Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Software EU Government Security

Can the EU Hold Software Makers Liable For Negligence? (lawfaremedia.org) 132

When it comes to introducing liability for software products, "the EU and U.S. are taking very different approaches," according to Lawfare's cybersecurity newsletter. "While the U.S. kicks the can down the road, the EU is rolling a hand grenade down it to see what happens." Under the status quo, the software industry is extensively protected from liability for defects or issues, and this results in systemic underinvestment in product security. Authorities believe that by making software companies liable for damages when they peddle crapware, those companies will be motivated to improve product security... [T]he EU has chosen to set very stringent standards for product liability, apply them to people rather than companies, and let lawyers sort it all out.

Earlier this month, the EU Council issued a directive updating the EU's product liability law to treat software in the same way as any other product. Under this law, consumers can claim compensation for damages caused by defective products without having to prove the vendor was negligent or irresponsible. In addition to personal injury or property damages, for software products, damages may be awarded for the loss or destruction of data. Rather than define a minimum software development standard, the directive sets what we regard as the highest possible bar. Software makers can avoid liability if they prove a defect was not discoverable given the "objective state of scientific and technical knowledge" at the time the product was put on the market.

Although the directive is severe on software makers, its scope is narrow. It applies only to people (not companies), and damages for professional use are explicitly excluded. There is still scope for collective claims such as class actions, however. The directive isn't law itself but sets the legislative direction for EU member states, and they have two years to implement its provisions. The directive commits the European Commission to publicly collating court judgements based on the directive, so it will be easy to see how cases are proceeding.

Major software vendors used by the world's most important enterprises and governments are publishing comically vulnerable code without fear of any blowback whatsoever. So yes, the status quo needs change. Whether it needs a hand grenade lobbed at it is an open question. We'll have our answer soon.

This discussion has been archived. No new comments can be posted.

Can the EU Hold Software Makers Liable For Negligence?

Comments Filter:
  • by Alinabi ( 464689 ) on Sunday October 27, 2024 @07:34PM (#64898569)
    But why the exception on professional use? Most of the damage from software defects is done by products used in a professional capacity.
    • Re: (Score:2, Insightful)

      Overdue? This will kill open source and small time developers. Who in their right mind would publish their software, whether a fledgling commercial effort or a hobby project, if they can be held liable for damages with the burden of proof not on the accuser but the defendant? Software is far too complex to demand perfection (see my sig), and while it is possible to create software that is proven to be safe to a degree, it is ridiculously expensive and out of reach of hobbyists or small businesses.
      • Re:Long overdue (Score:5, Insightful)

        by test321 ( 8891681 ) on Sunday October 27, 2024 @07:50PM (#64898595)

        JaredOfEuropa: This will kill open source

        No, it explicitly does not apply to open source:

        (14) [...] In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity, since products so developed or supplied are by definition not placed on the market

        JaredOfEuropa: with the burden of proof not on the accuser but the defendant?

        No, it explicitly asks for the burden of the proof to lie on the accuser:

        (42) [...] a person that claims compensation for damage caused by a defective product should bear the burden of proving the damage, the defectiveness of a product and the causal link between the two, in accordance with the standard of proof applicable under national law.

        • The first point is a relief, the second not much so. The accuser needs to prove damages and establish the software as the cause. That still requires software to be fault free if you wish to avoid suits for damages, rather than the much more reasonable standard of showing that common standards, practices and safeguards were applied.
          • Re:Long overdue (Score:5, Informative)

            by test321 ( 8891681 ) on Sunday October 27, 2024 @08:18PM (#64898643)

            You're referring to the difference between obligations of means and of results. A medical doctor has obligations of means (do what they can, hope for the best) while most of the time a provider of services has an obligation of result (a cook has obligation of making the food safe and as enjoyable as one would expected from reading the name and seeing the picture). The objective of the Directive is clarified that here there is an obligation of result.

            Illustration:
            1) (physical malfunction) You buy a toaster and your house burns down because the electrical resistance malfunctioned. You sue the manufacturer.
            2) (software malfunction) You buy a Smart Toaster which burns down because of an infinite loop in the firmware. The manufacturer says it's not their fault since they used third party firmware; the firmware author says they followed usual good practice. It's nobody's fault still your house burnt and you're out in the cold. The Directive says you still can sue the firmware author.

            • Re: (Score:3, Insightful)

              by jonsmirl ( 114798 )

              If the EU pursues this, the EU is going to end up much less software, many fewer products and a lot of software which never gets updated. A company's response to this is going to be to dramatically shrink the amount of software in products sent into the EU. I'm just thinking about the stuff I work on, my first idea would be to release the code for a couple of years into the rest of the world and then only after I've gone a year or so without any issues, release into the EU. And then once I do release into t

              • Re:Long overdue (Score:5, Informative)

                by gweihir ( 88907 ) on Sunday October 27, 2024 @09:20PM (#64898741)

                Quite the contrary. The EU will have modern dependable software, while the rest of the world will still be stuck in crapware-land. Stop panicking and actually _read_ what is required. In all likelihood, doing good testing and documenting that will be quite enough.

                • Re:Long overdue (Score:5, Insightful)

                  by ShanghaiBill ( 739463 ) on Sunday October 27, 2024 @09:49PM (#64898787)

                  Quite the contrary. The EU will have modern dependable software, while the rest of the world will still be stuck in crapware-land.

                  Nope.

                  Software companies won't maintain two source trees, with a "good" one for the EU and a "bad" one for everyone else.

                  Not gonna happen.

                  Everyone will get the "good" code because one source tree is simpler for developers.

                  The difference is that everyone else will get it cheap, and Europeans will pay much more to cover the cost of lawsuits.

                  • Quite the contrary. The EU will have modern dependable software, while the rest of the world will still be stuck in crapware-land.

                    Nope.

                    Software companies won't maintain two source trees, with a "good" one for the EU and a "bad" one for everyone else.

                    Not gonna happen.

                    Everyone will get the "good" code because one source tree is simpler for developers.

                    The difference is that everyone else will get it cheap, and Europeans will pay much more to cover the cost of lawsuits.

                    Well, according to how the free market is supposed to work, the ones who can't be bothered to produce quality software will leave the market. This will leave the market free to be exploited for profit by those reputable companies who can be bothered to produce high quality software through the choice of secure development tools, defensive programming and testing and who can afford to spend some time in court dealing with lawsuits. Of course that will also drive up software prices but what do you want? More

                    • It applies only to people (not companies)

                      I agree it's weird wording but I would guess they mean that the rights apply to individual customers not to companies i.e. If Bill Gates bought a defective product for personal use then he could sue on this basis but if Microsoft bought the product then they couldn't - they'd have to rely on whatever contractual terms they entered into.

                    • This will leave the market free to be exploited for profit by those reputable companies who can be bothered to produce high quality software through the choice of secure development tools, defensive programming and testing

                      Well, that leaves out Apple and Microsoft, based on software release behaviors to date.

                    • "according to how the free market is supposed to work" LOLOLOL, no such thing. Suppose you're going to tell us about invisible sky wizards and bigfoot next?

                      There was a certain element of sarcastic intent behind those words.

                    • by gweihir ( 88907 )

                      This will leave the market free to be exploited for profit by those reputable companies who can be bothered to produce high quality software through the choice of secure development tools, defensive programming and testing

                      Well, that leaves out Apple and Microsoft, based on software release behaviors to date.

                      Yes. And that crap has to stop. The damage from those practices is already extreme and it is still rising.

              • Re:Long overdue (Score:5, Insightful)

                by dstwins ( 167742 ) on Monday October 28, 2024 @12:51AM (#64899011) Homepage
                Actually not really.. much of the issue is due to companies rushing to market with the notion of "we will fix it later" ignoring the consequences of their actions.. In many cases (not all, but many) companies have a list of defects (unpublished) with their products that are to be addressed in later releases/updates/SPs.. but the problem is the end user/end company doesn't KNOW that.. which means the burden of testing is on the end customer/company... who is screwed if that "defect" creates a vulnerability that causes damage to others. (security vulnerability being the largest impact). And companies (especially the larger ones) have no incentive to address this other than "maintain the status quo".

                This will either make companies more transparent about their defects.. (again, it takes the approach of "reasonable".. not perfect.. but if defects/vulnerabilities could have been caught with a simple scan and they didn't because of the rush to market or cost, then of course they should be held liable to those companies that were harmed by that) or they will slow their release cycles down to actually test/scan/improve their products..(this might also have a beneficial impact to customers/companies since its going to impact the justification of license upgrades (may be slower which benefits end consumers/companies, but may also be larger updates which might traditionally warrant a major release which benefits the producers)

                I don't think it will harm the EU (as a whole).. but it will ensure that what's released isn't simply a "rolling beta"..
              • Re:Long overdue (Score:5, Insightful)

                by Pentium100 ( 1240090 ) on Monday October 28, 2024 @01:47AM (#64899047)

                A company's response to this is going to be to dramatically shrink the amount of software in products sent into the EU.

                That sounds like an awesome thing. I don't need a "smart" fridge, but those are what's available. There does not need to be tons of software in every thing.

                This totally destroys the model of release early and often.

                You mean release broken crap and have the users to the testing?

                For some reason, software makers decided that releasing broken crap and them maybe fixing it is completely acceptable, even for expensive software. Would you want to buy a brand new car that breaks down every 1000km because of a manufacturing defect ("oopsie, someone forgot to tighten a screw")?

                • by 0xG ( 712423 )

                  Would you want to buy a brand new car that breaks down every 1000km because of a manufacturing defect ("oopsie, someone forgot to tighten a screw")?

                  Hey, I have one of those. It's called an F-150.

              • by Cyberax ( 705495 )

                If the EU pursues this, the EU is going to end up much less software

                Is that bad? Europe won't get the newest IoT smart light switches with built-in house igniters? Such tragedy.

                • Sure, the EU will miss out on the crap...but it will also miss out on the latest and greatest. Good luck getting any AI developer to work in the EU under these rules for a good long time because it is very hard, if not impossible, to make sure the algorithm never gets anything wrong.

                  That's the problem - software close to the bleeding edge is going to be inherently buggy and will have errors in it. Allowing companies to develop software like this is essential for progress but, by shielding them from legal
              • If that is your attitude to product responsibility, then by all means, please stop sending your shit to us here in the EU.

              • This totally destroys the model of release early and often.

                That is a good thing. "Release early, release often" is a good model for free software. It is not a good model for commercial software. Most customers don't want to be paying beta testers.

                • Release often is the best strategy almost everywhere. Long delays between release piles up bugs, which can be deep and hard to fix. Given the same amount of test efford, the release often strategy will have fewer bugs - and be able fix and release the fix faster. I worked a place where we went into release rarely strategy because releases were so expensive due to manual testing and paperwork, and then the releases only got much more expensive and buggy. The solution is automatic testing and release often.
              • So better to live with a shitty product because you are too scared to force the company involved to fix their bugs and for them to be responsible for it?
              • To be honest, I really don't see a problem with the scenario you are describing. The EU users will have software thoroughly tested by the rest of the world used as early adopters, which will then be stable and updated only when it really should, while the rest of the world gets poorly tested, bloated crapware? Sign me up! Sure, some features will take a few iterations to appear in the EU (or not be imported at all), but that is a good tradeoff for mature and reliable software. It's where you draw the line,
                • To be honest, I really don't see a problem with the scenario you are describing. The EU users will have software thoroughly tested by the rest of the world used as early adopters, which will then be stable and updated only when it really should, while the rest of the world gets poorly tested, bloated crapware? Sign me up! Sure, some features will take a few iterations to appear in the EU (or not be imported at all), but that is a good tradeoff for mature and reliable software. It's where you draw the line, I guess.

                  Seems like a Nirvana, with the EU blazing a path to the future with 100 percent error free, dare I say perfect software. A future where there is never a BSOD, and perfectly secure from hackers and issues forever and anon. Listen to this song while reading my post. https://www.youtube.com/watch?... [youtube.com]

              • I am not sure that less software is a bad thing. I used to be a hardware engineer when I still had hair. Verification constraints forced us to keep things simple. I remember a lot of discussions with the digital guys about making a setting programmable. They generally did not like that since this would explode the number of testvectors.
                So less fancy things, more stuff that works, but just that.
              • If the EU pursues this, the EU is going to end up much less software, many fewer products and a lot of software which never gets updated.

                No it won't. Most software already meets all the requirements using standard QA/QC issues. It's a fantasy to think that the EU will be different to America in this. In America people sue for virtually anything, including software problems.

                If you're that concerned about causing actual liability to someone due to the quality of your code then you really REALLY shouldn't be anywhere near a computer.

              • Fewer but more reliable products could be the result.
                But I see that this is probably not applicable to every program, just programs with a certain level of criticality where the customer suffers economic or physical harm.

            • Correction. In 2) one still would sue the the Smart Toaster manufacturer, not the firmware author. Because the Manufacturer is the one who has put the Product on the market (signed the EC compliance certificate). (The Manufacturer might sue the firmware author but this is not addressed in this Directive as it does not apply to B2B.)

          • by gweihir ( 88907 )

            No, it does not require "perfect" software. Can nobody read anymore? It just requires that the state-of-the-art is being followed.

            • by narcc ( 412956 )

              It just requires that the state-of-the-art is being followed.

              I've seen what modern "best practices" have done to software. We're all doomed.

        • No, it explicitly does not apply to open source:

          It does apply to open source. The manufacturer becomes liable for the open source code when manufacturer integrates open source into their product. More importantly due to nexus of commercial activity if a manufacturer relies on an open source component and buys support from the maintainer then the maintainer of an open source project then the maintainer is on the hook for liability due to the corresponding commercial activity.

          "Providing such software on open repositories should not be considered as makin

          • by bsolar ( 1176767 )

            More importantly due to nexus of commercial activity if a manufacturer relies on an open source component and buys support from the maintainer then the maintainer of an open source project then the maintainer is on the hook for liability due to the corresponding commercial activity.

            No, the maintainer would not be on the hook for liability. The maintainer would be selling a service or product to another business, not to a consumer so they can deny liability as the regulation covers consumers.

            Whoever repackages the Open Source component and sells that to a consumer cannot deny liability, but that has nothing to do with the maintainer which is not even a party in the transaction.

        • by jmccue ( 834797 )

          What about SUSE ? They are based in Europe and sells support and their version of Linux. We just had the xz issue with OpenSSH. With this law would SUSE be in court ?

          Or a much better example, SAP in Germany. Their software is very famous for causing harm, especially during install and implementation. SAP is rolling out a new version which is far different than R/3. Will they stop offering it in the EU until they are sure it has no issues ?

          The law sounds good on paper, but I think Software Development

          • SAP is b2b so they are not affected by this new law. SUSE does not sell the software, they sell support for said software so probably not affected either, but best to talk to a real lawyer here.
          • I think Software Development could be moved from the EU to other places.

            It doesn't matter where it is developed. What matters is where it is sold.

            If it is sold in the EU, EU laws apply.

      • by schwit1 ( 797399 )

        Who would you sue if it were open source? I hope this would not apply to free software.

      • by gweihir ( 88907 )

        No, it will not. FOSS is not even in scope as it is not a "product". Small-time developers that sell to individuals may have to do things like document their testing, but that is essentially it. The claim that this "demands perfection" is just uninformed bullshit.

      • I currently run a small business and already hold professional indemnity and public liability insurance which applies to all software I write and contribute to.

        Many of my clients wouldn't hire me otherwise.

        It isn't that expensive.

        If I'm legally, provably negligent, I expect to be held responsible for it. I'm a professional that takes pride in my work, not a monkey that throws code at a wall hoping some of it will stick.
        • by lsllll ( 830002 )

          I currently run a small business and already hold professional indemnity and public liability insurance which applies to all software I write and contribute to.

          Many of my clients wouldn't hire me otherwise.

          As do I, and it's not prohibitively expensive (about $3500/year), but that's because I've never been sued. When it happens, things will change.

          If I'm legally, provably negligent, I expect to be held responsible for it. I'm a professional that takes pride in my work, not a monkey that throws code at a wall hoping some of it will stick.

          That's great, and I commend you for standing by your code (although I doubt you haven't shielded your personal self from lawsuits via being an employee of your own corporation). But many (if not most) developers aren't like you. They do actually throw code at wall until it works and then do minimal testing. The end result is that you get either free or very cheap

          • Open Source software is exempt from that law.
            And if the new camera software is not open source and is actually sold, then it should be operational. If it fails for the purpose I plan use it, then it is useless.

            If I buy a new car from the dealership, I expect it to not break down in 1000km, because someone at the factory forgot to tighten a screw.

            Why should commercial software be different?

      • by tlhIngan ( 30335 )

        This will kill open source and small time developers.

        No, it will kill all hobby development period. As well as all consumer products out there.

        Because it's possible to write secure software, but only businesses and governments will be able to afford it. The code that runs the safety systems in your car are generally very small and very well regulated pieces of code, and likely not very big in order to keep the price down.

        The code that ran the Space Shuttle, NASA estimates cost probably over $20,000 per line

      • Also online platforms can be held liable for a defective product sold on their platform just like any other economic operators if they act like one.

        "Sold"

        If you give it away for free, that's not selling.

        "In order not to hamper innovation or research, this Directive should not apply to
        free and open-source software developed or supplied outside the course of a commercial
        activity, since products so developed or supplied are by definition not placed on the
        market."

      • > whether a fledgling commercial effort or a hobby project

        Actually it's worse than that.

        The convention today is to have a project on github, have developer emails etc and submit pull requests.

        But this being FREE software, ANYONE, ANYWHERE and ANYWHEN can change the code. No need to be a developer by trade or hobby. Could just be a kid making a change to how something works, then sharing it on a couple of flash drives with a mate or two, one of which totally legally uploads it somewhere and others pick

    • Re:Long overdue (Score:5, Informative)

      by test321 ( 8891681 ) on Sunday October 27, 2024 @07:45PM (#64898587)

      why the exception on professional use?

      It's a consumer protection law.

      (28) [...] the aim of this Directive is to ensure that consumers and other natural persons can easily exercise their right to obtain compensation in the event of damage caused by defective products,

    • Re:Long overdue (Score:5, Insightful)

      by AleRunner ( 4556245 ) on Sunday October 27, 2024 @08:01PM (#64898613)

      But why the exception on professional use? Most of the damage from software defects is done by products used in a professional capacity.

      The professional is responsible for delivering a safe service to their client with whatever software they choose to use. Doing it this way avoids problems with either a professional not being able to use open source software because there's no company to be liable - doesn't matter, the professional is liable anyway. Alternatively it avoids problems with a professional using software in a way that the manufacturer didn't intend - doesn't matter, the professional is liable anyway.

      This is actually a really clever hack by the EU to make product liability work well for software. It's always the company that delivers the product that's liabl. For example, Google delivers search whilst being paid with your private information. If they deliver a misleading search because of a bug in an underlying Spark library used in building the search then they have to pay for the damage they did. It's their fault for failing to pay for appropriate testing when they selected that library.

    • think of the negative impact on this. Open Source Devs especially could be personally bankrupted by a single coding error. Professional liability needs to be left to contracts and seperate laws.
    • But why the exception on professional use? Most of the damage from software defects is done by products used in a professional capacity.

      There are numerous European software companies that offer support contracts. I suspect SAP SE makes a majority of their revenue this way.
      There's almost no carrot, so the stick is your business can pay for professional support because the courts aren't going to hold your vendor liable except in the most egregious situation.

    • But why the exception on professional use?

      This applies to all consumer law in the EU and the UK. Business to business sales aren't covered because it is assumed that the business doing the purchasing has an ability and expertise or can hire in expertise to do a much better job of evaluating something than your Average Joe to aid their decision whether to buy or not.

  • No more SQL injection vulns. It's been 20 years since even PHP got a way to easily avoid those. You can be 100% perfect with that.
    • by lsllll ( 830002 )

      Yeah, because SQL injection vulnerabilities are the only ones out there.

      • by narcc ( 412956 )

        Yeah, because calling attention to one specific problem clearly means that the poster is unaware of any other problems...

        You should stick to writing romance novels.

      • SQL injections are a vulnerability that never should happen. There are ways to avoid it 100%.

        If a software developer writes an SQL injection vuln, they are incompetent at best, possibly negligent.
  • I hope I'm wrong when reading this, but this would be the death of F/OSS as we know it:

    1: Someone writes a program watch a serial line for packets and act on them if it notices a specified data pattern. Originally it was for a CS assignment, but was placed on a public GitHub repository.
    2: Some company uses it for a critical operation, for example, how much load a power line is needing, and sending a message to increase/decrease load at the power generation sources.
    3: The program fails or is run on an OS

    • by gweihir ( 88907 )

      Bullshit. This is for contexts where you bought something. FOSS is not a "product".

      • FOSS is not a "product".

        FOSS is incorporated into many products.

        • And those who do the incorporating will then be liable.

        • by allo ( 1728082 )

          Maybe that's the point when companies start giving back useful patches that also secure the open product.

        • by gweihir ( 88907 )

          Yes, so? And those that profit from FOSS in this way have liability. Do you see anything wrong with that? Do you see companies re-implementing massive amounts of FOSS themselves as a consequence? No. What will happen is that important FOSS project will get better funding. There is absolutely nothing wrong with that.

    • In your example "Some company" would be on the hook, not "Someone".

      • Exactly, if they blindly incorporate some school project into their shipped product, they fully deserve the cluebatting.

  • by WaffleMonster ( 969671 ) on Sunday October 27, 2024 @08:47PM (#64898673)

    "In order to protect the health and property of natural persons, the defectiveness of a product
    should be determined by reference not to its fitness for use but to the lack of the safety that
    a person is entitled to expect or that is required under Union or national law. "

    "When determining the defectiveness of a product, reasonably foreseeable use also encompasses misuse that is not unreasonable under the circumstances, such as the foreseeable behaviour of a user of machinery resulting from a lack of concentration or the foreseeable behaviour of certain user groups such as children."

    "In so far as national law so provides, the right to compensation for injured persons should apply both to direct victims, who suffer damage directly caused by a defective product, and to indirect victims, who suffer damage as a result of the direct victimâ(TM)s damage"

    With this kind of liability how would anyone be able to sell general purpose computers with general purpose operating systems to the general public? It is after all not fitness for use that matters it is the lowest denominator of human impairment and capability. Someone with an impairment pushes the wrong button and deletes their files you are liable for it and the follow on consequences. Ditto for a child that foreseeably sits in front of a computer and pushes random buttons to disastrous effect.

    I don't understand how this wouldn't immediately create so much liability as to essentially collapse market for systems as we know it. I can easily see the decoupling of software from hardware where computers are sold without operating systems due to insane liability and nobody will even help you install an operating system because of the nexus to "commercial activity".

    With physical products for example cars, saws, drills, jack hammers, nail guns it is understood that products are inherently dangerous within context of use and users are expected to exercise reasonable care and competency. With something like a general purpose computer no such framing exists. Anyone can contrive any of endless scenarios where any general purpose computer system can be used in a context where liability is accumulated even when fit for use and completely bug free.

    • ... the lowest denominator ...

      How was this drivel marked "Insightful".

      ... pushes the wrong button ...

      So, when a drunk pushes the wrong button/pedal and crashes the car, the manufacturer is liable because there wasn't a way to stop him crashing? I think the car analogy shows the flaw in your argument. But I'll explain: The car manufacturer has to provide (industry-standard) safety equipment, it does not have to make the car crash-proof.

      Ford put seat-belts in cars, in the 1950s but people kept dying. When the government made passengers use the safety equipment, t

      • So, when a drunk pushes the wrong button/pedal and crashes the car, the manufacturer is liable because there wasn't a way to stop him crashing? I think the car analogy shows the flaw in your argument. But I'll explain: The car manufacturer has to provide (industry-standard) safety equipment, it does not have to make the car crash-proof.

        I don't think drunk driving is an impairment that would count. Most likely being a child or being a human with poor attention or distraction or physical and mental impairments WOULD count based on the text I cited:

        "When determining the defectiveness of a product, reasonably foreseeable use also encompasses misuse that is not unreasonable under the circumstances, such as the foreseeable behaviour of a user of machinery resulting from a lack of concentration or the foreseeable behaviour of certain user group

    • by lsllll ( 830002 )

      I can easily see the decoupling of software from hardware where computers are sold without operating systems due to insane liability and nobody will even help you install an operating system because of the nexus to "commercial activity".

      Don't forget that a ton of software runs on practically ANY hardware (bios/firmware). So even hardware manufacturers are in the same shoe.

      With physical products for example cars, saws, drills, jack hammers, nail guns it is understood that products are inherently dangerous within context of use and users are expected to exercise reasonable care and competency.

      How does the 2nd paragraph you quoted jive with this? If "... such as the foreseeable behaviour of a user of machinery resulting from a lack of concentration or the foreseeable behaviour of certain user groups such as children" is a factor, then what would really exclude any of the products you listed from being safe from liability? Would all staple guns have to have a

      • How does the 2nd paragraph you quoted jive with this? If "... such as the foreseeable behaviour of a user of machinery resulting from a lack of concentration or the foreseeable behaviour of certain user groups such as children" is a factor, then what would really exclude any of the products you listed from being safe from liability? Would all staple guns have to have a "skin detector" like the saw blades that destroy the blade to protect your fingers in case they sense a ground?

        The point I'm trying to make is a general purpose computer can be used for anything by anyone. Parents generally wouldn't allow children to play with nail guns and so the pool of nail gun users can be constrained to those with certain competencies. A general purpose computer on the other hand can be used by anyone for any purpose.

        There is also the following:

        "Where a manufacturer integrates a defective component from another manufacturer into a product,
        an injured person should be able to seek compensation

        • a general purpose computer can be used for anything by anyone.

          That's a good thing.

          It is when you cannot use a general purpose computer for whatever purpose you have in mind, not because of your incompetence, but because is is defective (possibly by design) that you have a case.

          Like when your car won't let you use its breaks. Or its gas pedal. Technically, if your car won't move, it is perfectly safe. It is still defective. No matter what you wanted to use your car for.

          If you are driving under the influence, that's on you. If it won't start because you drained the

    • by evanh ( 627108 )

      The biggest problem here is that people, including the article's author, are conflating security with safety.

      Safety's purpose is to protect from unintentional harm.
      Security's purpose is to protect from intentional harm.

      Engineering for safety is taught and trained for already. It is applied to hardware and software alike where applicable.

      Security is not taught as part of safety.

      Also, defectiveness is not directly a security nor safety issue. It's first just a quality issue. That the consumer is getting wh

    • With this kind of liability how would anyone be able to sell general purpose computers with general purpose operating systems to the general public?

      Because general purpose computers and general purpose operating systems don't kill anyone? Seriously go actually look at software products that have the ability to actually do any kind of damage and you'll find that precautions to cover what you've quoted are already taken care of. This applies from something simple, such as trying to do something stupid like setting my thermostat to zero degrees (the system will *still* turn the heating on at 5C to prevent pipe freezing), or disconnecting thermostats altog

      • Because general purpose computers and general purpose operating systems don't kill anyone?

        Under the heading: "The right to compensation pursuant to Article 5 shall apply in respect of only the following types of damage:"

        "(c) destruction or corruption of data that are not used for professional purposes"

        You clearly don't understand what this is about. In this example the law would explicitly lead to car manufacturers being liable for things such as software errors in ABS routines. On the flip side I actively challenge you to use your computer in a way that you can inadvertently damage something. You say you can contrive the scenarios, get to it. Let's here some examples.

        See above, the assumption this is limited to physical safety is flat wrong.

  • ..set of procedures, that if followed exactly, produces perfect code.
    Yes, some software is poorly made, some incredibly poorly made, and some sort of penalty for incompetence is fine.
    Unfortunately, the law deals in absolutes. Safe or unsafe, no middle ground. I see a slippery slope where unscrupulous lawyers use laws like this to extort good software makers because their code is not perfect

    • by gweihir ( 88907 )

      That is bullshit. The law does not deal in absolutes. Follow sound practices, do reasonable testing and be able to provide proof for that and you are good. Sure, cretin organizations like Microsoft are in deep shit with such requirements.

      • That is bullshit. The law does not deal in absolutes. Follow sound practices, do reasonable testing and be able to provide proof for that and you are good. Sure, cretin organizations like Microsoft are in deep shit with such requirements.

        Ok, for sake of discussion in this instance, this law does not deal in absolutes.

        Then you go on to say: Follow sound practices, do reasonable testing and be able to provide proof for that and you are good.

        Sounds to me like you favor a world where we write blank cheques to lawyers for years on end while a case is argued in Court.

        Show me ANY Court or honestly selected jury of your peers that has the technical wherewithall to evaluate the constraints you lay out.

        A jury of their peers might necessarily be bias

        • Re:There is no... (Score:5, Insightful)

          by lsllll ( 830002 ) on Monday October 28, 2024 @12:02AM (#64898957)

          And what about this in the summary:

          Software makers can avoid liability if they prove a defect was not discoverable given the "objective state of scientific and technical knowledge" at the time the product was put on the market.

          Objective state of scientific and technical knowledge? Do they realize that many developers out there have barely seen a hint of college, let alone have a degree? Do they expect every developer to be a "super programmer" who's abreast of all nuances that come with developing software? This appears to be a terrible law in the making.

          • by gweihir ( 88907 )

            They expect any developer that makes for-profit software to be competent at that job. There is absolutely nothing wrong with that requirement. We do not let amateurs do brain-surgery either, do we? And, come to think of it, all occupations that require real skill and can do real damage face this moment sooner or later.

    • ... extort good software makers ...

      Why can't the software-maker issue an update? Then, the software is compliant (because the maker took steps to mitigate the flaw). This law also demands actual damage be incurred or highly likely to be incurred. Legalized software-maker blackmail is not an option.

  • It sounds like they want to hold software developers to the same untenable standards as architects and engineers. As a licensed engineer, it is likely the right approach. Assuming it ends up working like E&O insurance does in the US, the net effect is the company needs to get the insurance, and the employee ends up only having risk for gross negligence. In practice, some engineers are willing to commit gross negligence, but they do so with the knowledge that it could result in the loss of their license

    • by evanh ( 627108 )

      It is apparent in many of the comments and the article too, that security is confused with safety.

      Engineers train for safety, not security. And they most certainly are not held responsible for any sort of security failures.

    • by evanh ( 627108 )

      An example: The fence around an electrical sub-station is there for safety. That fence, and its signage, is telling everyone to *please stay outside* for your safety. It is not telling you it will keep you out should you decide otherwise.

    • by lsllll ( 830002 ) on Monday October 28, 2024 @12:13AM (#64898977)

      Assuming it ends up working like E&O insurance does in the US, the net effect is the company needs to get the insurance, and the employee ends up only having risk for gross negligence.

      That would have made sense if this law was to start pushing this stringent spec on corporations, not individual developers. But it's being written the other way around. If the developer is responsible for the code he/she writes, then what's the responsibility of a corporation a developer works for?

      • Pay no attention to the little man behind the screen. Opening lawsuits to business brings them to heel. Just ask giant Internet media companies threatned with changes to section 230. Currently, they can individually buy all three of the Big 3 automakers, with petty cash. Automakers've been living under lawsuits for a century, and stock values match.

        Without that protection, the situation will normalize. If you feel that is normal.

        Remember suing lawyers is the most important faction.

  • Under the status quo, the software industry is extensively protected from liability for defects or issues, and this results in systemic underinvestment in product security

    Do you mean the dangers of putting all your security eggs in the one software/hardware monoculture.

    The Microsoft Monoculture: A Single Point of Failure [virtru.com]

    Warning: Microsoft 'Monoculture' [wired.com]
  • Simple Solution (Score:2, Insightful)

    by cstacy ( 534252 )

    For my personally owned company, and for my open-source software, henceforth I will amend (and re-license) all my work to explicitly forbid and disclaim any use within the EU.

    For any work I do under contract, or any employment (consulting or regular employee), I will require a contract wherein the company totally indemnifies me and assumes all liability. (Since I am officially retired now, this won't come up very often. So I can more easily tell employers to suck it, than when I did a lot of consulting in t

  • Hopefully an exception will be put in place to protect Free Software from such legal actions, although I would say that if a contract or agreement has been signed with the Free Software developer (or Open Source) although how that would apply to a distributor such as Red Hat would be interesting.

    As it's quite obvious that Free Software is incapable (without such agreements in place) of providing any sort of warranty, and we know it explicitly states that no warranty or fitness for a specific purpose is prov

    • Hopefully an exception will be put in place to protect Free Software from such legal actions

      Already is. Free and open source software are explicitly exempt under this directive.

  • Politicians and lawyers find it easy to hold others to standards they themselves can never approach. Software always contains bugs - good software has very few, but they're still there. Given that a program almost never runs in isolation, how will the courts decide which bit (user, application, libraries, kernel, compiler, hardware) is responsible. Nah, they'll go for joint liability as that way they can claim the maximum damages from everybody's pockets.
    If this goes through, I guess all open source soft

  • by gnasher719 ( 869701 ) on Monday October 28, 2024 @08:08AM (#64899499)
    First, the question "can the EU do something" is just daft. They can do whatever they want to do. Nobody stopping them.

    Now what's the effect: Software has a cost to produce, and makes money by selling it (alone or as part of a product, like iOS). Companies can spend more money on software to make it more secure with the same features, or reduce the number of new features to make it more secure at less or zero cost, or do what they should have always done and listen to developers who know how to make it secure but are under pressure to produce more versions quickly. On the other hand, making it secure avoids losses in the EU, while reducing sales due to fewer features, alternatively adding the extra development cost to the bill. Being more secure is something that the average consumer doesn't value, and software that is so secure that you can't sue might even be seen as a disadvantage in the USA :-(

    The big problem is that companies following the law will suffer financially, one way or another, while companies ignoring the law make sure they have extracted all the case so they can lose a case but are incapable of paying.
  • I detect many lawsuits coming in the direction of Microsoft and/or manufacturers of broken hardware over MS' crappy ACPI-table compiler. A product should function as the USER expects it to function, even when it's not used as expected. There are Linux users who buy a computer for which Microsoft's broken ACPI-table compiler has been used, this sometimes results in the machine not functioning as expected. The manufacturers expect said computers to be used with Windows, but someone wants to install Linux or s

  • What, you're happy with spending hundreds or thousands of dollars/Euros, and "we don't warrant this product as usable"?

We are Microsoft. Unix is irrelevant. Openness is futile. Prepare to be assimilated.

Working...