Placing on the market
Posted Sep 20, 2023 12:07 UTC (Wed)
by Wol (subscriber, #4433)
Parent article: The European Cyber Resilience Act
Simply put, root liability should lie with any organisation "placing goods or services on the market". This very clearly and explicitly (to my understanding) would exclude any and all developers (big, small, commercial, whatever) who effectively do a code dump and say "here's some open source code, make of it what you will". Placing on the market means you need a product, which you advertise, and presumably charge for (I don't think you have to charge, you could be giving it away in an advertising campaign, but there does have to be a clear exchange of value somewhere).
So let's say I made a router, and plonked OpenWRT on it. As soon as I advertise that router and sell it, or say "free with my ISP service", or whatever, I am accepting responsibility for that router (including the software on it). I need to get that software certified, whether I do it myself, or pay OpenWRT to do it, or employ some third party to do it.
But the crucial point needs to be that if I just download OpenWRT off the internet, NO LIABILITY transfers to the OpenWRT project. They've made a code dump available to all and sundry, and liability rests firmly with the downloader. Only if I come to some commercial arrangement with OpenWRT will liability transfer to OpenWRT (under the contract).
This will also (I think) cover Farnz's case of providing hardware and telling your customer to "download the free software off the internet". If my router only works with OpenWRT, I'm providing a product that is "not fit for purpose as supplied". Which means I'm still on the hook for any problems the customer may have.
Cheers,
Wol
Posted Sep 20, 2023 12:26 UTC (Wed)
by pizza (subscriber, #46)
[Link] (4 responses)
So, if you download OpenWRT and plonk it onto a router, is the original manufacturer liable, OpenWRT liable, or are you personally liable for a security flaw on the unit that gets exploited to attack $gov_facility?
It stands to reason that the manufacturer should be absolved here, unless by virtue of "allowing modifications" they then become complicitly liable. If you follow that line of reasoning then everything is going to be heavily locked down and protected by go-directly-to-jail DRM, effectively ending general purpose computing. It also stands to reason that OpenWRT should face _some_ sort of obligation/liability should they ship a dangerous bug that can be exploited. Or a router maker could just ship a software-less box and say "Get your software from somewhere else" to avoid liability. If the liability instead falls to the user because they're the ones who "modified someone else's product" then what's to stop the hw maker from saying "The user chose to install this software, they're responsible, not me!"
This is why this is such a thorny problem. How do you craft an exception for F/OSS activities in a way that doesn't absolve commercial players, when the definition of "commercial" is so broad that it essentially encompasses anything that's not done on a purely "disorganized volunteer that gets ZERO funding, not even banner ads on a web page" basis?
Posted Sep 20, 2023 13:53 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (3 responses)
> So, if you download OpenWRT and plonk it onto a router, is the original manufacturer liable, OpenWRT liable, or are you personally liable for a security flaw on the unit that gets exploited to attack $gov_facility?
$gov_facility is liable for not properly securing their site ...
My router is quite clearly NOT a "product placed on the market". I over-wrote the supplied firmware with OpenWRT. The manufacturer of the commercial router cannot be held liable because I mod'd it.
Likewise, OpenWRT just placed their software on the internet for anyone to download. I downloaded it, installed it, configured it, and quite possibly (probably?) messed up. OpenWRT can't be held liable unless I *bought* a pre-configured setup off them.
$govt may not like the fact that they are both liable, and the victim, but if the rest of us have to suffer that on a daily basis, why not them? What needs to be driven home to the legislators is that your vision of a world of locked down hardware is a dystopian cure even worse than the disease.
If manufacturers are forced to clean up the dystopian world of the "internet of things", the background security level will rise sharply.
Cheers,
Posted Sep 20, 2023 14:19 UTC (Wed)
by pizza (subscriber, #46)
[Link] (2 responses)
Ah yes, they should face liability because they only paid for a 10Gbps connection instead of a 1Tbps connection capable of handling a DDoS.
> My router is quite clearly NOT a "product placed on the market". I over-wrote the supplied firmware with OpenWRT. The manufacturer of the commercial router cannot be held liable because I mod'd it.
So in other words, OpenWRT is not liable, the manufacturer of the equipment is not liable... which leaves you. But since you didn't "place this product on the market" you're not liable for any damage it causes either.
That seems... quite wrong.
What if it's not "you personally" but "you as the owner of a small business whose employee over-wrote that firmware and placed it into service with no access controls?"
> If manufacturers are forced to clean up the dystopian world of the "internet of things", the background security level will rise sharply.
Doing so by effectively outlawing general purpose computing and independent software development sounds like a pretty dystopian outcome to me.
Posted Sep 20, 2023 16:00 UTC (Wed)
by ebee_matteo (subscriber, #165284)
[Link]
No. You are privately liable under European (or EU-specific country) law for failing to properly secure your devices.
It's just not due to the CRA. It's law already in place.
Posted Sep 20, 2023 16:02 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
> That seems... quite wrong.
I agree with you. BUT. How different is it to anywhere else? Not at all, as far as I can tell. What if I buy a bunch of aftermarket car mods, rally-fix my car so it's totally illegal, and go road-racing with my mates?
It only needs a fatal smash and a bunch of innocent bystanders are left with no recourse because at best I'm a man of straw not worth suing - at worst I'm dead too (many people would think that was for the best! :-) and there isn't anyone to sue. Tough. That's life. And death.
> > If manufacturers are forced to clean up the dystopian world of the "internet of things", the background security level will rise sharply.
> Doing so by effectively outlawing general purpose computing and independent software development sounds like a pretty dystopian outcome to me.
And the alternative is?
It's a "damned if you do, damned if you don't" world out there.
Stuff needs to be field-updateable. Stuff needs to have the code available for audit.
I'd like to see something along the lines of "If you lock it down you have to implement a kill switch. If a serious bug is found you implement a fix, and then you trip the kill switch. If you CAN'T implement a fix, then you trip the kill switch anyway! And unless the product is end-of-life, tripping the kill switch is a warranty failure". Although if the customer didn't apply the fix, you do get to charge them for the privilege of you doing it for them, and they get a "pay for" upgrade rather than a replacement piece of kit.
Let's take routers for example. How difficult would it be for - Netgear let's say - to sponsor an engineer to certify OpenWRT on their hardware. (That is, Netgear employs the engineer to say "Yes I've audited it". He's not personally liable for it.) Another couple of manufacturers chip in so they set up a compliance testing trade association - bear in mind that sort of organisation is not allowed to be choosy about membership. So the engineers are busy fixing and improving OpenWRT, and providing value to the association members in the form of certification! Not a member? No certification!
Basically, if you provide a product, you should be responsible for making sure that (a) it works as advertised, and (b) customers and bystanders are not hurt by it working as designed. Like in the automotive industry, you should not be held responsible for unauthorised modifications, but you are responsible for the safety of the product you supplied.
And this is what I meant about the dystopian Internet World of Things, where security etc is an afterthought, if it's even a thought at all. People get hurt by commercial products acting "as designed" (as in, design consists of just throwing components together, compatible or not who cares.)
Cheers,
Posted Sep 20, 2023 14:31 UTC (Wed)
by nim-nim (subscriber, #34454)
[Link] (1 responses)
They need to nail down the language to avoid this kind of shenanigan while avoiding hurting innocent bystanders.
And I don’t think anyone here is surprised that they suspect the Googles, Amazons and Microsofts, IBMs etc will attempt this kind of shell game.
Posted Sep 25, 2023 16:13 UTC (Mon)
by Wol (subscriber, #4433)
[Link]
If your supplier goes bust, that's no excuse!
It's the same as all these companies supplying TVs with GPL'd firmware, but their suppliers didn't give them the software. The US may be rubbish at enforcing it, but in the EU it only takes a company to get dinged twice for repeatedly importing products they are unable to comply with the licence for, and the typical EU remedy would be "next time you import a product, you have to prove to Import that you have the software you need to comply with your obligations".
I gather they did manage to get that through in the US, but it would have been so much easier here - "repeat offender? You need to PROVE you're compliant before you can resume business".
Cheers,