BBC Commentator Goes After Software Licensing
An anonymous reader writes "Bill Thompson, a regular commentator on the BBC World Service programme Go Digital, criticizes current software licenses (including the GPL) for giving developers 'freedom from responsibility which would be considered wholly unacceptable in almost any other sphere of activity, public or private'." From the article: "A friend of mine is a children's writer. When she writes a non-fiction book she is typically asked to sign a contract that indemnifies the publisher against legal costs resulting from errors of fact in the book. If she was to suggest a school experiment that involved drinking sulphuric acid, because she'd confused it with acetic, then she'd be in big trouble. Yet I can't do anything when a company produces software that exposes my online banking details to any script kiddie with time to spare, because I've agreed a license that removes such liability. "
Bad analogy (Score:2, Insightful)
Software User is to Developer
you don't "license" use of a book (Score:5, Insightful)
There is a lot of crap out there about companies liking proprietary software because it gives them someone to sue when the software breaks catastrophically. That Microsoft has about a $40 billion dollar war chest, earned almost entirely through the sale of very broken software, pokes some big holes in that theory.
You're getting software for free. Don't bitch about indemnity in the license.
Separate Coding and Liability (Score:5, Insightful)
The solution, I think, is that the realms of coding and of liability need to be separated. Let the coders code and let service companies such as IBM work together with them to provide support and, if needed, liability for customers that need it. This is exactly what happens when IBM "sells" Linux to Wall Street, for example. They sell the kind of responsibility for the software that individual developers could by no means provide.
Typical Big Government Response (Score:4, Insightful)
No, I do not believe that everyone should be left to fend for themselves without ANY regulation. If someone produces a medication and makes a claim that a patient considered reasonable, and they get more ill or die as a result, then the company should be held accountable. But to make every fucking business activity subject to error and omission insurance will wreak holy hell on our economy. E&O insurance requirements will guarantee that
1) software development will slow,
2) software for process control will halt due to liability questions,
3) lawyers and insurance companies will get rich,
all without one single shred of evidence that any of these effects actually made software development any *better*.
When I install software, especially for the first time, I do NOT have it on my production machine. Why do people like Thompson like doing things like this? Why should a software publisher spend heavily to debug (and still not get EVERYTHING) in a manner that *assures* the E&O insurer that it will not delete Mr. Thompson's latest mp3?
EULAs do not provide any more protection (Score:5, Insightful)
From the Windows XP Home EULA [microsoft.com], with caps removed to get past lameness filter: and so on and so on.
With this amount of legal protection, I feel completely safe using Microsoft products!
What nonsense (Score:2, Insightful)
But if you give me a car, or if my hobbyist mechanic friend builds me a car and then gives it to me, I can't really hold him responsible for it not functioning properly. Same thing if my programmer friend just gives me custom banking software he built. When you get something for free, it needn't be licensed in such a way. If it had to be, then no one would ever give anything away for free, which is bad for the public. The better solution is for people who are worried about this potential to simply not accept things which are given away for free.
We have such restrictions on sold goods because otherwise our market can be completely tampered with. Without them, it allows companies to claim goods perform a certain function safely and reliably when in fact they don't.
I do agree though--there was a general trend in EULAs for software developers to say, "Listen, what happens now that you've bought this software is YOUR problem. If it fries your hard drive, or sends all your most personal files to my friends, that's YOUR problem." Yeah, that's bad. But the GPL simply doesn't enter into it. The GPL is a license about copying and redistributing software. If you start selling GPL software to a company, then maybe the company that sold it can be held a bit responsible for it not working well (they should, after all, be testing the configuration; otherwise, why are you paying them?).
Unfortunately, I don't think the "security" issue is really the critical one. After all, car manufacturers aren't held responsible for making car theft easy (even though it actually is quite easy). Software developers (especially open source ones) spend a lot of time on making software secure, but we can't possibly hold them responsible for every hack. No products, be they physical or in the software world, are really completely secure.
Analogy doesn't fit (Score:1, Insightful)
This analogy would make sense except that you can void a warranty (and assumedly any liability) if you make any adjustments to the car that could negatively affect its braking system, etc. The same is true with software vendors only amplified a thousand times. Software vendors have no way of telling ahead of time what kind of hardware faults, existing programs, etc, are already installed that could interfere with the operation and security of the program.
Further, nobody holds a car company liable if someone finds a way to jimmy the lock and open your door, which would be the equivalent of a hacker in this case.
These kinds of liabilities only work in more closed systems.
Re:About time (Score:5, Insightful)
If you don't like it - write up a new license claiming responsibility for whatever it is your software may do. Write whatever software you want. Users will possibly flock to you just for the peace of mind they would get (or is it piece of mind?).
Of course, so will the lawyers, but hey, it was your choice (as a developer) to release software under those conditions anyway.
Re:you don't "license" use of a book (Score:5, Insightful)
So basically, if you want software that's guaranteed, you're going to have to do a few things.
A) Pay someone a whole lot of money to write it.
B) Test the hell out of it before it gets put in place.
C) Realize that this is going to take a long time.
D) Probably pick some very specific hardware for it to function with, and not have the option to easily upgrade in the future.
E) Make sure you get all the feature requests and whatnot right the first time, because patches and stuff are not going to be easy or cheap.
The market, for the most part, has opted for halfway broken software for a couple reasons. Upfront costs, freedom to grow/update/expand more easily, and because brokenass Windows was good enough for a lot of stuff. Hardware increases allowed significant boosts in productivity, and to a large degree, software was just sort of along for the ride. Now that commodity hardware offers so much power that the drive to upgrade is much less of a factor, it might make more sense to focus more on software quality.
malpractice caps do NOT decrease premiums (Score:5, Insightful)
Now let's get back on topic. It's wrong for people to make excuses for bugs in code which expose my personal information to hackers, stalkers and marketers. I'd just as soon see the industry grind to a halt until they find a way to nip these miscreants in the bud. And no, I can't opt out of this dangerous system unless I stop driving (so much for being able to get food), close my bank account (yeah, hide my money under my bed so a thief has a reason to physically rob me and then kill my whole family to get rid of witnesses), declare myself dead (to retire my SSN - whoops, that's illegal, welcome to Club Fed! - or at least, welcome to joblessness) and practically move out of the country (well, actually that's a good idea if Canada is my destination).
Thanks to stupid programmers there's absolutely no way anyone can protect themselves from identity thieves. The only reason why someone hasn't hijacked you is that they don't care to.
Now please, come back after you find yourself having to fight for years to fix your credit after a hacker stole your personal information off Lexis-Nexis and then tell me they shouldn't stop the digital train for some major overhauls. Until you're a victim of the gaping flaws in the digital fortress you really don't understand the sharpness of that sword of Damocles that is swinging back and forth over your head.
Re:GPL (Score:3, Insightful)
Giving a book away for free does not indemnify the author from accountability for its content. Were I to claim you like whipped cream and underage barnyard animals in an unnatural manner that might well be actionable as libel (assuming the claim were false), despite this post being distributed freely.
Nothing is ever our fault, we must always find someone else to hold responsible for problems that we should be tough enough and capable enough to not get into or to solve ourselves.
Yeah. Those goddam irresponsible Pinto drivers are really to blame. They should have known those cars were particularly liable to blow up.
BSODs are not like coffee being hot or Jarts being pointy. Heat and pointiness are not flaws in their design and construction and injuries resulting from them are based on carelessness, events the user could have avoided while still taking full advantage of coffee and Jarts.
BSODs happen because someone else was careless, there is nothing the user can do about them, and they prevent the user from taking full advantage of the system.
"Yes, ladies and gentlemen of the jury, my client mugged Mr. Smith, but Mr. Smith was fully aware of the risks he was taking when he left his house. Mr. Smith is only a "victim" because he was not tough enough to resist my client. He should take responsibility for his own actions."
That dog won't hunt.
KFG
Re:Analogy doesn't fit (Score:3, Insightful)
I have no problem with someone claiming "as-is" on software given away or sold for a small fee; it is completely unreasonable to expect someone who is not receiving any money or receiving very little money for a piece of software to be able to afford to offer warranty protection. However, I do have a bit of a problem with companies releasing buggy software at premium rates, and then disclaiming any responsibility for their own misconduct or incompetence.
Hmm. I just thought of something. One way to solve the problem is to require a company that sells a software product "as is" to include the source code at no extra charge to its customers; if it fails to do so, it cannot disclaim any warranty. If the customer who buys the product has the source they have (in theory) the capacity to fix the problem; if the customer is denied source then the manufacturer must warrant its performance. This would solve the problem rather nicely; companies like Microsoft could either give away the crown jewels and thus have to provide the means for anyone who bought the product to understand it, or they would have to provide technical support and warranty protection as part of the retail price of the product. Claims that they can't afford it are belied by the extreme price charged for new copies of the program or the excessively high charges for maintenance, oftentimes for which they provide absolutely nothing. If software developers want to charge premium prices they should be providing at least minimum quality warranty protection or allow their customers to be able to fix problems that develop.
Partially, yes (Score:5, Insightful)
If you as a company, invest tens of millions into a rollout of a new software product ( be it a new version of Windows, or a new Linux Kernel), without
Take Windows for example. If you lose $500,000 in a day because some critical Windows server crashed from a certain DDOS attack, should Microsoft be responsible? Or should you be responsible, because you should have known from years of examples that Windows is very vulnerable to those kinds of attacks, and you should either have an external protection mechanism in place, or not use the software? I think the latter. Then again, I am not the person who thinks "sue" when I slip on icy stairs in the winter and break my neck either. I think "maybe I should have bought better goddamned shoes for walking around in the winter". The other commenters are right, there is not enough responsibility in the world today. Grow a backbone and stop suing everyone.
Bullshit. There's always an option (Score:5, Insightful)
There are companies that make solutions like this, IBM is one of them. You can get a mainframe setup to do database work that will never go down, ever. However it'll be expensive as hell, you will run the DB and ONLY the DB on it, it will be accessed only in rigidly controlled ways, etc.
Re:malpractice caps do NOT decrease premiums (Score:3, Insightful)
And that's exactly what would happen. Anyone doing any sort of business electronically will cease to do so.
There is no way for software to be written so that it's absolutely safe from people who are determined to break it. Depending on your paranoia level, you can believe (or be reassured by the notion) that certain 3-letter gov't agencies can decrypt any secure transmission you might make over the wire.
And your identity can be easily stolen for reasons that have nothing to do with stupid programmers. Anywhere your information lives, it can be stolen by someone authorized to use it - regardless of how tightly the systems are locked down.
Any system of any complexity at all relies on assessment of risk and assumption of best practices. Any system - from the space shuttle to an operating system to an e-commerce application - cannot guarantee absolute safety.
We'd probably agree that any company who, through gross negligence, exposes sensitive data should face legal exposure. But if every business had to fear that every minute flaw found in whatever computer system they've got running could lead to a lawsuit, it would shut down e-commerce (in all forms) overnight; and would set business and the economy back in a major way as the cost benefits that information systems (used both internally and external to the organization) provide are turned off under an entirely different sword of Damocles.
Re:No Single Vendor is Responsible for Software (Score:3, Insightful)
Similar analogies can be made towards anything that is built. When Ford builds a car, they don't create every nut, bolt and beam in the car. They probably buy a lot of the parts from third-party manufacturers and assemble them together. This is true for many products out there.
An analogy closer to home, is the system my friend's company puts out. They treat cancer tumors using some custom hardware run with custom software. But this software runs on windows and some computer hardware they purchase. However, there is a standard configuration for windows and the hardware that's approved by some governing federal medical agency to prevent any foul ups.
Depending on the situation, the assembler is or isn't liable. In the case of my friend's company, they aren't liable since this computer setup has been approved by a large, governing, official body. What about the case where Ford Explorers had tires from another manufacturer and those tires exploded? Is Ford liable or the tire manufacturers? This is what our court system is for.
Your question is legitimate, but naive. (Score:2, Insightful)
Anyone who wants to can develop software and market it without disclaiming liability. But they would be used as floor mops by companies that disclaim liability. The only places that write that kind of software are those that can afford to spend exorbitant amounts on mission-critical software development because the possibility of failure is even more exorbitantly expensive. Check out what it costs NASA to build software for their space shuttles, and the kind of hardware they run it on; I think it will be illuminating.
Government could write a law prohibiting liability disclaimers. This would kill most software for its jurisdiction. I'm sure the carmakers made the same argument, but here's the difference: software is cheap and easy to develop, virtually free to distribute, and exorbitantly expensive to prove fitness for a given purpose (especially given the possible variety of configurations typically expected of software). Perhaps most significantly, in most cases it's generally cheap to replace when it's proven unfit. In this environment, focusing on guaranteeing fitness brings very rapidly diminishing returns.
What about consumers? (Score:1, Insightful)
* Fully researching the present and past state of the company or individuals responsible for the software, and their abilities both demonstrated and implied.
* Fully looking into present and past security issues with the software
* Doing a full independent side-by-side comparison with competitors
Yes, you're right. Corporations have IT staff for a reason: they should take the responsibility for procuring suitable software, and for arranging appropriate support contracts where necessary.
Great.
So what about Jane Average, 67, retired schoolteacher, buying a new computer because she wants to keep in touch with the grandchildren? Is she supposed to do all that research? How is she supposed to interpret the results? And what is she supposed to do when she reaches the truth, which is that there is no computer system she can buy that comes with a decent warranty. Even Apple's license agreement disclaims all responsibility for everything - they even specially state that they don't guarantee they'll bother to fix security flaws!
Jane can't write her own OS if she isn't happy with what's out there. And she can't afford to pay a company for a real support contract. She has to suck it up and hope that nothing too nasty happens.
Are you happy with that?
Do you really live in a world where people are so faceless that you only even bother to consider corporations?
Re:malpractice caps do NOT decrease premiums (Score:3, Insightful)
First off, the majority of successful identity theft cases out there have been proven to be the result of social engineering. Meaning, there were no bugs and there were no clever hackers exploiting the computer systems. Instead, there were con-men tricking people into giving them information, there were thieves sifting through the trash of some careless individual that threw out personal information without destroying it. It means the problem isn't the 'bad bad programmers' it's the idiots out there who are too stupid to think about what they are doing before they do it.
And you are right, I think THOSE people should be held accountable. And I also think that if you develop software for a company that is in control of that sort of information, it's their responsibility to ensure that your software works or to make you responsible for making sure it works. THEY put the software and information on the same system. It was their decision to do so. Unless they've secured a guarantee that your software is safe from you, then it's THEIR responsibility. And amazingly enough, that's the way the courts see it too.
But that has nothing to do with a standard EULA. People do not steal identities by hacking Quicken. And even if they did, it was YOUR choice to put that software on your computer and make that information available to it. Especially AFTER they've made you agree to a license telling you they aren't responsible for any bugs in the program. If you don't like that EULA, then follow their advice and DON'T USE THE SOFTWARE.
Re:No guarantees (Score:2, Insightful)
Why is that idealistic and unreasonable?
In my fantasyland the Supreme Court decides that the more onerous restrictions of some EULAs are against public policy and cannot be enforced. Not the GPL - that's not onerous. I'm talking about waivers of damages, warranty, etc.
Re:malpractice caps do NOT decrease premiums (Score:4, Insightful)
and again
I'd just as soon see the industry grind to a halt
So, you'd like to see everyone just stop until it is completely safe, but you can't see how it is you could live without the systems that are in place. By the industry grinding to a halt, you mean you're just going to stay home and eat your scrambled eggs until the world is without risk. Until your fluffy little world is just right to you.
Well, the world ain't perfect and you do have choice. And people should be free to assume whatever level of responsibility they feel comfortable with as long as there is no fraud. Doctors should be able to make patients sign legally enforceable waivers of complete responsibility from even claims of malpractice. And so too should manufacturers of software and hardware. If that car manufacturer wants to make you sign a contract that says that their cars may explode upon key insertion and they are not liable for damages beyond the cost of the car, then that should be the way it is. Then let some decide to indemnify and others not and see if the price difference is worth it to customers.
Perfection costs time and money and is most often illusory, so to mandate it is a fool's errand.
Re:Partially, yes (Score:2, Insightful)
The responsibility rests with the people who started the DDOS attack. Ob Duh.
Who did you blow to get a +5, Insightful on that?
Idealism and Reality (Score:3, Insightful)
Implementing responsibility in software is desirable -- and unlikely.
At the bottom of the problem (surprise, surprise!) we find money. Software development requires expensive human labor and support; the software industry already limits its investment in quality assurance and support. To fully test every piece of software for 100% (or even 99%) reliability would drive software prices spiralling — you would see no free software movement, no open source, and be living with a very limited selection of corporate software at cocaine-like prices. Witness what has happened with liability lawsuits and medicine, driving costs to astronomical levels.
If anything, the success of the software industry could be attributed to its very lack of guarantees. It has few material costs; anyone with a $500 PC can start a software business. You don't need to guarantee your product, and society is conditioned to accept broken software after years of living with Microsoft's badly engineered products. Companies ship erroneous code to customers, knowing full well that it can be patched later.
Do I think software should provide guarantees? Yes. Will it happen in my lifetime? Not unless society changes dramatically.
Re:GPL (Score:3, Insightful)
Yes. Because the average BBC columnist has neither the time nor the experience to audit every single OSS application on his computer. OSS has an advantage that the source is there, but many OSS writers think that it means they don't have to guarantee their software - after all, they can see that it's safe. The user's rights include the right to use safe code, and free programs (in either sense) don't relieve the programmer of the responsibility to write safe code.
And that's not just the average BBC columnist. How many people who run Linux have read through the entire kernel? How many people who install a GNU system, or KDE, or Mozilla, or whatever, on top of it, also read through the source code of those? I'm guessing zero. For that matter, I doubt Bill Gates has read through Windows' source code, although he certainly is capable of reading it and he has access to the whole thing. It's just that nobody has the time to read large software.
I think the solution is a security auditing OSS group. A few respected members of the community - and a few regular volunteers - should get together and read through at least the important parts of important existing software (e.g., Firefox, not xeyes, and the SSL code, not the about dialog), and verify those. With enough approval, the group says that the code is safe. This takes advantage of the open nature, but makes the concept practical.
Re:GPL (Score:3, Insightful)
Well, I was alluding to that, just because it is so well known. But I didn't want to use it as an example for that reason. But in general, lawsuits have dehumanized us.
Chance of error, proper use (Score:3, Insightful)
Take condoms, for example. They can help protect against pregnancy and/or STDs. They can also break. In a reasonable situation you should be able to expect some safety in using them, if you use them properly. If you think that wearing a condom is going to make it OK for you to head on down to 3rd and Main every night to pick up a $10 date... well you don't sue Trojan when you get a little more than you bargained for, now do you?