Fog Creek Software
Discussion Board




Lawyers, EULA, and Civil Engineers

Recent article from CNet gets into lawyers making a push to remove the clause preventing users of software from suing the software manufacturer due to product defects.

Article linked:
http://news.com.com/2100-1002_3-5067873.html?tag=fd_lede2_hed

The following quote really gets under my skin.
"Civil engineers very rarely make a mistake, and when they do it's a career-ending one," Leavitt said. "The software we're using at this point has the potential to create damage as bad or worse."

I contend that Civil Engineers don't have to worry about people attaching C4 to bridge supports or people mining out the foundation of a building.  And if these things do occur, the law falls on the individual that planted the explosives, not the engineer that didn't think to put up laser fencing, proximity sensors and fire breathing dragons at the base of the bridge.

When the drunk boat driver drove into the 520 in Seattle, they didn't sue the civil engineer that built a floating bridge, the lawsuit went after the drunk boat driver.

Okay, enough venting. . .

Elephant
Tuesday, August 26, 2003

Yeah, this is all we need...Lawyers suing software companies because of a glitch or bug.

I'm all in favor of more engineering practices in software and raising the bar, but the scumbag lawyers will be suing each and every software company in this country right out of existence.

However...

Food for thought....if a company knew it could get sued because it forced the developers to ship poor quality code, would that force companies to listen more to the developer's concerns over the quality of the code?

Mark Hoffman
Tuesday, August 26, 2003

Just recently I read an article about Intel's future efforts to use empirical methods for "testing" their designs. Problem is that those designs come with inherent physical side-effects which are nearly impossible to fully test or simulate, so you'll have to calculate probabilities that your chip actually does what it's designed for.

I believe with growing complexity the same will yield true for software systems in the near future.

Johnny Bravo
Tuesday, August 26, 2003

The problem is that there's no good way to unambiguously define what's fair in most situations like these and too many lawyers looking for a quick buck on a stupid lawsuit.

Airplanes are the worst about this.  When Aylah's plane crashed, her parents were talking about suing the Cessna corporation, who built the aircraft.  The problem is that the plane was heavily overloaded and off-balance, at the insistence of the producer in charge.  So really, the people at fault are either the producer in charge for ordering the plane to be overloaded, or the pilot, for allowing the plane to take off in violation of the plane's operating manual?

The problem is with the level of complexity we are demanding, it's getting closer to impossible to make sure that all of the bugs are worked out. 

Say there's a flaw that, statistically, will crash an aircraft most hideously once every 100,000 flights.  If that's the only flaw with it, it's probably still better than driving.  So it could be argued that, given a reasonable assessment of that probability, should the manufacturer be held liable?

It's worse for light aircraft.  Light aircraft are more likely to be put into maneuvers they weren't designed for (not every plane is designed for aerobatics).  They are also more likely to run out of gas, get into a situation that the less-experienced pilot can't get out of, etc.  All of these cases still occasionally require multi-million dollar lawsuits.  Even if it's a crackpot who's bringing suit without a lawyer, you still need to yourself have a competent lawyer to defend yourself.  For quite a few years, nobody wanted to build light aircraft for exactly that reason.  They are still quite expensive after the continued requirement for the manufacturer to be prepared for lawsuits.

To work around this, people build aircraft themselves, from plans and kits.  In theory, the manufacturer of the plans and kits is absolved of liability for them.  But then the person who put them together can't really sell the plane without worrying about getting sued 10 years down the road if it crashes.  And the kit manufacturer shouldn't be 100% absolved of responsibility because there have been some quite unsafe designs produced.  Plus, for added fun, if you sell a homebuild, there's no legal way that you can avoid getting sued down the road if somebody's determined.

Pretty much every artificial line that you can make will have cases that are allowed but completely unfair.  You can't rely on your average lawyer or person on the street being able to understand these sort of fairness issues, which means that the lawsuits that aren't fair will continue to be brought.

With software, again, it's a matter of reasonable liability.  Windows was developed for quite a few years without any need to worry about buffer overflows.  That only happened later, so it's understandable that there's *some* problems from Microsoft with respect to overflows.  Plus, if you can't be absolved of warranty, this means that it suddenly becomes very expensive to release software for free because then you could get sued for flaws in that software.

Try to resolve that by saying that "OK, so it's only the cases where you *claim* to be secure, not just any overflow."  Which will mean the end of OpenBSD, who has otherwise been very good about security holes.  One, so far, has slipped by in the past 7 years.

Flamebait Sr.
Tuesday, August 26, 2003

Good points.  And whom do we hold responsible for open source software when the software producers are now liable for faults in the software?

Elephant
Tuesday, August 26, 2003

The CNet article wasn't bad.  There are important points from the pro-legislation side.  For example, people need increased protection for whistle-blowers and exploit demonstrators.  Merely implementing an attack shouldn't be illegal; it's the nature of computers that when you describe something in good enough detail, it can run.

I'd say the article was good journalism.  It started out sensationalistic but empty, and slowly grew more meat, including pointing out that the US is litigation-happy.

Tayssir John Gabbour
Tuesday, August 26, 2003

One thing seems sort of odd to me about the article and product liability claims as applied to software in general:

Product liability claims can be brought by people who bear no contractual relationship to the product itself.  For example, a bystander who is harmed by a defective product could in some cases have a valid claim against the manufacturer. 

Microsoft's EULA may be able to bar the people who purchase Windows from bringing claims (because the user agrees not to do it by accepting the EULA), but the EULA can't prevent a bystander with no contractual relation to Microsoft from bringing a product liability claim.

One big problem is that the people most likely to be harmed by a defective MS Windows are exactly those people who are purchasers of Windows and thus barred by the EULA from bringing a product liability claim.  This seems to me like kind of an odd state of affairs, at least a state of affairs that doesn't exist in quite this way with regard to non-software products.

Herbert Sitz
Tuesday, August 26, 2003

After all the discussion on "http://discuss.fogcreek.com/joelonsoftware/default.asp?cmd=show&ixPost=66367&ixReplies=22" I suppose all I can offer is that great minds think alike and fools seldom differ!

David Roper
Tuesday, August 26, 2003

Actually, in most jurisdictions, I think you'll find that even if there is an explicit waiver of the right to sue under product liability that this is unenforceable in terms of negligence and actual loss.

'Course proving either or both is the kicker.

Simon Lucy
Tuesday, August 26, 2003

> Food for thought....if a company knew it could get sued because it forced the developers to ship poor quality code, would that force companies to listen more to the developer's concerns over the quality of the code?

No. It would probably lead to industry support for programmers becoming "accredited" so that companies can then shift blame to and sack the certifying software engineer.

"All our software is approved by a licensed software engineer. In this case, the individual responsible has been dismissed."

.
Tuesday, August 26, 2003

I'm all for software warranties, but the damages should be limited to the purchase price of the software.  The company doing the suing would then be forced to stop using the software until they acquired another license.  I think this works well for open source software as well as closed source software.  If the most that a software company has to worry about is refunding the purchase price of their product to the few companies that might sue, their risk is fairly low.  One would hope that in the case of truly horrible software the company responsible would fix the problems due to the number of refunds.

While this solution might not be perfect it is certainly better than what we have now and has little chance of destroying the software industry.  In fact I would think that things would improve rather quickly.

Anthony Rubin
Wednesday, August 27, 2003

I think there needs to be some responsibility on the part of software manufacturers for putting out crappy products or products that don't work.  Even if that is just being able to return the product, that is better than what we have now.

Further than that, I would like to see organizations pursue software companies for breach of contract when they deliver products that don't meet the needs of the contract.  Too often does an organization buy a product or hire a consultant and then get delivered crap.  Yes the market can regulate this to an extent, but the problem with this theory is that these IT systems are massive and very expensive to replace or upgrade, so organizations do not have the freedom of choice that is required for a real "market" solution.

However, I am *very* wary of holding software manufacturers liable in general.  It is just not feasible at this time, in my opinion, to develop software to high enough standards that it would be worth the risk assumed.  Now, I would surely like to see this change, and in an ideal future I would like to see some liability on the part of the software producers, just like with other forms of engineering.  There will, however, need to be distinctions between product faults and malicious attacks on the product.  As you say, the bridge isn't designed to be attack-proof (though if you sell it as attack-proof, it had better be).  But if the bridge simply fails and people die, people are held accountable.

Mike McNertney
Wednesday, August 27, 2003

Even the definition of "bug" is hard to pin down.  Is the program just supposed to work that way?  How do you distinguish "bug" from "feature request"?  There is no firm line.

I certainly agree that getting lawyers involved would be a very bad thing, and produce no real benefits.

Jim Rankin
Wednesday, August 27, 2003
