EC wants software makers held liable for code

EC wants software makers held liable for code

Summary: Software companies could be held responsible for the security and efficacy of their products, if a new European Commission consumer protection proposal becomes law.

Software companies could be held responsible for the security and efficacy of their products, if a new European Commission consumer protection proposal becomes law.

Commissioners Viviane Reding and Meglena Kuneva have proposed that EU consumer protections for physical products be extended to software. The suggested change in the law is part of an EU action agenda put forward by the commissioners after identifying gaps in EU consumer protection rules.

A priority area for possible EU action is "extending the principles of consumer protection rules to cover licensing agreements of products like software downloaded for virus protection, games or other licensed content", according to the commissioners' agenda. "Licensing should guarantee consumers the same basic rights as when they purchase a good: the right to get a product that works with fair commercial conditions."

EU consumer commissioner Kuneva said that more accountability for software makers, and for companies providing digital services, would lead to greater consumer choice.

"If we want consumers to shop around and exploit the potential of digital communications, then we need to give them confidence that their rights are guaranteed," said Kuneva. "That means putting in place and enforcing clear consumer rights that meet the high standards already existing in the main street. [The] internet has everything to offer consumers, but we need to build trust so that people can shop around with peace of mind."

The Business Software Alliance (BSA), which represents the interests of software makers including Apple, IBM and Microsoft, criticized the proposals.

"Digital content is not a tangible good and should not be subject to the same liability rules as toasters," BSA director of public policy Francisco Mingorance told ZDNet UK on Thursday. "Unlike tangible goods, creators of digital content cannot predict with a high degree of certainty both the product's anticipated uses and its potential performance."

Mingorance said the performance of a piece of software depends on the environment it operates in, how the code is updated, whether it is possible to adapt and modify the software, and whether the code is attacked.

According to Mingorance, the proposed regulatory extension would cover all software, including beta products, and would cover both proprietary and open-source software.

Right now, under the current EU Sales and Guarantees Directive, physical products are expected to carry a guarantee of two years. Extending those terms to software would have the effect of limiting customer choice, as contract terms would have to be extended to a minimum of two years, Mingorance added.

"Extending the scope would force the businesses to maintain update services for such contracts beyond the contractual term and ultimately limit the choice of offers," the BSA director said. "It is like renting your house for a summer month and being then obliged to extend the rent for another 23 months."

In addition, Mingorance said that extending consumer regulation to software could lead to less interoperability between software products, as manufacturers might decide to limit how far third-party developers could access their code.

Software companies have long argued against accepting responsibility for the security and efficiency of their code. Linux kernel developer Alan Cox in 2007 told a House of Lords Committee that neither proprietary nor open-source developers should be held accountable for their code.

This article was originally posted on ZDNet UK.

Topics: CXO, Government, Government UK, Open Source, Software, IT Employment

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • ABOUT TIME!!!!

    This goes for everyone...

    Only in software can you find a known defect and
    then have to pay for the "upgrade" to fix the
    • What products are you buying?

      I have never had to pay for an upgrade to fix a bug in any software I have owned or managed. Not sure what you are buying, but thats not right at all and I would not buy from them again. I think this is too dependent on situations outside of the software makers control to be a successful program. Maybe if you were selling software to only people that had great computing practices, but we all know that is not the case by far. In theory its a great idea, but in reality is not at all.
      • Any Microsoft OS for one...

        There are numerous bugs, holes, etc in, say NT,
        98, etc that will never be fixed.

        There are many bugs, issues, etc in Office that
        go unfixed only to be fixed "in the next

        Heck, you can even look at Apple, SAP, etc. for
        evidence of this.
        • So just admit it....

          Your post was a shot at microsoft and then you try to cover it up with even evidence of this from Apple and SAP. You could probably make your statement for just about any software in the world. My main concern is if the product is doing what I need it to do. Every product has a bug at sometime, I don't care what it is, but I never had a bug that wasn't fixed stand in my way of doing what I needed the software to do. I never had to go buy the upgraded product to get the fix and I am sure many others out there have the same exact experience? But thats just my experience.
          • Not at all.

            I don't have to patch the computer in my car -
            it starts each and every time.

            I don't have to patch my DVD player - it works.

            Software should be the same thing....
          • Ummm, you want to try again?

            You should present things in the correct context. That woiuld be for Cars, you should talk about maintenance. If you didn't change the oil and do regular maintenance, it will not continue to start "Every time"
            But furthermore, and more importantly, allow me a simple example of how misleading and actually just plain wrong your argument is.
            I bought a Honda Accord in 1995 and I think it's safe to say they are known for quality, the CD player had to be replaced immediately after I found out it didn't work. Even more distressing was that I had to bring the thing in for about a dozen recall items over the first few years, that in some cases were BUGS that could cause the car to EXPLODE, shutdown or cause a fire, if not repaired.
            Want to try again?
          • I think what itguy08 means is that...

            Often a piece of software will have a known bug and the company will
            issue a "workaround". Basically, it's just a series of steps that allow you
            to get around the bug. The company hasn't fixed the bug, but they've
            forced you to work around the bug. Adobe and Macromedia come to
            mind, but Apple and Microsoft do engage in this sort of thing as well.
            Oftentimes, but not always, the next paid upgrade will fix the bug, but
            you have to pay for that. I've seen this many times so I don't think any
            specific examples are required to make the case.
          • Stop it...

            So because [i]you[/i] had a problem with car in 1995, this guys post is wrong. You, my friend, are arrogant and conceited. His point could have been easily made about cd players or dvd players or microwave ovens of any hardware that requires control software or an OS. How about not being so 'clever' and showing people a little bit of respect.
          • Jack. I understood his point...and his earlier posts too...

            where he, of course, throws the main dig at MS.
            Sorry but doesn't even the MS haters club get tired of that? <br>
            Anyway, this is not just a software phenomenon. There have been thousands of suits against manufacturers for defective parts that are non computer related. It's too subjective to claim whether they were on purpose or not. <br>
            The car analogy is still a bad one. And I'm just pointing this out, unlike what "Bored" had to say, that car recalls are very very common. Perhaps bored has never owned a new car, or he's really special and has never had one with a recall. Recalls have been issued for everything from autos to toys. Someone is liable. <br>
            This would be like calling for all engineering to be responsible for every product ever manufactured on this earth that required engineering. That is my point and singling out software developers is asinine. The EU has shown how asinine government can be many times in the past though, so it's not a surprise.
          • @bored. could you please try to have some level of...

            civility in your posts. The OP had a string of posts. He dings MS, as I said to Jack, and it's tiring.
            But my point was no aimed at being "clever" and I don't ever even consider the idea of being "clever" when I post. Nor do I try to be offensive or hurtful or hate filled or radical or religiously fervent.
            You are talking about the I hate MS club when that level of emotion and hate and anger are contained in a post. Try telling them off. (like you would).
            I'll repeat my point. All products, software or not, have defects. Recalls are VERY common, even if you've not had a car that was recalled. That was one example. every car we've owned has had at least one recall. Most all new cars do in the first 2 or 3 years...or more. You are trying to say I was purposely being "clever" with that? <br>
            You need to get out. Do you have a job and a car? Never a recall? Never owned a product or heard of products with recalls? There are toys being recalled all of the time and not just those made in china. <br>
            AGain, my point is if software makers are to be punished for bugs, then every product maker should be punished. And if it's the developers as the scapegoats for software, then it's the engineers are architects for other "hard" goods when they fail. Why not?
            It's the same damn thing. <br>
            The EU displays a lack of common sense far too often IMHO.
          • Appliences as apposed to general purpose computers

            Your DVD player and engine managemnt computer are dedicated appliances. Closed systems that are tasked with doing specific jobs. They don't also have to route your mail, run your webserver, talk to an Oracle database, defrag large multiterrabyte disks, mount small 2MB flashdrives, play .aac .m4a .mp3 .ogg .avi .mov .qt files in what ever player you choose. It doesn't have to secure your banking, provide protection to other software running in the car, manage the network, provide a rich complex GUI etc.

          • Re: Not at all

            Are you referring to your thinking. Not everyone's car or DVD player starts every time. Also, if someone smashes your car or dvd player it may stop working. This proposal must come from an inexperienced person or an idiot. This could lead to software manufacturers having to take strict controls on how you use their software in oder to ensure proper operation. Ah, you were surfing dangerous areas. No longer covered. no more updates.
            Col Mustard
          • I had to patch both of those

            I my car I had O2 Sensor that kept failing. I took it in and the sensor was fine but the chip wasn't registering it right. So they flashed the chip with newer version of the software.

            An older DVD player I had to download patch, burn it CD then run it in my DVD player. This was to fix a problem with some commercial DVDs that the player couldn't read.
    • Sounds good in theory

      No so much in practice.

      Using the toaster analogy, would you expect the toaster to work underwater? How about a US toaster taken to Europe or Japan? Oh, and what do you mean this toaster can't handle bagels? It's a toaster, innit?

      Oh, some SOB used a *toaster* to smash open my car window! Quick, sue General Electric for making a dangerous product! I bet that thing could *kill* somebody if you hit them with it...

      Most significant software starts at a line count of at least 100,000 lines of code. Now lets say there's a law that says developers are responsible for software security flaws.

      I create a new program and market it, using best security practices. It's immune to every known security hack.

      Then a week after it goes on sale some twisted genius comes up with a bizarre *new* attack nobody ever heard of. It's brilliant, and cuts through most security like swiss cheese.

      Should I be responsible because I didn't forsee a mad genius's new hack? According to this proposed law I would be.

      How's that fair again? Of course such a law would favor big corporations, who could afford the massive testing you'll need to comply. Guess who's now screwed?

      Open source, for one. The little mom and pop shops for another. Individual programmers who can't possibly afford the efforts required.

      Oh, and innovation? Forget it. Everybody's too busy locking things down, pulling *out* features that are too hard to secure.

      Best practice, security wise. If a feature's *NOT* there you can't attack it. Make developers responsible for security breaches and that's exactly what they'll do. It's what *I* would do, and I'm a developer.

      Of course, programs will be *very* secure. They'll cost 5 times as much, be delivered in 10 years as opposed to 6 months, and not do a whole lot--but by God you won't be able to break them with a sledgehammer!

      That the software landscape you want?
      • it is good

        [i]Guess who's now screwed?

        Open source, for one. The little mom and pop shops for another. Individual programmers who can't possibly afford the efforts required.
        Nope, FOSS can not be technically held accountable because you got a free product and the contributors can't control how their software will be used and reused.
        It is the proprietary companies that have to lose a lot.
        Linux Geek
        • That's not how law works

          Proprietary companies can't control how people will use their software, no more than toaster companies can.

          However, FOSS *won't* be excluded, especially if/when FOSS becomes an important component of the software eco-system.

          You know how lawsuit-happy people can be. How'd you like to be on the receiving end of a class-action lawsuit--or worse, a DOJ lawsuit? (Should this law eventually make its way into US law-makers heads).

          Don't think it can't happen, because it easily could.
          • I agree with your points...

            ...but, believe it or not, individuals in the EU are generally [i]less[/i] litigeous. Litigation is mainly B2B.
        • If you get a free toater and it electrocutes you

          the company building the toaster is liable.

          Free does not get you off the hook of a lwasuit:

          If your product contributes to someone's loss, then your company will be in court.

          Plus, proprietary companies [i]cannot control how their software will be used and reused[/i]
        • If they go...

          after the delvelopers even FOSS will be gone after the first couple of developers get held accountable then the rest will be running scared.
        • Libre != Free

          At my site, we pay for quite a lot of "Free Software"
          We pay for maintenance and updates on system based on Centos, which uses a MySQL database, we pay for VMWare which contains a Redhat based service console, and can read and write NFS drives, and uses many free GNU utilities along with the proprietary VMWare commands.

          However, there should be a basic fit-for-purpose test, but then I test drive all the cars I intend to buy, and I trial any software I intend to buy. If the vendor is still around after two years, I would expect patches, support and udates.
          (my Ford Mondeo had a recall for an earthing strap fault, was fixed at the next service for nothing) I can subscribe to updates for Vista and it gets patched, and my betbook as Ubuntu LTS, so I will get pathces on it for three years. All currently better than what the EU is asking for.