Licensing programmers: a resurgent issue
by Andy Oram
Every couple years somebody comes up with the idea, "Hey! let's
license software engineers!" Committees are formed, standards drawn
up, and papers smoothed out by waiting bureaucrats--and then
everything falls apart and the software profession returns to the
status quo, because everybody realizes the plan just isn't feasible.
I've been following this cycle for years, and even parodied it in the
of my story
Code the Obscure.
But the most recent wave of calls for licensing are getting
serious. The drive this time comes from the national security
kick. Computer systems are vulnerable because of bugs, and bugs are
human failings caused by programmers, so--the reasoning is hard to
fight--let's ensure we have good programmers through licensing.
Licensing for software engineers is no longer an arcane topic to be
considered by the existing and aspiring members of a single field.
Once you license programmers and other computer professionals, you
open the door to making their employers liable for their work.
And the converse is also true: when you demand that government "should
pass a law...Make companies liable for insecurities" as leading
security expert Bruce Schneier does in his most recent
Crypto-Gram Newsletter of October 15,
you inevitably force those companies to set standards for their
employees. And the whole set of questions ties directly into our
national security debate.
No wonder calls for licensing and liability have been
getting louder. The only political arguments that seemed
to be aired against the trend represent the free-market
attitude, "Government shouldn't get involved in business
matters," which is no argument at all so far as I'm
The unanimity of experts on this topic has made me reluctant to share
my own point of view; I did not even circulate my recent article
The National Strategy to Secure Cyberspace: a Sober Cyberassessment
very widely. But I have felt pushed to speak out since reading the
November 2002 issue of the Communications of the ACM,
published by the
Association for Computing Machinery,
one of the oldest and most important organizations in computing.
This issue of their journal take up the topic of licensing (by no
means for the first time) and offers a number of perspectives. And
once again, the ACM and its guest authors come down overwhelming
against licensing. Only one article, by the renowned David Parnas,
offered firm support. The other points of view expressed ranged from a
wavering "Well, they've started licensing software engineers in Texas
and it hasn't hurt anybody yet" to an extreme suggested by the title
"Software engineering considered harmful." While I think the title of
that article is misleading, the author does essentially convey the
idea that the term "software engineering" is an oxymoron.
(I should point out that licensing is different from
certification. Licensing is backed by government requirements and
forms a legal requirement to practicing one's profession.
Certification is much less intrusive, being just a statement by some
organization that you have mastered certain material, such as Windows
The software profession's repeated refusals to countenance licensing
are impressive, because pragmatic circumstances pressure the leaders
of every profession toward licensing.
By licensing you reassure your customers of your competence. To take a
more cynical point of view, licensing creates a barrier to entry that
restricts the number of practitioners in a field and consequently
raises the salaries of those who cross the barrier. And one mustn't
leave out the attractiveness of the mystification factor! ("We can't
challenge what she tells us; she's a licensed software engineer.")
Admittedly, as one article in the ACM journal points out, there are
also disincentives to licensing. Licensing gives customers and others
a hook on which to hang lawsuits and the types of regulation called
for by Schneier and others. But these pressures exist anyway;
licensing could equally function as a way to stave them off.
The continuing evolution of the software field, which makes licensing
untenable, also dooms attempts to make companies liable for software
flaws. The problems faced are stated in my earlier-cited
But unfortunately, the state of the fifty-year-old software field is
nowhere near mature enough that we can justly hold programmers
responsible for bugs. While we have made progress in many areas--for
instance, we have programming languages that rule out the dreaded
buffer overflows responsible for most security flaws--we are always
running behind. This is because new programming techniques keep being
invented (for instance, popular languages like ASP and PHP for
building dynamic Web pages) and we cannot anticipate their security
Liability for software bugs would fall particularly hard on
the field of free and open source software, which ironically provides
the most robust and secure products.
The proposal for certifying security professionals may also be
misguided. Certain basic habits of good security can be delineated,
but I don't know how well they can be formally taught or tested. The
particular vulnerabilities and attacks change so frequently that no
certification can ensure public preparedness.
My article does not rule out ratings by insurance companies
to enforce best practices, or holding companies liable
for egregious, deliberate negligence.
The particular issue of free software has also come up in
the licensing debate around
I highly respect the people who yearn for liability, but I
challenge them to come up with a concrete proposal for such a law that
would actually work and be fair. All I've seen so
far are vague demands and a lot of righteous indignation. I think the
debate should continue, because I'd like to find a solution--we just
have to look realistically at the state of software and think ahead to
the consequences of legal action.
Would licensing or liability be helpful?
No need for laws.
The solution to this problem is really quite simple. Expect better code from your employees, provide them with the tools needed to produce good code, and replace employees who can't (or won't) live up to the standard.
No need for laws.
Anyone here find a bug in their cars?
Don't confuse licensing with liability!
Andy -- While I agree completely that software licensing is a bad idea, I'm troubled by the way your article seems almost to equate licensing with liability. They're two completely separate issues with, I think, only the most tenuous of connections. I think, for example, that certain forms of liability are appropriate for commercial software vendors -- particularly, liability for failure to deliver the advertised/marketed functionality. (If properly written, these would actually *encourage* free software, which would simply be made available rather than marketed with implied promises/warranties.) And there are kinds of voluntary licensing that I would see as too harmless to bother opposing (although you might say that these are really certification, not licensing). -- Nathaniel
It depends on your objective
I don't see that licensing leads to liability for bugs any more than doctors are liable for patients who die of incurable diseases. In any field of endeavor there are recognized limits as to what can be done. Licensing would lead to liability for negligence but that liability possibly already exists.