These past few weeks have been rough on anyone responsible for managing computers -- whether a home network of a couple of PCs or an enterprise with thousands of machines. Given the damage done by the Blaster worm and the flood of junk e-mail generated by the SoBig.F virus -- even for those who avoided infection -- nearly everyone has been left looking for someone to blame. And, in the best American tradition, people are suggesting that businesses that incur costs because of defects in software should be able to recover damages from the publisher -- Microsoft (MSFT), in the cases of Blaster and SoBig.F.
Appealing as the prospect of hauling Bill Gates into court may be, legal vengeance isn't going to solve the problem of buggy, insecure software. For one thing, I have yet to see a problem for which more lawsuits is a good solution. Furthermore, the notion of using product-liability law as a route to better software is based on a misunderstanding of how the law works.
Contrary to widespread belief, software has no special standing under tort law, although it nearly did. A proposed law called the Uniform Computer Information Transactions Act (UCITA) would have exempted software from most of the warranty requirements of the Uniform Commercial Code and would have drastically increased the current legal tilt in favor of the sellers of software. Only two states, Virginia and Maryland, ever adopted the standards of UCITA, and Maryland did so in significantly modified form.
LIMITED NATURE. In the face of heavy opposition, UCITA's sponsor, the National Conference of Commissioners on Uniform State Laws, dropped its support last summer, and the proposed law is now a dead letter. The software industry's heavy push for UCITA couldn't overcome fears that makers of products containing software, such as cars, airplanes, or medical devices, might try to define their products as software and force plaintiffs to leap the very high hurdles imposed by UCITA.
The real issue is the limited nature of product liability law. As pointed out by Jody Armour of the University of Pittsburgh Law School and Watts S. Humphrey of Carnegie Mellon University's Software Engineering Institute in Software Product Liability, the law of product liability comes into play only if someone is hurt or property is damaged. (Armour and Humphrey's primer is 10 years old but still quite useful.)
Software defects are rarely responsible for killing or maiming people, or even property damage. But if faulty software causes a plane to crash or a radiation therapy machine to deliver a lethal dose of gamma rays to a patient, for example, the victims' families can win damages. In the case of products regarded as inherently dangerous, the plaintiffs need not even show that the defendant was negligent, just that his product caused the injury.
END LOSER AGREEMENTS. If only monetary losses are suffered, however, the compensation, if any, is governed by the terms of any contract between buyer and seller and by the requirements of the Uniform Commercial Code (except in Louisiana, which has its own quirky laws). Unless the contract says otherwise, it's generally very hard for a buyer to recover more than the cost of a purchase. If a restaurant's defective air conditioning fails, the manufacturer or contractor may be liable for the cost of repairing or replacing it -- but not usually for any business lost.
The trouble lies in the contracts typically used to sell software, especially the "end user license agreements" (EULA) that accompany most standard commercial software. Often the products are sold "as is," with the publisher promising only to deliver software and not promising that the software is actually good for anything. At least the Windows XP EULA (U.S. version) promises that Windows will "perform substantially in accordance with the accompanying written materials for a period of ninety (90) days."
However, it limits Microsoft's liability to replacing the software or refunding its cost, and adds "in no event shall Manufacturer or its suppliers be liable for any damages whatsoever (including without limitation, special, incidental, consequential, or indirect damages for personal injury, loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising out of the use of or inability to use this product, even if Manufacturer has been advised of the possibility of such damages."
That's a contract, and courts have generally upheld the validity of these licenses. The buyer doesn't get much of a chance in court.
JUST SAY NO. The real mystery, to me at least, is why large buyers, such as corporations and even governments, accept obviously lopsided terms in which Microsoft and other software publishers disavow any responsibility for their own products. True, Microsoft has a Windows monopoly, but it's no longer the only game in town. Furthermore, its business strategy depends on customers' willingness to upgrade their software even though they could get along just fine without doing so.
Maybe it's time for big buyers to just say no to Microsoft and other software vendors that refuse to provide reasonable warranties and real contracts for their products. This might not help consumers directly, but they would benefit to the extent that tougher warranties would force publishers to improve their products. It's about time for the buyers to demand their rights.

By Stephen H. Wildstrom, Technology & You columnist for BusinessWeek