Can software vendors be held accountable for insecure or buggy software?


Based on the Talkbacks to a recent news story about a "highly critical" security flaw in RealNetworks' RealPlayer media player software, the age-old question of whether software vendors can be held accountable for insecure or buggy software is once again rearing its two heads. I say two because the answer is both yes and no.

On the bad news front, if you want my take on this, the answer, legally speaking, is no. As I wrote in a nearly four-year-old story about whether Microsoft is liable for the security flaws in its software and for any resulting damages, software vendors cannot be held accountable. Including the precedent-setting TJ Hooper tugboat case (yes, tugboats have something in common with software, sort of), there's a four-point legal negligence and liability acid test that software vendors may not come close to satisfying.

On the good news front, any vendor can be held accountable by the wallets in our pockets. The problem is that most people and businesses are too chicken to cross that road. This is evidenced by the way certain products with a long-term track record of untrustworthiness continue to get widespread usage. Ironically (well, maybe not, since it's a life or death issue), car and tire manufacturers (i.e., Ford and Firestone) aren't traditionally as lucky when their products develop a certain notoriety for failure. Apparently, money doesn't run a close enough second place to life or death.


Talkback

8 comments
  • If that was true...

    Bill Gates would be begging for change outside a Longhorn restaurant instead of making it an OS.

    And Ballmer would be a Broadway dancer.
    Xunil_Sierutuf
  • They damn well need to be...

    The whole industry needs to mature. I can tell you one thing: I (and everyone I speak to) am pretty darn tired of battling our computers. It was supposed to make things easier, not more difficult.
    ordaj@...
    • Make things easier... plus...

      I seem to recall that one promise was to make us more productive over a given period of time. The golden egg -- at least I thought -- was that greater productivity over a given period of time might lead to a greater quality of life because we could reclaim more of it (iow, get more done in fewer hours, thereby reclaiming some of those overtime hours). Boy, how wrong I was. Hey, you just work one more hour per day and you can get the work of three people done instead of two. And don't you dare turn off that BlackBerry during your kid's little league game.
      dberlind
      • Yes. And...

        ...the PC has become one giant black hole of effort. Endless babysitting. It's worse than a kid. It whines, it nags, it cries constantly, and it craps all over itself. But it just won't grow up.

        And to top it off, you can't even be sure your information is secure.
        ordaj@...
  • Buggy, yes; insecure, no

    The only flaws software vendors should be held legally liable for are those involving actual bugs in the software. Such bugs do indeed prevent the software from operating as advertised, and fixing them should be the responsibility of the vendor (and fixes should be provided for free to all software purchasers).

    Weaknesses that require the intervention of a 3rd party (such as security holes) should not legally be the responsibility of the vendor. These flaws do not prevent the software from being used as advertised, and only result in a problem if an outside force acts. Once again I repeat my mantra: If there were no malware, security "holes" would be a non-issue.

    I hate using analogies, since most are poor (especially car analogies) when applied to the software industry, but to me this seems like holding tire manufacturers responsible for flats caused by nails in the road. Since we know that tires can be punctured by nails, and we know there are nails on the roads, should tire manufacturers be required to ensure that all tires are protected from nail punctures, even if the car driver chooses to drive over a bed of nails? If the tire vendor claims to have nail-proof tires and doesn't, that's the vendor's liability; in the absence of such a claim, the burden is on the consumer to be sure to purchase tires that are indeed nail-proof. Flats due to "blow-outs" are a different issue, and if caused by flaws in the tire material itself are of course the vendor's responsibility. Such flats are analogous to software "bugs".

    That's not to say, of course, that the vendors wouldn't be well served by addressing security problems anyway, even if it's not their "responsibility"; public relations is always a consideration. Microsoft could learn a lot from the OSS movement in this regard.

    The "vote with your wallet" admonishment is, as you say, where the consumer's true power lies. Another poster here mentioned that the industry needs to "mature"; that can also be said of consumers, as well. At some point, the consumer must be expected to use some intelligence and discretion when making purchases.

    Carl Rapson
    rapson
    • How's this for mature?...

      I know quite a few people that will *not* be buying any new PCs or related gear. They are tired and frustrated with it and can't see spending more money for something they can't seem to get on top of anyway.
      ordaj@...
  • hurts the little guy more than anyone else

    Legal accountability--meaning a developer could possibly be fined for defects in your software--would destroy the innovation from the little guys. Software like Netscape, ICQ, BitTorrent, even Linux would probably never have happened in a world where defects are punishable by law. The risk would be too great.

    Only the big players would be able to play in the game cause they can afford the risk.

    Let the market decide, and keep the barrier of entry for innovative software low. That is the one thing that is unique about software vs. almost any other product. Lawyers make enough money.
    linusconcepcion@...
  • bugs are inevitable

    No software is without bugs. If bugs are punishable, software vendors will need "bug insurance," which will skyrocket the price of the software. As opposed to a requirement of bug-free software, a requirement to follow a rigorous QA process can be much more realistic.
    rakshe