Slashdot Mirror


Software Product Liability?

ben writes "Reuters just ran a story about the increasing number of calls for liability on the part of software developers, with a not-too-surprising focus on Microsoft and its uber-fallible IIS webserver. Given that many other engineering disciplines have some sort of accreditation and licensing body to enforce codes of professional ethics, I'm curious what impact the demand for such a creature in the software industry could have on Open Source developers, especially the part-time hobbyist ones. That is, establishment of some sort of Software Developer's license means the developer is potentially liable for whatever havoc his bugs may wreak, and traditionally the only environment with legal resources adequate to deal with such liability has been the megalithic corporate one."

25 of 428 comments

  1. So many possibilities to cover... by Anonymous Coward · · Score: 2, Insightful

    What if they blame your software, when in reality it's the fault of some other software used in conjunction with it? Or it's a hardware problem? Or it's a user trying to cover their own ass when they screw up? It's not quite as easy to see what happened after the fact as it would be if say... a building fell down.

    It's more analogous to doctors prescribing medications. They do their best to make sure the patient is in the right condition to take them, but they can't control what the patient takes them with, or how they might misuse them. But of course, malpractice insurance is quite expensive...

    1. Re:So many possibilities to cover... by gregfortune · · Score: 3, Insightful

      No, no, no, no, no! We *can* control it. We *can* build fault tolerant systems. We *can* take our time to ensure that our application will only respond to valid input/requests/etc. If you build the OS, make sure that nothing using your OS has a chance of crashing it. If you build a webserver, make sure that feeding it crap in the URL will not cause it to respond "The root password is 'imadip'".

      What happened to the idea of a program having a well defined set of inputs and only causing it to respond to those inputs? And if something goes wrong, where are people getting off trying to blame it on the user be it a person or another program using that well defined interface? Argh.

      Word did not crash Windows. The printer driver didn't crash Windows. The stupid user who pressed the wrong things in the wrong order didn't crash Windows. Windows just crapped itself.

  2. good question by caseydk · · Score: 3, Insightful

    This is a serious question that always seems to be glazed over by the open source advocates. Most seem to see it only as a method of attacking MS.

    Well, if liabilities become a reality, EULA's won't protect the company, otherwise every company just puts a clause in it and the liabilities cease to exist. The law would be required to allow very few, if any, exceptions.

    If the open source community has to face this, what will happen? The next time there's an error (such as the recent Bind exploit) do the lawsuits begin?

    1. Re:good question by Anonymous Coward · · Score: 1, Insightful

      >Well, if liabilities become a reality, EULA's won't protect the
      >company, otherwise every company just puts a clause in it and the
      >liabilities cease to exist. The law would be required to allow very
      >few, if any, exceptions.
      >If the open source community has to face this, what will happen? The
      >next time there's an error (such as the recent Bind exploit) do the
      >lawsuits begin?

      First of all, these laws are designed to be similar to the lemon laws that protect most used car buyers, i.e., you can't dump a car you *KNOW* has problems on an unsuspecting buyer. That's why commercial software companies and most shareware vendors are opposed to these laws, and why they won't affect most Open Source Development. The issue here is the intent to defraud the consumer. Since the Bind problem wouldn't fall under this it'll be difficult to use it as a legal issue. On the other hand companies like Microsoft and most Shareware vendors would have a great deal to be concerned about under these kinds of laws.

  3. Code is free speech by splorf · · Score: 2, Insightful
    And requiring programmers to be licensed is no more legitimate than requiring journalists to be licensed.

    There can certainly be some kind of liability for bad code that you deliver to clients under a contractual relationship, just like there can be malpractice if your doctor gives you bad advice.

    But liability for a program that you've published on the net or sold retail? That's as bad as liability for publishing a book advising people to plan their finances by astrology or go on some quack diet to prevent cancer. Those books are published all the time and it's (rightfully) up to the buyer to take the advice or not take it.

    Most buyers simply know better than to believe such stuff. And sooner or later they will hopefully know better than to run Windows. It's just a matter of the field getting more mature.

    1. Re:Code is free speech by splorf · · Score: 2, Insightful
      The NY DMCA ruling will hopefully be overturned. Anyway, source=speech isn't so bad. Publish source so the world can see your bugs and make its own evaluation, and you're protected. Keep the source secret (like Microsoft) so people have to rely on your representations, and you're responsible for whatever happens.

      That's consistent with the book situation--you're free to publish that quack investment book because anyone who reads it can decide for themselves whether it's crap.

      I should have mentioned this in the earlier post but wasn't thinking about binary-only programs. A binary is more like a pill, where you can't tell what's inside--you can only swallow it and see what happens. With source code, where you tell the reader what you know, and short of actual malice (similar to libel etc.) you should be protected.

  4. Oh boy... by symbolic · · Score: 2, Insightful


    This could lead to all kinds of nastiness. If a software vendor wants to limit their liability, they may tie their software to a very specific hardware configuration. This could result in the unintended consequence of giving M$$$$ an unprecedented amount of control over the hardware manufacturers and resellers. So, instead of purchasing software to solve a particular problem, you purchase hardware to meet the requirements of a software package. This seems^H^H^H^H^H is half-assed backward.

  5. Re:Software liability by Anonymous Coward · · Score: 1, Insightful

    It does not sound unreasonable to me to hold a company liable for software they are selling, while 'open source' software, which is usually distributed free of charge, could still be immune from that. After all for one you are paying and often you cannot fix the problem yourself while in the other you got it for free and in theory you can fix the problem yourself.

  6. Sensible liability. by danamania · · Score: 2, Insightful

    I doubt software vendors could continue to exist, if there were a level of performance required where NO bugs/faults were required. What may work though, especially when it comes to software like IIS and all of its fun vulnerabilities, is lemon laws similar to those for cars.

    A model of car needing a recall is no big deal - it's a bummer and an inconvenience most of the time, much as most software has the odd patch/upgrade for reasons of bugs appearing publicly. Continual faults/bugs/etc are a different matter entirely.

    The notion also, of Unstable, Stable, Testing versions of software seems pretty sensible when it comes to the liability in open source software. Letting a user know what they're in for when using an Unstable product limits liability by saying "OK, this really could be crap" - miles more than IIS, to use one example.

    a grrl & her server

  7. Commerce != speech by fw3 · · Score: 3, Insightful
    Generally businesses, people working in their professional contexts do not enjoy the proceess rights.

    What is sold as a product is not speech. If the courts have not been uniformly easy on code which expresses scientific ideas, written in an academic context, then certainly commercial software will not (and I think should not) enjoy protection as speech.

    What would have to happen to change the current setting where commercial practice (and law) considers all software to be 'without warranty' is another matter.

    The obvious reason that SW is presently very much a 'caveat emptor' instance is that most nontrivial software products are both complex and can be run in such a wide array of hardware and software environments that solid analysis of potential failures is clearly infeasible.

    --
    Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
    bsds are of course just BSD
  8. Re:Two observations on the article by Anonymous Coward · · Score: 1, Insightful

    It means that if software has 10000 lines of code and 10 bugs (1 bug per 1000 lines of code) and is being used by 10 people on 4 different PC configurations, probability of a) hitting the bug and b) that anybody will hear your screams is WAY lower than with software which has 1,000,000 lines of code with 1 bug per 5000 lines (actually much better quality) and 10,000 users on 1000 different configurations.

    The problem is that MS software is LARGE and COMPLEX and there is no way it can really be tested on all possible PC configurations. None of the software is tested for all the cases. It all gets tested for 95-99% cases which, with 100,000,000 users translates into 1 to 5 MILLIONS unhappy customers.

  9. Death of Linux by BWS · · Score: 4, Insightful

    let's consider two facts..

    1) RedHat/Mandrake/Suse/Caldera has been the big push of open source for the business world... without them Linux would be dead in the business world...

    2) companies in (1) released products for sale (you buy them) and they sometimes have security bugs (a lot of them has a recent exploit in SSH recently)..

    3) companies who uses products by companies in (1) who get 'rooted will sue the companies in (1)

    4) companies in (1) will die (they have lot less $$$ than MSFT)..

    5) bad for Linux...

    --
    -- Note: These Comments are Generated by ME! Not You! ME!
  10. Warranties shouldn`t apply to open source by Idou · · Score: 2, Insightful

    If I recall correctly, all products have "implied" warranties that cannot be voided. So, if you ever sign something that "voids" your warranty when you buy something from a merchant ("as is"), it really doesn't mean anything if the product is defective. Lawyers just like putting phrases like that in so that the people who don't know any better will say "shoot, I can't sue because I signed that paper . . ."

    I think "common law" applies to non-merchants and is very different (your hobbyist), but I better shut up before I post some big mistakes.

    Anyway, to begin, I am assuming that expecting hobbyists to be liable for their code is total BS. It is like making someone responsible if their post causes someone damages or to kill themselves. Not only do I think current "common law" would imply hobbyists to be free of liability, they could always just use an alias for their code contributions, making enforcement impractical.

    However, as a merchant, I think that by giving out the source code of your product, all related parties would effectively have the ability to check the code before they use it, which would shift the responsibility to the consumer. Yes, this is impractical! However, why do you think CPA's exist? Accounting information is extremely impractical for each individual to analyze, so we have something called "auditors" to do this for us. It wouldn't be weird if a "software auditor" were to come to be and would give an "unqualified opinion" if everything was in order in your favorite distro.

    Companies who didn't release their source, however, would not be allowed to void their implied warranties because there is no way to check if the code will do damage or not.

    This would be a drastic change but would probably increase the quality of software, in general. MS would probably be the only company left that could afford not to open their source, but that is fine by me. At least they would be responsible when their software deficiencies indirectly impair my bandwidth.

    --
    Make America great again!
  11. Comparing Software "Engineering" to others... by darkwiz · · Score: 5, Insightful

    ... is really pointless. The argument is: an architect designs a house that doesn't blow over, or a bridge that handles the traffic load without collapsing. However, in these cases, anyone who does something out of the ordinary with the house (fills it with water, tries to open the inside door without opening the screen door), would be laughed at if they called it a design flaw.

    Take the usual punching bag for example: IIS. IIS, when used properly, works quite well. You might argue about the functionality/performance/cost compared to [insert favorite httpd], but pass over those arguments for now.

    Security is a common complaint for IIS. However, if a person broke into your house by going in through a weak point (a window, the chimney, etc), you wouldn't blame the architect.

    Zealots might say that backdoors in software are like using doors without locks. But this is ignoring the fact that software is often not an integration of existing, proven solutions, but an exploration of ways to attack a problem. Also, these failings are plain to the layman, whereas software bugs are often obscure to the guru. You simply cannot have the expectation that software will *NEVER* crash.

    An architect has a given set of solutions for common problems (building codes, pre-existing designs, etc). If they can't solve a problem with an existing, proven solution (or a mild derivation of such), they probably wouldn't take on the job. Programmers do not have this luxury. We are inventing these solutions on the fly -- and we will make mistakes.

    1. Re:Comparing Software "Engineering" to others... by KurdtX · · Score: 3, Insightful

      > Security is a common complaint for IIS. However, if a person broke into your house by going in through a weak point (a window, the chimney, etc), you wouldn't blame the architect.

      However, if the architect represented the window as unbreakable, and afterward told you that they couldn't foresee someone using a hammer, I think you would have plenty of reason to blame the architect.

      --

      Kurdt
      I'm not anti-social. Just pro-technology.
    2. Re:Comparing Software "Engineering" to others... by Lumpy · · Score: 5, Insightful

      > You simply cannot have the expectation that software will *NEVER* crash.

      Umm, the aircraft and space industries certainly do.

      if your flight computer's software weren't sure to never *crash* then it would never be used. there are many hyper-critical systems out there running software that doesn't crash. (because if they do lots of people die!)

      I can't stand the cop-out I hear from programmers.. Yes, you can make bug-free and software that cannot and will not crash. Industry and the companies that make it choose to release buggy/crappy products. New features are more important than security/stability.... this is not always the case though, the OS running the Allen-Bradley RC5 and newer PLC's is rock solid and doesn't crash.... it can't, because it would kill people. these plc's are running 500 ton presses, high speed laser cutting systems and water filtration facilities. it is purely unacceptable to have a PLC crash and fail to an all outputs or arbitrary outputs on state as it will kill the operator, destroy the equipment, and in a water filtration facility, poison from 100,000 to millions of people.

      any programmer that says you can't write a program that doesn't crash or doesn't have bugs, is not a programmer. Yes that is a huge slap in the face of most of the "programmers" out there. but it is a slap they all need to have and require. It can be done and it is done every day.

      --
      Do not look at laser with remaining good eye.
  12. i've said it 100 times by bilbobuggins · · Score: 5, Insightful
    "Today, Firestone can produce a tire with a systemic flaw and they're liable,"

    This will probably be viewed as a troll but I feel I have to say it:

    The problem with software is that when a virus/cracker compromises your system, any resulting damage can not logically be attributed to the software developer.
    Nobody is out there expressly trying to break and/or compromise Firestone tires. They were sued because the tires malfunctioned of their own accord.
    If IIS blew up on its own and erased your disk you would have a legitimate case. As soon as a third party maliciously tries to compromise it, the case is off.
    If someone broke into your house would you sue the lock maker? Likewise, if someone deflates your tires you have no case against Firestone.
    If you can show me one case where code in IIS itself was responsible for damage (i.e. damage occurred while the code was running normally without any provocation) then I'm all for this, otherwise (as much as I hate to stick up for MS) you can't possibly blame them for Code Red etc.
    The real solution is just to get a better product; if you are having a problem with break-ins buy a better lock, don't just try to shift blame for your bad purchase decisions on someone else.

  13. software liability is not a good idea (imho) by Dr. Awktagon · · Score: 5, Insightful

    I'm a firm believer that, in general, ALL SOFTWARE (including Linux, BSD, and Windows) is full of show-stopper bugs, with a probability in proportion to the number of lines of code raised to some power. If one piece of software seems more secure, it's just because the bugs haven't been found yet. And this will get worse as time goes by.

    (How the bugs are handled after they are found is another story, perhaps we should be focusing on that instead.)

    Microsoft has lots of smart people working for them. Free Software has many smart people looking at the code. Yet, most of this code has bugs. When I write a 10-line Perl script, it has bugs (for instance, what does it do in a full disk situation? What does it do when run by root? What does it do if a Perl library is missing or upgraded?).

    Making software writers/distributors liable for bugs is simply impractical. Software is simply not like a bridge or a toaster. Software is incredibly complex, and it runs on machines that are also highly complex, connected to other machines with equal complexity. All the interactions can't possibly be comprehended.

    And just what is a bug? If the program malfunctions under certain unforeseen circumstances, but when it was written it met all the specs, is that a bug? If you use a formal system to "prove" correctness, are the rules correct? Did anybody make a typo setting it up? Is the program that does the check itself bug-free?

    I can understand that if Microsoft promises you a secure webserver, and it's found not secure, you feel Microsoft is to blame. But perhaps a "secure webserver" cannot exist. Even if it did, once installed, it would interact with other software to create a security hole (example: Apache + PHP + anonymous uploads into the web-accessible area + MySQL running as root).

    If a law for software liability were passed, it would instantly kill all but a few software companies. Free Software would wither or go underground because no programmer would want to touch it. You would get zero support for your software, unless your setup was 100% EXACTLY the same as the one the corps will support. This would probably be enforced with some draconian DRM. Our lives would get worse.

    Of course you say, they could make an exception for Free Software. But what would the criteria be? Exception for no-cost? No, that would mean you can't charge for Free Software beyond the cost of media. No more PayPal buttons on your web site, no corporate sponsorship. And Microsoft would just turn IIS into a free download. Exception for source-code-included? That would be better for little guy (no more binary-only distro though), but Microsoft could just invent a very-high-level language where MS Word is 5 lines, and distribute that along with it. They would find some other way to get around it. Any liability exception would be unfair to someone.

    If anybody should be liable, it's the person or company who chose and installed a particular system. This entity put together the components, so this entity is responsible for knowing they all work together without bugs. But like I mentioned before, I don't think this is possible. And even just one small change or upgrade and you don't know any more if your system is still secure.

    In 40-50 or more years, the software industry might stabilize to the point where all basic computer tasks are performed using well-known, publicly available, stable components and formal systems, and then you could use the term "engineering" and you could conceivably have more predictable software. But I don't really think we're anywhere near that point now. Computer science is still in its infancy.

    I'm not optimistic!

    1. Re:software liability is not a good idea (imho) by Atrus5 · · Score: 2, Insightful
      > Making software writers/distributors liable for bugs is simply impractical. Software is simply not like a bridge or a toaster. Software is incredibly complex, and it runs on machines that are also highly complex, connected to other machines with equal complexity. All the interactions can't possibly be comprehended.

      This reminds me of one too-complex-to-understand thing everyone uses every day: the human body. Medical care people (doctors, surgeons, etc.) are expected to do what they can to remedy a problem but are not held accountable. The only time you can sue or prosecute them is when they willfully cause "failure". The human body is simply too complex for one person to understand entirely and most computer systems have a similar problem. While it is possible for software developers (including corporations) to completely understand one specific setup, it is impossible for them to test all possible combinations of hardware, software, and circumstances. Now if they know of an incompatibility with something they are responsible for making it possible for their users to know of it. This is similar to the warnings on most over-the-counter medications (don't take this if you have liver problems or somesuch).

  14. Engineer analogy by peterdaly · · Score: 4, Insightful

    Say instead of being a software engineer, I was an engineer who built bridges. Can you imagine a boss coming up to me and saying:

    "I need a bridge built in this location to move some things across the river. We will lose out to our competitors if this takes any longer than three months, you have two and a half. Tell me tomorrow how much steel you need ordered and I will have the iron workers (actually guys off the street who could spell iron) to start putting it together."

    Would you go across a bridge built like that? I wouldn't if I had a choice in the matter. How different is this from many software projects? Not very. Management doesn't care about the software quality since they don't understand it anyway, the coders are passively taught not to care either because it costs more to write well architected, well tested code. Code can be solid if effort is placed on writing solid code. There will still be bugs, but nothing like is prevalent today in commercial software. Think of all the VB monkeys that managers consider real programmers. (Not that there are good VB programmers, but by and large...)

    Welcome to the world of software. As long as the current market drivers are in place, nothing will change.

    -Pete

  15. Re:Classic Microsoft Quotes in the Article by pete-classic · · Score: 5, Insightful
    There are many badly written (non-microsoft) printer/file filter/device drivers that make things go horribly wrong on Windows, and near as the end user can figure, it's just Windows crapping out.


    What's a printer driver? A printer is an I/O device that is on the OTHER SIDE of an industry standard port. In essence it is a "remote device." What business does that sort of software have running in "ring 0?"

    I am aware that many "printers" are dependent on "drivers" because they are missing hardware, but whose idea was that . . . ? Blame goes to: Microsoft.

    I'm not sure what you mean by "file filter" but the same argument almost certainly holds. Blame goes to: Microsoft.

    Beyond that "windows device drivers" aren't really drivers anyway, they are plugins to the (Microsoft) class driver. If they crash the system it is still Microsoft's fault, because the interface is poorly defined or the class driver does insufficient error checking. Blame goes to: Microsoft.

    I have no sympathy at all.

    -Peter
  16. Re:Classic Microsoft Quotes in the Article by haystor · · Score: 2, Insightful

    I believe this dialog will say that the drivers can't be guaranteed to be reliable. Does this constitute an implicit guarantee that certified drivers are reliable? No. MS states quite clearly that none of their software is guaranteed for anything, so what the hell good is the certification?

    --
    t
  17. Re:Software liability by mentin · · Score: 3, Insightful

    > If government offices informed Microsoft that in one year they would no longer buy software that limited the liability of the designer

    Actually, if any government wants to buy Microsoft software with liability, it can be easily arranged: Microsoft will find third party insurance company, add appropriate price tag to the box, and sell it to anybody.

    Will one want to buy MS Word for $10,000? I can easily imagine this price if the seller has to pay mega-dollar liability in case Word crashes while editing super important government document.

    Ever seen a rich WYSIWYG-editor that never crashes?
    Want software prices to sky-rocket like medical expenses in US (one of the biggest contributors is doctor's own insurance)?

    --
    MSDOS: 20+ years without remote hole in the default install
  18. Re:Software liability by mentin · · Score: 2, Insightful

    > You can't always limit liability. For example, you can't sell a car and say that you are not liable for design defects.

    The liability of car designer exists because the risks associated with it can be relatively easily calculated. There are well defined boundaries and conditions under which car manufacturer declares his car to be safe, and gives the warranty. Any deviation (wrong type of oil, gas, or tires, missed oil change, self-installed turbo charger) and the liability and warranty can be void to some extent.

    For software vendor those boundaries would mean that software is run under particular certified hardware, only in combinations with particular certified third-party applications, with regular maintenance (i.e. patches), configured according to vendor's specs, etc.

    You can buy such system from most large software vendors, and get some kind of warranty and liability. MS sell data center servers in this category. If you want to pay the price for it plus price for hardware, plus restrict yourself to particular list of application, you can get it with associated liability. But if you want to run it on cheap hardware with tons of random crap installed, you can't expect any reasonable liability from vendor.

    --
    MSDOS: 20+ years without remote hole in the default install
  19. Difference by Anonymous Coward · · Score: 1, Insightful

    The major difference between MS and open-source / hobbyist developers is that MS *does* make a claim as to its suitability for a specific purpose, and it *does* make a claim that it is secure.

    The majority of open source software carries a disclaimer saying "Use At Your Own Risk". If you can't appreciate the risks, then you shouldn't be in the position to be deciding whether to use the software or not.