I'm amazed that there has been zero coverage of this:
EU's new Product Liability Directive got voted through last Thursday.
No later than two years from now, software, whether stand-alone, cloud or embedded, is subject to "no-fault liability" (i.e.: it doesn't matter how or why, only that it is defective.)
Here's the directive:
https://data.consilium.europa.eu/doc/document/PE-7-2024-INIT/en/pdf
Gentlemen, start your panic…
PS: Yes, there is a FOSS exemption, but only "outside commercial activity". (I.e.: the guy in Nebraska but not Red Hat)
And yes, I'm the guy who has been calling for product liability on software for more than a decade, so even though the EU didn't adopt my suggestion, I'm cutting a notch in my keyboard for winning this one.
@bsdphk I found @bert_hubert's summary showing it's all quite reasonable: https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-for-open-source/
CRA is something entirely different (but also very relevant).
But I'd love to hear Bert's take on this one...
@bsdphk @bert_hubert Apologies. I conflated the two!
I'll wait for a summary somewhere, as 63 pages of legalese is too much
It's not legalese, it's actually very clear and readable text.
I suggest you read pages 6, 7 and 51 - that's probably all you'll ever need to know about it.
@bsdphk @bert_hubert Oh right.
I think it boils down with what they mean with "commercial activity", which Bert Hubert's summary of the CRA goes into quite depth about.
Whether they are defined with the same meaning in both directives is unclear (to me).
Yes, and I guess that will depend on which EU country you are in, as this will have to be instantiated in each country's law.
@bsdphk @bert_hubert I'm in an ex-EU country (UK), but usually these directives spill over regardless? GDPR applies to EU citizens, and it doesn't matter where a company / organisation is based. Is this different?
It will spill over, and I would be very surprised if the USA and UK do not do the same in the next year or two.
For the EU what matters is who "brought it into the EU market", and I'm sure legislators and lawyers will have a field day with that, but it seems to me that the EU has done a great job of avoiding loopholes.
@bsdphk The panic (by affected commercial entities) will start two months after the directive is in effect, and everyone will complain over EU regulation killing innovation in Europe or some such bullshit...
@bsdphk do you think it will have the impact you've been hoping for?
Time will tell.
It cannot possibly make things any worse, and it will end the "We're $BigCorp, we don't care" reign of terror, which is the root cause of the ransomware epidemic.
@bsdphk fingers crossed.
@bsdphk good article for the most part, though I have a quibble with the comment on hot coffee. If it is a reference to the case where McDonald's was sued for its coffee being too hot, that suit has better grounding than the common portrayal implies. The plaintiff in the case suffered third degree burns and needed surgery due to the temperature of the coffee. She wanted McDonald's to cover her medical costs, but they wouldn't settle so the case went to court. https://en.m.wikipedia.org/wiki/Liebeck_v._McDonald%27s_Restaurants
@bsdphk What were you expecting, a blanket opt-out of liability for Red Hat because they provide source code? From what @maarten and I hear, the FOSS exemption is expected to be solid, by the way. You'd have to do quite some arguing that something is a commercial activity, government people tell us.
I expect it will be uphill to argue that millions or even billions in turnover is "not commercial activity"?
Heck, I'm not even sure my one-man company will be able to claim that exemption?
But if I make a living from FOSS, that's fair, isn't it?
What surprises me is that there has been virtually /no/ coverage of this anywhere, even though it has been hurling down the EU-rails for two years.
I have not even spotted one single attempt at astroturfing by any of the big companies.
But friends in BXL tell me that the political will behind this one is so impressive that the lobbyists have all but given up.
Still: Surprised.
For people new to the topic, I recommend watching https://archive.fosdem.org/2024/schedule/event/fosdem-2024-3683-the-regulators-are-coming-one-year-on/ from 25:20 onwards and https://archive.fosdem.org/2024/schedule/event/fosdem-2024-3697-pld-when-software-causes-harm-who-pays-and-why-/
I know you understand strict liability, but I’ve seen many who do not (myself included). #FOSS #ProductLiabilityDirective
@bert_hubert @bsdphk @maarten I make around $1200 a year from GitHub sponsorships for my freely offered open source projects. There's no contract, no consideration involved. I read the doc and it's unclear whether that counts as commercial activity
@bert_hubert @bsdphk @maarten Also, I'm in the US; do I need to start worrying if a European sponsors me? What about if a European corporation sponsors me?
@rain @bert_hubert @bsdphk @maarten Ah, only noticed this reply after replying to the initial reply :) If you're a US citizen, this directive does not apply to you; it would instead apply to the reseller / distributor / entity receiving payment on your behalf. In the Github sponsorship scenario, that would be Microsoft. I think we can be reasonably certain they'll reach out if it potentially impacts their pockets. I'd just keep an eye on https://docs.github.com/en/sponsors/receiving-sponsorships-through-github-sponsors/tax-information-for-github-sponsors
@mihailim @rain @bert_hubert @bsdphk @maarten Citizenship is not the sole factor in deciding jurisdiction. A US citizen whose economic activity is performed in an EU country will, for the purposes of this directive, be subject to that country's jurisdiction.
@MartinClausen @rain @bert_hubert @bsdphk @maarten You are correct, my apologies! I'm however convinced that in practice the usual carve-outs for small sums would apply. Or, if it turns out to get, uh, complicated, then the intermediary would feel compelled to warn the users and/or pull out entirely due to their own risk assessment. So I wouldn't worry about this aspect too much in this particular scenario.
@rain @bert_hubert @bsdphk @maarten
My guess, or my initial argument (not a lawyer), is that "if I don't have a direct work agreement, I am not your vendor". And these are donations towards increasing the common good, which is OSS.
The only thing I wonder, when I publish executable form, even to npm/cargo/etc., is it surely covered by an exemption?
@rain @bert_hubert @bsdphk @maarten Defining whether or not that's commercial activity wouldn't be in this document, because it's outside its scope. EU directives are not laws in and of themselves, but must be implemented and integrated by each member state in accordance with their own legislation. Whether or not that would be commercial activity fully depends on your country of fiscal residence. Almost all have carve-outs for small amounts, and $100/month certainly qualifies.
@rain @bert_hubert @bsdphk @maarten This is from the bottom of page 7:
"However, where software is supplied in exchange for a price, or for personal data ... is therefore supplied in the course of a commercial activity, this Directive should apply"
IANAL, with the usual disclaimers, but: I'd interpret github sponsorships to be exempt from this, as they are not transactional in nature: someone isn't giving you money in exchange for a given piece of software.
@wez @rain @bert_hubert @bsdphk @maarten
Sponsor can get code as is. Sponsorship provides something else: helping to grow commons.
@bert_hubert @bsdphk @maarten
We hear how open source devs sometimes tell "I am not your vendor" to some very ... charged calls. Now we have clean language in the law.
@bsdphk what’s so bad about this? just seems like software will be held to a higher standard now
It's GREAT!
I think it is high time Microsoft's "Even if our software caused a genocide, and we knew it would, you'll get no more than $5" license term gets taken to the cleaner.
@bsdphk Oh, I misunderstood, sorry; the "gentlemen, start panicking" line sounded negative.
@bsdphk Do you know of an explanation for the phrase "liability without fault"? A quick search leads to claims that it's equivalent to strict liability, which seems like an exceptionally large shift.
"no fault liability", as I understand it, in EU means that it does not matter how or why the product is defective, only that it is defective.
Not sure what that translates to in US law, if that's what you're asking?
@bsdphk Yes. As you say, surprising that it’s not getting more attention
It will, if nothing else in a bit over two years from now when the EU countries enact the implementing laws. :-)
Do you know whether the extent of liability is limited to the losses that the supplier could reasonably expect? (I don't remember the name for the concept; I mean the limit that causes the liability from e.g. delayed supply of some trivial item not to be arbitrarily high by virtue of the item being necessary to satisfy a buyer's obligation that is connected with absurdly high delay penalties.)
@robryk
That's indirect liability. I'd be slightly surprised to see that here, but I haven't read the text yet.
@bsdphk @adamshostack
@bsdphk Did I get this right? Any commercial entity / company / freelancer who currently contributes to FOSS can be sued by anyone using the software?
This does not seem like a good idea.
@chris @bsdphk
If you (company) supply a patch to FOSS but don't sell the software in any way, you don't matter.
Even if you do not contribute to FOSS software but sell it in some way (e.g. as part of your product) you are liable.
If commercial vendors who incorporate FOSS software in their products are smart, the next thing we will see is a foundation that checks and certifies FOSS software, so the commercial vendors can pool their resources.
@spz @chris @bsdphk In this context, what does it mean to "sell the software"?
Say, a company running some cloud-based service donates a patch to one of the open source components its serving stack is using.
Say, that patch had a bug (a honest mistake). Can they be sued for the damages this bug caused?
@vriesk @chris @bsdphk first, I'm not a lawyer, and you do have "before the law and on the high seas you're in God's hand".
Given that bag of salt, I'd assume their customers could sue them. Also other service providers that sold services could be sued by their customers, but they could not sue the contributing company as long as they had no "maintain that software for me" nor "I bought thingie and it came with that software" relationship.
Anyone differing on that reading?
@vriesk @spz @bsdphk I read the directive as: A company that publishes the source to their software will be at a competitive disadvantage to closed source companies.
A company using open source software that includes third parties' contributions in their products which they didn't completely verify (which is impossible) will be at a disadvantage to companies using closed source blobs.
I'm expecting a litigation war that will make SCO look like a picnic.
@spz @vriesk @bsdphk It's a lot easier for other people to find a bug in OSS than in closed source software. And it's a lot easier to spot products that use specific OSS that may have that bug than with closed source software.
So companies delivering software as obscured blobs will be more difficult targets for lawsuits than companies publishing their source for public scrutiny. So publishing source will become a liability.
@bsdphk @spz @vriesk Smaller companies will not be able to afford “winning in court”.
I don't see how any small company with a business involving FOSS components can survive liability for all possible damages caused by the stack used all the way down.
And I can’t imagine that any large company will still publish their source code for public scrutiny.
We’ll see, but I don’t expect any corrective measures before the damage is permanent.
@chris
You can still buy freebsd DVDs? This isn't 2003.
Also, I would presume that distribution costs for physical media of open source software do not constitute selling the software, unlike running it as a service. We may need that one to be tested in court, but I can't imagine it not being a clear ruling, as it's obviously not the spirit of the law.
@bsdphk @spz @vriesk
@dymaxion @bsdphk @spz @vriesk You can buy FreeBSD DVDs, a station wagon full of tapes, etc.
This is a directive, not a regulation. “Clear rulings” will be made by (multiple instances of) courts in 27 member states, based initially on the individual national implementation into law.
Sudden no fault liability for software one didn’t write* will be a lot of fun for small companies or single devs.
___
* yes, there’s a good point to make here
@chris @bsdphk @spz @vriesk Thinking about this from a US perspective, I think that an assumption of good faith and trust in the legal system, rather than an expectation of corruption and abuse, is just a foreign and unbelievable concept at this time, making it hard to parse this kind of accomplishment. "How is this going to be twisted to screw us?" is the prevailing thought.
@spz @vriesk @bsdphk At least this will save #WindowsEmbedded from obscurity; they will be able to provide their customers with some insurance.