Coding Under the Watchful Eye of a Lawyer is Not My Cup Of Tea

Should developers be sued for security holes.

Some university professor is calling for software makers to be made liable for damage resulting from avoidable security flaws in their apps such as sloppy coding leading to hackers emptying users' bank accounts.

Ivory tower ideas like this are never possible in the real world. Software development is hard enough without having lawyers and insurance companies in charge of whatever code you write. Even today's PCI compliance and government organizations such as the Department of Transportation can add time and cost to even a simple project but that's nothing compared to what could be the future of programming if this idea gains traction.

I can't imagine taking 2 years to write a simple iPhone app where every programming decision has to be debated by teams of lawyers who don't even understand the basics of coding. How would you even get a job as a programmer if you need millions of dollars in liability insurance to even touch a code repository? Every website, mobile or desktop app would have to demand enormous prices to cover all the legal and insurance costs.

The idea that we can use legal liability to mandate better security practices seems undeniably reasonable to someone who knows nothing about programming. People always toss around the idea that programmers should be tested like professional engineers, something I blogged about previously as being a terrible comparison. Programming is not one discipline but hundreds and trying to pigeonhole programmers into a few categories to make testing easier is never going to work.

Even if you could force programmers to be professionally licensed and tested like plumbers before they would be allowed to write any code, what do you do in the meantime? Stop all programming for the next 10 years? Who gets the licensed programmers since the number of them would drop dramatically? Perhaps those who wouldn't want to pass a test in languages they know nothing about would rather enroll in law school, since the demand for new lawyers would explode. I can just imagine a new speciality "programming lawyer". Billing starts at $150 per line of code.

Face it, programming is getting more and more complicated. The end result is also more and more dependent on a bevy of frameworks, SDK's and living on a bed of OS's, many of which you may have no control over. Do we only write code with licensed and validated tools, on governmentally secured OS's and hardware and with licensed programmers watched carefully by teams of programming lawyers who examine every line with a fine toothed comb?

Count me out, I'd rather deliver pizzas.

The theory of forcing people to write good code is a nice one but it's doomed to fail. The entire modern world is built on amazing people writing amazing software and building amazing widgets. At the same time nothing is perfect. It's the price you pay for a continuously advancing tide of invention. Pushing the envelope of what's possible means taking risks, doing new things no one ever imagined, and potentially failing miserable. Replacing this with a safe world of legally perfect code written with great expense and taking zero risks means no progress, no invention, and no future for most industries, since everything today is built on a foundation of software.

I can imagine Tim Berners-Lee in such a world being denied the invention of the web, as the legal team looking at his first internet browser expressing concern than someone might use it to do something illegal or immoral. Or Twitter being rejected as the liability of allowing random people to say anything they want in public would make it impossible to fund.

It doesn't mean we can't do better, but involving massive insurance liability and hordes of lawyers in everyday coding will only kill the modern world. It's not like we don't already have reams of lawsuits poisoning our lives today but making software development impossible without these restrictions is asking us to return to using stone knives and bear skins (but of course the knives are sharp and the skins might be full of disease so even that's unlikely).

Coding can always improve, but we code in a highly connected and interdependent world where determining blame for some problem would only result in long and ugly trials where no one wins except the lawyers. That's not a world I want to live in as a programmer.