com 9 hours ago

It’s really interesting how tech has had a lot of special exemptions from rules that apply to normal businesses, and how these are being rolled back slowly.

On the face of it, having a product security obligation doesn’t seem too extreme, since most manufactured goods and service offerings operate under similar rules.

I’m a bit worried that the “move fast, break things” mindset in SaaS startups isn’t going to be easy to change, and that, in the context of product liability, might have big impacts on future profitability and valuations too.

  • sokoloff 4 hours ago

    Does a (mechanical) door lock maker have liability when someone batters down the door? Or when someone’s key is left exposed and copied?

    It seems like some (most?) of the security vulnerabilities are analogous to things that physical goods manufacturers do not have liability for either.

    • eqvinox 4 hours ago

      > It seems like some (most?) of the security vulnerabilities are analogous to things that physical goods manufacturers do not have liability for either.

      I don't think this is true — just shipping whatever junk you've piled together by some deadline has become frustratingly common. Also note the article has this to say:

      Software makers can avoid liability if they prove a defect was not discoverable given the “objective state of scientific and technical knowledge” at the time the product was put on the market.

      • gruez 3 hours ago

        That sounds like most bugs wouldn't be able to avoid liability? Most bugs are stuff like memory corruption or sql injection, and could be discovered if you looked hard enough

        • eqvinox 3 hours ago

          Yes and no — I think there'll be an expectation that you follow best practices and use the tools available. The legal system doesn't expect "mathematical" perfection in cases like this; if you can show that you worked diligently (kept up on tools, have a test suite, use static analyzers and sanitizers, etc.) I'm reasonably sure you'll be off the hook.

          If you can show that.

          • Ekaros 19 minutes ago

            And/or follow some industry standard in process and product. Even if that standard is less than perfect. Lots of documentation. It might not entirely make sense for your use case, but having the trail that you did things is often good enough.

            • spwa4 6 minutes ago

              And how will you get paid for doing that in perpetuity? Are they asking you to do this for free?

      • whimsicalism 3 hours ago

        Unlike in the US, I do not expect European courts to be neutral between domestic vs foreign tech companies. They need to fix their system to encourage fair play before adding more rules.

        • Tomte 3 hours ago

          You remember the Roundup cases where US juries started convicting and handing out huge damages the very second the US manufacturer was bought by a European company?

    • lukev 4 hours ago

      I mean, to use the same analogy:

      1. A lock maker does not have liability if someone uses a battering ram on my door, or if I give a key to the wrong person.

      2. A lock maker may certainly have liability if the lock has a design defect and can be readily opened without a key.

      I see no problem with holding software liable for the latter category and not the former, provided the liability is proportionate to the value being protected.

      Software makers have skated by with poor quality software for a long time, based mostly on the fact that users can't tell the difference. As the field gets more sophisticated and software is relied on for more and more important things, this needs to change.

      • Brian_K_White 3 hours ago

        Has that actually ever happened? Lockpicking Lawyer shows most locks are almost effortless to pick. The same locks sold by the millions to all of us.

        Even so of course we know there IS liability for some things and maybe just locks are not a good example.

        But then maybe that just means that security itself is not a good example and the authorities are being inconsistent by going after security only in software.

        Or maybe it just means the liability should not be just security in general, but responsibility for when you hold something for someone else.

        Most other forms of liability are for the safety of an object sold to the public, or its very basic functionality. If a normal expected use of a lock cuts people's fingers off, or if it fails to latch at all, not if it is easy to defeat.

        • iterance 3 hours ago

          Lockmakers don't generally claim that their locks are completely resistant to bad actors, but good lockmakers will sometimes claim they are resistant to specific kinds of attack.

          On the legal side, "almost effortless to break" is not the same as non-functioning. In many cases the legal purpose of a lock is to establish intent and culpability: you can't aimlessly wander into a locked room, even if it has the world's shittiest Master lock on it. You gotta break the lock to do that. It serves as a semiotic indicator that an area or item was supposed to be off-limits; as a member of society the onus is on you to respect that.

          Locks are likely a poor analogy for software engineering.

      • wrs 3 hours ago

        #2 isn’t, practically speaking, true. Ordinary hardware store door locks can be opened in a few seconds (using techniques like “bump keys”). Is that a “design defect” if every professional knows it to be true? Locks get security ratings based (partially) on how long it will take to open them without a key.

        Perhaps the lock analogy is good, but that means the eventual answer is that software will have security ratings like locks (on a sliding scale, not binary secure/insecure), and you’ll get what you pay for.

        • lukev 3 hours ago

          Well, it's an analogy and that's where it breaks down, as all analogies do.

          A hardware store lock might protect a single shed, locker, or house.

          A software "lock" on a critical system is more equivalent in importance to the full physical security system surrounding a bank vault.

          • wrs 3 hours ago

            That’s why the lock analogy is good, though — not everything protected by software is like a bank vault. Door locks cost a lot less than vault locks, and as the customer I get to choose the appropriate level of security and pay accordingly. Right now as a software customer you don’t pay based on how secure you want the software to be, and the vendor isn’t liable for not meeting your expectations. In the end the customers are going to have to finance all this improved security, it won’t come for free.

            • lukev 3 hours ago

              I think we're agreeing here. Sane regulation would create a system where liability could exist for certain products, and consumers would have some idea of what they're paying for.

              • wrs 3 hours ago

                We are agreeing! Just trying to bring out the price differential that will result from a liability regime. We had this explosion of cheap software partially because nobody was paying for security (either with money or with inconvenience). Now it seems like people expect to fix it for free just by passing a law insisting it be so.

                The physical lock market is much more mature, and we don’t see “bank vault” security as the median lock, far from it.

      • stock_toaster 3 hours ago

        > A lock maker may certainly have liability if the lock has a design defect and can be readily opened without a key.

        Masterlock has entered the chat.

    • dartos 4 hours ago

      Yeah, smart door locks are notoriously easy to break.

      • ceejayoz 3 hours ago

        Some of the early ones let you yell "Alexa, open the door!" from outside the house, heh.

        • dartos 3 hours ago

          I didn’t even know this lol. I was talking about picking them normally.

charles_f 3 hours ago

If this goes, we can assume that like other practices where practitioners are liable:

- insurance industry will come in and be the real winner.

- practitioners will be required to have some sort of license to practice (eg be professional engineers).

- there will be norms, standards, certification authorities, and review committees for when something falls through. The auditing business might also come into the case.

- there will appear some sort of a caste system, such as doctors/nurses/medical assistants, dentists/dental assistants/dental receptionists, lawyers/legal assistants, etc.

- costs and delays will go up for the customers, by much more than the occasional payoff from a lawsuit will bring

- quality, notably of compliance and security, will go up, which is what's desired by that law.

  • kjksf 3 hours ago

    I wonder how you expect a high school kid or college student to afford insurance and get "some sort of license to practice"?

    Say goodbye to Linux - released by college student.

    Say goodbye to Winamp - released by a high schooler.

    Say goodbye to GTK+ and GIMP - released by 2 college students.

    Say goodbye to web browsers - why would Tim Berners-Lee or his employer CERN release a free product not related to their core mission if they could get sued by thousands of people?

    • eesmith 18 minutes ago

      Linux, open source, not covered under this requirement.

      Wikipedia tells me 'Winamp was first released in 1997, when Justin Frankel and Dmitry Boldyrev,[6][7][8] formerly students at the University of Utah', which makes them not high-schoolers. It was released by Nullsoft, Inc.

      GTK+ and GIMP, open source, not covered under this requirement.

      CERN httpd, open source, not covered under this requirement.

      By 'not covered under this requirement' I mean the following text in the directive applies:

      > Free and open-source software, whereby the source code is openly shared and users can freely access, use, modify and redistribute the software or modified versions thereof, can contribute to research and innovation on the market. Such software is subject to licences that allow anyone the freedom to run, copy, distribute, study, change and improve the software. In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity, since products so developed or supplied are by definition not placed on the market.

keikobadthebad 4 hours ago

How does this apply to FOSS under a license that explicitly doesn't provide any warranty?

  • Vespasian 3 hours ago

    I am not a lawyer (very definitely not) and may have missed context and/or other paragraphs, but the directive says

    "(14) Free and open-source software, whereby the source code is openly shared and users can freely access, use, modify and redistribute the software or modified versions thereof, can contribute to research and innovation on the market. Such software is subject to licences that allow anyone the freedom to run, copy, distribute, study, change and improve the software. In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity, since products so developed or supplied are by definition not placed on the market. Developing or contributing to such software should not be understood as making it available on the market. Providing such software on open repositories should not be considered as making it available on the market, unless that occurs in the course of a commercial activity. In principle, the supply of free and open-source software by non-profit organisations should not be considered as taking place in a business-related context, unless such supply occurs in the course of a commercial activity. However, where software is supplied in exchange for a price, or for personal data used other than exclusively for improving the security, compatibility or interoperability of the software, and is therefore supplied in the course of a commercial activity, this Directive should apply"

    see also the following recitals.

    I think this sounds pretty sensible. If you want to build a business you are responsible for defects in your wares. If you are gifting software you are not "selling".

    • zaroth 3 hours ago

      This is obviously a completely useless carve out. The EU will define something as commercial based on even having paid support or enterprise features, so if there’s any company behind the open source code at all, you can be sued by your free users picking it up and misusing it.

      So this seems like a really great way to stop any software from being released into Europe.

    • amelius 3 hours ago

      Maybe we will now see companies that will absorb the liability, e.g. reselling a FOSS package with a different license slapped on.

      • keikobadthebad 3 hours ago

        It's possible... but if it's open-ended what you're supposed to solve (eg, "security") it seems hard to be confident you won't be run into the ground trying to satisfy unlimited demands.

      • Vespasian 3 hours ago

        Combined with the EU Cyber Resilience Act they would be required to report security issues back to the original project.

        • keikobadthebad 3 hours ago

          But in FOSS the original project is not under any requirement to care, and may use a license that explicitly disclaims caring.

          Maybe it means the original project will get forked (or perhaps helped) if it doesn't take care of everything itself.

    • dotancohen 2 hours ago

      > However, where software is supplied in exchange for a price, or for personal data used other than exclusively for improving the security, compatibility or interoperability of the software

      I'm really glad that the legislation treats the exploitation of private information as a price.

    • woodruffw 3 hours ago

      This is better than blanket liability for unpaid maintainers, but it's unclear how it relates to OSS activities not "on the market" per se but nonetheless connected to the larger software market.

      Two examples come to mind: donations to OSS maintainers, and OSS maintainers who provide consulting services instead of selling software. The former is arguably covered by donations not being "sales," but some projects/groups do provide invoices (with no particular obligations) to make donations fit into the sale-shaped financial slot that most companies understand.

      • Y_Y 3 hours ago

        If you got the software itself without paying, then you aren't really paying for the software. If you buy consulting or warm fuzzies later then that's something different.

        • woodruffw 3 hours ago

          > If you buy consulting or warm fuzzies later then that's something different.

          I happen to agree, but the law itself doesn't make that clear. That's what matters.

    • keikobadthebad 3 hours ago

      Thanks. It seems to beg the question for how long should there be some implied requirement to fix things, if you were just paid to work on a FOSS project (and what was paid for is available under a liberal license).

      IOW if I got paid for some work on an existing project under a liberal license, what would I be getting myself into? (I assume the answer is 'nothing' if it happened before this directive, but if it happened after?)

      • spwa4 3 hours ago

        You don't know. The EU "makes laws", it is then to be interpreted by the member states into actual laws and then interpreted again by the judges of those member states. So you don't know.

        However, I highly doubt that EU citizens and companies will now suddenly be willing to pay for liability insurance for people they buy software from (and that will be more expensive the smaller the developer and/or company is)

      • Vespasian 3 hours ago

        I am certain there are already established practices for "freelancer" liability since this kind of employment happens a lot in other industries.

        However I'd be cautious when it comes to these finer details. It's where business liability insurance and lawyers are a wise investment.

        • keikobadthebad 3 hours ago

          Today it really boils down to the buyer accepts the work (usually work done in the period) as reasonable and pays for it, or not. Sometimes there are contractual requirements to make good on bugs afterwards on your own time. But often the hirer accepts the risk of bugs needing solving.

          This sounds like there might be extra requirements for an unending? unspecified? period, I don't see how anyone can make a living if so.

          • Vespasian 3 hours ago

            This kind of liability is not new in Europe. In fact it applies to a lot of products. Therefore similar (though obviously not identical) questions are already settled law.

            As a layman, it may be similar to the question of how long a manufacturer can be held responsible for material fatigue under regular use.

    • paiute 2 hours ago

      So sell the service and not the product.

  • carlosjobim 4 hours ago

    Put in a condition that Europeans are not allowed to use the code or the software in any way.

molticrystal 2 hours ago

>the producer has to provide compensation irrespectively of whether there is negligence or fault on their part.

This sounds terrible: anybody gaining access to a Unix-based shell and running rm -rf /*. It is going to make proprietary products close up even tighter so they don't have something similar to the US's "Hot Coffee" incident on GTA, and reduce modding ability.

pjmlp 4 hours ago

Nice to see, it is about time liabilities start being taken into account, especially if this is the only way to make software companies care about best practices.

  • zaroth 3 hours ago

    What “best practices” are you even talking about. Point to one piece of bug free software that performs a useful task. I’ll wait.

    • pjmlp 3 hours ago

      For me, you can wait as long as you feel like waiting.

      Here is one example of best practices,

      "A consequence of this principle is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time against both the upper and the lower declared bounds of the array. Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interests of efficiency on production runs. Unanimously, they urged us not to--they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980 language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law."

      -- C.A.R. Hoare's "The 1980 ACM Turing Award Lecture"

      Law is finally catching up.

      • zaroth 3 hours ago

        This is neither a best practice, nor does it result in bug free code.

        • pjmlp 34 minutes ago

          All boils down to

          Your opinion. My opinion. Legislators' opinion.
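The run-time subscript checking Hoare describes in the quote pjmlp cites above, shown as an added example that is not code from this thread or from Hoare: an unchecked C array read next to a read that rejects both directions of out-of-range index, exercised on a constructed four-element array. The `int_array` type and function names are this example's own.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Added example: a small array type whose length travels with the data,
 * so a read can be checked against the declared bounds. */
typedef struct {
    int *data;
    size_t len;
} int_array;

/* Unchecked read, i.e. the behaviour of a plain subscript in C. An index
 * outside [0, len) is undefined behaviour: in practice it silently reads
 * whatever memory sits next to the array, or crashes later. */
static int read_unchecked(const int_array *a, long idx) {
    return a->data[idx];
}

/* Checked read in the spirit of Hoare's description: the index is tested
 * against both the lower bound (0) and the upper bound (len) on every
 * access. A rejected access reports failure instead of touching memory. */
static bool read_checked(const int_array *a, long idx, int *out) {
    if (idx < 0 || (unsigned long)idx >= a->len) {
        return false;            /* out of declared bounds: refuse the read */
    }
    *out = a->data[idx];
    return true;
}

/* Apply the checked read to a batch of indices and count how many the
 * check rejected; this is the kind of signal a test suite or sanitizer
 * surfaces before a production run does. */
static size_t count_rejected(const int_array *a, const long *idxs, size_t n) {
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++) {
        int value;
        if (!read_checked(a, idxs[i], &value)) {
            rejected++;
        }
    }
    return rejected;
}

/* Constructed sample data for the demonstration. */
static int sample_storage[4] = {10, 20, 30, 40};
static const int_array SAMPLE = { sample_storage, 4 };

int main(void) {
    /* Mix of in-range and out-of-range indices (constructed). */
    const long idxs[] = {0, -1, 2, 4, 99};
    const size_t n = sizeof idxs / sizeof idxs[0];

    for (size_t i = 0; i < n; i++) {
        int value;
        if (read_checked(&SAMPLE, idxs[i], &value)) {
            printf("index %ld -> %d\n", idxs[i], value);
        } else {
            printf("index %ld -> rejected (outside [0, %zu))\n", idxs[i], SAMPLE.len);
        }
    }
    printf("%zu of %zu reads rejected\n", count_rejected(&SAMPLE, idxs, n), n);

    /* The unchecked variant is only ever called with an in-range index here;
     * calling it with 4 or -1 would be the undefined behaviour the check
     * exists to prevent. */
    printf("unchecked read of index 1 -> %d\n", read_unchecked(&SAMPLE, 1));
    return 0;
}
```

The signed index is deliberate: with an unsigned index the lower-bound test would be unreachable, and a negative value would wrap to a huge positive one that the upper-bound test catches only by accident of the comparison.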

eesmith 11 minutes ago

I provide a source license to my software. How does this affect me and my European customers?

More specifically, the directive says:

> Information is not, however, to be considered a product, and product liability rules should therefore not apply to the content of digital files, such as media files or e-books or the mere source code of software.

All I send is a license and copy of 'the mere source code of software'. Does that mean my product is not included under this directive?

goethes_kind 3 hours ago

My reading of this: the EU wants to give its old fashioned SME software houses a chance with their software products, against the likes of FAANG that typically offer the software for free.

Of course this also hurts EU startups, but that does not concern Brussels because the whole EU establishment is always defending the incumbents. And this is imho one of the reasons the EU is falling behind, because incumbents don't react well to paradigm shifts. It's a losing strategy. For all its many faults the US seems to have realized a long time ago that you cannot protect incumbents at the cost of startups.

  • fsckboy 3 hours ago

    >For all its many faults the US seems to have realized a long time ago that you cannot protect incumbents at the cost of startups.

    I think it wasn't an American realization as much as it was a success of "the American experiment" 250 years ago, a European experiment undertaken by Europeans living in North America, taking European ideas from the Enlightenment and applying them broadly, to politics, to religion, to the economy, and it flourished.

    The tendency to protect incumbents was harder to root out back where the incumbents were more firmly entrenched.

    If you want to take the "loose analogy" approach even further, consider that the Enlightenment was also the integration of Northern European ideas stemming from individual self reliance because you need to when it's cold as fuck outside, as opposed to southern European/Roman Empire successful ideas of depending on huge bureaucracies to gather and apportion more abundant resources.

    This is not a proof of anything, just a pointing out/noticing type set of ideas. To me it seems tied in to other intellectual trends we see in history, where, e.g., the Romantic era was a movement in music, and in art, and in literature, and in politics/social theory, seemingly unrelated areas moving in concert, a reflection of how our brains work.

    (probably similar ideas can be found outside the West, but it's not something I'm that educated about)

  • whimsicalism 3 hours ago

    Exactly. The EU needs to focus on fair play for all market participants urgently, it is quite literally making them poorer.

kachurovskiy 3 hours ago

There was a lot of commotion about 2018 GDPR but it turned out to be rather uneventful, some basic practices have been adopted, very few companies were fined a small amount and the question is largely settled. For small companies and individual devs, pretty much nothing changed apart from adding a boilerplate ToS and PP to their projects.

I would expect this legislative change to follow a similar path. If you run a business, liability is a big concern from the start and this extension of the liability scope seems reasonable overall. I'd say they even tread lightly here as "damages for professional use are explicitly excluded".

  • whimsicalism 3 hours ago

    That’s because the EU is very discretionary in its enforcement.

    > For small companies and individual devs, pretty much nothing changed apart from adding a boilerplate ToS and PP to their projects.

    A significant portion of these players are probably non-compliant but nobody cares

throw7 2 hours ago

the “objective state of scientific and technical knowledge”

snort

zaroth 3 hours ago

If this actually becomes law, it instantly makes it too dangerous to bother for me to ever ship software into the EU again.

Under this law, consumers can claim compensation for damages caused by defective products without having to prove the vendor was negligent or irresponsible. In addition to personal injury or property damages, for software products, damages may be awarded for the loss or destruction of data. Rather than define a minimum software development standard, the directive sets what we regard as the highest possible bar. Software makers can avoid liability if they prove a defect was not discoverable given the “objective state of scientific and technical knowledge” at the time the product was put on the market.

Look at the liability standard they are pushing! Not willful negligence, not reasonable care, but rather it sounds more akin to “could the bug have even theoretically been prevented given perfect information and unlimited funds”.

Yeah, no thanks, I’m human, so I won’t be accepting that level of liability for words I write into a text editor any time soon.

And kinda mind boggling that anyone who knows anything about how software actually works wouldn’t see this as completely batshit insane.

A more reasonable standard (malicious intent or reckless disregard for human safety would be a good starting point) would go a long way toward fixing this.

This current standard would get any developer sued out of existence by armies of AI lawyers long before you can ship a patch when someone complains that your software's divide-by-zero bug caused them “damages”.

And get a load of this;

Burden of proof: When the injured consumer is faced with excessive difficulties to prove the defectiveness of the product or the causal link between its defectiveness and the damage, a court may decide that the claimant is only required to prove the likelihood that the product was defective or that its defectiveness is a likely cause of the damage.

There’s a reason why EU GDP has completely stagnated versus the US, and the EU tech sector is a virtual rounding error in the world… and this trash mentality is a big part of it.

But wait, it gets worse…

Circular economy: When a product is repaired and upgraded outside the original manufacturer’s control, the company or person that modified the product should be held liable.

Bye bye downstream distro patches! And knowing the EU, they’ll say that “import Foo from Bar as MyFoo” is a “modification” and try to make anyone with cash in their pocket liable for any bug in any dependency they link to…

Online platforms can be held liable for a defective product sold on their platform just like any other economic operators if they act like one.

Bye bye app stores! Of course some will probably cheer this blindly ignoring or not comprehending the extraordinary value creation app stores are responsible for.

  • jeroenhd 3 hours ago

    I'm actually surprised software has been exempted for so long. Based on the lawsuits started against companies like Crowdstrike, it probably isn't, but nobody has bothered to write it down yet.

    What we have here is an intention, research into why it's necessary, and a process. None of this is law yet, this isn't even a legal proposal. The conclusions taken by this news publication are damn certain about something that's currently just a vague idea existing in a politician's drafts folder.

    It's obvious software vendors have to comply with some standard of warranty because lawsuits against buggy software are regularly won. Most documented cases I've found are actually from the US, so perhaps Europe is behind on the US for winning such cases, often in the form of class action suits.

    The EU isn't alone in wanting software vendors to be liable for their flaws; the White House also called for a law (see "Strategic objective 3.3"). This version has been wrapped in a soothing layer of "cybersecurity" but the implication is the same.

    • zaroth 3 hours ago

      It’s even worse to proscribe liability when the “flaw” is not even an actual operating failure, but the ability for a bad actor to break the software maliciously.

      Software is only as insecure as the user’s willingness to expose it to untrusted inputs, combined with the user’s willingness to give the software unfettered access to sensitive data.

      “Don’t let hackers control the input stream” is literally the end of any and all security issues.

  • pjmlp 3 hours ago

    Better take US and Commonwealth countries off the list as well, although you might get lucky if Trump wins; these kinds of laws aren't in his ballpark, so he might stop the ongoing legislation roadmap.

whimsicalism 3 hours ago

The EU should be trying to move away from greater liability burden, as the US has also realized it is a mistake with its current litigation nightmare.

It saddens me how poorly the bloc seems to be governed right now. It should basically be all hands on deck for capital markets formation.

Tort reform is one of the major ways economists/prominent policymakers believe we could improve in the US, but of course the EU goes the exact opposite direction.

  • hggigg 3 hours ago

    Someone’s been reading a bit too much Ayn Rand

    • whimsicalism 3 hours ago

      I am no fan of Ayn Rand at all. We have an obligation to help those worse off than us.

      Germany is now poorer on a per-capita basis than Mississippi, one of our most underinvested-in regions. I am no libertarian at all. The EU has such great potential it saddens me to see the level of mismanagement currently ongoing. Of course, they are also facing larger exogenous problems right now.

      • binoct 3 hours ago

        Comparing across countries on US-Dollar-adjusted per-capita income is easy to calculate but a pretty tricky metric to get a lot of value from. Another easy metric to look at that adds a couple more dimensions is the Human Development Index. It includes per capita GNI as a third of its weight, but Germany gets a 0.95 and Mississippi a 0.858. And the GINI score (lower is less inequality) for Germany is roughly .3 and for Mississippi it’s close to .5.

        None of these high level economics stats really captures what is going on and how people live. Higher economic output isn’t strictly better, nor is lower inequality. You may be right - Germany as one of the main EU economies may be massively suffering due to EU mismanagement, but I think you need to provide different support for that argument.

        • whimsicalism 40 minutes ago

          Differences in real exchange rates reflect real differences in the value of goods being produced. It quite literally reflects that the marginal euro holder values the dollar and things that can be purchased at it quite high. HDI is certainly not a better comparison. HDI has a 1/3 weighting on education and direct life expectancy comparisons are difficult when the US has significant genetic predisposition to diabetes/obesity relative to the EU.

          The Boston Fed discusses this better than I could [0] that the differences in real exchange rates make poorer countries materially poorer across numerous different channels, here's one:

          > Consider the implications of a higher relative price of capital goods for a developing economy attempting to invest in a balanced mix of machinery and structures. There is no consistent trend in the relative price of structures across economies: Rich economies can use bulldozers to dig foundations, but poor economies can use large numbers of low-paid unskilled workers to dig foundations. But the higher relative price of machinery capital in developing countries makes it more and more expensive to maintain a balanced mix: The poorer a country, the lower is the real investment share of GDP that corresponds to any given nominal savings share of GDP.

          In reference to gini scores, you're absolutely right (~0.45 vs 0.32) - and it means that pay for the median German is better than pay for the median Mississippian (roughly 62% higher median pay in Germany). Mississippi (and the US) need to do more to redistribute. The EU (and Germany) appear to be more output-constrained than redistribution-constrained.

          [0]: https://www.bostonfed.org/-/media/Documents/conference/40/co...