France Proposes Software Security Liability For Manufacturers, Open Source As Support Ends

It sometimes seems as though barely a week can go by without yet another major software-related hardware vulnerability story. As manufacturers grapple with the demands of no longer building simple appliances but instead supplying products containing software that is exposed to the world over the Internet, we see devices shipped with insecure firmware and little care for its support or updating after the sale.

The French government have a proposal to address this problem that may be of interest to our community, to make manufacturers liable for the security of a product while it is on the market, and with the possibility of requiring its software to be made open-source at end-of-life. In the first instance it can only be a good thing for device security to be put at the top of a manufacturer’s agenda, and in the second the ready availability of source code would present reverse engineers with a bonanza.

It’s worth making the point that this is a strategy document: what it contains are proposals, not laws. As a 166-page French-language PDF it’s a long read for any Francophones among you, and it contains many other aspects of the French take on cybersecurity. But it’s important, because it shows the likely direction that France intends to take on this issue within the EU. At an EU level this could then represent a globally significant move that would affect products sold far and wide.

What do we expect to happen in reality though? It would be nice to think that security holes in consumer devices would be neutralised overnight and then we’d have source code for a load of devices, but we’d reluctantly have to say we’ll believe it when we see it. It is more likely that manufacturers will fight it tooth and nail, and given some recent stories about devices being bricked by software updates at the end of support we could even see many of them willingly consigning their products to the e-waste bins rather than complying. We’d love to be proven wrong, but perhaps we’re too used to such stories. Either way this will be an interesting story to watch, and we’ll keep you posted.

Merci beaucoup [Sebastien] for the invaluable French-language help.

French flag: Wox-globe-trotter [Public domain].

58 thoughts on “France Proposes Software Security Liability For Manufacturers, Open Source As Support Ends”

  1. It would be far better for companies to have dedicated sub contractors to handle end of support issues such as maintenance and security upgrades. Just making something open source is like handing a hacker your company’s secrets. Who looks after open source? What are your expectations for open source programs? Security upgrades are one thing but don’t expect open source to provide continual development of a discontinued product.

    1. One might argue that companies would be motivated to get their security right in the first place if they had to eventually open-source the code. Internal leaks and clever or lucky reverse-engineering will quickly hand vulnerabilities to the public anyway. If it can’t be secure and open-source, then it’s not secure.

      I don’t like this dedicated sub-contractor idea. We already offload every risk and expense conceivable onto contractors. I realize it will only continue and grow according to the hallowed laws of the market, but I think it’s obviously a shit idea as far as building good society goes. More and more people are those screwed contractors each day, and the companies who hire them get away with even more bullshit than usual.

      1. There are companies which don’t employ any engineering staff; they contract out the entirety of design and manufacturing their widgets to other firms. Would you prevent the engineering-less firm from contracting out the end of support issues? Or must the original engineering firm be on the hook for the end of life issues?

        1. IMO if your company is selling the product and it’s your brand name on the thingymajiggy, you get grilled by the law if there’s any kind of security fuckup.

          The contractor idea only cultivates a “LOL, not our responsibility nor our problem” way of thinking for those companies.

          It’ll also ensure they don’t pick the contractor(s) doing it the cheapest, but those doing only well thought out high quality work, IF contractors are involved.

          1. Here in dschermany I have heard not one single case of a company selling consumer products getting sentenced, let alone sued because of security flaws. They just throw their crap out there and move on to the next device(s). It is pretty sad actually.

      1. Easy. It’s France, so French citizens will pay, as they usually do.

        In all cases, if you have a flaw in an obsolete device, you are currently paying for replacing it (and if you are smart, you do that before damages, right?).
        If this proposal is accepted (I doubt it), then companies will be responsible for these devices and therefore, will either have to disclose some secrets (in their code) or maintain old devices or face penalties after bad advertisement from a (public) trial, yet does not exempt them from support. All cases lead to longer support of your devices, since it’ll be cheaper. This should reduce e-waste (but also progress?).

        Now, it’s a political point of view whether companies should spend less in R/D and more in support, and France seems to go for this. In the end, if (very hypothetical if) this passes, the application will be so screwed that it will either have so many wormholes that it’s useless, or it’ll end up in some “compensation” for companies obtained from taxpayers…

        1. What’s with the Frenchbashing? Are you a French complaining about your country but not going to live elsewhere, or are you a French living in another country and you just can quit complaining? In the first case, quit complaining and go live elsewhere, where the grass is greener. In the second case, just quit complaining, you won’t pay anything.

          As for the rest of what you said, blahblahblah…what is wrong with open sourcing stuff you don’t care to support anymore? Do you just complain because it is free? (it is not by the way)

          1. Hypothetically let’s say you have a web camera with a proprietary piece of code that is excellent at compressing and decompressing live video and audio and streaming it from one device to another, but your security is a little lacking. The EEPROM is small, which was fine at the time before you were aware of the security issues in the other elements of the firmware/software.

            New updates to patch the security won’t fit, so you stop supporting the device, bring out a better one with more features and continue to use that code. Now the EU have brought in a rule that says support the old device (which is not possible) or release the code (which is your IP by the way and is what your whole device is known for – lag free live high quality streaming of video).

            Your code, which is what set you apart from the competition, will now be freely available to all. Which is fine if that’s what you intended but if you’re a smaller company that cannot absorb the losses you are now bankrupt!

  2. Well, one very nice outcome could begin the establishment of a set of well-known, vetted protocols that multiple manufacturers could use as the underlying basis of their products. (Am strongly resisting the urge to use the word Linux ;-) That would make it a lot easier for multiple companies– particularly smaller companies– to put together and build on top of a (presumably) modular infrastructure that could then continue to be maintained and extended beyond the support life of the product– and of course it could also assist the company during its support period as well.

        1. I figure a code blob can be used so long as that blob is maintained. Companies would have to choose between support and release. The blob would also have to follow those restrictions, so if they decide not to support their product it too should be open sourced. The code blob people would also have to supply documentation on changes to its interface or provide strong legacy support.

    1. Well, if you bought it, it came with support, right?
      The goal of open sourcing at end of life is clearly and obviously to allow for the devices to be kept operational, if anything, by volunteers.

      But if you have other ideas to fight planned obsolescence, feel free to share them.

    2. Came here to say just that – these are not self-contained blobs of code with one single ownership and that no part of it has any further value going forward in other products that might still be available. Just because that one product as a combined whole is obsolete, maybe it just didn’t sell well, this doesn’t mean that there aren’t current software libraries bought in from other vendors, drivers for hardware, USB or IP stacks etc and all maybe running on a licensed RTOS. Season with patented algorithms. Say it used embedded Windows – do you ask Microsoft to open source because your media streaming product failed? France could just become a very unattractive place to do business for tech.

      1. Apart from the fact that the French don’t believe in or practice it any more?

        Personally, I blame American influences. There’s a very good reason why so many countries, (not just China and the Islamic theocracies), keep complaining about the Americans polluting their cultures.

    1. My grandfather’s washing machine has been running for maybe 50 years. It’s still washing perfectly. Can you say the same about your iPhone 4? How old is your washing machine?

      One way or the other, it’s obvious the system will need to find a better balance than the current deprecation policies. Do you have a better idea to solve this issue?

      1. You have a choice to buy open-source hardware and software. Let the free market economy work, and you’ll see that 99.999% of consumers don’t give a crap (On s’en tape) about re-using old hardware. Rather than trying to solve a 0.001% problem, how about enforcing recycling of old hardware instead of putting it into landfills? That would be a better place to focus regulatory efforts.

        1. Recycling electronics still uses a lot of energy and it is almost never done in accordance with environmental regulations, which is why they ship hardware off to the third world, so best not to design throwaway hardware in the first place.
          Apple may have solar panels on their offices but they are one of the least green companies on the planet as that is less than 2% of the total energy cost associated with an iPhone.

          1. 2%? That’s pretty high. I would push that figure even lower, even if you add in the energy required to obtain & convert the raw materials that go into an iPhone to turn it into a product.
            As far as one of the least green, Apple are one of the worst companies on the planet when it comes to planned obsolescence (recall the story on these very pages about Apple deliberately degrading performance of older hardware?).
            I for one will not buy an Apple product on principle. It is not as if there are not other (and sometimes better) products out there.

        2. Please….

          free market…lol. yeah consumers are not educated enough to know, so how are they supposed to get the market to be better by buying the better thing? They can’t. If a thing still works it should be CRIMINAL to hold on to code that would stop people from fixing their stuff. Look what the “free market” decided for inkjets. Disposable loss-leader printers that uneducated consumers throw away and replace when they run out of ink, ’cause they don’t realize the included cartridges are “starter” carts and think it’s cheaper. This is an environmental disaster and it is the same as those companies dumping stuff in a landfill.

          Libertarian ideas sound nice, but in practice they amount to letting the people with economic power do what’s best for them, and that’s NOT what’s best for us and our children.

          Free market. lol These giants are so huge they warp the markets with their media and power of ubiquity. Free markets are an illusion, the tycoon will ALWAYS exert force on the markets and make them not “free” unless the collective power of the people steps in and keeps it balanced. Free markets don’t exist, we should aim for balanced markets.

          The crazy streak of libertarianism that runs through the computer crowd kills me. The internet is/was a free market of ideas and that works so good you all get confused and try to transfer that stuff to meatspace with already dominant power players controlling everything…wake up

          1. “If a thing still works its should be CRIMINAL to hold on to code that would stop people from fixing their stuff.”

            Spoken like a true millennial, or RMS.

            You paid for a product which worked for its designed warranty lifetime. You’ve got zero claim to the work and tools that went into making the product (i.e. source code). That’d be like forcing Toyota to give you the machines and molds to stamp out body panels to fix your 20 year old car. Not gonna happen.

            Feel like you’re being wronged? Go make your own devices to do the same thing. You’ll have a greater appreciation for the work that went into your iGadget or whatever.

        3. How old is “old hardware”? Is your 1.5 year old Apple or Android device “old hardware”? Likely not. This is the timespan most companies distribute updates for their devices. Make it 2.5 years and it is still (read: can be) a short time in the life of a device. If your tablet or phone does not get any security updates you can consider it unsafe and broken. Like really, physically broken. What we need is longer mandatory warranty including support for software updates. At least 3 years, better 4. This means devices will be more expensive and companies will not sell as many devices, but throwaway cycles slow down. The “free market economy” atm does not even give you a choice. I would buy a phone with 4 years of warranty and support, but I don’t know of any company offering that…

  3. I’ve been proposing this for years. Place the code in “escrow” such that if meaningful support ever ends for whatever reason, the code is automatically released so users can build and support their own gear.

    I’ve framed it as a way to keep obsolete-by-corporate-suicide hardware out of landfills by ensuring that secondary uses can drive the hardware.

    1. I was thinking the same thing. Enforcing it would be a horrendous problem though. The companies that are likely to be diligent about keeping the escrow’d code current are probably the ones least likely to go out of business. The crap-mongers may not even have internal revision control…

  4. Could we change the title to: “France soon to have the most expensive software based products in the world”

    The liability insurance rates for this will be extreme. A better solution would be to first require that all software based products be updatable. And then hold vendors liable if they possess security patches and don’t distribute them in a timely manner.

    1. I understand the plan, but I think we’ve seen what happens when we try to have ad-hoc accountability. If they are liable after the fact, they simply aren’t held accountable by any competent agency. They get away either completely unmolested or with a token fine equivalent to a five-cent speeding ticket.

      The cost of bad security is something we’re already paying, just not as part of the sticker price of the product. It’s something we pay as a society. And usually it’s not the company paying, and not particularly the customers either. It’s everyone.

  5. Wouldn’t this end with a final option of a liability waiver that allows you to continue using the product as-is or an update that contains no licensed code? Sure, it still reads, but you are limited to 1.2MBytes/sec. Instead of bricking, they all run openwrt. Sweet!, my fridge can now be used as a captive portal! Too bad it no longer keeps the food cold.

    1. I’m always impressed by people who complain about their country, but instead of doing something about it, like going to live somewhere else, where the grass is greener, or act up to change whatever they complain about, they just go trashing about on the internet. Sure, that helps.

      To the point, did you happen to miss that most other countries had the same issue with their military and/or sensitive personnel and facilities?

      1. yes, but remember that France doesn’t really exist as a totally separate country any more, it is just part of the EU superstate, which they have significant influence over. This kind of nonsense could become EU-wide law.

    1. Good, that way companies that make products that last and/or that are open source, won’t have to get that insurance. They will thus be cheaper. Conversely, the bad, expensive, closed-source products with limited life span, would be more expensive, because, as you said, would have to include such insurance.

      1. Open source projects would still need the insurance though. Unless you believe the hype that open source projects are miraculously free from defects.
        Sure, if you open source it and don’t sell it, you might dodge the legislation depending how it’s worded, but if so, there’s likely some clever dodge.

  6. The companies will just build in from manufacture the shut down day of the device. Or you will not be able to purchase a device only lease it for X years after that you must return it just like that electric car a few years back. Once the lease was up they were all collected and crushed.

    They’ve effectively been bricking computers for years. So to extend it to other devices is not a difficult proposition.

  7. If you want to sell a product you need to make sure it is secure in today’s interconnected world. We’ve been here for 20 years. It’s your responsibility manufacturer, this is not a new problem, and you are responsible for it as surely as you are for any other design defect.

  8. >>little care for its support or updating after the sale.

    Sounds just like Android. My phone hasn’t had an update after the first 18 months or so.

    Oh, and Android is “open source.” That hasn’t helped the 90%+ of Android devices that are no longer being updated.

    Pardon me for saying this plan isn’t so great.

    1. This is because the vendor of your device has not open-sourced the complete kernel code + drivers for the device, or better yet, integrated support into the mainline kernel. If you have that you (or some other person) could build a new Android version for your device. It is certainly not Android’s fault. Plus, see if maybe LineageOS supports your device.

  9. First, it’s not France (as state) but a report from a French Army intelligence subdivision, yes, the same one that fought to keep the over-128-bit cryptography ban for decades.
    So very far from being a law proposal or government wish…

  10. Just a thought, but here is what I’d prefer to see come out of this: appliance manufacturers agree on a standard connection port and protocol and just sell the appliance with minimal controls. They all contribute to an open-source software holding group, say “openappliance”. If you want a smart appliance then you buy a screen and SBC or micro-controller and flash it with software from openappliance. If you don’t want to do it yourself, well then you hire it done. If you have a good idea for a new feature then you submit it to openappliance and they check if it’s feasible and popular enough to add, or you roll your own addon and submit it. Manufacturers win as they don’t carry the liability and the consumer wins because they can use the device the way they want.

  11. Software and firmware need to be subjected to peer review and audit, just as other critical professions are, be it through open-sourcing coupled with paid registered security auditors to make the review. No audit, no license to sell the product within the borders of a free society.

    If your product is as safe and secure as your sales team say it is, then this should not be a problem.

    If you rely on 3rd party black box components, then that company should have less of a problem conforming to international software audit standards.

    Only thing is the software market remains completely self regulating, and any attempt to change this will be fought tooth and nail by some of the world’s most well funded lobby groups.

    free software = free society – RMS
    software = law – Lessig
