Friday, July 25, 2008


Liability for software failures?

Security maven Bruce Schneier suggests, in a column in The Guardian, that a solution to the problem of shoddy software that needs constant patching to fix bugs and security vulnerabilities is to hold vendors legally liable for software failures:

It doesn’t have to be this way. It is possible to write quality software. It is possible to sell software products that work properly, and don’t need to be constantly patched. The problem is that it’s expensive and time consuming. Software vendors won’t do it, of course, because the marketplace won’t reward it.

The key to fixing this is software liabilities. Computers are also the only mass-market consumer item where the vendors accept no liability for faults. The reason automobiles are so well designed is that manufacturers face liabilities if they screw up. A lack of software liability is effectively a vast government subsidy of the computer industry. It allows them to produce more products faster, with less concern about safety, security, and quality.

Mr Schneier particularly points out the problem with web browsers, the single most important type of application program for most users:

A recent study of Internet browsers worldwide discovered that over half — 52% — of Internet Explorer users weren’t using the current version of the software. For other browsers the numbers were better, but not much: 17% of Firefox users, 35% of Safari users, and 44% of Opera users were using an old version.

This is particularly important because browsers are an increasingly common vector for internet attacks, and old versions of browsers don’t have all their security patches up to date. They’re open to attack through vulnerabilities the vendors have already fixed.

Bruce is very often spot on in his analyses, but not this time.

I, too, have often lamented the poor quality of software. If our toasters turned out like our computer software, I often say, we wouldn’t tolerate the situation. Suppose that when you pushed down the lever on your toaster, the machine popped up perfect toast 95% of the time. And suppose that 3% of the time you got your toast burnt to a cinder, and 2% of the time the toaster never heated and never popped, and you had to unplug it, wait 10 seconds, and plug it back in before it would work. You’d never buy that brand again, of course, and if all brands did that you might never buy a toaster again.

And, worse, what if .003% of the time, the toaster burnt your house down? But, no, unlike software, toasters don’t have those sorts of problems.

So, yes, I agree that the quality of software is generally appalling, and I agree that it should be fixed. But, no, the marketplace won’t reward it. The fact still is that new features, not bug fixes, are what will sell the next version, and delaying the release of software until more bugs are fixed just allows the competitors to get in there first.

But the more basic issue is the business model we’ve settled into for a great deal of the software we use, including, notably, web browsers: it’s free.

Of the four browsers that Bruce mentions, Firefox and Opera are completely free, and Internet Explorer and Safari are arguably so, since they’re bundled with every system and freely downloadable, and they’re competing with free “products”. Where’s the financial incentive to spend a lot more money to build a higher-quality freebie? And mightn’t legal threats just lead to the abandonment of risky products that don’t bring in revenue?

Beyond that, who is it who would be held liable for, say, failures in Firefox? It’s an open-source project, with countless, random people contributing to it. It’s not entirely a willy-nilly thing, but it’s hardly tightly controlled. There’s no big corporation, no Microsoft or Apple equivalent, behind it.

It’s tough, in an environment where product is given out for free, to demand quality — the adage that “you get what you pay for” is in full effect. But demanding quality is the only way we have any hope to get it. There’s no way we can look to the legal system, at least not in general.

Now: Who’s willing to stop using web browsers until there’s one available that’s bug-free and guaranteed to have no security holes? Raise your hand.

[Barry looks around, his own hands in his pockets.]

Right, and how many of you are willing to pay, say, $200 per computer for a high-quality, bug-free web browser?

I didn’t think so.

1 comment:

scouter573 said...

It seems to me that by choosing free software for your example, you have defenestrated the youngling with the cleaning fluids.

I think the problem is that tying quality judgement to the purchase choice won't work because most people can't choose. They are given a PC (work) or talked into a PC that comes bundled with software. There's no choice. Note that you can't even really choose the version of software that you want even when you pay (choose XP over Vista - not possible).

Suppose that damages for faulty software were (1) proportional to the damage, and (2) proportional to the cost of the software. In this case, the consumer would have the choice of for-free and for-fee software. With actual revenue at risk, there would be a motive to produce a product that worked.

Right, and how many of you are willing to pay, say, $200 per computer for a high-quality, bug-free web browser?

Well, I did. When it came time to replace the aging, failing PC, I bought a Mac. I decided that I better put up with questionable products or start voting with my dollars. It doesn't make me a saint, but every journey must start with a single step. I have begun my journey.