Is There a Legal Remedy for Software Bugs and Other Things That Go Bump in the Night?

 

    by John Brewer, Computer Club of Oklahoma City

        October 2004

   

How does one practice "safe computing" when one considers software bugs, adware and spyware, viruses, worms and other bits and bytes of malicious code?  There is a concept in law called "product liability."  Product liability means that a manufacturer can incur liability for marketing a product with defects.  Does this concept apply to software?  Probably not ... due to the EULA.  EULA is an acronym for "end user license agreement," sometimes called the "shrink-wrap license."  The term shrink wrap is used because the license is usually contained within the shrink-wrapped box containing the software and is also contained in a read-me type file within the software itself.  When one installs software, there is generally a license that appears in a small window that one must "accept" before the software can be installed.  The small window contains a small portion of the license agreement.  In order to read the entire agreement, one must either scroll through the text or print it out.  Very few people actually read the license agreement.

EULAs generally contain very broad waivers as a condition of using the software, and such agreements have been consistently upheld by the courts.  In recent years, the trend has been to broaden protection for software companies.  A new controversy is over the issue of embedded software.  For example, if you purchase a new automobile, and it has software that controls certain of the automobile's components, do different legal rules apply to the embedded software?

Everyone is familiar with the Microsoft patches that seek to plug holes in their operating systems and applications.  Nefarious people stay awake nights searching for vulnerabilities to exploit.  These attacks, in the form of malicious code, often cause damages of staggering proportions.  Is Microsoft at fault or is this simply a price for “doing business”?  Would software companies do a better job if they had less legal protection for vulnerabilities in their software?  That is an interesting question.  Perhaps broad EULAs are nothing more than protection for negligent work in many instances.

The opposite side of the issue is that software programs are difficult to finish in a manner that is completely error free and plugged from malicious exploitation.  Programmers have more issues to contend with than security.

Richard Fromo, an author and security consultant, is very outspoken in his criticism of the protection that software companies possess.  He said recently, “Unfortunately, the only way to effect change in the software makers' philosophy of doing business is to hit them where it hurts, namely, in the pocketbook.  All it takes is a few (large) customers to say 'enough is enough' and move to an alternative operating environment, and it'll be all the incentive Microsoft needs to revamp its products quickly and effectively.”

Recently there was a large and complicated law called the Uniform Computer Information Transaction Act (UCITA) that was considered by many State legislatures.  UCITA is very pro-industry insofar as it gives a green light to shrink-wrap licenses and allows software manufacturers to virtually sell their products on an “as-is” basis and to disclaim liability for defects.  Fortunately, UCITA has encountered a skeptical reception at the State level and only Virginia has enacted the law.

The following is extracted from the licensing agreement for a well known software application:

DISCLAIMER OF WARRANTY.  The software (including without limitation, the related documentation) is provided on an “as is” basis, without warranty of any kind, including without limitation the warranties that it is free of defects, merchantable, fit for a particular purpose or non-infringing.  The entire risk as to the quality and performance of the software is borne by licensee.  Should the software prove defective in any respect, licensee and not [ name omitted ] or its suppliers or resellers assumes the entire cost of any service and repair.  This disclaimer of warranty constitutes an essential part of this agreement.  No use of the software is authorized hereunder except under this disclaimer.  Some jurisdictions do not allow the exclusion of implied warranties or limitations on how long an implied warranty may last, so the above limitations may not apply to you.

LIMITATION OF LIABILITY.  To the maximum extent permitted by applicable law, in no event will [ name omitted ] or its suppliers or resellers be liable for any indirect, special, incidental or consequential damages arising out of the use of or inability to use the software, including, without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if advised of the possibility thereof, and regardless of the legal or equitable theory (contract, tort or otherwise) upon which the claim is based.  In any case, [ name omitted ] the entire liability under any provision of this agreement shall not exceed in the aggregate the sum of the fees licensee paid for this license (if any), with the exception of death or personal injury caused by the negligence of [ name omitted ] to the extent applicable law prohibits the limitation of damages in such cases.  Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not be applicable.

It might be prudent to read the licensing agreement the next time one installs software.  It is doubtful if one can do anything about these one-sided terms but it is an issue worthy of notice.

 

John Brewer practices law in Oklahoma City, is a member of the Governor’s and Legislative Task Force for E-Commerce, and enjoys issues relating to eBusiness and cyberspace.  Comments and questions are welcome and can be emailed to John Brewer.

 

In accordance with Title 17 U.S.C. Section 107, this material is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. The article may contain sources for content as attributed within the article.