Free Software at Risk Under Lemon law 393
mpawlo writes: "Newsforge published a piece I wrote on a lemon law for software. That is - what would happen if shrinkwrap limitation of liability clauses would be banned? I think Microsoft and the GNU Project would both suffer."
Really? (Score:5, Insightful)
"We all know that the open and distributed model for development described in Eric S. Raymond's book "The Cathedral and the Bazaar" is much better and creates more reliable products than any closed non-distributed development model. "
I'm wondering if the author can substantiate this claim with facts.
This is the primary problem with Open Source advocacy, it relies a lot upon blind faith.
How does GNU suffer ? (Score:4, Insightful)
GPL software liability would be born by the distributors, and not by the authors (as the article claims). Distributors of software merely need to be reasonably accurate as to the capabilities of their software. Authors of software have no real issues.
Microsoft has a lot of its retail sales go through OEM manufacturers. Those OEMs would bear a heavy liability. So you can predict that the OEMs would rapidly reconfigure Windows to turn off all the nasties like ActiveX, auto-execution of attachments, automatic installation of servers like IIS, macro executable capabilities in Office, etc. Essentially, they would make Windows secure by default.
But I think reasonable liability for software sellers is a good thing.
Re:Really? (Score:3, Insightful)
I think that facts can be referenced by security incidents, patches, and accessibility on complete products. One of the problems with open-source systems: a lot don't go 1.0. If the program works great, but never goes 1.0 release then no one can critique its bugs because it is still in development.
To be fair to closed-source projects, you cannot group Microsoft Windows into the same catagory with something like Unicos. Both are closed-source, but Unicos is particularly designed for a specific platform on specific hardware, where Windows is designed to run on a handful of platforms (NT on MIPS, PPC, etc, and "regular" Windows on x86->P4) and on just about any hardware thrown at it. Windows would be more stable (forget security for a sec) if people would keep it running on hardware designed for Windows with proper drivers sanctioned by Microsoft.
As for open-source there are many pieces of software that just plain suck! We all need to be honest!
Not a lot of sense here... (Score:5, Insightful)
The legislation would skyrocket production costs for Microsoft if the company were forced to release foolproof products.
Why would this happen? Car manufacturers used the same "skyrocket production costs" argument with the lemon law with cars. But it just doesn't mean that everything needs to be perfect. Instead it just ensures some basic quality control such as practiced in Japan [loyola.edu].
As for free software, it would just mean that some of the legal entities that support a packaged product (i.e., Red Hat) would be held to the same standards. IANAL, but if the FSF says 'this isn't a complete product' they can't be held liable any more than a tire company could be for some idiot putting the wrong tire on their car.
Re:How does GNU suffer ? (Score:2, Insightful)
Yep. IANAL, but liability attorneys aren't likely to sue Open Source authors because A) there was no money actually paid to them by customers, and B) Open Source authors aren't likely to have as much in the way of financial resources as the software publishers. When you sue in a liability case, you go for the deep pockets.
The difference... (Score:5, Insightful)
Meanwhile, their EULA practically says that you're better off playing Russian Roulette with five bullets and only one empty chamber, than to trust their software in a mission/enterprise-critical environment. We can't get access to their source code to check it for bugs ourselves, which would shift liability to us if we could do so, did, and then okayed it for use-- we just have to take them at their word, and hope that the server farm doesn't melt down and bankrupt our company.
Free software, on the other hand, is just 'out there'-- it's like finding a still-wrapped condom on the street. Sure, you can pick it up and use it, but if bad things happen, well, how is that anyone's fault but your own?
Liability-eliminating EULAs are an affront to any kind of truth-in-advertising regulations. A software company should definitely be able to be held financially liable for losses caused by failings in its products-- not to a degree that would instantly put them out of business, but a fair amount. Say, equal to their annual marketing/advertising budget?
Let's look at it with the car company analogy. Suppose Ford's commercials said that the airbags in their cars would save you and your family's lives? Okay, now suppose someone dear to you was killed in a head-on collision while driving a Ford. How would you feel if, when you tried to sue, Ford said, "But wait, your loved one agreed to the EULA by deploying the airbag... let me read you this paragraph from it that says, if the airbag does not work as we said it would, we aren't liable."
Limits? (Score:2, Insightful)
Re:How does GNU suffer ? (Score:3, Insightful)
I'm going to now go out and make a distributing company! Yes, now not only do I have to peer review EVERY line of code that goes into what I distribute, but I have to accept liability for it if it screws up! Yeah, I'm sure VC would be totally into that.
Re:How does GNU suffer ? (Score:3, Insightful)
I disagree with this. All it would take to put the fear of a lawsuit into all developers considering releasing code under GPL is one large organization who had a vested intersest in shutting down GPL code. [microsoft.com] I wonder if anyone like that exists.
Disingenuous on the part of the "community" (Score:2, Insightful)
If sensibly implemented, this would put the burden of responsibility on commercial distributors of open source software. If I download an open source product from some coder's website, there's no transaction, there's no contract, and no liability. However, if I pay $100 to RedHat to purchase the same software, that should be treated the same as if I paid Microsoft for the same, and they should bear the burden of responsibility.
I would even go so far as to say that such a law would be good for open source developers, if not the open source "community" which is full of many leeches. Many of the companies that sell open source software these days are playing the "something for nothing" model; they take open source software that someone else has written, put it in a box, and charge for it, without undertaking development themselves. (See, for example, the controversy over OpenOSX.com.)
This is, of course, a much better business model than conventional software development... they get all of the money for none of the work. These are the people who would be most hurt by product liability laws... and forcing people who profit from the open source community to be responsible for it as well doesn't seem like such a bad idea to me.
Re:Wouldn't Affect Free/Open Source Software (Score:2, Insightful)
I might be way off, but As far as I can tell, that clause allows me to ignore the GPL, as long as I don't want or need the permissions it gives me. And those are for distributing and modifying, not using. You got the right to use the software when it was given to you.
That's how I read it anyway.
Re:Really? (Score:2, Insightful)
No, you have it backwards. A well designed OS would not barf all over itself and dy because of a bad driver. The driver/device might fail, but the OS would chug right along.
As for open-source there are many pieces of software that just plain suck! We all need to be honest!
You are right, there are plenty of open-source software projects that suck. Of course, there are plenty of closed-source software projects that suck too. I don't see the relevance at all.
Re:Not a lot of sense here... (Score:2, Insightful)
Microsoft has 40 billion dollors to play with, are you telling me they can't used the money to debug thier software to without raising prices on thier software?
Re:market forces change not laws (Score:2, Insightful)
OK, now that there's a monopoly situation, it's not just the market in the driver's seat anymore, at least on the desktop. But it was still a relatively free market when consumers had the choice between feature-laden dreck and more tightly-focused products with better quality. So now they change their minds and want quality? The market allocates resources according to buyer's preferences, and generally does that efficiently. That doesn't mean that buyers always choose the technically best product.
Anyway, the real driving force in this initiative is the lawyers trying to get their mouthparts into a nice big pool of cash. And if they happen to destroy another industry in the process, well, it won't be the first time.
And there's not even the consolation that more regulation will hurt Microsoft. Higher barriers to entry tend to protect monpolies, not break them up. It's the little guys and the innovators who will be screwed. They don't have the deep pockets to pay the lobbyists to subvert the regulations. And if GPL'd software happens to become a victim of collateral damage, Congress and the legal profession won't give a shit, because there's no money in it for them anyway.
So it's not about us needing more laws, it's about which laws will most benefit the greed and lust for power of those who actually run this country. Parasites don't care about their host's freedom, only about how much blood they can extract. The underlying problem is that they're making the decisions in the first place, not us. Nothing will change until that changes.
Re:Interesting comment - not by me (Score:3, Insightful)
I don't even think that it will hurt Red Hat too badly. Normally (except in the case of injury or death), the vendor's liability for any product is limited to the purchase price. And Red Hat's business model is to make money off the consulting services, not particularly off the CD distributions. So they should be able to cover small claims on this front. And remember, even if a huge company installs it on 250 machines and sues, they probably only bought one copy, so the liability is still small.
Even better, the way lemon laws work gives the vendor an option: return the purchase price or fix the problem to a customer's satisfaction. If an Open Source vendor runs into a huge bug with hundreds or thousands of claims, they are also likely to have a small army of developers (which they don't have to pay) working on fixing it. And so, they can get the fix, and distribute the patch to settle the claims. Customers like that even more than getting their money back.
Lemon Law's got flaws (Score:2, Insightful)
It doesn't include "It's free, use it on your own risk, it's not final version"
In general it excludes licenses like commercial, GPL, FreeBSD, etc. as they are now, but it can't exclude open wide beta testing, prerelease promotion. So, with adding to GPL restrictions clause like that, that would define software as such, would be possible to avoid lemon law restrictions.
Software in development never matures to it's final stage. Yes, I know people like 1.0, 2.0 etc. But where is the final stage? Simply defining always "Development in progress, but this is what it's done so far", would avoid that kind of law. On the other hand people have no signed contract or receipt to show that as evidence at the court.
I know that in case such law would be passed, I would just make a clause on my web page. "ENTER" if you.... "LEAVE" if you.... Works for XXX pages.
Putting on web page something likethat is easy. Here is an example
"Enter if you're interested in this software, but by entering you agree that this software hasn't matured to it's final stage (at least out of legal points, which don't allow free software to be passed on in different way, then being treated as work in progress), you also agree that software has provided you with license which defines how this software should be treated regarding distribution, usage etc. just the same as this software would reach it's final stage.
Considering legal points passed by "lemon law", this clause and describing maturity state of this software, it's unfortunate necessity for this software being able to be passed on freely."
Of course, I'm from Europe and I'm not concerned with stupidity like that.
Hope somebody is not offended with my bad English...
Re:Disclaimers OK if you publish the source (Score:5, Insightful)
I think publishing the source should allow the disclaimers to be in force. MS does publish the source to some customers, and GNU to everybody. With the source you can (in principle) verify the functionality and absence of backdoors, and you can (in real life) fix problems yourself instead of having to wait for a Service Pack or other official upgrade.
This is pretty much the key. All that is needed to get OSS off the hook is the line in the documentation "This product does exactly the source code says it does. All other documentation is purely opinion."
Re:Microsoft and the Lemon Law (Score:1, Insightful)
You were saying Windows is stable?
Re:Really? (Score:3, Insightful)
This is one of the biggest problems with OSS: Poor evaluation of software quality.
Geeks don't generally use photoshop, artists (the types who don't frequent
liability laws (Score:1, Insightful)
if someone smashes my window and steals my stereo was it a bug in my house?
liability laws are impossible to correctly define/enforce since security requirements are constantly changing and vague.
you can't blame someone for not protecting against an enemy (i.e. new crack) that previously never existed and therefore wasn't even known about, which seems to be exactly what people want in their extreme arrogance over this issue.
Liability is a complex creature (Score:3, Insightful)
Most cases aren't as clear-cut. Continuing on the car industry example, can you hold a vendor liable if you're not wearing seatbelts, and suffer serious injury as a result? Probably not. Can you sue if you are injured in a parking accident by the airbag? Probably not. Now, why were you injured in the first place by said airbag? Because they are inflating with the power required to restrain a person not wearing seatbelts. Anything wrong with this picture? You bet. The consumer has a responsibility of his own, in this case: wearing the seat belt.
Liability is eventually determined by a judge and a jury, and in corner cases it's just a lottery, which is why car manufacturers err on the side of safety -- theirs, not the safety of the customers who are wearing seat belts.
The same thing is looming on the horizon when a software lemon law gets introduced. Vendors will still go to great lengths to skirt their responsibility, and even if that works to "improve" the product, chances are the consumer will be hurt in the end.
For a preview of things to come, look at Microsoft's security fix to Outlook. It is available, so like seat belts, common sense holds that if you don't apply it, you willfully accept the consequences. But unlike seat belts (which are at worst an inconvenience), applying this patch will cripple Outlook beyond being usable.
You can't win this one. Frankly, I'd settle for a law that demands truth in advertizing w.r.t software products.
Re:He's right... Here is a different solution. (Score:3, Insightful)
Create laws that arm consumers with security information. Perhaps a grading scheme where software that doesn't connect to the internet is given a A rating. If it is a client then it gets a B rating. If it is a server it starts at C then for every three exploits within the last year the rating increments by one.
I think this sounds pretty nice, but it has problems. For instance, clients are not necessarily more secure than servers, a well-written anonymous ftp server could theoretically be infinitely more secure than a poorly-written web browser which downloads and executes code without express permission.
Also, most linux distributions would minimally start at a "C" rating under this scheme, while windows 98 would begin at "B" (without enabling "file/printer sharing"). Which do you consider to be more secure on the average? Do the ratings reflect that?
These problems are indicative of a greater flaw in this scheme, software doesn't have to rigidly conform to _any_ model, be it client/server, P2P, etc. Laws take a long time to be changed, software can be changed in weeks (witness Microsoft's court history.. pretty soon they might be stopped from producing Windows 95 ;) - if we draft laws or even form committees which define certain software paradigms as insecure, software will simply change paradigms to achieve a higher rating until the ratings-board is able to change criteria to match.
Alternatively, we could have panels of elected security-analysts pore-over every piece of software that is voluntarily-submitted for a rating (in source form), at a cost to the software producer (based on some criterion I don't know), and they could arbitrarily grant ratings based on their findings.
I don't know that this is the best solution, but it sounds more practical, it's similar to other analogous (movie ratings, supreme court, etc.) systems for ideal-compliance which are already in place and doing a reasonable (not perfect) job.
Thoughts?
Re:Really? (Score:2, Insightful)
If Microsoft was annoucing that for $200 you could buy the latest version of WindowsXP, I think do not think many people would bite. With commercial companies, they want there product to function right out of the box. Over the years, I have not had many chances to install Windows, but when I have it worked great. It's only ever I start playing around and "tweaking" things does the system start going a little haywire. And granted, like you said, not all the bugs can be caught. (Even user created ones.
But, with freely available source code, you better know what you are getting into when you download the source. I am not going to discredit the developers because I am sure many of them try their best to have the software work as well as it can. They have there own QA procedures and debug methods which might not qualify them for Six Sigma but it shakes out some bugs. Those downloading the beta stuff know it might still be buggy and are usually sympathic to the developers and will report bugs if they run into them.
Mozilla is are great example of such a product. Using Bugzilla, users can post bugs and errors they find in the course of running the software. I admit this isn't for the weak of heart or the computer illiterate, but then again, how many computer illiterate people are going to want to install Linux and download Mozilla - or any other free software for that matter - for their system. Unless they have an interest in learning about Linux and becoming computer literate, I say very few.
I should have originally stated that public beta testing or "screwing the user" is one of the ways to shake bugs out of the code. I am sure developers do their fair share and they look towards interested users who are willing to help. Especially if you can't afford a QA department, in the free software world, public beta testing isn't such a bad deal. Not ideal mind you, but not too shabby either.
(And I should add, you will have those developers who are like "Listen. This works on my machine. If it doesn't work on yours, fix it. I'm too busy to deal with you." And in that case, there public beta testing is really "screwing the user".)
Re:Really? (Score:3, Insightful)
The MySQL and PostgreSQL people arent stupid, when Borland open-sourced Interbase they were like "Oh my GOD! These megacorporate development teams totally outclass us." Even Postgres can't even now come anywhere near Interbase despite the fact they've got all that code to copy-and-paste from. Heck Postgres only a short time ago fixed their field size limitation.
What we need to do now is work out how succesful open source projects e.g. Samba, Apache get through difficult times, e.g. meticulous bug-hunting OpenBSD-style, massive code rewrites. Then we can stick this message onto the front of Sourceforge.
"Market Based" Solution? (Score:2, Insightful)
I'm very wary of trying to use traditional liability law in the software industry. I fear that, if software liability is implemented (and it WILL be implemented) in a traditional manner, the ultimate casualty will be openness, not pocketbooks.
Use of traditional liability law would almost certainly make development of truly open and free software impossible. Even if the producers of free software are allowed a large amount of protection from litigation, very few will use it precisely because they will have no recourse should they be affected by a defect in such software.
As far as the broader software industry in general is concerned, it would shut tight as a trap. Many people have put in alot of hard work to get software companies to be more forthcoming with regards to defects, especially as they relate to security. This hard work has paid off quite well. It has made our lives much easier. Do we want to return to the days when it was next to impossible to get patches, let alone information on what the problem actually is? If sofware companies are made liable for defects in a traditional manner, only a select few will have access to bug announcements, and then they will only have access under a NDA. Life will become extremely difficult for those of us responsible for making sure machines are running and secure. Any public acknowledgement of a bug could then be possible grounds for a lawsuit, which is just a bad place to be. Any information we would get would normally be a result of a law suit, and probably too late to be of any real use. I value the amount of information I have access to. It has saved me countless hours, and I don't want to see that go away.
We need to find some way to induce some sort of liability for non-criminally negligent defects without sacrificing openness. Will this work? I think it has a chance to.
Full waranties are quite reasonable (Score:4, Insightful)
First, warranties only are meaningful in the context of a commercial transaction. There's no reason to expect a warranty on a free good. So this is not a problem for free software.
Second, warranties aren't that expensive to manufacturers. Under 5% of the cost of a car is in the warranty. More to the point, in the gambling industry, where full financial responsibilty for errors and downtime is the norm, GTech, which runs lottery systems, pays out about 0.3% of revenue in penalties.
Compensatory damages and blame management are real issues. But this comes up in other areas, and the suppliers work it out between themselves, as in the Ford vs. Firestone tire failure issue. In computing, we should expect full warranties on the OS from manufacturers who preload an OS. Let Dell and Microsoft argue between themselves who's responsible.
Finally, manufacturers who don't offer a full warranty should have to put a giant "AS-IS" on the box, like those signs that appear on used cars.
Re:Microsoft and the Lemon Law (Score:3, Insightful)
I'm a big Linux advocate. I run an OpenBSD box. The primary reason I have a windows machine at all is because the support still isn't there for gaming and video editing. Yes, there are decent video editing tools for Linux. They're not as good as the Windows equivalents, or they're multimillion dollar software used to edit movies like the Matrix.
I'm just not a zealot. I recognize where the problems lie, and I recognize when there's a use/market for a particular product. Windows has it's place, and it's current incarnations, it's quite stable. When Linux gets support from software makers, it will have a place on the desktop. Until then, it simply can't give the end users what they want.
Re:Responsibility (Score:2, Insightful)
There has to be a middle ground somewhere that makes it possible for manufacturers to produce software at a reasonable cost but also ensure the consumer the software has undergone reasonable testing to eliminate as many bugs as possible.
Re:Really? (Score:2, Insightful)
Lemon Law and Free Softwares (Score:3, Insightful)
I don't know how that Lemon Law was written, and as a NON-lawyer, I just has this to say
Think of Free Softwares as Lemons you picked from a Lemon Orchard.
Thank of Commercially Shrinkwrapped Softwares as the one you purchase from supermarket.
Both the Free Softwares (aka Lemons you picked from Lemon Orchard) and Commercially Shrinkwrapped Softwares (aka Lemons you bought from supermarket) _WERE_ owned by somebody BEFORE it got into your hand.
If you ate the Lemons you picked (FREE) from a Lemon Orchard, and you got sick from it, how much right you have on SUING the Lemon Orchard owner ?
On the other hand, if you purchased a lemon from a Supermarket, ate that thing and you got sick, I am sure you have causes to sue the supermarket owner.
Applying the above principle, I don't think those who wrote Free Softwares (other than those who had BAD INTENTIONS) can be successfully sued - for the users of FREE Sofwares didn't pay ANYTHING to the authors.
On the other hand, the producers of Commercial shrikwrapped Softwares might be liable for whatever harm that comes from the softwares - for the authors of the commercial softwares got PAID by the users, either directly, or indirectly.
And let me re-iterate this - I am NOT a lawyer. Do not take what I say as fact, please !
lemon law (Score:3, Insightful)
This bill cannot kill open source *development*. It may, however, make the selling of open source software much more difficult. If this bill passes, companies like RedHat would now be liable for bugs in Linux. Of course, RedHat can (and does) take a snapshot of Linux and make lots of modifications and tweaks before making a release, but there's no way they're going to catch all of the bugs. They're best bet would be to get heavily involved in the system of releases of open source software. This will be very tricky, though, as developers will not be happy to see a company have such control...
Jason