Watch out, developers: Here come the lawyers

Developers who 'knowingly' ship buggy software may be held liable for damages. That might be good for users -- but a sloppy set of guidelines could hurt open source

Here's an odd couple: Microsoft and the Linux Foundation. These two organizations, normally on opposite sides of almost any issue, agree that a new set of guidelines making software vendors liable for knowingly shipping buggy software is badly off base. They claim that the guidelines are likely to lead to a flood of expensive lawsuits against both large commercial vendors and small-scale open source developers. What's more, critics say, the guidelines could impose expensive obligations to scour support forums and the like for notice of problems, a procedure that would be overly burdensome for small developers.

Yes, this is a warning that developers should follow the issue closely. But there's another side to the story: Don't software buyers, both consumers and enterprise, deserve to get what they've paid for: software that solves the problem it was written to address?


"There is a sense that disclosing defects is bad for marketing," says Fred von Lohmann, a senior attorney with the Electronic Frontier Foundation. Indeed, big software vendors have been arm-wrestling with buyers and consumer advocates over the issue of responsibility for buggy code since the 1990s, he says.

Changing the user agreements: No more free passes for buggy software
A centerpiece for the sometimes heated argument is the ubiquitous user license agreement. If you are one of the relatively few software buyers who has actually read one, you know that vendors typically disclaim responsibility for the quality of their software. And as the law is generally applied today, that means an aggrieved buyer can't sue. Would we allow, say, an auto manufacturer the same luxury of disclaiming responsibility?

Software developers may be held to the same standard as manufacturers under the new guidelines. A key passage -- Section 3.05 (b), if you want to look it up -- says that user agreements contain an implied warranty that purchased software "contains no material hidden defects of which the transferor [the seller] was aware at the time of the transfer." What's more, no matter what language the vendor places in the user agreement, the warranty still stands.

The guidelines are just that: guidelines. Written by the respected American Law Institute, an organization of law professors and a small number of judges, the guidelines are designed to help judges apply the law in intellectual property disputes. They are not binding, but because the ALI is highly regarded in the legal community, attorneys on both sides of the argument believe that they are likely to be influential.

Critics of the guidelines maintain that the wording in 3.05 (b) is problematic. What's "material"? What does "knowingly" mean? And what do they mean by "hidden"?

"One concern is that the language ALI adopted may invite class action [lawsuits]," says Mark Weinstein, an attorney specializing in intellectual property matters with the firm of White & Case. Weinstein, a former software developer, says that because drivers have to interact with such a wide variety of software and hardware, it could be difficult -- if not impossible -- for the developer or the vendor who ships it to be able to address all potential problems. (White & Case has represented Microsoft in Europe, but Weinstein was not involved in those cases.)

Cem Kaner, a professor of software engineering at Florida Institute of Technology and a leading proponent of the guidelines, said in an e-mail interview that "every company discovers some bugs in the field that they didn't know about when they released the product."

However, Kaner adds: "Now think about the bugs you [InfoWorld] have reported. At what point, after realizing the bug existed in the software, did the publisher of this software reveal that bug to the public, in a way that prospective customers could know about it? Of all the bugs your magazine has reported, how many did you learn about from the publishers and how many from customers or third parties?"

On the security front, firms such as Microsoft and Symantec certainly publicize security breaches and offer patches. Symantec, of course, is self-interested, publicizing security bugs to help promote its security software; the ubiquity of Microsoft's software and years of complaints by enterprise customers pushed the company to be more open than most about its security holes. But for other types of bugs, most companies are quiet about them outside of vague descriptions in "what's fixed" documentation when they ship an update. So, as someone who has covered the industry for some time, I'd have to agree with Kaner: We in the technology and business press generally hear about problems from customers, not vendors.

The troubled liability exception for open source
In a fumbled attempt to protect open source developers, who often work pro bono, the ALI guidelines exempt free software from the liability of bugs. As we all know, open source software may or may not be free -- and free software may or may not be open source. What defines open source isn't the price or lack of a price, but the freedom of the community to modify it under the terms of the GPL or other relevant license. And that raises a number of serious complications for open source vendors, which is why the Linux Foundation joined Microsoft in an unsuccessful attempt to convince ALI to rethink the guidelines.

Is an open source vendor that doesn't charge for its software, but does derive revenue from support and services, covered by the guidelines? It's not at all clear, and the commentary from ALI doesn't address the point at all, according to a letter to ALI signed by attorneys for Microsoft and the Linux Foundation.

And given the almost infinite number of changes by any number of coders that open source software is subjected to, who is legally responsible for defects? Interestingly, even the Electronic Frontier Foundation, an enthusiastic backer of the new guidelines, is concerned about the treatment of open source in the guidelines, says EFF's von Lohmann.

The guidelines apply directly to only the software, but von Lohmann says that judges considering service agreements for, say, cellular data service might apply similar reasoning. And given the heat surrounding AT&T's subpar performance providing 3G service to iPhone users, that's a very interesting idea.

As to the bottom line in this debate, I must confess that I'm still not sure how to balance the conflicting interests touched on by the guidelines. I'm not in the least concerned about Microsoft and other large commercial vendors who have inflicted buggy software on users for decades. But should the independent software vendors, particularly those in the open source community, suffer for the sins of the big guys? The one thing that is clear, though, is that open source and small, independent commercial software vendors had better be on top of this issue.

I welcome your comments, tips, and suggestions. Reach me at bill.snyder@sbcglobal.net.
