EC wants software makers held liable for code

Software companies could be held responsible for the security and efficacy of their products, if a new European Commission consumer protection proposal becomes law.

Commissioners Viviane Reding and Meglena Kuneva have proposed that EU consumer protections for physical products be extended to software. The suggested change in the law is part of an EU action agenda put forward by the commissioners after identifying gaps in EU consumer protection rules.

A priority area for possible EU action is "extending the principles of consumer protection rules to cover licensing agreements of products like software downloaded for virus protection, games, or other licensed content," according to the commissioners' agenda. "Licensing should guarantee consumers the same basic rights as when they purchase a good: the right to get a product that works with fair commercial conditions."

"Digital content is not a tangible good and should not be subject to the same liability rules as toasters."

--Francisco Mingorance, BSA director of public policy

EU consumer commissioner Kuneva said that more accountability for software makers, and for companies providing digital services, would lead to greater consumer choice.

"If we want consumers to shop around and exploit the potential of digital communications, then we need to give them confidence that their rights are guaranteed," Kuneva said. "That means putting in place and enforcing clear consumer rights that meet the high standards already existing in the main street. (The) Internet has everything to offer consumers, but we need to build trust so that people can shop around with peace of mind."

The Business Software Alliance (BSA), which represents the interests of software makers including Apple, IBM, and Microsoft, criticized the proposals.

"Digital content is not a tangible good and should not be subject to the same liability rules as toasters," Francisco Mingorance, BSA director of public policy told ZDNet UK on Thursday. "Unlike tangible goods, creators of digital content cannot predict with a high degree of certainty both the product's anticipated uses and its potential performance."

Mingorance said the performance of a piece of software depends on the environment it operates in, how the code is updated, whether it is possible to adapt and modify the software, and whether the code is attacked.

According to Mingorance, the proposed regulatory extension would cover all software, including beta products, and would cover both proprietary and open-source software.

Right now, under the current EU Sales and Guarantees Directive, physical products are expected to carry a guarantee of two years. Extending those terms to software would have the effect of limiting customer choice, as contract terms would have to be extended to a minimum of two years, Mingorance added.

"Extending the scope would force the businesses to maintain update services for such contracts beyond the contractual term and ultimately limit the choice of offers," the BSA director said. "It is like renting your house for a summer month and being then obliged to extend the rent for another 23 months."

In addition, Mingorance said that extending consumer regulation to software could lead to less interoperability between software products, as manufacturers might decide to limit how far third-party developers could access their code.

Software companies have long argued against accepting responsibility for the security and efficiency of their code. Linux kernel developer Alan Cox in 2007 told a House of Lords Committee that neither proprietary nor open-source developers should be held accountable for their code.

Windows 7 RC gets its first bug, and it's a doozy

The first documented bug in the Windows 7 Release Candidate (build 7100) is a doozy.

Yesterday, Microsoft published Knowledge Base article 970789, which provides details of a problem that affects the 32-bit (x86) English-language version of Windows 7 build 7100. The problem, in short, is that the installer incorrectly sets access control lists (ACLs) on the root of the system drive. The longer version is described as follows:

In the English version of Windows 7 Release Candidate (build 7100) 32-bit Ultimate, the folder that is created as the root folder of the system drive (%SystemDrive%) is missing entries in its security descriptor. One effect of this problem is that standard users such as non-administrators cannot perform all operations to subfolders that are created directly under the root. Therefore, applications that reference folders under the root may not install successfully or may not uninstall successfully. Additionally, operations or applications that reference these folders may fail.

For example, if a folder is created under the root of the system drive from an elevated command prompt, this folder will not correctly inherit permissions from the root of the drive. Therefore, some specific operations, such as deleting the folder, will fail when they are performed from a non-elevated command prompt. Additionally, the following error message appears when the operation fails:

Access is denied.

Furthermore, the missing security descriptor entries protect non-admin file operations directly under the root.In the English version of Windows 7 Release Candidate (build 7100) 32-bit Ultimate, the folder that is created as the root folder of the system drive (%SystemDrive%) is missing entries in its security descriptor. One effect of this problem is that standard users such as non-administrators cannot perform all operations to subfolders that are created directly under the root. Therefore, applications that reference folders under the root may not install successfully or may not uninstall successfully. Additionally, operations or applications that reference these folders may fail.

For example, if a folder is created under the root of the system drive from an elevated command prompt, this folder will not correctly inherit permissions from the root of the drive. Therefore, some specific operations, such as deleting the folder, will fail when they are performed from a non-elevated command prompt. Additionally, the following error message appears when the operation fails:

Access is denied.

Furthermore, the missing security descriptor entries protect non-admin file operations directly under the root.

A hotfix is available as an important update that should be delivered and installed automatically by Windows Update, assuming you have set up automatic updates. On one test system that I checked just now, the update had already been installed overnight. On two other systems, the update had been downloaded but was awaiting installation.

The hotfix package fixes the security descriptor of the root of the system drive, but it does not repair applications that are already installed, nor does it affect the permissions of folders that were created after the installation.

If you installed the x64 version of Windows 7, you are apparently unaffected by this issue.

If you haven’t yet installed the Windows 7 RC, it’s important to install this hotfix after you set up Windows and before you install any programs or restore any backed-up data.

This sounds like a pretty serious bug, and I’m surprised that it slipped through into the release candidate. I haven’t observed any deleterious effects from this issue yet but am doing further testing today. If anyone has any firsthand reports of being bitten by this bug, please leave a comment in the Talkback section with more details.