Twice now I’ve been hit by cars. The first time it was no big deal. My vehicle wasn’t damaged and neither was I. The second time, a guy wasn’t paying attention and ran a stop sign and totalled the car I just bought. Both times I knew people who urged me to sue. I thought that was pretty ridiculous. For the second incident, I called the guy’s insurance company and asked that they pay replacement value for my car, my hospital bills, and time lost from work. They paid in full and even gave me a $5,000 “bonus” for not suing, even though I didn’t ask for that.
I received no money for the first and a fair amount of money for the second. What’s the difference? In the first case, though there was negligence (the lady who hit me was driving on a learner’s permit and slammed on the brakes in the rain), there was no damage. In the second case, there was negligence and considerable damage. It was only reasonable that the guy pay up. Once I even had a hospital bill wiped out because a doctor stitched up my lip but forgot to remove some splinters that were still in it. The doctor was negligent and the hospital assumed responsibility.
So what’s wrong with software manufacturers? Why the heck can’t we sue them when they do something wrong? When your business suffers millions of dollars of losses because some software malfunctions, why can’t we hold software companies liable? According to one survey, bad software annually costs companies $59.5 billion in losses (and that’s only in the US economy!). At least half of those losses are borne by end users. I think it’s time that malpractice be extended to software producers, but doing it wrong will make things much, much worse. It could also destroy the open-source movement.
Malpractice is essentially the condition in which someone suffers harm due to a provider (software, legal, medical and so on) not following accepted standard practices. There are three broad categories of malpractice.
- Willful
  - When the provider knowingly follows substandard practices.
- Negligent
  - There is no intent to follow substandard practices, but the provider is rushed or sloppy in their delivery of services.
- Ignorant
  - Where the provider is unaware of standard practices.
The first big problem comes in defining “standard practices”. Any Perl code which doesn’t run under taint mode is immediately suspect. Buffer overflows using untrusted data should not be tolerated. Home-brewed encryption? Out. Any licensing scheme or software design which prevents users from fixing security holes on their own should be null and void. But there are problems there. Any of the aforementioned “issues” could potentially be defended. Someone has to be the first person to try a new encryption method. Also, there are too many other areas where “standard practices” is a terribly ephemeral thing. It’s not a problem easily solved.
Getting back to the categories of malpractice, to my mind, willful malpractice is the worst and it should result in substantial punitive damages in addition to compensatory damages. Any provider who knowingly does things which could harm the consumer should be punished severely. I’ve no sympathy for them (I’m lookin’ at you, Sony). However, proving this could be very difficult and, as a result, may make cases harder to win.
Negligent malpractice happens all the time. How many times have developers been rushed to push products out by a deadline and not had time to do a full security audit of their software (have you ever done a security audit of your software?)
Ignorant malpractice, however, is probably the most common. phpBB is one of the most widely used bulletin boards available, yet from the number of security holes which keep pouring in, it likely shouldn’t be used. Oh, I know how it goes: “yeah, just upgrade to the latest version!” But they’ve had such an awful track record that I can only ask: would you trust a car company whose cars keep exploding but say “yeah, but this one’s safe!” No, you probably wouldn’t.
phpBB security holes abound and the developers are probably guilty of negligent or ignorant malpractice. I seriously doubt they’re guilty of willful malpractice. But how would you sue them? Who would you sue? The developers aren’t making money and suing them will merely ruin the lives of individuals who just want to help others. I’m not sure this is going to do anyone any good. And once the security hole is fixed, can you sue your ISP for not upgrading?
So this is the crux of the problem. Suing people for software negligence would have a chilling effect on the open source movement. I’ve released a large amount of open source code, including security patches for Perl and code designed to make CGI scripting safer. I have never knowingly released open source code with a security hole and cannot recall a single security-related bug in any of my software. However, that doesn’t mean my software doesn’t have security holes. Knowing that I could be sued if I screw up might well give me pause about releasing software. However, more than once I’ve knowingly released code with security holes. I’ve been ordered to at past jobs. It’s easy enough to say “just quit!”, but that’s a simplistic answer for people who may have little choice in the matter. Developers in depressed economies who have a spouse and children may very well have their back against the wall.
Ultimately, large software companies are in the best position to fight lawsuits, but by the very nature of their code and their bank accounts, they’re likely to be inundated with them. Any law designed to shield people who give code away for free is something they’d lobby vigorously to prevent (and Microsoft doesn’t charge for IE. Should that be exempt from liability for one of the most dangerous software products of all time?) We really need to update the laws to make companies liable for the harm they cause, but any such laws have a good chance of destroying much of the open source movement. I don’t know how to get around this.
Also, any such law should have both grandfather clauses (don’t sue Microsoft for security holes written before the law comes into effect) and a long lead time (for the law to come into effect now would destroy many companies).
With identity theft via software bugs being rampant, with companies seeing millions of dollars of data destroyed or corrupted, with people sitting idle while their computers are being fixed again, it’s high time we start making people liable for all of the damage they cause. Right now, we can’t even force companies to digest or encrypt people’s passwords, for cryin’ out loud! Software manufacturers are laughing all the way to the bank and their deposits are made with the money you and I lose.


software isn't like medical treatment nor driving a car. it's like building a home. when you have a home built, you don't sue the builder if the paint chips or appliances break. you make them come and fix it for free. similar holds when you buy a new car. there's a certain timeframe in which you get free support for problems and you can always purchase an extension.
if you purchased software without first finding whether it would function as expected, seems it's your fault. would you buy a house without an inspection? a car sight unseen? even for medical treatment you should get a second and third opinion.
as for opensource, you aren't obligated to use the software. if it doesn't work for you, don't use it!
malpractice for software is simply ridiculous!
if you don't like the privacy statement for a particular company, don't do business with them. if they violate their privacy agreement, sue them for that.
jesus, i could go on and on but suing software developers definitely isn't the answer.
Just what we need.... more civil litigation. So someone figures there are $59 billion in losses annually due to defective software. How much do you think our society's attitude towards litigation costs us? Let's see with a back of the napkin estimate. 950,000 lawyers in this country. Figure an average salary of $100,000. That is a $95 billion charge to pay the lawyers in our litigious society (and it's probably a pretty low estimate). I don't have any estimates for actual damages awarded by civil courts, but I can guess. My guess is that it dwarfs the lawyer's charge by a good margin.
And you really want to extend this dubious protection to another industry? And you think this will make life better? When people decide that the only recourse to address their grievances is to take them to court, society loses.
I too could go on and on, but I'm going to stop now.
People love to jump on the "litigation just costs us money" bandwagon, but the reality is that some things need to be stopped, and sometimes only civil litigation can stop them.
If an operation crippled you for life, would you refuse to sue the doctor because litigation offers dubious protection? Would you drive over a bridge that you didn't have an expectation of it being built with "best practices?" There are lots of things we have to assume in this world, and only the threat of lawsuit is there to keep people in line. If you have a better solution that takes human nature into account, please enlighten us.
Software will be subject to litigation someday. In fact, I would be surprised if someone hadn't sued on the basis of poorly-written software already. The question is, when the laws get written, how is everything going to work? How can we punish a company for willfully including security breaches, while protecting the well-meaning, yet still requiring all code (open or closed) to adhere to a reasonable expectation of usefulness?
If it doesn't happen here, it will happen in some other country you'll do business with. Or a state will enact a law. Talking about it now helps us do it right. Pseudo-libertarian ranting won't.
Ovid Smash!
> It could also destroy the open-source movement.
If you get rid of waivers (which is basically what happens today with licenses), then software gets much more expensive and open source is DEAD.
No one makes anyone use phpBB. It's a willful action, and completely unlike being in a car accident.
You can't legislate software standards until there are software standards. Having those, though, would have a chilling effect on commerce. People already can't find enough programmers, and once you require them to be licensed and tested (just like the doctors, lawyers, contractors, and others subject to "standard practices"), the labor supply will be even more critical.
If your company uses software, test it first. Ensure it does what you want and doesn't do stuff you don't want. If it doesn't meet your needs, don't use it. This is akin to buying a house. No one forces you to buy it, but you have it inspected.
Intentionally and maliciously causing harm, however, needs no further legislation and is sufficiently covered by law. However, I tend to think people highly overestimate the amount of harm done to them.
Perhaps we need a two tier system. The first tier requires nothing of the developer and is for open source and other such projects. With this software you have no right to sue.
The second tier requires that the developer have a specified education and a license (like a doctor). This tier is for "mission critical" software and you can sue if it fails.
Obviously, the software from the second tier would be more expensive (probably a lot more expensive!) and the developers would need to carry insurance. On the other hand, the developers would be paid like doctors in this case.
I used to run a software development company that promised zero detected defects for one year after installation. No one cared and no customer ever mentioned it so I don't think people care much about software bugs.
Have you read The Crooked Timber of Software Development? It argues that software development is merely an occupation, not a profession, pretty much on the basis of the arguments you make, and goes on to suggest a few practical ideas for how we might start changing the situation.
I’d go so far as to call it required reading for every self-respecting software developer.
We're only in this situation because software development in the free market works, and works well. The lack of a lawsuit mentality makes many products that serve many purposes. Beating providers who provide something gratis will shut down a lot more than the open software movement.
Believe me, I'm all for accountability. When the contracts department where I work sets up a software vendor, they establish the standards the vendor operates under. The vendor performs to those standards, or faces the consequences. That's because my employer carries enough weight with respect to most software providers' size to declare and enforce terms. The real issue is when the software vendor is too big and unresponsive, and the ultimate customer/user is suffering. How can a lawsuit deal with the complexities, the "should have's" in providing good software? Any legal issues would have to be explored through class action suits. That'll be a mess.
Eventually, the market can sort this out. Better software should have better reviews, and get better acceptance in the marketplace. phpBB is a good example. When a better product with a better track record comes along, the technical market is savvy enough to adopt it. If the non-technical market were to learn why they need to adopt the new alternative, they'd have motivation to adopt it as well.
If you want to take an analogy from history, look at the early 20th century, before class action lawsuits forced manufacturers to provide safer products. A lot of people got hurt. Lawsuits and anti-trust legislation changed this, but at that juncture in history, a knowledgeable organization with a moderate amount of funding could have shifted the entire manufacturing industry to safer products without such pain, and without the fallout of the entitlement mentality that is crushing our civilization. Tens of thousands of lives could have been saved. Lawsuits are only one tool to enforce good practices, and not the most effective at that, IMO.
When the guy who invented train air brakes tried to sell them to J. P. Morgan, if he would have emphasized Morgan's practical benefits of it (save money) instead of his own practical benefit (save lives), thousands of more lives would have been saved in the interim before the railroads all adopted air brakes because government finally got around to doing something about it. Maybe Morgan was inhuman, but if the air brake guy could have remembered that the residual benefit in his opinion (save money) was a primary benefit to Morgan, then his primary benefit would have been gained much earlier. Decades earlier. Everybody would have benefited. If you have to wait for everybody to do the right thing for the right reason, you're going to wait a long time indeed. I'll settle for the right thing getting done for a variety of reasons any day, especially when lives hang in the balance, and there are no ethical tradeoffs to be made. (The Morgans of the world can look after their own souls.)
If a steering organization has a goal, they can accomplish real results without having to resort to a largely ineffectual tool with a crummy track record. It's nearly impossible to track some of these defects back to the source, nearly impossible to create standards of appropriate conduct when the actual coder can do pretty much whatever they want. I've never heard of a 3:1 safety margin in coding, like I've worked with in mechanical engineering. However, I can tell you that product X is better than product Y, and if both are free products, can find ways of rewarding the provider of product X for the better product. When Product Z comes out, if it's better than X, support for X can be discontinued promptly. In addition, migration tools can be published to speed adoption of the new product, so non-technical people can reap the benefits sooner. Meanwhile, it'll take decades for the legal types to determine the type of "tubes" the Internet comprises. It's a much more effective toolset, because it lets you apply changing standards (evolving higher, of course) to products using the industry's own knowledge.
If it is a professional organization, it can make membership voluntary, but provide some assurance that members have a minimum level of qualifications in their field. Look at the standards the SAE (Society of Automotive Engineers) provides. Not just professional certifications, but standards, regulations, and methodology that actually suits the environment. A lot better toolset to drive software development to a higher level, without the wallowing in BS and attempted nailage of jello to trees that trying to codify a standard of conduct will create for the benefit of the legal profession.
I for one, would love to see data quality and security enhanced very early on. After all, it only takes a SSN (a numberspace not even owned by the credit agencies), a date of birth, and a business account to pull people's financial records and history. What the f4 kind of authentication is that? If that's the best practice, why bother encrypting the data after it's in your hands? It's already junk, because it was treated like that at the earliest part of the chain of custody. The fact that peoples' lives and well being hang in the balance certainly hasn't caused the owners of this data to enhance their security, and if you look at it realistically, there's no motivation for being forced to do so, due to the nature and composition of our governing bodies. Nobody's generated a class action lawsuit for this yet, and it's a prime candidate. Why hasn't this happened already?
(political leanings aside, look at the occupations of our government in the US -- they nearly all have an interest in not changing this status quo -- this won't change in anybody's lifetime.)
Finally, sadly, the example of the auto accident fails in a very significant manner. The goals of a lawsuit are to punish the offender and redress a wrong with the ultimate goal of preventing future occurrences. The wrong was redressed (inadequately -- you're *never* going to be the same after surgery), but the liability insurance the accident instigator had (required by law in all states) shielded him/her from the consequences of their own actions and made the commission of the accident a de facto business decision. It turned it from a "do not do this" situation into a calculated risk, and an unsafe driver was not kept off the streets. They may have had higher insurance rates, but they remain in a position to re-commit their act of negligence if it is in their economic interest. That's not a desirable result, but that's a lawsuit against an insurance company for you.
I realize the link to this article was concatenated with the goal of functionality, but the name "sue the bards" actually states the real effect of a lawsuit mentality. Sue all the bards, and you'll stop them from performing their best.