Comments on: EC wants software makers held liable for code

After identifying gaps in EU consumer protection rules, the European Commission is proposing that software makers give guarantees about the security and efficiency of their code.

[someguy999]

Too funny! So now the EU wants a guarantee on code! I'm sure some brilliant guy thought of this as a way to get at MS... but now what for open source? Does that mean that any site that offers as a download a piece of opensource code is now liable?

This is the type of thing that somebody says without thinking of all of the downstream affects. Effectively you'd be limiting software to be able to be developed by only the most well funded so basically we're back to a world where it woudl be MS/Oracle/IBM and now Google as well...

Sometimes the EU needs to think before they speak.

[monkeyfun14]

This would screw Apple and Linux too..

[NickH]

> This would screw Apple and Linux too..

I think thats his point.

[bigpicture]

I thought the article was about software licensing agreements, you know the ones with the fine print that basically take away all of the consumer rights. When you read them you realize you don't own the software that you thought you bought. Sort of like the same kind of thing Obama is onto with the credit card companies. You know the ones: stealing money from the customer without providing any kind of service. The same kind of thing that brought on this economic condition. Steal but don't produce a useful product business model.

[michael_j_x]

You know that in the UK if a software is sold as a CD it is considered a tangible good, thus it falls under the Consumer Protection Act, whilst if it is downloadable then it does not. Funny.

[ferricoxide]

@bigpicture:
> I thought the article was about software licensing agreements,
> you know the ones with the fine print that basically take away all
> of the consumer rights.

Pretty much *all* software carries a license, even free software (things like the GNU, BSD and other licensing models). So, the EU is essentially looking to make all software production and distribution move offshore. I know for a fact that, were I to be held individually or jointly liable for code I contributed in good faith to OSS projects, I'd stop contributing.

[ajhoughton]

@michael_j_x:
No, the tangible good is the CD (i.e. the medium on which the program is distributed), and possibly the box it is in. The software is still intangible and still doesn't fall under the Consumer Protection Act.

So the Consumer Protection Act can be invoked if the CD is itself defective in some way, but not if there is a bug in the software you bought.

[Seaspray0]

The next thing you know, the EU will make doctors liable for patients that die, even if the doctor did everything by the book and in good faith.

[pentest]

Why should software houses get a free ride on liability for producing crap?

I bet you wouldn't cry about a defective toaster burning down a house.

[NickH]

The problem here is this: If you make toasters, maybe 1% have manufacturing issues, and you get warranty claims on those. With software, there is no such thing as a manufacturing defect, every copy is identical, so if one bug crops up, you face claims for 100% of your customers. Couple this with the fact thats its mathematically impossible to verify any significant peice of software is 100% defect free, and you create an impossible situation for software makers.

If this goes through, expect a good deal less software available in the EU, and significant increases in price in the medium term.

Mrs Reding ought to spend some time educating herself on the realities of software engineering.

[monkeyfun14]

What can you expect though from some gray hairs that grew up in the 50's and 60's though.

[Mergatroid Mania]

Your comment is as much a joke as the software warranties.

[jnork]

@monkeyfun14:

"What can you expect though from some gray hairs that grew up in the 50's and 60's though."

Um, you're talking about me, right? Hair's not grey yet, lots of salt in my beard. Though I'd say it's more silver than gray. Born January 1957.

I'd say that the EU commission definitely has no clue. Require to adhere to license terms, yes. Improve license terms, yes. But software isn't hardware, well, NickH has the right of it.

So what CAN you expect from a gray-hair from the '60s? Oh, pretty much the same as any other group: from each depending on his level of ignorance.

[pentest]

The problem is that software companies know they are off the hook and use that fact to release shoddy software.

It is possible to produce quality, reliable software.

[rmva]

I have an idea. Let's all take the month of August off and hope that the economy is still there when we get back.

[sharmajunior]

THe software manufacturers really have to get their acts together then. If they can't get common bugs during testing that a normal consumer may run into, then they should be sued and pay for it. THey should perhaps hire professional hackers, etc. to look for loopholes in their software and make them better. Of course any exploit caused by the stupidity of the user would be not be ruled for.

[monkeyfun14]

Look there are millions of things that can go wrong something might be up with a certain piece of hardware it may conflict with other running programs etc etc...

[nachurboy]

Maybe the EU should hold authors liable for having spelling and grammatical errors as well? I mean, that's what they're proposing when they make the claim that software vendors should be held liable for bugs. Bugs are simply due to spelling or grammatical error in code. Spelling error would be like a bug where something crashes due to some syntactical error. A grammatical error would be a logic error where something crashes or doesn't work right because it wasn't written to act in the proper way.

[Mmmhmm]

@nachurboy

The obvious difference being that if an author of a book makes a grammatical error it doesn't run the risk of burning another page out of the book, or that of a different book on your bookshelf, or crash your bookshelf to the floor, or unlock your front door so a thief can sneak in and read through your library... ;)

[TamarC]

@Mmmhmm but I could argue that it affected my vocabulary and in such cauzed me personal harm and in my mind financial stability. The simple problem with this law is, People who know nothing about Software are trying to pass a law about software.

[Qtechbg]

@TamarC - So what? They're seeing the problem from the consumer's stand point.About time someone does. I understand software companies do not want to advance deadlines or prolong software development in the name of The user, but they also tend to publish unfinished and flawed products then wash their hands with these EULAs. It is bad for bussiness to increase warranty or production time but it is worse for the customers to suffer their greediness. Pick your side but don't blame EU for trying to stop this bad practice...

[ajhoughton]

Speaking *as* a software developer, the problem is that what consumers regard as "common bugs" that "should be caught during testing" may very well differ markedly from the actual reality.

Put another way, if your software contains a bug, then however difficult it is to trigger it you will get someone e-mailing or phoning you up to tell you that it's appalling that you shipped it with a bug and that you should have caught it during your testing (ignoring the fact that you may have to dance naked around a maple tree on a full moon while chanting the words to Hallelujah backwards in Greek in order to trigger it; this may sound like an exaggeration but software quite often has bugs that can only be triggered by events just as random or stupid).

It is, I think, generally right that developers should make a reasonable effort to put right any defects (and I think most do), but I think you have to be realistic about (a) how often customers are likely to encounter it, (b) whether the developer can in fact reproduce the problem, and (c) the amount of effort required to fix it. None of these things are necessarily obvious to a layman, which is one very good reason that politicians (who are not also programmers) shouldn't be legislating about this without taking advice from people in the industry.

If you think otherwise you're really arguing that software should be *much* more expensive than it currently is, because we'll all have to write our code the way the safety critical people do, which is no fun at all (so no indie developers), takes aeons and costs a small fortune. In that world, all software is written by boring men in grey suits, and while it's 100% reliable, they won't be able to implement half the features you want because of time constraints and because it's impossible to prove that some of them work.

[jnork]

Sounds easy, doesn't it?

"Of course any exploit caused by the stupidity of the user would be not be ruled for."

Hah. Courts love to stick it to the big, bad corporations these days, no matter who is actually at fault. Chances are they'd find for the user on the grounds that the software should have anticipated the action and prevented it.

I'm serious.

"If they can't get common bugs during testing that a normal consumer may run into, then they should be sued and pay for it."

What's a "common bug"? Define, please, and be unequivocal. That means there can be no doubt whether a specific bug is "common". Like, say, in court., which is where you want this to go.

And... betas? The whole IDEA of a beta is to find problems by letting people play with it who will likely try things you never thought of. This commission has the cart before the horse.

[brian.lee]

I don't see why posters have such a problem with this idea, it would give software developers more credibility perhaps even consider it an actual profession. If you look at any professions out there doctors, engineers (not software engineers), nurses, even insurance salesmen have to be insured to be legally allowed to do their job. Why should software developers get off so easily?

[Imalittleteapot]

Because there is no known way to make a program "secure". The only thing we know how to do is make it more secure or less secure so a good developer will attempt to make it as secure as possible, but it'll still have a hole in it. Finding a way to remove all bugs from a program would be the holy grail. If you could figure out how to remove all bugs you'd basically be praised as a God in the technology community and you'd probably be considered the smartest man/women alive on the face of the earth. There's many reasons for this, but it takes a few years of study to understand why this happens.

Until that time the only promise you can make is that once you know of a flaw you'll do your best to fix it. Problem is fixing one bug usually leads to introducing a new bug. They don't know how to stop that from happening either. If anyone figures out how please let me know.

[unknown unknown]

"I don't see why posters have such a problem with this idea"

You mean other than raising costs and putting an end to amateur and smaller scale development? Not to mention the difficulty of find bugs in non-trivial software and the extensive use of third party libraries.


"it would give software developers more credibility perhaps even consider it an actual profession."

Your apparent lack of understand does not negate software engineering and development as a legitimate profession. This wouldn't create credibility just increase cost (try debugging a non-trivial program). You might also want to familiarize your self with the definition of profession http://dictionary.reference.com/dic?q=profession&search=search

[pentest]

"You mean other than raising costs and putting an end to amateur and smaller scale development? "

***?

Amateurs should not be writing software. Period. Many "professional" programmers are amateurs as well.

[Jim1900]

This proposal is probably being financed by some U.S. manufacturer. It would cause MS (among others) to pull out of Europe. The whole continent would collapse into a technological backwater. The U.S. would rule the world.

[JCPayne]

Yep all the U.S. companies will have to sell off their European interests and focus on the US, Canada, and Japan alone instead... After all Brazil has a Linux programme in place already. Africa is going Linux. and China has Red Flag Linux supported by the government....

[nachurboy]

This wouldn't only affect desktop applications. It would affect just about everything, as any computing device from cell phones to missile control, planes, cars, etc. run on software, not just desktop PC's.

[TamarC]

I actually don't see this is a much of a bad thing, They should pull out atleast for a while. The EU is such Bigots these days, run by Power hungry and DUMB people.

[Imalittleteapot]

On the rare occasions I do write a piece of software ( as I'm not a software developer) I always give a guarantee. I guarantee you that it will have unknown bugs. Some of which will cause it to crash at random times. Others will cause it to not work properly. Others may lead to your system being compromised, and others in rare circumstances could lead to a compromise of security.

But then again, that's just like every other software program. Use at your risk, don't like it GO AWAY and get it from someone else.

However, I also guarantee that once I find or am made aware of such bugs I'll work quickly to patch them up as long as it is within my power. That's the only guarantee I'll ever make.

[SergeM256]

I would take many years of arguing to come up with definition of what software defect is (as opposed to improper use from user). If your crash your car into a wall and car breaks - is it a defect? If user clicks OK button to allow execution of unknown file from unknown source - how is it different from driving into a wall? I guess MS and others would have to modify warning messages, something like "click OK to allow execution of this file but if you click OK we are not responsible for anything that may happen".

[kheechun]

LOL, EC is always a joke. So, MS should come out with a built in antivirus, and then the EC will get at them with the antitrust law?

[JCPayne]

Microsoft shares to crash.... LOL

[nachurboy]

If their idiotic law is passed, you can guarantee no one will fix bugs as it would be an admission of a bug and they would be held liable. Besides, no one outside the software company could verify any denials since the source would not be available. If the company is compelled by law to release source, first of all, who would the prosecution hire to go through the code and figure out if it's that specific application that's at fault (and not the system or another application) and where in millions of lines of code the error is, and second no one would make proprietary software since the court would expose any trade secrets by hiring an expert to examine the code.

If they had any idea about how programs are written (which they obviously don't), they would immediately drop this unenforceable proposal.

[unknown unknown]

"Besides, no one outside the software company could verify any denials since the source would not be available."

It's possible to verify bugs without the source code.

[nachurboy]

How do you know it's the software and not the OS, your hardware, or something was hacked?

[nachurboy]

Case in point. I thought the OS I installed was having device driver problems because the system crashed at random. Turns out, it was a bad memory stick. Unless you are technically skilled, a normal user might be under the impression (and I've seen people swear it is) the software is buggy.

[bigpicture]

I thought this was about the license and not about the code. Have you ever read an EULA? It basically says: THIS SOFTWARE IS A PIECE OF CRAP AND WE DON'T GUARANTEE THAT IT IS FIT FOR ANYTHING, BUT YOU OWE US $250.00 AND IF IT DOES NOT WORK YOU HAVE NO RIGHT TO SUE US. I have never seen that kind of warranty come with a Toaster. As to Open Source, if they don't charge for the software, and put in a provision that it was experimental and for educational purposes only, they would probably be off the hook.

[unknown unknown]

"How do you know it's the software and not the OS, your hardware, or something was hacked?"

Process of elimination and there are debuggers that can be attached to programs. They allow you to examine the decompiled code and see the content of the process memory space, parsing out variables etc. I wasn't talking about the average user, just responding to your general statement that source code is need to confirm bugs.

[nachurboy]

"Process of elimination and there are debuggers that can be attached to programs. They allow you to examine the decompiled code and see the content of the process memory space, parsing out variables etc."

Actually, a debugger will only show you assembly code, if it's from a compiled language. Without the source and symbol files, you won't see variables, or intended logic (since the machine code output is the compiler's interpretation of my source) with a debugger. The problem with that obviously is, I can argue that the compiler could have introduced a bug. Will the prosecution test the compiler to see if it's the source of the error?

I'm not saying logically you couldn't point to the application as being faulty. I'm saying legally speaking, you couldn't prove it because observable fact isn't really fact, and can be countered with reasonable doubt (ie. something else could have caused the problem) without examination of source.

[unknown unknown]

The E.C is just determined to make the E.U an unappealing market. If you think software like Windows and Office are expensive now, just wait until they have to guarantee it for unknown system configurations with unknown third party software.

[professionaladventurer]

What a bunch of crying baby's, get a grip. Evey time someone talks about regulation of some kind, baby's scream it will kill the little guys. Hasn't happened yet. You think you lazy coders in a rush to market can keep throwing out crap and calling it pudding? That's right consumers don't need any protection whether your code works as advertised. If they enact this law it will be the end of the world and the EU will fall in to ruin. Get over yourselves. The EU is a pretty big part of the world and anyone who does business there will do well. Bo Ho, your code has to be stable and work as you say it does. Ford is not responsible for a car engine blowing up if the consumer puts rocket fuel in it.

[Jim1900]

No, anyone who does business in the EU under the proposed rules will go broke. Just try it and see. Is any version of Windows (for example) bug free or totally secure? Do you want to wait for a version that is? How many decades?

[rapier1]

Obviously you've never ever written an application before.

[magicmaster]

Why not?

Read the End-User Licensing Agreement (EULA) and found out why the clauses are overwhelmingly unfair.
I knew few ever read it (Yeah, right).

Read the dlsclaimer section. THIS SECTION IS ALL WRITTEN IN BOLD, JUST LIKE THIS. THIS SECTION IS INVALID. COMMERCIAL "PRODUCTS" SHOULD BE HELD LIABLE FOR THEIR DEFECTS.

Why? If the softwares are to be used to handle health records, financial informations, judicial records, government records, personal records or other vital informations that has direct connection with people's lives, properties and fames, you will expect your records to be kept safe and free of errors. What happened if you have no criminal records, and software defects caused the records to show improper entries that may endanger your job search, relationship, or reputations? You can't say softwares are not liable for their defects. They can't simply walk away with your money and claimed no responsibilities.

[Imalittleteapot]

If developers knew a way to make software without flaws they would already be doing it to drive their competitors into the ground. The reason they're not doing it isn't because they don't want to. It's because they don't know how.

"They can't simply walk away with your money and claimed no responsibilities."

You're right, but they can just walk away. Nobody can make promises like that. Software doesn't work like that. That means you no longer have software to to handle health records, financial informations, judicial records, government records, personal records or other vital information because honest software developers will simply refuse to write it because they cannot make those promises to you.

The only software you would have is from people that lie. Ask yourself, who do you want to buy your software from? Someone who's honest and says look man, we have some of the smartest developers in world. We'll try as hard as we can, but we can't promise anything because as smart as we are, we're just not that smart yet. Or do you want to buy software from someone who lies and tells you their stuff is secure when they know it isn't?

Look, we don't know how to build software like that, just like we don't know how to build time machines. Liken it to a time machine. That's what you're asking for here. It would be like a company selling you a time machine. You and I know nobody knows how to make a time machine so who would you give your money to? A guy that is trying to sell you a time machine or a guy that says look man, I'll help you anyway I can, but I have no friggin clue how to build a time machine. Which would you trust?

[Imalittleteapot]

I mean crap, it's basically like telling doctors they have to promise that their patients won't die on the operating table. It's just not going to happen. No one knows how to do such a thing.

[magicmaster]

@imalittleapot
They enjoyed the rights, and so do the responsiblities.

Imagine the toaster developers argued:
"Since we can't predict that under what condition and circumstance the consumer uses our toasters,
we have to disclaim all responsiblities."

And book authors already are held accountable for what they write----Slander and Libel.
Software developers are no exceptions.

[ajhoughton]

@magicmaster:
Only a toaster is about fifty million times simpler than many of the bits of software you use every day. It's both possible and reasonable to test every function of a toaster.

If you think this is reasonable for software, I suggest you grab a copy of the Unicode book and have a read. The Unicode spec deals with the business of encoding human language and information, and with the algorithms you need to process it. You will find that it is a very big specification, and probably that you won't understand most of it.

Once you have been impressed by the complexity and volume of the specification, consider that Unicode is just a tiny part of the implementation of a modern wordprocessor. There is font rendering (very complicated), paragraph layout and page layout (complicated), graphics of various sorts (ranges from simple to very complicated), printing (which is a whole can of worms in and of itself, because there is often now a second rasteriser involved and your document and fonts may need to be turned into some other format in order to control that), colour management (highly mathematical but perhaps not that complicated; still I guarantee you wouldn't understand it without at least a few days' dedicated study), editing (much more complicated than it looks)? the list goes on and on.

Consumers (and that includes politicians) usually fail to understand just how incredibly complicated software is. Often that's because we developers have slogged our guts out trying to make it easy to use, coming up with all kinds of clever things that you will either never see or never appreciate, though they make your life much easier than it would otherwise be. And that is why non-experts should not be legislating in this area without expert advice, and it's why non-experts should *take* that advice rather than snubbing it.

[Imalittleteapot]

@magicmaster

It's not quite the same. In fact, I'll bet you $1000 you couldn't write a single line of code without a bug in it and that would function properly in all situations. Not one line of code. Software contains millions of lines of code. It just can't be done.

[Michael too]

The solution is I see it is that every software package will be sold as 'beta' software. Users will be invited to try out a beta version for a reduced fee, with no expectation of the software as a finished product. Amazingly enough, however, the final product will never ship.

[rapier1]

The articles states that the BSA feels that this would apply to beta and open source code as well.

"According to Mingorance, the proposed regulatory extension would cover all software, including beta products, and would cover both proprietary and open-source software."

[Bytrat]

You wouldn't even see the beta version of any program as the software company would still be held liable for any software released. Software development would grind to a halt as companies would be required to generate perfect code. Cost would spiral out of control and companies would stop development to keep costs under control. If this were to be implemented we would still be at DOS 1.0 and there would be no WINDOWS/OS X/LINUX. There would be no incremental increases in technology as innovation would stop untill any product is perfectly 100% useable in ALL configurations that could not be anticipated. Talk about the dark ages or the return to the dark ages.

[keeler7]

Seeing as it is impossible to prove that code is secure or efficient, I really cant see them enforcing this. You can say with some amount of certainty that it is probably safe and will probably be efficient but it is near impossible to ensure this.

[the_unknown_architect]

EULA:
This software is guaranteed free of defected under the condition that said software is installed on a system meeting the requirements of; Core2Duo extreme Q6850, 4GB DDR3 Ram, HD4870 1GB, and an ASUS P5E64 WS EVO running Windows Vista 64 Bit with default drivers from the factory as of 5-9-09. no other third party software may be installed or run with or along side of said software. failure to meet these requirements waives any guarantee that said software will run free of bug or defect.

Essentially If thats the system i run and if i develop software on it and it runs great for me then you can run it too, with a 2yr backing ill fix any issues, as long as you run on it that exact system. enjoy the new EULA, EC.

[ferricoxide]

Let's not forget: "and not attached to a network".

[Dave007B]

And keep it power down permanently. It ensures you'll have the safest system.

[pentest]

You obviously are clueless if you think you need exact specs to guarantee quality.

[James Anderson Merritt]

On a somewhat related note, was everyone here aware that people who hold garage sales, yard sales, and flea markets in the US are also liable for the sales of dangerous or toxic products under recently-passed consumer product safety laws? There are some pretty stiff fines for violators. Here is the link to a government handbook that speaks to the issue:

http://www.cpsc.gov/cpscpub/pubs/thrift/thrguid.pdf

Regulations are often "sold" as protection for the public. But it usually doesn't take very long for those same regulations to become restrictions ON the public. The typical outcome is that compliance becomes so difficult and expensive, that amateurs and small-time players find something else to do -- or else they just flout the law and do their best to avoid getting caught. Big-time players take every opportunity to limit the functionality of their products (including their ability to function with or during the simultaneous operation of other products) to whatever seems to be the least "actionable" feature set.

If passed, the proposed EC laws will be a bonanza for makers of "software lifecycle" systems, automated test harnesses, "malpractice insurance" companies and, of course, lawyers. While some purveyors of shoddy goods may be chased away, I doubt that the good done by these "consumer protection" laws will outweigh the bad that happens because of them.

[Mmmhmm]

And the only result of a law like this would be another row of lawsuits against company X or Y and the legalistic battles over who owes who exorbitant amounts of undeserved money. Just what the world really needs.

[Altotus]

I suspect the EU is as serous as a heart attack. The EULA is the source of this a backlash the consumer has been harshly treated given the economic conditions I would not think so lightly on this. The software people are generously protected by copyright and patents costing fortunes for governments around the world to assess record and enforce. The consumer gets a bug ware complete with failures and worse thats after your ID has been stolen (the fault not of software but goverment and corporate stupidity in using socal security numbers to track its citizens) and has to use The Geek Squad (you are aware the cost is targeted at $200+ dollars per visit for those black and white Bugs and vans) sooo right now the people (cash cows) are in danger of becoming political and things like the gov crack down on copyright protection (largely political show but it has unfortunate legal complications and kind of real bad press) has focused public attention. To keep this blunt and straight forward the people elect the legislators the lobby (like RIAA) provides the money but in this a voter can turn the industry cash to trash unless the industry is willing to spend geometric progression of funds whose amount will eventually bankrupt the lobby and leave the legislators demanding much much more. If I am mixing apples and oranges it wont matter because its all cash crop like the RIAA and etc it tastes good so good and you cant just walk away now buddy its always election time. Now its necessary to balance the scale quid pro quo. Now rooms and buildings and cities of lawyers are saying what no liability, thats what we pay our bills with (do you know what kind of debt a student runs up I bet you do). So there thinking just watch what a few words on paper can do! Thats the way I see it I put it to you crude and rude but I am not a lawyer or politician. Stay with me here now as i gaze into the crystal ball (yes sarcastic humor) software will now be risky this requires underwriters ie big expensive Insurance contracts (entire cities full of lawyers will be supported). Actually wow what a plan taken all the cash out of big software and make its profits part of the insurance industry. I guess that will go a long way to recovery required by all that toxic asset mess big money is embarrassed about. Well what do you know I guess consumers aren't the only cash cows out there.
Is that what the big picture looks like?

[bigpicture]

You are mixing up politics, business, and consumer rights here a bit. Also the US joke political system, with the European political system. The disconnect being that the US politicians are voted in by the electorate, but actually represent the interests that pays for them to be elected, (such as the RIAA, MS etc.) and the electorate are too "uneducated" to see that. They get bamboozled by the big "change" propaganda when it is the same old system in a new costume.

That the EU might actually represent the interests of the electorate and not big business, is a alien concept in the US. The US "for the people by the people" is only a window dressing joke and they think that the rest of the world can't see through that. Can you not make the connection between this and who owns the media? It probably would not have even been an issue at all in places where the US business interests does not own the media. Do you think that this made it into MSM in China? Why do you think that China is trying so hard to shake off the US dollar as a world currency, because you don't want the selfish, greedy and corrupt to be in control of the money. The same kind of legal system that allows the EULAs. The EU is basically saying get rid of this unfair US alien crap, the same as a whole lot of the rest of the world is doing. Deregulation works so well in the US, that they should export it to the rest of the world? LOL.

[unknown unknown]

more euro whining.