Sue the b***ards!

by Curtis Poe

Twice now I've been hit by cars. The first time it was no big deal. My vehicle wasn't damaged and neither was I. The second time, a guy wasn't paying attention and ran a stop sign and totalled the car I just bought. Both times I knew people who urged me to sue. I thought that was pretty ridiculous. For the second incident, I called the guy's insurance company and asked that they pay replacement value for my car, my hospital bills, and time lost from work. They paid in full and even gave me a $5,000 "bonus" for not suing, even though I didn't ask for that.

I received no money for the first and a fair amount of money for the second. What's the difference? In the first case, though there was negligence (the lady who hit me was driving on a learner's permit and slammed on the brakes in the rain), there was no damage. In the second case, there was negligence and considerable damage. It was only reasonable that the guy pay up. Once I even had a hospital bill wiped out because a doctor stitched up my lip but forgot to remove some splinters that were still in it. The doctor was negligent and the hospital assumed responsibility.

So what's wrong with software manufacturers? Why the heck can't we sue them when they do something wrong? When your business suffers millions of dollars of losses because some software malfunctions, why can't we hold software companies liable? According to one survey, bad software annually costs companies $59.5 billion in losses (and that's only in the US economy!). At least half of those losses are borne by end users. I think it's time that malpractice be extended to software producers, but doing it wrong will make things much, much worse. It could also destroy the open-source movement.


2006-09-26 14:07:23
software isn't like medical treatment nor driving a car. it's like building a home. when you have a home built, you don't sue the builder if the paint chips or appliances break. you make them come and fix it for free. similar holds when you buy a new car. there's a certain timeframe in which you get free support for problems and you can always purchase an extension.
if you purchased software without first finding whether it would function as expected, seems it's your fault. would you buy a house without an inspection? a car sight unseen? even for medical treatment you should get a second and third opinion.
as for opensource, you aren't obligated to use the software. if it doesn't work for you, don't use it!
malpractice for software is simply ridiculous!
if you don't like the privacy statement for a particular company, don't do business with them. if they violate their privacy agreement, sue them for that.
jesus, i could go on and on but suing software developers definitely isn't the answer.
2006-09-26 14:56:19
Just what we need.... more civil litigation. So someone figures there are $59 billion in losses annually due to defective software. How much do you think our society's attitude towards litigation costs us? Let's see with a back of the napkin estimate. 950,000 lawyers in this country. Figure an average salary of $100,000. That is a $95 billion charge to pay the lawyers in our litigious society (and it's probably a pretty low estimate). I don't have any estimates for actual damages awarded by civil courts, but I can guess. My guess is that it dwarfs the lawyer's charge by a good margin.

And you really want to extend this dubious protection to another industry? And you think this will make life better? When people decide that the only recourse to address their grievances is to take them to court, society loses.

I too could go on and on, but I'm going to stop now.

2006-09-26 20:24:48
People love to jump on the "litigation just costs us money" bandwagon, but the reality is that some things need to be stopped, and sometimes only civil litigation can stop them.

If an operation crippled you for life, would you refuse to sue the doctor because litigation offers dubious protection? Would you drive over a bridge that you didn't have an expectation of it being built with "best practices?" There are lots of things we have to assume in this world, and only the threat of lawsuit is there to keep people in line. If you have a better solution that takes human nature into account, please enlighten us.

Software will be subject to litigation someday. In fact, I would be surprised if someone hadn't sued on the basis of poorly-written software already. The question is, when the laws get written, how is everything going to work? How can we punish a company for willfully including security breaches, while protecting the well-meaning, yet still requiring all code (open or closed) to adhere to a reasonable expectation of usefulness?

If it doesn't happen here, it will happen in some other country you'll do business with. Or a state will enact a law. Talking about it now helps us do it right. Pseudo-libertarian ranting won't.

Summary Department
2006-09-27 03:38:46
Ovid Smash!
2006-09-27 06:41:01
> It could also destroy the open-source movement.

If you get rid of waivers (which is basically what happens today with licenses), then software gets much more expensive and open source is DEAD.

2006-09-27 10:38:36
No one makes anyone use phpBB. It's a willful action, and completely unlike being in a car accident.

You can't legislate software standards until there are software standards. Having those, though, would have a chilling effect on commerce. People already can't find enough programmers, and once you require them to be licensed and tested (just like the doctors, lawyers, contractors, and others subject to "standard practices"), the labor supply will be even more critical.

If your company uses software, test it first. Ensure it does what you want and doesn't do stuff you don't want. If it doesn't meet your needs, don't use it. This is akin to buying a house. No one forces you to buy it, but you have it inspected.

Intentionally and maliciously causing harm, however, needs no further legislation and is sufficiently covered by law. However, I tend to think people highly overestimate the amount of harm done to them.

2006-09-27 14:57:54
Perhaps we need a two tier system. The first tier requires nothing of the developer and is for open source and other such projects. With this software you have no right to sue.

The second tier requires that the developer have a specified education and a license (like a doctor). This tier is for "mission critical" software and you can sue if it fails.

Obviously, the software from the second tier would be more expensive (probably a lot more expensive!) and the developers would need to carry insurance. On the other hand, the developers would be paid like doctors in this case.

I used to run a software development company that promised zero detected defects for one year after installation. No one cared and no customer ever mentioned it so I don't think people care much about software bugs.

Aristotle Pagaltzis
2006-09-27 21:03:22
Have you read The Crooked Timber of Software Development? It argues that software development is merely an occupation, not a profession, pretty much on the basis of the arguments you make, and goes on to suggest a few practical ideas for how we might start changing the situation.

I’d go so far as to call it required reading for every self-respecting software developer.

2006-10-08 10:44:31
We're only in this situation because software development in the free market works, and works well. The lack of a lawsuit mentality makes many products that serve many purposes. Beating providers who provide something gratis will shut down a lot more than the open software movement.

Believe me, I'm all for accountability. When the contracts department where I work sets up a software vendor, they establish the standards the vendor operates under. The vendor performs to those standards, or faces the consequences. That's because my employer carries enough weight with respect to most software providers' size to declare and enforce terms. The real issue is when the software vendor is too big and unresponsive, and the ultimate customer/user is suffering. How can a lawsuit deal with the complexities, the "should have's" in providing good software? Any legal issues would have to be explored through class action suits. That'll be a mess.

Eventually, the market can sort this out. Better software should have better reviews, and get better acceptance in the marketplace. phpBB is a good example. When a better product with a better track record comes along, the technical market is savvy enough to adopt it. If the non-technical market were to learn why they need to adopt the new alternative, they'd have motivation to adopt it as well.

If you want to take an analogy from history, look at the early 20th century, before class action lawsuits forced manufacturers to provide safer products. A lot of people got hurt. Lawsuits and anti-trust legislation changed this, but at that juncture in history, a knowledgeable organization with a moderate amount of funding could have shifted the entire manufacturing industry to safer products without such pain, and without the fallout of the entitlement mentality that is crushing our civilization. Tens of thousands of lives could have been saved. Lawsuits are only one tool to enforce good practices, and not the most effective at that, IMO.

When the guy who invented train air brakes tried to sell them to J. P. Morgan, if he would have emphasized Morgan's practical benefits of it (save money) instead of his own practical benefit (save lives), thousands of more lives would have been saved in the interim before the railroads all adopted air brakes due to government finally getting around to doing something about it. Maybe Morgan was inhuman, but if the air brake guy could have remembered that the residual benefit in his opinion (save money) was a primary benefit to Morgan, then his primary benefit would have been gained much earlier. Decades earlier. Everybody would have benefited. If you have to wait for everybody to do the right thing for the right reason, you're going to wait a long time indeed. I'll settle for the right thing getting done for a variety of reasons any day, especially when lives hang in the balance, and there are no ethical tradeoffs to be made. (The Morgans of the world can look after their own souls.)

If a steering organization has a goal, they can accomplish real results without having to resort to a largely ineffectual tool with a crummy track record. It's nearly impossible to track some of these defects back to the source, nearly impossible to create standards of appropriate conduct when the actual coder can do pretty much whatever they want. I've never heard of a 3:1 safety margin in coding, like I've worked with in mechanical engineering. However, I can tell you that product X is better than product Y, and if both are free products, can find ways of rewarding the provider of product X for the better product. When Product Z comes out, if it's better than X, support for X can be discontinued promptly. In addition, migration tools can be published to speed adoption of the new product, so non-technical people can reap the benefits sooner. Meanwhile, it'll take decades for the legal types to determine the type of "tubes" the Internet comprises. It's a much more effective toolset, because it lets you apply changing standards (evolving higher, of course) to products using the industry's own knowledge.

If it is a professional organization, it can make membership voluntary, but provide some assurance that members have a minimum level of qualifications in their field. Look at the standards the SAE (Society of Automotive Engineers) provides. Not just professional certifications, but standards, regulations, and methodology that actually suits the environment. A lot better toolset to drive software development to a higher level, without the wallowing in BS and attempted nailage of jello to trees that trying to codify a standard of conduct will create for the benefit of the legal profession.

I for one, would love to see data quality and security enhanced very early on. After all, it only takes an SSN (a numberspace not even owned by the credit agencies), a date of birth, and a business account to pull people's financial records and history. What the f4 kind of authentication is that? If that's the best practice, why bother encrypting the data after it's in your hands? It's already junk, because it was treated like that at the earliest part of the chain of custody. The fact that people's lives and well being hang in the balance certainly hasn't caused the owners of this data to enhance their security, and if you look at it realistically, there's no motivation for being forced to do so, due to the nature and composition of our governing bodies. Nobody's generated a class action lawsuit for this yet, and it's a prime candidate. Why hasn't this happened already?

(political leanings aside, look at the occupations of our government in the US -- they nearly all have an interest in not changing this status quo -- this won't change in anybody's lifetime.)

Finally, sadly, the example of the auto accident fails in a very significant manner. The goals of a lawsuit are to punish the offender and redress a wrong with the ultimate goal of preventing future occurrences. The wrong was redressed (inadequately -- you're *never* going to be the same after surgery), but the liability insurance the accident instigator had (required by law in all states) shielded him/her from the consequences of their own actions and made the commission of the accident a de facto business decision. It turned it from a "do not do this" situation into a calculated risk, and an unsafe driver was not kept off the streets. They may have had higher insurance rates, but they remain in a position to re-commit their act of negligence if it is in their economic interest. That's not a desirable result, but that's a lawsuit against an insurance company for you.

I realize the link to this article was concatenated with the goal of functionality, but the name "sue the bards" actually states the real effect of a lawsuit mentality. Sue all the bards, and you'll stop them from performing their best.