Open Source Liability is Coming

No good deed goes unpunished (at least in Europe)

Those who know me know I wrote my first code in the early 80s, and though I never made a career of it, I dabbled early-on like all the other geeks. In those days, we all wrote and swapped simple games and trivial tools. At that time, it was one of the main functions of the bulletin boards that would one day spawn the internet. The idea we’d pay for software one day was lurking, but free was more the norm. Bandwidth and storage were what was monetized back then. The idea someone might sue us for a program bug or unexpected crash was not even remotely on our minds.

Ah, to be so innocent and naive again.

You might be surprised to learn that, as I write, the EU is finalizing rules that will make open-source creators and licensees liable for any user harm their software might cause. The focus for lawmakers is that, like cars and chainsaws, software is complex and can be inherently dangerous. Policymakers believe that consumers are at a disadvantage when things go horribly wrong: how can they prove someone sold them faulty software when they can’t hope to understand how apps work or how they’re created? The solution they’re adopting is to shift the onus to the software and app creators to prove their code didn’t do anything wrong. This will be burdensome but is at least possible if you write and market your own code. But what if you’re just part of a collaborative open source project, give away your app, or if there’s open source code in the product you put on the market? Who gets blamed when open source might be the heart of the problem?

EU policymakers are clear; going forward, someone must be liable for software harm. Data was lost, customers couldn’t transact, files got garbled, hackers made entries – someone in the software chain must make the user whole. Today you can license-away that liability by putting the onus on the user to accept the risk, since bugs happen and hackers hack. Not your fault, you did your best, and you told the user that upfront. My read of the emerging regime changes that. It forces you to prove your code wasn’t the cause of the harm – “strict liability” in legal circles. Products like cars often get regulated this way. Essentially, the carmaker is at fault when something goes wrong unless they can prove they’re not. It’s a way of shifting societal costs back to the party that profits from the product in question. It allows consumers to be confident that cars are safe, without having an expert reverse engineer them before use or agreeing to accept that the brakes may fail – too bad for you. The carmaker designed and built a complex thing so they should be in the best position to prove they implemented appropriate safeguards.

So, how is open-source software implicated? If a commercial software product causes harm, whoever put the software on the market will soon be strictly liable. You will need to prove that your code wasn’t to blame to escape the costs. But what if you’ve embedded open-source code, used open-source tools, or called open-source APIs? Under the pending rules, you’d be liable for any errors in those sources as well, regardless of whether you directly contributed or not. A license like the one Apache provides won’t help, since state-imposed strict liability isn’t a harm that can be licensed away by private actors. The user must be made whole, and that’s on you. Worse still, how will you in turn identify or sue the collaborator or collaboration that actually wrote the faulty open-source code to recoup your costs? In that case, the license you signed likely insulates your open-source partners from your claims.

Let’s unpack that and put it simply. If a user is harmed by software, the person they paid (targeted ads would count) must compensate them for the harm – unless the software provider can prove their software played no role in the breach/loss/failure/psychological/physical/financial or other harm. If open source resources are in/called/touched your code, you’re responsible for their performance too. The open source resource licensed away their liability to you. Oops.

So what will the world look like when this change takes place? First off, despite the fact that many open source tools and resources are more robust and better reviewed than anything you could produce in-house, you’ll need to decide whether you accept the cost if they harm your users. That includes the burden of proving they didn’t, if you think that’s the case. Put another way, it may be hard to prove your code isn’t at fault without reviewing and defending every open source element involved. The open source community will have two choices: leave the licensing regime in place and leave those who use the code to hold the bag, or collaboratively assess and defend projects as claims emerge – even though that kind-of-means you need to assess your licensee’s code to ensure they didn’t just dump their own problem on you. More likely than not the open source community will choose the simpler path, stay the course,  and leave others to deal with the new complexities.

The economic impact of this change reduces the value of open source software by placing the burden of bugs and breaches on developers who use and incorporate this code – even if they can prove the open source was at fault. Users must be made whole, open source add-ons have licensed away liability, and so the middle man is on the hook unless they can prove both the open source and closed source code they use is blame free. But that’s not a huge change – just the strict liability burden with open source collaborations getting a free pass. So why am I preaching doom?

What if an open source project is used directly by consumers, and causes them harm? The public policy is clear: they must be compensated. Does it matter if they signed a license or didn’t pay someone? Their business is bankrupt, their files are in a hacker’s hands, or their own customers are suing them. Someone should be strictly liable. But who?

The EU is grappling with that very question, and it culminates in whether “open source” is exempt from liability in a law designed to protect consumers. So far the answer is “probably not?” Exemption means consumers bear the cost – exactly what the law is trying to change. Perhaps if the open source in question remains an academic or research tool, versus reaching consumers, we’re okay? The proof may come when the first consumer demands compensation, and the courts step in. But lawmakers know enough to realize that much of the open source out there – by definition – belongs to no one, or many someones, or really nobody that can be named and made liable. So waiting on a court case might provide clarity but no compensation and no one to even argue the case. Not the clarity a law is designed to provide.

My prediction, for what it’s worth, is that open source’s days outside academia and hobbyists are numbered. At some point, some government authority will require a single throat-to-choke when open source causes consumer harm. Someone, or some entity, will need to accept financial and legal responsibility for what the project does in consumer hands. No license can insulate them from that. Given that existing open source licenses don’t contemplate a private purchase, they’ll need to either wind down, release licensees from taking them commercial, or find a means to restrict consumer use (which may be hard with no one in control). Policy makers simply won’t allow a dangerous animal to wander around unchained, and a lack of owner won’t make the situation better.