Can the EU Hold Software Makers Liable For Negligence? (lawfaremedia.org) 74

When it comes to introducing liability for software products, "the EU and U.S. are taking very different approaches," according to Lawfare's cybersecurity newsletter. "While the U.S. kicks the can down the road, the EU is rolling a hand grenade down it to see what happens." Under the status quo, the software industry is extensively protected from liability for defects or issues, and this results in systemic underinvestment in product security. Authorities believe that by making software companies liable for damages when they peddle crapware, those companies will be motivated to improve product security... [T]he EU has chosen to set very stringent standards for product liability, apply them to people rather than companies, and let lawyers sort it all out.

Earlier this month, the EU Council issued a directive updating the EU's product liability law to treat software in the same way as any other product. Under this law, consumers can claim compensation for damages caused by defective products without having to prove the vendor was negligent or irresponsible. In addition to personal injury or property damages, for software products, damages may be awarded for the loss or destruction of data. Rather than define a minimum software development standard, the directive sets what we regard as the highest possible bar. Software makers can avoid liability if they prove a defect was not discoverable given the "objective state of scientific and technical knowledge" at the time the product was put on the market.

Although the directive is severe on software makers, its scope is narrow. It applies only to people (not companies), and damages for professional use are explicitly excluded. There is still scope for collective claims such as class actions, however. The directive isn't law itself but sets the legislative direction for EU member states, and they have two years to implement its provisions. The directive commits the European Commission to publicly collating court judgements based on the directive, so it will be easy to see how cases are proceeding.

Major software vendors used by the world's most important enterprises and governments are publishing comically vulnerable code without fear of any blowback whatsoever. So yes, the status quo needs change. Whether it needs a hand grenade lobbed at it is an open question. We'll have our answer soon.

  • by Alinabi ( 464689 ) on Sunday October 27, 2024 @08:34PM (#64898569)
    But why the exception on professional use? Most of the damage from software defects is done by products used in a professional capacity.
    • Overdue? This will kill open source and small time developers. Who in their right mind would publish their software, whether a fledgling commercial effort or a hobby project, if they can be held liable for damages with the burden of proof not on the accuser but the defendant? Software is far too complex to demand perfection (see my sig), and while it is possible to create software that is proven to be safe to a degree, it is ridiculously expensive and out of reach of hobbyists or small businesses.
      • Re:Long overdue (Score:5, Insightful)

        by test321 ( 8891681 ) on Sunday October 27, 2024 @08:50PM (#64898595)

        JaredOfEuropa: This will kill open source

        No, it explicitly does not apply to open source:

        (14) [...] In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity, since products so developed or supplied are by definition not placed on the market

        JaredOfEuropa: with the burden of proof not on the accuser but the defendant?

        No, it explicitly asks for the burden of the proof to lie on the accuser:

        (42) [...] a person that claims compensation for damage caused by a defective product should bear the burden of proving the damage, the defectiveness of a product and the causal link between the two, in accordance with the standard of proof applicable under national law.

        • The first point is a relief, the second not much so. The accuser needs to prove damages and establish the software as the cause. That still requires software to be fault free if you wish to avoid suits for damages, rather than the much more reasonable standard of showing that common standards, practices and safeguards were applied.
          • Re:Long overdue (Score:5, Informative)

            by test321 ( 8891681 ) on Sunday October 27, 2024 @09:18PM (#64898643)

            You're referring to the difference between obligations of means and of results. A medical doctor has obligations of means (do what they can, hope for the best) while most of the time a provider of services has an obligation of result (a cook has an obligation of making the food safe and as enjoyable as one would expect from reading the name and seeing the picture). The Directive clarifies that here there is an obligation of result.

            Illustration:
            1) (physical malfunction) You buy a toaster and your house burns down because the electrical resistance malfunctioned. You sue the manufacturer.
            2) (software malfunction) You buy a Smart Toaster which burns down because of an infinite loop in the firmware. The manufacturer says it's not their fault since they used third party firmware; the firmware author says they followed usual good practice. It's nobody's fault still your house burnt and you're out in the cold. The Directive says you still can sue the firmware author.

            • Re:Long overdue (Score:5, Insightful)

              by jonsmirl ( 114798 ) on Sunday October 27, 2024 @09:38PM (#64898665) Homepage

              If the EU pursues this, the EU is going to end up with much less software, many fewer products and a lot of software which never gets updated. A company's response to this is going to be to dramatically shrink the amount of software in products sent into the EU. I'm just thinking about the stuff I work on, my first idea would be to release the code for a couple of years into the rest of the world and then only after I've gone a year or so without any issues, release into the EU. And then once I do release into the EU I am going to be extremely hesitant to change anything unless I absolutely have to. I am also going to raise my EU prices a lot to cover any liability. This totally destroys the model of release early and often. Instead you have to release into the EU using the most risk averse methods possible. I'm sitting here right now considering if I will even continue shipping into the EU.

              • Re:Long overdue (Score:4, Informative)

                by gweihir ( 88907 ) on Sunday October 27, 2024 @10:20PM (#64898741)

                Quite the contrary. The EU will have modern dependable software, while the rest of the world will still be stuck in crapware-land. Stop panicking and actually _read_ what is required. In all likelihood, doing good testing and documenting that will be quite enough.

                • Quite the contrary. The EU will have modern dependable software, while the rest of the world will still be stuck in crapware-land.

                  Nope.

                  Software companies won't maintain two source trees, with a "good" one for the EU and a "bad" one for everyone else.

                  Not gonna happen.

                  Everyone will get the "good" code because one source tree is simpler for developers.

                  The difference is that everyone else will get it cheap, and Europeans will pay much more to cover the cost of lawsuits.

                  • Quite the contrary. The EU will have modern dependable software, while the rest of the world will still be stuck in crapware-land.

                    Nope.

                    Software companies won't maintain two source trees, with a "good" one for the EU and a "bad" one for everyone else.

                    Not gonna happen.

                    Everyone will get the "good" code because one source tree is simpler for developers.

                    The difference is that everyone else will get it cheap, and Europeans will pay much more to cover the cost of lawsuits.

                    Well, according to how the free market is supposed to work, the ones who can't be bothered to produce quality software will leave the market. This will leave the market free to be exploited for profit by those reputable companies who can be bothered to produce high quality software through the choice of secure development tools, defensive programming and testing and who can afford to spend some time in court dealing with lawsuits. Of course that will also drive up software prices but what do you want? More

                    • It applies only to people (not companies)

                      I agree it's weird wording but I would guess they mean that the rights apply to individual customers not to companies i.e. If Bill Gates bought a defective product for personal use then he could sue on this basis but if Microsoft bought the product then they couldn't - they'd have to rely on whatever contractual terms they entered into.

              • by Anonymous Coward

                Just stop writing shitty code. Case in point, your homepage does not work.

              • by dstwins ( 167742 )
                Actually not really.. much of the issue is due to companies rushing to market with the notion of "we will fix it later" ignoring the consequences of their actions.. In many cases (not all, but many) companies have a list of defects (unpublished) with their products that are to be addressed in later releases/updates/SPs.. but the problem is the end user/end company doesn't KNOW that.. which means the burden of testing is on the end customer/company... who is screwed if that "defect" creates a vulnerability
              • A company's response to this is going to be to dramatically shrink the amount of software in products sent into the EU.

                That sounds like an awesome thing. I don't need a "smart" fridge, but those are what's available. There does not need to be tons of software in every thing.

                This totally destroys the model of release early and often.

                You mean release broken crap and have the users do the testing?

                For some reason, software makers decided that releasing broken crap and them maybe fixing it is completely acceptable, even for expensive software. Would you want to buy a brand new car that breaks down every 1000km because of a manufacturing defect ("oopsie, someone forgot to tighten a screw")?

              • by Cyberax ( 705495 )

                If the EU pursues this, the EU is going to end up much less software

                Is that bad? Europe won't get the newest IoT smart light switches with built-in house igniters? Such tragedy.

              • If that is your attitude to product responsibility, then by all means, please stop sending your shit to us here in the EU.

              • This totally destroys the model of release early and often.

                That is a good thing. "Release early, release often" is a good model for free software. It is not a good model for commercial software. Most customers don't want to be paying beta testers.

              • So better to live with a shitty product because you are too scared to force the company involved to fix their bugs and for them to be responsible for it?
              • To be honest, I really don't see a problem with the scenario you are describing. The EU users will have software thoroughly tested by the rest of the world used as early adopters, which will then be stable and updated only when it really should, while the rest of the world gets poorly tested, bloated crapware? Sign me up! Sure, some features will take a few iterations to appear in the EU (or not be imported at all), but that is a good tradeoff for mature and reliable software. It's where you draw the line,
              • I am not sure that less software is a bad thing. I used to be a hardware engineer when I still had hair. Verification constraints forced us to keep things simple. I remember a lot of discussions with the digital guys about making a setting programmable. They generally did not like that since this would explode the number of testvectors.
                So less fancy things, more stuff that works, but just that.
              • If the EU pursues this, the EU is going to end up much less software, many fewer products and a lot of software which never gets updated.

                No it won't. Most software already meets all the requirements using standard QA/QC issues. It's a fantasy to think that the EU will be different to America in this. In America people sue for virtually anything, including software problems.

                If you're that concerned about causing actual liability to someone due to the quality of your code then you really REALLY shouldn't be anywhere near a computer.

            • Correction. In 2) one still would sue the Smart Toaster manufacturer, not the firmware author. Because the Manufacturer is the one who has put the Product on the market (signed the EC compliance certificate). (The Manufacturer might sue the firmware author but this is not addressed in this Directive as it does not apply to B2B.)

          • by gweihir ( 88907 )

            No, it does not require "perfect" software. Can nobody read anymore? It just requires that the state-of-the-art is being followed.

            • by narcc ( 412956 )

              It just requires that the state-of-the-art is being followed.

              I've seen what modern "best practices" have done to software. We're all doomed.

        • No, it explicitly does not apply to open source:

          It does apply to open source. The manufacturer becomes liable for the open source code when the manufacturer integrates open source into their product. More importantly, due to the nexus of commercial activity, if a manufacturer relies on an open source component and buys support from the maintainer of that open source project, then the maintainer is on the hook for liability due to the corresponding commercial activity.

          "Providing such software on open repositories should not be considered as makin

        • by jmccue ( 834797 )

          What about SUSE ? They are based in Europe and sell support and their version of Linux. We just had the xz issue with OpenSSH. With this law would SUSE be in court ?

          Or a much better example, SAP in Germany. Their software is very famous for causing harm, especially during install and implementation. SAP is rolling out a new version which is far different than R/3. Will they stop offering it in the EU until they are sure it has no issues ?

          The law sounds good on paper, but I think Software Development

      • by schwit1 ( 797399 )

        Who would you sue if it were open source? I hope this would not apply to free software.

      • by gweihir ( 88907 )

        No, it will not. FOSS is not even in scope as it is not a "product". Small-time developers that sell to individuals may have to do things like document their testing, but that is essentially it. The claim that this "demands perfection" is just uninformed bullshit.

      • I currently run a small business and already hold professional indemnity and public liability insurance which applies to all software I write and contribute to.

        Many of my clients wouldn't hire me otherwise.

        It isn't that expensive.

        If I'm legally, provably negligent, I expect to be held responsible for it. I'm a professional that takes pride in my work, not a monkey that throws code at a wall hoping some of it will stick.
        • by lsllll ( 830002 )

          I currently run a small business and already hold professional indemnity and public liability insurance which applies to all software I write and contribute to.

          Many of my clients wouldn't hire me otherwise.

          As do I, and it's not prohibitively expensive (about $3500/year), but that's because I've never been sued. When it happens, things will change.

          If I'm legally, provably negligent, I expect to be held responsible for it. I'm a professional that takes pride in my work, not a monkey that throws code at a wall hoping some of it will stick.

          That's great, and I commend you for standing by your code (although I doubt you haven't shielded your personal self from lawsuits via being an employee of your own corporation). But many (if not most) developers aren't like you. They do actually throw code at wall until it works and then do minimal testing. The end result is that you get either free or very cheap

          • Open Source software is exempt from that law.
            And if the new camera software is not open source and is actually sold, then it should be operational. If it fails for the purpose I plan to use it for, then it is useless.

            If I buy a new car from the dealership, I expect it to not break down in 1000km, because someone at the factory forgot to tighten a screw.

            Why should commercial software be different?

      • by tlhIngan ( 30335 )

        This will kill open source and small time developers.

        No, it will kill all hobby development period. As well as all consumer products out there.

        Because it's possible to write secure software, but only businesses and governments will be able to afford it. The code that runs the safety systems in your car is generally a very small and very well regulated piece of code, and likely not very big in order to keep the price down.

        The code that ran the Space Shuttle, NASA estimates cost probably over $20,000 per line

      • Also online platforms can be held liable for a defective product sold on their platform just like any other economic operators if they act like one.

        "Sold"

        If you give it away for free, that's not selling.

        "In order not to hamper innovation or research, this Directive should not apply to
        free and open-source software developed or supplied outside the course of a commercial
        activity, since products so developed or supplied are by definition not placed on the
        market."

      • > whether a fledgling commercial effort or a hobby project

        Actually it's worse than that.

        The convention today is to have a project on github, have developer emails etc and submit pull requests.

        But this being FREE software, ANYONE, ANYWHERE and ANYWHEN can change the code. No need to be a developer by trade or hobby. Could just be a kid making a change to how something works, then sharing it on a couple of flash drives with a mate or two, one of which totally legally uploads it somewhere and others pick

    • Re:Long overdue (Score:5, Informative)

      by test321 ( 8891681 ) on Sunday October 27, 2024 @08:45PM (#64898587)

      why the exception on professional use?

      It's a consumer protection law.

      (28) [...] the aim of this Directive is to ensure that consumers and other natural persons can easily exercise their right to obtain compensation in the event of damage caused by defective products,

    • But why the exception on professional use? Most of the damage from software defects is done by products used in a professional capacity.

      The professional is responsible for delivering a safe service to their client with whatever software they choose to use. Doing it this way avoids problems with either a professional not being able to use open source software because there's no company to be liable - doesn't matter, the professional is liable anyway. Alternatively it avoids problems with a professional using software in a way that the manufacturer didn't intend - doesn't matter, the professional is liable anyway.

      This is actually a really cle

    • by gweihir ( 88907 )

      The exception is probably to allow a gradual introduction. Professional uses come with huge potential damage and hence it may be good to collect some experience with this partial approach first. Also, in professional use, the buyer may be required to demonstrate defectiveness as professional products follow different standards (more skill and insight required from the buyer). I agree that this is long overdue.

    • think of the negative impact on this. Open Source Devs especially could be personally bankrupted by a single coding error. Professional liability needs to be left to contracts and separate laws.
  • No more SQL injection vulns. It's been 20 years since even PHP got a way to easily avoid those. You can be 100% perfect with that.
    • by lsllll ( 830002 )

      Yeah, because SQL injection vulnerabilities are the only ones out there.

      • by narcc ( 412956 )

        Yeah, because calling attention to one specific problem clearly means that the poster is unaware of any other problems...

        You should stick to writing romance novels.
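
As an added illustration of the SQL injection point raised in the thread above (example code written for this page, not posted by any commenter and not taken from the Lawfare piece): the string-concatenated query that older PHP code made common, beside the parameterized form that every mainstream database driver has offered for many years. Python's sqlite3 module stands in for PHP's PDO here; the users table, the credentials and the payload are all constructed for the demo.

```python
"""Added example: SQL injection via string concatenation, beside the
parameterized query that prevents it. Python's sqlite3 module stands in
for PHP's PDO; the table, credentials and payload are constructed for the demo."""
import sqlite3

# Constructed sample data, not from any real system.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory users table populated with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Pre-prepared-statement style: the SQL text is assembled from user
    input, so a quote character in the input changes the statement's grammar."""
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, name, password):
    """Placeholders: the statement text is fixed and the driver binds the
    values separately, so input can only ever be compared as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo():
    """Run both versions against an honest login and a tautology payload."""
    conn = make_db()
    # Supplied as the password, this turns the WHERE clause into
    #   name = 'alice' AND password = '' OR '1'='1'
    # which, given AND's higher precedence, is true for every row.
    payload = "' OR '1'='1"
    return {
        "honest_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "attack_vulnerable": login_vulnerable(conn, "alice", payload),
        "honest_parameterized": login_parameterized(conn, "alice", "s3cret"),
        "attack_parameterized": login_parameterized(conn, "alice", payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable version returns every user for the tautology payload, while the parameterized version returns nothing, because the payload is compared as a literal password string rather than parsed as SQL. Note that parameterization protects values only; table and column names still have to come from an allow-list, since placeholders cannot stand in for identifiers.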

  • I hope I'm wrong when reading this, but this would be the death of F/OSS as we know it:

    1: Someone writes a program watch a serial line for packets and act on them if it notices a specified data pattern. Originally it was for a CS assignment, but was placed on a public GitHub repository.
    2: Some company uses it for a critical operation, for example, how much load a power line is needing, and sending a message to increase/decrease load at the power generation sources.
    3: The program fails or is run on an OS

  • by WaffleMonster ( 969671 ) on Sunday October 27, 2024 @09:47PM (#64898673)

    "In order to protect the health and property of natural persons, the defectiveness of a product
    should be determined by reference not to its fitness for use but to the lack of the safety that
    a person is entitled to expect or that is required under Union or national law. "

    "When determining the defectiveness of a product, reasonably foreseeable use also encompasses misuse that is not unreasonable under the circumstances, such as the foreseeable behaviour of a user of machinery resulting from a lack of concentration or the foreseeable behaviour of certain user groups such as children."

    "In so far as national law so provides, the right to compensation for injured persons should apply both to direct victims, who suffer damage directly caused by a defective product, and to indirect victims, who suffer damage as a result of the direct victim's damage"

    With this kind of liability how would anyone be able to sell general purpose computers with general purpose operating systems to the general public? It is after all not fitness for use that matters it is the lowest denominator of human impairment and capability. Someone with an impairment pushes the wrong button and deletes their files you are liable for it and the follow on consequences. Ditto for a child that foreseeably sits in front of a computer and pushes random buttons to disastrous effect.

    I don't understand how this wouldn't immediately create so much liability as to essentially collapse market for systems as we know it. I can easily see the decoupling of software from hardware where computers are sold without operating systems due to insane liability and nobody will even help you install an operating system because of the nexus to "commercial activity".

    With physical products for example cars, saws, drills, jack hammers, nail guns it is understood that products are inherently dangerous within context of use and users are expected to exercise reasonable care and competency. With something like a general purpose computer no such framing exists. Anyone can contrive any of endless scenarios where any general purpose computer system can be used in a context where liability is accumulated even when fit for use and completely bug free.

    • ... the lowest denominator ...

      How was this drivel marked "Insightful".

      ... pushes the wrong button ...

      So, when a drunk pushes the wrong button/pedal and crashes the car, is the manufacturer liable because there wasn't a way to stop him crashing? I think the car analogy shows the flaw in your argument. But I'll explain: The car manufacturer has to provide (industry-standard) safety equipment, it does not have to make the car crash-proof.

      Ford put seat-belts in cars in the 1950s, but people kept dying. When the government made passengers use the safety equipment, t

    • by lsllll ( 830002 )

      I can easily see the decoupling of software from hardware where computers are sold without operating systems due to insane liability and nobody will even help you install an operating system because of the nexus to "commercial activity".

      Don't forget that a ton of software runs on practically ANY hardware (bios/firmware). So even hardware manufacturers are in the same shoes.

      With physical products for example cars, saws, drills, jack hammers, nail guns it is understood that products are inherently dangerous within context of use and users are expected to exercise reasonable care and competency.

      How does the 2nd paragraph you quoted jibe with this? If "... such as the foreseeable behaviour of a user of machinery resulting from a lack of concentration or the foreseeable behaviour of certain user groups such as children" is a factor, then what would really exclude any of the products you listed from being safe from liability? Would all staple guns have to have a

    • by evanh ( 627108 )

      The biggest problem here is that people, including the article's author, are conflating security with safety.

      Safety's purpose is to protect from unintentional harm.
      Security's purpose is to protect from intentional harm.

      Engineering for safety is taught and trained for already. It is applied to hardware and software alike where applicable.

      Security is not taught as part of safety.

      Also, defectiveness is not directly a security nor safety issue. It's first just a quality issue. That the consumer is getting wh

    • With this kind of liability how would anyone be able to sell general purpose computers with general purpose operating systems to the general public?

      Because general purpose computers and general purpose operating systems don't kill anyone? Seriously, go actually look at software products that have the ability to actually do any kind of damage and you'll find that precautions to cover what you've quoted are already taken care of. This applies from something simple, such as trying to do something stupid like setting my thermostat to zero degrees (the system will *still* turn the heating on at 5C to prevent pipe freezing), or disconnecting thermostats altog

  • ..set of procedures, that if followed exactly, produces perfect code.
    Yes, some software is poorly made, some incredibly poorly made, and some sort of penalty for incompetence is fine.
    Unfortunately, the law deals in absolutes. Safe or unsafe, no middle ground. I see a slippery slope where unscrupulous lawyers use laws like this to extort good software makers because their code is not perfect

    • by gweihir ( 88907 )

      That is bullshit. The law does not deal in absolutes. Follow sound practices, do reasonable testing and be able to provide proof for that and you are good. Sure, cretin organizations like Microsoft are in deep shit with such requirements.

      • That is bullshit. The law does not deal in absolutes. Follow sound practices, do reasonable testing and be able to provide proof for that and you are good. Sure, cretin organizations like Microsoft are in deep shit with such requirements.

        Ok, for sake of discussion in this instance, this law does not deal in absolutes.

        Then you go on to say: Follow sound practices, do reasonable testing and be able to provide proof for that and you are good.

        Sounds to me like you favor a world where we write blank cheques to lawyers for years on end while a case is argued in Court.

        Show me ANY Court or honestly selected jury of your peers that has the technical wherewithal to evaluate the constraints you lay out.

        A jury of their peers might necessarily be bias

        • by lsllll ( 830002 )

          And what about this in the summary:

          Software makers can avoid liability if they prove a defect was not discoverable given the "objective state of scientific and technical knowledge" at the time the product was put on the market.

          Objective state of scientific and technical knowledge? Do they realize that many developers out there have barely seen a hint of college, let alone have a degree? Do they expect every developer to be a "super programmer" who's abreast of all nuances that come with developing software? This appears to be a terrible law in the making.

    • ... extort good software makers ...

      Why can't the software-maker issue an update? Then, the software is compliant (because the maker took steps to mitigate the flaw). This law also demands actual damage be incurred or highly likely to be incurred. Legalized software-maker blackmail is not an option.

  • The limitation to individuals will eventually fall, I expect, and this is a gradual introduction. But essentially, commercial software is no different from any other engineering product and needs to come with the same requirements. The case of FOSS will sort itself out, no doubt. The EU is _very_ aware of the importance of FOSS.

    • by lsllll ( 830002 )

      The limitation to individuals will eventually fall, I expect, and this is a gradual introduction.

      Wouldn't it then have made sense to first enforce it on corporations and then if it was successful, then extend it to individuals?

      But essentially, commercial software is no different from any other engineering product and needs to come with the same requirements.

      That is moronic. An engineer goes to a university and receives a degree, and then takes exams before they're given a title of "professional engineer". Many developers out there don't even have a degree, let alone having gone through an exam that tests their skills. This is why the responsibility for commercial software failure needs to fall squarely on the shoulder of corporat

  • It sounds like they want to hold software developers to the same untenable standards as architects and engineers. As a licensed engineer, it is likely the right approach. Assuming it ends up working like E&O insurance does in the US, the net effect is the company needs to get the insurance, and the employee ends up only having risk for gross negligence. In practice, some engineers are willing to commit gross negligence, but they do so with the knowledge that it could result in the loss of their license

    • by evanh ( 627108 )

      It is apparent in many of the comments and the article too, that security is confused with safety.

      Engineers train for safety, not security. And they most certainly are not held responsible for any sort of security failures.

    • by evanh ( 627108 )

      An example: The fence around an electrical sub-station is there for safety. That fence, and its signage, is telling everyone to *please stay outside* for your safety. It is not telling you it will keep you out should you decide otherwise.

    • by lsllll ( 830002 )

      Assuming it ends up working like E&O insurance does in the US, the net effect is the company needs to get the insurance, and the employee ends up only having risk for gross negligence.

      That would have made sense if this law was to start pushing this stringent spec on corporations, not individual developers. But it's being written the other way around. If the developer is responsible for the code he/she writes, then what's the responsibility of a corporation a developer works for?

  • Under the status quo, the software industry is extensively protected from liability for defects or issues, and this results in systemic underinvestment in product security

    Do you mean the dangers of putting all your security eggs in the one software/hardware monoculture.

    The Microsoft Monoculture: A Single Point of Failure [virtru.com]

    Warning: Microsoft 'Monoculture' [wired.com]
  • For my personally owned company, and for my open-source software, henceforth I will amend (and re-license) all my work to explicitly forbid and disclaim any use within the EU.

    For any work I do under contract, or any employment (consulting or regular employee), I will require a contract wherein the company totally indemnifies me and assumes all liability. (Since I am officially retired now, this won't come up very often. So I can more easily tell employers to suck it, than when I did a lot of consulting in t

  • Hopefully an exception will be put in place to protect Free Software from such legal actions, although I would say that if a contract or agreement has been signed with the Free Software developer (or Open Source) although how that would apply to a distributor such as Red Hat would be interesting.

    As it's quite obvious that Free Software is incapable (without such agreements in place) of providing any sort of warranty, and we know it explicitly states that no warranty or fitness for a specific purpose is prov

  • Politicians and lawyers find it easy to hold others to standards they themselves can never approach. Software always contains bugs - good software has very few, but they're still there. Given that a program almost never runs in isolation, how will the courts decide which bit (user, application, libraries, kernel, compiler, hardware) is responsible. Nah, they'll go for joint liability as that way they can claim the maximum damages from everybody's pockets.
    If this goes through, I guess all open source soft