

EU Wants Developers to be Liable for Code; Provide Guarantees That Software will Work - mdasen
http://news.zdnet.co.uk/software/0,1000000121,39649689,00.htm

======
jackowayed
This is almost sort of reasonable, until

> _According to Mingorance, the proposed regulatory extension would cover all
> software, including beta products, and would cover both proprietary and
> open-source software._

So I'm now liable for that project I wrote in one night for myself that I
released under the MIT License if anyone from the EU finds it, uses it, and
runs into some security hole?

That's going to lead to a whole new brand of licenses that say, "Anyone may use
this, unless you're in the EU, in which case I can't handle the liability.
Sorry, your parliament sucks."

In fact, I would argue that this law would void open source licenses in the EU
anyway.

From the MIT License:

 _THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE._

Doesn't that imply that the software can't be used anywhere where a warranty
is mandatory? The license states that there's no warranty, so you're violating
the license by having a required warranty.

~~~
paulgb
IANAL, but it looks like this only covers commercial transactions. I'm
guessing it applies to things like Red Hat Enterprise Linux, but not free as
in beer software.

~~~
thingie
It's about consumers rights, where consumer is: (quote)

any natural person who, in contracts covered by this Directive, is acting for
purposes which are outside his trade, business, craft or profession;

~~~
paulgb
I can't tell whether that would include a "consumer" of free-as-in-beer
software.

After reading the link you posted above, it seems that a money-back guarantee
would comply with the regulation. That should be easy enough for someone
writing free-as-in-beer software to offer :).

------
andr
This was proposed by Meglena Kuneva, the consumer protection commissioner for
the EU. I attended a talk she gave at Harvard. While she seems dedicated to
her work she often blames companies for consumers' lack of judgment. For
example, she blamed Apple for corrupting the youth with iPods.

------
marcusbooster
As soon as they can guarantee all government services will work.

~~~
joubert
Maybe there's a build dependency between govt. services and software and
sometimes it breaks?

------
rsynnott
Every now and again, a government representative decides that they would like
to do something relating to technology, or medicine, or whatever. Whether this
something is practical, possible, or legal is largely immaterial. They will
bring it up, and it may even get passed (American CDA, Australian internet
filtering thing); at that point it will die amongst legal challenges or simple
impracticality. Business as usual.

~~~
ubernostrum
Judging from some of the stories which come out of the EU, it seems that bad
policies don't die there -- instead they are thoroughly enforced.

(see, for example, the endless variations on "this product is the wrong size
to meet the EU definition of a strawberry", etc.)

------
gills
I guess the EU won't be using a whole heck of a lot of software then, will
they?

------
10ren
This is about risk allocation, the idea being to make the party who is in the
better position to do something about it bear the cost.

If corporations were liable for defects in their software, they would need
insurance to cover claims, and this would be passed on to consumers as higher
prices. They would also be more precise in specifying and communicating how
the software should be used. They would start using techniques that might not
be efficient or clever, and they might be overkill and more expensive, but
that were known to work - similar to how civil engineers design bridges that
don't fall down. And they'll need teams of lawyers to handle the litigation.

Software will cost more in the EU.

This focus on security and consumer rights is what happens after the cowboy
phase of an industry is over. But as we move into cloud computing, SaaS, and
netbooks and smart phones, that age isn't yet over for us. Probably it will last
at least as long as Moore's Law holds.

------
pmjordan
Although I'm certainly not sold on this idea [1], I find it amusing that the
BSA representative is against it; after all, one of Microsoft's main arguments
against F/OSS is that there's nobody liable for its correct function. Maybe
because the EU laws covering warranties only apply to consumers, not
businesses, and Microsoft would have to offer consumer-level customer support
of some kind as part of the license. (as far as I know you currently have to
pay per issue for support unless you have some kind of contract with MS)

[1] I don't see how someone writing open source software in his or her spare
time in any way deserves to be liable for malfunction, for example; another
worry is the amount of ambiguity involved at all stages, from "intended use"
to the definition of "efficacy and security", along with the technical
complexity and explosion of possible combinations of software on the average
computer.

~~~
gdee
Oh, that's just one part of the inconsistency shown in the BSA quotes.

"Digital content is not a tangible good and should not be subject to the same
liability rules as toasters" is also interesting seeing how in regards to
[intellectual] property they very much push the opposite stance.

"extending consumer regulation to software could lead to less interoperability
between software products" is just shameless seeing how the EC had to force
some (much fought against) interoperability down some of the bigger members
of the BSA.

------
godDLL
There is no mathematically rigorous way of proving that any given piece of
code does or doesn't do anything. It all depends on the context in which the
code is being used.

Building software is a trial-and-error process, and building large pieces of
software is a large trial-and-error process. They are asking for the
impossible, like providing airport security or anything of a similar scale.

If a law is made of this it will serve nothing but annoyance to actual users
of said software. There is just no conceivable way anyone could regulate and
enforce that law. It's a good idea in general but it shouldn't have an
application in legislation, that's like forbidding pigeons to litter monuments
-- no offence, but what the...

~~~
yummyfajitas
_There is no mathematically rigorous way of proving that any given piece of
code does or doesn't do anything._

Sure there is.

<http://en.wikipedia.org/wiki/Formal_verification>

~~~
godDLL
Run it on MS Word X, then. Or OOO v3.

And draw any meaningful conclusions from that data.

Better yet, how do I write reliable software that runs on a buggy processor?
What do I use to test that the chip I'm making does what it is supposed to
every time for all scenarios? It's programmable, after all.

That, I'm sure, you can identify with.

------
dgallagher
There's a reason why most entrepreneurial endeavors start in the United States
and not in Europe. Bureaucratic laws like this stifle innovation rather than
promote it.

How about we make the EU politicians and lawmakers liable for the laws they
pass? If a law they make happens to harm the economy in any way, they'll have
to cover any such losses out-of-pocket.

~~~
axod
This isn't a law. It's a bizarre, stupid suggestion.

>> "There's a reason why most entrepreneurial endeavors start in the United
States and not in Europe"

I'd like to see your data for that one. I really don't think it's due to
bureaucracy. Starting up in the UK at least is ridiculously simple, and cheap
- £25 will get you a Ltd company.

~~~
dgallagher
Good question. Note by "entrepreneurial endeavors" I meant start-ups, and not
mom/pop "home businesses." Companies which plan to scale to a reasonable size
(20-1000+ employees), essentially.

I've come to that perception from economic classes I took in college, and from
general observation of start-ups. This is a good article which elaborates on
entrepreneurial differences between the U.S. and Europe, citing economic,
government, and social differences, among other things:

[http://www.economist.com/specialreports/displaystory.cfm?sto...](http://www.economist.com/specialreports/displaystory.cfm?story_id=13216037)

Noteworthy quote: "And far fewer start-ups in those countries become big
businesses. Janez Potocnik, the EU commissioner for science and research,
points out that only 5% of European companies created from scratch since 1980
have made it into the list of the 1,000 biggest EU companies by market
capitalisation. The equivalent figure for America is 22%."

It's not that doing a start-up in Europe means you're doomed. There are just
fewer of them that make it big.

Also, "Europe" encompasses a bunch of different nations with different
attitudes and laws. The U.K. is much different than Finland, or Denmark,
etc... So bunching them all together as I did isn't entirely fair.

If you look at one of the charts in the article, Denmark/Sweden/Finland are all
in line with the U.S. when it comes to venture capital. If you look at Europe
as a whole at the bottom of the chart, averaging all nations together, you see
a much different picture.

------
fauigerzigerk
If this proposal passes (which I doubt) I'm going to write a letter to the
commissioner, demanding that everyone gets to try washing machines for 60 days
and keep a copy of the machine after returning it.

------
dexen
If you are an open-source developer, you could write in the license or
documentation, `This software does whatever its source code states it does'.
Joe the Average User doesn't need to read through the code himself; there are
enough geeks on his friend list to have this covered. In spite of reeking of
RTFM-ness, this approach actually is about the only honest one; all other ways of
documenting are simplifications, approximations and literally shuffling dirt
under the rug by assuming the nonexistence of bugs.

However, due to the exceptionally high complexity, and hard-to-predict
interactions between the various software and hardware components of a system, you
need to put strong disclaimers in place: `Unless there are faults in the compiler,
libraries, the underlying OS or your hardware' makes any responsibility very
diluted and hard to prove at best. And let's not forget about the -- very
uncommon, but occurring nonetheless -- random flips of bits in memory, which
may bring the system down or silently corrupt code or data in unreproducible
ways, regardless of software and hardware quality.

The only actual cure for software reliability is to use simpler systems, made up
of loosely coupled components, where the failure of one doesn't affect the others, and
it's easy to restart from the previous step. It's the big, opaque, monolithic,
all-encompassing applications or systems that bomb and trash your data that are
the most problematic. Outlaw those.

------
anigbrowl
They should put forward computer scientists to refute this, rather than
business representatives. Oh well, we can laugh at their ignorance, but it's
easy to overlook the fact that companies in a large fragmented market
sometimes gouge consumers for years and falsely shift the blame for high
prices onto whatever government happens to be handy. Having worked for some
privatized utilities over there, management is often focused on accumulating
as much money as possible rather than improving service for the consumer.

------
axod
The EU needs disbanding :( Complete waste of money. This is just another
example of them making up work for themselves to do to justify their
existence.

Only someone with no clue about programming would suggest something like this.

It's very worrying that unelected 'officials' being paid by us can try to pass
laws that no one wants.

~~~
zcrar70
_Only someone with no clue about programming would suggest something like
this._ _It's very worrying that unelected 'officials' being paid by us can try
to pass laws that no one wants._

Unfortunately, that type of thing happens all over the world, not just in the
EU parliament. I don't think that disbanding the EU would resolve the problem
of politicians making decisions about things they have little to no
understanding of.

~~~
axod
True, but at least without the EU, the UK would be free again to govern itself
unhindered, with its own elected politicians.

~~~
weavejester
I don't think our politicians are any better, really. Local politicians make
equally bone-headed moves, such as the UK's DNA retention schemes, or France's
3-strikes rule. In these cases, the EU has actually been the one opposing
political idiocy.

It's also worth noting that most dumb ideas from the EU (including this one)
come from the unelected European Commission. The EU parliament, whilst far
from perfect, doesn't seem to be quite so stupid, and unlike the EC, the EU
parliament is made up of elected MEPs.

I'd be in full favour of getting rid of the EC, but the EU has been a very
powerful economic equalizer in Europe, which in the long term is probably a
good thing for all European countries. It's also a force that discourages
local politicians from being dumber than average, so schemes like punishing
people outside the judicial system, or keeping the DNA of innocent people tend
to be resisted by most MEPs.

At least, that's been my experience with the EU. Feel free to come up with
counterexamples :)

------
elecengin
As an electrical engineering grad, I have thought about the option of becoming
a Professional Engineer. The idea behind the PE certification is professional
responsibility - I see very little wrong with requiring that an engineer
stands behind their work.

Unfortunately, software does have the formal verification problems discussed
above, so there may have to be modifications made to how this responsibility
is handled.

At the same time, I find it very troubling that software engineers who produce
shoddy products - bad security, unsafe control system code - are not held
responsible. If nobody takes responsibility to "sign off" on a design, who is
the one that is going to spend the time necessary to verify its function to
the proper degree it deserves?

------
gustavo_duarte
Here's Marcus Ranum on Software Liability:

Inviting Cockroaches to the Feast
([http://www.ranum.com/security/computer_security/editorials/l...](http://www.ranum.com/security/computer_security/editorials/lawyers/index.html))

