Software Developer Liability Up For Debate In Europe

from the this-again... dept

A few years ago, there was a lot of attention paid to the question of whether or not software developers should be liable for bugs and security holes found in their software — with some even suggesting that “lemon laws” should be extended to cover software products, allowing people to return software that was excessively buggy. In a 2005 discussion on the subject, we suggested that adding such liability wouldn’t do much good, because software will pretty much always be buggy in some form or another. While we hadn’t heard much on the issue lately, it appears that it’s back up for debate in Europe, where the European Commission wants to make developers liable for buggy code.

What’s really odd here is the reasoning being given, as one of the commissioners backing the plan claims: “more accountability for software makers, and for companies providing digital services, would lead to greater consumer choice.” Really? Increasing liability would increase consumer choice? Somehow I doubt it.

While I can understand the argument that buggy software is bad, and it sucks when people buy something that is less than promised, it’s difficult to see what a law can do to fix it. This really does seem like a case where the market is better suited to fix the problem. If you build a buggy product, that is just an opening for someone else to build a better product.



Comments on “Software Developer Liability Up For Debate In Europe”

40 Comments
Sam I Am Not says:

'ceptin

>If you build a buggy product, that is just an opening
>for someone else to build a better product.

That would be true if it weren’t for all the software patents and the hassles with both trademarks and copyrights. Can’t build a less buggy something that’s been covered by a patent. Can’t use someone’s trademarked name to advertise your competing product. Can’t import the competitors databases, flat files, or other because those data are copyrighted/able. Blah, blah, blah.

CmdrOberon says:

Re: 'ceptin

You’ve neglected to mention that it’s extremely expensive to write software. Just because there is a defect ridden (defect is preferable to ‘bug’) large piece of software, doesn’t mean that it’s cost-effective to try and replace it.

The big problem is that there is no, for lack of a better word, ‘blueprint’ for software before it is developed. By and large, it’s grown from the minds of the developers and the marketers. Without a specification — not a feature list, but a specification that states clearly how the program should work — nothing will change.

And, documentation is not a specification.

I think liability is a good thing. It’s going to either force new insurance businesses, or software companies will get serious about quality.

By way of comparison: if not legislated, do you think the auto manufacturers would have improved quality on their own? Builders of buildings? How about product safety? Lead in paint?

The market has not, does not, and never will solve all the woes of the world, no matter what you like to think, Mike. Rarely, if ever, does it solve consumer problems.

CleverName says:

I don't get it

Don't the existing consumer protection laws already address these concerns? Is software somehow exempt from them and therefore new regs are required?

I understand that certain equipment has elevated expectations of reliability; medical, aerospace, etc. but is a BSOD on your desktop really something that should end up in court? And why should it be the responsibility of government to prosecute?

Petréa Mitchell says:

Re: I don't get it

“Don't the existing consumer protection laws already address these concerns? Is software somehow exempt from them and therefore new regs are required?”

In a word, yes. If a faulty heater starts a fire that burns down someone’s house, the heater manufacturer can be held liable. If a faulty program trashes the data that supports someone’s online, financial, or professional life, they’re SOL.

Bruce Schneier has much to say on this topic. This is a good summary.

Rekrul says:

Re: I don't get it

Don't the existing consumer protection laws already address these concerns?

No.

Is software somehow exempt from them and therefore new regs are required?

According to the EULA that comes with every piece of software, they are. The next time you install a program, whether it’s an app or a game, stop and read the EULA. You’ll find two sections that are very interesting. The first will say that the software is provided “as-is” and that there is no warranty of any kind on it. They will not guarantee that the software will be suitable for your intended purpose, or that it will even run at all. The second will say that the company is not liable for any damages that may arise from the use of their software, even if such damages are proven to be the result of defects in their program.

I understand that certain equipment has elevated expectations of reliability; medical, aerospace, etc. but is a BSOD on your desktop really something that should end up in court?

What if you use TurboTax to do your taxes and then later discover it has a bug in the calculation routines, causing the IRS to hit you with a $1,000 penalty? Do you just shrug and say “Oh well…”? Or would you want the software company to take responsibility for their screwup?

Rekrul says:

Re: Re:

“Greater consumer choice?” I don’t know many developers, myself included, that are going to put their necks on the line. It is one thing to offer refunds for defective software, but to be held “accountable” doesn’t sound too appealing.

But yet if you buy a TV that ends up being defective, you’d expect the manufacturer to be held accountable. Or you’d expect the store to refund your money, neither of which is an option for software.

eletric says:

It is, but..

Laissez-faire development is what we have and there sure are a lot of bugs around. Just because there is an opening in the market doesn’t mean you can fill it successfully with something which is better (many examples exist of “better” products failing). Having an opening in the market also doesn’t provide a reason why there is an incentive for the next person who comes along to write something better instead of just writing another similar program with a different set of bugs, pocketing your cash in the process.

I’m sure introducing liability laws would cut the number of bugs and allow people to seek recourse for damages inflicted on their corporation and person resulting from insecure and unstable software. I do agree though, it will cut down on the breadth of “acceptable” products; acceptable is in quotes because there is a lot of junk around that people use.

However, just like engineers are liable, we developers should also be liable. For example, there are plenty of options in the automobile market now, so perhaps being liable wouldn’t be as bad as one might think… or would you rather be buying cars from a deregulated market? Cars that are made DIY in a garage in India by somebody who is just winging it, and trust that if the car folds like a sheet of origami paper with you inside (thereby demonstrating that it is a poor product) that someday Adam Smith will rise from his grave to avenge you by lowering their share prices .0001 cents.

Jake says:

Re: It is, but..

Seconded, up to a point; only rarely do software bugs cause more than inconvenience and financial loss, which any scale of damage awards needs to reflect, and it’s inevitable that some faults will escape notice however rigorous the testing.
But the points Sam I Am Not bring up are quite correct; when was the last time Microsoft released an operating system that was fit for purpose straight out of the box? But they continue to get away with it because their de facto monopoly is so entrenched that no power on Earth can fight it.
This legislation is going to cause all manner of trouble if it passes, but does anyone actually have a better idea?

Larry says:

Re: It is, but..

“we developers should also be liable”… Speak 4 yourself! One software I developed is so complex that I nearly had seizures developing one section of it. Tested the section for a month. Just testing it was exhausting. So if you want to be liable for developing what is considered an art, go 4 it and publish yourself as someone that is God’s right hand man and never errors in designing software that will be handled by a HUMAN that errors each and every day. The courts would be so backed up that the paperwork alone would go around our galaxy. Wake up and get real!

Andrew says:

Re: Programmer Confidence

NO moderately knowledgeable programmer believes his code is bug-free.

NO moderately knowledgeable programmer would release software without a license or something the user agrees to that releases them from any liability.

NO moderately knowledgeable programmer will write software where they will be held liable for unexpected damage.

Thom says:

Re: Programmer Confidence

You must know some crappy programmers. Seriously. Among my peers I’d alter that as such:

Every programmer knows his code has bugs.

Every programmer hopes when he fixes a bug in his code that he’s approaching the line where buggy/bug free classifications involve more theoretical proofs than actual encounters.

Every programmer prays when he fixes a bug in his code that he did not introduce a new bug.

Cassius Seeley says:

Please!

As a developer, I look forward to the day when a ticked off client will sue me for “buggy” software, winning of course. Sucking the life blood from my family.

Of course, before I will allow him to install my software, I will require that he have version 10.7.4.99q build 679pqy of his OS, then I will need him to make sure that his video driver is version z69. You know, the version that was recalled because IT was buggy.

Just shoot me please!

There is no real way to guarantee that one piece of software is actually buggy without first proving that the rest of the system in question is completely, absolutely 100% bug free. What about that malware that got installed when the user installed the new buzzWidget tool bar on his browser?

This is just another way of making ambulance chasers richer!

Andrew says:

Re: Please!

Exactly!

When the next OS update comes out, how do you know it won’t introduce new errors into your code that relies on its core libraries?

Are we going to be sued first when a network connection/hard disk issue causes data loss?

With millions of potential hardware configurations, it is impossible to write error proof software.

YouAreWrong says:

are you joking? you have no idea what you're talking about

first, there’s a disclosure problem which is a contract law issue. nothing in IP or contract law allows you to advertise 100 features and then only deliver 80 of them. software is not special. if developers don’t disclose their bugs, consumers don’t know what they’re buying. since the source is almost always closed, there’s no way for consumers to even do their own due diligence to find out where these bugs are, so caveat emptor doesn’t apply. in contract law, if a material fault in the item you purchased is undisclosed, and you had no reasonable chance of finding that fault on your own, you are allowed to rescind, which means at least a refund. it’s virtually impossible to get a refund for the microsoft tax BEFORE you even use it. try doing it AFTER.

second, there’s products liability which is a torts law issue. market forces simply cannot handle products liability. look at the ford/firestone tire ordeal. do you know how many people _died_ because of that? it wasn’t until AFTER the multi-million dollar JUDGMENTS came in that ford/firestone got destroyed. something like that usually takes a few years for the damages to roll in. by saying we should let the market figure it out, you’re saying that we should allow this kind of damage to continue until the business entity gets sued out of existence. similarly, software developers create products that cause immense financial harm to people all the time (like blaster a few years ago, or the 100% technical crash for the london stock exchange a few months ago). it’s one thing to have a few bugs here and there, but a lot of multi-platform code is buggy as hell on every single platform it was designed for. the market is simply incapable of handling this. one perfect example of this is windows update. if you leave an application running, and you have windows update set to automatic, windows can restart your computer on its own. back in windows XP, the early iterations would just restart your computer regardless of what you were doing which meant lots of lost work. later iterations required you to click a box, but if you were typing when the box came up, your input would go into that popup, and it was VERY easy to inadvertently trigger an instant reboot. vista STILL does this (i don’t remember the name for this behavior, but security experts have a name for it when used as an exploit — which also happened all the time with activex).

and before you say “hey YAW, software is a service, not a product,” you need to know that products liability is a section of tort law that has forms in negligence and strict liability. both negligence and strict liability also apply to services. if you go get a tire changed, and the mechanic fails to tighten your lugs properly, you can still sue the mechanic for negligence and the standard is exactly the same as for products liability.

Lawrence D'Oliveiro says:

A Market For Lemons

The market only works when customers have full information about what they’re buying. But with proprietary, closed-source software, they don’t get that information. The net result is that the entire market slides toward mediocrity.

Bruce Schneier discussed this awhile back.

It seems to me the only solution is Open Source; then the customer sees exactly what they’re getting, and can make a fully-informed decision.

Anonymous Coward says:

Outside of very simple, basic utilities it is impossible to develop bug-free code that is even CLOSE to affordable. There are simply too many variables to guarantee bug-free operation of software products (which operating system is used, versions of other installed and running software, hardware variations, etc.)

Besides you don’t actually BUY software, you buy a license to use it. That license includes a section on limited liability, usually printed at the bottom of the agreement in ALL CAPITAL LETTERS indicating that it’s serious business.

As a small time developer I would have to say that being required to write bug-free code will put me and everyone else out of business. The insurance costs alone would be murder, on top of the insurance I already need, because I CAN ALREADY HAVE THE PANTS SUED OFF OF ME IF I FUCK UP.

Rekrul says:

Re: Re:

Outside of very simple, basic utilities it is impossible to develop bug-free code that is even CLOSE to affordable. There are simply too many variables to guarantee bug-free operation of software products (which operating system is used, versions of other installed and running software, hardware variations, etc.)

Which is one of the reasons that Intel/Windows systems always seemed like a poor choice to be the dominant computer system in the world to me. Older computer systems like the Apple and Amiga had mostly closed architecture and with some small exceptions you knew that a program would work on your system. Along come the IBM clones where getting software to run is a crapshoot.

That said, no software company markets software as something that “might” work on your system. The minimum system requirements on the box (or web site) imply that if your system meets or exceeds the requirements it will work for you. Unfortunately that isn’t always the case. I have a growing pile of older games that won’t work on my system even though it meets or exceeds the minimum requirements.

Besides you don’t actually BUY software, you buy a license to use it. That license includes a section on limited liability, usually printed at the bottom of the agreement in ALL CAPITAL LETTERS indicating that it’s serious business.

Let’s say that you hire a service to paint your house and they make you sign a contract that includes similar language to software EULAs. As they paint the house, they’re not very careful and they accidentally paint over several of the windows. When you complain, they say that they’re not responsible for defects in their work. A few days after they finish, it rains and all the paint washes off your house because they accidentally used water-based paint. You demand your money back, but they remind you of the clause in the contract that states that they are not liable for any mistakes they might have made.

Would you consider that fair?

As a small time developer I would have to say that being required to write bug-free code will put me and everyone else out of business. The insurance costs alone would be murder, on top of the insurance I already need, because I CAN ALREADY HAVE THE PANTS SUED OFF OF ME IF I FUCK UP.

How about just being required to patch whatever bugs are found? I’m sure you’ll say that companies already do that, but you’d be wrong. They patch most bugs while the software is considered to be financially viable, but as soon as it drops off the sales charts, only the most serious bugs will be patched. After maybe a year, they don’t bother any more.

Case in point: I bought a copy of the game Spider-Man from Activision, long after it had been released. The game does not like newer systems at all. One bug will keep you from running the game more than once, unless you know to manually delete the config file before running the game. Another will keep you from finishing the game unless you use cheat codes to skip the entire level (which prevents you from collecting all the bonuses and unlocking some of the promised content). Activision knew about both bugs and never fixed them. Not to mention the crashes, the game not responding to the controller, loading in extreme slo-mo mode, etc.

That might not sound like a big deal to you, but I didn’t pay for part of a game, I paid for the whole thing and I had a reasonable expectation that it would work as advertised. There were no warnings on the package stating that the game might be un-completable on some systems or that it would be riddled with bugs if your system was newer than the requirements listed.

Anonymous Coward says:

Re: Re:

> Outside of very simple, basic utilities it is impossible to
> develop bug-free code that is even CLOSE to affordable.
> There are simply too many variables to guarantee bug-free
> operation of software products (which operating system is
> used, versions of other installed and running software,
> hardware variations, etc.)

Do you have a citation for this claim, or are you making things up to suit an agenda?

It’s not impossible. It’s not out of reach for a budget. The way that software is currently developed is not conducive to it, certainly. But, it’s doable.

The pace at which software is developed would slow down drastically. Is that such a bad thing? Do we need to continually make our software release cycles faster and faster?

frumiousb says:

As a software buyer, I’d really like to see some accountability.

Particularly in the niche products, we had a recent case where we went through a very well-documented RFP and chose a vendor based on its feature superiority in several areas. As we implemented, it became clear that one of the promised features had a major and known bug.

How did we know that it was known? As soon as we went to them with the problem, they assured us that it would be fixed in the next release. After a great deal of arm-twisting, they finally agreed to get us a patch within four months. Which was six months ago, and we’re still waiting. Classic bait and switch. (And with implementation cost generally running at least 3:1 to software licenses for big packages, just switching vendors is not a realistic solution.)

Software contracts are generally written so that no matter what they promise you, the packages aren’t guaranteed to do anything. Clients are left with no recourse when vendors flat out lie during selection processes. A law would make these companies much more wary of this behaviour.

Please note, I don’t blame the developers in these cases. This isn’t about hidden bugs that couldn’t reasonably be found. This is about software vendors rushing products to market with known flaws.

Kiril Karaatanassov says:

Yepp that is right

Software makers ought to be liable to some extend like “give back money”. I doubt liability for damage caused by use of the software is a feasible idea it will only help insurance companies as said earlier. Although I doubt if anyone will be capable to insure windows 7 or McAfee or Adobe Reader.

Interesting is how this applies to OSS and offerings such as Red Hat that are based on OSS but provide commercial/paid support, i.e. will Red Hat be liable for damages caused by defects in Mozilla Firefox, for example, if they include it in the distribution package?

Overall I do agree that some form of required warranty will increase confidence and choice in the market. Something like CE certification of software would be good. Perhaps some EU accredited CMMI type of assessment for SW vendors might be a good idea too. Traceability to components used to build a product etc., stuff that has been implemented in other industries to help push forward quality.

The basic reason is that many, many software companies are, to say the least, mismanaged and thus produce and sell very low quality produce.

So to the extent that we talk customer protection and required warranty, I do agree there is need for regulation.

Also consider cases like Microsoft where they want to shift windows XP out of support for the simple reason they want to sell their less potent Vista product. Clearly consumer protection ought to kick in in some form or shape to protect customers.

I remember in the early days of Win XP that Win 98 was forcefully pushed out of commercial use in internet cafes in Bulgaria by BSA with the claim the Win 98 license had expired and it was illegal to use!!! Indeed owners of these cafes were persecuted as criminals for not upgrading to WinXP. I believe customer protection needs to go into this licensing stuff and basically state that when you buy software you always retain the right to use the latest version you paid for for unlimited time.

Also poor AV software (McAfee) that simply fails to protect you from well known threats covered by other products should be properly persecuted and vendors should be held liable, again to the extent that they give money back.

lulz says:

Re: Yepp that is right

>Also poor AV software (McAffee) that simply fails to
>protect you from well known threats covered by other
>products should be properly persecuted

prosecuted, maybe?

> Although I doubt if anyone will be capable to insure
>windows 7

Why would anyone insure W7? I’m using the RC right now, and it works well.

>Software makers ought to be liable to some exten[t] like
>”give back money”.

That would kill small devs, as mentioned earlier.

All in all, I see what this law is trying to accomplish (increase quality software by increasing accountability, even though if a software vendor produces a pile of crap, they will lose money anyway), but its implementation could be a problem (small startup developers run out of business because of one bad egg).

Geeb says:

Letting the market sort it out

Agree with the points about it not really working if the buyer doesn’t have full information, and I would add that the cost of moving from one piece of software to a competitor can be immense – swap Halo for Gears of War, fine, but try moving a large business from SAP to Oracle when you discover that SAP is not quite as shiny as you’d been led to believe.

I think there’s a problem with expectations here, too. We simply don’t have the engineering discipline to build complex software without bugs yet, so we can either accept bugs or accept much simpler software. As a UNIX weeny, I prefer the latter – I’ve never seen grep crash, and you can achieve a LOT by chaining simple, reliable tools together. But people want complex software today, and I doubt the average user would be willing to trade functionality for reliability to the extent that would be necessary to get bug-free software.

Michael Foord (user link) says:

Consumer protection

“This really does seem like a case where the market is better suited to fix the problem. If you build a buggy product, that is just an opening for someone else to build a better product.”

The same could very well be said of physical goods, but in the UK at least we have very clear consumer protection laws which say if you promise your product does something and it doesn’t then the consumer is entitled to a refund.

Whilst this law probably does actually apply to software (although the fact that what you buy is a license complicates the issue) clarifying the law would be a good thing in my opinion.

bob says:

just think

Just think, if this same reasoning were applied to other industries we’d have no safety standards for cars, no liability laws for bad construction. After all, buildings and cars will always have defects, so why bother to regulate them? Someone can always choose to make a better car or building.

Mind you, I only think corporate software that has potential to damage should be regulated like they are talking about. A buggy game isn’t going to cause anyone financial harm. A buggy CRM implementation can though.
