Software Developer Liability Up For Debate In Europe
from the this-again... dept
A few years ago, there was a lot of attention paid to the question of whether or not software developers should be liable for bugs and security holes found in their software -- with some even suggesting that "lemon laws" should be extended to cover software products, allowing people to return software that was excessively buggy. In a 2005 discussion on the subject, we suggested that adding such liability wouldn't do much good, because software will pretty much always be buggy in some form or another. While we hadn't heard much on the issue lately, it appears that it's back up for debate in Europe, where the European Commission wants to make developers liable for buggy code. What's really odd here is the reasoning being given, as one of the commissioners backing the plan claims: "more accountability for software makers, and for companies providing digital services, would lead to greater consumer choice." Really? Increasing liability would increase consumer choice? Somehow I doubt it.
While I can understand the argument that buggy software is bad, and it sucks when people buy something that is less than promised, it's difficult to see what a law can do to fix it. This really does seem like a case where the market is better suited to fix the problem. If you build a buggy product, that is just an opening for someone else to build a better product.
Reader Comments
'ceptin
>for someone else to build a better product.
That would be true if it weren't for all the software patents and the hassles with both trademarks and copyrights. Can't build a less buggy something that's been covered by a patent. Can't use someone's trademarked name to advertise your competing product. Can't import the competitors databases, flat files, or other because those data are copyrighted/able. Blah, blah, blah.
Re: 'ceptin
Just because there is a defect ridden (defect is preferable to 'bug') large piece of software, doesn't mean that it's cost-effective to try and replace it.
The big problem is that there is no, for lack of a better word, 'blueprint' for software before it is developed. By and large, it's grown from the minds of the developers and the marketers. Without a specification -- not a feature list, but a specification that states clearly how the program should work -- nothing will change.
And, documentation is not a specification.
I think liability is a good thing. It's going to either force new insurance businesses, or software companies will get serious about quality.
By way of comparison: if not legislated, do you think the auto manufacturers would have improved quality on their own? Builders of buildings? How about product safety? Lead in paint?
The market has not, does not, and never will solve all the woes of the world, no matter what you like to think, Mike. Rarely, if ever, does it solve consumer problems.
I dont get it
I understand that certain equipment has elevated expectations of reliability; medical, aerospace, etc., but is a BSOD on your desktop really something that should end up in court? And why should it be the responsibility of government to prosecute?
Re: I dont get it
"Dont the existing consumer protection laws already address these concerns ? Is software somehow exempt from them and therefore new regs are required ?"
In a word, yes. If a faulty heater starts a fire that burns down someone's house, the heater manufacturer can be held liable. If a faulty program trashes the data that supports someone's online, financial, or professional life, they're SOL.
Bruce Schneier has much to say on this topic. This is a good summary.
Re: I dont get it
No.
Is software somehow exempt from them and therefore new regs are required ?
According to the EULA that comes with every piece of software, they are. The next time you install a program, whether it's an app or a game, stop and read the EULA. You'll find two sections that are very interesting. The first will say that the software is provided "as-is" and that there is no warranty of any kind on it. They will not guarantee that the software will be suitable for your intended purpose, or that it will even run at all. The second will say that the company is not liable for any damages that may arise from the use of their software, even if such damages are proven to be the result of defects in their program.
I understand that certain equipment has elevated expectations of reliability; medical, aerospace, etc., but is a BSOD on your desktop really something that should end up in court?
What if you use TurboTax to do your taxes and then later discover it has a bug in the calculation routines, causing the IRS to hit you with a $1,000 penalty? Do you just shrug and say "Oh well..."? Or would you want the software company to take responsibility for their screwup?
Re:
But yet if you buy a TV that ends up being defective, you'd expect the manufacturer to be held accountable. Or you'd expect the store to refund your money, neither of which is an option for software.
It is, but..
I'm sure introducing liability laws would cut the number of bugs and allow people to seek recourse for damages inflicted on their corporation and person resulting from insecure and unstable software. I do agree though, it will cut down on the breadth of "acceptable" products; acceptable is in quotes because there is a lot of junk around that people use.
However, just like engineers are liable, we developers should also be liable. For example, there are plenty of options in the automobile market now, so perhaps being liable wouldn't be as bad as one might think... or would you rather be buying cars from a deregulated market? Cars that are made DIY in a garage in India by somebody who is just winging it, and trust that if the car folds like a sheet of origami paper with you inside (thereby demonstrating that it is a poor product), someday Adam Smith will rise from his grave to avenge you by lowering their share prices .0001 cents.
Re: It is, but..
But the points Sam I Am Not brings up are quite correct; when was the last time Microsoft released an operating system that was fit for purpose straight out of the box? But they continue to get away with it because their de facto monopoly is so entrenched that no power on Earth can fight it.
This legislation is going to cause all manner of trouble if it passes, but does anyone actually have a better idea?
Programmer Confidence
Every programmer believes that when he fixes a bug in his code it is the last bug.
Every programmer believes that when he fixes a bug in his code he did not introduce a new bug.
Re: Programmer Confidence
NO moderately knowledgeable programmer would release software without a license or something the user agrees to that releases them from any liability.
NO moderately knowledgeable programmer will write software where they will be held liable for unexpected damage.
Re: Programmer Confidence
Every programmer knows his code has bugs.
Every programmer hopes when he fixes a bug in his code that he's approaching the line where buggy/bug free classifications involve more theoretical proofs than actual encounters.
Every programmer prays when he fixes a bug in his code that he did not introduce a new bug.
Isn't usually the developers problem
It is the companies that push out code out with impossible deadlines and minimal QA that create most of the problems.
Please!
Of course, before I will allow him to install my software, I will require that he have version 10.7.4.99q build 679pqy of his OS, then I will need him to make sure that his video driver is version z69. You know, the version that was recalled because IT was buggy.
Just shoot me please!
There is no real way to guarantee that one piece of software is actually buggy without first proving that the rest of the system in question is completely, absolutely 100% bug free. What about that malware that got installed when the user installed the new buzzWidget tool bar on his browser?
This is just another way of making ambulance chasers richer!
Re: Please!
When the next OS update comes out, how do you know it won't introduce new errors into your code that relies on its core libraries?
Are we going to be sued first when a network connection/hard disk issue causes data loss?
With millions of potential hardware configurations, it is impossible to write error proof software.
are you joking? you have no idea what you're talking about
second, there's products liability which is a torts law issue. market forces simply cannot handle products liability. look at the ford/firestone tire ordeal. do you know how many people _died_ because of that? it wasn't until AFTER the multi-million dollar JUDGMENTS came in that ford/firestone got destroyed. something like that usually takes a few years for the damages to roll in. by saying we should let the market figure it out, you're saying that we should allow this kind of damage to continue until the business entity gets sued out of existence. similarly, software developers create products that cause immense financial harm to people all the time (like blaster a few years ago, or the 100% technical crash for the london stock exchange a few months ago). it's one thing to have a few bugs here and there, but a lot of multi-platform code is buggy as hell on every single platform it was designed for. the market is simply incapable of handling this. one perfect example of this is windows update. if you leave an application running, and you have windows update set to automatic, windows can restart your computer on its own. back in windows XP, the early iterations would just restart your computer regardless of what you were doing which meant lots of lost work. later iterations required you to click a box, but if you were typing when the box came up, your input would go into that popup, and it was VERY easy to inadvertently trigger an instant reboot. vista STILL does this (i don't remember the name for this behavior, but security experts have a name for it when used as an exploit -- which also happened all the time with activex).
and before you say "hey YAW, software is a service, not a product," you need to know that products liability is a section of tort law that has forms in negligence and strict liability. both negligence and strict liability also apply to services. if you go get a tire changed, and the mechanic fails to tighten your lugs properly, you can still sue the mechanic for negligence and the standard is exactly the same as for products liability.
I wonder what the monthly premium would be...
Think of it like Directors and Officers Liability Insurance and you'll get the basic idea.
Hmm..
Re: I wonder what the monthly premium would be...
http://en.wikipedia.org/wiki/Directors_and_officers_liability_insurance
A Market For Lemons
Bruce Schneier discussed this awhile back.
It seems to me the only solution is Open Source; then the customer sees exactly what they’re getting, and can make a fully-informed decision.
Re: A Market For Lemons
Will all the developers who have contributed be held liable as well?
Re: A Market For Lemons
"... the proposed regulatory extension would cover all software, including beta products, and would cover both proprietary and open-source software."
Besides you don't actually BUY software, you buy a license to use it. That license includes a section on limited liability, usually printed at the bottom of the agreement in ALL CAPITAL LETTERS indicating that it's serious business.
As a small time developer I would have to say that being required to write bug-free code will put me and everyone else out of business. The insurance costs alone would be murder, on top of the insurance I already need, because I CAN ALREADY HAVE THE PANTS SUED OFF OF ME IF I FUCK UP.
Re:
Which is one of the reasons that Intel/Windows systems always seemed like a poor choice to be the dominant computer system in the world to me. Older computer systems like the Apple and Amiga had mostly closed architecture and with some small exceptions you knew that a program would work on your system. Along come the IBM clones where getting software to run is a crapshoot.
That said, no software company markets software as something that "might" work on your system. The minimum system requirements on the box (or web site) imply that if your system meets or exceeds the requirements it will work for you. Unfortunately that isn't always the case. I have a growing pile of older games that won't work on my system even though it meets or exceeds the minimum requirements.
> Besides you don't actually BUY software, you buy a license to use it. That license includes a section on limited liability, usually printed at the bottom of the agreement in ALL CAPITAL LETTERS indicating that it's serious business.
Let's say that you hire a service to paint your house and they make you sign a contract that includes similar language to software EULAs. As they paint the house, they're not very careful and they accidentally paint over several of the windows. When you complain, they say that they're not responsible for defects in their work. A few days after they finish, it rains and all the paint washes off your house because they accidentally used water-based paint. You demand your money back, but they remind you of the clause in the contract that states that they are not liable for any mistakes they might have made.
Would you consider that fair?
> As a small time developer I would have to say that being required to write bug-free code will put me and everyone else out of business. The insurance costs alone would be murder, on top of the insurance I already need, because I CAN ALREADY HAVE THE PANTS SUED OFF OF ME IF I FUCK UP.
How about just being required to patch whatever bugs are found? I'm sure you'll say that companies already do that, but you'd be wrong. They patch most bugs while the software is considered to be financially viable, but as soon as it drops off the sales charts, only the most serious bugs will be patched. After maybe a year, they don't bother any more.
Case in point: I bought a copy of the game Spider-Man from Activision, long after it had been released. The game does not like newer systems at all. One bug will keep you from running the game more than once, unless you know to manually delete the config file before running the game. Another will keep you from finishing the game unless you use cheat codes to skip the entire level (which prevents you from collecting all the bonuses and unlocking some of the promised content). Activision knew about both bugs and never fixed them. Not to mention the crashes, the game not responding to the controller, loading in extreme slo-mo mode, etc.
That might not sound like a big deal to you, but I didn't pay for part of a game, I paid for the whole thing and I had a reasonable expectation that it would work as advertised. There were no warnings on the package stating that the game might be un-completable on some systems or that it would be riddled with bugs if your system was newer than the requirements listed.
Re:
> develop bug-free code that is even CLOSE to affordable.
> There are simply too many variables to guarantee bug-free
> operation of software products (which operating system is
> used, versions of other installed and running software,
> hardware variations, etc.)
Do you have a citation for this claim, or are you making things up to suit an agenda?
It's not impossible. It's not out of reach for a budget. The way that software is currently developed is not conducive to it, certainly. But, it's doable.
The pace at which software is developed would slow down drastically. Is that such a bad thing? Do we need to continually make our software release cycles faster and faster?
Particularly in the niche products, we had a recent case where we went through a very well-documented RFP and chose a vendor based on its feature superiority in several areas. As we implemented, it became clear that one of the promised features had a major and known bug.
How did we know that it was known? As soon as we went to them with the problem, they assured us that it would be fixed in the next release. After a great deal of arm-twisting, they finally agreed to get us a patch within four months. Which was six months ago, and we're still waiting. Classic bait and switch. (And with implementation cost generally running at least 3:1 to software licenses for big packages-- just switching vendors is not a realistic solution.)
Software contracts are generally written so that no matter what they promise you, the packages aren't guaranteed to do anything. Clients are left with no recourse when vendors flat out lie during selection processes. A law would make these companies much more wary of this behaviour.
Please note, I don't blame the developers in these cases. This isn't about hidden bugs that couldn't reasonably be found. This is about software vendors rushing products to market with known flaws.
Yepp that is right
Interesting is how this applies to OSS and offerings such as RedHat that are based on OSS but provide commercial/paid support, i.e., will RedHat be liable for damages caused by defects in Mozilla Firefox, for example, if they include it in the distribution package.
Overall I do agree that some form of required warranty will increase confidence and choice in the market. Something like CE certification of software would be good. Perhaps some EU accredited CMMI type of assessment for SW vendors might be a good idea too. Traceability to components used to build a product, etc.: stuff that has been implemented in other industries to help push forward quality.
The basic reason is that many, many software companies are, to say the least, mismanaged and thus produce and sell very low quality products.
So to the extent that we talk customer protection and required warranty, I do agree there is need for regulation.
Also consider cases like Microsoft where they want to shift windows XP out of support for the simple reason they want to sell their less potent Vista product. Clearly consumer protection ought to kick in in some form or shape to protect customers.
I remember in the early days of Win XP that Win 98 was pushed out forcefully of commercial use in internet cafes in Bulgaria by BSA with the claim Win 98 license has expired and it is illegal to use!!! Indeed owners of these cafes were persecuted as criminals for not upgrading to WinXP. I believe customer protection needs to go into this licensing stuff and basically state that when you buy software you always retain right to use the latest version you paid for for unlimited time.
Also poor AV software (McAffee) that simply fails to protect you from well known threats covered by other products should be properly persecuted, and vendors should be held liable again to the extent they give money back.
Re: Yepp that is right
>protect you from well known threats covered by other
>products should be properly persecuted
prosecuted, maybe?
> Although I doubt if anyone will be capable to insure
>windows 7
Why would anyone insure W7? I'm using the RC right now, and it works well.
>Software makers ought to be liable to some exten[t] like
>"give back money".
That would kill small devs, as mentioned earlier.
All in all, I see what this law is trying to accomplish (increase quality software by increasing accountability, even though if a software vendor produces a pile of crap, they will lose money anyway), but its implementation could be a problem (small startup developers run out of business because of one bad egg).
Letting the market sort it out
I think there's a problem with expectations here, too. We simply don't have the engineering discipline to build complex software without bugs yet, so we can either accept bugs or accept much simpler software. As a UNIX weeny, I prefer the latter - I've never seen grep crash, and you can achieve a LOT by chaining simple, reliable tools together. But people want complex software today, and I doubt the average user would be willing to trade functionality for reliability to the extent that would be necessary to get bug-free software.
Carnac
I'd rather see people getting the right to sue lawmakers for asinine laws.
Consumer protection
The same could very well be said of physical goods, but in the UK at least we have very clear consumer protection laws which say if you promise your product does something and it doesn't then the consumer is entitled to a refund.
Whilst this law probably does actually apply to software (although the fact that what you buy is a license complicates the issue) clarifying the law would be a good thing in my opinion.
just think
Mind you, I only think corporate software that has potential to damage should be regulated like they are talking about. A buggy game isn't going to cause anyone financial harm. A buggy CRM implementation can though.
You don't own the cake only a license to eat...
Yeah, let's give them "market" freedom, but the buyers are encumbered with copyright, DMCA, EULAs, and anything else they can grease thru the system.