Free Software at Risk Under Lemon law
mpawlo writes: "Newsforge published a piece I wrote on a lemon law for software. That is - what would happen if shrinkwrap limitation of liability clauses were banned? I think Microsoft and the GNU Project would both suffer."
I love this little quip:
"We all know that the open and distributed model for development described in Eric S. Raymond's book "The Cathedral and the Bazaar" is much better and creates more reliable products than any closed non-distributed development model. "
I'm wondering if the author can substantiate this claim with facts.
This is the primary problem with Open Source advocacy, it relies a lot upon blind faith.
The legislation would skyrocket production costs for Microsoft if the company were forced to release foolproof products.
Why would this happen? Car manufacturers used the same "skyrocket production costs" argument against the lemon law for cars. But it just doesn't mean that everything needs to be perfect. Instead it just ensures some basic quality control, such as is practiced in Japan.
As for free software, it would just mean that some of the legal entities that support a packaged product (i.e., Red Hat) would be held to the same standards. IANAL, but if the FSF says 'this isn't a complete product' they can't be held liable any more than a tire company could be for some idiot putting the wrong tire on their car.
...is that Microsoft spends a lot on marketing to tell you that their stuff will streamline your business, keep your toilet from clogging, and whiten your teeth while you sleep.
Meanwhile, their EULA practically says that you're better off playing Russian Roulette with five bullets and only one empty chamber, than to trust their software in a mission/enterprise-critical environment. We can't get access to their source code to check it for bugs ourselves, which would shift liability to us if we could do so, did, and then okayed it for use-- we just have to take them at their word, and hope that the server farm doesn't melt down and bankrupt our company.
Free software, on the other hand, is just 'out there'-- it's like finding a still-wrapped condom on the street. Sure, you can pick it up and use it, but if bad things happen, well, how is that anyone's fault but your own?
Liability-eliminating EULAs are an affront to any kind of truth-in-advertising regulations. A software company should definitely be able to be held financially liable for losses caused by failings in its products-- not to a degree that would instantly put them out of business, but a fair amount. Say, equal to their annual marketing/advertising budget?
Let's look at it with the car company analogy. Suppose Ford's commercials said that the airbags in their cars would save you and your family's lives? Okay, now suppose someone dear to you was killed in a head-on collision while driving a Ford. How would you feel if, when you tried to sue, Ford said, "But wait, your loved one agreed to the EULA by deploying the airbag... let me read you this paragraph from it that says, if the airbag does not work as we said it would, we aren't liable."
If there is a hospital or a government database running on software that fails, the developers SHOULD be prosecuted by LAW for this. But what about the hospital or government? Shouldn't they bear a good deal of the responsibility for either selecting solid software, or hiring someone to select such? In what manner is the liability to be limited? If I install RandomLittleUtilityX and it runs fine, and then install BigCorporateAndGenerallyTrustedProgramY and it breaks all over the place but runs fine on computers that don't have RLUX installed, is that RLUX's designer's fault, BCAGTPY's designer's/distributor's fault, or mine? If I write up a quick little utility to do something on my computer and it gets onto other computers through some P2P utility unintentionally and causes problems, should I have to pay for damages?
Think!
If sensibly implemented, this would put the burden of responsibility on commercial distributors of open source software. If I download an open source product from some coder's website, there's no transaction, there's no contract, and no liability. However, if I pay $100 to RedHat to purchase the same software, that should be treated the same as if I paid Microsoft for the same, and they should bear the burden of responsibility.
I would even go so far as to say that such a law would be good for open source developers, if not the open source "community" which is full of many leeches. Many of the companies that sell open source software these days are playing the "something for nothing" model; they take open source software that someone else has written, put it in a box, and charge for it, without undertaking development themselves. (See, for example, the controversy over OpenOSX.com.)
This is, of course, a much better business model than conventional software development... they get all of the money for none of the work. These are the people who would be most hurt by product liability laws... and forcing people who profit from the open source community to be responsible for it as well doesn't seem like such a bad idea to me.
I might be way off, but as far as I can tell, that clause allows me to ignore the GPL, as long as I don't want or need the permissions it gives me. And those are for distributing and modifying, not using. You got the right to use the software when it was given to you.
That's how I read it anyway.
That's funny. Market forces are the reason so much mass-market software is crap now. Customers preferred more features, mostly idiotic bells and whistles, and the illusion of tech support, to product quality.
OK, now that there's a monopoly situation, it's not just the market in the driver's seat anymore, at least on the desktop. But it was still a relatively free market when consumers had the choice between feature-laden dreck and more tightly-focused products with better quality. So now they change their minds and want quality? The market allocates resources according to buyers' preferences, and generally does that efficiently. That doesn't mean that buyers always choose the technically best product.
Anyway, the real driving force in this initiative is the lawyers trying to get their mouthparts into a nice big pool of cash. And if they happen to destroy another industry in the process, well, it won't be the first time.
And there's not even the consolation that more regulation will hurt Microsoft. Higher barriers to entry tend to protect monopolies, not break them up. It's the little guys and the innovators who will be screwed. They don't have the deep pockets to pay the lobbyists to subvert the regulations. And if GPL'd software happens to become a victim of collateral damage, Congress and the legal profession won't give a shit, because there's no money in it for them anyway.
So it's not about us needing more laws, it's about which laws will most benefit the greed and lust for power of those who actually run this country. Parasites don't care about their host's freedom, only about how much blood they can extract. The underlying problem is that they're making the decisions in the first place, not us. Nothing will change until that changes.
Get your teeth into a small slice: the cake of liberty
I don't even think that it will hurt Red Hat too badly. Normally (except in the case of injury or death), the vendor's liability for any product is limited to the purchase price. And Red Hat's business model is to make money off the consulting services, not particularly off the CD distributions. So they should be able to cover small claims on this front. And remember, even if a huge company installs it on 250 machines and sues, they probably only bought one copy, so the liability is still small.
Even better, the way lemon laws work gives the vendor an option: return the purchase price or fix the problem to a customer's satisfaction. If an Open Source vendor runs into a huge bug with hundreds or thousands of claims, they are also likely to have a small army of developers (which they don't have to pay) working on fixing it. And so, they can get the fix, and distribute the patch to settle the claims. Customers like that even more than getting their money back.
--The basis of all love is respect
At least for Free Open Source Software.
:-)
It doesn't include "It's free, use it at your own risk, it's not the final version."
In general it excludes licenses like commercial, GPL, FreeBSD, etc. as they are now, but it can't exclude open wide beta testing or prerelease promotion. So, by adding to the GPL a restriction clause like that, one that would define the software as such, it would be possible to avoid lemon law restrictions.
Software in development never matures to its final stage. Yes, I know people like 1.0, 2.0 etc. But where is the final stage? Simply always declaring "Development in progress, but this is what has been done so far" would avoid that kind of law. On the other hand, people have no signed contract or receipt to show as evidence at the court.
I know that in case such law would be passed, I would just make a clause on my web page. "ENTER" if you.... "LEAVE" if you.... Works for XXX pages.
Putting something like that on a web page is easy. Here is an example:
"Enter if you're interested in this software, but by entering you agree that this software hasn't matured to its final stage (at least from the legal points of view, which don't allow free software to be passed on in a different way than being treated as work in progress); you also agree that the software has provided you with a license which defines how this software should be treated regarding distribution, usage etc., just the same as if this software had reached its final stage.
Considering the legal points passed by the "lemon law", this clause and the description of the maturity state of this software are an unfortunate necessity for this software to be able to be passed on freely."
Of course, I'm from Europe and I'm not concerned with stupidity like that.
Hope somebody is not offended with my bad English...
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
I think publishing the source should allow the disclaimers to be in force. MS does publish the source to some customers, and GNU to everybody. With the source you can (in principle) verify the functionality and absence of backdoors, and you can (in real life) fix problems yourself instead of having to wait for a Service Pack or other official upgrade.
This is pretty much the key. All that is needed to get OSS off the hook is the line in the documentation "This product does exactly what the source code says it does. All other documentation is purely opinion."
What would Lemmy do?
Windows 95/98, by itself, left alone in a completely idle state, with no software running on it, not connected to the Internet; with no keyboard, mouse, or disk input; installed on a top-of-the-line, 100%-functional computer with no hardware problems whatsoever, will crash in 49 days. Its microsecond-precision clock overflows and fucks it up something nasty.
You were saying Windows is stable?
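An added illustration of the counter wraparound the post above points at (this is example code, not from the post or from Microsoft). It assumes a 32-bit millisecond uptime counter, because 2^32 ms is about 49.7 days, the figure quoted, and shows why a timeout check that compares absolute tick values misfires at the wrap while unsigned modular subtraction keeps giving the right elapsed interval.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: a 32-bit counter incremented once per
 * millisecond, so it wraps to zero after 2^32 ms (about 49.7 days). */
#define MS_PER_DAY (24u * 60u * 60u * 1000u)   /* 86,400,000 */

/* Days until a 32-bit millisecond counter wraps (about 49.71). */
double tick_wrap_days(void) {
    return 4294967296.0 / (double)MS_PER_DAY;
}

/* Elapsed ms between two tick readings. Unsigned subtraction is modulo 2^32,
 * so the result is correct across a wrap as long as the true interval is
 * shorter than the full counter period. */
uint32_t elapsed_ms(uint32_t now, uint32_t then) {
    return now - then;
}

/* Naive timeout check on absolute tick values. Just before the wrap, "now"
 * is close to UINT32_MAX and exceeds any deadline that already wrapped, so a
 * timer that has NOT yet expired is reported as expired (and a deadline set
 * before the wrap looks unreachable after it). */
int naive_expired(uint32_t now, uint32_t deadline) {
    return now >= deadline;
}

/* Wrap-safe check: interpret the modular difference as signed, so a deadline
 * still in the future yields a negative value. Valid for intervals shorter
 * than half the counter period (about 24.8 days here). */
int safe_expired(uint32_t now, uint32_t deadline) {
    return (int32_t)(now - deadline) >= 0;
}

/* Constructed scenario: a 10 s timer armed 5 s before the counter wraps.
 * Returns 1 if the naive check misfires where the safe check is right. */
int wrap_scenario_naive_misfires(void) {
    uint32_t start    = 4294962296u;        /* 2^32 - 5000: 5 s before wrap */
    uint32_t deadline = start + 10000u;     /* wraps around to 5000 */
    uint32_t now      = start + 2000u;      /* 2 s in, 3 s before the wrap */
    int naive = naive_expired(now, deadline);   /* 1: wrongly "expired" */
    int safe  = safe_expired(now, deadline);    /* 0: correctly pending */
    return naive == 1 && safe == 0;
}

int main(void) {
    printf("32-bit ms counter wraps after %.2f days\n", tick_wrap_days());
    printf("naive check misfires across the wrap: %s\n",
           wrap_scenario_naive_misfires() ? "yes" : "no");
    printf("elapsed across wrap: %u ms\n", elapsed_ms(7000u, 4294962296u));
    return 0;
}
```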
Why does everyone keep insisting that if they get hacked it's a bug in the software?
If someone smashes my window and steals my stereo, was it a bug in my house?
Liability laws are impossible to correctly define/enforce since security requirements are constantly changing and vague.
You can't blame someone for not protecting against an enemy (i.e. a new crack) that previously never existed and therefore wasn't even known about, which seems to be exactly what people want in their extreme arrogance over this issue.
Remember what got the ball rolling with car manufacturer liability. Ford manufactured a car that roasted its occupants when hit from behind. Ford figured it would be cheaper to pay the victims than it would be to fix the car. When this surfaced, public outcry did the rest.
Most cases aren't as clear-cut. Continuing on the car industry example, can you hold a vendor liable if you're not wearing seatbelts, and suffer serious injury as a result? Probably not. Can you sue if you are injured in a parking accident by the airbag? Probably not. Now, why were you injured in the first place by said airbag? Because they are inflating with the power required to restrain a person not wearing seatbelts. Anything wrong with this picture? You bet. The consumer has a responsibility of his own, in this case: wearing the seat belt.
Liability is eventually determined by a judge and a jury, and in corner cases it's just a lottery, which is why car manufacturers err on the side of safety -- theirs, not the safety of the customers who are wearing seat belts.
The same thing is looming on the horizon when a software lemon law gets introduced. Vendors will still go to great lengths to skirt their responsibility, and even if that works to "improve" the product, chances are the consumer will be hurt in the end.
For a preview of things to come, look at Microsoft's security fix to Outlook. It is available, so like seat belts, common sense holds that if you don't apply it, you willfully accept the consequences. But unlike seat belts (which are at worst an inconvenience), applying this patch will cripple Outlook beyond being usable.
You can't win this one. Frankly, I'd settle for a law that demands truth in advertising w.r.t. software products.
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
Create laws that arm consumers with security information. Perhaps a grading scheme where software that doesn't connect to the internet is given an A rating. If it is a client then it gets a B rating. If it is a server it starts at C, then for every three exploits within the last year the rating increments by one.
I think this sounds pretty nice, but it has problems. For instance, clients are not necessarily more secure than servers, a well-written anonymous ftp server could theoretically be infinitely more secure than a poorly-written web browser which downloads and executes code without express permission.
Also, most linux distributions would minimally start at a "C" rating under this scheme, while windows 98 would begin at "B" (without enabling "file/printer sharing"). Which do you consider to be more secure on the average? Do the ratings reflect that?
These problems are indicative of a greater flaw in this scheme: software doesn't have to rigidly conform to _any_ model, be it client/server, P2P, etc. Laws take a long time to be changed; software can be changed in weeks (witness Microsoft's court history... pretty soon they might be stopped from producing Windows 95 ;) - if we draft laws or even form committees which define certain software paradigms as insecure, software will simply change paradigms to achieve a higher rating until the ratings board is able to change criteria to match.
Alternatively, we could have panels of elected security analysts pore over every piece of software that is voluntarily submitted for a rating (in source form), at a cost to the software producer (based on some criterion I don't know), and they could arbitrarily grant ratings based on their findings.
I don't know that this is the best solution, but it sounds more practical, it's similar to other analogous (movie ratings, supreme court, etc.) systems for ideal-compliance which are already in place and doing a reasonable (not perfect) job.
Thoughts?
What about allowing the transferral of costs caused by defects in software at the user level, instead of at the producer level? Insurance does this quite well. The costs of insuring your company (or yourself) against defects would be based on what software you are using. The cost of insuring a given piece of software would be a function of claims paid because a particular piece of software was found at fault. Perhaps, companies could even be allowed protection from software they produce and use internally. There are a number of complexities that I can see arising, but here I'm just presenting this as an idea.
I'm very wary of trying to use traditional liability law in the software industry. I fear that, if software liability is implemented (and it WILL be implemented) in a traditional manner, the ultimate casualty will be openness, not pocketbooks.
Use of traditional liability law would almost certainly make development of truly open and free software impossible. Even if the producers of free software are allowed a large amount of protection from litigation, very few will use it precisely because they will have no recourse should they be affected by a defect in such software.
As far as the broader software industry in general is concerned, it would shut tight as a trap. Many people have put in a lot of hard work to get software companies to be more forthcoming with regards to defects, especially as they relate to security. This hard work has paid off quite well. It has made our lives much easier. Do we want to return to the days when it was next to impossible to get patches, let alone information on what the problem actually is? If software companies are made liable for defects in a traditional manner, only a select few will have access to bug announcements, and then they will only have access under an NDA. Life will become extremely difficult for those of us responsible for making sure machines are running and secure. Any public acknowledgement of a bug could then be possible grounds for a lawsuit, which is just a bad place to be. Any information we would get would normally be a result of a lawsuit, and probably too late to be of any real use. I value the amount of information I have access to. It has saved me countless hours, and I don't want to see that go away.
We need to find some way to induce some sort of liability for non-criminally negligent defects without sacrificing openness. Will this work? I think it has a chance to.
First, warranties only are meaningful in the context of a commercial transaction. There's no reason to expect a warranty on a free good. So this is not a problem for free software.
Second, warranties aren't that expensive to manufacturers. Under 5% of the cost of a car is in the warranty. More to the point, in the gambling industry, where full financial responsibility for errors and downtime is the norm, GTech, which runs lottery systems, pays out about 0.3% of revenue in penalties.
Compensatory damages and blame management are real issues. But this comes up in other areas, and the suppliers work it out between themselves, as in the Ford vs. Firestone tire failure issue. In computing, we should expect full warranties on the OS from manufacturers who preload an OS. Let Dell and Microsoft argue between themselves who's responsible.
Finally, manufacturers who don't offer a full warranty should have to put a giant "AS-IS" on the box, like those signs that appear on used cars.
I'm sorry, let me revise. The current versions of Windows. Windows 95 is no longer supported by Microsoft, and Windows 98 soon won't be (or is it already unsupported?). I can't speak for ME because I don't use it, but 2k has been rock solid for me. Uptimes of over 2 months, and damn near all reboots because I constantly tinker.
I'm a big Linux advocate. I run an OpenBSD box. The primary reason I have a windows machine at all is because the support still isn't there for gaming and video editing. Yes, there are decent video editing tools for Linux. They're not as good as the Windows equivalents, or they're multimillion dollar software used to edit movies like the Matrix.
I'm just not a zealot. I recognize where the problems lie, and I recognize when there's a use/market for a particular product. Windows has its place, and in its current incarnations, it's quite stable. When Linux gets support from software makers, it will have a place on the desktop. Until then, it simply can't give the end users what they want.
The author makes a very poor argument. Consumers have a reasonable expectation of performance from (e.g.) MS Windows because they pay for it. You can't make the same argument for software that you get for free.
This bill cannot kill open source *development*. It may, however, make the selling of open source software much more difficult. If this bill passes, companies like RedHat would now be liable for bugs in Linux. Of course, RedHat can (and does) take a snapshot of Linux and make lots of modifications and tweaks before making a release, but there's no way they're going to catch all of the bugs. Their best bet would be to get heavily involved in the system of releases of open source software. This will be very tricky, though, as developers will not be happy to see a company have such control...
Jason