Slashdot Mirror
BBC Commentator Goes After Software Licensing
An anonymous reader writes "Bill Thompson, a regular commentator on the BBC World Service programme Go Digital, criticizes current software licenses (including the GPL) for giving developers 'freedom from responsibility which would be considered wholly unacceptable in almost any other sphere of activity, public or private'." From the article: "A friend of mine is a children's writer. When she writes a non-fiction book she is typically asked to sign a contract that indemnifies the publisher against legal costs resulting from errors of fact in the book. If she was to suggest a school experiment that involved drinking sulphuric acid, because she'd confused it with acetic, then she'd be in big trouble. Yet I can't do anything when a company produces software that exposes my online banking details to any script kiddie with time to spare, because I've agreed a license that removes such liability. "
Publisher is to Author as
...BZZZZZT!
Software User is to Developer
I read
I bet his wife gives away her books for free, too. On a more serious note, this is more expansion of the culture of victimization and the lack of responsibility that is taking over the Western world. Nothing is ever our fault, we muyst always find someone else to hold responsible for problems that we should be tough enough and capable enough to not get into or to solve ourselves.
The keyword is that people agree to these license. If you don't agree, don't use the software. Or, you could buy more expensive software that comes such a guarantee. I can't think of any specific examples, but I'm sure the software that runs pacemakers has some sort of guarantee. However, it's very expensive.
Bradley Holt
Sadly, legislation is probably the only way to make software developers--or rather, their companies--more liable. What, you expect the free market to take this one on? Who here honestly expects a company to decide it's competitive to be more liable?
No I'm not trolling.
The license is an agreement. If you don't like the terms, don't accept the license, and don't use the software.
There is a lot of crap out there about companies liking proprietary software because it gives them someone to sue when the software breaks catastrophically. That Microsoft has about a $40 billion dollar war chest, earned almost entirely through the sale of very broken software, pokes some big holes in that theory.
You're getting software for free. Don't bitch about indemnity in the license.
The solution, I think, is that the realms of coding and of liability need to be separated. Let the coders code and let service companies such as IBM work together with them to provide support and, if needed, liability for customers that need it. This is exactly what happens when IBM "sells" Linux to Wallstreet, for example. They sell the kind of responsibility for the software that individual developers could by no means provide.
I would hope that Mr. Thompson considered the alternative that people often hold others accountable for their own ignorant actions. Yes, a publisher is often held accountable for the stupid actions of a reader (who would be stupid enough to drink sulphuric acid?). But is that situation an indictment of the author, or the court system that allowed an ignorant person to use the courts to make whole an action that the claimant should be responsible for?
No, I do not believe that everyone should be left to fend for themselves without ANY regulation. If someone produces a medication and makes a claim that a patient considered reasonable, and they get more ill or die as a result, then the company should be held accountable. But to make every fucking business activity subject to error and omission insurance will wreak holy hell on our economy. E&O insurace requirements will guarantee that
1) software development will slow,
2) software for process control will halt due to liability questions,
3) make lawyers and insurance companies rich,
all without one single shred of evidence that any of these effects actually made software development any *better*.
When I install software, especially for the first time, I do NOT have it on my production machine. Why do people like Thompson like doing things like this? Why should a software publisher spend heavily to debug (and still not get EVERYTHING) in a manner that *assures* the E&O insurer that it will not delete Mr. Thompson's latest mp3?
"Rocky Rococo, at your cervix!"
And shouldn't the companies that implement the code be responsible for the insecurities, instead of passing the buck onto the developer? If a company incorporates a piece of software, and does nothing to lock down the program, doesn't change passwords, doesn't configure it properly, shouldn't the company be responsible? A developer is responsible to a degree, but so is the user. It takes two to tango, and going back to the quote, if a kid drinks sulphuric acid, how did he get it? The parents are responsible for the kid... Just like the system is the responsibility of the owner/operator...
In many cases, there is no option for a more expensive software that comes with a guarantee. Yes, some software like hospital life support and air traffic control come with a guarantee, but that is why you will see many 'normal' sw mfgs license mention these applications by name and say that you should not use their product in these environments.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
From the Windows XP Home EULA, with caps removed to get past lameness filter: and so on and so on.
With this amount of legal protection, I feel completely safe using Microsoft products!
Let's make all software developers totally legally responsible for their programs. That way, the only people who can afford to write software are huge companies, and even computer progamming for hobbyists ceases to exist because of the liability issues surrounding the creation of code. It'll be sort of like the doctors who have to buy really expensive malpractice insurance as protection against frivolous lawsuits, only the people who have to pay in this case won't be pulling down doctors' salaries.
Medial equipment, avionics, there's plenty of stuff that is specifically made for situations where failure is not an option. Consumer software is not such a thing.
Free Mac Mini Yeah, it's
Normally, I'd agree with the commentator in this article. If you sell software, you should be subject to the same liability as if you sold any other thing. For example, if you sell me banking software, it's assumed that this software is secure and won't easily let hackers steal my account information. If you sell a car, it better not explode every time it gets rear-ended, or have tires that explode when going over certain speeds.
But if you give me a car, or if my hobbyist mechanic friend builds me a car and then gives it to me, I can't really hold him responsible for it not functioning properly. Same thing if my programmer friend just gives me custom banking software he built. When you get something for free, it needn't be licensed in such a way. If it had to be, then no one would ever give anything away from free, which is bad for the public. The better solution is for people who are worried about this potential to simply not accept things which are given away for free.
We have such restrictions on sold goods because otherwise our market can be completely tampered with. Without them, it allows companies to claim goods perform a certain function safely and reliably when in fact they don't.
I do agree though--there was a general trend in EULA's for software developers to say, "Listen, what happens now that you've bought this software is YOUR problem. If it fries your hard drive, or sends all your most personal files to my friends, that's YOUR problem." Yea, that's bad. But the GPL simply doesn't enter into it. The GPL is a license about copying and redistributing software. If you start selling GPL software to a company, then maybe the company that sold it can be held a bit responsible for it not working well (they should, after all, be testing the configuration; otherwise, why are you paying them?).
Unfortunately, I don't think the "security" issue is really the critical one. After all, car manufacturers aren't held responsible for making car theft easy (even though it actually is quite easy). Software developers (especially open source ones) spend a lot of time on making software secure, but we can't possibly hold them responsible for every hack. No products, be they physical or in the software world, are really completely secure.
From the article: The point is not that we should encourage lots of lawsuits against software companies, or have unlimited liability for software. After all, I can't sue Toyota if my car doesn't start and so I miss an important meeting, although I can sue it if a design fault means I crash on the motorway.
This analogy would make sense except that you can void a warranty (and assumedly any liability) if you make any adjustments to the car that could negatively affect its braking system, etc. The same is true with software vendors only amplified a thousand times. Software vendors have no way of telling ahead of time what kind of hardware faults, existing programs, etc, are already installed that could interfere with the operation and security of the program.
Further, nobody holds a car company liable if someone finds a way to jimmy the lock and open your door, which would be the equivalent of a hacker in this case.
These kinds of liabilities only work in more closed systems.
Can you imagine what the lawsuit would be like when some user says "Software X deleted some file" and the software company says "No, it didn't." How would you go about proving this either way? Or in the case where perhaps a virus or something performs an attack on your software like perhaps a buffer overrun attack and causes the file to be deleted? OMG this would be messy for both sides. I can't imagine trying to make a jury understand the issues involved! I think they would end up picking a winner rather arbitrarily based on the personality of the lawyers and witnesses.
Avoid Missing Ball for High Score
I disagree. You don't like buying/using my software because I'm free from any responsibility if it runs amok and kills your family and makes love to your motorcycle? Don't use it. I'm not going to make you. If you don't feel comfortable dealing with those circumstances on your own if they happen, then I don't want you to use my software products (not that I actually have any, but still).
;D).
If you don't like it - write up a new license claiming responsibility for whatever it is your software may do. Write whatever software you want. Users will possibly flock to you just for the peace of mind they would get (or is it piece of mind?
Of course, so will the lawyers, but hey, it was your choice (as a developer) to release software under those conditions anyway.
Just so you know, malpractice premiums do not decrease for doctors in states where malpractice awards are capped to $250,000. Most lawsuits are launched when doctors maim or kill patients due to negligence, not because of highly publicized frivolous reasons. Your analogy is flawed, to say the least.
Now let's get back on topic. It's wrong for people to make excuses for bugs in code which expose my personal information to hackers, stalkers and marketers. I'd just as soon see the industry grind to a halt until they find a way to nip these miscreants in the bud. And no, I can't opt out of this dangerous system unless I stop driving (so much for being able to get food), close my bank account (yeah, hide my money under my bed so a thief has a reason to physically rob me and then kill my whole family to get rid of witnesses), declare myself dead (to retire my SSN - whoops, that's illegal, welcome to Club Fed! - or at least, welcome to joblessness) and practically move out of the country (well, actually that's a good idea if Canada is my destination).
Thanks to stupid programmers there's absolutely no way anyone can protect themselves from identity thieves. The only reason why someone hasn't hijacked you is that they don't care to.
Now please, come back after you find yourself having to fight for years to fix your credit after a hacker stole your personal information off Lexis-Nexis and then tell me they shouldn't stop the digital train for some major overhauls. Until you're a victim of the gaping flaws in the digital fortress you really don't understand the sharpness of that sword of Damocles that is swinging back and forth over your head.
--- Grow a pair, liberals... stop letting the Republicans bully you!
If you as a company, invest tens of millions into a rollout of a new software product ( be it a new version of Windows, or a new Linux Kernel), without
Take windows for example. If you lose $500,000 in a day because some critical windows server crashed from a certain DDOS attack, should Microsoft be responsible? Or should you be responsible, because you should have known from years of examples that Windows is very vulnerabile to those kinds of attacks, and you should either have an external protection mechanism in place, or not use the software? I think the latter. Then again, I am not the person who thinks "sue" when I slip on icy stairs in the winter and break my neck either. I think "maybe I should have bought better gooddamned shoes for walking around in the winter". The other commentors are right, there is not enough responsibility in the world today. Grow a backbone and stop sueing everyone.
Pay more. Find a company willing to take a contract that includes gaurentees. However don't bitch when it's way more expensive and that it takes way longer. Don't expect something cheaply turned out on the latest hardware in a couple months. Expect that it's a verified system that takes years of testing, and is rigidly controlled.
There are companies that make solutions like this, IBM is one of them. You can get a mainframe setup to do database work that will never go down, ever. However it'll be expensive as hell, you will run the DB and ONLY the DB on it, it will be accessed only in rigidly controlled ways, etc.
You're right in that no single vendor is responsible, but you're wrong in that it means that a company can't be liable.
Similar analogies can be made towards anything that is built. When Ford builds a car, they don't create every nut, bolt and beam in the car. They probably buy a lot of the parts from third-party manufacturers and assemble them together. This is true for many products out there.
An analogy closer to home, is the system my friend's company puts out. They treat cancer tumors using some custom hardware run with custom software. But this software runs on windows and some computer hardware they purchase. However, there is a standard configuration for windows and the hardware that's approved by some governing federal medical agency to prevent any foul ups.
Depending on the situation, the assembler is or isn't liable. In the case of my friend's company, they aren't liable since this computer setup has been approved by a large, governing, official body. What about the case where Ford Explorer's had tires from another manufacturer and those tires exploded? Is Ford liable or the tire manufacturers? This is what our court system is for.
"Injustice anywhere is a threat to justice everywhere." - Martin Luther King, Jr.
If you could buy a version of Windows without the disclaiming of all liability, but it cost $10K and was tied to a very specific set of hardware from ten years ago (forget about choosing an LCD monitor, or plugging in a USB card reader, gigahertz CPUs, playing games, etc), would you buy it? No, I don't think so. But that's basically the option you're looking at.
Anyone who wants to can develop software and market it without disclaiming liability. But they would be used as floor mops by companies that disclaim liability. The only places that write that kind of software are those that can afford to spend exorbitant amounts on mission-critical software development because the possibility of failure is even more exorbitantly expensive. Check out what it costs NASA to build software for their space shuttles, and the kind of hardware they run it on; I think it will be illuminating.
Government could write a law prohibiting liability disclaimers. This would kill most software for its jurisdiction. I'm sure the carmakers made the same argument, but here's the difference: software is cheap and easy to develop, virtually free to distribute, and exorbitantly expensive to prove fitness for a given purpose (especially given the possible variety of configurations typically expected of software). Perhaps most significantly, in most cases it's generally cheap to replace when it's proven unfit. In this environment, focusing on guaranteeing fitness brings very rapidly diminishing returns.
-- Moderation in all things, exceptions to all rules --
If you as a company, invest tens of millions into a rollout of a new software product ( be it a new version of Windows, or a new Linux Kernel), without
.. then Yes, you are responsible for a large part, if that software catastrophically fails. Because it is likely something you would have came across in all this research, in one form or another.
* Fully researching the present and past state of the company or individuals responsible for the software, and their abilities both demonstrated and implied.
* Fully looking into [resent and past security issues with the software
* Doing a full independant side-by-side comparison with competitors
Yes, you're right. Corporations have IT staff for a reason: they should take the responsibility for procuring suitable software, and for arranging appropriate support contracts where necessary.
Great.
So what about Jane Average, 67, retired schoolteacher, buying a new computer because she wants to keep in touch with the grandchildren? Is she supposed to do all that research? How is she supposed to interpret the results? And what is she supposed to do when she reaches the truth, which is that there is no computer system she can buy that comes with a decent warranty. Even Apple's license agreement disclaims all responsibility for everything - they even specially state that they don't guarantee they'll bother to fix security flaws!
Jane can't write her own OS if she isn't happy with what's out there. And she can't afford to pay a company for a real support contract. She has to suck it up and hope that nothing too nasty happens.
Are you happy with that?
Do you really live in a world where people are so faceless that you only even bother to consider corporations?
That's like saying, "If you don't like me driving on the sidewalk and running over little kids then don't leave your house." What the artical was alluding to was that liability laws won't allow many industries to simply license out liability. I can't build a car, and then have the sales contract say "we have no liability if this vehicle bursts into flame and kills the occupants if rear ended." When Pintos did that in the 70's, Ford got bitch slapped. You notice Ford didn't rear end anyone, but they were still held negligent for making a car that explodes when rear ended. Why can software companies do this just because they license their products to their users rather than selling them?
I read the bbc news pages a lot. Every time I see that Bill was involved, I just skip over. He'll write anything... as long as it is absolute garbage.
Implementing responsibility in software is desirable -- and unlikely.
At the bottom of the problem (surprise, surprise!) we find money. Software development requires expensive human labor and support; the software industry already limits its investment in quality assurance and support. To fully test every piece of software for 100% (or even 99%) reliability would drive software prices spiralling — you would see no free software movement, no open source, and be living with a very limited selection of corporate software at cocaine-like prices. Witness what has happend with liability lawsuits and medicine, driving costs to astronomical levels.
If anything, the success of the software industry could be attributed the its very lack of guarantees. It has few material costs; anyone with a $500 PC can start a software business. You don't need to guarantee your product, and society is conditioned to accept broken software after years of living with Microsoft's badly engineered products. Companies ship erroneous code to customers, knowing full-well that it can be patched later.
Do I think software should provide guarantees? Yes. Will it happen in my lifetime? Not unless society changes dramatically.
All about me
the same thing. Or any other industry for that matter. Every responsiblity/liablity a corporation or individual has has been forced upon them for the greater good. Software will have its time too. Software is young and as such gets away with more. Seat belts didn't become mandatory in cars overnight. And laws that force you to wear them didnt happen over night either.
One thing one must consider is proper use, and chance of error.
Take condoms, for example. They can help protect against pregnancy and/or STD's. They can also break. In a reasonable situation you should be able to expect some safety in using them, if you use them properly. If you think that wearing a condom is going to make it OK for you to head on down to 3rd and Main every night to pick up a $10 date... well you don't sue Trojan when you get a little more than you bargained for, no do you?