October 27th, 2024

The EU Throws a Hand Grenade on Software Liability

The EU has updated product liability laws to include software, enabling consumer claims for damages and enhancing cybersecurity, while the U.S. struggles to establish clear software liability standards amid political challenges.

The European Union (EU) is taking a significant step towards software liability, contrasting with the United States' more cautious approach. The EU has updated its product liability directive to treat software as a product, allowing consumers to claim damages for defective software without having to prove negligence. The directive aims to hold software companies accountable for the security of their products, addressing the concern that the current system encourages underinvestment in product security. It sets a high bar: a company can avoid liability only by demonstrating that the defect was not discoverable given the objective state of scientific and technical knowledge at the time the product was put on the market. The change is part of a broader effort to improve cybersecurity and product safety in the EU, and member states have two years to transpose the provisions into national law. In contrast, the U.S. has yet to establish clear standards for software liability, facing political resistance and industry lobbying. The Biden administration's National Cybersecurity Strategy calls for legislation defining secure development standards, but progress has been slow. The EU's approach could change how software is developed and marketed, increasing accountability and pushing the industry toward better security practices.

- The EU has updated product liability laws to include software, allowing consumer claims for damages.

- Software companies can avoid liability only by proving defects were undiscoverable at the time of release.

- The directive aims to enhance cybersecurity and product safety across the EU.

- The U.S. is lagging in establishing software liability standards, facing political and lobbying challenges.

- The Biden administration's strategy emphasizes the need for secure development standards in software.

13 comments
By @com - 6 months
It’s really interesting how tech has had a lot of special exemptions from rules that apply to normal businesses, and how these are being rolled back slowly.

On the face of it, having a product security obligation doesn’t seem too extreme, since most manufactured goods and service offerings operate under similar rules.

I’m a bit worried that the “move fast, break things” mindset in SaaS startups isn’t going to be easy to change, and that, in the context of product liability, might have big impacts on future profitability and valuations too.

By @molticrystal - 6 months
>the producer has to provide compensation irrespectively of whether there is negligence or fault on their part.

This sounds terrible: anybody gaining access to a Unix-based shell and running rm -rf /*. It is going to make proprietary products close up even tighter so they don't have something similar to the US's "Hot Coffee" incident on GTA, and reduce modding ability.

By @charles_f - 6 months
If this goes, we can assume that like other practices where practitioners are liable:

- insurance industry will come in and be the real winner.

- practitioners will be required to have some sort of license to practice (eg be professional engineers).

- there will be norms, standards, certification authorities, and review committees for when something falls through. The auditing business might also come into the case.

- there will appear some sort of a caste system, such as doctors/nurses/medical assistants, dentists/dental assistants/dental receptionists, lawyers/legal assistants, etc.

- costs and delays will go up for the customers, by much more than the occasional payoff from a lawsuit will bring

- quality, notably of compliance and security, will go up, which is what's desired by that law.

By @goethes_kind - 6 months
My reading of this: the EU wants to give its old fashioned SME software houses a chance with their software products, against the likes of FAANG that typically offer the software for free.

Of course this also hurts EU startups, but that does not concern Brussels because the whole EU establishment is always defending the incumbents. And this is imho one of the reasons the EU is falling behind, because incumbents don't react well to paradigm shifts. It's a losing strategy. For all its many faults the US seems to have realized a long time ago that you cannot protect incumbents at the cost of startups.

By @keikobadthebad - 6 months
How does this apply to FOSS under a license that explicitly doesn't provide any warranty?

By @eesmith - 6 months
I provide a source license to my software. How does this affect me and my European customers?

More specifically, the directive says:

> Information is not, however, to be considered a product, and product liability rules should therefore not apply to the content of digital files, such as media files or e-books or the mere source code of software.

All I send is a license and copy of 'the mere source code of software'. Does that mean my product is not included under this directive?

By @pjmlp - 6 months
Nice to see, it is about time liabilities start being taken into account, especially if this is the only way to make software companies care about best practices.

By @whimsicalism - 6 months
The EU should be trying to move away from greater liability burden, as the US has also realized it is a mistake with its current litigation nightmare.

It saddens me how poorly the bloc seems to be governed right now. It should basically be all hands on deck for capital markets formation.

Tort reform is one of the major ways economists/prominent policymakers believe we could improve in the US, but of course the EU goes the exact opposite direction.

By @lifeisstillgood - 6 months
My guess is that FOSS is the big winner here.

I think the analogy with locks is that most locks on the market will be given away for free, and then the liability rests on the person who selects the lock: protect your bank vault with a Masterlock screwed into a 2x4 and you are in trouble. Select a FOSS solution and you might also be in trouble, but the developers aren't.

By @lifeisstillgood - 6 months
I have a slightly different analogy (law, it seems, is made like Hollywood films: “It’s like Alien but on a cruise ship”).

Software is a form of literacy - not a product.

The product is the hardware. And the actions the hardware takes.

So want to add two numbers together ? There is a specific set of transistors that does that. And machine code. But at some point the python code or the Haskell code is an expression of human thought - literacy.

And you can choose different software to do the same adding up.

One can write an article many different ways, biases, slants etc.

But the publisher only chooses one

And so businesses offer software products like publishers offer articles and books

The publisher is liable

And if your business is publishing other peoples articles and you not only have not read it but cannot even read, why is it the authors problem?

I think this take on FOSS vs an article written for hire might be useful

I would also suggest that there is a level of reliance on the “canon”: importing a standard library would not suggest liability for that library.

By @kachurovskiy - 6 months
There was a lot of commotion about 2018 GDPR but it turned out to be rather uneventful, some basic practices have been adopted, very few companies were fined a small amount and the question is largely settled. For small companies and individual devs, pretty much nothing changed apart from adding a boilerplate ToS and PP to their projects.

I would expect this legislative change to follow a similar path. If you run a business, liability is a big concern from the start and this extension of the liability scope seems reasonable overall. I'd say they even tread lightly here as "damages for professional use are explicitly excluded".

By @throw7 - 6 months
the “objective state of scientific and technical knowledge”

snort

By @zaroth - 6 months
If this actually becomes law, it instantly makes it too dangerous to bother for me to ever ship software into the EU again.

> Under this law, consumers can claim compensation for damages caused by defective products without having to prove the vendor was negligent or irresponsible. In addition to personal injury or property damages, for software products, damages may be awarded for the loss or destruction of data. Rather than define a minimum software development standard, the directive sets what we regard as the highest possible bar. Software makers can avoid liability if they prove a defect was not discoverable given the “objective state of scientific and technical knowledge” at the time the product was put on the market.

Look at the liability standard they are pushing! Not willful negligence, not reasonable care, but rather it sounds more akin to “could the bug have even theoretically been prevented given perfect information and unlimited funds”.

Yeah, no thanks, I’m human, so I won’t be accepting that level of liability for words I write into a text editor any time soon.

And kinda mind boggling that anyone who knows anything about how software actually works wouldn’t see this as completely batshit insane.

A more reasonable standard (malicious intent or reckless disregard for human safety would be a good starting point) would go a long way toward fixing this.

This current standard would get any developer sued out of existence by armies of AI lawyers long before you can ship a patch, when someone complains that your software's divide-by-zero bug caused them “damages”.

And get a load of this:

> Burden of proof: When the injured consumer is faced with excessive difficulties to prove the defectiveness of the product or the causal link between its defectiveness and the damage, a court may decide that the claimant is only required to prove the likelihood that the product was defective or that its defectiveness is a likely cause of the damage.

There’s a reason why EU GDP has completely stagnated versus the US, and the EU tech sector is a virtual rounding error in the world… and this trash mentality is a big part of it.

But wait, it gets worse…

> Circular economy: When a product is repaired and upgraded outside the original manufacturer’s control, the company or person that modified the product should be held liable.

Bye bye downstream distro patches! And knowing the EU, they’ll say that “import Foo from Bar as MyFoo” is a “modification” and try to make anyone with cash in their pocket liable for any bug in any dependency they link to…

> Online platforms can be held liable for a defective product sold on their platform just like any other economic operators if they act like one.

Bye bye app stores! Of course some will probably cheer this blindly ignoring or not comprehending the extraordinary value creation app stores are responsible for.