

To: thecow who wrote (27702) 6/15/2002 8:59:49 PM
From: SIer formerly known as Joe B.
 
Unsafe at Any Speed? Consumer Groups Target Software
Sat Jun 15, 7:37 AM ET
By Elinor Mills Abreu
story.news.yahoo.com

SAN FRANCISCO (Reuters) - Ralph Nader forced auto manufacturers to make safer cars in the 1960s. Now, consumer advocates and others say software vendors should be liable for their faulty products, just as producers of cars and toasters are.


At the crux of this radical proposal, on which potentially billions of dollars in lawsuits could one day rest, is the definition of software itself. Is it a product or a service?

If it were just a simple packaged product the case might be more open-and-shut. But software vendors have so far successfully persuaded courts that computer code is different from anything else because of its intangible nature and the way it interconnects with other software and systems.

"Software is like Jello; when you touch one part of the product, the other part wiggles," said Claude Stern, an attorney with Silicon Valley law firm Fenwick & West in Palo Alto, Calif.

Because it is written by programmers and easily modified, and is used in concert with other pieces of software and hardware, it is more like a service, Stern said.

"Toasters are relatively complete in and of themselves, as are tires. Software is not so simple," he added. "People are okay with the fact that software isn't perfect."

Others argue that such claims enable software makers to sacrifice quality for the sake of profits.

"Software is not free speech or free expression; it's a product," said Mark Rasch, a computer and Internet lawyer and former head of the U.S. Department of Justice's computer crime unit.

"Where we've been so far is 'Download or die' -- and you take your chances," Rasch said. "As long as software companies are not liable for the damage from their products they have no incentive to make the product more secure."

Attorneys on both sides of the debate say there won't be a rush to the courthouse any time soon and that consumer demand or laws may be necessary to break the legal logjam.

"Year 2000 (lawsuits) were a huge bust," said Stern. The much-feared Y2K bug -- expected to bite when year changes caused computer functions to break down -- never led to serious awards against the software industry.

"As a consequence, the plaintiffs bar backed off this. They got whacked."

GOVERNMENT REPORT URGES REFORM

But a recent U.S. government scientific advisory panel took a different view. The National Academy of Sciences issued a report in January urging lawmakers to consider adopting legislation to hold software vendors liable for security breaches.

"Vendors in general have very strong disclaimers saying -- 'If you use our product and something bad happens to you, tough,'" said Herb Lin, a senior scientist at the Computer Science and Telecommunications Board of the National Research Council, an arm of the academy. "So imposing liability would change that."

"Why is software, which is now essential for everyday living, not held to the same standard as cars and children's toys?" attorney David Banisar wrote in SecurityFocus.com. "It is time to slay this sacred cow, and start sharing the burden with those who are responsible."

Unhappy software buyers currently have recourse under existing product liability law, according to lawyers. However, software vendors successfully limit their liability by including disclaimers in the licenses that users must agree to when installing the software, they said.

Vendors have tried to cement those disclaimers into state law with the Uniform Computer Information Transactions Act, which protects software makers from liability for defects in their products. The effort seems to have stalled, though, with only Maryland and Virginia enacting it.

If software makers were held liable, the cost to consumers would rise dramatically, said Marc E. Brown, a partner at the Los Angeles law firm of McDermott, Will & Emery.

"To expect software, which is inherently complex, to be perfect is ridiculous," agreed Art Coviello, president and chief executive of RSA Security Inc. Holding software makers to product liability standards "would slow down the adoption rate of technology."

EUROPEAN COURTS ALREADY THERE

Case law in Europe has begun to see things differently, said Matthew Norris, manager at Hiscox Technology, a London-based insurance underwriting firm.

"It's a huge fallacy to say that software is not a product," Norris said. "In many states and many countries, software is considered a product."

A Dutch judge in September convicted Exact Holding of malpractice for selling buggy software, rejecting the argument that early versions of software are traditionally unstable. However, since the judge did not see gross negligence or intent, he upheld the disclaimer.

Researchers on both sides of the Atlantic say most reported security incidents are due to software defects that could easily be fixed.

Most commercial software has "tens of thousands of known defects," complains attorney Cem Kaner, author of "Testing Computer Software" and computer science professor at the Florida Institute of Technology.

Software makers should be forced to practice better software design instead of allowed to rush products out the door, Kaner and others said. "We demand that in every other field of engineering," said Stephen Cross, director of the Software Engineering Institute.

"Most software vendors have gotten away with convincing consumers, businesses and others that software is so hard (to develop) you just can't do it right, and that's a bunch of baloney," said Gary McGraw, chief technology officer at Cigital Inc. and author of "Building Secure Software."



To: thecow who wrote (27702) 6/16/2002 12:47:03 PM
From: Larry S.
 
Possible virus:
just received this email message:

ScanMail for Microsoft Exchange has taken action on the message, please
refer to the contents of this message for further details.

Sender = larry(xxx)@stny.rr.com
Recipient(s) = dturner@timesfreepress.com;
Subject = A IE 6.0 patch
Scanning Time = 06/16/2002 12:36:22
Engine/Pattern = 6.150-1001/299

Action on message:
The attachment border.bat matched file blocking settings. ScanMail has taken
the Deleted action.

Warning - This message has been sent to notify you that you sent the following file attachment that may be infected with a virus or was blocked because this type of file is not allowed to pass through our company E-mail system.

Date/Time: 06/16/2002 at 12:36 PM
From: larryxxx@stny.rr.com
To: dturner@timesfreepress.com;
Subject: A IE 6.0 patch
File/Action: border.bat/Deleted


I did not send this message to dturner.
I have no idea who dturner is.
I do not use Microsoft Exchange.

A while back (month or two) I did open an email that said
IE6 patch or something, but it was not from Microsoft.
I did not open any attachment.
I did not get any notice from NAV of an infected email.

Any suggestions? Do I have an infected computer? I am not noticing any problems.
I did a file search for border.bat, but did not find anything.

HELP appreciated. larry