It’s really interesting how tech has had a lot of special exemptions from rules that apply to normal businesses, and how these are being rolled back slowly.
On the face of it, having a product security obligation doesn’t seem too extreme, since most manufactured goods and service offerings operate under similar rules.
I’m a bit worried that the “move fast, break things” mindset in SaaS startups isn’t going to be easy to change, and that, in the context of product liability, might have big impacts on future profitability and valuations too.
> It seems like some (most?) of the security vulnerabilities are analogous to things that physical goods manufacturers do not have liability for either.
I don't think this is true — just shipping whatever junk you've piled together by some deadline has become frustratingly common. Also note the article has this to say:
Software makers can avoid liability if they prove a defect was not discoverable given the “objective state of scientific and technical knowledge” at the time the product was put on the market.
That sounds like most bugs wouldn't be able to avoid liability? Most bugs are stuff like memory corruption or SQL injection, and could be discovered if you looked hard enough.
Yes and no — I think there'll be an expectation that you follow best practices and use the tools available. The legal system doesn't expect "mathematical" perfection in cases like this; if you can show that you worked diligently (kept up on tools, have a test suite, use static analyzers and sanitizers, etc.) I'm reasonably sure you'll be off the hook.
And/or follow some industry standard in process and product. Even if that standard is less than perfect. Lots of documentation. It might not entirely make sense for your use case, but having the trail that you did things is often good enough.
Unlike in the US, I do not expect European courts to be neutral between domestic vs foreign tech companies. They need to fix their system to encourage fair play before adding more rules.
You remember the Roundup cases where US juries started convicting and handing out huge damages the very second the US manufacturer was bought by a European company?
I know multiple instances where even with reciprocity agreements/treaties (if approved in USA/Europe by that jurisdiction's authority bodies it is auto approved in the other) Europe will still fail approval. I have not run into the USA doing the same. Europe has a history of using its authority bodies to pick European winners.
1. A lock maker does not have liability if someone uses a battering ram on my door, or if I give a key to the wrong person.
2. A lock maker may certainly have liability if the lock has a design defect and can be readily opened without a key.
I see no problem with holding software liable for the latter category and not the former, provided the liability is proportionate to the value being protected.
Software makers have skated by with poor quality software for a long time, based mostly on the fact that users can't tell the difference. As the field gets more sophisticated and software is relied on for more and more important things, this needs to change.
Has that actually ever happened? Lockpicking Lawyer shows most locks are almost effortless to pick. The same locks sold by the millions to all of us.
Even so of course we know there IS liability for some things and maybe just locks are not a good example.
But then maybe that just means that security itself is not a good example and the authorities are being inconsistent by going after security only in software.
Or maybe it just means the liability should not be just security in general, but responsibility for when you hold something for someone else.
Most other forms of liability are for the safety of an object sold to the public, or its very basic functionality. If a normal expected use of a lock cuts people's fingers off, or if it fails to latch at all, not if it is easy to defeat.
Lockmakers don't generally claim that their locks are completely resistant to bad actors, but good lockmakers will sometimes claim they are resistant to specific kinds of attack.
On the legal side, "almost effortless to break" is not the same as non-functioning. In many cases the legal purpose of a lock is to establish intent and culpability: you can't aimlessly wander into a locked room, even if it has the world's shittiest Master lock on it. You gotta break the lock to do that. It serves as a semiotic indicator that an area or item was supposed to be off-limits; as a member of society the onus is on you to respect that.
Locks are likely a poor analogy for software engineering.
> Has that actually ever happened? Lockpicking Lawyer shows most locks are almost effortless to pick. The same locks sold by the millions to all of us.
The job of a home lock is not to be completely impervious to picking (or other bypass methods like shimming or drilling). It is to make getting in by defeating the lock harder than getting in by breaking the door or breaking a window to the kind of bad guy that most homeowners in the lock's target market will encounter.
Putting too high a security lock on your house doesn't really reduce your break-in rate and it can make it more expensive if you ever lose your keys if the lock is too hard for the locksmith you call to easily pick.
The locksmith may have to drill it, and then you need to replace the lock. If it is a high enough security lock that the locksmith can't get past it you'll end up breaking a window anyway, and you probably have to pay for at least 1/2 hour of the locksmith's hourly rate for them to have come out to tell you to break a window.
#2 isn’t, practically speaking, true. Ordinary hardware store door locks can be opened in a few seconds (using techniques like “bump keys”). Is that a “design defect” if every professional knows it to be true? Locks get security ratings based (partially) on how long it will take to open them without a key.
Perhaps the lock analogy is good, but that means the eventual answer is that software will have security ratings like locks (on a sliding scale, not binary secure/insecure), and you’ll get what you pay for.
That’s why the lock analogy is good, though — not everything protected by software is like a bank vault. Door locks cost a lot less than vault locks, and as the customer I get to choose the appropriate level of security and pay accordingly. Right now as a software customer you don’t pay based on how secure you want the software to be, and the vendor isn’t liable for not meeting your expectations. In the end the customers are going to have to finance all this improved security, it won’t come for free.
I think we're agreeing here. Sane regulation would create a system where liability could exist for certain products, and consumers would have some idea of what they're paying for.
We are agreeing! Just trying to bring out the price differential that will result from a liability regime. We had this explosion of cheap software partially because nobody was paying for security (either with money or with inconvenience). Now it seems like people expect to fix it for free just by passing a law insisting it be so.
The physical lock market is much more mature, and we don’t see “bank vault” security as the median lock, far from it.
>the producer has to provide compensation irrespectively of whether there is negligence or fault on their part.
This sounds terrible, anybody gaining access to a Unix-based shell and running rm -rf /*. It is going to make proprietary products close up even tighter so they don't have something similar to the US's "Hot Coffee" incident on GTA and reduce modding ability.
If this goes, we can assume that like other practices where practitioners are liable:
- insurance industry will come in and be the real winner.
- practitioners will be required to have some sort of license to practice (eg be professional engineers).
- there will be norms, standards, certification authorities, and review committees for when something falls through. The auditing business might also come into the case.
- there will appear some sort of a caste system, such as doctors/nurses/medical assistants, dentists/dental assistants/dental receptionist, lawyers/legal assistants, etc.
- costs and delays will go up for the customers, by much more than the occasional payoff from a lawsuit will bring
- quality, notably of compliance and security will go up, which is what's desired by that law.
I wonder how you expect a high school kid or college student to afford insurance and get "some sort of license to practice"?
Say goodbye to Linux - released by college student.
Say goodbye to Winamp - released by a high schooler.
Say goodbye to GTK+ and GIMP - released by 2 college students.
Say goodbye to web browsers - why would Tim Berners-Lee or his employer CERN release a free product not related to their core mission if they could get sued by thousands of people?
Linux, open source, not covered under this requirement.
Wikipedia tells me 'Winamp was first released in 1997, when Justin Frankel and Dmitry Boldyrev, formerly students at the University of Utah', which makes them not high-schoolers. It was released by Nullsoft, Inc.
GTK+ and GIMP, open source, not covered under this requirement.
CERN httpd, open source, not covered under this requirement.
By 'not covered under this requirement' I mean the following text in the directive applies:
> Free and open-source software, whereby the source code is openly shared and users can freely access, use, modify and redistribute the software or modified versions thereof, can contribute to research and innovation on the market. Such software is subject to licences that allow anyone the freedom to run, copy, distribute, study, change and improve the software. In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity, since products so developed or supplied are by definition not placed on the market.
And how does it apply to open source software if commercial activity is done with it. You install a PBX at a customer site? You install LibreOffice at a government site? The way I read this it's the first person that uses this for a commercial application that becomes liable.
That has squat all to do with a 'high school kid or college student' or CERN, which was the concern of the comment I replied to.
If you install a PBX which is two years out of date and has a high-severity, easily-triggered security hole which has since been patched, who is responsible? Who should be responsible?
My reading of this: the EU wants to give its old fashioned SME software houses a chance with their software products, against the likes of FAANG that typically offer the software for free.
Of course this also hurts EU startups, but that does not concern Brussels because the whole EU establishment is always defending the incumbents. And this is imho one of the reasons the EU is falling behind, because incumbents don't react well to paradigm shifts. It's a losing strategy. For all its many faults the US seems to have realized a long time ago that you cannot protect incumbents at the cost of startups.
>For all its many faults the US seems to have realized a long time ago that you cannot protect incumbents at the cost of startups.
I think it wasn't an American realization as much as it was a success of "the American experiment" 250 years ago, a European experiment undertaken by Europeans living in North America, taking European ideas from the Enlightenment and applying them broadly, to politics, to religion, to the economy, and it flourished.
The tendency to protect incumbents was harder to root out back where the incumbents were more firmly entrenched.
If you want to take the "loose analogy" approach even further, consider that the Enlightenment was also the integration of Northern European ideas stemming from individual self reliance because you need to when it's cold as fuck outside, as opposed to southern European/Roman Empire successful ideas of depending on huge bureaucracies to gather and apportion more abundant resources.
This is not a proof of anything, just a pointing out/noticing type set of ideas. To me it seems tied in to other intellectual trends we see in history, where, e.g., the Romantic era was a movement in music, and in art, and in literature, and in politics/social theory, seemingly unrelated areas moving in concert, a reflection of how our brains work.
(probably similar ideas can be found outside the West, but it's not something I'm that educated about)
Europeans were the ones that drove us away using things like threats of death, actual death/murder/vigilante sprees/burning our homes/crops, creating mass starvations, etc. all because our families were of the wrong faith or ethnic background according to the Europeans.
People that had no fall back, who had traveled across a very hostile ocean, and lost plenty of loved ones in the process, and were determined to carve out a life for themselves in a European-centric world that had shown itself up to that point very much against them. Americans that were determined to keep that government power/tyranny of the majority that had been used to murder/oppress/expel them in check.
Americans had/have a much different attitude than 'Europeans'. There's a reason many of us think of it as a pretty museum not a place to emulate. Europe didn't want us. Funny how Europe is so quick to forget this bit of our 'common' bond.
> Americans that were determined to keep that government power/tyranny of the majority that had been used to murder/oppress/expel them in check.
By using majority tyranny to work enslaved Europeans, Native Americans, and later Africans as engines of the fields?
You have a very blinkered rosy eyed picture of the colonial settlement of the USofA.
The colonies were very much European sponsored investment enterprises with owners and stockholders with European values in addition to being opposed to Crown taxes raised by batshit loons with Royal blood (an issue in Europe and not just the US).
Post independence trade continued and the original colonies remained Anglophile (the English colonies at least, the Dutch and other colonies also retained European ties).
I am not a lawyer (very definitely not) and may have missed context and or other paragraphs but the directive says
"(14) Free and open-source software, whereby the source code is openly shared and users can freely access, use, modify and redistribute the software or modified versions thereof, can contribute to research and innovation on the market. Such software is subject to licences that allow anyone the freedom to run, copy, distribute, study, change and improve the software. In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity, since products so developed or supplied are by definition not placed on the market. Developing or contributing to such software should not be understood as making it available on the market. Providing such software on open repositories should not be considered as making it available on the market, unless that occurs in the course of a commercial activity. In principle, the supply of free and open-source software by non-profit organisations should not be considered as taking place in a business-related context, unless such supply occurs in the course of a commercial activity. However, where software is supplied in exchange for a price, or for personal data used other than exclusively for improving the security, compatibility or interoperability of the software, and is therefore supplied in the course of a commercial activity, this Directive should apply"
see also the following recitals.
I think this sounds pretty sensible. If you want to build a business you are responsible for defects in your wares. If you are gifting software you are not "selling".
This is obviously a completely useless carve out. The EU will define something as commercial based on even having paid support or enterprise features, so if there’s any company behind the open source code at all, you can be sued by your free users picking it up and misusing it.
So this seems like a really great way to stop any software from being released into Europe.
> This is obviously a completely useless carve out.
I'm a Debian Developer. To me, that carve out is a major comfort. I doubt I'm alone. I expect it is viewed as very useful by everyone who develops open source.
Business who sell open source - well yeah, it probably is useless to them. That's kinda the point.
It's possible... but if it's open-ended what you're supposed to solve (eg, "security") it seems hard to be confident you won't be run into the ground trying to satisfy unlimited demands.
So in order to use any open-source software you must commit to fix security bugs and accept liability? And software users will actually do this?
It would raise the cost of open source software a lot if you do this, and the cost of all other software. This seems very unlikely to actually happen. By which I mean, government and commercial users seem to me very, very unlikely to be willing to pay for this when they could just as well just use software from outside the EU, and this will just really suck for EU software developers and companies.
Not to use it but to sell it commercially (apparently except for "professional use" in the current iteration).
And that isn't really that outlandish as you make it (maybe inadvertently) sound.
If a wheel falls off of your car because the foundry that made the steel of the screws got their recipe wrong, initially the whole liability is on the car manufacturer and they have got to fix that.
For you as a customer it stops there.
The manufacturer may (if their contract permits) try to get some money back from screw factory and they in turn from the steel mill etc. If someone goes bankrupt along the supply chain, tough luck for the one up chain.
So car manufacturers (and their suppliers) are really motivated to QA their parts because recalls are expensive and they may not even get back everything or anything.
You can't blame the universe for putting the wrong ore composition into the ground. You can only blame the people who failed to do proper checks on the way.
Software may follow a similar trajectory with Open source being the ore in the ground. You must take reasonable (see directive) steps to prevent that (e.g. good development practices, updates, react to CVEs etc).
> You can't blame the universe for putting the wrong ore composition into the ground. You can only blame the people who failed to do proper checks on the way.
Almost all mining companies in the EU are government-sponsored or owned (or, more often, owned by politicians or royal families, e.g. Total and (ex-)French presidents and ministers or Shell and the Dutch Royal Family, which then "somehow" results in government support for them, often with suspiciously few people supporting the mining effort. You know, suspiciously little support, given that they're democracies).
Needless to say, I've not heard of these sorts of companies being convicted to fix damages they've caused. If anything is done, it's always the government offering to do it from taxes (e.g. a harbor upgrade in Le Havre demanding the contracting company fixes Total refinery pollution). Have you?
Cars are different because while the German and French states have HUGE interests in car manufacturing, none of the others have. So any car defect, depending on if it's Renault or Mercedes/VW turns into the EU siding with the German or French camp in the EU and either demanding the companies fix it, or demanding nothing happens. Italy tried participating in this game, but, well, we all know what happened. So car QA is indeed done, to avoid the year-long EU-wide diplomatic incidents a recall causes.
Or take the example of public works contractors. These tend to be temporary alliances (e.g. need a big bridge? A company is created by 5 contracting companies just for the explicit purpose of building THAT one bridge, THAT specific tunnel, THAT train station, ordering for pre-agreed amounts of dollars from the specific contractors). Sometimes this company keeps existing to provide maintenance afterwards. If shit hits the fan, which is often, the company immediately goes bankrupt and nobody from whatever government approved the bid is held responsible, nor are the 5 contractors, but whatever repair money comes from the government budget anyway.
So, how will it work for software? Because your explanation sounds vaguely reasonable in theory, if you compare it to actual practice it becomes very unclear.
Is this created to make it impossible to have any kind of software company in the EU without government support, like for contractors? Is this made to be a threat or a weapon against American or Chinese companies?
Thanks. It seems to beg the question for how long should there be some implied requirement to fix things, if you were just paid to work on a FOSS project (and what was paid for is available under a liberal license).
IOW if I got paid for some work on an existing project under a liberal license, what would I be getting myself into? (I assume the answer is 'nothing' if it happened before this directive, but if it happened after?)
You don't know. The EU "makes laws", it is then to be interpreted by the member states into actual laws and then interpreted again by the judges of those member states. So you don't know.
However, I highly doubt that EU citizens and companies will now suddenly be willing to pay for liability insurance for people they buy software from (and that will be more expensive the smaller the developer and/or company is)
Today it really boils down to the buyer accepts the work (usually work done in the period) as reasonable and pays for it, or not. Sometimes there are contractual requirements to make good on bugs afterwards on your own time. But often the hirer accepts the risk of bugs needing solving.
This sounds like there might be extra requirements for an unending? unspecified? period, I don't see how anyone can make a living if so.
This kind of liability is not new in Europe. In fact it applies to a lot of products. Therefore similar (though obviously not identical) questions are already settled law.
As a layman, it may be similar to the question of how long a manufacturer can be held responsible for material fatigue under regular use?
> However, where software is supplied in exchange for a price, or for personal data used other than exclusively for improving the security, compatibility or interoperability of the software
I'm really glad that the legislation treats the exploitation of private information as a price.
This is better than blanket liability for unpaid maintainers, but it's unclear how it relates to OSS activities not "on the market" per se but nonetheless connected to the larger software market.
Two examples come to mind: donations to OSS maintainers, and OSS maintainers who provide consulting services instead of selling software. The former is arguably covered by donations not being "sales," but some projects/groups do provide invoices (with no particular obligations) to make donations fit into the sale-shaped financial slot that most companies understand.
If you got the software itself without paying, then you aren't really paying for the software. If you buy consulting or warm fuzzies later then that's something different.
I provide a source license to my software. How does this affect me and my European customers?
More specifically, the directive says:
> Information is not, however, to be considered a product, and product liability rules should therefore not apply to the content of digital files, such as media files or e-books or the mere source code of software.
All I send is a license and copy of 'the mere source code of software'. Does that mean my product is not included under this directive?
Nice to see, it is about time liabilities start being taken into account, especially if this is the only way to make software companies care about best practices.
For me, you can wait as long as you feel like waiting.
Here is one example of best practices,
"A consequence of this principle is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time against both the upper and the lower declared bounds of the array. Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interests of efficiency on production runs. Unanimously, they urged us not to--they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980 language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law."
-- C.A.R. Hoare's "The 1980 ACM Turing Award Lecture"
The EU should be trying to move away from greater liability burden, as the US has also realized it is a mistake with its current litigation nightmare.
It saddens me how poorly the bloc seems to be governed right now. It should basically be all hands on deck for capital markets formation.
Tort reform is one of the major ways economists/prominent policymakers believe we could improve in the US, but of course the EU goes the exact opposite direction.
I am no fan of Ayn Rand at all. We have an obligation to help those worse off than us.
Germany is now poorer on a per-capita basis than Mississippi, one of our most underinvested in regions. I am no libertarian at all. The EU has such great potential it saddens me to see the level of mismanagement currently ongoing. Of course, they are also facing larger exogenous problems right now.
Comparing across countries on US-Dollar-adjusted per-capita income is easy to calculate but a pretty tricky metric to get a lot of value from. Another easy metric to look at that adds a couple more dimensions is the Human Development Index. It includes per capita GNI as a third of its weight, but Germany gets a 0.95 and Mississippi a 0.858. And the GINI score (lower is less inequality) for Germany is roughly .3 and for Mississippi it’s close to .5.
None of these high level economics stats really captures what is going on and how people live. Higher economic output isn’t strictly better, nor is lower inequality. You may be right - Germany as one of the main EU economies may be massively suffering due to EU mismanagement, but I think you need to provide different support for that argument.
Differences in real exchange rates reflect real differences in the value of goods being produced. It quite literally reflects that the marginal euro holder values the dollar and things that can be purchased at it quite high. HDI is certainly not a better comparison. HDI has a 1/3 weighting on education and direct life expectancy comparisons are difficult when the US has significant genetic predisposition to diabetes/obesity relative to the EU.
The Boston Fed discusses this better than I could [0] that the differences in real exchange rates make poorer countries materially poorer across numerous different channels, here's one:
> Consider the implications of a higher relative price of capital goods for a developing economy attempting to invest in a balanced mix of machinery and structures. There is no consistent trend in the relative price of structures across economies: Rich economies can use bulldozers to dig foundations, but poor economies can use large numbers of low-paid unskilled workers to dig foundations. But the higher relative price of machinery capital in developing countries makes it more and more expensive to maintain a balanced mix: The poorer a country, the lower is the real investment share of GDP that corresponds to any given nominal savings share of GDP.
In reference to gini scores, you're absolutely right (~0.45 vs 0.32) - and it means that pay for the median German is better than pay for the median Mississippian (roughly 62% higher median pay in Germany). Mississippi (and the US) need to do more to redistribute. The EU (and Germany) appear to be more output-constrained than redistribution-constrained.
Thanks for the engaged discussion, I am not an economist but find this fascinating to learn about.
My understanding is that paper's key point is the higher the absolute economic output the larger fraction of that output can be re-invested in efficiency/technological improvements, which compounds over time and leads to increasing gaps between different countries. Did I get that right even if very simplified? I'd also be curious to read De Long's most recent book since he says he has significantly changed his opinions in the intervening 30 years and has swung significantly leftwards.
As for the issue of comparing Mississippi and Germany, backing out state-level vs US growth for comparison adds some challenge, but best I can figure for the period since 1997 that I can find data, they both have roughly the same 1.4x real GDP growth, which lags the US at 1.7x. I still take issue with the implication that Germany is somehow doing worse than Mississippi, but agree the US is clearly doing better at growing in absolute terms.
Why are you confident HDI is "certainly not" a better comparison than GNI? You seem to imply that comparing achieved education levels is a bad thing or worthless? Life expectancy is confounded by population-level differences, but I would be surprised though to learn that genetic predisposition to diabetes/obesity accounts for a majority of the difference in life expectancy. In particular, diabetes rates in MS have been increasing rapidly over the last decade but falling in Germany, much more than genetic pool changes would account for. That points to environmental causes - access to healthcare, nutrition, etc.. which are very much within the abilities of the state to impact.
I think it's rather simple. Would an average person rather live in Germany or Mississippi?
Money is a proxy for quality of life, but it's not complete. GDP alone is virtually worthless to average people. Everyone on Earth is searching for one thing and one thing only: the best quality of life.
I think the analogy with locks is that most locks on the market will be given away for free, and then the liability rests on the person who selects the lock - protect your bank vault with a Masterlock screwed into a 2x4 and you are in trouble. Select a FOSS solution and you might also be in trouble, but the developers aren't.
I have a slightly different analogy (law it seems is made like Hollywood films “It’s like Alien but on a Cruise ship”)
Software is a form of literacy - not a product.
The product is the hardware. And the actions the hardware takes.
So want to add two numbers together ? There is a specific set of transistors that does that. And machine code. But at some point the python code or the Haskell code is an expression of human thought - literacy.
And you can choose different software to do the same adding up.
One can write an article many different ways, biases, slants etc.
But the publisher only chooses one
And so businesses offer software products like publishers offer articles and books
The publisher is liable
And if your business is publishing other peoples articles and you not only have not read it but cannot even read, why is it the authors problem?
I think this take on FOSS vs an article written for hire might be useful
I would also suggest that there is a level of reliance on the "canon" - importing a standard library would not suggest liability for that library.
There was a lot of commotion about 2018 GDPR but it turned out to be rather uneventful, some basic practices have been adopted, very few companies were fined a small amount and the question is largely settled. For small companies and individual devs, pretty much nothing changed apart from adding a boilerplate ToS and PP to their projects.
I would expect this legislative change to follow a similar path. If you run a business, liability is a big concern from the start and this extension of the liability scope seems reasonable overall. I'd say they even tread lightly here as "damages for professional use are explicitly excluded".
If this actually becomes law, it instantly makes it too dangerous to bother for me to ever ship software into the EU again.
Under this law, consumers can claim compensation for damages caused by defective products without having to prove the vendor was negligent or irresponsible. In addition to personal injury or property damages, for software products, damages may be awarded for the loss or destruction of data. Rather than define a minimum software development standard, the directive sets what we regard as the highest possible bar. Software makers can avoid liability if they prove a defect was not discoverable given the “objective state of scientific and technical knowledge” at the time the product was put on the market.
Look at the liability standard they are pushing! Not willful negligence, not reasonable care, but rather it sounds more akin to “could the bug have even theoretically been prevented given perfect information and unlimited funds”.
Yeah, no thanks, I’m human, so I won’t be accepting that level of liability for words I write into a text editor any time soon.
And kinda mind boggling that anyone who knows anything about how software actually works wouldn’t see this as completely batshit insane.
A more reasonable standard (malicious intent or reckless disregard for human safety would be a good starting point) would go a long way toward fixing this.
This current standard would get any developer sued out of existence by armies of AI lawyers long before you can ship a patch when someone complains that your software's divide-by-zero bug caused them “damages”.
And get a load of this;
Burden of proof: When the injured consumer is faced with excessive difficulties to prove the defectiveness of the product or the causal link between its defectiveness and the damage, a court may decide that the claimant is only required to prove the likelihood that the product was defective or that its defectiveness is a likely cause of the damage.
There’s a reason why EU GDP has completely stagnated versus the US, and the EU tech sector is a virtual rounding error in the world… and this trash mentality is a big part of it.
But wait, it gets worse…
Circular economy: When a product is repaired and upgraded outside the original manufacturer’s control, the company or person that modified the product should be held liable.
Bye bye downstream distro patches! And knowing the EU, they’ll say that “import Foo from Bar as MyFoo” is a “modification” and try to make anyone with cash in their pocket liable for any bug in any dependency they link to…
Online platforms can be held liable for a defective product sold on their platform just like any other economic operators if they act like one.
Bye bye app stores! Of course some will probably cheer this blindly ignoring or not comprehending the extraordinary value creation app stores are responsible for.
I'm actually surprised software has been exempted for so long. Based on the lawsuits started against companies like Crowdstrike, it probably isn't, but nobody has bothered to write it down yet.
What we have here is an intention, research into why it's necessary, and a process. None of this is law yet, this isn't even a legal proposal. The conclusions taken by this news publication are damn certain about something that's currently just a vague idea existing in a politician's drafts folder.
It's obvious software vendors have to comply with some standard of warranty because lawsuits against buggy software are regularly won. Most documented cases I've found are actually from the US, so perhaps Europe is behind on the US for winning such cases, often in the form of class action suits.
The EU isn't alone in wanting software vendors to be liable for their flaws; the White House also called for a law (see "Strategic objective 3.3"). This version has been wrapped in a soothing layer of "cybersecurity" but the implication is the same.
It’s even worse to proscribe liability when the “flaw” is not even an actual operating failure, but the ability for a bad actor to break the software maliciously.
Software is only as insecure as the user’s willingness to expose it to untrusted inputs, combined with the user’s willingness to give the software unfettered access to sensitive data.
“Don’t let hackers control the input stream” is literally the end of any and all security issues.
"This software is deemed compliant with best practices when used on systems 100% offline on a network without connectivity to the internet. A customer's choice to use this software outside of our recommended best practices is at the customer's discretion and assumption of liability."
Obviously if you want security, an air-gapped system is the recommended best practice.
Better take the US and Commonwealth countries off the list as well, although you might get lucky if Trump wins; these kinds of laws aren't in his ballpark, so he might stop the ongoing legislation roadmap.
It’s really interesting how tech has had a lot of special exemptions from rules that apply to normal businesses, and how these are being rolled back slowly.
On the face of it, having a product security obligation doesn’t seem too extreme, since most manufactured goods and service offerings operate under similar rules.
I’m a bit worried that the “move fast, break things” mindset in SaaS startups isn’t going to be easy to change, and that, in the context of product liability, might have big impacts on future profitability and valuations too.
Does a (mechanical) door lock maker have liability when someone batters down the door? Or when someone’s key is left exposed and copied?
It seems like some (most?) of the security vulnerabilities are analogous to things that physical goods manufacturers do not have liability for either.
> It seems like some (most?) of the security vulnerabilities are analogous to things that physical goods manufacturers do not have liability for either.
I don't think this is true — just shipping whatever junk you've piled together by some deadline has become frustratingly common. Also note the article has this to say:
Software makers can avoid liability if they prove a defect was not discoverable given the “objective state of scientific and technical knowledge” at the time the product was put on the market.
That sounds like most bugs wouldn't be able to avoid liability? Most bugs are stuff like memory corruption or SQL injection, and could be discovered if you looked hard enough.
Yes and no — I think there'll be an expectation that you follow best practices and use the tools available. The legal system doesn't expect "mathematical" perfection in cases like this; if you can show that you worked diligently (kept up on tools, have a test suite, use static analyzers and sanitizers, etc.) I'm reasonably sure you'll be off the hook.
If you can show that.
And/or follow some industry standard in process and product. Even if that standard is less than perfect. Lot of documentation. It might not entirely make sense for your use case, but having the trail that you did things is often good enough.
And how will you get paid for doing that in perpetuity? Are they asking you to do this for free?
Unlike in the US, I do not expect European courts to be neutral between domestic vs foreign tech companies. They need to fix their system to encourage fair play before adding more rules.
You remember the Roundup cases where US juries started convicting and handing out huge damages the very second the US manufacturer was bought by a European company?
I know multiple instances where even with reciprocity agreements/treaties (if approved in the USA/Europe by that jurisdiction's authority bodies it is auto-approved in the other) Europe will still fail approval. I have not run into the USA doing the same. Europe has a history of using its authority bodies to pick European winners.
I mean, to use the same analogy:
1. A lock maker does not have liability if someone uses a battering ram on my door, or if I give a key to the wrong person.
2. A lock maker may certainly have liability if the lock has a design defect and can be readily opened without a key.
I see no problem with holding software liable for the latter category and not the former, provided the liability is proportionate to the value being protected.
Software makers have skated by with poor quality software for a long time, based mostly on the fact that users can't tell the difference. As the field gets more sophisticated and software is relied on for more and more important things, this needs to change.
Has that actually ever happened? Lockpicking Lawyer shows most locks are almost effortless to pick. The same locks sold by the millions to all of us.
Even so of course we know there IS liability for some things and maybe just locks are not a good example.
But then maybe that just means that security itself is not a good example and the authorities are being inconsistent by going after security only in software.
Or maybe it just means the liability should not be just security in general, but responsibility for when you hold something for someone else.
Most other forms of liability are for the safety of an object sold to the public, or it's very basic functionality. If a normal expected use of a lock cuts peoples fingers off, or if it fails to latch at all, not if it is easy to defeat.
Lockmakers don't generally claim that their locks are completely resistant to bad actors, but good lockmakers will sometimes claim they are resistant to specific kinds of attack.
On the legal side, "almost effortless to break" is not the same as non-functioning. In many cases the legal purpose of a lock is to establish intent and culpability: you can't aimlessly wander into a locked room, even if it has the world's shittiest Master lock on it. You gotta break the lock to do that. It serves as a semiotic indicator that an area or item was supposed to be off-limits; as a member of society the onus is on you to respect that.
Locks are likely a poor analogy for software engineering.
> Has that actually ever happened? Lockpicking Lawyer shows most locks are almost effortless to pick. The same locks sold by the millions to all of us.
Then we need new rules for lockmakers too.
The job of a home lock is not to be completely impervious to picking (or other bypass methods like shimming or drilling). It is to make getting in by defeating the lock harder than getting in by breaking the door or breaking a window to the kind of bad guy that most homeowners in the lock's target market will encounter.
Putting too high a security lock on your house doesn't really reduce your break-in rate, and it can make it more expensive if you ever lose your keys and the lock is too hard for the locksmith you call to easily pick.
The locksmith may have to drill it, and then you need to replace the lock. If it is a high enough security lock that the locksmith can't get past it you'll end up breaking a window anyway, and you probably have to pay for at least 1/2 hour of the locksmith's hourly rate for them to have come out to tell you to break a window.
We should really talk about locks on businesses.
A house can have a lighter lock than a bank, and different legal principles apply.
#2 isn’t, practically speaking, true. Ordinary hardware store door locks can be opened in a few seconds (using techniques like “bump keys”). Is that a “design defect” if every professional knows it to be true? Locks get security ratings based (partially) on how long it will take to open them without a key.
Perhaps the lock analogy is good, but that means the eventual answer is that software will have security ratings like locks (on a sliding scale, not binary secure/insecure), and you’ll get what you pay for.
Well, it's an analogy and that's where it breaks down, as all analogies do.
A hardware store lock might protect a single shed, locker, or house.
A software "lock" on a critical system is more equivalent in importance to the full physical security system surrounding a bank vault.
That’s why the lock analogy is good, though — not everything protected by software is like a bank vault. Door locks cost a lot less than vault locks, and as the customer I get to choose the appropriate level of security and pay accordingly. Right now as a software customer you don’t pay based on how secure you want the software to be, and the vendor isn’t liable for not meeting your expectations. In the end the customers are going to have to finance all this improved security, it won’t come for free.
I think we're agreeing here. Sane regulation would create a system where liability could exist for certain products, and consumers would have some idea of what they're paying for.
We are agreeing! Just trying to bring out the price differential that will result from a liability regime. We had this explosion of cheap software partially because nobody was paying for security (either with money or with inconvenience). Now it seems like people expect to fix it for free just by passing a law insisting it be so.
The physical lock market is much more mature, and we don’t see “bank vault” security as the median lock, far from it.
> A lock maker may certainly have liability if the lock has a design defect and can be readily opened without a key.
Masterlock has entered the chat.
Yeah, smart door locks are notoriously easy to break
Some of the early ones let you yell "Alexa, open the door!" from outside the house, heh.
I didn’t even know this lol. I was talking about picking them normally.
>the producer has to provide compensation irrespectively of whether there is negligence or fault on their part.
This sounds terrible: anybody gaining access to a Unix-based shell and running rm -rf /*. It is going to make proprietary products close up even tighter so they don't have something similar to the US's "Hot Coffee" incident on GTA, and reduce modding ability.
If this goes, we can assume that like other practices where practitioners are liable:
- insurance industry will come in and be the real winner.
- practitioners will be required to have some sort of license to practice (eg be professional engineers).
- there will be norms, standards, certification authorities, and review committees for when something falls through. The auditing business might also come into the case.
- there will appear some sort of a caste system, such as doctors/nurses/medical assistants, dentists/dental assistants/dental receptionists, lawyers/legal assistants, etc.
- costs and delays will go up for the customers, by much more than the occasional payoff from a lawsuit will bring
- quality, notably of compliance and security will go up, which is what's desired by that law.
I wonder how you expect a high school kid or college student to afford insurance and get "some sort of license to practice"?
Say goodbye to Linux - released by college student.
Say goodbye to Winamp - released by a high schooler.
Say goodbye to GTK+ and GIMP - released by 2 college students.
Say goodbye to web browsers - why would Tim Berners-Lee or his employer CERN release a free product not related to their core mission if they could get sued by thousands of people?
Linux, open source, not covered under this requirement.
Wikipedia tells me 'Winamp was first released in 1997, when Justin Frankel and Dmitry Boldyrev,[6][7][8] formerly students at the University of Utah', which makes them not high-schoolers. It was released by Nullsoft, Inc.
GTK+ and GIMP, open source, not covered under this requirement.
CERN httpd, open source, not covered under this requirement.
By 'not covered under this requirement' I mean the following text in the directive applies:
> Free and open-source software, whereby the source code is openly shared and users can freely access, use, modify and redistribute the software or modified versions thereof, can contribute to research and innovation on the market. Such software is subject to licences that allow anyone the freedom to run, copy, distribute, study, change and improve the software. In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity, since products so developed or supplied are by definition not placed on the market.
And how does it apply to open source software if commercial activity is done with it. You install a PBX at a customer site? You install LibreOffice at a government site? The way I read this it's the first person that uses this for a commercial application that becomes liable.
That has squat all to do with a 'high school kid or college student' or CERN, which was the concern of the comment I replied to.
If you install a PBX which is two years out of date and has a high-severity, easily-triggered security hole which has since been patched, who is responsible? Who should be responsible?
The manager who explicitly demanded you install that version because that's what their nephew said was the best version?
By my reading, that means you are not a manufacturer of the software so are not covered under this directive.
My reading of this: the EU wants to give its old fashioned SME software houses a chance with their software products, against the likes of FAANG that typically offer the software for free.
Of course this also hurts EU startups, but that does not concern Brussels because the whole EU establishment is always defending the incumbents. And this is imho one of the reasons the EU is falling behind, because incumbents don't react well to paradigm shifts. It's a losing strategy. For all its many faults the US seems to have realized a long time ago that you cannot protect incumbents at the cost of startups.
>For all its many faults the US seems to have realized a long time ago that you cannot protect incumbents at the cost of startups.
I think it wasn't an American realization as much as it was a success of "the American experiment" 250 years ago, a European experiment undertaken by Europeans living in North America, taking European ideas from the Enlightenment and applying them broadly, to politics, to religion, to the economy, and it flourished.
The tendency to protect incumbents was harder to root out back where the incumbents were more firmly entrenched.
If you want to take the "loose analogy" approach even further, consider that the Enlightenment was also the integration of Northern European ideas stemming from individual self reliance because you need to when it's cold as fuck outside, as opposed to southern European/Roman Empire successful ideas of depending on huge bureaucracies to gather and apportion more abundant resources.
This is not a proof of anything, just a pointing out/noticing type set of ideas. To me it seems tied in to other intellectual trends we see in history, where, e.g., the Romantic era was a movement in music, and in art, and in literature, and in politics/social theory, seemingly unrelated areas moving in concert, a reflection of how our brains work.
(probably similar ideas can be found outside the West, but it's not something I'm that educated about)
No, Americans.
Europeans were the ones that drove us away using things like threats of death, actual death/murder/vigilante sprees/burning our homes/crops, creating mass starvations, etc. all because our families were of the wrong faith or ethnic background according to the Europeans.
People that had no fallback, who had traveled across a very hostile ocean, and lost plenty of loved ones in the process, and were determined to carve out a life for themselves in a European-centric world that had shown itself up to that point very much against them. Americans that were determined to keep that government power/tyranny of the majority that had been used to murder/oppress/expel them in check.
Americans had/have a much different attitude than 'Europeans'. There's a reason many of us think of it as a pretty museum, not a place to emulate. Europe didn't want us. Funny how Europe is so quick to forget this bit of our 'common' bond.
Europeans "drove you away" by issuing a Royal Charter for the formation of a Company that you bought shares in?
https://en.wikipedia.org/wiki/Charter_of_the_Massachusetts_B...
https://en.wikipedia.org/wiki/Thirteen_Colonies
> Americans that were determined to keep that government power/tyranny of the majority that had been used to murder/oppress/expel them in check.
By using majority tyranny to work enslaved Europeans, Native Americans, and later Africans as engines of the fields?
You have a very blinkered rosy eyed picture of the colonial settlement of the USofA.
The colonies were very much European sponsored investment enterprises with owners and stockholders with European values in addition to being opposed to Crown taxes raised by batshit loons with Royal blood (an issue in Europe and not just the US).
Post-independence trade continued and the original colonies remained Anglophile (the English colonies at least; the Dutch and other colonies also retained European ties).
Exactly. The EU needs to focus on fair play for all market participants urgently; it is quite literally making them poorer.
How does this apply to FOSS under a license that explicitly doesn't provide any warranty?
I am not a lawyer (very definitely not) and may have missed context and or other paragraphs but the directive says
"(14) Free and open-source software, whereby the source code is openly shared and users can freely access, use, modify and redistribute the software or modified versions thereof, can contribute to research and innovation on the market. Such software is subject to licences that allow anyone the freedom to run, copy, distribute, study, change and improve the software. In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity, since products so developed or supplied are by definition not placed on the market. Developing or contributing to such software should not be understood as making it available on the market. Providing such software on open repositories should not be considered as making it available on the market, unless that occurs in the course of a commercial activity. In principle, the supply of free and open-source software by non-profit organisations should not be considered as taking place in a business-related context, unless such supply occurs in the course of a commercial activity. However, where software is supplied in exchange for a price, or for personal data used other than exclusively for improving the security, compatibility or interoperability of the software, and is therefore supplied in the course of a commercial activity, this Directive should apply"
see also the following recitals.
I think this sounds pretty sensible. If you want to build a business you are responsible for defects in your wares. If you are gifting software you are not "selling".
This is obviously a completely useless carve out. The EU will define something as commercial based on even having paid support or enterprise features, so if there’s any company behind the open source code at all, you can be sued by your free users picking it up and misusing it.
So this seems like a really great way to stop any software from being released into Europe.
As if US and Commonwealth countries aren't also doing the same.
TFA specifically states that US has gone in a totally different direction than the EU on this?
Here is some news then:
https://www.cisa.gov/cybersecurity-performance-goals
https://cybersecurity-centre.europa.eu/news/cisa-and-enisa-e...
https://www.cisa.gov/news-events/news/cisa-and-fbi-release-p...
https://www.whitehouse.gov/oncd/briefing-room/2024/03/27/rea...
I was wondering if the EU decides to do this first, maybe it'll be such a fiasco even the US will be sensible enough to not follow in their footsteps.
> This is obviously a completely useless carve out.
I'm a Debian Developer. To me, that carve out is a major comfort. I doubt I'm alone. I expect it is viewed as very useful by everyone who develops open source.
Business who sell open source - well yeah, it probably is useless to them. That's kinda the point.
Maybe we will now see companies that will absorb the liability, e.g. reselling a FOSS package with a different license slapped on.
It's possible... but if it's open-ended what you're supposed to solve (eg, "security") it seems hard to be confident you won't be run into the ground trying to satisfy unlimited demands.
Combined with the EU Cyber Resilience Act they would be required to report security issues back to the original project.
But in FOSS the original project is not under any requirement to care, and may use a license that explicitly disclaims caring.
Maybe it means the original project will get forked (or perhaps helped) if it doesn't take care of everything itself.
So in order to use any open-source software you must commit to fix security bugs and accept liability? And software users will actually do this?
It would raise the cost of open source software a lot if you do this, and the cost of all other software. This seems very unlikely to actually happen. By which I mean, government and commercial users seem to me very, very unlikely to be willing to pay for this when they could just as well just use software from outside the EU, and this will just really suck for EU software developers and companies.
Not to use it but to sell it commercially (apparently except for "professional use" in the current iteration).
And that isn't really as outlandish as you make it (maybe inadvertently) sound.
If a wheel falls off of your car because the foundry that made the steel for the screws got their recipe wrong, initially the whole liability is on the car manufacturer and they have to fix that.
For you as a customer it stops there.
The manufacturer may (if their contract permits) try to get some money back from screw factory and they in turn from the steel mill etc. If someone goes bankrupt along the supply chain, tough luck for the one up chain.
So car manufacturers (and their suppliers) are really motivated to QA their parts because recalls are expensive and they may not even get back everything or anything.
You can't blame the universe for putting the wrong ore composition into the ground. You can only blame the people who failed to do proper checks on the way.
Software may follow a similar trajectory with Open source being the ore in the ground. You must take reasonable (see directive) steps to prevent that (e.g. good development practices, updates, react to CVEs etc).
It's really nothing fundamentally new.
> You can't blame the universe for putting the wrong ore composition into the ground. You can only blame the people who failed to do proper checks on the way.
Almost all mining companies in the EU are government-sponsored or owned (or, more often, owned by politicians or royal families, e.g. Total and (ex-)French presidents and ministers, or Shell and the Dutch Royal Family, which then "somehow" results in government support for them, often with suspiciously few people supporting the mining effort. You know, suspiciously little support, given that they're democracies).
Needless to say, I've not heard of these sorts of companies being convicted to fix damages they've caused. If anything is done, it's always the government offering to do it from taxes (e.g. a harbor upgrade in Le Havre demanding the contracting company fixes Total refinery pollution). Have you?
Cars are different because while the German and French states have HUGE interests in car manufacturing, none of the others have. So any car defect, depending on if it's Renault or Mercedes/VW turns into the EU siding with the German or French camp in the EU and either demanding the companies fix it, or demanding nothing happens. Italy tried participating in this game, but, well, we all know what happened. So car QA is indeed done, to avoid the year-long EU-wide diplomatic incidents a recall causes.
Or take the example of public works contractors. These tend to be temporary alliances (e.g. need a big bridge? A company is created by 5 contracting companies just for the explicit purpose of building THAT one bridge, THAT specific tunnel, THAT train station, ordering for pre-agreed amounts of dollars from the specific contractors). Sometimes this company keeps existing to provide maintenance afterwards. If shit hits the fan, which is often, the company immediately goes bankrupt and nobody from whatever government approved the bid is held responsible, nor are the 5 contractors, but whatever repair money comes from the government budget anyway.
So, how will it work for software? Because your explanation sounds vaguely reasonable in theory, if you compare it to actual practice it becomes very unclear.
Is this created to make it impossible to have any kind of software company in the EU without government support, like for contractors? Is this made to be a threat or a weapon against American or Chinese companies?
Thanks. It seems to beg the question for how long should there be some implied requirement to fix things, if you were just paid to work on a FOSS project (and what was paid for is available under a liberal license).
IOW if I got paid for some work on an existing project under a liberal license, what would I be getting myself into? (I assume the answer is 'nothing' if it happened before this directive, but if it happened after?)
You don't know. The EU "makes laws", it is then to be interpreted by the member states into actual laws and then interpreted again by the judges of those member states. So you don't know.
However, I highly doubt that EU citizens and companies will now suddenly be willing to pay for liability insurance for people they buy software from (and that will be more expensive the smaller the developer and/or company is)
I am certain there are already established practices for "freelancer" liability since this kind of employment happens a lot in other industries.
However, I'd be cautious when it comes to these finer details. It's where business liability insurance and lawyers are a wise investment.
Today it really boils down to the buyer accepts the work (usually work done in the period) as reasonable and pays for it, or not. Sometimes there are contractual requirements to make good on bugs afterwards on your own time. But often the hirer accepts the risk of bugs needing solving.
This sounds like there might be extra requirements for an unending? unspecified? period, I don't see how anyone can make a living if so.
This kind of liability is not new in Europe. In fact it applies to a lot of products. Therefore similar (though obviously not identical) questions are already settled law.
As a layman, it may be similar to the question of how long a manufacturer can be held responsible for material fatigue under regular use.
This is better than blanket liability for unpaid maintainers, but it's unclear how it relates to OSS activities not "on the market" per se but nonetheless connected to the larger software market.
Two examples come to mind: donations to OSS maintainers, and OSS maintainers who provide consulting services instead of selling software. The former is arguably covered by donations not being "sales," but some projects/groups do provide invoices (with no particular obligations) to make donations fit into the sale-shaped financial slot that most companies understand.
If you got the software itself without paying, then you aren't really paying for the software. If you buy consulting or warm fuzzies later then that's something different.
> If you buy consulting or warm fuzzies later then that's something different.
I happen to agree, but the law itself doesn't make that clear. That's what matters.
So sell the service and not the product.
Put in a condition that Europeans are not allowed to use the code or the software in any way.
I provide a source license to my software. How does this affect me and my European customers?
More specifically, the directive says:
> Information is not, however, to be considered a product, and product liability rules should therefore not apply to the content of digital files, such as media files or e-books or the mere source code of software.
All I send is a license and copy of 'the mere source code of software'. Does that mean my product is not included under this directive?
Nice to see; it is about time liabilities start being taken into account, especially if this is the only way to make software companies care about best practices.
What “best practices” are you even talking about? Point to one piece of bug-free software that performs a useful task. I’ll wait.
For me, you can wait as long as you feel like waiting.
Here is one example of best practices:
"A consequence of this principle is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time against both the upper and the lower declared bounds of the array. Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interests of efficiency on production runs. Unanimously, they urged us not to--they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980 language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law."
-- C.A.R. Hoare, "The 1980 ACM Turing Award Lecture"
Law is finally catching up.
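As an added illustration of the run-time subscript check Hoare describes (this is example code, not from the thread or from Hoare): an array type with declared lower and upper bounds, where every store and load is checked against both bounds before touching memory. The names `bounded_array`, `ba_init`, `ba_set` and `ba_get` are this example's own.

```c
/* Added example, not from the thread: an array with declared lower and upper
 * bounds, every subscript checked against both at run time (Hoare's rule). */
#include <stdbool.h>
#include <stdlib.h>

typedef struct {
    long lo;    /* declared lower bound; need not be 0, as in Algol */
    long hi;    /* declared upper bound, inclusive */
    int *data;  /* hi - lo + 1 elements */
} bounded_array;

/* Allocate an array with declared bounds [lo, hi]; false on bad bounds. */
static bool ba_init(bounded_array *a, long lo, long hi) {
    if (hi < lo) return false;
    a->lo = lo;
    a->hi = hi;
    a->data = calloc((size_t)(hi - lo + 1), sizeof *a->data);
    return a->data != NULL;
}

/* The subscript check itself: true iff lo <= i <= hi. */
static bool ba_in_bounds(const bounded_array *a, long i) {
    return i >= a->lo && i <= a->hi;
}

/* Checked store: refuses to write outside the declared bounds. */
static bool ba_set(bounded_array *a, long i, int v) {
    if (!ba_in_bounds(a, i)) return false;
    a->data[i - a->lo] = v;
    return true;
}

/* Checked load: stores the element in *out and reports success. */
static bool ba_get(const bounded_array *a, long i, int *out) {
    if (!ba_in_bounds(a, i)) return false;
    *out = a->data[i - a->lo];
    return true;
}

static void ba_free(bounded_array *a) { free(a->data); a->data = NULL; }

int main(void) {
    bounded_array a;
    if (!ba_init(&a, -5, 5)) return 1;  /* indices -5..5, eleven elements */
    ba_set(&a, -5, 1);                  /* in range */
    ba_set(&a, 6, 2);                   /* rejected instead of corrupting memory */
    ba_free(&a);
    return 0;
}
```

The out-of-range store at index 6 is refused and reported to the caller, which is the behaviour Hoare's customers asked to keep on even in production runs.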
This is neither a best practice, nor does it result in bug-free code.
It all boils down to:
Your opinion. My opinion. Legislators' opinion.
The EU should be trying to move away from greater liability burden, as the US has also realized it is a mistake with its current litigation nightmare.
It saddens me how poorly the bloc seems to be governed right now. It should basically be all hands on deck for capital markets formation.
Tort reform is one of the major ways economists/prominent policymakers believe we could improve in the US, but of course the EU goes the exact opposite direction.
Someone’s been reading a bit too much Ayn Rand
I am no fan of Ayn Rand at all. We have an obligation to help those worse off than us.
Germany is now poorer on a per-capita basis than Mississippi, one of our most underinvested in regions. I am no libertarian at all. The EU has such great potential it saddens me to see the level of mismanagement currently ongoing. Of course, they are also facing larger exogenous problems right now.
Comparing across countries on US-Dollar-adjusted per-capita income is easy to calculate but a pretty tricky metric to get a lot of value from. Another easy metric to look at that adds a couple more dimensions is the Human Development Index. It includes per capita GNI as a third of its weight, but Germany gets a 0.95 and Mississippi a 0.858. And the GINI score (lower is less inequality) for Germany is roughly .3 and for Mississippi it’s close to .5.
None of these high level economics stats really captures what is going on and how people live. Higher economic output isn’t strictly better, nor is lower inequality. You may be right - Germany as one of the main EU economies may be massively suffering due to EU mismanagement, but I think you need to provide different support for that argument.
Differences in real exchange rates reflect real differences in the value of goods being produced. It quite literally reflects that the marginal euro holder values the dollar, and the things that can be purchased with it, quite highly. HDI is certainly not a better comparison. HDI has a 1/3 weighting on education, and direct life expectancy comparisons are difficult when the US has a significant genetic predisposition to diabetes/obesity relative to the EU.
The Boston Fed discusses this better than I could [0]: the differences in real exchange rates make poorer countries materially poorer across numerous different channels. Here's one:
> Consider the implications of a higher relative price of capital goods for a developing economy attempting to invest in a balanced mix of machinery and structures. There is no consistent trend in the relative price of structures across economies: Rich economies can use bulldozers to dig foundations, but poor economies can use large numbers of low-paid unskilled workers to dig foundations. But the higher relative price of machinery capital in developing countries makes it more and more expensive to maintain a balanced mix: The poorer a country, the lower is the real investment share of GDP that corresponds to any given nominal savings share of GDP.
In reference to gini scores, you're absolutely right (~0.45 vs 0.32) - and it means that pay for the median German is better than pay for the median Mississippian (roughly 62% higher median pay in Germany). Mississippi (and the US) need to do more to redistribute. The EU (and Germany) appear to be more output-constrained than redistribution-constrained.
[0]: https://www.bostonfed.org/-/media/Documents/conference/40/co...
Thanks for the engaged discussion, I am not an economist but find this fascinating to learn about.
My understanding is that paper's key point is the higher the absolute economic output the larger fraction of that output can be re-invested in efficiency/technological improvements, which compounds over time and leads to increasing gaps between different countries. Did I get that right even if very simplified? I'd also be curious to read De Long's most recent book since he says he has significantly changed his opinions in the intervening 30 years and has swung significantly leftwards.
As for the issue of comparing Mississippi and Germany, backing out state-level vs US growth for comparison adds some challenge, but best I can figure for the period since 1997 that I can find data, they both have roughly the same 1.4x real GDP growth, which lags the US at 1.7x. I still take issue with the implication that Germany is somehow doing worse than Mississippi, but agree the US is clearly doing better at growing in absolute terms.
Why are you confident HDI is "certainly not" a better comparison than GNI? You seem to imply that comparing achieved education levels is a bad thing or worthless? Life expectancy is confounded by population-level differences, but I would be surprised to learn that genetic predisposition to diabetes/obesity accounts for a majority of the difference in life expectancy. In particular, diabetes rates in MS have been increasing rapidly over the last decade but falling in Germany, much more than changes in the genetic pool would account for. That points to environmental causes (access to healthcare, nutrition, etc.), which are very much within the abilities of the state to impact.
I think it's rather simple. Would an average person rather live in Germany or Mississippi?
Money is a proxy for quality of life, but it's not complete. GDP alone is virtually worthless to average people. Everyone on Earth is searching for one thing and one thing only: the best quality of life.
My guess is that FOSS is the big winner here.
I think the analogy with locks is that most locks on the market will be given away for free, and then the liability rests on the person who selects the lock: protect your bank vault with a Masterlock screwed into a 2x4 and you are in trouble. Select a FOSS solution and you might also be in trouble, but the developers aren’t.
I have a slightly different analogy (law it seems is made like Hollywood films “It’s like Alien but on a Cruise ship”)
Software is a form of literacy - not a product.
The product is the hardware. And the actions the hardware takes.
So you want to add two numbers together? There is a specific set of transistors that does that. And machine code. But at some point the Python code or the Haskell code is an expression of human thought: literacy.
And you can choose different software to do the same adding up.
One can write an article many different ways, biases, slants etc.
But the publisher only chooses one.
And so businesses offer software products like publishers offer articles and books.
The publisher is liable.
And if your business is publishing other people's articles and you not only have not read it but cannot even read, why is it the author's problem?
I think this take on FOSS vs an article written for hire might be useful.
I would also suggest that there is a level of reliance on the “canon”: importing a standard library would not suggest liability for that library.
There was a lot of commotion about the 2018 GDPR, but it turned out to be rather uneventful: some basic practices have been adopted, very few companies were fined a small amount, and the question is largely settled. For small companies and individual devs, pretty much nothing changed apart from adding a boilerplate ToS and PP to their projects.
I would expect this legislative change to follow a similar path. If you run a business, liability is a big concern from the start, and this extension of the liability scope seems reasonable overall. I'd say they even tread lightly here, as "damages for professional use are explicitly excluded".
That’s because the EU is very discretionary in its enforcement.
> For small companies and individual devs, pretty much nothing changed apart from adding a boilerplate ToS and PP to their projects.
A significant portion of these players are probably non-compliant, but nobody cares.
To quote a wise hackernewsian:
https://news.ycombinator.com/item?id=41916279
the “objective state of scientific and technical knowledge”
snort
If this actually becomes law, it instantly makes it too dangerous to bother for me to ever ship software into the EU again.
Under this law, consumers can claim compensation for damages caused by defective products without having to prove the vendor was negligent or irresponsible. In addition to personal injury or property damages, for software products, damages may be awarded for the loss or destruction of data. Rather than define a minimum software development standard, the directive sets what we regard as the highest possible bar. Software makers can avoid liability if they prove a defect was not discoverable given the “objective state of scientific and technical knowledge” at the time the product was put on the market.
Look at the liability standard they are pushing! Not willful negligence, not reasonable care, but rather something that sounds more akin to “could the bug have even theoretically been prevented given perfect information and unlimited funds”.
Yeah, no thanks, I’m human, so I won’t be accepting that level of liability for words I write into a text editor any time soon.
And kinda mind boggling that anyone who knows anything about how software actually works wouldn’t see this as completely batshit insane.
A more reasonable standard (malicious intent or reckless disregard for human safety would be a good starting point) would go a long way toward fixing this.
This current standard would get any developer sued out of existence by armies of AI lawyers long before you can ship a patch when someone complains that your software's divide-by-zero bug caused them “damages”.
And get a load of this:
Burden of proof: When the injured consumer is faced with excessive difficulties to prove the defectiveness of the product or the causal link between its defectiveness and the damage, a court may decide that the claimant is only required to prove the likelihood that the product was defective or that its defectiveness is a likely cause of the damage.
There’s a reason why EU GDP has completely stagnated versus the US, and the EU tech sector is a virtual rounding error in the world… and this trash mentality is a big part of it.
But wait, it gets worse…
Circular economy: When a product is repaired and upgraded outside the original manufacturer’s control, the company or person that modified the product should be held liable.
Bye bye downstream distro patches! And knowing the EU, they’ll say that “import Foo from Bar as MyFoo” is a “modification” and try to make anyone with cash in their pocket liable for any bug in any dependency they link to…
Online platforms can be held liable for a defective product sold on their platform just like any other economic operators if they act like one.
Bye bye app stores! Of course some will probably cheer this blindly, ignoring or not comprehending the extraordinary value creation app stores are responsible for.
I'm actually surprised software has been exempted for so long. Based on the lawsuits started against companies like Crowdstrike, it probably isn't, but nobody has bothered to write it down yet.
What we have here is an intention, research into why it's necessary, and a process. None of this is law yet; this isn't even a legal proposal. The conclusions drawn by this news publication are damn certain about something that's currently just a vague idea existing in a politician's drafts folder.
It's obvious software vendors have to comply with some standard of warranty, because lawsuits against buggy software are regularly won. Most documented cases I've found are actually from the US, so perhaps Europe is behind the US on winning such cases, often in the form of class action suits.
The EU isn't alone in wanting software vendors to be liable for their flaws; the White House also called for a law (see "Strategic objective 3.3"). This version has been wrapped in a soothing layer of "cybersecurity" but the implication is the same.
It’s even worse to proscribe liability when the “flaw” is not even an actual operating failure, but the ability for a bad actor to break the software maliciously.
Software is only as insecure as the user’s willingness to expose it to untrusted inputs, combined with the user’s willingness to give the software unfettered access to sensitive data.
“Don’t let hackers control the input stream” is literally the end of any and all security issues.
Just put a best practices line:
"This software is deemed compliant with best practices when used on systems 100% offline on a network without connectivity to the internet. A customer's choice to use this software outside of our recommended best practices is at the customer's discretion and assumption of liability."
Obviously, if you want security, an air-gapped system is the recommended best practice.
Better take the US and Commonwealth countries off the list as well, although you might get lucky if Trump wins; these kinds of laws aren't in his ballpark, so he might stop the ongoing legislation roadmap.