Slashdot Mirror


Outlining a World Where Software Makers Are Liable For Flaws

CowboyRobot writes with this piece at the ACM Queue, in which "Poul-Henning Kamp makes the argument for software liability laws. 'We have to do something that actually works, as opposed to accepting a security circus in the form of virus or malware scanners and other mathematically proven insufficient and inefficient efforts. We are approaching the point where people and organizations are falling back to pen and paper for keeping important secrets, because they no longer trust their computers to keep them safe.'"

25 of 508 comments

  1. Sure by recoiledsnake · · Score: 5, Insightful

    It will just cost 100x more, just like healthcare with the torts. Time to take out software developer insurance, similar to the healthcare insurance of approximately 1 million dollars a year paid by doctors these days.

    --
    This space for rent.
    1. Re:Sure by maliqua · · Score: 3, Insightful

      And software development grinds to a halt. Open source vanishes; who's going to donate time to a liability?

    2. Re:Sure by Anonymous Coward · · Score: 4, Insightful

      It's very important we decimate the last industry the US has that's still mostly functional, profitable, and productive

    3. Re:Sure by sqlrob · · Score: 4, Informative

      What liability?

      Clause 1. If you deliver software with complete and buildable source code and a license that allows disabling any functionality or code by the licensee, then your liability is limited to a refund.

    4. Re:Sure by mandelbr0t · · Score: 4, Insightful

      Give me a fucking break. First I was hired as a hacker, then I was told that I no longer had the required credentials to work in software, and now you want to tell me the degree I've gotten is the wrong one? Go fuck yourself. I have no problem carrying liability insurance, but this shared delusion that only engineers can possibly write good code is merely an attempt to make software development an activity of the elite. And people wonder where groups like Anonymous and LulzSec come from.

      --
      "Please describe the scientific nature of the 'whammy'" - Agent Scully
    5. Re:Sure by Amouth · · Score: 3, Insightful

      so a PE can get out of being liable for a badly designed bridge by putting the blueprints and the bill of materials on a sign before you get on the bridge?

      there is a point where i agree that the programmers should be liable for their code - to the extent that it shows negligence. the fact that software for so long has gotten away with "good luck, thanks for the cash" mentality is kinda sad.

      I am a programmer - and i would be willing to stand behind my code used in the environment for which it was intended.. but at the same time i would want to be compensated for the risk.. same way a PE gets compensated based on the scope of work they have to sign off on.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    6. Re:Sure by Daniel+Dvorkin · · Score: 3, Insightful

      Ah, idealism! The proposed law, with Clause 1 in place, and enforced, doesn't sound too bad. Do you really think that's the way it would work? In the real world, any software liability law would be written by lobbyists working for Microsoft, Oracle, Adobe, EA, et al., and there is no way in hell it would make life easier for open source developers than for the big commercial developers.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    7. Re:Sure by slippyblade · · Score: 4, Insightful

      am a programmer - and i would be willing to stand behind my code used in the environment for which it was intended..

      ROFL! Wow, you actually expect liability to be limited to the scope the product was INTENDED? That ranks up there with lawsuits against toys because little jimmy choked on a Lego brick or Peggy Sue shoved a jet fighter figure up her nose and shot the plastic missile into her sinus. There is no limit to the stupid and out of intended uses people will put things. There is NO SUCH THING AS IDIOT PROOF. The world keeps making better idiots. If this becomes law, at some point you WILL be sued. No ifs, ands, or buts about it.

    8. Re:Sure by Anonymous Coward · · Score: 4, Insightful

      the fact that software for so long has gotten away with "good luck, thanks for the cash" mentality is kinda sad

      Genuinely critical software isn't usually handled like this.

      The whole premise is retarded. You want guarantees? Great, we already have a handy tool of commerce for that. They're called contracts. Just a heads-up... it's going to cost more.

    9. Re:Sure by dohnut · · Score: 5, Insightful

      No, licensed engineers just cover their asses better.

      Or do you think the engineer should be held liable when someone parks a 30 ton vehicle on a bridge rated for 10 tons and the bridge fails? Well, then why should a software developer be held liable when the software asks you to enter your name and, instead, you feed it data which causes a buffer overrun which allows you to root the database server and steal everyone's credit card numbers? If you would have just entered your name correctly that never would have happened. A clear case of misuse if I ever saw one.

      I think software developers should be liable but the liabilities need to be defined first. And if someone hacks the software outside of the scope of the security standards and practices that have been set by the government, put in place correctly by the developer and verified by the assigned regulatory bodies then there is no liability if something goes wrong.

      Meanwhile the cost and time required to develop software will skyrocket. If you need any evidence of that, just look at how much time and money it takes to build a bridge these days.

      --
      Stupider like a fox! - H.S.
    10. Re:Sure by digitig · · Score: 3, Interesting

      No, you just find that all software production is shifted offshore outside the jurisdiction of such a law, and you will find in the small print of your license that by purchasing the software you are acting as the importer and so accepting legal liability for any defects.

      --
      Quidnam Latine loqui modo coepi?
    11. Re:Sure by publiclurker · · Score: 3, Informative

      Or even the cost of defending things that are not your fault. I worked for a company once where a contractor-provided module required 3rd party drivers. The installer for these drivers would occasionally do strange things, making the module act funny and causing problems in our program. The customer does not care about any of this; all they know is that they bought your program and every so often the screen goes blank. They are going to sue you, and then you'll have to go through the chain of ownership to get things straightened out.

    12. Re:Sure by Microlith · · Score: 4, Insightful

      They already have the beginnings in place.

      It's called "patent indemnification," which they insist that vendors must have. Yes, effectively "patent violation insurance" to keep other companies off your back. Granted it's not entirely "liability insurance" but it's a step towards the state where you cannot develop software independently, but instead must be under the thumb of some larger corporation (or somehow have millions in insurance) to write and distribute software.

    13. Re:Sure by ScrewMaster · · Score: 4, Interesting

      so a PE can get out of being liable for a badly designed bridge by putting the blueprints and the bill of materials on a sign before you get on the bridge?

      there is a point where i agree that the programmers should be liable for their code - to the extent that it shows negligence. the fact that software for so long has gotten away with "good luck, thanks for the cash" mentality is kinda sad.

      I am a programmer - and i would be willing to stand behind my code used in the environment for which it was intended.. but at the same time i would want to be compensated for the risk.. same way a PE gets compensated based on the scope of work they have to sign off on.

      What truly irks me about discussions such as this is that everyone wants to lay the blame on the programmer. It is the organization that is at fault. Matter of fact, the responsibility for a defective software product lies squarely with upper management. Frankly, I just don't get this perceived need to roast programmers and software engineers alive, when defective designs in every other industry cause harm, and nobody talks about throwing those engineers under a bus.

      Standing by your code is one thing: taking the legal responsibility for a finished, shipping application that has problems that you would certainly have fixed if you knew about them is something else again. Management decides who works on what project, how much (if any) quality control time is assigned to that project, management decides what bugs are minor enough to fix in an update (and sometimes they're wrong about that.) Management decides who to hire in the first place.

      I work in an industry where my codebase, if it were to malfunction in any serious way, would be a major problem for some rather large plants worldwide. But here's the thing: if the responsibility (and legal penalties) for such problems were mine, and mine alone ... well, guess what. I wouldn't be a software engineer anymore. Why should I go to jail, or be bankrupted with legal fees, when I did a perfectly competent job, but a bug still managed to get by QC? Might as well put the QC team on the hot seat too: they're the ones that missed it. Fact is, the corporate veil is there for a reason.

      In any organization it's the people at the top (the people who get the big salaries and golden parachutes) who ultimately maintain responsibility for such failures. And that is how it should be: they make the big decisions, they're the ones who allocate resources. Your average code monkey is no more at fault for a product failure than the janitor. That's why, unless there's gross mismanagement, it's the company that is penalized, not the individual employees. There are supposed to be checks and balances. Face it people: we know how to do code right, but most vendors simply don't want to spend the money.

      That bridge you were talking about is a perfect example: the reason bridges don't fail very often because of design flaws is because those designs are reviewed and cross-checked and signed off upon by a slew of other engineers and designers who make sure the design is solid. It's that way because nobody is perfect. Again, who decides how much code review and design assurance is necessary? Yeah, you got it: management.

      All the disclaimers in the world don't mean squat in court if your software causes significant economic or physical harm. The company that produced it (not the individual developers) certainly can be sued and redress granted. But penalizing individuals for systemic problems within a given organization? Even discussing that is patently ridiculous.

      There's no good reason to burn engineers at the stake. Plenty of reason to boil a lot of CEOs and managers in oil though.

      --
      The higher the technology, the sharper that two-edged sword.
  2. You can't trust code ... by LordNimon · · Score: 5, Informative

    "You can't trust code that you did not totally create yourself."

    I can't trust the code that I did totally create myself, either.

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
    1. Re:You can't trust code ... by amicusNYCL · · Score: 4, Interesting

      That reminds me of an anecdote one of my CS professors mentioned. When fly-by-wire technology for passenger planes was starting to get rolled out, they polled some people about their willingness to fly on a plane that was controlled by a computer. The group that had one of the largest negative responses was programmers. For everyone else the software is just magic.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:You can't trust code ... by dohnut · · Score: 3, Informative

      I can't trust the code that I did totally create myself, either.

      When was the last time any of us totally created code? I've been coding to various operating system APIs for a long, long time. Even back in the DOS days I made quite a few DOS and BIOS calls. We use(d) lots of 3rd party libraries for various things. Not to mention the libraries that come with your compiler/IDE.

      I'm pretty sure I've never totally created any runtime code. Maybe some useless crap I did back in an assembler class would count?

      I did have a Radio Shack 8-bit processor kit when I was a kid though. That was all machine language (there was no ROM or non-volatile storage). However, I still had to trust that the opcodes did what they were supposed to do. Intel (and others) have shown us you can't even count on that all of the time.

      --
      Stupider like a fox! - H.S.
  3. People need to stop equating software to buildings by Derekloffin · · Score: 5, Insightful

    You can overbuild a house, and it generally makes it stronger. If you over-code a piece of software, it just adds to the number of possible points of failure. The two really aren't good analogies for each other. That doesn't even consider things like how maintenance of both is handled, interactions of hardware, varying setups, and just simple complexity.

  4. All we need is Love by migla · · Score: 3, Interesting

    ... All we need is love and Free Software. And even the love is not strictly a requisite.

    Let's say everyone owns Free software, so nobody (i.e. everybody) is liable for faulty Free software. Everybody (i.e. nobody) pays.

    In other words, sure, let the proprietors of proprietary software pay for software behaving badly.

    If the software is free it's everybody's and nobody's responsibility. It's like culture and language in general. We do it together.

    Who's with me?

    --
    Some of my favourite people are from the US: Vonnegut, Chomsky, Bill Hicks.
  5. Don't trust applications, ever by ka9dgx · · Score: 3, Interesting

    The responsibility for preventing security problems with PCs should strictly fall into 2 places, the User, and the OS.... however... not the way 99.99% of you are thinking about it.

    The user should decide what resources a program NEEDS in order to do a task, such as which folder it can access, what network connections, etc. This allows the user to decide ahead of time what they are willing to risk. Once that determination is made, the user then would give that list, along with a pointer to the program, to the operating system.

    The OS should then enforce the user's choices.... if it's not in the list, the application shouldn't even be able to find it, let alone access it. If the OS fails to enforce the user's will, then the OS is at fault.... if the User gave away the store, well... they gave away the store.

    This requires a simple change to the base design of operating systems, instead of permitting everything, and limiting actions of a running program to that of the user's account... the OS should limit the actions of the program to a short list of resources supplied by the user... and nothing else. Of course, the refactoring of everything to add this additional layer of logic is a massive undertaking.

    There would still be the traditional user rights, access control lists, etc.... but there would also be a level of control where the user decides which of the resources they have should be given to the application. This is called "capability based security", or cabsec for short.

    It's going to take somewhere between 10 and 15 years before people are fed up enough to make the switch.... but it will happen eventually.

    Security isn't an application issue... it never was, and never will be.
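
The capability list and enforcing broker that this post sketches, as an added Python example (constructed here; not code from the post or from any existing cabsec system): the user's per-program list is intersected with the account's own rights, and anything not on the list is both unreadable and unlistable. The paths, hosts and file contents are made up.

```python
from dataclasses import dataclass
# Constructed in-memory filesystem for the demo: path -> contents.
FILES = {
    "/home/alice/docs/report.txt": "quarterly numbers",
    "/home/alice/docs/notes.txt": "todo list",
    "/home/alice/.ssh/id_rsa": "PRIVATE KEY (constructed sample)",
    "/etc/shadow": "root:*:0:0:::",
}
# Traditional account-level rights: alice may read her own home tree only.
USER_RIGHTS = frozenset({"/home/alice"})

def _under(path: str, directory: str) -> bool:
    return path == directory or path.startswith(directory.rstrip("/") + "/")

@dataclass(frozen=True)
class Broker:
    """OS side: checks every access by one program against the list the user
    supplied for it. Reachable = account may use it AND user listed it here."""
    files: frozenset   # directories the user exposed to this program
    nets: frozenset    # "host:port" endpoints the user allowed

    def _allowed(self, path: str) -> bool:
        return (any(_under(path, r) for r in USER_RIGHTS)
                and any(_under(path, d) for d in self.files))

    def read(self, path: str) -> str:
        if not self._allowed(path):
            raise PermissionError(path)
        return FILES[path]

    def listdir(self, directory: str) -> list:
        # Unlisted resources are invisible to the program, not merely unreadable.
        return sorted(p for p in FILES if _under(p, directory) and self._allowed(p))

    def connect(self, host: str, port: int) -> str:
        if f"{host}:{port}" not in self.nets:
            raise PermissionError(f"{host}:{port}")
        return f"connected to {host}:{port}"

def run_untrusted_app(broker: Broker) -> dict:
    """Simulated third-party program probing for more than it was granted."""
    attempts = {
        "report": lambda: broker.read("/home/alice/docs/report.txt"),
        "ssh_key": lambda: broker.read("/home/alice/.ssh/id_rsa"),
        "shadow": lambda: broker.read("/etc/shadow"),
        "home_listing": lambda: broker.listdir("/home/alice"),
        "api": lambda: broker.connect("api.example.com", 443),
        "tracker": lambda: broker.connect("tracker.example.net", 80),
    }
    results = {}
    for label, action in attempts.items():
        try:
            results[label] = action()
        except PermissionError as e:
            results[label] = f"DENIED {e}"
    return results

# The user's decision for this program: the docs folder plus one API endpoint.
DOCS_ONLY = Broker(frozenset({"/home/alice/docs"}), frozenset({"api.example.com:443"}))
```

Running `run_untrusted_app(DOCS_ONLY)` shows the docs read and the API connection succeeding while the key file, the shadow file and the tracker host are denied, and the home listing contains only the two docs files.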

  6. Re:Another law? No thanks. by shutdown+-p+now · · Score: 3, Insightful

    The buyers bewared, ganged up together, and started to act pre-emptively.

  7. Re:Another law? No thanks. by Ichijo · · Score: 3, Insightful

    The author is talking about making the producer of bad software liable, just as we would hold a gun manufacturer liable if the gun blows up in a person's face.

    --
    Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
  8. Re:Another law? No thanks. by 1729 · · Score: 5, Funny

    Funny, none of my firearms actually say don't point at face

    It's usually engraved at the end of the barrel. Look closely.

  9. I proposed something similar in 2000 by Animats · · Score: 3, Insightful

    I proposed, back in 2000, that Microsoft be required to provide a full warranty on their products as part of their antitrust remedy. "Full warranty" has specific meaning in US law; see the article. A few vendors have provided full warranties and not found it too expensive. Notably, GTech, which builds gambling systems, is held financially responsible for errors made by those systems. This costs GTech less than half of one percent of their revenue.

    It's time for the computer industry to grow up and take on warranty responsibilities. The auto industry had that forced on them by Congress in the 1960s, over the screams of the auto industry. Cars rapidly became safer and more reliable.

  10. Re:Crash! (Web of responsibility) by Paul+Fernhout · · Score: 3, Insightful

    "Wouldn't you hold the software developer accountable for that?"

    Which gets to why this idea by itself won't work.

    First, who is the "software developer" of a system that uses lots of modules from a variety of vendors (including hardware aspects)? You have an entire ocean of people involved with a big project like that from designers to coders to testers to users...

    Second, companies will just use corporate law to create liability shields where each part that could go wrong will be in its own sue-able unit with minimal assets.

    Third, let's say something does go wrong, and you can point at a bit of offending code. But, was that really the problem? What about the compiler not smart enough to catch a *semantic* error? What about the simulators that were not good enough to discover the bug in advance? What about the testing procedures? What about the broken CS training programs that focus on theory and not practice? What about the managers who picked a poor development platform because it was popular? When you can go up a chain (or web) of responsibility, why blame the coder at the bottom when there are so many factors involved in making that accident, some of which operate on different timescales?

    This whole issue is part of the reason why things like Forth and Smalltalk were so wonderful as small and understandable self-reflective systems, but we got mainstream adoption of buggy C/C++ and bloated Java instead. When the plane crashes from a pointer error, maybe we should blame those who did not choose to support Smalltalk decades ago?

    --
    A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.