By William C. Snyder
(Re-published from Crossroads: Cybersecurity Law & Policy | Nov. 13, 2016) Effectively there is no liability for manufacturers of “buggy” software. This is not, however, due to a special exemption in the law enacted to ban software liability. There is a special exemption to liability enacted by Congress for interactive computer services, and sometimes that overlaps with software.
“Greer and Schneier (and others) are right that there should be liability for vulnerable software, but strict product liability would stifle innovation.”
Generally, however, the reason you can’t sue software creators for bugs is because Congress has not enacted or created such liability, not because they have banned such liability. In the routine case, the software creator makes the end user agree through a licensing agreement to not hold the creator liable. The end user must go along with that agreement, or else they can’t use the software (such as the Windows or Apple operating systems). Congress have never limited such licensing agreements for software like they (or some state legislatures) have for regular products liability.
The exemption that does exist is called “Section 230 Immunity.” Basically, it is immunity for Internet service providers (ISP’s), website hosting services, and websites. Section 230 of the Communications Decency Act of 1996 states:
- (c) Protection for “Good Samaritan” blocking and screening of offensive material
- (1) Treatment of publisher or speaker—No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.
- (2) Civil liability—No provider or user of an interactive computer service shall be held liable on account of—
- (A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or
- (B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph.
* * *
- (f) Definitions As used in this section:
- (1) Internet—The term “Internet” means the international computer network of both Federal and non-Federal interoperable packet switched data networks.
- (2) Interactive computer service—The term “interactive computer service” means any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including specifically a service or system that provides access to the Internet and such systems operated or services offered by libraries or educational institutions.
- (3) Information content provider—The term “information content provider” means any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.
- (4) Access software provider—The term “access software provider” means a provider of software (including client or server software), or enabling tools that do any one or more of the following:
- (A) filter, screen, allow, or disallow content;
- (B) pick, choose, analyze, or digest content; or
- (C) transmit, receive, display, forward, cache, search, subset, organize, reorganize, or translate content.
In short, “Section 230 of the Communications Decency Act grants interactive online services of all types, including blogs, forums, and listservs, broad immunity from tort liability so long as the information at issue is provided by a third party.” That immunity extends to liability for delivering malware (viruses, etc.) over the Internet. It does not cover liability for writing and selling or licensing buggy software.1
The reasons that you can’t sue over buggy software are mostly 1) it is nearly impossible to prove the elements of tort liability under either the common law or the Uniform Commercial Code, as explained in this article; and 2) Congress has never enacted (and the courts have never discovered on their own) strict liability for software defects. (“Strict liability” is legal responsibility for damages or injury even if the person found strictly liable was not at fault or negligent.)
Thus, in almost all cases, you waived suits for liability in the license for the software. Here is the license for Windows:
Last updated July 2016
MICROSOFT SOFTWARE LICENSE TERMS
WINDOWS OPERATING SYSTEM
IF YOU LIVE IN (OR IF YOUR PRINCIPAL PLACE OF BUSINESS IS IN) THE UNITED STATES, PLEASE READ THE BINDING ARBITRATION CLAUSE AND CLASS ACTION WAIVER IN SECTION 10. IT AFFECTS HOW DISPUTES ARE RESOLVED.
* * *
Microsoft warrants that properly licensed software will perform substantially as described in any Microsoft materials that accompany the software. This limited warranty does not cover problems that you cause, that arise when you fail to follow instructions, or that are caused by events beyond Microsoft’s reasonable control. The limited warranty starts when the first user acquires the software, and lasts for one year. Any supplements, updates, or replacement software that you may receive from Microsoft during that year are also covered, but only for the remainder of that one-year period or for 30 days, whichever is longer. Transferring the software will not extend the limited warranty.
Microsoft gives no other express warranties, guarantees, or conditions. Microsoft excludes all implied warranties and conditions, including those of merchantability, fitness for a particular purpose, and non-infringement. If your local law does not allow the exclusion of implied warranties, then any implied warranties, guarantees, or conditions last only during the term of the limited warranty and are limited as much as your local law allows. If your local law requires a longer limited warranty term, despite this agreement, then that longer term will apply, but you can recover only the remedies this agreement allows.
If Microsoft breaches its limited warranty, it will, at its election, either: (i) repair or replace the software at no charge, or (ii) accept return of the software (or at its election the Microsoft branded device on which the software was preinstalled) for a refund of the amount paid, if any. These are your only remedies for breach of warranty. This limited warranty gives you specific legal rights, and you may also have other rights which vary from state to state or country to country.
Except for any repair, replacement, or refund Microsoft may provide, you may not recover under this limited warranty, under any other part of this agreement, or under any theory, any damages or other remedy, including lost profits or direct, consequential, special, indirect, or incidental damages. The damage exclusions and remedy limitations in this agreement apply even if repair, replacement or a refund does not fully compensate you for any losses, if Microsoft knew or should have known about the possibility of the damages, or if the remedy fails of its essential purpose. Some states and countries do not allow the exclusion or limitation of incidental, consequential, or other damages, so those limitations or exclusions may not apply to you. If your local law allows you to recover damages from Microsoft even though this agreement does not, you cannot recover more than you paid for the software (or up to $50 USD if you acquired the software for no charge).
[emphasis in original]
If you don’t agree to that—or a provision like it in very nearly every software license—then you can’t use the software. What choice do you have? Only one: you could go to open source software. But, as Bruce Schneier explains, by its very nature (it is written like a Wikipedia) there is no one to sue for bugs in open source software.
Thus, Dan Greer reportedly said at a Black Hat USA conference: “Today the relevant legal concept is ‘product liability,’ and the fundamental formula is ‘If you make money selling something, then you better do it well, or you will be held responsible for the trouble it causes.’ For better or poorer, the only two products not covered by product liability today are religion and software, and software should not escape for much longer.”
He then advocated for extending liability for vulnerable software: “The software houses will yell bloody murder the minute legislation like this is introduced,” said Geer, “and any pundit and lobbyist they can afford will spew their dire predictions that ‘This law will mean the end of computing as we know it!’ To which our considered answer will be, ‘Yes, please! That was exactly the idea.’”
In short, there is a special exemption for interactive computer services. There is, usually, practical immunity for people who license or sell buggy software to you. Congress could extend tort liability to the makers and sellers of buggy software.
My opinion is this: Greer and Schneier (and others) are right that there should be liability for vulnerable software, but strict product liability would stifle innovation. Some kind of middle ground such as liability for gross negligence only is appropriate. Also, I believe that Syracuse University iSchool Professor Lee McKnight is correct in saying that, “this issue [is more likely] to be addressed in the incoming administration than one more beholden to Silicon Valley’s sloppy business practices as usual.”
1 See, SOFTWARE MANUFACTURER DENIED SECTION 230 IMMUNITY – HARDIN V. PDX, 2014 WL 2768863 (Cal. App. Ct. June 19, 2014), http://blog.ericgoldman.org/archives/2014/06/software-manufacturer-denied-section-230-immunity-hardin-v-pdx.htm
Tort Liability for Buggy Software