Centuries ago, in a land now lost to time and distance, there was a proud, energetic tribe that loved to party. Unfortunately, they had a problem: they would throw massive parties and hire only the worst caterers in town to provide the food. So, when they had their feasts, there were always lots of complaints about the food being over-cooked, under-cooked, greasy - or all three. Guests, even the rich and powerful, would leave the parties sick to their stomachs from the nauseating fare, and the poor hosts were left to dispose of mountains of reeking uneaten garbage. Since nobody was willing to hire good caterers, the few who tried to produce good food went out of business in a hurry. After years of this, finally, one of the tribesmen suggested it was time to do something about the situation. A meeting of the tribal gurus was convened, and the tribe's best and brightest minds met for months and wrestled with complex ideas and trade-offs. Finally, the big day came and the tribe assembled to hear the wisdom of the gurus, "We cannot completely solve the problem," announced the spokesguru, "but we know how to improve the garbage situation." The guru reached into his guru-bag, and pulled out a large, black insect, "let me introduce to you - the cockroach. By inviting my little friend the cockroach to your feast, you will find an eager ally who will help you deal with the large amounts of leftovers." The tribe eagerly followed the advice of the gurus and pretty soon were overrun with disgusting cockroaches - massive, arrogant, sleek, fat creatures that quickly migrated into all kinds of places where they had not been invited. The tribal elders met, and after a brief discussion, ordered the gurus be impaled in the town square, their bodies left to feed their friends the cockroaches.
Decades later, the tribe's designated village idiot got tired of eating cockroaches and went to the tribal elders, "I have an idea! Instead of buying bad food why don't we only buy good food and then we'll not leave leftovers, and there will be no food for the roaches and nobody will be sick to their stomachs any more! In fact, if we stop buying bad food, I bet the caterers will start making good food or we'll create a market for good food and - in either case - the people who have been serving us this crap for so long will go out of business or they'll adapt really fast!" The bemused village elders listened to this and sighed: obviously, their village idiot was not just an idiot - he was also possessed by a demon. So they ordered him impaled and soon the cockroaches had removed all trace that he had ever existed.
As I write this, a number of computer security gurus are arguing in favor of the idea of holding software vendors liable for security flaws in their products. Basically, the reasoning goes as follows:
The idea of opening the doors to liability litigation has got to have the cockroaches - excuse me - lawyers salivating at the prospect of going after the deep pockets of one of America's world-leading industries. You know, the way they went after the automotive industry, the medical profession, manufacturing, etc. And we can see what a great job it's done!
Do you think your doctor is any better (or safer to go to) than in the 1970's, when medical insurance was 1/10 of what it is today?
Of course not. Doctors screw up just as often and just as badly - it's just much more expensive for them. In fact, it's much more expensive for everyone. The cost of medical liability litigation is passed on to insurers. The cost of insurance is passed on to society at large, as a means of diffusing financial risk, and is borne disproportionately by the corporations that offer employee medical benefits. It's also borne disproportionately in terms of pain and death by those who can no longer afford medical care. When I was consulting in the mid 1990's my Blue Cross high option policy cost me $4,000/year. Last year, when I looked at self-insuring again, it was $12,000. This year it's $16,000. CNN said something horrifying recently to the effect that 19% of our GNP is being spent on our medical industry. Some of that's profit but a lot of it's food for the cockroaches.
Would you pay $1,000 for Microsoft Windows?
You will, if the gurus succeed in their plan to invite the cockroaches to the feast. What amazes me is that some of the leading proponents of opening the doors to litigation are really smart guys. I think that they're just incredibly frustrated (as are we all!) with the poor quality of software and the way that the vendors that offer it are able to disclaim any responsibility for flaws in their wares. It does seem like an obvious idea to reverse that decision with a stroke of a pen. Unfortunately, it won't work.
By bringing litigation into the software industry, we will effectively be regulating it. But, instead of regulating it through a large slow-moving government bureaucracy, we'd be regulating it through a profit-motivated decentralized group that had no actual incentive for seeing the problem resolved. If the security gurus want to see software security improve I submit to you that any "solution" they offer needs to be constructive not punitive - it needs to show a clear path for the vendors to make a lot of money by improving their wares. We would probably waste less money (and create more jobs!) if, instead of litigating software, we created a new federal agency - The Bureau Of Software Security (TheBOSS) that was responsible, like a software Food and Drug Administration, for making sure our software industry favored those who knew how to work the bureaucracy instead of those who knew how to create and innovate. The periodic scandals TheBOSS would produce would also be valuable fodder for 60 Minutes segments and would offer real value as entertainment. Of course, TheBOSS would so stultify the US software industry that it would move offshore and effectively remove itself from our economy. One can imagine fantasy scenarios in which Microsoft re-incorporates as a business in the Republic of Tongo (a wholly-owned subsidiary of Microsoft-Tongo, Inc.) where it could just go right back to writing whatever click-wrap licenses it wanted.
In other words, I don't think that the security gurus have made a good argument (yet) for why suing software companies is going to actually make their products better. My guess is that it'll result in short-term bloodletting followed by rapid return to the status quo. The only difference is that instead of a single page of fine print shrinkwrap license, you'll have 34 pages of license (written in Tongan) that you have to sign and FAX to Tongo before you can run the software.
Regulation just feeds bureaucrats and lawyers; it doesn't actually improve things. If regulation improved things, then why were AT&T's long distance rates so ridiculous until the breakup of Ma Bell? Why were airline fares 3 times what they are today before airlines were no longer allowed to lock out competition using regulation?
I can hear you thinking, "we're talking about litigation not regulation!" but you need to understand that litigation is worse because the litigators actually profit by being fast, creative, and part of the problem, whereas the regulators profit by being large, plodding and slow. For an industry like software, either one is sure death. It's like choosing between being shot through the liver or stomped to death by an elephant: who cares? The end result is the same.
Of course we need to be a little bit realistic and look at the way things work in the real world. In the real world, software liability litigation isn't going to happen. Why? Because software companies have a hell of a lot of money to invest on wining and dining politicians. The only people who can afford to out-spend the software companies in influence-peddling would be the trial lawyers. If the software liability game plays itself out the same way asbestos litigation did, the first sign of impending doom will be when some state legislature decides they're going to open the floodgates in their state so they can get all the lawyer-dollars. If you think I'm fantasizing here, I'm not - do a little research of your own on the history of asbestos litigation in the US. There are towns that make a significant amount of their income by being "litigation friendly" for asbestos class actions. Before you even allow yourself to think about software liability litigation, you owe it to yourself to research the history of the asbestos lawsuits. And the residential mold lawsuits. And the lawsuits against the gun manufacturers. Etc., etc. Look at all these areas of litigation and ask yourself, "who won?"
The answer is so simple that apparently only the village idiot can see it:
If you don't like crap, don't buy crap.
If you do buy crap, don't complain that it smells.
If you hold your money in your hand and say what you want loudly enough, someone will come along and try to earn it.
If 50% of the FORTUNE 500 announced that they were suspending all purchases from Microsoft until Microsoft stopped shipping Windows with a browser with ActiveX enabled by default, it'd be fixed in 24 hours. There'd be some face-saving muttering about how ActiveX wasn't really a security problem but, well, we're responsive to our customers, etc, etc. But it'd happen, and it'd happen fast. Imagine if 50% of the FORTUNE 500 announced that they were going to defer any new purchases in desktop operating systems pending a 3 year re-assessment of their technology strategy in which they were going to factor in cost of system administration, security administration, anti-virus administration, and downtime. Microsoft stock would hit $1/share in 3 days and 100 new startups would be born, each frantically building the best virus-proof low-administration, secure, reliable operating systems they could. If you hold your money in your hand and say what you want loudly enough, someone will come along and try to earn it - if the government and the corporate world want good, secure systems all they have to do is stop buying crap and the providers of crap will "re-align" or blow away. It's that simple.
Of course that's not going to happen. Why? Because it appears that the corporate world is "happy enough" with the crap that they are buying, or they wouldn't be buying it, would they? They're willing to put up with the smell. Leave them alone and don't make the problem worse by inviting the cockroaches to the feast.
Waffle House, Frederick MD (exit Rt144), waiting for the snow to stop, Feb 26, 2005