Can the EU Hold Software Makers Liable For Negligence? (lawfaremedia.org)

When it comes to introducing liability for software products, "the EU and U.S. are taking very different approaches," according to Lawfare's cybersecurity newsletter. "While the U.S. kicks the can down the road, the EU is rolling a hand grenade down it to see what happens." Under the status quo, the software industry is extensively protected from liability for defects or issues, and this results in systemic underinvestment in product security. Authorities believe that by making software companies liable for damages when they peddle crapware, those companies will be motivated to improve product security... [T]he EU has chosen to set very stringent standards for product liability, apply them to people rather than companies, and let lawyers sort it all out.

Earlier this month, the EU Council issued a directive updating the EU's product liability law to treat software in the same way as any other product. Under this law, consumers can claim compensation for damages caused by defective products without having to prove the vendor was negligent or irresponsible. In addition to personal injury or property damages, for software products, damages may be awarded for the loss or destruction of data. Rather than define a minimum software development standard, the directive sets what we regard as the highest possible bar. Software makers can avoid liability if they prove a defect was not discoverable given the "objective state of scientific and technical knowledge" at the time the product was put on the market.

Although the directive is severe on software makers, its scope is narrow. It applies only to people (not companies), and damages for professional use are explicitly excluded. There is still scope for collective claims such as class actions, however. The directive isn't law itself but sets the legislative direction for EU member states, and they have two years to implement its provisions. The directive commits the European Commission to publicly collating court judgements based on the directive, so it will be easy to see how cases are proceeding.

Major software vendors used by the world's most important enterprises and governments are publishing comically vulnerable code without fear of any blowback whatsoever. So yes, the status quo needs change. Whether it needs a hand grenade lobbed at it is an open question. We'll have our answer soon.

  • by Alinabi ( 464689 ) on Sunday October 27, 2024 @08:34PM (#64898569)
    But why the exception on professional use? Most of the damage from software defects is done by products used in a professional capacity.
    • Re: (Score:2, Insightful)

      Overdue? This will kill open source and small time developers. Who in their right mind would publish their software, whether a fledgling commercial effort or a hobby project, if they can be held liable for damages with the burden of proof not on the accuser but the defendant? Software is far too complex to demand perfection (see my sig), and while it is possible to create software that is proven to be safe to a degree, it is ridiculously expensive and out of reach of hobbyists or small businesses.
      • Re:Long overdue (Score:5, Insightful)

        by test321 ( 8891681 ) on Sunday October 27, 2024 @08:50PM (#64898595)

        JaredOfEuropa: This will kill open source

        No, it explicitly does not apply to open source:

        (14) [...] In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity, since products so developed or supplied are by definition not placed on the market

        JaredOfEuropa: with the burden of proof not on the accuser but the defendant?

        No, it explicitly asks for the burden of the proof to lie on the accuser:

        (42) [...] a person that claims compensation for damage caused by a defective product should bear the burden of proving the damage, the defectiveness of a product and the causal link between the two, in accordance with the standard of proof applicable under national law.

        • The first point is a relief, the second not so much. The accuser needs to prove damages and establish the software as the cause. That still requires software to be fault free if you wish to avoid suits for damages, rather than the much more reasonable standard of showing that common standards, practices and safeguards were applied.
          • Re:Long overdue (Score:5, Informative)

            by test321 ( 8891681 ) on Sunday October 27, 2024 @09:18PM (#64898643)

            You're referring to the difference between obligations of means and of results. A medical doctor has obligations of means (do what they can, hope for the best) while most of the time a provider of services has an obligation of result (a cook has the obligation of making the food safe and as enjoyable as one would expect from reading the name and seeing the picture). The Directive's objective clarifies that here there is an obligation of result.

            Illustration:
            1) (physical malfunction) You buy a toaster and your house burns down because the electrical resistance malfunctioned. You sue the manufacturer.
            2) (software malfunction) You buy a Smart Toaster which burns down because of an infinite loop in the firmware. The manufacturer says it's not their fault since they used third party firmware; the firmware author says they followed usual good practice. It's nobody's fault, still your house burnt and you're out in the cold. The Directive says you still can sue the firmware author.

            • Re:Long overdue (Score:5, Insightful)

              by jonsmirl ( 114798 ) on Sunday October 27, 2024 @09:38PM (#64898665) Homepage

              If the EU pursues this, the EU is going to end up with much less software, many fewer products and a lot of software which never gets updated. A company's response to this is going to be to dramatically shrink the amount of software in products sent into the EU. I'm just thinking about the stuff I work on, my first idea would be to release the code for a couple of years into the rest of the world and then only after I've gone a year or so without any issues, release into the EU. And then once I do release into the EU I am going to be extremely hesitant to change anything unless I absolutely have to. I am also going to raise my EU prices a lot to cover any liability. This totally destroys the model of release early and often. Instead you have to release into the EU using the most risk averse methods possible. I'm sitting here right now considering if I will even continue shipping into the EU.

              • Re:Long overdue (Score:4, Informative)

                by gweihir ( 88907 ) on Sunday October 27, 2024 @10:20PM (#64898741)

                Quite the contrary. The EU will have modern dependable software, while the rest of the world will still be stuck in crapware-land. Stop panicking and actually _read_ what is required. In all likelihood, doing good testing and documenting that will be quite enough.

                • Re:Long overdue (Score:5, Insightful)

                  by ShanghaiBill ( 739463 ) on Sunday October 27, 2024 @10:49PM (#64898787)

                  Quite the contrary. The EU will have modern dependable software, while the rest of the world will still be stuck in crapware-land.

                  Nope.

                  Software companies won't maintain two source trees, with a "good" one for the EU and a "bad" one for everyone else.

                  Not gonna happen.

                  Everyone will get the "good" code because one source tree is simpler for developers.

                  The difference is that everyone else will get it cheap, and Europeans will pay much more to cover the cost of lawsuits.

                  • Quite the contrary. The EU will have modern dependable software, while the rest of the world will still be stuck in crapware-land.

                    Nope.

                    Software companies won't maintain two source trees, with a "good" one for the EU and a "bad" one for everyone else.

                    Not gonna happen.

                    Everyone will get the "good" code because one source tree is simpler for developers.

                    The difference is that everyone else will get it cheap, and Europeans will pay much more to cover the cost of lawsuits.

                    Well, according to how the free market is supposed to work, the ones who can't be bothered to produce quality software will leave the market. This will leave the market free to be exploited for profit by those reputable companies who can be bothered to produce high quality software through the choice of secure development tools, defensive programming and testing and who can afford to spend some time in court dealing with lawsuits. Of course that will also drive up software prices but what do you want? More

                    • It applies only to people (not companies)

                      I agree it's weird wording but I would guess they mean that the rights apply to individual customers not to companies i.e. If Bill Gates bought a defective product for personal use then he could sue on this basis but if Microsoft bought the product then they couldn't - they'd have to rely on whatever contractual terms they entered into.

                    • This will leave the market free to be exploited for profit by those reputable companies who can be bothered to produce high quality software through the choice of secure development tools, defensive programming and testing

                      Well, that leaves out Apple and Microsoft, based on software release behaviors to date.

                    • "according to how the free market is supposed to work" LOLOLOL, no such thing. Suppose you're going to tell us about invisible sky wizards and bigfoot next?

                      There was a certain element of sarcastic intent behind those words.

                    • by gweihir ( 88907 )

                      This will leave the market free to be exploited for profit by those reputable companies who can be bothered to produce high quality software through the choice of secure development tools, defensive programming and testing

                      Well, that leaves out Apple and Microsoft, based on software release behaviors to date.

                      Yes. And that crap has to stop. The damage from those practices is already extreme and it is still rising.

              • Re:Long overdue (Score:4, Insightful)

                by dstwins ( 167742 ) on Monday October 28, 2024 @01:51AM (#64899011) Homepage
                Actually not really.. much of the issue is due to companies rushing to market with the notion of "we will fix it later" ignoring the consequences of their actions.. In many cases (not all, but many) companies have a list of defects (unpublished) with their products that are to be addressed in later releases/updates/SPs.. but the problem is the end user/end company doesn't KNOW that.. which means the burden of testing is on the end customer/company... who is screwed if that "defect" creates a vulnerability that causes damage to others. (security vulnerability being the largest impact). And companies (especially the larger ones) have no incentive to address this other than "maintain the status quo".

                This will either make companies more transparent about their defects.. (again, it takes the approach of "reasonable".. not perfect.. but if defects/vulnerabilities could have been caught with a simple scan and they didn't because of the rush to market or cost, then of course they should be held liable to those companies that were harmed by that) or they will slow their release cycles down to actually test/scan/improve their products..(this might also have a beneficial impact to customers/companies since its going to impact the justification of license upgrades (may be slower which benefits end consumers/companies, but may also be larger updates which might traditionally warrant a major release which benefits the producers)

                I don't think it will harm the EU (as a whole).. but it will ensure that what's released isn't simply a "rolling beta"..
              • Re:Long overdue (Score:4, Insightful)

                by Pentium100 ( 1240090 ) on Monday October 28, 2024 @02:47AM (#64899047)

                A company's response to this is going to be to dramatically shrink the amount of software in products sent into the EU.

                That sounds like an awesome thing. I don't need a "smart" fridge, but those are what's available. There does not need to be tons of software in every thing.

                This totally destroys the model of release early and often.

                You mean release broken crap and have the users do the testing?

                For some reason, software makers decided that releasing broken crap and then maybe fixing it is completely acceptable, even for expensive software. Would you want to buy a brand new car that breaks down every 1000km because of a manufacturing defect ("oopsie, someone forgot to tighten a screw")?

                • by 0xG ( 712423 )

                  Would you want to buy a brand new car that breaks down every 1000km because of a manufacturing defect ("oopsie, someone forgot to tighten a screw")?

                  Hey, I have one of those. It's called an F-150.

              • by Cyberax ( 705495 )

                If the EU pursues this, the EU is going to end up with much less software

                Is that bad? Europe won't get the newest IoT smart light switches with built-in house igniters? Such tragedy.

                • Sure, the EU will miss out on the crap...but it will also miss out on the latest and greatest. Good luck getting any AI developer to work in the EU under these rules for a good long time because it is very hard, if not impossible, to make sure the algorithm never gets anything wrong.

                  That's the problem - software close to the bleeding edge is going to be inherently buggy and will have errors in it. Allowing companies to develop software like this is essential for progress but, by shielding them from legal
              • If that is your attitude to product responsibility, then by all means, please stop sending your shit to us here in the EU.

              • This totally destroys the model of release early and often.

                That is a good thing. "Release early, release often" is a good model for free software. It is not a good model for commercial software. Most customers don't want to be paying beta testers.

                • Release often is the best strategy almost everywhere. Long delays between releases pile up bugs, which can be deep and hard to fix. Given the same amount of test effort, the release often strategy will have fewer bugs - and be able to fix and release the fix faster. I worked at a place where we went into a release rarely strategy because releases were so expensive due to manual testing and paperwork, and then the releases only got much more expensive and buggy. The solution is automatic testing and release often.
              • So better to live with a shitty product because you are too scared to force the company involved to fix their bugs and for them to be responsible for it?
              • To be honest, I really don't see a problem with the scenario you are describing. The EU users will have software thoroughly tested by the rest of the world used as early adopters, which will then be stable and updated only when it really should, while the rest of the world gets poorly tested, bloated crapware? Sign me up! Sure, some features will take a few iterations to appear in the EU (or not be imported at all), but that is a good tradeoff for mature and reliable software. It's where you draw the line,
                • To be honest, I really don't see a problem with the scenario you are describing. The EU users will have software thoroughly tested by the rest of the world used as early adopters, which will then be stable and updated only when it really should, while the rest of the world gets poorly tested, bloated crapware? Sign me up! Sure, some features will take a few iterations to appear in the EU (or not be imported at all), but that is a good tradeoff for mature and reliable software. It's where you draw the line, I guess.

                  Seems like a Nirvana, with the EU blazing a path to the future with 100 percent error free, dare I say perfect software. A future where there is never a BSOD, and perfectly secure from hackers and issues forever and anon. Listen to this song while reading my post. https://www.youtube.com/watch?... [youtube.com]

              • I am not sure that less software is a bad thing. I used to be a hardware engineer when I still had hair. Verification constraints forced us to keep things simple. I remember a lot of discussions with the digital guys about making a setting programmable. They generally did not like that since this would explode the number of testvectors.
                So less fancy things, more stuff that works, but just that.
              • If the EU pursues this, the EU is going to end up with much less software, many fewer products and a lot of software which never gets updated.

                No it won't. Most software already meets all the requirements using standard QA/QC issues. It's a fantasy to think that the EU will be different to America in this. In America people sue for virtually anything, including software problems.

                If you're that concerned about causing actual liability to someone due to the quality of your code then you really REALLY shouldn't be anywhere near a computer.

              • Fewer but more reliable products could be the result.
                But I see that this is probably not applicable to every program, just programs with a certain level of criticality where the customer suffers economic or physical harm.

            • Correction. In 2) one still would sue the Smart Toaster manufacturer, not the firmware author. Because the Manufacturer is the one who has put the Product on the market (signed the EC compliance certificate). (The Manufacturer might sue the firmware author but this is not addressed in this Directive as it does not apply to B2B.)

          • by gweihir ( 88907 )

            No, it does not require "perfect" software. Can nobody read anymore? It just requires that the state-of-the-art is being followed.

            • by narcc ( 412956 )

              It just requires that the state-of-the-art is being followed.

              I've seen what modern "best practices" have done to software. We're all doomed.

        • No, it explicitly does not apply to open source:

          It does apply to open source. The manufacturer becomes liable for the open source code when the manufacturer integrates open source into their product. More importantly, due to the nexus of commercial activity, if a manufacturer relies on an open source component and buys support from the maintainer, then the maintainer of that open source project is on the hook for liability due to the corresponding commercial activity.

          "Providing such software on open repositories should not be considered as makin

          • by bsolar ( 1176767 )

            More importantly, due to the nexus of commercial activity, if a manufacturer relies on an open source component and buys support from the maintainer, then the maintainer of that open source project is on the hook for liability due to the corresponding commercial activity.

            No, the maintainer would not be on the hook for liability. The maintainer would be selling a service or product to another business, not to a consumer so they can deny liability as the regulation covers consumers.

            Whoever repackages the Open Source component and sells that to a consumer cannot deny liability, but that has nothing to do with the maintainer which is not even a party in the transaction.

        • by jmccue ( 834797 )

          What about SUSE? They are based in Europe and sell support and their version of Linux. We just had the xz issue with OpenSSH. With this law would SUSE be in court?

          Or a much better example, SAP in Germany. Their software is very famous for causing harm, especially during install and implementation. SAP is rolling out a new version which is far different than R/3. Will they stop offering it in the EU until they are sure it has no issues?

          The law sounds good on paper, but I think Software Development

          • SAP is b2b so they are not affected by this new law. SUSE does not sell the software, they sell support for said software so probably not affected either, but best to talk to a real lawyer here.
          • I think Software Development could be moved from the EU to other places.

            It doesn't matter where it is developed. What matters is where it is sold.

            If it is sold in the EU, EU laws apply.

      • by schwit1 ( 797399 )

        Who would you sue if it were open source? I hope this would not apply to free software.

      • by gweihir ( 88907 )

        No, it will not. FOSS is not even in scope as it is not a "product". Small-time developers that sell to individuals may have to do things like document their testing, but that is essentially it. The claim that this "demands perfection" is just uninformed bullshit.

      • I currently run a small business and already hold professional indemnity and public liability insurance which applies to all software I write and contribute to.

        Many of my clients wouldn't hire me otherwise.

        It isn't that expensive.

        If I'm legally, provably negligent, I expect to be held responsible for it. I'm a professional that takes pride in my work, not a monkey that throws code at a wall hoping some of it will stick.
        • by lsllll ( 830002 )

          I currently run a small business and already hold professional indemnity and public liability insurance which applies to all software I write and contribute to.

          Many of my clients wouldn't hire me otherwise.

          As do I, and it's not prohibitively expensive (about $3500/year), but that's because I've never been sued. When it happens, things will change.

          If I'm legally, provably negligent, I expect to be held responsible for it. I'm a professional that takes pride in my work, not a monkey that throws code at a wall hoping some of it will stick.

          That's great, and I commend you for standing by your code (although I doubt you haven't shielded your personal self from lawsuits via being an employee of your own corporation). But many (if not most) developers aren't like you. They do actually throw code at wall until it works and then do minimal testing. The end result is that you get either free or very cheap

          • Open Source software is exempt from that law.
            And if the new camera software is not open source and is actually sold, then it should be operational. If it fails for the purpose I plan to use it for, then it is useless.

            If I buy a new car from the dealership, I expect it to not break down in 1000km, because someone at the factory forgot to tighten a screw.

            Why should commercial software be different?

      • by tlhIngan ( 30335 )

        This will kill open source and small time developers.

        No, it will kill all hobby development period. As well as all consumer products out there.

        Because it's possible to write secure software, but only businesses and governments will be able to afford it. The code that runs the safety systems in your car is generally a very small and very well regulated piece of code, and likely not very big in order to keep the price down.

        The code that ran the Space Shuttle, NASA estimates cost probably over $20,000 per line

      • Also online platforms can be held liable for a defective product sold on their platform just like any other economic operators if they act like one.

        "Sold"

        If you give it away for free, that's not selling.

        "In order not to hamper innovation or research, this Directive should not apply to
        free and open-source software developed or supplied outside the course of a commercial
        activity, since products so developed or supplied are by definition not placed on the
        market."

      • > whether a fledgling commercial effort or a hobby project

        Actually it's worse than that.

        The convention today is to have a project on github, have developer emails etc and submit pull requests.

        But this being FREE software, ANYONE, ANYWHERE and ANYWHEN can change the code. No need to be a developer by trade or hobby. Could just be a kid making a change to how something works, then sharing it on a couple of flash drives with a mate or two, one of which totally legally uploads it somewhere and others pick

    • Re:Long overdue (Score:5, Informative)

      by test321 ( 8891681 ) on Sunday October 27, 2024 @08:45PM (#64898587)

      why the exception on professional use?

      It's a consumer protection law.

      (28) [...] the aim of this Directive is to ensure that consumers and other natural persons can easily exercise their right to obtain compensation in the event of damage caused by defective products,

    • Re:Long overdue (Score:4, Insightful)

      by AleRunner ( 4556245 ) on Sunday October 27, 2024 @09:01PM (#64898613)

      But why the exception on professional use? Most of the damage from software defects is done by products used in a professional capacity.

      The professional is responsible for delivering a safe service to their client with whatever software they choose to use. Doing it this way avoids problems with either a professional not being able to use open source software because there's no company to be liable - doesn't matter, the professional is liable anyway. Alternatively it avoids problems with a professional using software in a way that the manufacturer didn't intend - doesn't matter, the professional is liable anyway.

      This is actually a really clever hack by the EU to make product liability work well for software. It's always the company that delivers the product that's liable. For example, Google delivers search whilst being paid with your private information. If they deliver a misleading search because of a bug in an underlying Spark library used in building the search then they have to pay for the damage they did. It's their fault for failing to pay for appropriate testing when they selected that library.

    • Think of the negative impact of this. Open Source Devs especially could be personally bankrupted by a single coding error. Professional liability needs to be left to contracts and separate laws.
    • But why the exception on professional use? Most of the damage from software defects is done by products used in a professional capacity.

      There are numerous European software companies that offer support contracts. I suspect SAP SE makes a majority of their revenue this way.
      There's almost no carrot, so the stick is your business can pay for professional support because the courts aren't going to hold your vendor liable except in the most egregious situation.

    • But why the exception on professional use?

      This applies to all consumer law in the EU and the UK. Business to business sales aren't covered because it is assumed that the business doing the purchasing has an ability and expertise or can hire in expertise to do a much better job of evaluating something than your Average Joe to aid their decision whether to buy or not.

  • No more SQL injection vulns. It's been 20 years since even PHP got a way to easily avoid those. You can be 100% perfect with that.
    • by lsllll ( 830002 )

      Yeah, because SQL injection vulnerabilities are the only ones out there.

      • by narcc ( 412956 )

        Yeah, because calling attention to one specific problem clearly means that the poster is unaware of any other problems...

        You should stick to writing romance novels.

      • SQL injections are a vulnerability that never should happen. There are ways to avoid it 100%.

        If a software developer writes an SQL injection vuln, they are incompetent at best, possibly negligent.
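As an added illustration of the point made in this sub-thread (not code from the original page or from any of the posters), here is the defect these comments call negligent beside the fix that has been available for decades: the same lookup written once by splicing the user's value into the SQL text and once with a parameterized query. The table, rows and function names are constructed for the example.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the original thread).
SAMPLE_USERS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    # executemany with placeholders: the values never touch the statement text.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The defect: the untrusted value is spliced into the SQL string, so the
    database parser treats whatever it contains as part of the statement."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a bound parameter is sent separately from the statement, so the
    value can only ever be compared as a literal string, never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (name,)))


if __name__ == "__main__":
    db = make_db()
    # A value containing a quote and an OR clause: the spliced query matches every
    # row, the parameterized query matches nothing because no user has that name.
    crafted = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, crafted))
    print("safe:  ", lookup_safe(db, crafted))
```

The two functions differ by one thing only: whether the value travels inside the statement or beside it. Every mainstream database driver offers the second form, which is why the thread treats the first as a matter of competence rather than of difficulty.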
  • I hope I'm wrong when reading this, but this would be the death of F/OSS as we know it:

    1: Someone writes a program to watch a serial line for packets and act on them if it notices a specified data pattern. Originally it was for a CS assignment, but was placed on a public GitHub repository.
    2: Some company uses it for a critical operation, for example, how much load a power line is needing, and sending a message to increase/decrease load at the power generation sources.
    3: The program fails or is run on an OS

    • by gweihir ( 88907 )

      Bullshit. This is for contexts where you bought something. FOSS is not a "product".

      • FOSS is not a "product".

        FOSS is incorporated into many products.

        • And those who do the incorporating will then be liable.

        • by allo ( 1728082 )

          Maybe that's the point when companies start giving back useful patches that also secure the open product.

        • by gweihir ( 88907 )

          Yes, so? And those that profit from FOSS in this way have liability. Do you see anything wrong with that? Do you see companies re-implementing massive amounts of FOSS themselves as a consequence? No. What will happen is that important FOSS projects will get better funding. There is absolutely nothing wrong with that.

    • In your example "Some company" would be on the hook, not "Someone".

      • Exactly, if they blindly incorporate some school project into their shipped product, they fully deserve the cluebatting.

  • by WaffleMonster ( 969671 ) on Sunday October 27, 2024 @09:47PM (#64898673)

    "In order to protect the health and property of natural persons, the defectiveness of a product
    should be determined by reference not to its fitness for use but to the lack of the safety that
    a person is entitled to expect or that is required under Union or national law. "

    "When determining the defectiveness of a product, reasonably foreseeable use also encompasses misuse that is not unreasonable under the circumstances, such as the foreseeable behaviour of a user of machinery resulting from a lack of concentration or the foreseeable behaviour of certain user groups such as children."

    "In so far as national law so provides, the right to compensation for injured persons should apply both to direct victims, who suffer damage directly caused by a defective product, and to indirect victims, who suffer damage as a result of the direct victim's damage"

    With this kind of liability how would anyone be able to sell general purpose computers with general purpose operating systems to the general public? It is after all not fitness for use that matters, it is the lowest denominator of human impairment and capability. Someone with an impairment pushes the wrong button and deletes their files, and you are liable for it and the follow on consequences. Ditto for a child that foreseeably sits in front of a computer and pushes random buttons to disastrous effect.

    I don't understand how this wouldn't immediately create so much liability as to essentially collapse the market for systems as we know it. I can easily see the decoupling of software from hardware where computers are sold without operating systems due to insane liability and nobody will even help you install an operating system because of the nexus to "commercial activity".

    With physical products for example cars, saws, drills, jack hammers, nail guns it is understood that products are inherently dangerous within context of use and users are expected to exercise reasonable care and competency. With something like a general purpose computer no such framing exists. Anyone can contrive any of endless scenarios where any general purpose computer system can be used in a context where liability is accumulated even when fit for use and completely bug free.

    • ... the lowest denominator ...

      How was this drivel marked "Insightful"?

      ... pushes the wrong button ...

      So, when a drunk pushes the wrong button/pedal and crashes the car, the manufacturer is liable because there wasn't a way to stop him crashing? I think the car analogy shows the flaw in your argument. But I'll explain: The car manufacturer has to provide (industry-standard) safety equipment, it does not have to make the car crash-proof.

      Ford put seat-belts in cars, in the 1950s but people kept dying. When the government made passengers use the safety equipment, t

      • So, when a drunk pushes the wrong button/pedal and crashes the car, the manufacturer is liable because there wasn't a way to stop him crashing? I think the car analogy shows the flaw in your argument. But I'll explain: The car manufacturer has to provide (industry-standard) safety equipment, it does not have to make the car crash-proof.

        I don't think drunk driving is an impairment that would count. Most likely being a child or being a human with poor attention or distraction or physical and mental impairments WOULD count based on the text I cited:

        "When determining the defectiveness of a product, reasonably foreseeable use also encompasses misuse that is not unreasonable under the circumstances, such as the foreseeable behaviour of a user of machinery resulting from a lack of concentration or the foreseeable behaviour of certain user group

    • by lsllll ( 830002 )

      I can easily see the decoupling of software from hardware where computers are sold without operating systems due to insane liability and nobody will even help you install an operating system because of the nexus to "commercial activity".

      Don't forget that a ton of software runs on practically ANY hardware (bios/firmware). So even hardware manufacturers are in the same shoe.

      With physical products for example cars, saws, drills, jack hammers, nail guns it is understood that products are inherently dangerous within context of use and users are expected to exercise reasonable care and competency.

      How does the 2nd paragraph you quoted jive with this? If "... such as the foreseeable behaviour of a user of machinery resulting from a lack of concentration or the foreseeable behaviour of certain user groups such as children" is a factor, then what would really exclude any of the products you listed from being safe from liability? Would all staple guns have to have a

      • How does the 2nd paragraph you quoted jive with this? If "... such as the foreseeable behaviour of a user of machinery resulting from a lack of concentration or the foreseeable behaviour of certain user groups such as children" is a factor, then what would really exclude any of the products you listed from being safe from liability? Would all staple guns have to have a "skin detector" like the saw blades that destroy the blade to protect your fingers in case they sense a ground?

        The point I'm trying to make is a general purpose computer can be used for anything by anyone. Parents generally wouldn't allow children to play with nail guns and so the pool of nail gun users can be constrained to those with certain competencies. A general purpose computer on the other hand can be used by anyone for any purpose.

        There is also the following:

        "Where a manufacturer integrates a defective component from another manufacturer into a product,
        an injured person should be able to seek compensation

        • a general purpose computer can be used for anything by anyone.

          That's a good thing.

          It is when you cannot use a general purpose computer for whatever purpose you have in mind, not because of your incompetence, but because it is defective (possibly by design) that you have a case.

          Like when your car won't let you use its brakes. Or its gas pedal. Technically, if your car won't move, it is perfectly safe. It is still defective. No matter what you wanted to use your car for.

          If you are driving under the influence, that's on you. If it won't start because you drained the

    • by evanh ( 627108 )

      The biggest problem here is that people, including the article's author, are conflating security with safety.

      Safety's purpose is to protect from unintentional harm.
      Security's purpose is to protect from intentional harm.

      Engineering for safety is taught and trained for already. It is applied to hardware and software alike where applicable.

      Security is not taught as part of safety.

      Also, defectiveness is not directly a security nor safety issue. It's first just a quality issue. That the consumer is getting wh

    • With this kind of liability how would anyone be able to sell general purpose computers with general purpose operating systems to the general public?

      Because general purpose computers and general purpose operating systems don't kill anyone? Seriously go actually look at software products that have the ability to actually do any kind of damage and you'll find that precautions to cover what you've quoted are already taken care of. This applies from something simple, such as trying to do something stupid like setting my thermostat to zero degrees (the system will *still* turn the heating on at 5C to prevent pipe freezing), or disconnecting thermostats altog

      • Because general purpose computers and general purpose operating systems don't kill anyone?

        Under the heading: "The right to compensation pursuant to Article 5 shall apply in respect of only the following types of damage:"

        "(c) destruction or corruption of data that are not used for professional purposes"

        You clearly don't understand what this is about. In this example the law would explicitly lead to car manufacturers being liable for things such as software errors in ABS routines. On the flip side I actively challenge you to use your computer in a way that you can inadvertently damage something. You say you can contrive the scenarios, get to it. Let's hear some examples.

        See above, the assumption this is limited to physical safety is flat wrong.

  • ..set of procedures, that if followed exactly, produces perfect code.
    Yes, some software is poorly made, some incredibly poorly made, and some sort of penalty for incompetence is fine.
    Unfortunately, the law deals in absolutes. Safe or unsafe, no middle ground. I see a slippery slope where unscrupulous lawyers use laws like this to extort good software makers because their code is not perfect

    • by gweihir ( 88907 )

      That is bullshit. The law does not deal in absolutes. Follow sound practices, do reasonable testing and be able to provide proof for that and you are good. Sure, cretin organizations like Microsoft are in deep shit with such requirements.

      • That is bullshit. The law does not deal in absolutes. Follow sound practices, do reasonable testing and be able to provide proof for that and you are good. Sure, cretin organizations like Microsoft are in deep shit with such requirements.

        Ok, for sake of discussion in this instance, this law does not deal in absolutes.

        Then you go on to say: Follow sound practices, do reasonable testing and be able to provide proof for that and you are good.

        Sounds to me like you favor a world where we write blank cheques to lawyers for years on end while a case is argued in Court.

        Show me ANY Court or honestly selected jury of your peers that has the technical wherewithal to evaluate the constraints you lay out.

        A jury of their peers might necessarily be bias

        • Re:There is no... (Score:4, Insightful)

          by lsllll ( 830002 ) on Monday October 28, 2024 @01:02AM (#64898957)

          And what about this in the summary:

          Software makers can avoid liability if they prove a defect was not discoverable given the "objective state of scientific and technical knowledge" at the time the product was put on the market.

          Objective state of scientific and technical knowledge? Do they realize that many developers out there have barely seen a hint of college, let alone have a degree? Do they expect every developer to be a "super programmer" who's abreast of all nuances that come with developing software? This appears to be a terrible law in the making.

          • by gweihir ( 88907 )

            They expect any developer that makes for-profit software to be competent at that job. There is absolutely nothing wrong with that requirement. We do not let amateurs do brain-surgery either, do we? And, come to think of it, all occupations that require real skill and can do real damage face this moment sooner or later.

    • ... extort good software makers ...

      Why can't the software-maker issue an update? Then, the software is compliant (because the maker took steps to mitigate the flaw). This law also demands actual damage be incurred or highly likely to be incurred. Legalized software-maker blackmail is not an option.

  • It sounds like they want to hold software developers to the same untenable standards as architects and engineers. As a licensed engineer, it is likely the right approach. Assuming it ends up working like E&O insurance does in the US, the net effect is the company needs to get the insurance, and the employee ends up only having risk for gross negligence. In practice, some engineers are willing to commit gross negligence, but they do so with the knowledge that it could result in the loss of their license

    • by evanh ( 627108 )

      It is apparent in many of the comments and the article too, that security is confused with safety.

      Engineers train for safety, not security. And they most certainly are not held responsible for any sort of security failures.

    • by evanh ( 627108 )

      An example: The fence around an electrical sub-station is there for safety. That fence, and its signage, is telling everyone to *please stay outside* for your safety. It is not telling you it will keep you out should you decide otherwise.

    • by lsllll ( 830002 ) on Monday October 28, 2024 @01:13AM (#64898977)

      Assuming it ends up working like E&O insurance does in the US, the net effect is the company needs to get the insurance, and the employee ends up only having risk for gross negligence.

      That would have made sense if this law was to start pushing this stringent spec on corporations, not individual developers. But it's being written the other way around. If the developer is responsible for the code he/she writes, then what's the responsibility of a corporation a developer works for?

      • Pay no attention to the little man behind the screen. Opening lawsuits to business brings them to heel. Just ask giant Internet media companies threatened with changes to section 230. Currently, they can individually buy all three of the Big 3 automakers, with petty cash. Automakers've been living under lawsuits for a century, and stock values match.

        Without that protection, the situation will normalize. If you feel that is normal.

        Remember suing lawyers is the most important faction.

  • Under the status quo, the software industry is extensively protected from liability for defects or issues, and this results in systemic underinvestment in product security

    Do you mean the dangers of putting all your security eggs in the one software/hardware monoculture?

    The Microsoft Monoculture: A Single Point of Failure [virtru.com]

    Warning: Microsoft 'Monoculture' [wired.com]

  • Simple Solution (Score:2, Insightful)

    by cstacy ( 534252 )

    For my personally owned company, and for my open-source software, henceforth I will amend (and re-license) all my work to explicitly forbid and disclaim any use within the EU.

    For any work I do under contract, or any employment (consulting or regular employee), I will require a contract wherein the company totally indemnifies me and assumes all liability. (Since I am officially retired now, this won't come up very often. So I can more easily tell employers to suck it, than when I did a lot of consulting in t

  • Hopefully an exception will be put in place to protect Free Software from such legal actions, although I would say that if a contract or agreement has been signed with the Free Software developer (or Open Source) although how that would apply to a distributor such as Red Hat would be interesting.

    As it's quite obvious that Free Software is incapable (without such agreements in place) of providing any sort of warranty, and we know it explicitly states that no warranty or fitness for a specific purpose is prov

    • Hopefully an exception will be put in place to protect Free Software from such legal actions

      Already is. Free and open source software are explicitly exempt under this directive.

  • Politicians and lawyers find it easy to hold others to standards they themselves can never approach. Software always contains bugs - good software has very few, but they're still there. Given that a program almost never runs in isolation, how will the courts decide which bit (user, application, libraries, kernel, compiler, hardware) is responsible. Nah, they'll go for joint liability as that way they can claim the maximum damages from everybody's pockets.
    If this goes through, I guess all open source soft

  • First, the question "can the EU do something" is just daft. They can do whatever they want to do. Nobody stopping them.

    Now what's the effect: Software has a cost to produce, and makes money by selling it (alone or as part of a product, like iOS). Companies can spend more money on software to make it more secure with the same features, or reduce the number of new features to make it more secure at less or zero cost, or do what they should have always done and listen to developers who know how to make it s

  • I detect many lawsuits coming in the direction of Microsoft and/or manufacturers of broken hardware over MS' crappy ACPI-table compiler. A product should function as the USER expects it to function, even when it's not used as expected. There are Linux users who buy a computer for which Microsoft's broken ACPI-table compiler has been used, this sometimes results in the machine not functioning as expected. The manufacturers expect said computers to be used with Windows, but someone wants to install Linux or s

  • What, you're happy with spending hundreds or thousands of dollars/Euros, and "we don't warrant this product as usable"?
