Software Liability Protection

Ovid on 2009-05-13T07:20:05

Once again, I expect I'm in the minority on this, but I'm quite happy to see that the European Commission wants consumer protection laws extended to software.

Before you reach for the pitchforks and run me out of town, hear me out. The BSA, representing Microsoft, IBM and Apple, don't want this because they feel that it would stifle development and that software is a fundamentally different thing from a toaster. While I agree that we're not producing toasters and our liability should be different from manufacturers of such, I don't believe this would stifle development. I believe it would fundamentally alter it. Instead of rushing to see how fast we could get our products to market, more time in software testing, penetration testing, fuzz testing, etc. More research into developing secure systems would take place and developers would actually know what OWASP stands for. Plus, this would fix one of the biggest issues with security: companies don't want to pay for security because those costs rarely generate revenue or losses great enough to justify said costs. It makes no economic sense for companies to care about security (remember: economics doesn't care a fig for ethics).

One complaint is that there might be less software interoperability. This is probably true and it's a sad price to pay, but if we care about our craft, sometimes sacrifices have to be made. And that, my friends, is the crux of the problem. I don't believe most software developers want to develop bad code, but they'd rather develop bad code than be told they can't play. While I'm sure many would deny this, watching the juvenile interactions that are the best many developers can maintain, I stand firm by my statement.

So the EC wants consumer safety laws and business/developers don't. Perhaps, just perhaps, we should find out what those laws are first? To whom do they apply and how? What are the penalties? Obviously it would be idiotic if we're talking about jail time; if it's merely the cost of the software, this might be too lean. If, instead, we had a reasonable indemnification for "good faith" efforts and modest penalties, I think this would be a good start. In fact, I would argue that "good faith" efforts should probably lean in favor of the businesses/developers to stop frivolous suits. Of course, how does one demonstrate "good faith" efforts in closed-source software?

I expect that most software developers would still prefer to say "no" rather than entertain even a shred of compromise, but like bankers receiving fat bonuses with bailout money, maybe, just maybe, the general public is tired of our justifications.

Update: there is one reason I would strongly object to consumer protections: if the EC gets around to writing said laws. I know that sounds paradoxical, but given some of the computer laws (and attempts) coming out of Europe, I don't really trust people who don't understand computers to regulate them.


Wishful thinking

Ed Avis on 2009-05-13T08:01:56

> I believe it would fundamentally alter it. Instead of rushing to see how fast we could get our products to market, more time in software testing, penetration testing, fuzz testing, etc.

Do you have any evidence on which to base this belief? Would the natural response not instead be to divert more money to lawyers and compliance officers?

Does this mean you would no longer be able to post code to Github, Sourceforge etc. without first performing security audits and CYA?

Re:Wishful thinking

Ovid on 2009-05-13T08:31:51

There is a fundamental issue well-known to economists that when a good has negative externalities (e.g., pollution), then forcing those generating the externalities to internalize those costs is widely considered the fairest way to deal with them. The problem is really trying to assess what those costs actually are and which manufacturers are responsible for which portion of the costs (the devil is always in the details). Since software manufacturers clearly generate a product with negative externalities -- think about the entire ecosystem of credit card thieves and botnets -- just ignoring the problem doesn't seem like a good solution. I don't, however, have evidence that manufacturers will actually produce better quality products instead of hiring more lawyers, so fair point to you.

As for posting code to Github, Sourceforge, etc., that's merely one of many, many details which would need to be addressed. I'm certainly not pretending to have all of the answers. I'm merely saying that we shouldn't continue to ignore this problem just because we don't yet have the answers. However, I do suspect that many developers will think "how could I post to github?", panic, and then refuse to back the idea because they want to have their fun without any responsibility for it.

Side note: some will deny the "negative externalities" of many of these software issues because they don't have a reasonable grasp of the economics involved. I would argue that they read up quite a bit more about economics and how our global technology security challenges might impact those who don't even own a computer.

Negative externalities

Ed Avis on 2009-05-13T12:07:21

A product does not have negative externalities merely because it harms its owner. If you want to pour diesel in your own fish tank, so be it; only pouring it into the local river is an externality. So just saying that software makers have a shoddy product is not enough to put them in the same category as noisy concerts, polluting factories, and view-blocking skyscrapers.

Of course, there are negative effects to society as a whole from the existence of botnets, but that is true for almost any product: a car manufacturer is not liable for the effect of traffic jams, although individual car drivers may have to pay congestion charges or taxes. There are also many positive externalities from the use of software, but software makers don't get special subsidies because of those. They make a product and consumers decide whether to buy it or not. The good and bad features of the product are taken into account by consumers when deciding what to buy.

Now, if consumers are not equipped to make an informed decision, or if market distortion such as monopolies stops them exercising a free choice, then there is a case for regulation. However I really doubt that legislators, civil servants or lawyers would do a better job than individuals of choosing which software should be allowed.

Re:Wishful thinking

Ed Avis on 2009-05-13T12:24:37

A product does not have negative externalities merely because it harms its owner. You can pour diesel in your own fish tank; only when you pour it in the river does it become an externality.

Of course there is harm to society as a whole from the existence of botnets. But some negative effect or another exists for any product from cars to telephones to books. There are many positive effects on society from the use of software, but makers don't get a special subsidy because of them. The quality of the program (including how secure it is) is taken into account by consumers when deciding what to buy and use.

Now, if consumers aren't able to make an informed judgment there may be a case for regulation. But I find it hard to believe that legislators, government agencies and lawyers would make a better judgment than individuals do. Further, even if you disagree with the government's opinion of what software you are allowed to run, there is no way to get around it. For that reason it's best to let individuals make their own choices.

Re: Software Liability Protection

daxim on 2009-05-13T09:22:06

It will never fly. An interest group will quickly come to say, "while we in the EU are heaping on large costs to comply with the governments' rules on quality, the software makers in Brazil and the USA and whatnot are cheaper and quicker, and the consumers naturally go for them".

How about this: like with organic/non-genetically-modified food, let the authorities issue a stamp of quality. Those who want or need high quality software will go for it. So this is a wholly volunteer thing and the market regulates itself.

Re: Software Liability Protection

Ovid on 2009-05-13T09:38:49

As for software from other countries, they may be cheaper and quicker, but we still have liability laws for non-software products from them. If a small shop in Texas sells their software in Europe via the Internet and they hurt people, you could still bring suit. For shrink-wrapped software, Europe could simply ban the software from being shipped here if they didn't comply. Granted you might not get anywhere suing software manufacturers from other companies, but that's the way it would work for smaller companies. (Annoyingly, this might be an incentive to buy from larger firms).

Big companies which have the greatest impact on consumers are the companies most likely to comply with this because they won't have a choice. Microsoft will release more secure software and they'll probably be hurt by this because they've been going on too long without security. Apple, ironically, may be even worse in this regard.

Put in a reasonable grace period of five years or so and we'll see dramatic shifts.

As for your "stamp of quality" authorities, how would they evaluate all of the software out there? They couldn't. There's simply too much of it. They'd have to issue that to entire companies and the certification process would be so onerous (I guarantee it), that most companies wouldn't bother and people would ignore it. Microsoft, IBM and others would automatically get that certificate because they could afford it and then they'd just ignore it. It would be meaningless.

Re: Software Liability Protection

chromatic on 2009-05-13T15:28:37

> Microsoft will release more secure software and they'll probably be hurt by this because they've been going on too long without security.

Why do you believe this? Microsoft is not in the habit of complying with regulations it considers annoying or onerous. I'm sure Microsoft is also very capable of demonstrating irreparable harm to its business (and if you want to talk about negative externalities, consider the cost to customers) by breaking all existing software.

Maybe the government should also run a Toys for Insecure Software program.

Money back guarantee

bart on 2009-05-13T11:35:58

The only thing I want, and what I think is the original idea behind this proposal, is a money back guarantee, if you find the software doesn't do what you wanted it to do.

Currently, software vendors hide behind a "no promise of fitness for any particular purpose" clause in the EULA, and I'd like to see this clause wiped out of existence.

Re:Money back guarantee

Ovid on 2009-05-13T11:42:26

That might be enough to satisfy me. However, what's to stop someone from buying the software, installing it, then returning it for a money-back guarantee and still using it? That would be problematic, I think. Still, this would go a long way towards mitigating some of the issues involved.

Re:Money back guarantee

Mutant321 on 2009-05-13T12:57:34

What's to stop someone downloading the same software via BitTorrent? I think that's really an argument about piracy rather than the issue at hand (and most medium to large companies don't pirate - at least on a large scale - because they can be audited).

I agree with bart... a money-back guarantee - while it wouldn't solve every problem - would at least give consumers some protection (while crucially leaving "free as in beer" alone). Anything more (as much as I'd love to see MS et al suffer for their shoddy code) really does run the risk of stifling innovation.

Re:Money back guarantee

drhyde on 2009-05-14T15:35:20

The penalty needs to be only payable once actual harm or misrepresentation has been demonstrated (thus preventing your hypothetical), and needs to be a large multiple of the price. That price including any consultancy fees, maintenance contracts and so on, not just the purchase price. This would make people who just release their software for free immune (a large multiple * 0 == 0), but those who run businesses around free software liable.

Re:Money back guarantee

Ovid on 2009-05-14T16:39:45

Free software is one thing, but what about open source? If someone releases free software that has a nasty security hole exposing your credit card data to others, then I would argue that there's a liability issue. If it's also open source, I think that would be a mitigating factor in liability.

Re:Money back guarantee

jmm on 2009-05-13T14:04:19

It would be nice to use that guarantee to get my money back whenever I was forced to accept a copy of Windows along with the hardware that was all I really wanted to get.

I agree, at length

Whiteknight on 2009-05-13T14:09:22

I was writing a comment to agree with you, Ovid, but it got too long and turned into a whole blog post:

http://wknight8111.blogspot.com/2009/05/software-engineering-licenses.html

In short, software engineers for safety-critical systems should be licensed and certified in the same way that practitioners of other engineering disciplines are. Far from harming those other industries, regulations, licenses, and certifications have had a real business benefit to them.