Free Software at Risk Under Lemon law
mpawlo writes: "Newsforge published a piece I wrote on a lemon law for software. That is - what would happen if shrinkwrap limitation of liability clauses would be banned? I think Microsoft and the GNU Project would both suffer."
I love this little quip:
"We all know that the open and distributed model for development described in Eric S. Raymond's book "The Cathedral and the Bazaar" is much better and creates more reliable products than any closed non-distributed development model. "
I'm wondering if the author can substantiate this claim with facts.
This is the primary problem with Open Source advocacy, it relies a lot upon blind faith.
huge difference (#13146)
by Anonymous Reader on 2002.05.11 13:21
I am not a lawyer (thankfully), but I do know that if I pay for something, and it fails, I am entitled to compensation. If it fails from negligence or designed error, then there can be punitive damages. But let's examine the case of a Linux/BSD web server, running Apache, MySQL, and PostNuke.
To be safe, I download for free a non-commercial Linux such as Debian, or FreeBSD. I might be mistaken, but both are developed by groups of people, and anyone is allowed entry if they are competent enough coders. But a group is not a company. The whole corporation/private/public/IPO thing. I acquire, freely and legally, a copy of their work. They might have benefactors and patrons, but that isn't the same as employers.
So I download Apache, MySQL, and PostNuke. All fall under the same category. Maybe MySQL doesn't, then just replace MySQL/PostNuke with Perl/DBI.
So now a huge bug develops, a hole so large, it had to be coded in Redmond. I lose all my data, my competitors get my secrets, and I'm on unemployment line next to Enron execs. Who do I have to blame?
Let's see, someone or some people worked on a project that was supposed to do some particular task. They made it freely available, source and all, so that others might work on it as well. They made no claims about its security, stability, etc. Others may have, but they did not misrepresent the software in any way.
I did not contribute, but I saw an opportunity to use their work. So I did. They received nothing from me, not money, not anything. And, the whole time, the company kept no secrets about the product, and in fact, by making the source available, does just the opposite.
There was no intent to deceive, nor any misrepresentation. By not purchasing the product nor any sort of service contract, I entered into no agreement with the group.
Going in, I understand the risks. I assume the responsibility if problems occur. This is 180 degrees different from Microsoft, since they make plenty of claims, and since there is a legal agreement between a company and Microsoft, and because they are marketing a product with known liabilities.
No, free/open source software doesn't stand to be shut down, rather it stands to gain tremendously. The problem is for companies like RedHat which sell and service open source software. So, from the commercial standpoint, it hurts Linux companies who don't have billions to spend on lawyers, like er um, Microsoft. But it doesn't hurt open source software.
rob mandel
^^^----- Posted anonymously here
The legislation would skyrocket production costs for Microsoft if the company were forced to release foolproof products.
Why would this happen? Car manufacturers used the same "skyrocket production costs" argument with the lemon law with cars. But it just doesn't mean that everything needs to be perfect. Instead it just ensures some basic quality control such as practiced in Japan.
As for free software, it would just mean that some of the legal entities that support a packaged product (i.e., Red Hat) would be held to the same standards. IANAL, but if the FSF says 'this isn't a complete product' they can't be held liable any more than a tire company could be for some idiot putting the wrong tire on their car.
While I don't favor turning the sharks loose on software companies, it is obvious there NEEDS to be some sort of liability and responsibility for bugs.
Some sort of "lemon law" that would REQUIRE the publisher to either correct bugs, and distribute patches for free, or else refund the purchase price IS needed.
What needs to stop is companies like MS being able to leave gaping holes in their products, then correct some of them, and releasing them as "upgrades", ala Windows 98 SE and ME... Those were not really "new" OS's, they were service releases that increased the stability of `98...
In all honesty, the commercial software publishers have brought this on themselves. Sure, MS distributes patches for free for the worst holes (ala, the ones that make Code Red, Nimda, and Klez work), but the fact is, they let their products LEAVE the house with those bugs in the first place.
I see bad consequences for free software out of this, created for it by the closed source companies. Perhaps there can be an exception written in for companies that release source, and in effect, have industry wide peer review of their code.
Eventually, if such a law isn't passed, sooner or later the sharks are going to class action sue and crack away ALL such limitations in the EULA's.
There is too much money and lost productivity happening right now due to software defects.
What we need is a defined list of responsibilities, passed into law, that can't be EULA'ed away.
=== The price of freedom is eternal vigilance
Neither the federal government nor any state has ever had any sort of warranty/liability law that would affect gifts (transactions involving no payment or consideration), unless the defect was willful and intentional (ie trojans). There is no negligence protection for gifts. I highly doubt that any such software lemon law would break with this ancient precedent.
The GPL clause disclaiming only nondisclaimable warranties exists solely for severability purposes; the "unless prohibited by law" clause appears in almost every warranty disclaimer.
Even assuming that such a "lemon law" could be passed (which is, to my mind, a dubious proposition in and of itself), it wouldn't affect Free/Open Source Software (or even proprietary freeware) at all because there's no contract between the author/distributor of the software and the user.
While IANAL, I did consult one about this once - when you give something away, you have no obligation to the recipient. Specifically, the recipient can't sue you if the product is defective in some manner.
... their lightplane industry before inventing any new product liability laws.
It got so that anyone who flew whilst drunk and crashed a plane that he hadn't maintained for years could sue the manufacturer for many millions with a fair chance of winning. And even if the manufacturer won their legal costs would wipe out the profit on many aircraft. So basically the US lightplane industry closed down. (It has since started up again, as a shadow of its former self, following some law changes.)
OK, that didn't affect all that many people. Closing down the software industry would be a different game altogether.
...is that Microsoft spends a lot on marketing to tell you that their stuff will streamline your business, keep your toilet from clogging, and whiten your teeth while you sleep.
Meanwhile, their EULA practically says that you're better off playing Russian Roulette with five bullets and only one empty chamber, than to trust their software in a mission/enterprise-critical environment. We can't get access to their source code to check it for bugs ourselves, which would shift liability to us if we could do so, did, and then okayed it for use-- we just have to take them at their word, and hope that the server farm doesn't melt down and bankrupt our company.
Free software, on the other hand, is just 'out there'-- it's like finding a still-wrapped condom on the street. Sure, you can pick it up and use it, but if bad things happen, well, how is that anyone's fault but your own?
Liability-eliminating EULAs are an affront to any kind of truth-in-advertising regulations. A software company should definitely be able to be held financially liable for losses caused by failings in its products-- not to a degree that would instantly put them out of business, but a fair amount. Say, equal to their annual marketing/advertising budget?
Let's look at it with the car company analogy. Suppose Ford's commercials said that the airbags in their cars would save you and your family's lives? Okay, now suppose someone dear to you was killed in a head-on collision while driving a Ford. How would you feel if, when you tried to sue, Ford said, "But wait, your loved one agreed to the EULA by deploying the airbag... let me read you this paragraph from it that says, if the airbag does not work as we said it would, we aren't liable."
Most open source software seems to be in the perpetual beta state anyway, but if a lemon-law were to pass, maybe the commercial vendors would move toward this as well. Never releasing a "finished" version, just alphas, pre betas, betas, preview editions, release candidates, etc, etc, etc.
If this were to happen, it might actually help the public, forcing the commercial vendors into a system where they actually have to admit that their product is never finished. Maybe then the public would stop shelling out money every time the latest edition comes out, lining the pockets of Gates and company.
Why couldn't one limit the maximum liability to, say, 10 times the license / distribution price? So a typical private MS customer might claim some thousand dollars while a company or school (with a single contract covering thousands of machines) could start multi-million dollar lawsuits. Obviously, the risk for authors of free software is then still zero. For linux distributors, the liability might be limited to the non-free software parts (like yast in SuSE) and to the editing process (identification of alpha/beta/production grade software). In any case, big money will only be at stake for companies which make big money.
The company for which I work develops custom software. IANAL, but one of the ways we limit liability is through collecting and documenting requirements for the software, and testing that those requirements were met. We also follow a strict software development process, which supports our ability to develop a quality product. By developing this documentation, we are able to pass liability off to our customers. I.e., they have agreed that our software meets their requirements and our tests are sufficient to prove that it does. Now, if we knew our software didn't meet the specification, that is different (usually called FRAUD).
I would think that something like this would work for the larger Open Source projects. If they could have the requirements of the project documented (i.e., what it is supposed to do) and have tests written to verify this, then they may have an out. The problem in M$'s case is that they know of the problem, or their quality process is not sufficient, and do nothing about it.
The dogcow says "Moof!"
I think any liability laws would unfairly punish smaller companies.
Some people are in favour of Lemon Laws specifically because they dislike Microsoft and think that Microsoft software is insecure. This is stupid and shortsighted.
Deal with Microsoft's monopoly abuses separately. Monopolies come and go but bad legislation is forever.
Create laws that arm consumers with security information. Perhaps a grading scheme where software that doesn't connect to the internet is given an A rating. If it is a client then it gets a B rating. If it is a server it starts at C then for every three exploits within the last year the rating increments by one.
After you have informed the consumer you can let the market decide. If they still use software with a G rating then that's their own problem.
I think publishing the source should allow the disclaimers to be in force. MS does publish the source to some customers, and GNU to everybody. With the source you can (in principle) verify the functionality and absence of backdoors, and you can (in real life) fix problems yourself instead of having to wait for a Service Pack or other official upgrade.
This is pretty much the key. All that is needed to get OSS off the hook is the line in the documentation "This product does exactly the source code says it does. All other documentation is purely opinion."
What would Lemmy do?
If I build a tree house on my property that is unsafe and someone trespasses and uses this tree house (which I haven't even said he could use) and gets hurt then I am potentially liable both criminally and civilly. It's called an attractive nuisance.
I didn't charge anybody anything... I didn't even give permission for it to happen. Yet I am still at fault.
Just because I don't profit off of a transaction doesn't give me a right to put somebody at risk - financially or physically - unless perhaps I am completely forthright; and even then often not. And simply saying "Well, at your own risk," is not completely forthright, not even close.
The only difference with purchasing the product is that the legal agreement is explicit. And in an explicit agreement risk can be accepted by the customer. But in the implicit agreement it is assumed that risk is accepted only if it is obvious. Otherwise you're buying the right not to be put in a dangerous situation. Which you can't buy because you fundamentally own this as a citizen.
As for the suggestion that there can't be a law suit because there is no company - I think it is pretty clear in the american litigation system there are no lack of defendants.
Remember what got the ball rolling with car manufacturer liability. Ford manufactured a car that roasted its occupants when hit from behind. Ford figured it would be cheaper to pay the victims than it would be to fix the car. When this surfaced, public outcry did the rest.
Most cases aren't as clear-cut. Continuing on the car industry example, can you hold a vendor liable if you're not wearing seatbelts, and suffer serious injury as a result? Probably not. Can you sue if you are injured in a parking accident by the airbag? Probably not. Now, why were you injured in the first place by said airbag? Because they are inflating with the power required to restrain a person not wearing seatbelts. Anything wrong with this picture? You bet. The consumer has a responsibility of his own, in this case: wearing the seat belt.
Liability is eventually determined by a judge and a jury, and in corner cases it's just a lottery, which is why car manufacturers err on the side of safety -- theirs, not the safety of the customers who are wearing seat belts.
The same thing is looming on the horizon when a software lemon law gets introduced. Vendors will still go to great lengths to skirt their responsibility, and even if that works to "improve" the product, chances are the consumer will be hurt in the end.
For a preview of things to come, look at Microsoft's security fix to Outlook. It is available, so like seat belts, common sense holds that if you don't apply it, you willfully accept the consequences. But unlike seat belts (which are at worst an inconvenience), applying this patch will cripple Outlook beyond being usable.
You can't win this one. Frankly, I'd settle for a law that demands truth in advertising w.r.t. software products.
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
Create laws that arm consumers with security information. Perhaps a grading scheme where software that doesn't connect to the internet is given an A rating. If it is a client then it gets a B rating. If it is a server it starts at C then for every three exploits within the last year the rating increments by one.
I think this sounds pretty nice, but it has problems. For instance, clients are not necessarily more secure than servers, a well-written anonymous ftp server could theoretically be infinitely more secure than a poorly-written web browser which downloads and executes code without express permission.
Also, most linux distributions would minimally start at a "C" rating under this scheme, while windows 98 would begin at "B" (without enabling "file/printer sharing"). Which do you consider to be more secure on the average? Do the ratings reflect that?
These problems are indicative of a greater flaw in this scheme, software doesn't have to rigidly conform to _any_ model, be it client/server, P2P, etc. Laws take a long time to be changed, software can be changed in weeks (witness Microsoft's court history.. pretty soon they might be stopped from producing Windows 95 ;) - if we draft laws or even form committees which define certain software paradigms as insecure, software will simply change paradigms to achieve a higher rating until the ratings-board is able to change criteria to match.
Alternatively, we could have panels of elected security analysts pore over every piece of software that is voluntarily submitted for a rating (in source form), at a cost to the software producer (based on some criterion I don't know), and they could arbitrarily grant ratings based on their findings.
I don't know that this is the best solution, but it sounds more practical, it's similar to other analogous (movie ratings, supreme court, etc.) systems for ideal-compliance which are already in place and doing a reasonable (not perfect) job.
Thoughts?
First, warranties only are meaningful in the context of a commercial transaction. There's no reason to expect a warranty on a free good. So this is not a problem for free software.
Second, warranties aren't that expensive to manufacturers. Under 5% of the cost of a car is in the warranty. More to the point, in the gambling industry, where full financial responsibility for errors and downtime is the norm, GTech, which runs lottery systems, pays out about 0.3% of revenue in penalties.
Compensatory damages and blame management are real issues. But this comes up in other areas, and the suppliers work it out between themselves, as in the Ford vs. Firestone tire failure issue. In computing, we should expect full warranties on the OS from manufacturers who preload an OS. Let Dell and Microsoft argue between themselves who's responsible.
Finally, manufacturers who don't offer a full warranty should have to put a giant "AS-IS" on the box, like those signs that appear on used cars.
I'm sorry, let me revise. The current versions of Windows. Windows 95 is no longer supported by Microsoft, and Windows 98 soon won't be (or is it already unsupported?). I can't speak for ME because I don't use it, but 2k has been rock solid for me. Uptimes of over 2 months, and damn near all reboots because I constantly tinker.
I'm a big Linux advocate. I run an OpenBSD box. The primary reason I have a windows machine at all is because the support still isn't there for gaming and video editing. Yes, there are decent video editing tools for Linux. They're not as good as the Windows equivalents, or they're multimillion dollar software used to edit movies like the Matrix.
I'm just not a zealot. I recognize where the problems lie, and I recognize when there's a use/market for a particular product. Windows has its place, and in its current incarnations, it's quite stable. When Linux gets support from software makers, it will have a place on the desktop. Until then, it simply can't give the end users what they want.
CMYK is patented, and licensing this patent is not at all cheap. Certainly, it's not something that's possible for a piece of software like the gimp.
Claiming that a piece of software is inadequate because the maker of the competing software uses legal means to stop competitors from implementing a piece of functionality is really quite stupid.
himi
My very own DeCSS mirror.
Something that really bugs me is the comment that this lemon law could kill "OpenSource and Free Software" altogether. In case you guys from the US haven't noticed: there are other countries with other laws.
Of course here in Germany a vendor or producer is liable for what he sells, too. But this liability has limitations! In Germany you CANNOT sue McDonald's because you failed to notice that coffee may be hot and McDonald's hasn't provided you with that information! You CANNOT sue a toy company for selling Superman capes without providing a warning that those capes won't give you the ability to fly! And even if you can sue a company for liability (i.e. because they failed to give notice about poisons or side-effects in their products), you won't be rich!
German jurisdiction mostly follows the customs and the common sense. That means: if you pay 1000 Euro for product A it is NOT regarded in the same way as product B which you got for free.
Besides: do you really think that OpenSource and Free Software are dead the same moment the US leaves the building?
-- Beware the Jabberwock, my son!
The author makes a very poor argument. Consumers have a reasonable expectation of performance from (e.g.) MS Windows because they pay for it. You can't make the same argument for software that you get for free.
This bill cannot kill open source *development*. It may, however, make the selling of open source software much more difficult. If this bill passes, companies like RedHat would now be liable for bugs in Linux. Of course, RedHat can (and does) take a snapshot of Linux and make lots of modifications and tweaks before making a release, but there's no way they're going to catch all of the bugs. Their best bet would be to get heavily involved in the system of releases of open source software. This will be very tricky, though, as developers will not be happy to see a company have such control...
Jason