Outlining a World Where Software Makers Are Liable For Flaws 508
CowboyRobot writes with this piece at the ACM Queue, in which "Poul-Henning Kamp makes the argument for software liability laws. 'We have to do something that actually works, as opposed to accepting a security circus in the form of virus or malware scanners and other mathematically proven insufficient and inefficient efforts. We are approaching the point where people and organizations are falling back to pen and paper for keeping important secrets, because they no longer trust their computers to keep them safe.'"
Sure (Score:5, Insightful)
It will just cost 100x more, just like healthcare with the torts. Time to take out software developer insurance, similar to the healthcare insurance of approximately 1 million dollars a year paid by doctors these days.
Re:Sure (Score:3, Insightful)
Re:Sure (Score:4, Insightful)
It's very important we decimate the last industry the US has that's still mostly functional, profitable, and productive
Another law? No thanks. (Score:3, Insightful)
"There should be a law!"
No. No, there shouldn't. There also shouldn't be disclaimers that "this coffee can burn your ass," "don't point this gun at your face" or "don't use this curling iron to stir your bathwater while it's plugged in."
If organizations see pen and paper as the only alternative, then they're probably getting the quality of IT support that they're paying for.
Great idea (Score:2, Insightful)
Yeah, let's drive the cost of software through the roof. That will solve everything! Companies will employ a lot more people to do testing but will still have to invest in huge insurance policies just in case they miss something. Your next copy of Windows will cost more than a well equipped car.
Engineering liability (Score:2, Insightful)
I need you to design a bridge. We've already promised the customer that it'll be light and strong, but we only have budget for paper (so we're ok on 'light', just make sure that it's strong), and the deadline is next Monday.
If you think it can't be done, I have the "outsourcing provider" on the phone telling me that there are 500 engineers who would do it. I need an answer in two hours. I know that you've just bought a house and have a new baby on the way, so think again before you protest.
By the way, we've also accepted liability. If anything goes wrong, I'll say that you told me it wasn't a problem.
People need to stop equating software to buildings (Score:5, Insightful)
Re:Sure (Score:5, Insightful)
Re:Sure (Score:4, Insightful)
so a PE can get out of being liable for a badly designed bridge by putting the blueprints and the bill of materials on a sign before you get on the bridge?
there is a point where i agree that the programmers should be liable for their code - to the extent that it shows negligence. the fact that software for so long has gotten away with "good luck, thanks for the cash" mentality is kinda sad.
I am a programmer - and i would be willing to stand behind my code used in the environment for which it was intended.. but at the same time i would want to be compensated for the risk.. same way a PE gets compensated based on the scope of work they have to sign off on.
Re:Sure (Score:4, Insightful)
Ah, idealism! The proposed law, with Clause 1 in place, and enforced, doesn't sound too bad. Do you really think that's the way it would work? In the real world, any software liability law would be written by lobbyists working for Microsoft, Oracle, Adobe, EA, et al., and there is no way in hell it would make life easier for open source developers than for the big commercial developers.
Re:Sure (Score:2, Insightful)
If Console game developers can put in the added effort to make a product that is reasonably bug free, or is otherwise unplayable, back before consoles could update the software then I'm sure MS can debug Office a little bit better before shipping.
Office has a heck of a lot more code than Atari 2600 Space Invaders. And a heck of a lot more ways to interact with the user.
Office bugs aren't 'I press the left button and go right', they're 'I embed an Excel spreadsheet with 500,000 columns and when I change the font to 96-point Comic Sans the first column displays in the wrong font'.
Re:Sure (Score:4, Insightful)
am a programmer - and i would be willing to stand behind my code used in the environment for which it was intended..
ROFL! Wow, you actually expect liability to be limited to the scope the product was INTENDED? That ranks up there with lawsuits against toys because little jimmy choked on a Lego brick or Peggy Sue shoved a jet fighter figure up her nose and shot the plastic missile into her sinus. There is no limit to the stupid and out of intended uses people will put things. There is NO SUCH THING AS IDIOT PROOF. The world keeps making better idiots. If this becomes law, at some point you WILL be sued. No ifs, ands, or buts about it.
Re:Sure (Score:4, Insightful)
the fact that software for so long has gotten away with "good luck, thanks for the cash" mentality is kinda sad
Genuinely critical software isn't usually handled like this.
The whole premise is retarded. You want guarantees? Great, we already have a handy tool of commerce for that. They're called contracts. Just a heads-up... it's going to cost more.
Re:Sure (Score:5, Insightful)
No, licensed engineers just cover their asses better.
Or do you think the engineer should be held liable when someone parks a 30 ton vehicle on a bridge rated for 10 tons and the bridge fails? Well, then why should a software developer be held liable when the software asks you to enter your name and, instead, you feed it data which causes a buffer overrun which allows you to root the database server and steal everyone's credit card numbers? If you would have just entered your name correctly that never would have happened. A clear case of misuse if I ever saw one.
I think software developers should be liable but the liabilities need to be defined first. And if someone hacks the software outside of the scope of the security standards and practices that have been set by the government, put in place correctly by the developer and verified by the assigned regulatory bodies then there is no liability if something goes wrong.
Meanwhile the cost and time required to develop software will skyrocket. If you need any evidence of that, just look at how much time and money it takes to build a bridge these days.
Re:Another law? No thanks. (Score:4, Insightful)
The buyers bewared, ganged up together, and started to act pre-emptively.
Re:From TFA ... (Score:2, Insightful)
Re:Another law? No thanks. (Score:4, Insightful)
The author is talking about making the producer of bad software liable, just as we would hold a gun manufacturer liable if the gun blows up in a person's face.
Re:Sure (Score:5, Insightful)
They already have the beginnings in place.
It's called "patent indemnification," which they insist that vendors must have. Yes, effectively "patent violation insurance" to keep other companies off your back. Granted it's not entirely "liability insurance" but it's a step towards the state where you cannot develop software independently, but instead must be under the thumb of some larger corporation (or somehow have millions in insurance) to write and distribute software.
I proposed something similar in 2000 (Score:4, Insightful)
I proposed, back in 2000, that Microsoft be required to provide a full warranty on their products [animats.com] as part of their antitrust remedy. "Full warranty" has specific meaning in US law; see the article. A few vendors have provided full warranties and not found it too expensive. Notably, GTech, which builds gambling systems, is held financially responsible for errors made by those systems. This costs GTech less than half of one percent of their revenue.
It's time for the computer industry to grow up and take on warranty responsibilities. The auto industry had that forced on them by Congress in the 1960, over the screams of the auto industry. Cars rapidly became safer and more reliable.
Re:Crash! (Web of responsibility) (Score:4, Insightful)
"Wouldn't you hold the software developer accountable for that?"
Which gets to why this idea by itself won't work.
First, who is the "software developer" of a system that uses lots of modules from a variety of vendors (including hardware aspects)? You have an entire ocean of people involved with a big project like that from designers to coders to testers to users...
Second, companies will just use corporate law to create liability shields where each part that could go wrong will be in its own sue-able unit with minimal assets.
Third, let's say something does go wrong, and you can point at a bit of offending code. But, was that really the problem? What about the compiler not smart enough to catch a *semantic* error? What about the simulators that were not good enough to discover the bug in advance? What about the testing procedures? What about the broken CS training programs that focus on theory and not practice? What about the managers who picked a poor development platform because it was popular? When you can go up a chain (or web) of responsibility, why blame the coder at the bottom when there are so many factors involved in making that accident, some of which operate on different timescales?
This whole issue is part of the reason why things like Forth and Smalltalk were so wonderful as small and understandable self-reflective systems, but we got mainstream adoption of buggy C/C++ and bloated Java instead. When the plane crashes from a pointer error, maybe we should blame those who did not choose to support Smalltalk decades ago?