WingNews logo WingNews
top | item 41963466

(no title)

zaroth | 1 year ago

If this actually becomes law, it instantly makes it too dangerous to bother for me to ever ship software into the EU again.

Under this law, consumers can claim compensation for damages caused by defective products without having to prove the vendor was negligent or irresponsible. In addition to personal injury or property damages, for software products, damages may be awarded for the loss or destruction of data. Rather than define a minimum software development standard, the directive sets what we regard as the highest possible bar. Software makers can avoid liability if they prove a defect was not discoverable given the “objective state of scientific and technical knowledge” at the time the product was put on the market.

Look the the liability standard they are pushing! Not willful negligence, not reasonable care, but rather it sounds more akin to “could the bug have even theoretically been prevented given perfect information and unlimited funds”.

Yeah, no thanks, I’m human, so I won’t be accepting that level of liability for words I write into a text editor any time soon.

And kinda mind boggling that anyone who knows anything about how software actually works wouldn’t see this as completely batshit insane.

A more reasonable standard (malicious intent or reckless disregard for human safety would be a good starting point) would go a long way toward fixing this.

This current standard would get any developer sued out of existence by armies of AI lawyers long before you can ship a patch when someone complains that your software divide by zero bug caused them “damages”.

And get a load of this;

Burden of proof: When the injured consumer is faced with excessive difficulties to prove the defectiveness of the product or the causal link between its defectiveness and the damage, a court may decide that the claimant is only required to prove the likelihood that the product was defective or that its defectiveness is a likely cause of the damage.

There’s a reason why EU GDP has completed stagnated versus the US, and the EU tech sector is a virtual rounding error in the world… and this trash mentality is a big part of it.

But wait, it gets worse…

Circular economy: When a product is repaired and upgraded outside the original manufacturer’s control, the company or person that modified the product should be held liable.

Bye bye downstream distro patches! And knowing the EU, they’ll say that “import Foo from Bar as MyFoo” is a “modification” and try to make anyone with cash in their pocket liable for any bug in any dependency they link to…

Online platforms can be held liable for a defective product sold on their platform just like any other economic operators if they act like one.

Bye bye app stores! Of course some will probably cheer this blindly ignoring or not comprehending the extraordinary value creation app stores are responsible for.

discuss

order

jeroenhd|1 year ago

I'm actually surprised software has been exempted for so long. Based on the lawsuits started against companies like Crowdstrike, it probably isn't, but nobody has bothered to write it down yet.

What we have here is an intention, research into why it's necessary, and a process. None of this is law yet, this isn't even a legal proposal. The conclusions taken by this news publication are damn certain about something that's currently just a vague idea existing in a politician's drafts folder.

It's obvious software vendors have to comply with some standard of warranty because lawsuits against buggy software are regularly won. Most documented cases I've found are actually from the US, so perhaps Europe is behind on the US for winning such cases, often in the form of class action suits.

The EU isn't alone in wanting software vendors to be liable for their flaws; the White House also called for a law (see "Strategic objective 3.3"). This version has been wrapped in a soothing layer of "cybersecurity" but the implication is the same.

zaroth|1 year ago

It’s even worse to proscribe liability when the “flaw” is not even an actual operating failure, but the ability for a bad actor to break the software maliciously.

Software is only as insecure as the user’s willingness to expose it to untrusted inputs, combined with the user’s willingness to give the software unfettered access to sensitive data.

“Don’t let hackers control the input stream” is literally the end of any and all security issues.

_DeadFred_|1 year ago

Just put a best practices line:

"This software is deemed compliant with best practices when used on systems 100% offline on a network without connectivity to the internet. A customer's choice to use this software outside of our recommended best practices is at the customer's discretion and assumption of liability."

Obviously if you want secure an air gapped system is the recommended best practice.

pjmlp|1 year ago

Better take US and Commonwealth countries of the list as well, although you might get lucky if Trump wins, these kind of laws aren't on his ballpark, so he might stop ongoing legislation roadmap.