
Software Customer Bill of Rights

[This article was contributed by Joe 'Zonker' Brockmeier]

In the last week or so, Cem Kaner's Software Customer Bill of Rights has been making the rounds of the "blogosphere" and getting quite a bit of attention. Essentially, Kaner proposes ten basic rights that should be enjoyed by any user of commercial software. As End User License Agreements (EULAs) have become increasingly onerous over the last few years, Kaner's bill of rights has struck a chord with users.

For the most part, the rights proposed by Kaner are already enjoyed by users of open source software. They already have the right to transfer free software to other users. They don't need to reverse engineer the software to check for security holes or to fix bugs and security glitches -- they already have the source code. (Nothing in any open source license would prevent a user from choosing to do it the hard way, however.) Kaner proposes that users should have the "right to see and approve all transfers of information from her computer." While "spyware" is a constant danger posed by proprietary software, with access to source code, users can make sure that a program isn't secretly sending data off of their computer to another machine.

However, there are a few rights that would benefit users of open source software. Firstly, the unfettered right to reverse-engineer proprietary software would be a major boon to the open source software community. As Kaner points out, courts have been willing to enforce clauses against reverse-engineering in software licenses. This poses a problem for open source developers looking to achieve interoperability with commercial software, operate embedded devices with open source software, or simply access data saved in a proprietary format.

Another right that Kaner proposes is "mass-market software should be transferrable." As mentioned previously, users already enjoy the right to transfer software that is licensed under a FOSS license. However, most users of open source software still end up dealing with proprietary software. How many open source users have purchased a laptop or desktop computer with software preinstalled that will never be used by the purchaser? The cost of a Windows XP license is built into the price of a brand-new machine. The user should have the right to transfer that software to another user who will make use of the software, if they so choose.

The first item on Kaner's list, however, is "let the customer see the contract before the sale." This is particularly timely in light of Dell's hidden license policy. Even some of the Linux vendors have started using the "clickthrough" mechanism, with some of the Linux installers requiring the user to agree to the terms of the open source licenses, without allowing the user to read them first. This is probably done because of the number of licenses involved -- most distributions include software under the GNU General Public License (GPL), Lesser GPL, Artistic License, Apache License, Mozilla License, BSD License and so on.

One potentially dangerous clause in Kaner's bill of rights is number ten, "When software is embedded in a product, the law governing the product should govern the software." Generally, this would be a good thing. A hardware manufacturer should not be able to use licensing terms to forbid the transfer of a router or network appliance by forbidding the transfer of embedded software. Car manufacturers shouldn't be able to exclude embedded software from warranties.

However, one wonders if this might make open source developers liable in some way if their software is "embedded" in a product. Most, if not all, FOSS licenses disclaim any warranty because the software is being given away. What happens, however, if a court decides that embedded software qualifies as "goods" and that developers can be held liable for defects -- even if they have not charged for the software in the first place? This may seem like a stretch, but we do live in a very litigious society.

Kaner's proposed rights would be a dramatic improvement for users of proprietary software, but they leave out many rights that FOSS users take for granted. For example, users of FOSS software expect to have access to source code. They also expect to be able to modify the software, to add or remove features that they deem necessary or desirable, and to be able to distribute the changes.

Despite the fact that the Software Customer Bill of Rights doesn't quite match the average FOSS license in terms of customer rights, it would be good to see it become reality. It's time to start reversing the current legislative trends that have given far too much power, and too little accountability, to vendors of proprietary software.



Software Customer Bill of Rights

Posted Sep 4, 2003 4:07 UTC (Thu) by LinuxLobbyist (guest, #6541) [Link]

>However, one wonders if this might make open source developers liable in some way if their software is "embedded" in a product.

Hmm, I don't quite see the same problem that the author sees here. "When software is embedded in a product, the law governing the product should govern the software" means to me that the vendor of the device is responsible for the functioning of the device in total.

The device vendor chose the software and very likely customized it to suit his device. Even if he didn't modify it, he is responsible for the proper operation of the device irrespective of the software which is running inside of it. The entire device should be warranted by the device vendor.

If you read the "no warranty" paragraph in the preamble of the GPL (at least), it is primarily in the context of: If you receive this software and it is modified from the original, I, the original author cannot warrant this software; talk to the guy who modified it.

Well, not quite that, but my reading of at least the GPL (particularly the part about 'you may at your option offer warranty protection in exchange for a fee' ... and I would presume without a fee, if you so choose) and this supposedly dangerous clause in Cem Kaner's Software Customer Bill of Rights leaves open the possibility of the author not providing a warranty, but the vendor providing a warranty.

Perhaps the clause does need some clarification, but I can't see where Cem is indicating that the author of the software should be the one who is responsible. It is the vendor of the hardware (car, in the given example) who is being held responsible.

Software Customer Bill of Rights

Posted Sep 4, 2003 15:37 UTC (Thu) by zonker (subscriber, #7867) [Link]

>I can't see where Cem is indicating that the author of the software should be the one who is responsible. It is the vendor of the hardware (car, in the given example) who is being held responsible.

Actually, I wasn't suggesting that Cem was indicating the author of the software should be held responsible -- I'm just saying that I can see a lawyer going after the original author of software as well as the manufacturer, given the nature of lawsuits these days.

Software Customer Bill of Rights

Posted Sep 5, 2003 1:51 UTC (Fri) by LinuxLobbyist (guest, #6541) [Link]

Fair enough. However, in this sucky litigious society that we live in, it wouldn't surprise me to see a lawyer go after a Free Software developer today. Sigh. I can be such a pessimist.

Regardless, good article.

A New Word

Posted Sep 4, 2003 17:21 UTC (Thu) by llywrch (guest, #9903) [Link]

"Blogosphere" -- hehe, I like it.

I wonder if ESR will ever add it to his Hacker's Jargon list, or steadfastly insist that it's not representative of Hacker culture.

Geoff

Secure unsigned Java Web Start applications

Posted Sep 12, 2003 4:26 UTC (Fri) by MarkSwanson (guest, #9328) [Link]

>They don't need to reverse engineer the software to check for security holes or to fix
>bugs and security glitches -- they already have the source code. (Nothing in any

This idea is a failure because only a handful of people will have the skill, inclination or
time to find and fix bugs and security glitches.

The closest to perfect solution is to run your application inside of
a Java Web Start (JWS) secure sandbox.

>While "spyware" is a constant danger posed by proprietary software, with access
>to source code, users can make sure that a program isn't secretly sending data off
>of their computer to another machine.

Again, this idea is a failure for the same reason stated above.
Remember that unsigned JWS applications prevent "spyware" from working at all.

In fact, here's a great concept that doesn't get enough attention: you do not have to
trust the software vendor when you are running unsigned JWS code. That's the kind of
world I'd like to live in. Yes, if I give the vendor my email address I may have to trust
them not to sell it to a spammer - you know that's not what I'm talking about. I'm
merely mentioning what most of you already know - secure access to the hard drive,
network, keyboard, clipboard, video, etc.

Cheers.


Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds