Recently, two members of the European Commission, Viviane Reding and Meglena Kuneva, proposed that the European Union’s (EU) consumer protection rules for physical products be extended to software. This expansion of the consumer protection rules to include software would make software companies liable for their products. A policy like this could make companies like Microsoft pay billions in damages. The world wide cost of damages caused by conflicker alone are estimated to be 9.1 billion USD.
The proposed expansion would cover both proprietary software and free or open source software. The topic of developer liability has been discussed by Alan Cox and Bruce Schneier before. Bruce Schneier believes developers should be liable for their code but only when there is a business relationship, a buyer and seller. That would allow free or open source software developers to remain immune from liability. Alan Cox, a Linux kernel developer, believes that neither proprietary nor open source developers should be held liable for their code.
As a developer, I find this proposal a bit unnerving, mostly because I don’t have millions to pay out if an exploit is found in my software. Following all of the secure coding techniques and development cycle greatly reduces vulnerabilities but problems may still arise. From a security standpoint it would probably force programmers to develop more secure code but even better code may still not be perfect. I think there are a number of places to start that would, in the long run, do more to advance secure coding. I believe all schools should make secure coding a requirement and security should be a core part any programming language. Cyclone is an example of a language that enforces secure coding.
While the proposed policy extension would threaten the profits of big companies, it could drive smaller companies out of business and stop open source development. Larger companies would probably buy software liability insurance but independent developers who cannot afford insurance would be open to lawsuits. The proposal could backfire on the European Commission as companies, those not based in the EU, may simply refuse to sell their products in the European Union.