AfterBites: Expanding Consumer Protection Laws to Software
The Story:
Source: http://news.cnet.com/8301-1001_3-10237212-92.htmlEU Commissioners Call For Expanding Consumer Protection Laws to Software
(May 9, 2009) - European Union Commissioners Viviane Reding and Meglena Kuneva have proposed that the EU Sales and Guarantee Directive, which applies tophysical products, be extended "to cover licensing agreements of products like software" as well. The directive requires that products carry a two-year guarantee. Kuneva said that the change would give customers a broader choice and software companies would be held to a higher standard of accountability. Business Software Alliance Senior Director of Public Policy in Europe Francisco Mingorance disagreed, saying that it would in fact limit consumers' choices. He said that "creators of digital goods cannot predict with a high degree of certainty both the product's anticipated uses and its potentialperformance," and that it could lead to decreased interoperability between products if manufacturers decide to limit how much of their code could be accessible to third-party developers.
This has been tried before and - it should come as no surprise to anyone - the software industry has some mighty powerful lobbyists. Indeed, some of them speak out in this little tidbit. I think it would have been more honest if Business Software Alliance Senior Director of Public Policy in Europe Francisco Mingorance had said "Good luck, bwaaaahaaahaaahaaaa!" instead of hewing the ridiculous party line that the software industry has been spouting for decades. I like intellectual honesty when I encounter it.
Here's the problem: "creators of digital goods cannot predict with a high degree of certainty both the product's anticipated uses and its potential performance" utterly ignores the fact that customers buy software with an expectation that it will perform (AKA "work") at least somewhat as advertised. Nobody buys an operating system expecting that they're going to need to patch it every week. Nobody buys a file-viewer with the expectation that they'll need to periodically download new versions, rummage for a CD or a licence key, and reboot their machine. I suspect that, if people did buy software under such expectation, that they'd be willing to pay about $15.99/year for it, instead of hundreds or thousands of dollars. Most of us have a dollar amount that represents the pain-point we're willing to write off - we'll put up with a lot of nonsense from something that cost us nothing (example: Linux) - but we expect things to work if we actually spent real money (for personal users, I'd guess that's about $50, for corporate - maybe $1000) on them. Back when I was the CEO of NFR I discovered this was absolutely true: customers didn't hesitate to grab me by the collar at conferences and lecture me about every bug they'd ever found in our product. Executives at smaller companies like Tenable are reachable; we can't hide behind an EULA and we don't have professional spokesthings to protect us from the media.
There should probably be an exemption for things that are programmable, if the end user has tried to program them. You can write logic-errors in any programming language that supports if statements, while loops, or function calls. But if your product installs out of the box - like, say, an operating system, browser, image editor, database, word processor - then it ought to work, and keep working. Especially operating systems, because they're what ultimately makes everything else work. Sun's Java End User License Agreements ("EULA"s) includes:
Oh, I didn't realize that the license agreement says "you shouldn't use this for anything that matters."
Java technology is not fault tolerant and is not designed, manufactured, or intended for use or resale as on-line control equipment in hazardous environments requiring fail-safe performance, such as in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, direct life support machines, or weapons systems, in which the failure of Java technology could lead directly to death, personal injury, or severe physical or environmental damage.
Fail-safe performance, to me, means that my telephone should work. Especially since my phone company put it in the phone without giving me a choice in the matter. If I just cut my arm with my circular saw or fell off my high horse and broke my hip, and I'm calling for help, my phone is mission critical.
The bottom line here is that the current state of affairs will not continue forever. But, obviously, software manufacturers are going to enjoy it while they can. What they don't realize is that Software-As-A-Service (SAAS) is a direct response to their EULAs and unreliability. Because customers who are looking at SAAS are looking at uptime and performance guarantees as part of their terms of service.
I give the current state of affairs under 20 years, probably closer to 15. If I'm still alive I'll link back to this blog entry and say "I told you so!" and you can all laugh at me if I'm wrong. :D
mjr.
---
PS - a special tip of the hat to (deleted) who noticed that I've been using Comic SANS as the font for my quoted SANS articles, and made the connection.
Related Articles
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
Cybersecurity Snapshot: New Guides Offer Best Practices for Preventing Shadow AI and for Deploying Secure Software Updates
October 25, 2024Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.