Should Software Developers Be Liable for their Code?

Should Microsoft pay for the billions of dollars of damage that flaws in its software have caused around the world? It might have to, if a new European Commission consumer protection proposal becomes law. Although that sounds an appealing prospect, one knock-on consequence could be that open source coders would also be liable for any damage that errors in their software caused.

Here's what the European Commission is proposing:

A priority area for possible EU action is "extending the principles of consumer protection rules to cover licensing agreements of products like software downloaded for virus protection, games or other licensed content", according to the commissioners' agenda. "Licensing should guarantee consumers the same basic rights as when they purchase a good: the right to get a product that works with fair commercial conditions."

EU consumer commissioner Kuneva said that more accountability for software makers, and for companies providing digital services, would lead to greater consumer choice.

Now, you might think this is yet another case of Eurocrats gone mad, but they're not alone in believing that those who write software should take responsibility for it. No less a person than the security guru Bruce Schneier is also a big fan of the idea:

There's no other industry where shoddy products are sold to a public that expects regular problems, and where consumers are the ones who have to learn how to fix them. If an automobile manufacturer has a problem with a car and issues a recall notice, it's a rare occurrence and a big deal – and you can take your car in and get it fixed for free. Computers are the only mass-market consumer item that pushes this burden onto the consumer, requiring him to have a high level of technical sophistication just to survive.

...

The key to fixing this is software liabilities. Computers are also the only mass-market consumer item where the vendors accept no liability for faults. The reason automobiles are so well designed is that manufacturers face liabilities if they screw up. A lack of software liability is effectively a vast government subsidy of the computer industry. It allows them to produce more products faster, with less concern about safety, security, and quality.

Equally, no less a person than Alan Cox is against it:

Cox said that it would be difficult to make open-source developers liable for their code because of the nature of open-source software development. As developers share code around the community, responsibility is collective. "Potentially there's no way to enforce liability," he said.

But Schneier has a suggestion for dealing with that problem too:

The key to understanding this is that this sort of contractual liability is part of a contract, and with free software -- or free anything -- there's no contract. Free software wouldn't fall under a liability regime because the writer and the user have no business relationship; they are not seller and buyer. I would hope the courts would realize this without any prompting, but we could always pass a Good Samaritan-like law that would protect people who distribute free software. (The opposite would be an Attractive Nuisance-like law -- that would be bad.)

There would be an industry of companies who provide liabilities for free software. If Red Hat, for example, sold free Linux, they would have to provide some liability protection. Yes, this would mean that they would charge more for Linux; that extra would go to the insurance premiums. That same sort of insurance protection would be available to companies who use other free software packages.

So, where do you stand on the issue? Do you think introducing liability for software would be a great way to force Microsoft to pay for all the damage its software has caused, and to start writing some really secure code, or would it lead to terrible problems for those producing free software, and stunt the uptake of open source? Would the European Commission's proposal be a blessing or a blight?

Follow me @glynmoody on Twitter or identi.ca.

Comments


Contractual freedom

Posted by Matt

This isn't really a GPL issue, but it might be a "free software" issue. It certainly isn't a licensing issue.

In the past we've always had the ability to 'barter' in contract law. A contract requires agreement, which is generally known as an "express and unqualified assent to be bound by terms agreed between parties" (Google "Offer and Acceptance"). When we are unable to barter, we need some protection.

The traditional theory, the "freedom to contract", allows parties to enter into any contract they wish with a minimal intervention by the courts - eg. where there is fraud or illegality. Therefore, under contract, parties are freely capable of determining the nature and extent of rights and obligations. If they don't like it, a party is free to walk away. In theory.

When there are parties of unequal bargaining power this operates very harshly. Consider how many companies rely on MS products. Now look at how many have liability agreements with Microsoft.

In some transactions it often makes sense to legislate on matters of importance, for the protection of individuals - take for instance the UK (and EU) where, under the Unfair Contracts Terms Act 1997 (an act on limitation clauses), a clause that limits liability for death or personal injury is void.

Where we have individual consumers (not companies), the law has come to recognise that we, as individuals, cannot influence a market by desire alone: we are very limited in what we can agree to. The commercial reality is that consumers will agree to pretty much anything if they can't avoid it. A lot of the times consumers don't understand. So we protect consumers, with acts like UCTA and the EU Unfair Terms in Consumer Contracts Regulations 1999, which allows consumers to disregard unfair terms (terms that are standard, un-negotiated and unnecessary).

As computers become so fundamental in our lives, we rely more and more on their performance for business critical operations. Ultimately this means we rely on the software as much as we do the hardware. Hardware manufacturers have long provided warranties that cover collateral "epic failures", because they are forced to by one another, and the end consumer. Yet we have a unique environment where software is rarely a liable product, and when a software company provides something that can be hardened but chooses not to, we are stuck with the end result.

It makes practical and economic sense to encourage software companies to become more responsible for the code they write. If the only way we can encourage this is through legislation, then so be it. Cutting corners in a software product should be no different to drugs or hardware. The law does recognise the changing scientific and technological landscape and will not unreasonably penalise a developer in the future for a future unsafe coding practice. But it certainly should penalise negligent programming.

However, let's consider the down side. Not all software is contracted. Quite often a software license is really a contract regardless of the wording of it, or how it purports to be. If we have agreement and consideration, a court can be persuaded to find a contract if there is sufficient intent to create legal relations. Collateral and unilateral contracts (often referred to in common law as Lord Boden's reward for a lost dog) can crop up without the express intent to accept a contract on bartered terms.

Therefore it is conceivable that use of a "free software" product (a product that is free), offered by a commercial entity, could be covered by contract law and thus a regulation like this. GPL software given away by its non-commercial creator would not be governed by a contractual regulation like this without contractual privity: where is the consideration, where is the offer and acceptance, where is there an intent to create legal relations etc? There should be no doubt that pure GPL software is not contractually liable on its own.

The EU has made many fantastic regulations in the past, and is quite often demonised by the press (i.e. the press claims it is "regulating" something - implying that unregulated products will disappear/cost more, e.g. fruit - when really it is just passing a law that ensures importers/exporters can objectively grade the quality and style of their product, as such properties are very subjective). Not so long ago the 1999 regulations above were demonised by businesses because they allowed consumers to get replacements outside of very limited warranties - here in the UK you can compel a seller to replace a faulty good within 6 years of purchase. Business lobbyists said that sellers would have to fork out millions and would be unable to sell anything but lasting products. They were wrong - they simply didn't want to be liable for faults...

I believe too much scaremongering about this proposed EU regulation is unhelpful. It's a good idea on paper. We should be more constructive in helping shape it.

Let's wait and see.

There may be an unfortunate

Posted by Anonymous

There may be an unfortunate catch-22 here for open source projects. Software sales are legally built on the sale of a license. Included in the license is a disclaimer of liability. It seems like these contracts are the potential target of regulation.

If, as the original article suggested, free software licenses are not valid contracts, they would not be affected. If, however, the free software licenses are not valid contracts, then their terms are not binding *at all*. Which means, among other things, that open source developers cannot stop commercial use, cannot force later developers to release the code, etc.

GPL is not a contract

Posted by shmget

GPL is not a contract, yet its terms are still enforceable.

GPL is rooted in Copyright law, not contract law.

Very interesting analysis

Posted by Glyn Moody

Thanks for taking the time to write and share it.

Software can never be guaranteed to be secure and work as expect

Posted by Anonymous

A liability can never work. All software in the world would need to be rewritten with security in mind. Almost all programmers need to be educated in the security area. Schools must change their lessons to include real-world security problems, and we can never trust the standards we are implementing. For example FTP / SMTP / POP3 are always insecure and can lead to major damage when someone is sniffing on your NIC.

So the idea of liability for software is ridiculous and unimplementable; otherwise I'd fully agree with it, and everybody else would as well.

Depends what they mean by "works".

Posted by Paul Johnson

I wrote a piece disagreeing with Bruce Schneier a couple of years ago. The anti-spam software here won't let me give you the URL, but if you go to paulspontifications dot blogspot dot com and look in the archive for August 2007 you will find it.

However the actual EU quote here suggests something much more limited. If I buy a door lock, for example, then UK consumer law says it should be "fit for the purpose", which is a long way from saying it should protect me from all potential burglary. If it gets picked, or the door gets knocked down, I don't get to sue the lock manufacturer for the costs of the burglary. At most I get my money back for the lock, and that only if it was clearly unfit for purpose (like if it can be opened with a screwdriver, or if it jams and won't open at all).

Microsoft EULAs say that their software is warranted to perform "substantially in accordance" with the documentation, and this probably meets the "fit for purpose" criteria. I suspect that the real targets of this move are scareware and other forms of borderline malware that try to use their EULAs as get-out-of-jail-free cards on effectiveness. They may also want to make licenses transferable; at present I can sell my old disk drive second-hand, but not my license to use Office 97.

Good points

Posted by Glyn Moody

Thanks.

PEBKAC

Posted by bolt

How are you supposed to separate what damage was actually done by the software and what was done by a stupid user or several pieces of software that just don't happen to be compatible? If I put the wrong tyres on my car and they fall off, or I pull the handbrake doing 90 on the interstate, that's *my* mistake. If I open a virus infected document, throw my important files in the garbage, run rm -rf /, install a bleeding edge kernel that crashes or anything else like that, that's equally *my* mistake!

IMO, the only thing M$ could be held responsible for would be if... I have no idea, actually.

I think it's more about security holes and suchlike

Posted by Glyn Moody

In other words, where software fails to protect users against viruses or worms because of failings in the way it was written.

Oh really?

Posted by Anonymous

What about software "code" that you download transparently (like websites)? Are the owners and editors of Wikipedia now going to be held responsible for providing an open source wiki that is edited by, quite seriously, millions of people across the globe? It seems to me like you are going to have a problem prosecuting over something no one really owns. With open source software, you can copyright a name, but you cannot truly copyright the entire piece of software, essentially because it is not owned. Also, if your software is made available by you as only source code, the end user turned it into executable software. Fine him for ruining his machine.

you don't "sue" the author

Posted by Anonymous

You don't "sue" the author of the content; you must target the deeper pocket and go after the "publisher" of the content - Wikipedia in this example. They have a duty of care, and although there is a ridiculous amount of liability in their business model to allow content provided by the masses, they have it nonetheless, and own the liability in policing the content for moral hazards, accuracy, and other things. It's a crazy world - just because Wikipedia has a great idea for distributing information doesn't mean they can obfuscate the responsibilities that go with that territory. A new era is dawning - the lawsuits are coming.

I stopped reading at "moral

Posted by Anonymous

I stopped reading at "moral hazards." Information is information. What you do with it is your responsibility, not that of the provider.

Is information only information?

Posted by rteodor

I had a number of classes at university where they explained the difference between information and noise.

I don't know the details

Posted by Glyn Moody

But I agree, it's going to be interesting seeing how they frame all this stuff.

Money is key

Posted by Dan Fego

IMHO, Schneier hits the nail on the head. Paying for something inherently entails a business relationship -- an exchange -- in this case of money and software. When you pay for a product, you absolutely should expect it to work, and work properly.

While this may hurt adoption of FOSS in business (or it may not), I imagine this can only have a positive impact in the consumer market, where such liabilities will surely cause prices to rise, making the free alternatives more appealing. While businesses have to worry about things running right all the time and have serious costs associated with failures, consumers have less stringent requirements and expectations of the software they use. And at the end of the day, software will fail, will have bugs, and consumers will have to deal with it. In fact, computer users (i.e. almost everyone) have come to expect this (as mentioned).

Here's the interesting part: since everyone knows that change is a difficult thing for computer users to handle (case in point: ditching Windows for Linux), they'll be hard-pressed to imagine that things will actually now "just work," even with the heftier price tag that's likely to come. So what will they do? Re-evaluate whether the price tag is worth it (hint: it's not ;-))

Then again, I could also be full of rubbish. :)

I imagine this can only have

Posted by Anonymous

> I imagine this can only have a positive impact in the consumer market, where such liabilities will surely cause prices to rise, making the free alternatives more appealing

That would be the case if people actually bought the software they use, but no one in Spain expects to pay for Windows, Office or anything else (it's free, isn't it? my friend installed it for me). Only medium-sized companies or bigger buy software legally. Well, nowadays people buy Windows when buying new computers (that was impossible in the '90s), but when a new version comes out, no one buys it.

If users had to explicitly and unavoidably pay for all the programs that require it, almost everybody (at least in Spain) would have Ubuntu installed.

Here you can find an article about this (search "windows is free" in Google):
autotelic (dot) com (slash) windows_is_free

At last...

Posted by XLII

I can't think of any way in which the above proposal might be harmful. I would see this as a danger in the USA, where people get a few million dollars for putting their cat into a microwave and suing the company for it, but I'm not aware of any cases in Europe that would address this issue.

As for now, when you BUY a piece of software you're on your own. Sure, the company will probably provide some form of end-user support, however if anything fails you are on your own. Imagine trying a trial version of software, which is quite stable, and then switching to a paid version with more features that causes instability.

Right now, you can't do anything, because software is sold "as is". So it doesn't matter if it works or not. Sometimes the software provider offers a refund option, but it's only their good will in doing so.

Probably there will be some dumbasses who will blame software developers for their PC exploding, however I seriously doubt that:

1) they are going to target free software developers, because of the lack of wealth of those mentioned

2) they will make any serious challenge for big companies' lawyers

In the end I think such a law would enforce refund policies for all developers, and more price negotiation capabilities.

If you "seriously doubt that

Posted by Anonymous

You "seriously doubt that they are going to target free software developers, because of lack of wealth"?

Then you have seriously underestimated the human capacity for greed.

Individuals would not be

Posted by frankson

Individuals would not be liable already since there is no contract being made when you publish your code as open source. But this would probably indeed affect commercial distributors of software, be the distributed code closed or open.

@kerrylinux: this has nothing to do with GPL.

Besides, even with GPL and other licenses that try to avoid warranties by explicit notice, you are already in most countries *liable for your own negligence*; that is, if you, say, develop and sell a GPL-licensed pacemaker that causes the death of thousands, you will likely end up in court already under the current laws, regardless of the license.

Indeed

Posted by Glyn Moody

And interestingly, Bruce Schneier sees that as likely to lead to another layer of business offering insurance against that, just as in other industries.

I guess this is a reaction

Posted by david d

I guess this is a reaction to the dismissal of the three strikes download law, as the software vendors will be held liable for downloading licensed, copyrighted content.

not really my impression

Posted by Glyn Moody

- not least because everybody expected the "three strikes" law to go through. I think these are separate tracks.

quality of liability

Posted by kerrylinux

Open source software developers already take responsibility for the quality of their software by using the GPL, which is consumer-centric and aims at protecting the user's rights and freedoms as much as possible. Most notably, the right to control your own computer and to know what programs really do is a direct consequence of the open source licenses. This actually is a form of liability that the open source world accepts naturally, as it enables other programmers to find potential problems and eliminate them, bringing about software of better quality. For a long time open source developers actively protected consumers while proprietary software vendors did not.

Virtues, certainly

Posted by Glyn Moody

but not really the same as what the EU has in mind, I think.
