
Can the EU Hold Software Makers Liable For Negligence? (lawfaremedia.org)

When it comes to introducing liability for software products, "the EU and U.S. are taking very different approaches," according to Lawfare's cybersecurity newsletter. "While the U.S. kicks the can down the road, the EU is rolling a hand grenade down it to see what happens." Under the status quo, the software industry is extensively protected from liability for defects or issues, and this results in systemic underinvestment in product security. Authorities believe that by making software companies liable for damages when they peddle crapware, those companies will be motivated to improve product security... [T]he EU has chosen to set very stringent standards for product liability, apply them to people rather than companies, and let lawyers sort it all out.

Earlier this month, the EU Council issued a directive updating the EU's product liability law to treat software in the same way as any other product. Under this law, consumers can claim compensation for damages caused by defective products without having to prove the vendor was negligent or irresponsible. In addition to personal injury or property damages, for software products, damages may be awarded for the loss or destruction of data. Rather than define a minimum software development standard, the directive sets what we regard as the highest possible bar. Software makers can avoid liability if they prove a defect was not discoverable given the "objective state of scientific and technical knowledge" at the time the product was put on the market.

Although the directive is severe on software makers, its scope is narrow. It applies only to people (not companies), and damages for professional use are explicitly excluded. There is still scope for collective claims such as class actions, however. The directive isn't law itself but sets the legislative direction for EU member states, and they have two years to implement its provisions. The directive commits the European Commission to publicly collating court judgements based on the directive, so it will be easy to see how cases are proceeding.

Major software vendors used by the world's most important enterprises and governments are publishing comically vulnerable code without fear of any blowback whatsoever. So yes, the status quo needs change. Whether it needs a hand grenade lobbed at it is an open question. We'll have our answer soon.

Comments:
  • But why the exception on professional use? Most of the damage from software defects is done by products used in a professional capacity.
    • Overdue? This will kill open source and small time developers. Who in their right mind would publish their software, whether a fledgling commercial effort or a hobby project, if they can be held liable for damages with the burden of proof not on the accuser but the defendant? Software is far too complex to demand perfection (see my sig), and while it is possible to create software that is proven to be safe to a degree, it is ridiculously expensive and out of reach of hobbyists or small businesses.
      • Re:Long overdue (Score:4, Insightful)

        by test321 ( 8891681 ) on Sunday October 27, 2024 @08:50PM (#64898595)

        JaredOfEuropa: This will kill open source

        No, it explicitly does not apply to open source:

        (14) [...] In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity, since products so developed or supplied are by definition not placed on the market

        JaredOfEuropa: with the burden of proof not on the accuser but the defendant?

        No, it explicitly asks for the burden of the proof to lie on the accuser:

        (42) [...] a person that claims compensation for damage caused by a defective product should bear the burden of proving the damage, the defectiveness of a product and the causal link between the two, in accordance with the standard of proof applicable under national law.

        • The first point is a relief, the second not much so. The accuser needs to prove damages and establish the software as the cause. That still requires software to be fault free if you wish to avoid suits for damages, rather than the much more reasonable standard of showing that common standards, practices and safeguards were applied.
          • You're referring to the difference between obligations of means and of results. A medical doctor has obligations of means (do what they can, hope for the best) while most of the time a provider of services has an obligation of result (a cook has an obligation to make the food safe and as enjoyable as one would expect from reading the name and seeing the picture). The Directive clarifies that here there is an obligation of result.

            Illustration:
            1) (physical malfunction) You buy a toaster a

            • If the EU pursues this, the EU is going to end up with much less software, many fewer products and a lot of software which never gets updated. A company's response to this is going to be to dramatically shrink the amount of software in products sent into the EU. I'm just thinking about the stuff I work on; my first idea would be to release the code for a couple of years into the rest of the world and then, only after I've gone a year or so without any issues, release into the EU. And then once I do release into t

              • by gweihir ( 88907 )

                Quite the contrary. The EU will have modern dependable software, while the rest of the world will still be stuck in crapware-land. Stop panicking and actually _read_ what is required. In all likelihood, doing good testing and documenting that will be quite enough.

                • Quite the contrary. The EU will have modern dependable software, while the rest of the world will still be stuck in crapware-land.

                  Nope.

                  Software companies won't maintain two source trees, with a "good" one for the EU and a "bad" one for everyone else.

                  Not gonna happen.

                  Everyone will get the "good" code because one source tree is simpler for developers.

                  The difference is that everyone else will get it cheap, and Europeans will pay much more to cover the cost of lawsuits.

          • by gweihir ( 88907 )

            No, it does not require "perfect" software. Can nobody read anymore? It just requires that the state-of-the-art is being followed.

        • No, it explicitly does not apply to open source:

          It does apply to open source. The manufacturer becomes liable for the open source code when the manufacturer integrates open source into their product. More importantly, due to the nexus of commercial activity, if a manufacturer relies on an open source component and buys support from the maintainer, then the maintainer of that open source project is on the hook for liability due to the corresponding commercial activity.

          "Providing such software on open repositories should not be considered as makin

        • by jmccue ( 834797 )

          What about SUSE? They are based in Europe and sell support and their version of Linux. We just had the xz issue with OpenSSH. With this law, would SUSE be in court?

          Or a much better example, SAP in Germany. Their software is very famous for causing harm, especially during install and implementation. SAP is rolling out a new version which is far different than R/3. Will they stop offering it in the EU until they are sure it has no issues ?

          The law sounds good on paper, but I think Software Development

      • by schwit1 ( 797399 )

        Who would you sue if it were open source? I hope this would not apply to free software.

      • by gweihir ( 88907 )

        No, it will not. FOSS is not even in scope as it is not a "product". Small-time developers that sell to individuals may have to do things like document their testing, but that is essentially it. The claim that this "demands perfection" is just uninformed bullshit.

    • Re:Long overdue (Score:4, Informative)

      by test321 ( 8891681 ) on Sunday October 27, 2024 @08:45PM (#64898587)

      why the exception on professional use?

      It's a consumer protection law.

      (28) [...] the aim of this Directive is to ensure that consumers and other natural persons can easily exercise their right to obtain compensation in the event of damage caused by defective products,

    • But why the exception on professional use? Most of the damage from software defects is done by products used in a professional capacity.

      The professional is responsible for delivering a safe service to their client with whatever software they choose to use. Doing it this way avoids problems with either a professional not being able to use open source software because there's no company to be liable - doesn't matter, the professional is liable anyway. Alternatively it avoids problems with a professional using software in a way that the manufacturer didn't intend - doesn't matter, the professional is liable anyway.

      This is actually a really cle

    • by gweihir ( 88907 )

      The exception is probably to allow a gradual introduction. Professional uses come with huge potential damage and hence it may be good to collect some experience with this partial approach first. Also, in professional use, the buyer may be required to demonstrate defectiveness as professional products follow different standards (more skill and insight required from the buyer). I agree that this is long overdue.

    • Think of the negative impact of this. Open Source devs especially could be personally bankrupted by a single coding error. Professional liability needs to be left to contracts and separate laws.
  • No more SQL injection vulns. It's been 20 years since even PHP got a way to easily avoid those. You can be 100% perfect with that.
  • I hope I'm wrong when reading this, but this would be the death of F/OSS as we know it:

    1: Someone writes a program that watches a serial line for packets and acts on them if it notices a specified data pattern. Originally it was for a CS assignment, but it was placed on a public GitHub repository.
    2: Some company uses it for a critical operation, for example, how much load a power line is needing, and sending a message to increase/decrease load at the power generation sources.
    3: The program fails or is run on an OS

  • by WaffleMonster ( 969671 ) on Sunday October 27, 2024 @09:47PM (#64898673)

    "In order to protect the health and property of natural persons, the defectiveness of a product
    should be determined by reference not to its fitness for use but to the lack of the safety that
    a person is entitled to expect or that is required under Union or national law. "

    "When determining the defectiveness of a product, reasonably foreseeable use also encompasses misuse that is not unreasonable under the circumstances, such as the foreseeable behaviour of a user of machinery resulting from a lack of concentration or the foreseeable behaviour of certain user groups such as children."

    "In so far as national law so provides, the right to compensation for injured persons should apply both to direct victims, who suffer damage directly caused by a defective product, and to indirect victims, who suffer damage as a result of the direct victim's damage"

    With this kind of liability, how would anyone be able to sell general purpose computers with general purpose operating systems to the general public? It is after all not fitness for use that matters; it is the lowest denominator of human impairment and capability. Someone with an impairment pushes the wrong button and deletes their files, and you are liable for it and the follow-on consequences. Ditto for a child that foreseeably sits in front of a computer and pushes random buttons to disastrous effect.

    I don't understand how this wouldn't immediately create so much liability as to essentially collapse the market for systems as we know it. I can easily see the decoupling of software from hardware, where computers are sold without operating systems due to insane liability and nobody will even help you install an operating system because of the nexus to "commercial activity".

    With physical products, for example cars, saws, drills, jack hammers and nail guns, it is understood that products are inherently dangerous within the context of use and users are expected to exercise reasonable care and competency. With something like a general purpose computer no such framing exists. Anyone can contrive endless scenarios where any general purpose computer system is used in a context where liability is accumulated even when it is fit for use and completely bug free.

  • ..set of procedures, that if followed exactly, produces perfect code.
    Yes, some software is poorly made, some incredibly poorly made, and some sort of penalty for incompetence is fine.
    Unfortunately, the law deals in absolutes. Safe or unsafe, no middle ground. I see a slippery slope where unscrupulous lawyers use laws like this to extort good software makers because their code is not perfect

    • by gweihir ( 88907 )

      That is bullshit. The law does not deal in absolutes. Follow sound practices, do reasonable testing and be able to provide proof for that and you are good. Sure, cretin organizations like Microsoft are in deep shit with such requirements.

  • The limitation to individuals will eventually fall, I expect, and this is a gradual introduction. But essentially, commercial software is no different from any other engineering product and needs to come with the same requirements. The case of FOSS will sort itself out, no doubt. The EU is _very_ aware of the importance of FOSS.

  • It sounds like they want to hold software developers to the same untenable standards as architects and engineers. As a licensed engineer, it is likely the right approach. Assuming it ends up working like E&O insurance does in the US, the net effect is the company needs to get the insurance, and the employee ends up only having risk for gross negligence. In practice, some engineers are willing to commit gross negligence, but they do so with the knowledge that it could result in the loss of their license
