In early 2007, the European Commission's Consumer Affairs Directorate released the Green Paper "on the Review of the Consumer Acquis," a document inviting comment on specific aspects of current consumer protection regulations and how they might be improved.

After over three hundred responses (apparently a high number) from stakeholders ranging from the business sector to consumer organizations and public authorities at various levels, the Commission has released a proposal that has many in the software industry in a bit of a sweat.

The Hot Button Issue

The thing that has people concerned is a section on whether the EC's Consumer Sales Directive (Directive 1999/44/EC) -- a directive covering "certain aspects of consumer goods and associated guarantees" -- should be extended to cover digital content services, such as software and data.

The key point here is whether or not some of these digital things are going to be considered as the same class of goods as the consumer goods covered by the directive.

The EC Directive gives certain rights to consumers. For example, it says that goods sold to consumers must conform to the contract; it provides remedies where they do not; and it says that where goods come with a guarantee, that guarantee should be legally enforceable.

According to a Commission staff working paper, the software industry is strongly opposed to this move, citing the fact that unlike physical goods, software "has to be updated regularly, is never bug-free and its conformity may depend on how it is used by consumers and how the computer and other software applications inter-operate."

However, consumer organizations, academics and a number of member states are enough in favor that the European Parliament has asked the Commission to examine the issues and return a set of recommendations.

What's Really at Stake?

While no one's surprised that entities such as the Business Software Alliance -- which represents the interests of Microsoft, Cisco, and others -- object to the proposal, people may be surprised that there are also objections from the open source community.

When Alan Cox, a key Linux kernel developer, addressed the United Kingdom's House of Lords, he was asked whether software companies should accept legal liability for losses caused as a result of security holes.

His response was, "I do not think they can be. The response of any rational software vendor if they were told they were liable because of this business about adding software in combination would create a combinatorial explosion."

Cox offered an example where someone purchases a PC and then installs a word processor, a media player, and a couple of games. "All these can interact in strange and wondrous ways and as you add more software the combination increases."

Cox stated that a sensible vendor faced with liability would forbid the installation of any third party software. He added, though, that he wasn't sure if there might be an argument for holding software companies to higher legal standards in the longer term, once the industry gets better at writing secure software.

Open Source Projects and Liability

When it comes to open source, Cox and other experts feel that in many cases open source projects simply couldn't be held liable, as code is typically shared around the community and liability could ultimately be impossible to enforce.

The difference, according to security guru and proposal supporter Bruce Schneier, is that with a commercial vendor there's a contract, while there's no contract with free software. However, he adds that the fact that some companies sell open source software (whether or not they wrote it) would mean they would need liability protection.

Is the Basic Idea Feasible?

While the idea of holding companies accountable for shoddy code or sloppy security might sound great on the surface, it will take a while to sort out just how feasible such a policy is, and the devil as always will be in the details.

Done well, this effort might inspire better software. Done poorly, it could cause even more damage than the software patent debacle. Americans tend to lean on market forces and class actions. Europeans lean more on policy. We'll be watching closely (and staying tuned to the EC's website) as this battle over how best to compel better software unfolds.