06/22/00 Software Developers Legally Liable for Bugs? by Jake Davenport
(In response to the article found at the bottom of this posting.)
On one hand, I think it's reasonable to expect a software product to perform as advertised. It's even reasonable to suggest that irresponsible software developers may need to be held legally liable for damages incurred by their software under certain narrow circumstances. There are times, for example, when software companies can be negligent if not downright reckless when it comes to putting product on the market. I've seen it and lived vicariously over the tech support line the nightmares that ensued for the unlucky software users who were unwitting recipients of problem-laden updates. In almost all cases, the errors were due to bugs in the programs, bugs which quite often could have been detected before release with a proper quality control system in place.
Bear in mind that bugs, more often than not, relate to the features of the program (i.e., what the product is supposed to do), as opposed to security holes or exploits which tend to be weaknesses in the software that were unforeseen by the developers themselves. While bugs are almost always unintentional and sometimes not even present in the testing environment, the software company has a certain amount of responsibility to ensure that the product it puts forth is properly tested and that it is free of any known bugs before release.
On the other hand, it's entirely unreasonable to hold a software company accountable for problems caused when their product is used in ways not originally intended or imagined, or when it is used in conjunction with other software packages that, in tandem, create new and unforeseeable problems. Even more importantly, a software company is not - and should not have to be - responsible for what users do with the software once they have it. Doing so would be akin to arresting the board of directors at Ford whenever a disgruntled employee drives a Ford Bronco over his supervisor.
The most important thing to remember, though, is that your average consumer is not at risk because Quicken doesn't calculate long division properly; no, your average consumer is at risk because he/she is running a cable modem and has no firewall installed. Your average consumer is at risk because they do not understand that they are at risk. In the same metaphorical vein as expressed in the cited article, the average customer does not know the Rules of the Road.
The gentleman below is making a thinly veiled criticism of Microsoft and their implementation of Outlook Express. Emotionally I fully understand and agree with his position. Fortunately, laws are made to prevent the emotional response from taking precedence over reason, and in this case reason must ultimately prevail.
While Linux users dance about and gloat that they, in their infinite wisdom, are not vulnerable to the "ILOVEYOU" virus because it exploits Outlook's integration with the Windows operating system, they forget that their beloved operating system must be patched on a regular basis to prevent hackers/crackers from exploiting all sorts of vulnerabilities. Just recently CERT sent out an advisory relating to DNS/BIND vulnerabilities in all UNIX flavors - which logically must encompass all implementations of Linux as well. However, Linux users are also power users, system administrators, and computer geeks/phreaks. They understand the rules of the road. They have their driver's licenses.
If car manufacturers were held to the standard the author below wishes to apply to software developers, even your most basic Yugo would have to come with bullet- and shatter-proof windows, anti-lock brakes, locking gas caps, LoJack, keyless entry, carbon monoxide detectors, armor plating, crumple zones, airbags in the front and side, ejector seats with parachutes, removable steering wheels, built-in car-phones with speaker phones, computer-controlled mph to prevent excessive speed, neutral zone radar to keep cars from tailgating one another, and puncture-proof tires. Cars today, though, come in a variety of shapes and sizes and with a variety of safety features/enhancements. Your average human being can't afford a Mercedes with all the bells and whistles, but rest assured that no matter what kind of vehicle you buy, the brakes will work.
To extend the metaphor even further, think about car windows for a moment. Car windows are the most vulnerable portion of an automobile's design and provide instant access to a vehicle to anyone with a brick and the impetus to use it. Can you imagine suing GM because a criminal broke your driver's side window and stole your stereo and the fuzzy dice you had hanging off the rear-view...?
The truth is that virus makers are criminals, and they have bricks and motivation. They're bad people. They are no different than someone who walks into a movie theater and shouts "Fire!" They're no better than the thief who burglarizes your home and burns it down as he leaves. And just like criminals in the "real" world, computer criminals will continue to circumvent the latest and greatest security measures, and they will always find vulnerabilities that they can exploit.
The marketplace needs to be informed and educated. Computer safety should be taught in third grade and up. There should be free computer classes so that people will learn how computer viruses are spread and what they can do to help stop the epidemic, just like sex education teaches children about syphilis in schools today. Software manufacturers should help pave the way, perhaps by sponsoring these classes. Perhaps, too, software developers should be held responsible when their negligence or dishonesty leads to the devastation of data on their customers' systems, but only insofar as Ford is liable when their braking systems malfunction.
When Microsoft posts their first recall, let me know...
--------------------------------
SECURITY EXPERT SAYS SOFTWARE INDUSTRY IS FALLING SHORT
In testimony provided to the Congressional subcommittee holding hearings on the love bug virus, noted computer security expert Peter G. Neumann of SRI International warned that the software industry is not doing what it should to keep the Internet safe: "Vastly many more people are now relying on the Internet, and most of them are oblivious to the risks... Overall, the situation is grave. The commercial marketplace is not leading. The government is not exerting enough driving forces. This is a really ridiculous predicament, and would be a very bad joke if it were not so serious... Until software developers and system purveyors are liable for the failures of their products, there will be no real motivation to develop robust systems... The mass-marketplace is overly concerned with features; it tends to be long on fancy features and to ignore critical requirements such as rudimentary robustness. However, robust features can be achieved with good design and good programming practice, rather than the business-as-usual practices of sloppy development and a rush-to-market mentality. If automobiles were recalled as often as computer system flaws are detected, we would still have horses and buggies." (New York Times 11 May 2000)