Should Developers Be Liable For Their Code?

Glyn Moody writes "They might be, if a new European Commission consumer protection proposal, which suggests 'licensing should guarantee consumers the same basic rights as when they purchase a good: the right to get a product that works with fair commercial conditions,' becomes law. The idea of making Microsoft pay for the billions of dollars of damage caused by flaws in its products is certainly attractive, but where would this idea leave free software coders?"

Not my fault

[oh_bugger]

As a developer, I say that surely it's the tester's fault if there's flaws!

Re:Not my fault

[s_p_oneil]

Hmm, it would probably go like this:

Engineers: "It's the software!"
Developers: "It's the hardware!"
Both: "Why didn't the testers catch this?"
Testers: "That wasn't one of the use cases, so it's the designers' fault."
Designers: "The product wasn't meant to be used that way, so it's a documentation error if the tech writers didn't tell users not to do that."
Tech writers: "Don't look at me, I just write what you guys tell me to write."

Open Source Developer: Don't look at me. My users contribute design ideas, code, docs, testing, etc. So if there's a problem, it's their fault 4 times over for designing it, coding it, failing to test it, and failing to document it. ;-)

Re:Not my fault

[naoursla]

It worked on my box.

Re:Not my fault

[CarpetShark]

Actually it'll probably work out like:

Providers: Yeah, it's broken, sorry. Contact our insurance company, and put in a claim.

Clients: Oh, you're insured for this? Great.

Providers: Yeah, of course. We're pros, and totally insured for this, like all the other pros. Why else do you think you couldn't get a two-page website for less than $12,000?
 

Re:Not my fault

[koutbo6]

Good luck also untangling the dependency mess in software, I doubt it would be difficult to pin down who is really at fault.

Think of the mess when people start suing developers of web applications!

App Developer: Its the browser!
Browser developer: its the JavaScript library!
JavaScript library Dev: its the VM developers!
user again: Yeah lets sue Sun!
Javascript developer: JavaScript is not ...you know what ..your absolutely right! go for it

User can't find Sun and sues Microsoft for VBScript because its the closest thing to it.

Microsoft: Oracle bought Sun.
Oracle: Hell I knew I shouldn't have bought Sun, anyway, Java is OpenSourced so I have no control over it.
Java developers: JavaScript is not Java!
User: Why am I here?
Java developers: I don't know, but if there is anything wrong, its usually Microsoft's fault.
Microsoft: .... [chairs start to fly and hit user on the head]
Microsoft Lawyer: Lets counter suit the chair manufacturers for not anticipating our use case.

Fast forward to court date after every software and furniture manufacturer under the sun gets involved in the case....

User's lawyer: What do you mean you got windows off of pirate bay? You could have mentioned this small detail before I took on your case!
RIAA Lawyer: Don't worry, you can plead insanity, and I can take it from here.
TPB: Argh! We be hosting the tracker only mate! not the software! the software be hosted in china.

After a very long court proceeding which involved everybody under the sun and caused three world wars, two nuclear stand-offs, and countless bus parties... a strange group of people came crashing into the courthouse

Guys in red:Nobody expects the Spanish Inquisition!

and it starts to go downhill from here!

Re:Not my fault

[sjames]

Insurance company: Did the contract specifically say you could use that menu item while wearing a green shirt?

Clients: Well no, not specifically, but...

Insurance company: DENIED!!!!!!!!!!!!!

if you pay you get working stuff or a refund,

[A+beautiful+mind]

if you get it for no price, you don't enjoy such priviledges.

If someone sells GPL based software, they are free to do so and pick up the tab on flaws in the product. Same goes for proprietary software.

This should have been done at least 10 years ago.

Re:if you pay you get working stuff or a refund,

[rliden]

Do you really want to pay for perfect? There are risks associated with anything and buying perfect costs a hell of a lot of money.

This is an issue that is more complicated that should developers be held liable for perfection. Is it good enough to work reliably in most cases? Was there a malicious or negligent intent to box and bunch of schlock? There are a lot of good questions that could be asked here when trying to define the responsibility and accountability of development companies.

The market for proprietary software and the community for open source software does function pretty good for weeding out the crapware.

Re:Where would this idea leave free software coder

[superwiz]

Going to medical school.

umm... to avoid being sued?

GPL

[neoform]

http://www.opensource.org/licenses/gpl-license.html

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Stupid Idea

[Courageous]

The idea that code should be perfect is a stupid idea: consumers don't want that.

They want "good enough," not perfect. Perfect costs a great deal of money, probably 4X, and consumers will buy the good enough product, at 1/4 of that price, well beyond 95% of the time.

C//

Re:Stupid Idea

[rlseaman]

The idea that code should be perfect is a stupid idea: consumers don't want that. They want "good enough," not perfect. Perfect costs a great deal of money

Your comment is "insightful", but it is beside the point. This is exactly the same issue with all engineering. An object manufactured to better standards than needed for the purpose is an overly expensive object. The question rather is the web of responsibility. If Microsoft or Google or even somebody's shareware makes a claim of suitability, certainly the consumer should have redress when it proves unsuitable.

There are many other dimensions of this issue. For instance, the software industry is well known for adding pointless complexity - features that nobody ever asked for. If GE added a can opener to a toaster, they would be liable for any unexpected risks this reveals, but Microsoft can make Word so complex that businesses using it accrue large expenses related to training, etc., and risks related to misformatted and delayed documents and so forth - and yet Microsoft currently faces no significant market pressure from liabilities associated with having broken their own product.

Re:Stupid Idea

[Anonymous+Brave+Guy]

Exactly. The problem with trying to enforce this kind of measure for software is that there is a cost/performance curve, and most people don't want to pay to be right up at the end of it.

Heck, no-one in the world knows how to get right up to the end of it. Even the guys at NASA, whose development process is awesomely effective at producing reliable software compared to the the commercial/home user industry, still get bugs. Given the nature of their work, their bugs can cost as much in a single mission as a bug in widely used home user software costs spread across the whole user base, potentially including a cost in human lives, so it's not like they're hiring stupid people or not trying to get everything perfect.

Re:Stupid Idea

[14erCleaner]

Perfect costs a great deal of money, probably 4X

With free software, it's even more than 4X. Maybe even 10X.

What if..

[Mastadex]

Say a developer uses a number of 3rd party libraries (ie. Boost, TinyXML, etc), who will be pay damages if the program crashes in a bad way? The developer for not trying to catch 3rd party crashes, or the 3rd party for writing in bad code?

Re:What if..

[A+beautiful+mind]

The one who sells the given product. This is all about sale.

If my harddrive breaks within warranty period, I don't go to the company who manufactured the silicon or the ICs, I go to the retailer or Samsung, who sold me the drive.

Only if they get final say on release of the code.

[GuyverDH]

Until the coders get total control of the project, from inception to completion, then no, they cannot be held responsible for bugs in the code.
How many companies push to get code out the door with *imperfections* - claiming they'll fix those in the first update?
Too many these days.
I'd say it's the management that controls the release schedules that should sign their names in blood on the bugs still known about (and unknown as testing probably wasn't allowed to complete).

Re:gpl comes with a license

[A+beautiful+mind]

you can sue a soup kitchen if it gives you food poisoning.

Sure, since that's a public health matter. If software controlling an aircraft crashes and causes the aircraft to crash too and that kills people, I'm pretty sure the software makers might end up liable too.

To continue your analogy, if a soup kitchen gives you soup that is too cold, comes in a plastic bowl and is too small of a portion, you've got nowhere to turn with that and you should have nowhere to turn with that, it is gratis after all. On the other hand, if this happens in a restaurant that calls itself high quality and advertises the famous chicken soup from a master chef and you get the same treatment, then there are numerous consumer protection agencies in Europe at least to fine the given restaurant.

The word: Purchase

[MathFox]

Most EUropean countries have clauses in their laws that instruct the judge to take the price of the good into account when considering what would be a reasonable quality for a product. A corollary of that is when you give something away for free, the expected quality level is something like "not known harmful".
When you buy software, for example a Linux distribution, you may expect that the distributor has tested the packages and that the software mostly works. Because you pay more for MacOS, you may just expect MacOS to work better.

Off course there has to come jurisprudence on all this, but I don't think that finding just one bug will entitle you to your money back. However, when the software won't work at all for you, the supplier can not hide behind EULAs and could be forced to compensate your damages... It will be a case-by-case balancing of responsibilities.

Licensing and Accredidation

[iluvcapra]

If the EU wants higher-quality software, they should support an industry-wide system for the licensing and qualification of programmers, like we have for other engineering disciplines and professions. For example, they could require that all government software, or software for use in aircraft and life-critical functions. These developers wouldn't be "better" than anyone else, but they'd have taken an exam and be nominated by their peers, like a state bar.

If the software is developed by professional developers with licenses, it gets a big seal on it, and then people can choose to buy it or not based on the rep of the licensing body, and their risk tolerance.

Re:gpl comes with a license

[Timothy+Brownawell]

If software controlling an aircraft crashes and causes the aircraft to crash too and that kills people, I'm pretty sure the software makers might end up liable too.

Actually it would probably be whoever decided that that software was OK to use in an aircraft. If I were to somehow get an aircraft and install Gentoo on some critical system, I'm pretty sure I'd be the one to get in trouble rather than the Gentoo or Linux (kernel) or Glibc people.

Re:gpl comes with a license

[chill]

Except you just can't run anything for aircraft control. Read the fine print on software like Java, Windows and other items. You'll see it explicitly states you are not to use it for nuclear power plants, aircraft control and other life-critical applications. There are special rules for the super-critical stuff.

On the other hand, if this happens in a restaurant that calls itself high quality and advertises the famous chicken soup from a master chef and you get the same treatment, then there are numerous consumer protection agencies in Europe at least to fine the given restaurant.

That concept is so pathetic I don't know where to begin. Consumer protection agencies to fine a restaurant for poor quality and bad treatment? Are Europeans that big of pussies? What is wrong with "tell your friends they suck, don't eat there" and watch their business evaporate? You can't be serious that the government steps in for things like this!?

open source is still not liable

[voss]

Because the software is not purchased there is no contract. "permission to use" is not the same as a sale.

Re:gpl comes with a license

[jabithew]

Doesn't GPL have explicit anti-sue protection, with that whole section on lack of implied merchantability or warranty?

This program is free software: you can redistribute it and/or modify
        it under the terms of the GNU General Public License as published by
        the Free Software Foundation, either version 3 of the License, or
        (at your option) any later version.

        This program is distributed in the hope that it will be useful,
        but WITHOUT ANY WARRANTY; without even the implied warranty of
        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
        GNU General Public License for more details.

        You should have received a copy of the GNU General Public License
        along with this program. If not, see http://www.gnu.org/licenses/.

From the GNU how-to.

Does anyone know how this would interact with the potential EU law?

Re:gpl comes with a license

[rackserverdeals]

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.

If the law changes and requires software to offer a warranty then the GPL will be vulnerable. Even if the GPL didn't include that statement, a court could invalidated it because a contract that breaks the law is not legally binding.

Changing a license for a big project isn't always easy.

This will most likely hurt companies like Redhat, Canonical, Novell and other corporate open source contributors because they will have to stand by their products and you're bound to get a few cases where they have to pay up.

But it's not a law yet.

Re:gpl comes with a license

[h4rm0ny]

A good analogy is like a map that lets you see a wider view of the terrain. A bad analogy is like the wrong sort of petrol in your car.

Re:gpl comes with a license

[Pentium100]

I know a joke based on this:

If food makers used the same licenses as software makers, then in a opaque box, there would be a license agreement:

1. The manufacturer does not guarantee that this item can be used for food and is not liable if it is not suitable for eating.
2. The user is not allowed to examine the contents of this item (for example to look if it had rat tails in it).
3. The user has a right to use (eat) the product, but does not become its owner.
4. The right to use (eat) the product gets only one person.
5. The user does not have a right to sell of give away the product to third parties.
6. The manufacturer does not guarantee that the product is free of hazardous materials (for example, rat poison, dioxin etc).
7. The manufacturer is not liable for any health risk to the user because of the product.
8. The manufacturer guarantees that the box is made of high quality materials and, if there is a flaw in it, will replace the box. This does not extend to the product that is in the box.
9. By opening the box and reading this agreement the user automatically agrees to it.

Re:gpl comes with a license

[Stewie241]

Well, as somebody with an engineering degree, I know that we were taught that we were responsible for designs produced using software products. So, for example, if one used structural design software to design a building, and that software gave erroneous results, you are to blame, and not the software.

Aircraft software

[Okian+Warrior]

I make software that goes on an aircraft for a living.

All such software is required to be certified by the FAA, which has elaborate requirements for development, documentation, and testing (the applicable document is DO-178B).

I'm told that the reason for certification is not safety, but culpability. If your software satisfies the requirements and passes review by the FAA, then your company will not be held liable if it causes problems.

In essence, certification represents "best effort" engineering practices and tries very hard to eliminate bugs in the final product.

By the time a software package gets on a plane, many people have combed over it looking for problems, and the testers have spent a massive amount of time running it. There is a safety/failure hazard analysis which asks all the "what if" questions, and the flight crew has written procedures in case it fails.

If a bug is found after deployment (this happens occasionally) and it is discovered that there was a flaw in the certification process, all hell would break loose. It would open up the FAA and the company to all sorts of lawsuits from injured parties. The people who signed off on the certification would essentially be screwed.

The FAA is generally a bunch of bureaucrats. The one thing they do well is look out for their own interests.

Oh, and I worked for the company that got Microsoft Windows certified to run in the cockpit as a map display. It's Posix compliant, dontcha' know!

Re:"May Contain Bugs"

[mfnickster]

> I'm looking at a silica packet that is labled, "Do not eat."

I followed those instructions and nearly starved to death!

My lawyer advised suing for "negligence causing anorexia."

Re:gpl comes with a license

[Tablizer]

The bar for coding [engineered] things is so much more higher than for say writing a GMail Clone. If an email service goes down people typically arent going to die as a result.

What if somebody sent the message, "Don't eat that banana, it's poisoned". But your Gmail clone loses some words and the other side gets, "eat that banana" only?