Search This Blog


Saturday, June 13, 2009

Why EU Software Liability Bill is Not Going to Work

I almost fell off my chair when I learnt that EU wants software makers held liable for the code.

According to the gentlemen who are going to purpose the law:

Licensing should guarantee consumers the same basic rights as when they purchase a good: the right to get a product that works with fair commercial conditions.... more accountability for software makers, and for companies providing digital services, would lead to greater consumer choice.
Talk about naivety.

It's not that I think software quality is not important, it's just that I don't think by enforcing a law software quality will magically improve over night. In fact, I afraid that such a law would have the perverse effect, it would kill the software industry in the end.

Yeah, I know, software quality sucks in general. But the reason why it sucks so much is not because software developers are incompetent, or the software companies are negligence. The reason why software sucks is because software, by definition, is the act exploring new things. Unlike manufacturing area where products are created according to a well-known process, software development is always about developing new requirements that haven't been done before ( If your developer has to develop the same thing over and over again like the guy in the assembly line, he's incompetent--- fire him!). Now when you have a well-known process it's easier to put a guarantee on it, but when you are venturing into unknowns it's counterproductive to do so.

Let's assume that the if software liability bill was passed, what would happen then? Software companies would have to expand their testing budget and effort, for sure. This is going to result in a massive increase in software cost and a very slow software release cycle. So if you are expecting your software to upgrade in every 3 months, you might have to wait for 1 year ( or longer) for the upgrade. Are you going to trade the upgrade for "less bugs"?

Maybe the EU has NASA in mind when comes to software writing. NASA software that powers the space shuttle is known for its perfectness. The ratio of bugs, between NASA software and other commercial, is 1 to 294. But it's instructive to consider at what cost NASA pays to achieve this:

At the on-board shuttle group, about one-third of the process of writing software happens before anyone writes a line of code. NASA and the Lockheed Martin group agree in the most minute detail about everything the new code is supposed to do -- and they commit that understanding to paper, with the kind of specificity and precision usually found in blueprints. Nothing in the specs is changed without agreement and understanding from both sides. And no coder changes a single line of code without specs carefully outlining the change. Take the upgrade of the software to permit the shuttle to navigate with Global Positioning Satellites, a change that involves just 1.5% of the program, or 6,366 lines of code. The specs for that one change run 2,500 pages, a volume thicker than a phone book. The specs for the current program fill 30 volumes and run 40,000 pages.
"Our requirements are almost pseudo-code," says William R. Pruett, who manages the software project for NASA. "They say, you must do exactly this, do it exactly this way, given this condition and this circumstance."
This careful design process alone is enough to put the shuttle organization in a class by itself, says John Munson of the University of Idaho. Most organizations launch into even big projects without planning what the software must do in blueprint-like detail. So after coders have already started writing a program, the customer is busily changing its design. The result is chaotic, costly programming where code is constantly being changed and infected with errors, even as it is being designed.
"Most people choose to spend their money at the wrong end of the process," says Munson. "In the modern software environment, 80% of the cost of the software is spent after the software is written the first time -- they don't get it right the first time, so they spend time flogging it. In shuttle, they do it right the first time. And they don't change the software without changing the blueprint. That's why their software is so perfect."

How many of you are willing to spend that much time writing specs? And how many customers are willing to PAY for that kind of specs? Who is going to develop something that no customers are willing to pay for?
Furthermore, a lot of times software bugs are resulted from the interaction between different applications. And in this case it can be extremely hard to pinpoint the culprit-- which applications that you are going to put your blame on? And how would the bill going to arbitrate on this?

Software perfection can only achieved when there is a perfect understanding of requirements, but this is not how software development works. More often than not software is developed in iterative manner. The software vendors-- or the software users don't really know what they would get before the software is passed in their hands. And when the software doesn't perform in the way the users want that is considered as a bug. Now is it fair to penalize the software vendors because the users don't know their own requirements?

If the EU bills were adopted, the cost of software would skyrocket, it would take a longer time to deliver the software, and software industry would become unprofitable, resulted in a massive deaths of software companies, large and small.

That would be an ideal way to kill the human civilization.


BlackWasp said...

Oh dear.

The EU is one of the most undemocratically elected organisations that we have (I'm in the UK and, therefore, in the EU by default).

We have just gone through an election for the EU that was basically a waste of time and in a lot of ways jsut a poke in the eye for the UK government. The proportional representation system gives bizarre results, such as the election of allegedly fascist candidates with a small minority of the vote. This is supposed to be more democratic but it is hard to see how.

We then end up with a bunch of people hidden away in another country with almost zero accountability to the electorate but the ability to pass uninformed laws. This leads to such stupid attempts at legislature as this one.

The idea that software should be "fit for purpose" is reasonable. Who would be happy buying some of the freeware out there that crashes often and has missing features. However, I fear that the definition of "fit for purpose" will probably be completely obscure when drafted.

The description in the article is very interesting and the fears expressed may be justified. It could well put businesses, particularly small ISVs out of business. I like the NASA comparison. It would be interesting to have the conversation with a customer that explains that previously you could have the software in a week for £3,000 but now it will take a year and will cost £150,000 because of the cost of covering the EU requirements. You will also need a two year maintenance contract to pay for all the featues you wanted and expected but didn't tell us about during the development process.

Of course, this may be like straight bananas; the EU laws are often silly and disappear or become diluted after a while. The problem is that the indidividual governments have different interpretations of these laws and use them to pass their own unpopular legislation by piggybacking it and blaming the EU. You may well find that Germany or France says that they will not enforce it, whilst the UK accepts the law in full and adds something about the CDs your software comes on not being able to be left on a train.

Moran-Typemock said...

We are holding a poll (survey) on our blog asking people their opinion of the new EU software liability bill.

You are welcome to come and vote :


BlackWasp said...

I would like to vote but that poll is too black and white. Do I think software companies should be liable for their software? Yes, of course, to some degree. We don't want the industry producing complete rubbish. However, to the level suggested by the EU bill? Not so sure.

I like the comparison with cars. There can be 'bugs' in cars but these are solved with recalls (think software updates). You would not expect the general public to be able to sue the car manufacturers because there is a minor fault unless that fault causes a real problem and the car company refuses to repair it within a reasonable timescale. You certainly wouldn't expect people to return their cars after a year and demand a refund. Equally, a manufacturer should not be able to refuse a repair to an in-warranty car.