Twice now I’ve been hit by cars. The first time it was no big deal. My vehicle wasn’t damaged and neither was I. The second time, a guy wasn’t paying attention and ran a stop sign and totalled the car I just bought. Both times I knew people who urged me to sue. I thought that was pretty ridiculous. For the second incident, I called the guy’s insurance company and asked that they pay replacement value for my car, my hospital bills, and time lost from work. They paid in full and even gave me a $5,000 “bonus” for not suing, even though I didn’t ask for that.

I received no money for the first and a fair amount of money for the second. What’s the difference? In the first case, though there was negligence (the lady who hit me was driving on a learner’s permit and slammed on the brakes in the rain), there was no damage. In the second case, there was negligence and considerable damage. It was only reasonable that the guy pay up. Once I even had a hospital bill wiped out because a doctor stitched up my lip but forgot to remove some splinters that were still in it. The doctor was negligent and the hospital assumed responsibility.

So what’s wrong with software manufacturers? Why the heck can’t we sue them when they do something wrong? When your business suffers millions of dollars of losses because some software malfunctions, why can’t we hold software companies liable? According to one survey, bad software annually costs companies $59.5 billion in losses (and that’s only in the US economy!). At least half of those losses are borne by end users. I think it’s time that malpractice be extended to software producers, but doing it wrong will make things much, much worse. It could also destroy the open-source movement.

Malpractice is essentially the condition in which someone suffers harm due to a provider (software, legal, medical and so on) not following accepted standard practices. There are three broad categories of malpractice.

Willful: the provider knowingly follows substandard practices.
Negligent: there is no intent to follow substandard practices, but the provider is rushed or sloppy in their delivery of services.
Ignorant: the provider is unaware of standard practices.

The first big problem comes in defining “standard practices”. Any Perl code which doesn’t run under taint mode is immediately suspect. Buffer overflows using untrusted data should not be tolerated. Home-brewed encryption? Out. Any licensing scheme or software design which prevents users from fixing security holes on their own should be null and void. But there are problems there. Any of the aforementioned “issues” could potentially be defended. Someone has to be the first person to try a new encryption method. Also, there are too many other areas where standard practices are a terribly ephemeral thing. It’s not a problem easily solved.
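To make the “runs under taint mode” standard concrete, here is an added example (my own, not code from the post’s author) of what Perl’s -T switch actually enforces. The file name, log file and character class are assumptions chosen for the demonstration; the rule it shows is Perl’s own: data from outside the program (@ARGV, %ENV, file and socket reads) is tainted, a tainted value cannot be used in an operation that affects the outside world, and the only sanctioned way to untaint is to extract a regex capture that describes exactly what is acceptable.

```perl
#!/usr/bin/perl -T
# Added example (not the author's code): what Perl taint mode checks.
# Run with: perl -T taint_demo.pl report
#       and: perl -T taint_demo.pl 'bad name'   (rejected by the regex)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Anything taken from @ARGV is tainted under -T.
my $requested = shift @ARGV // die "usage: $0 NAME\n";

# Using $requested directly in open() for writing would make Perl die with
# "Insecure dependency in open while running with -T switch". Untainting
# means capturing only the characters we are prepared to accept; this
# character class is an assumption for the example, not a general rule.
my ($name) = $requested =~ /\A([A-Za-z0-9_-]{1,32})\z/
    or die "Rejected file name: '$requested'\n";

# The capture is clean, the original value is still tainted.
printf "requested tainted: %d, name tainted: %d\n",
    tainted($requested) ? 1 : 0, tainted($name) ? 1 : 0;

# Taint mode also refuses system()/backticks/pipe opens until PATH and a
# few other environment variables are set to known values.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Now permitted, because every piece of the path is untainted.
open my $fh, '>', "$name.log" or die "open $name.log: $!";
print {$fh} "wrote by $0\n";
close $fh or die "close: $!";
print "wrote $name.log\n";
```

The point of the check is that the programmer is forced to write the regex, so the decision of what input is acceptable is explicit and reviewable. Code that skips -T can still be written carefully, but nothing in the language verifies that it was, which is why the post treats it as a reasonable baseline standard.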

Getting back to the categories of malpractice, to my mind, willful malpractice is the worst and it should result in substantial punitive damages in addition to compensatory damages. Any provider who knowingly does things which could harm the consumer should be punished severely. I’ve no sympathy for them (I’m lookin’ at you, Sony). However, proving this could be very difficult and, as a result, may make cases harder to win.

Negligent malpractice happens all the time. How many times have developers been rushed to push products out by a deadline and not had time to do a full security audit of their software (have you ever done a security audit of your software?)?

Ignorant malpractice, however, is probably the most common. phpBB is one of the most widely used bulletin boards available, yet from the number of security holes which keep pouring in, it likely shouldn’t be used. Oh, I know how it goes: “yeah, just upgrade to the latest version!” But they’ve had such an awful track record that I can only ask: would you trust a car company whose cars keep exploding but say “yeah, but this one’s safe!” No, you probably wouldn’t.

phpBB security holes abound and the developers are probably guilty of negligent or ignorant malpractice. I seriously doubt they’re guilty of willful malpractice. But how would you sue them? Who would you sue? The developers aren’t making money and suing them will merely ruin the lives of individuals who just want to help others. I’m not sure this is going to do anyone any good. And once the security hole is fixed, can you sue your ISP for not upgrading?

So this is the crux of the problem. Suing people for software negligence would have a chilling effect on the open source movement. I’ve released a large amount of open source code, including security patches for Perl and code designed to make CGI scripting safer. I have never knowingly released open source code with a security hole and cannot recall a single security-related bug in any of my software. However, that doesn’t mean my software doesn’t have security holes. Knowing that I could be sued if I screw up might well give me pause about releasing software. However, more than once I’ve knowingly released code with security holes. I’ve been ordered to at past jobs. It’s easy enough to say “just quit!”, but that’s a simplistic answer for people who may have little choice in the matter. Developers in depressed economies who have a spouse and children may very well have their back against the wall.

Ultimately, large software companies are in the best position to fight lawsuits, but by the very nature of their code and their bank accounts, they’re likely to be inundated with them. Any laws designed to shield people who give code away for free are something they’d lobby vigorously to prevent (and Microsoft doesn’t charge for IE. Should that be exempt from liability for one of the most dangerous software products of all time?) We really need to update the laws to make companies liable for the harm they cause, but any such laws have a good chance of destroying much of the open source movement. I don’t know how to get around this.

Also, any such law should have both grandfather clauses (don’t sue Microsoft for security holes written before the law comes into effect) and a long lead time (for the law to come into effect now would destroy many companies).

With identity theft via software bugs being rampant, with companies seeing millions of dollars of data destroyed or corrupted, with people sitting idle while their computers are being fixed again, it’s high time we start making people liable for all of the damage they cause. Right now, we can’t even force companies to digest or encrypt people’s passwords, for cryin’ out loud! Software manufacturers are laughing all the way to the bank and their deposits are made with the money you and I lose.
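Since the post closes on companies that won’t even digest passwords, here is an added example (mine, not the author’s) of the minimum that means: store a per-user random salt and a digest, never the password, and compare digests when the user logs in. It uses only core Perl modules; the record format, the field names and the sample password are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not the author's code): storing and verifying a salted
# password digest with core modules only.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# 16 random bytes from the operating system. rand() is not a suitable
# source for salts; /dev/urandom is assumed to exist (Unix-like systems).
sub new_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $n = read $fh, my $bytes, 16;
    die "short read from urandom\n" unless defined $n && $n == 16;
    close $fh;
    return unpack 'H*', $bytes;
}

# What goes into the user table. Record format is constructed for this
# example:  sha256$<hex salt>$<hex digest>
sub hash_password {
    my ($password) = @_;
    my $salt = new_salt();
    return join '$', 'sha256', $salt, sha256_hex($salt . $password);
}

# Compare every byte regardless of where the first mismatch is, so the
# time taken does not reveal how much of the digest matched.
sub eq_const {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1)
        for 0 .. length($x) - 1;
    return $diff == 0;
}

sub verify_password {
    my ($stored, $candidate) = @_;
    my ($alg, $salt, $digest) = split /\$/, $stored;
    return 0 unless defined $alg && $alg eq 'sha256' && defined $salt && defined $digest;
    return eq_const($digest, sha256_hex($salt . $candidate));
}

# Constructed sample run: two users with the same password get different
# records, and only the right password verifies.
my $record1 = hash_password('correct horse');
my $record2 = hash_password('correct horse');
print "user1: $record1\nuser2: $record2\n";
print "same digest for same password? ", ($record1 eq $record2 ? 'yes' : 'no'), "\n";
print "right password: ", (verify_password($record1, 'correct horse') ? 'ok' : 'rejected'), "\n";
print "wrong password: ", (verify_password($record1, 'wrong')         ? 'ok' : 'rejected'), "\n";
```

A salted SHA-256 is the floor the post is asking for, not the ceiling: a single fast hash lets an attacker who steals the table test guesses at hardware speed, so current practice is a deliberately slow, memory-hard password hash (bcrypt, scrypt or Argon2), which in Perl means a CPAN module rather than the core Digest::SHA used here. The two things the example does show, a unique salt per user and a comparison that does not leak where the mismatch occurred, carry over unchanged to any of those algorithms.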