinite. It will allow a piece of hardware to begin to have infinite possibilities. So now I have to make sure my software is safe in any possible circumstance that I can't even foresee!

    Mind you, I'm not excusing bad software, but I don't see how this proposal will do anything, because a new license will come out that people will simply have to accept something like:

    "I accept that if I use this software it is completely insecure and will allow bad people to do bad things to me and my computer. I completely waive all rights to bring legal action against the makers of this software, even if they knew there is or was a problem."

    This is a "good in theory, bad in practice" solution.

    --
    You were mistaken. Which is odd, since memory shouldn't be a problem for you
  14. No more GPL warranty clause by heroine · · Score: 2

    Now if you want to give away software you'll really have to pay for it. Sooner or later a responsibility document was going to happen but the areas where it's going to hit hardest are not in mainstream press but in free software, where programmers won't have enough money to release anything in the first place.

  15. Software liability vs 'real world' products by ip_vjl · · Score: 5, Insightful
    Unlike the 'real world' example of the tire mentioned in the BW article ... software developers have a much harder time controlling the environment in which their software is used.

    For example, if I buy a car tire from Firestone, but instead use it on some home-built dune buggy that I use to drive over lava fields in Hawaii and the tire blows (flipping me into the lava), should Firestone pay? I wasn't using the tire according to the specs that they call for the tire.

    Imposing liability on software will only force software manufacturers to list hardware/software configurations on which they are willing to accept liability. If you use the software outside of that configuration, then you're on your own. My guess is that this would disqualify just about everybody, as they'll only be able to certify a limited amount of equipment (as it will entail actually owning that equipment to test).

    I mean, would you accept liability on a product that can be used on a multi-use computer that may have god-knows-what software/hardware config?

    So this will lead to something like:
    • the back of the software box listing the exact system requirements that the software is good for (and liable on), and if you use it outside of that environment, you're no longer using the software as it was intended.

      Which then just gives software companies even more reason to offer less support, as they'll then only need to offer support on their specific hardware, or risk the liability of condoning the use of their software on unsafe/untested environments.
    • more incentive to legislate the demise of the multi-use computer in favor of locked computing appliances ... which is exactly what a number of people would like (think DRM)


    Think about it.

    1. Re:Software liability vs 'real world' products by Stonehand · · Score: 2

      But a lot of serious bugs do come from developer incompetence or carelessness, not compatibility issues. Look at Sendmail, for instance -- it has a long, long history of bugs, and most of them involve *just* Sendmail and aren't terribly configuration specific. Ditto for IIS bugs -- many of them are built-in.

      Things like buffer overflows are bad, period. There are extremely few reasons to, say, wantonly accept user input without checking length -- that's rammed into the head of beginning programming students, for cryin' out loud. "Handle border cases", we scream at them. "Don't trust the client" is another common refrain for server-client systems. Many issues come from when programmers just apparently don't give a damn about doing the right thing. "Don't ship with hard-coded back-door passwords" is another common-sense example.

      Most of that has NOTHING TO DO with system requirements, and EVERYTHING to do with not coding carefully. It's not like, gee, whoops, your code randomly mutates and develops security flaws ON ITS OWN.

      --
      Only the dead have seen the end of war.
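The unchecked-length bug Stonehand describes, as an added example that is not code from this thread or from any of the products named in it. The toy "USER <name>" command, the 16-byte field, the struct layout and the function names are all constructed for illustration. The first handler shows the pattern the comment complains about (copy client input into a fixed buffer with no length check); the second measures first, refuses what does not fit, and handles the border cases (empty name, exactly-full name, off-by-one on the terminator) explicitly. The unsafe handler is kept only for contrast and is never fed oversized input here, since that would be undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread. A toy line-oriented protocol:
 * the client sends "USER <name>\n" and the server keeps the name in a
 * fixed 16-byte field. Protocol, sizes and names are constructed here. */

#define NAME_FIELD 16

struct session {
    char name[NAME_FIELD];
    int  authenticated;   /* adjacent to name[]: the first thing an overflow clobbers */
};

/* Vulnerable pattern: trusts the client to send a short name. A name of
 * NAME_FIELD bytes or more runs past name[] into authenticated and beyond.
 * Present for contrast only; nothing below feeds it long input. */
int handle_user_unsafe(struct session *s, const char *line)
{
    if (strncmp(line, "USER ", 5) != 0)
        return -1;
    strcpy(s->name, line + 5);   /* no length check */
    return 0;
}

/* Hardened pattern: measure first, refuse what does not fit together with
 * its terminator, then copy with an explicit bound. Rejecting rather than
 * truncating silently means a too-long name cannot collide with a shorter one. */
int handle_user_safe(struct session *s, const char *line)
{
    if (strncmp(line, "USER ", 5) != 0)
        return -1;                          /* malformed command */
    const char *arg = line + 5;
    size_t len = strcspn(arg, "\r\n");      /* name ends at the line terminator */
    if (len == 0)
        return -2;                          /* empty name: border case */
    if (len >= NAME_FIELD)                  /* >= not >: leave room for the NUL */
        return -3;                          /* too long: refuse */
    memcpy(s->name, arg, len);
    s->name[len] = '\0';
    return 0;
}

/* Helpers that run the hardened handler on a fresh session, so each result
 * can be checked without sharing state between calls. */
int safe_status(const char *line)
{
    struct session s = {{0}, 0};
    return handle_user_safe(&s, line);
}

int safe_name_is(const char *line, const char *expected)
{
    struct session s = {{0}, 0};
    if (handle_user_safe(&s, line) != 0)
        return 0;
    return strcmp(s.name, expected) == 0;
}

int main(void)
{
    const char *lines[] = {
        "USER alice\n",                 /* fits */
        "USER 123456789012345\n",       /* 15 bytes: the longest name that fits */
        "USER 1234567890123456\n",      /* 16 bytes: rejected (would have overflowed) */
        "USER \n",                      /* empty name */
        "NICK bob\n",                   /* wrong command */
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-28.*s -> %d\n", (int)strcspn(lines[i], "\n"), lines[i],
               safe_status(lines[i]));
    return 0;
}
```

The interesting line is the `>=`: a check written as `len > NAME_FIELD` still lets a 16-byte name through, and the terminating NUL then lands one byte past the field, which is the off-by-one "border case" the comment has in mind.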
    2. Re:Software liability vs 'real world' products by CharlieG · · Score: 2

      What we have now in "System Requirements" is very broad - you will see a list like

      System Requirements (Hardware)
      1)Dell Optiplex GN1 (Of revision type D) with 12x CD-Rom Option, 256Meg Ram, Maxtor 20 Gig HD formatted with NTFS in 2 Partitions, one partition of 4 gig, the other 16 gig. HP LaserJet iV
      Dell Monitor Model D1025TM
      Dell Internal Network Card
      SoundBlaster Live Revision 1c

      System Requirements (Software)
      NT 4 SP5 installed on the First Partition in a directory Called "C:\IHaveNoControlOverMyConfigAtAll"
      System Admin Account Name = "ILikeIt"
      SystemAdmin Password = "ALot"
      System IP Address = 192.168.0.1
      Video Driver Rev 3 configured for 1024x768 Resolution in 16 bit high color mode, 72 hz
      No Other Software installed

      THAT is what system requirements would look like. Your system blows up

      - "Oh, I'm running the Video Driver at 60hz" -"I'm sorry sir, that is an unsupported system"

      "I can't get the Rev D Dell Motherboard, only Rev E"
      "I'm Sorry Sir, that is an untested Configuration, I can't help you"

      I'll tell you about strange bugs you find the first time you write shrink-wrap software

      Back in the days of Windows 3.1, I wrote a program for a client that was sold over the counter. If we got a bug report, we did our level best to fix it. Part of the program printed reports, and it worked fairly well

      Back in those days, HP sold a strange card for their Laser Printers. This card allowed you to use your PC as the Print Engine for the Laser Printer - you bypassed the Parallel Port, - It printed to this card, and the card drove the printer - It was faster.

      We get a call one day - One purchaser of this software had an IBM PS/2 Model 80 - These had the "Microchannel" architecture that was unique to IBM. He also had one of these HP cards. Printing just would NOT work. If the user used the Parallel port, everything was fine. When he tried it in a PS/2 Model 90, it worked fine - after maybe 20 hours spent isolating the problem, we found out that the problem ONLY occurred with a particular rev of the HP card in the Model 80

      We asked the customer if he would like his money back - I could NOT fix the problem - It was at a lower level than the APIs I was using, and the system config was rare enough that that was the cheapest way to fix the problem

      So yeah, we had a known bug - we never publicised it. If you called support, we would have told you. Guess what. The guy used the parallel port, and we NEVER got another call about that bug

      --
      -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
  16. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  17. Liabilities... by Fizzlewhiff · · Score: 2

    I've said it once and I'll say it again. CowboyNeal should be held responsible for these vulnerabilities. *grin* Anyway, here's a very similar slashdot discussion and the related article at eWeek which I don't believe is referenced in this new incarnation.

    --

    'Same speed C but faster'
  18. It can work, but.... by CharlieG · · Score: 2

    you won't like it.

    It will lead to VERY VERY strict licensing terms for software, and software development tool - sort of like Civil Engineering

    Let's say I was Microsoft (or ANY other software vendor)

    You buy a new motherboard - my answer is, "I do not approve of my software being installed on that hardware" - You will very quickly see things like "Approved Configuration Lists" - X Brand Motherboard, with Y brand Video Card, Z keyboard - ONLY. The "ONLY" other software I approve on the box at the same time is AAAA. Make any changes and you're on your own

    Heck, buy a car, change the suspension parts yourself to NON factory parts. Flip over due to your front wheel falling off - good luck suing the car mfg, you'll have to prove it was not YOUR changes

    --
    -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
    1. Re:It can work, but.... by bluGill · · Score: 2

      Heck, buy a car, change the suspension parts yourself to NON factory parts. Flip over due to your front wheel falling off - good luck suing the car mfg, you'll have to prove it was not YOUR changes

      Sure, now buy a new car. Modify the alternator to serve as a welder (this is doable). Now have a rollover. You will have no problems convincing the courts that your modification didn't cause the problem.

      When your example is modify the suspension parts, and then roll over, of course you have problems. Changing any suspension part changes the way the vehicle acts. If there is any suspension modification I would expect the vehicle to behave differently (sometimes better!) when driven to the edge of rollover. Of course if your change is shocks to a homemade shock it is impossible to prove they are liable for the problems. If your new shocks are just an aftermarket brand, the manufacturer will stand beside you to prove it isn't their problem. (Or alternatively, if it is their problem you are suing the wrong guy.) Or are you arguing that if I install an aftermarket brand of shock (assume a quality shock) but screw up the installation that the car maker should be liable for my goof? I won't agree to that.

  19. that depends on what "bad" means. by trb · · Score: 2
    This article is talking about security problems. That's only one kind of bad. Other kinds of bad include unreliable (hangs, bsods, whatever), incompatible, obfuscatory, and so forth.

    Microsoft might be able and interested to remove security bugs from their software, no downside for them there. But what if Microsoft would engage in some obvious "good software practices" to make their software less bad? Like what if they made their software simpler? More modular? Like if their OS could run whatever window system, window manager, file browser you wanted, a la UNIX. Or whatever web browser. Imagine.

    What kind of idiotic system design is it that has all these user-mode applications inextricably woven into the fabric of the OS? What unfathomable nonsense. What person who ever studied software engineering buys this silly story?

    How about if MS would use unobfuscated data formats, so that it would be easy to work with document data (let's grep through my .doc files!) or multimedia data (let's convert between .wma and .mp3!).

    How about if they had a simple and stable API for writing software, so that it would be easy to port software between the MS OS and other OS's. Fat chance.

    These are some of the things that make MS bad. Will they ever address them? Magic 8-ball says, "Outlook not so good."

  20. How deep does the rabbit hole go? by gregfortune · · Score: 3, Insightful

    Ok, so I'm currently working on an auction system that is in use by at least one company. They ask for a change in the software so the commission percentages that are charged to their consignors are handled in a slightly different way. I make the change and under certain conditions, it's now possible for the consignor to be charged half of what they should be. I can see there should possibly be some liability here especially if I were "selling" the product.

    btw, none of the things I'm listing here ever happened, I'm just supposing...

    Now, they ask for a change that resizes the storage size for the Notes for each customer. I make the change, but my code does not also make the change to their database schema. I provide a separate script that does that. The customer installs the upgrade, but does not upgrade the db. Who is liable? Can I be held liable for not making my upgrade *easy* enough if the client forgets to run the db upgrade script and loses data?

    Let go even further. I use MySQL for the db, python-mysql for the db module, python for the language and Qt for the interface. ReportLab is being used for pdf generation, lpr for printing, X-windows for launching the program, KDE for the desktop manager, and Acrobat Reader to parse the pdf files into ps for printing. Without these things, the program will not run.

    Now, due to a bug in MySQL, the company finds that it is losing n*$50 where n is the number of items in the auction for every auction. Perhaps the 50 entry fee is not getting stored correctly and suppose that's a database problem. Who's liable? Me, for leveraging off an existing system without it being totally stable? The db? Maybe in this case it's clear the db maker would be held responsible.

    Now let's lose some data because MySQL was not *configured* correctly. Who's fault now? Customer, me, or MySQL?

    Lastly, let's lose some data due to a bug in the database that was caused by an ambiguity in the API of glibc that allows a function to be called in a way that was not intended and works as expected most of the time, but is clearly not a bug when it doesn't work the expected way. Who now? MySQL? The library they used? Me for using MySQL? The customer for being stupid enough to hire me when I'm not even competent enough to ensure the tools I use have absolutely no bugs in them? ARGH!

    I'll tell you one thing... I'm never associating my name with a general library if this kind of thing goes through. Blame would very often be passed back down the chain as far as possible trying to find a scapegoat other than yourself.

  21. Is good software possible? by jc42 · · Score: 5, Insightful

    As a programmer, I have often given a simple explanation of why I can't write reliable software. On most vendors' computers (Microsoft obviously, but also Sun, HP, IBM and most of the rest), the inner workings are totally hidden from me. I can't even in principle know what a lot of my code will do in all cases, because I must make calls to the underlying system and its libraries, and the code for these things is a proprietary secret.

    What I usually use as a parallel is: Imagine that the people who built buildings or bridges were required to use commercial steel and concrete, but the specs for these materials were trade secrets. Imagine that construction firms had to use whatever material was delivered, and were not permitted to see its specs. There would be no way that anyone could calculate the effect of loads and stresses, and things would fall down under load.

    This is how software is built.

    On Open Source systems, it's somewhat different, because the source is available. But even there, you can only understand the system "in principle". You usually don't have the time it would take to thoroughly investigate all the components that you use. Open Source software does generally work better, true, but it's not because every programmer has examined every piece of the source. It's because a lot of them have examined a few pieces, and they can tell each other about problems (and fix them).

    This probably has significant legal impact. Consider the construction parallel again. If I design a structure and specify materials of a certain quality, those materials are used, and the structure collapses, I am probably liable. But if the material vendors substitute material with different properties (usually for cost reasons), all I need to do is show in court that the material didn't meet my specs. I'm not liable, and the vendors end up facing some serious fraud charges.

    With software, this sort of fraud happens routinely, with all sorts of system components that are delivered knowing that they don't do what the manuals say they do. Or the vendors don't even bother checking that things work right, because they know they can't be held liable. Then people hire programmers like me to write software using such shoddy systems, and expect us to write reliable software on top of it. Then it turns out that some parts of the system have "undocumented features", and the code doesn't work right.

    Until we find a way to force reliability on the Microsofts and Suns and IBMs of the world, the way we have with companies that sell steel and concrete, there's no way whatsoever that programmers can ever write reliable software.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    1. Re:Is good software possible? by Jerf · · Score: 2

      Nitpick further: Reliable for what definition of "reliable"? When Program A crashes through no fault of its own, but that Program B scrambled the process information in the kernel, in a strict sense, that renders Program A unreliable: You can't know it won't crash.

      It's not widgets that are the problem, it's everything. For all you know, your console library will crash the system on some input. Follow the link, that's not idle speculation.

      The fundamental problem with software is that like other mathematical entities, it only potentially takes one hole (and subsequent exploitation, accidental or otherwise) to bring the whole structure crashing down, from app to OS. (Or further; I've had Windows 3.1 programs that "reliably" (*grin*) managed to scramble the CMOS on their way down.) No physical structure and no physical metaphor (and by extension no thought processes that operate primarily by metaphor to the physical world) can fully capture this aspect of software.

      Reliable, in the strict sense, means 100%. My system has only rebooted spontaneously twice in the last month, but that's not 100%.

    2. Re:Is good software possible? by dghcasp · · Score: 2

      jc42's argument is recursive: jc42 can't make reliable software because his foundation isn't reliable.

      But the converse is not automatically true: If I had a reliable foundation, could I write reliable software? The answer is only if that is important to you. And the probable truth is that for most people, it would only be important if it was required by law.

      Given the current state of software, reliability is only really important to a few companies. Oracle, because their customers demand it. IBM's mainframe o/s's are really reliable, because their customers demanded it. Telecom equipment manufacturers are usually held to laws that require for "maximum 3 seconds unexpected downtime per year."

      If there were laws requiring software to be reliable, could most people write "reliable" software? Freed from the ability to blame the os/middleware/hardware/whatever and the "Your program crashed because Windows Sucks" defence, what would you do?

      Reliable and secure software can be written, but doing so requires a certain level of professionalism among developers, and an honest acceptance of the value of those things traditionally considered un-fun, such as

      designing for testability

      writing test cases

      designing for failure and recovery

      anticipating all possible failures instead of only the "success path" and handling failures later

      considering all the edge cases

      rigorous code inspections

      development processes

      doing real analysis and design

      In "real life," most coders don't even do simple things like checking the return value of close(2). Even fewer have any idea what they would even do with a failure case in close(2).
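What a checked close(2) actually looks like, as an added example in C that is not the commenter's code: every step of a durable write (write, fsync, close) is checked, and a failure is returned to the caller instead of being swallowed, so the program never claims the data is saved when it is not. The file path and message are constructed samples.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Close a descriptor and report failure instead of discarding it.
 * Returns 0 on success, -errno on failure. Portability trap: on Linux the
 * descriptor is released even when close() fails (including EINTR), so
 * retrying close() could hit a descriptor number that was just reused.
 * We therefore never retry; we only report. */
int close_checked(int fd)
{
    if (close(fd) == 0)
        return 0;
    return -errno;
}

/* Write len bytes from buf to path so that they are durably on disk,
 * checking every step: short writes, fsync (which surfaces deferred I/O
 * errors such as EIO), and finally close (which can itself fail, e.g. on
 * network file systems that commit data on close).
 * Returns 0 on success, or -errno of the failing step. */
int write_file_checked(const char *path, const void *buf, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -errno;

    const char *p = buf;
    size_t left = len;
    while (left > 0) {
        ssize_t n = write(fd, p, left);
        if (n < 0) {
            if (errno == EINTR)
                continue;            /* interrupted before any byte: retry */
            int err = errno;
            close(fd);               /* best effort; the write error is what we report */
            return -err;
        }
        p += n;
        left -= (size_t)n;           /* short write: loop for the rest */
    }

    if (fsync(fd) != 0) {
        int err = errno;
        close(fd);
        return -err;
    }

    int rc = close_checked(fd);
    if (rc != 0)
        return rc;                   /* e.g. -EIO: data may never have reached disk */
    return 0;
}

int main(void)
{
    /* Constructed sample: a "save" that is only reported as successful
     * when every step passed. */
    const char msg[] = "auction entry fee: 50\n";
    int rc = write_file_checked("/tmp/close_check_example.txt", msg, sizeof msg - 1);
    if (rc != 0) {
        fprintf(stderr, "save failed: %s\n", strerror(-rc));
        return 1;
    }
    puts("saved");
    return 0;
}
```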

  22. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  23. Interesting, but should not be an RFC by AdamBa · · Score: 5, Insightful
    First of all, I don't like these "soft" RFCs (aside from joke ones) that are not technical.

    Second of all, the RFC really has no force given the RFC language. The two key provisions, that companies SHOULD fix holes within 30 days, and that customers SHOULD apply patches in a timely manner, can both be ignored since "SHOULD" in RFC-speak is different from "MUST".

    Thirdly, this RFC is a bit too targeted at Microsoft:

    1) The Vendor SHOULD ensure that programmers, designers, and testers are knowledgeable about common flaws in the design and implementation of products.

    2) Customers SHOULD configure their products and systems in ways that eliminate latent flaws or reduce the impact of latent flaws, including (1) removing default services that are not necessary for the operation of the affected systems, (2) limiting necessary services only to networks or systems that require access, (3) using the minimal amount of access and privileges necessary for proper functioning of the products...

    This is too "ripped from today's Microsoft headlines". This stuff about removing default services is bogus. Something like UPNP in Windows (designed to make things easy for novice users) is useful only if it is turned on by default. Anyway, what does "not necessary for the operation of the affected systems" mean? You can run Linux without a GUI...so if an exploit is found in KDE or Gnome will someone jump up and say, "You enable the GUI by default and it wasn't necessary and you violated the RFC"? The solution to flaws in UPNP is to not ship with them, not to disable everything in the box.

    Fourth, what the heck is this supposed to mean:

    7) The Customer SHOULD give preference to products whose Vendors follow responsible disclosure practices.

    Can we please keep the social engineering out of the RFC -- this is an absurd requirement to put in there. Why not just say "Customers SHOULD give preference to open source software because we think it's k3wL"?

    - adam

    1. Re:Interesting, but should not be an RFC by WNight · · Score: 2

      UPNP would be just as useful if the user had to click a button called "Find Devices". Seriously, if you suggest users can't do that then you should support locking them up for their own good.

      Users would also benefit from having all their files easily accessible from anywhere by simply typing their SSN, without one of those hard-to-remember passwords. But the drawbacks of that far outweigh the benefits, so we call it a bug, not a feature.

      Ditto with the UPNP. Not having to click a button to turn it on might save a few seconds, but that's a small price to pay for some semblance of security.

  24. Learn from biotech? by dasmegabyte · · Score: 4, Insightful

    I think a lot of software is released buggy as hell simply because investors and customers expect development houses to show results very quickly. Many contract jobs are six months or shorter, barely enough time to come up with a dog & pony slideshow of great software, let alone develop a secure product. Most developers depend on tools from other companies to cover the gaps in the process -- tools like IIS and apache.

    The problem lies with the fallacy of internet time -- that software advances can keep up with hardware advances. The difficulty here is that Moore's law is based on years of research -- an advance in memory that doubles the speed next year will have begun five years or more ago with tons of R&D. Software doesn't really have that luxury -- it's all about the now.

    One might say that this sort of demand is a requirement in business -- but in many ways, it's a self maintaining fad. Look at biotech -- a biotech company might do research for dozens of years before they can release a new drug or procedure. They have amazingly tedious checks and balances. Why? Because human lives are at stake. Because a single slip up will cost them millions in malpractice.

    Holding software companies liable for security failures is a great idea in the respect that it will force dev houses to make better software. But in the process something will have to be done about the expectation that software is a need it now sort of deal.

    As a side note: this sort of legislation would be a godsend for contract programmers. If company X has to wait years for a secure product to come out of Microsoft or hire somebody now to do the work cheap and sign off on the liability, they'll probably choose the latter. It'll also decrease the feature blitz of new products that is leading to the increased need for pay for play software licensing.

    --
    Hey freaks: now you're ju
  25. The Sky Wouldn't Fall by medcalf · · Score: 2

    There is a lot of "sky is falling" rhetoric going on about this that is just wrong-headed. Clearly, it would be a bad idea to make a company liable in perpetuity for a software product, with that liability beginning the moment a vulnerability is reported to them, or worse yet, discovered.

    However, it is possible to write reasonable legislation around this. Consider: you can do any software task in hardware, albeit possibly less efficiently and frequently less easily and at higher cost. If you were to make a circuit which performed some function, and that circuit were to have an error which caused economic harm to someone, that person could sue you for damages. Thus, why should it not be legal to sue for damages a company which makes a product which *could* be reduced to a circuit, provided that the other circumstances were the same?

    If a law were written to allow users to sue a software company for liability, under the conditions that the company had known of the vulnerability for some time (say, 30 days just to be arbitrary, or say 3 years - whatever), and knowing that, had neither produced a fix nor issued a recall to all registered customers, I don't see a problem.

    You would certainly want a grace period for the company to fix the flaw or recall the product. You would probably want limitations on liability to the provable immediate losses, or the cost of the software, whichever is higher (possibly with some limited damages above that). You would likely want such a law to exempt programs distributed as or with complete and understandable source code, on the same basis that you couldn't sue someone who printed a design from which you built your own circuit. (That is, including source code would transfer liability from the producer to the user.)

    This would allow companies which depend on commercial products that they cannot inspect to have legal protection, while not bankrupting companies who act responsibly by fixing problems within a short period after they are found.

    -jeff

    --
    -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
  26. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  27. What if they refuse to fix a bug? by LrdZombie · · Score: 2, Funny

    I think making software companies liable for their products so they would be forced to fix reported bugs would be a great idea. I remember a year or so ago I found a bug in a game by Activision, and I dutifully reported it to them. I didn't make it public at the time, since I wanted to give them a fair amount of time to issue a patch, but their complete refusal to do anything about it leaves me little choice. Maybe they don't think that fixing the bug in Ghostbusters that prevents you from entering one of the buildings on the map from a certain direction isn't worthy of their attention, but dammit I paid $30 for that game back in 1984, and it interferes with my enjoyment of the product! The customer support rep's excuse? "I'm sorry sir, I've never heard of a 'Commodore,' so I must assume we do not support it." Where does it end?

  28. Too late by drew_kime · · Score: 2

    Mind you, I'm not excusing bad software, but I don't see how this proposal will do anything, because a new license will come out that people will simply have to accept something like:

    "I accept that if I use this software it is completely insecure and will allow bad people to do bad things to me and my computer. I completely waive all rights to bring legal action against the makers of this software, even if they knew there is or was a problem. "


    Okay, whose EULA were you quoting there?

    --
    Nope, no sig
  29. As reliable as? by sharkey · · Score: 2

    ...to make their software as reliable and trustworthy as electric, water, and telephone service

    Well, Windows is already more reliable than Ameritech or Indianapolis Power & Light Co. The water company still has 'em beat, though.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  30. Re:This proposal is a little like "software patent by willhelm · · Score: 2

    This is silly. First off, the Firestone thing caused DEATH. So if a software malfunction/bug caused DEATH because of the malfunction/bug, whoever wrote it should absolutely get sued for writing bad software. Just like malpractice suits. It's DEATH because of poor quality.

    Off of that tangent, I think this is a great idea. Maybe software will come out slower because people are being more thorough. Maybe software will have a higher quality because people spend the time rather than rush it. Maybe it creates a whole new insurance industry for programmer's insurance.

    Do you want missile guidance systems to have software bugs in them? Do you want your financial institution to "lose your accounts" because of bugs in the software? This is serious stuff folks. It's time to get serious about it.

    I personally don't think it'll hurt the little guys at all unless they're creating bad software. In which case, maybe it should hurt them.

  31. Opinion of one programmer by jridley · · Score: 3, Interesting

    Speaking for myself, I'm all for this. How many times have you wanted to do a better job but were given impossible deadlines, leading to shipping something you knew wasn't tested well enough, and hoping to fix the bugs later? Most programmers WANT to produce good software, but are not given time or tools.

    I hope that something like this will cause managers and execs to provide proper tools and sufficient time to produce truly stable programs. I do believe that, like other forms of liability, though, unless intentional negligence is shown, liability must stop at corporations, not individual programmers.

    Also, there must be still a way for free software to escape liability. If you're getting something for free, you can't expect the author to take liability.

    I would think that in this situation, Microsoft should WELCOME liability law; it would be a great selling point for them in the face of Linux, if they could say "if you use free software, nobody is liable if it destroys your business, but Microsoft IS liable for any harm caused your business by our software." I imagine that many corp execs would give that argument a lot of weight.

    However, at the same time I don't know if it would be 100% effective, because by now enough CTO's have realized that Linux (and other free solutions) is a more reliable platform for many applications, and it's still better for all involved to use something that works than to use something that causes you monetary loss and then try to recoup it in court.

    1. Re:Opinion of one programmer by Reziac · · Score: 2

      The last time this discussion came up hereabouts, I posted an idea for how to handle software liability.. let's see how much I can remember off the top of my head...

      Basically, each vendor rates his own product's reliability on a scale from 0 to 5.

      0 means "no warranty whatsoever, and therefore no liability" and would probably be what gets used by free software. That way the developer has no liability, and the consumer knows this in advance.

      On the far end of the scale, 5 would mean "100% reliable, therefore we're 100% liable if it falls down" -- a rating that no one would assign their product lightly, because if they're full of crap, it will have heavy legal implications.

      Software that is +5 reliable (with liability regs to back up such claims) would be worth more in the marketplace, compared to a similar product whose vendor had only +1 confidence in its reliability.

      Liability would have to be preset by regulation, with what is or isn't "reliable" defined. Penalties need to be on a sliding scale based on whatever factors seem needful, to codify it so it doesn't wind up being the ultimate court clogger, and to kill the monetary rewards from spurious claims.

      Also, independent reviews could use the "reliability code" to rate software, which would only be to the benefit of free software, frex: "OpenBSD has a vendor liability of 0, but we find that it fulfills all the criteria for a +5 rating!" It wouldn't take the consumer public long to catch on to the whole concept, either -- much as they now look for the "Designed for" logos on mainstream commercial products.

      I'm sure I've forgotten stuff from my original post.. feel free to look it up and repost anything I missed :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  32. Gotcha by Graymalkin · · Score: 2

    If you want liability for software kiss the GPL goodbye and look forward to a stifling of developmental progress in software. Under a liability law the GPL would be unenforceable because it provides that the author is in no way responsible for the software you're using. One of the two isn't going to work out and I think the liability law would have a little more clout. That is assuming people even develop software anymore. I'm not going to put myself in a position to get sued because of a bug in my software. I'm not going to go through the hassle and effort to try to start my own business if any software we write is going to lead to our legal raping because we couldn't possibly squash all the bugs in our code.

    The GPL and free software in general would be forced the way of the Dodo. If your license couldn't absolve you from responsibility for your code fucking up, a whole tenet of the GPL would be meaningless. Besides being impossible to develop, no one would continue to use it. If there's the possibility for a software glitch to cause monetary damage, are you going to pick a vendor you can sue or can't sue? Managers are going to go with the folks they can slap a lawsuit against in order to recoup damages. Why would you use an open source application in which a bug could cause you millions in damages that you couldn't recoup? The only reason managers go with open source software now is they can't sue vendors of proprietary software for bugs so they go with the lower TCO (whichever option that is).

    It is also ridiculous to compare an operating system like Windows to some RTOS or firmware system that control hazardous equipment. Windows and Linux aren't designed for use in hazardous environments. They also are not cleared to operate on certain pieces of equipment. If a system doesn't pass a safety inspection it isn't going to get sold. A heart monitor isn't going to run Linux and the control equipment for a nuclear reactor is not going to have Clippy morphing into a bicycle.

    --
    I'm a loner Dottie, a Rebel.
    1. Re:Gotcha by Chris+Johnson · · Score: 2
      The GPL is not a EULA. It is a redevelopment license, giving you rights you wouldn't otherwise have. It makes YOU the vendor.

      If YOU are the vendor, why the hell would you want to sue yourself, be it possible or not?

    2. Re:Gotcha by Graymalkin · · Score: 2

      If you are the vendor you can be sued. Was I not clear enough?

      --
      I'm a loner Dottie, a Rebel.
  33. liability - joy by cluge · · Score: 2

    Great, another revenue source for lawyers. Does any one else see a problem with this?

    Imagine someone suing every time they got a blue screen. The ONLY way to make the software super duper lawyer proof would be to overly control the hardware. Thus stifling innovation and the creative process as a whole. Remember that the original IBM PC and the clone makers were more successful than Apple because the box was open and could be added to and hacked with relative ease. No person's box will have anything "easy" about hacking at it after the lawyers are finished.

    For almost any problem where litigation has been the answer, the solution is often worse than the initial problem.

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
    1. Re:liability - joy by Animats · · Score: 2

      Imagine someone suing every time their car stalled. That's where we are now, and it works. Warranties cost auto companies a few hundred dollars per vehicle, and are built into the cost.

  34. It's amazing by alen · · Score: 2

    When it comes to stealing music off the internet all the open source zealots make comparisons about sharing physical items with friends.

    But when it's open source software that can be held liable for deficiencies it's somehow very different than physical products and it's up to the user to fix problems.

  35. Re:This proposal is a little like "software patent by HiThere · · Score: 2

    It will definitely hurt the companies that can't afford to hire a full time lawyer. The exact effects would, of course, depend on the details of the law. I suspect that one of the reasons for the degree of apprehension about this is that we have recently seen so many laws that were only to the benefit of whoever was the highest bidder.

    (Well, that's not strictly true. MS has benefited from laws designed to aid Disney. But if you consider categories of bidders rather than individual bidders, then it appears to be true.)

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  36. 1st amendment impact by mjh · · Score: 2

    IANAL, but IIRC, source code has been found by the courts to be speech. Software liability will create a prior restraint on the expression of that speech. I don't think that any liability laws will be upheld in the courts for people who release source code. They can claim that it's simply the exercise of their 1st amendment rights.

    But this will impact the distributions, who release software in binary form. I don't believe that binary code is considered speech. So the Red Hat's, SuSE's, Mandrake's, Debian's of the world might be in trouble with their current distribution method. But probably not the authors.

    All told, I still find the idea of software liability to be discomforting. Unless it can be done in such a way that it doesn't immediately disadvantage free/opensource software, either directly (by holding authors/distributors liable) or indirectly (by making free/opensource software a business liability since there's no one to sue), I think it's a really bad idea. See my journal entry for more details.

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
    1. Re:1st amendment impact by bluebomber · · Score: 2

      What about precedents like legal advice? If a lawyer gives bad/faulty legal advice, isn't he liable? Is legal advice "speech" (in the legal sense)?

      On another note: Binary code isn't speech?? What is the difference between source code and binary code? I can write my source code in assembly; surely you're willing to accept that as speech.

      You can try to make the case that binary code is not easily understood and thus shouldn't qualify as speech. But assembly code for some obscure processor might be just as difficult to understand as machine code for something common. I'm sure you wouldn't have to look around too hard to find some people who can understand machine code for some processor. (A couple of jobs ago I could disassemble a dozen or so of the more common MIPS instructions in my head; it only takes a little practice...)

      I read the argument in your journal about financial liability for corporations and I'm not sure I buy it. You're essentially saying that purchasing a cheap product without a warranty is more expensive than purchasing an expensive product with a warranty, all other things equal.

      Say you have the option to buy an Apache installation from XYZ Corp for $cost (and they will be liable for bugs), and you have the option of downloading it for free with no 3rd party liability. Assume they are packaged identically -- the only thing you're really paying for is the assumption of liability by XYZ Corp. All you've done is buy "bug insurance" from XYZ Corp for $cost.

      IANACA (corporate accountant): does the failure to purchase insurance create a liability on the balance sheet?

    2. Re:1st amendment impact by mjh · · Score: 2
      In stating that binary code is not speech, I was simply remembering what I'd read when the finding came out stating that source code is speech. IIRC, it specifically said that source code is speech, but binary code is not.

      I read the argument in your journal about financial liability for corporations and I'm not sure I buy it. You're essentially saying that purchasing a cheap product without a warranty is more expensive than purchasing an expensive product with a warranty, all other things equal.

      That's not what I am saying at all. I don't support this idea. IMHO, it's flawed logic. However, that's the logic that already gets used in corporations all over the place. As a consultant, I can't tell you how often I've been told, straight in the face by an otherwise intelligent business owner, "We don't use that because there's no one to sue if we have a problem."

      Business owners are willing to pay extra money for lowered liability. They're willing to go with a proprietary product today because they think it's a lower risk, even if it costs a ton more. I don't want to see a world in which a business owner can say, "there's no one to sue," and actually be correct. Right now you can simply say to that business owner, "Well actually there's no one to sue in any circumstance. Read your EULA." But if software liability becomes a law, open source/free software will suddenly become a business liability, since in that case there really is no one to sue.

      Business owners are out there trying to manage the risks to their business. They're more than willing to pay handsomely for lowered risk. If it's suddenly a business risk to use open source/free software, I think that's a bad thing for open source/free software.

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  37. How about a compromise by ch-chuck · · Score: 2

    As it is, software companies get off scot-free, with only their reputations at stake (and those w/ deep pockets can afford the advertising budget to counter the bad experiences and boost their reputation). But it would be nice to see some sort of financial incentive to produce better quality, reliable software instead of just a lousy implementation of the latest greatest big idea. Just like there are contracts that reward being completed on time and punish being late, we could have mandated licensing terms where a major bug (like the UPnP hole thing) VERIFIED by a disinterested 3rd party, would result in a partial refund, to partially cover the expenses of patching. I would not go so far as making a company legally liable for some of those always overinflated 'costs' that show up in class action lawsuits. No one should have to code in fear that a missing comma is going to cost the company a million dollars. But a simple system of rewards and punishments to get over the 'flashy crud' that so many consumers fall for, and onto a more stable, robust, secure world.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  38. Separation of return address from writable data. by chris_sawtell · · Score: 2, Insightful

    A large proportion of the security problems would just go away if the subroutine return address was stored in a separate memory area from the data area. This would make the buffer overflow / stack-smashing type of attack impossible. It's such a simple idea I am amazed that it has not been implemented long ago. There must therefore be something wrong in my thinking, what is it?

  39. Who sold it? by drew_kime · · Score: 2

    I write an anti-spam filter and post it into the public domain (Open Sourced). Microsoft uses it in their next whiz-bang mail server.

    Who sold it, you or Microsoft? The one selling it bears the liability. Same as when a component of a physical good is defective. The end user sues the seller, and maybe the original component manufacturer. The seller may also sue the manufacturer to recover their own legal costs.

    But end users always sue the guy with the deepest pockets. In your example, I don't think many people would waste their time suing you.

    --
    Nope, no sig
    1. Re:Who sold it? by bluebomber · · Score: 2

      But end users always sue the guy with the deepest pockets.

      The rule is: sue everyone and see where the money is.

  40. Latest UCITA mods reverse this by coyote-san · · Score: 2

    Incredibly, the latest proposed UCITA modifications (to make it acceptable to more states) is the exact opposite of this.

    Commercial software is exempt from all liability. Even if they acted in bad faith and consciously lied to you about the presence of critical bugs, you have no recourse.

    Open source software is held to the highest legal standards.

    The legislation doesn't state it this nakedly, but it moves commercial software out of the "product" category and into a new category, so none of the consumer protection or product liability laws apply. Esp. if you never release the "final" version of your software.

    In contrast, other definitions apply to all software. But since there's no exchange of "items of value" with OSS, there's no contract and it gets hit with the full power of the law.

    This is totally indefensible for the reasons mentioned elsewhere. Microsoft has the ability to test its software better, and denies me the ability to protect myself, yet it gets a free pass. Meanwhile the guy who spent his weekends trying out an idea and who posted it with warnings that the code is not yet well-tested could lose his house.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  41. This is what contracts are for by wfrp01 · · Score: 2

    If you want your software to be guaranteed to have feature 'x', then demand that your vendor sign on the dotted line a promise that the product meets your expectations. And be prepared to pay money to get what you want.

    Otherwise, read the damn license. You know, the one that says "NO GUARANTEE OF FITNESS TO RUN NUCLEAR POWER PLANTS BLAH BLAH BLAH". If a vendor is explicitly telling you that they are NOT promising you anything, then you are just plain stupid to think that you have the right to demand more. If you don't like it, put your money back in your pocket.

    Where you might take issue is with products that hide the fine print inside the shrink wrap. Of course you have no such problem when you can see the source.

    --

    --Lawrence Lessig for Congress!
  42. Doesn't the standard EULA take care of this? by DohDamit · · Score: 2

    I seem to recall, in big bold letters, a statement at the end of the standard EULA that says without question that installing the software makes the user assume any and all responsibility for loss due to the installation or use of the software being licensed. Even if the law generally requires people to give reasonable disclosure, I don't see how someone can't use the EULA and say, "Sorry bud. You read the agreement, and there's your notice."

    Lawyers please reply.

    1. Re:Doesn't the standard EULA take care of this? by kindbud · · Score: 2

      My secretary installed that software, and I agreed to nothing. I see no contract. Where is the piece of paper with my signature? Prove that I read and agreed to anything.

      --
      Edith Keeler Must Die
    2. Re:Doesn't the standard EULA take care of this? by Stonehand · · Score: 2

      Then you have zero right to use the software.

      --
      Only the dead have seen the end of war.
    3. Re:Doesn't the standard EULA take care of this? by kindbud · · Score: 2

      I've every right to use it. I have an invoice right here that proves I paid for it. If the money I spent does not give me the right to use it, then what have I paid for?

      --
      Edith Keeler Must Die
    4. Re:Doesn't the standard EULA take care of this? by Chris+Johnson · · Score: 2

      The previous poster is unclear on the concept that a contract can be invalid because it's ludicrous :)

  43. No, merchantability doesn't currently apply by drew_kime · · Score: 3, Interesting

    Merchantability is not liability. As far as I can see, this already covers software, correct?

    Most modern EULAs specifically disclaim merchantability to any purpose whatsoever. The poster you're replying to is simply saying that if your software doesn't do what the seller said it would, then they owe you your money back.

    You downloaded it for free? Then they don't owe you anything. You paid $50,000 for multiple installations and several hundred user seat licenses? They owe you a refund.

    --
    Nope, no sig
    1. Re:No, merchantability doesn't currently apply by dattaway · · Score: 2

      You paid $50,000 for multiple installations and several hundred user seat licenses? They owe you a refund.

      Don't forget interest on that price as it can add up too.

  44. Software Engineering by pmz · · Score: 2

    One thing that is encouraging is that Software Engineering may become a real discipline and not just a buzzword. It is inevitable that Software Engineering will take the same course as other traditional engineering disciplines. Our reputations depend on it.

    One thing that is discouraging is the possibility that hobbyists will be shut out depending on what sort of legislation occurs. This is something that hasn't happened in many other disciplines. Would wonders like TLC's "Junk Yard Wars" be possible if the Mechanical Engineering industry were regulated to death? What about model rockets? Home chemistry sets? Do-it-yourself electronics? Helping your neighbor build a tree-house for the kids?

    I hope the people behind any new legislation understand that purely non-commercial efforts, where the would-be customers pay nothing and nothing is promised, should not be regulated.

    Free Software is non-commercial and nothing is promised to the end-user, so it should be left as-is. However, those who choose to commercialize it, such as Red Hat or IBM, should be willing to accept some liability. After all, they are making money off of it.

    In conclusion, software should be treated just like any other product. If money is being made off of it, then the customers are due what they paid for. If no money is involved, the lawyers and politicians should just keep their hands off.

    1. Re:Software Engineering by Chris+Johnson · · Score: 2
      One interesting thing about this is, it's not really about money. It is about AUTHORITY. It's interesting to look at what you've just said from an anarchist perspective....

      It's about what context you're in. If your neighbor builds a treehouse for the kids and it's crap and your kid breaks a leg when it falls apart, what do you do? Some people are so thoroughly trained to authority that the first and only thing they think of is suing- immediately turning to the highest available authority, to force an outcome.

      What other ways of addressing the situation might arise? Well, you could talk to the person. Let's assume the person is deranged, hostile, and you'll get nothing out of them, even an apology. They'll carry on like they were doing. What can you do in absence of authority? The answer is, your context includes a community- you talk to the community. Maybe not to help yourself, but you put the word out. Maybe people will help you out in your time of need. The point is, you aren't existing in a social vacuum and neither is your neighbor- even if you cannot resort to AUTHORITY to COMPEL your neighbor to make restitution to you (and set what that restitution can fairly be), you can still take advantage of your (not-authority) community and arrive at a consensus that deals with the fact of the irresponsible treehouse-builder. There may be many adjustments made to deal with this reality.

      Now, what does this have to do with software legislation? Is it an argument against ever legislating anything? Not exactly. The argument for anarchy has some underlying assumptions- which don't always hold.

      It's assumed that the person you're dealing with is OF the community. They may not be. In the case of something like Microsoft, it is not: what you do and say is really of no concern to it. As it happens, Microsoft makes USE OF AUTHORITY- copyright, contracts backed by the U.S. Government- it wields authority itself while being exempt from it in the sense of being held liable. If there was no copyright, no licensing agreements and user agreements etc. then it would be less worrying that Microsoft itself is exempt from any authority.

      There is also the assumption that you are capable of communicating your views to others in your community. And there are too many software vendors already who're trying to not only suppress, for instance, information about settlements (like, suing someone, settling, and part of the terms is that you cannot talk about what you'd sued about) but even negative reviews! Microsoft does some of this as well, and it is poisonous to any operating anarchy- as well it should be, since what is to enforce these requirements that information not get out there? The government, of course. So again, it is abuse of government for the purposes of obliterating the ability of a community to protect itself via communication about threats.

      And this also holds for the continuing efforts to suppress bug information and security hole information- the important thing to a Microsoft is not the hole, but establishing sufficient AUTHORITY to prohibit anyone communicating information that might be unhelpful to Microsoft's goals.

      So- with the situation the way we have it, it's really not feasible to have half-anarchy, with Microsoft et al running around exempt from any authority. They themselves use government as a lever to inflict authority on others, and it's pretty unlikely that this will be changed. Bringing liability to the software industry effectively wrests SOME of this authority out of Microsoft's hands again, and places the law above them instead of making the law entirely their bitch ;)

      The concern that Microsoft would use this to obliterate all other software companies is VERY well thought of: of course they would, it's the first thing Ballmer thought of in another context. However, malicious harassment by lawsuits IS, I think, illegal: if I'm not mistaken, this is called 'barratry'? The fact that it's not reasonable to prevent them from doing this is a problem. Who says there can't be multiple problems? In this case, Microsoft's willingness to abuse authority is a problem, not a normal condition. It's not to be taken for granted as standard operating procedure and an excuse to not use liability.

      The bottom line is, liability is a structure of authority designed to supplant anarchistic negotiation between equals. It is not a superior solution- as long as such negotiation is still possible. Well, with entities like Microsoft, negotiation is NOT possible: they by design have enormously more power and authority than individuals do. As such, some structure of authority NEEDS to be worked out that will deal with them, otherwise they will simply continue to run amok. So, the anarchist viewpoint on this is ironically, "The existence of these super-powerful and authoritative entities is already so fscked up that some kind of regulation's gotta be made to deal with them. They're creatures of regulation in the first place- either disband them or come up with ways of interacting with them that are APPROPRIATE to their power and authority. Pretending they should be allowed 'anarchy' on grounds of personal liberty is intellectual wankery... if they want true lack of liability, let them be disbanded, and repeal all copyright and licensing laws while you're at it, so THEY can do nothing to YOU either!"

  45. What would I do? by Rocketboy · · Score: 2

    Obviously, since simple software is both more reliable and easier to prove, I'd limit myself to simple software. Good-bye GUI, hello command line. Also, since most software these days is built heavily dependent on someone else's libraries, I'd either have to have the source or roll my own: black boxes, no matter how well guaranteed by the vendor, won't fly because of the costs of litigation. So what we end up with are small, simple programs to which the source is widely available and easy to tinker with.

    Is it me or does that sound very familiar? :)

  46. Airplane maker parallel by edremy · · Score: 2
    Before deciding this is a great deal, consider the airplane industry. (I'm talking light planes, not airliners.)

    Before WWII, there was a thriving business with dozens of light plane makers. You could buy good, cheap little planes. After WWII, there was some consolidation in the industry but you could still get a decent little plane for reasonable bucks.

    Then the lawyers got involved. Liability lawsuits appeared everywhere. Since planes stick around for a while, a crash of a 20 year old model was still grounds to sue. Cessna quit making anything smaller than a corporate jet. Piper nearly went bankrupt. The entire GA industry entered a slump.

    Finally, Congress acted and set strict liability limits on older light planes. (If it's been flying for 15 years, the maker probably isn't at fault.) Liability is still a problem though: a decent light plane that can carry a small family costs as much as a house now. This isn't a fancy plane: cloth seats and barely enough room to move your feet.

    There are a few small makers out there (Cessna came back), but almost nothing cheap is left. You can build your own from a kit and slap an "Experimental" tag on it, but that leaves *you* fully liable for anything that happens. (Then again, as a pilot it was probably your fault anyway.) You could go for an ultralight, but that's for sightseeing, not for travel.

    End result: a few companies sell a few, very expensive planes to rich people. Folks like me with a pilot's license but no trust fund rent aging C152s on weekends since we can't afford anything else. (Someday I'm going to build one, but I've got a 7-month old kid and a mortgage right now.)

    Liability is almost certainly the wrong way to do this.

    Eric

    --
    "Seven Deadly Sins? I thought it was a to-do list!"
  47. Lets jump OFF the bandwagon by RembrandtX · · Score: 2

    My gut instinct (like many people here I'm sure) was to say, 'GREAT .. now M$ has to fix their holes.'

    Bad move on my part .. after thinking about it (and finishing the article), many smaller companies (shareware/freeware) are gonna get nailed on this first.

    The one-man open-source grassroots guys are gonna get hammered.

    Hell .. anyone wanna bet how quickly the new M$ department that checks for vulnerabilities in competitors' products would get formed? Why spend years in court .. when you can just bury them in paperwork *THAT THEY LEGALLY ARE RESPONSIBLE FOR*.

    I for one .. vote no.

    --

    --Ne auderis delere orbem rigidum meum, non erravi pernicose!
  48. Re:This proposal is a little like "software patent by debrain · · Score: 3, Insightful

    Recall that an American Destroyer was rendered dead in the water as a result of NT crashes and space shuttle missions rendered write-offs because of NT crashes. Not to pick on NT, but these are cases where lives did depend upon software. Death is just an example of liability.

  49. The draft is quite dead by Florian+Weimer · · Score: 2

    The authors assume that there is consensus regarding dealing with disclosure of vulnerabilities, at least in the industry, i.e. some limited information is published.

    However, this assumption is false. Have you ever read about a security hole in z/OS? Or SAP? Do you think these products are completely error-free?

  50. Security and Reliability are different by interstellar_donkey · · Score: 2

    There are two elements to this: loss of revenue resulting from software failure due to poor design, and failure due to illegal activities.

    Software is a tool. When you pay for software you have an expectation that the software will do its job. If it fails to do its job and results in loss of revenue because of its poor design, then it seems clear that the company who designed the buggy software should share some of the liability.

    On the other hand, when a security hole is found and exploited, the ensuing loss of revenue is the result of a criminal activity. Why should software companies be held liable for the actions of law breakers? (unless the software is implicitly designed as a security tool).

    If I buy a new TV set and a week after I get home it doesn't work because of a defect in the manufacturing process, I expect the company who made the TV to make reparations. If it doesn't work because vandal kids broke into my apartment and smashed the screen with a baseball bat, I doubt it would be fair to file suit against Sony because they didn't make the screen with thick enough glass.

    Of course, Microsoft shoots itself in the foot every time it mentions 'secure' in its marketing. By doing so, it implies that security is a feature of its software, and in turn should bear legal liability for its own security holes.

    Personally, I'd like companies to make software that works. Microsoft should focus on making an operating system that doesn't crash. In turn, other companies should focus on making software that protects the operating system from criminals.

    If anything should be done in the courts, some legislation that would force software companies to release source code to third parties in the business of security for review would be a good start.

    --
    The Internet is generally stupid
  51. Perpetual Beta by gnovos · · Score: 2

    Of course, any liability law would have to have a clause for beta testers, because you can't hold someone liable for failing while in the TESTING phase (If you could, test tracks all over the country would be bankrupt). The solution will naturally be that everything gets released as a beta. Everything. Office Xb, Mac OSb, Linux Kernel 2.5.4.7.1.1-prebeta-RC4-b ... um, ok, Linux kernels will remain unchanged.

    --
    "Your superior intellect is no match for our puny weapons!"
  52. New License? by belroth · · Score: 2, Interesting
    Is it time to start work on a new software license to cover this? Add a clause to the GPL running something like "This software may not be used in the United States of America" and appropriate warning screens/click throughs indicating the same.

    Sad, but those of us not in the Land Of The Free may have to consider this eventually, sort of an inverse case of the situation that used to exist with encryption and the US. Sigh.

    --
    I hereby inform you that I have NOT been required to provide any decryption keys.
  53. When not if, Liability & OSS by Mr.+Fred+Smoothie · · Score: 2
    First off, as I've said before, this is GOING to happen, like it or not. Every trend in the industry is pointing that way. Texas licenses software engineers and other states will eventually follow; post 9/11 the govt. is very concerned about security and more inclined to legislate it; and consumer advocates have been pushing for limiting or doing away w/ warranty disclaimers for some time. Everyone here doing software development for a living (whether for a giant corp or self-employed developers doing consulting gigs) better either prepare for liability for faulty software, get out the pocketbooks and lawyers to start lobbying madly, or find a new career.

    WRT Open Source software, I see no a priori reason why OSS developers should be any less liable than commercial software companies, PROVIDED that certain reasonable guidelines apply:

    1. liability should never exceed the amount of money the developer/company *received* from the customer or class of customers unless gross negligence can be proved;
    2. in cases of gross negligence, the liability should coincide with the amount of *actual damages*; i.e., you don't get a million bucks because someone was able to read your web documents unless that act actually cost you $1 million in losses;
    3. developers should be reasonably shielded from liability in cases where the customer/user *actually* modified the software (not just *had* source available) -- if the modifications had a substantive effect on the security or safety of the product;
    4. parties can enter binding legal contracts to alter the balance of liability -- in instances where the customer *plans* to alter the software, whether they end up doing it or not. CLICKWRAP LICENSES DON'T COUNT.

    These measures will only benefit the software industry; serious programmers will have the satisfaction of working in a climate where time to market takes a back seat to quality (because the law penalizes nonconformance to this norm); software processes in the aggregate will improve for the same reason; customers and users will have a better experience with software in general and will have more respect for practitioners who take the profession seriously.

    And people who lack confidence in their abilities to generate bug-free code can buy liability insurance, just like many other professionals currently do. In other words, software professionals can finally expect to *earn* the title!

    --

    1. Re:When not if, Liability & OSS by kindbud · · Score: 2

      3. developers should be reasonably shielded from liability in cases where the customer/user *actually* modified the software (not just *had* source available) -- if the modifications had a substantive effect on the security or safety of the product;

      I completely disagree. Availability of source should shield the developer from liability. Kill two birds with one stone: you're off the liability hook if you release source, simple as that. I think the benefit to the public of opening the source outweighs the benefit of holding liable those who release source. Only hold liable the ones that do not release source. They are the only ones withholding information, they are the only ones keeping the customer in the dark about the risks.

      --
      Edith Keeler Must Die
  54. Killing open source in corporate environs... by Logic+Bomb · · Score: 2

    Businesses like to (and must) manage their risk. If software companies are in fact reasonably liable for bugs/security issues in their software, IT managers and their bosses will have to weigh the ease with which they can tell their lawyers to sue someone against trusting their network administrators and support personnel with verifying open source software is secure. If the current sheep-like decision making holds -- *bleat* Buy Microsoft! *bleat* -- this could result in much less corporate adoption of open source software.

  55. Bogus by Mr.+Fred+Smoothie · · Score: 2
    Your comment points out why the assumption embodied in this whole thread is bogus (no offense to anyone):

    It is like somebody giving out free basketballs. If the free basketballs were made with defects, you have no basis for forcing the giver to fix your basketball.

    If you give me a basketball which unbeknownst to me is filled with an explosive gas, which then explodes and burns me severely, you should be liable. The extent of your liability should of course be mitigated by whether you were nefarious (you knew the basketballs were dangerous, took steps to cover it up, deliberately didn't warn me not to play basketball in lightning storms, whatever) or are just an incompetent basketball maker. The fact is regardless of the cost of the initial transaction, you have cost me greatly in damages. The premise of any commercial transaction is that no party gives up something without assent. If you give me something without charging me, it can be assumed that you assent to not receiving payment, but you can't reasonably infer my assent to being grievously harmed!

    I believe this is pretty much the way it works with everything except software, and recently some courts have started invalidating clickwrap licenses on the basis of arguments like these (which IIRC was one of the motivations for the UCITA). In other words, in the literal basketball example you would currently legally be liable (AFAICT, IANAL, etc). Why should Free Software be any different?

    --

  56. First things first by bstrahm · · Score: 2

    First off, this is an Internet Draft. Anyone can write one; with a simple boilerplate saying that ISOC owns the copyright on it (so they can publish it for 6 months) and some formatting, I can publish an Internet Draft that says anything (I have published a few too...). THERE IS NO SUCH THING AS AN RFC Draft.

    Second, this is going non-standards track, and as such has no weight, either protocol-wise or legally.

    Oh well... It must have been fun to write, ZDnet in London had a link to it a week ago, where they tried to pawn Mr. Culp off as the author... Oh well.

    Thank you... Come again

  57. Everyone except us... by fmaxwell · · Score: 2

    Most businesses that contract software have an SLA (service-level agreement); if the software doesn't meet certain standards, the supplier must pay a penalty. For the most part, the more serious potential problems are handled privately, without the need for some sweeping government iron hand.

    And how does that help some small business when they buy a copy of Windows* and it hoses, costing them hours of work? How does that help them if Outlook Express cheerfully formats someone's hard drive because some kid in Brazil sent a virus-infected e-mail that exploited yet another Windows/HTML/Javascript/VBscript/etc. flaw? Most businesses buy and use commercial software for which there is no SLA available. Ever try to get Microsoft to agree to an SLA?

    I am a software engineer and have been for over 20 years. I am still astounded by the "everyone except us" attitude. Why should we hold Boeing liable if one of their jets has an engineering flaw that kills people? The engineering in a commercial jet is far more complex than the engineering in 99.99% of the commercial software that's been written. The same can be said of automobiles, skyscrapers, submarines, satellites, and nuclear reactors. But we don't exempt the companies that produce those items from legal liability.

    And don't tell me that "software flaws don't kill people." Software flaws in aircraft and medical equipment have already killed people. When a software flaw takes the phones down and people can't call 911, it can kill people.

    1. Re:Everyone except us... by JamesOfTheDesert · · Score: 2
      And don't tell me that "software flaws don't kill people."

      OK, I won't. What I *will* tell you is that getting a computer virus that formats your hard drive is a far cry from someone dying. For those extreme cases, there already exists legal resources.

      For the less dramatic cases, I would ask you if your store-bought software failed to live up to the claims of the manufacturer. If so, then you can sue the company.

      If you choose to buy a product where the manufacturer makes no claims for the product, and doesn't guarantee its safety, then that's your business.

      In the long run, consumer education will accomplish more than state intervention.

      --

      Java is the blue pill
      Choose the red pill
    2. Re:Everyone except us... by fmaxwell · · Score: 2

      If you choose to buy a product where the manufacturer makes no claims for the product, and doesn't guarantee its safety, then that's your business.

      And if you insist on only buying software for which the manufacturer guarantees the performance and safety of the product then you will be out of business!

      I know of no major piece of commercial PC software in existence that comes with a performance guarantee. It doesn't matter if you are talking about Windows, Partition Magic, Microsoft Office, Borland C++ Builder, or Quake III. Every one of them has language disclaiming responsibility if their software malfunctions.

      In the long run, consumer education will accomplish more than state intervention.

      Right. We'll educate consumers about software performance guarantees and then they can demand that Microsoft and other software publishers provide such guarantees. Then the software publishers will refuse. And what will the next step be in your world sans consumer protection laws?

  58. There's a big stick here... by kindbud · · Score: 2

    I think any developer who releases source code should be shielded from product liability. The only ones that ought to be liable are the ones that keep the source code private.

    If you release source, you have fully disclosed the capabilities of, as well as the flaws in, your product, and any liability laws ought to recognize that and reduce or eliminate your liability burden. If you decline to release source, you should assume liability for the undisclosed capabilities and flaws in your product. It would then be your choice whether keeping your code proprietary is worth assuming the liability burden.

    Admittedly, I haven't thought about this a lot, but it has a certain logical appeal to it. There might be some ways around it. Maybe Microsoft releases source code to Windows 95 claiming it is for Windows 2000, hoping no one would notice. Maybe small firms or individuals that want to keep code proprietary are unfairly burdened. Or maybe lack of liability and/or source unfairly burdens the customer, regardless of the size of the vendor. I dunno... what do you think?

    --
    Edith Keeler Must Die
    1. Re:There's a big stick here... by Stonehand · · Score: 2

      Bull. Take apart your car. You can break it down into components, and you can verify how much of it works -- at a large scale, anyway. You can even replace the engine or make other significant modifications.

      Yet, the car manufacturers are still liable if they screwed you over badly, by, say, having utterly unreliable engines -- even though you COULD possibly fix it yourself.

      And there are many small companies that do have potential liabilities without needing to retain lawyers. Generally, it helps if they're more competent than, say, incompetent programmers.

      --
      Only the dead have seen the end of war.
    2. Re:There's a big stick here... by kindbud · · Score: 2

      Analogies to cars only go so far, we must acknowledge. They are useful to try and get a grasp of what direction to go, but when it gets down to details, the analogy breaks down. That doesn't mean that the broader analogy is invalid, it just means it has limited application to the software situation.

      It's not unreasonable to expect that inasmuch as software as-a-product resembles a car as-a-product, the same rules ought to apply. By the same token, where they are different, the rules might need to be different.

      --
      Edith Keeler Must Die
  59. Liability where? by SecurityGuy · · Score: 2
    IANAL, of course, but I find this a stretch. RFCs are nothing more than a loose agreement. Everyone's life is easier when we adhere to them, but it's certainly common enough to have people, organizations, and products which don't. I'll buy this when I see prosecutions for negligence for every host which doesn't have postmaster@ routed to a real, live human. RFCs are also full of wiggle room. Lotsa SHOULD, not a lot of MUST. In this case reporters SHOULD everything, vendors mostly MUST. I can see software vendors backing away from this because it places the burden entirely on them while allowing reporters to decide for themselves whether they should follow the process or not.


    How much of a stretch is it to see M$ declare that they don't agree with the RFC, that it's an irresponsible process, so they're not going to play? I'd be surprised if they did anything else.


    Sorry, but I see this as a weak claim. Sadly, law often seems to work counter to how rational people would expect, so we'll see.

  60. Please! by Mr.+Fred+Smoothie · · Score: 2
    You are assuming that the customer is *as capable as the developer* in assessing the risks, and in most cases that's just not so! If your software is going to be used solely by other programmers, great. Enter into a binding legal contract w/ them which states that they will waive all claims against defects. But don't seriously tell me that if some small business uses Apache (which the proprietor's nephew kindly downloads and installs for them) and through an actual flaw in the software suffers some actual damages -- sensitive financial info of a third party, i.e. customer credit card data, is compromised -- you think that the *non-tech-savvy* small business proprietor should bear the legal burden for the loss?

    Gimmie a break. THAT will kill free software, *not* imposing liability!

    --

    1. Re:Please! by kindbud · · Score: 2

      People seem to be able to learn of safety problems with cars, insofar as the manufacturers and government do not conspire to conceal problems. Most motorists are not mechanics. They learn about problems from people and organizations that have mechanical expertise and can evaluate these things. How is this any different for software? If the source is available, someone is going to study it and issue a report, especially if it's a popular product.

      I admit, there is a problem in this idea for vertical market products where the developers and the users are part of a specialized discipline. Few outside experts would audit source code for a specialized mathematics package that has a small customer base. I don't know what, if anything, might or ought to be done to address that.

      --
      Edith Keeler Must Die
  61. Legal liability would kill independent developers by serutan · · Score: 2

    Nobody would do software development except companies that can afford massive liability insurance. Experts don't even agree on whether it is theoretically possible to guarantee that code is bug-free. Software liability is an attempt to milk money out of the inevitable. Bugs happen. Kids fall off tricycles. Coffee is hot. The last thing I want to see is for the litigation industry to grow in yet another direction at everyone else's expense.

  62. The key word is... by Mr.+Fred+Smoothie · · Score: 2
NEGLIGENCE. If one can persuasively argue that it was a foreseeable consequence of the design of explosive-filled basketballs that someone would get hurt, then the fact that it's an "accident" has no bearing at all. Ignorance does not excuse negligence. If I can't be bothered to figure out whether or not the things I make are safe, I have no business selling them OR giving them away.

    But you're right, I guess people don't actually ever get sued for people falling down and hurting themselves on slippery sidewalks in front of businesses ("accident", you cry) or getting burned by a cup of McDonalds coffee ("accident" you merrily chirp again).

    Oh, wait; they do! For millions even!

    --

  63. This could get interesting... by MongooseCN · · Score: 3, Interesting

Let's say MS buys some code from a small competing company. MS runs the code and it crashes one of their servers and causes some minor damage. MS then, using these new laws about accountability, sends its massive legal department after the small competing company. The small company, having no finances to put up against MS, will cease to exist.

    Sure the new laws of accountability sound nice but it takes money to enforce them.

  64. Bad software isn't the real problem by Sloppy · · Score: 2

    It's so simple: If you don't like crappy software, Just Say No. Don't buy it, don't use it.

    Is "Just Say No" not an option (e.g. MS monopoly)? Then there's your problem; fix that. Until then, keep your lawyers off my computer.

    There's some magic point along the cost/quality somewhere in between Microsoft and NASA, and people can find the right point for themselves, if they are free. The current situation may be funnelling people toward one extreme, but software liability (even in cases where the customer doesn't want to pay for it) will just funnel everyone toward the other. We don't need that.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  65. Re:Separation of return address from writable data by Relic+of+the+Future · · Score: 2
    A lot of work has gone into virtual memory to make it look like you only have ONE HUGE memory block, with code at one end and a stack at the other with return data and return addresses. And you only have the one stack pointer...

So, you could change it... but you'd need to make a new CPU, new controllers, rewrite virtual memory... it'd be a lot of work.

I don't know if it would be more or less effort to do that than it would be for sloppy programmers to stop writing code that's vulnerable to buffer overflows.

    --
    Those who fail to understand communication protocols, are doomed to repeat them over port 80.
  66. Open Source Heresy by Arandir · · Score: 2

    Time for your daily dose of Open Source Heresy...

    All commercial software should be warranted. [gasp!]

I am not advocating a law demanding such warranties, rather, I am advocating that software companies stop committing fraud by marketing products while simultaneously disclaiming merchantability.

If I buy a refrigerator and it does not keep my food cold I can return it and get my money back. If the manufacturer won't refund my money I can sue. If this same refrigerator explodes causing material damage to my home and my health, I can sue for major bucks. But not so with software. They all have this little warranty disclaimer saying if the product even *intentionally* kills my dog I am S.O.L.

    Before you all get your panties in a bind, please note that I said "commercial" software. Noncommercial software is a completely different matter.

"But no one would want to contribute to Open Source if they could get sued." Bullshit. No one but the seller gets sued. YOU are not the one selling the software. Remember when Odwalla got sued for tainted apple juice? It was Odwalla, the seller of the apple juice, that got sued, and not the Odwalla employees, or the apple growers, or the fertilizer salesmen selling manure to the apple growers, or the cattlemen selling manure to the fertilizer salesmen selling fertilizer to the apple growers, etc.

Now before all the libertarians and free marketeers jump all over me, let me stress again that this is a *fraud* issue. A company that sells a product is asserting that the product is fit to be sold. This is known as merchantability. It's the cornerstone of the US Commercial Code, and much of Western Civilization's common law. Any disclaimers of merchantability need to be explicit to the consumer before purchase. Hiding them in fine print on the bottom of the box, or God forbid inside the box itself, is fraudulent.

    Every other product on the store shelves is assumed to be fit to sell, EXCEPT for software. This is stupid. This needs to be changed. All warranty disclaimers for commercial products should be null and void unless they are written in three foot high blinking neon lights.

    --
    A Government Is a Body of People, Usually Notably Ungoverned
  67. Re:Got Bugs? by satch89450 · · Score: 2

"From BusinessWeek Online: MARCH 18, 2002 See today's date... I wonder who's at fault."

    No one. Most weekly magazines use the principle that the "issue date" is the last day that the magazine should be sold on newsstands, not the date that the magazine was first published.

    Sorry.

  68. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  69. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  70. Trolls, hot coffee and free software by Mr.+Fred+Smoothie · · Score: 2
    OK. IANAL. However, I'm not a stubborn, ignorant, anonymous jackass, either.

In Tort law, people are all held to some normative standard of "due care" in all of their interactions with other people regardless of the context. If a person's failure to exercise said normative level of due care causes harm to another, they are liable for damages, plain and simple. Even in war, where the purpose is to kill others, there exist normative standards, transgression of which turns warriors into war criminals.

    The McDonalds coffee lady got her money because 12 jurors felt that McDonalds didn't meet the standard of due care with regard to the temperature at which reasonable people serve coffee. If you decided to show your contempt for normative standards of urban foot travel by running blindfolded up and down city streets until you collided with someone, sending them tumbling to the ground and injuring them, legally you'd be liable. No less a legal mind than Oliver Wendell Holmes wrote "If, for instance, a man is born hasty and awkward, is always having accidents and hurting himself or his neighbors ... his slips are no less troublesome to his neighbors than if they sprang from guilty neglect." So AS I SAID BEFORE, even incompetence is no excuse.

Because of standard warranty disclaimers in software, software developers are among the only people for whom no violation of normative standards of due care is enough to trigger liability.

I can understand how anonymous trolls might not feel bound by normative standards of society; most reasonable and thoughtful people in this forum, however, can probably concede that some liability, properly crafted to offer balanced protection to consumers and producers of software products, whether free or proprietary, is at least as morally justified and necessary as standards for hot caffeinated beverages.

    --

  71. Holmes by Mr.+Fred+Smoothie · · Score: 2

    BTW, the Holmes quote is from Common Law. Thank God for Project Gutenberg.

    --

  72. Wrong reason by Mr.+Fred+Smoothie · · Score: 2
"You are only liable when the product is sold, not when it is a gift."
    Why do you keep repeating this falsehood? Do you have any legal references or even logical formulation to back it up?

    The friend's lack of liability comes from his lack of negligence, not his lack of profit. He might be held liable if he knew it was defective, or if it had been on the news for months that the empty lot he'd taken it from was full of cars that explode, or if the reason he gave it to me was because he didn't like the overwhelming stench of gas fumes that mysteriously appeared every time he drove it...

    This is where I'd usually say "you get the point," except it's clear you don't.

    --

  73. Re:Who would be Liable? by Chris+Johnson · · Score: 2
    Everybody in the world.

Everybody has authority to fix the problem, and license to do so - hence, everybody in the world is liable.

I'm serious - think about the question, "Who has authority to fix the problem, and who DOES NOT have authority to fix it?"

  74. Re:This proposal is a little like "software patent by debrain · · Score: 2

http://www.google.ca/search?q=space+computer+failure&hl=en
    (search: space computer failure)

Gives at least this result: http://www.cnn.com/TECH/space/9806/01/mir.computer/

Which, although neither referencing Windows NT, and on MIR not a shuttle, is an equally valid example of software failures jeopardizing human life in space.

Regarding the failure on the Space Shuttle, I similarly cannot find references for it. I remember it quite clearly (which does not make it an infallible statement by any stretch, though), but references for it I cannot find at this time.

    Hope that helps.

  75. Re:Free Bee by spitzak · · Score: 2
    You may be joking, but "free beer" is derived from a sentence RMS (or Gnu, or somebody) said to differentiate two possible meanings of the word "free": "Free as in 'free beer' or free as in 'free speech'".

    The idea is that when you hear the term "free speech" you usually think of the freedom of the speaker, not that the speech is available for no cost. And when you think of "free beer" you usually think of the beer being available at no cost.

    I feel sorry for you if you have never seen free beer. Don't you have any friends who party?

  76. Aaarrrrggghhh! by Mr.+Fred+Smoothie · · Score: 2
    The "you" we've been talking about the entirety of this thread is the Free Software developer. The software developer *distributes* software that he or she *wrote*!!! The act of distribution, along with announcements on mailing lists, interviews about the product, etc. clearly indicate in most cases that the developer KNOWS that people will be using the software. The acts of authorship and distribution should be subject to due care and normative standards just as much as any other activity. If I fire a loaded gun in the air in a large crowd, I don't have to know WHO it will hit, the fact is I should know it will likely hit SOMEONE!

    Now if I distribute a web server, and I either

    • know it contains a buffer overflow which can result in a remote root exploit, and don't fix it
    • think that since I'm giving it away, I don't have to be bothered to check for common code errors that are well known sources of exploits
    Then it can (and should) be argued that I have failed to show consumers of my software "due care", have been negligent, and am therefore liable for damages -- ASSUMING that damage results from the vulnerabilities!

    I need to let this thread die before I have a stroke!

    --

  77. Liability is a systems issue by Pussy+Is+Money · · Score: 2, Interesting
The reason why you cannot put liability on a piece of software is the same as why you cannot use a single benchmark to predict the performance of a whole system.

    Code has to be run before any bugs in the code can manifest themselves. The bugs only turn into damage when the code is deployed. In addition, the same code in another deployment might not cause any damage. Therefore, you cannot hold a programmer responsible for bugs. You can only hold him liable for damages done through bugs.

    When software bugs cause damage, that implies the software was being run, probably doing something useful, perhaps operating on valuable data. The software breaks *because* it is part of a workflow, part of a system.

    This is when you can hold liable the person that sold you the *system*. Some people, notably IBM, will do this.

    HOWEVER, if you download and install applications willy-nilly, and play games, and don't reboot properly, and thus proceed to *construct your own system*, then *you* are liable.

    What people do not realize, is that by dragging icons and windows across the screen, they are picking the fruits of over 40 years of work by other programmers, who made programming a computer as easy as dragging icons and windows across the screen.

    --
    Pushin' 'n dealin', shovin' 'n stealin'
  78. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  79. Re:This proposal is a little like "software patent by debrain · · Score: 2

"And if they used linux, and the same thing happened, the developers shouldn't be responsible......why?"

    First, it wasn't Linux, it was NT.

    Second, NT was a purchased product, so money was exchanged for software architecture, engineering and development. The liability would be different if no monetary exchange was made.

    Third, if it was Linux, then the agency would be capable of fixing the problem internally, on the fly. A software systems expert can fix any problem, save hardware, with enough experience or training, on an open system.

    Fourth, as I said, that was not a post about NT, it just so happened that the most fruitful examples involved NT, so I used them. There are several excellent posts regarding why developer liability of free & open software is posited onto the user in that the user can fix it, has not entered into a commercial contract, and the user has not just the option but the incentive to fix problems, should they encounter them and will them away.