No good deed goes unpunished: can we now be sued over software we give away? (kevinboone.me)
62 points by ingve 71 days ago | 50 comments



> It’s notable, I think, that you’re not absolved from operating “in the course of a commercial activity” just because you’re supplying software free-of-charge.

I can see why someone would have added this provision, if you think in terms of what loophole would exist without it.

Imagine a company that sells you a router, and they declare that the necessary software is provided "free of charge", and as an extra convenience they've pre-installed it for you.

Sure, maybe the device won't work with any other software, and maybe the software can't be installed on any other device, but anybody can download a copy from their website, so it is free...


> Imagine a company that sells you a router, and they declare that the necessary software is provided "free of charge", and as an extra convenience they've pre-installed it for you.

If this meant that routers booted off of swappable SD cards then that'd be awesome.


So, on the plus side, assuming that the absurd aspects get ironed out, couldn't this be a good thing.

Businesses that rely on open source software will either have to accept liability for defects, or contract out to a third party who accepts liability.

That seems like it might encourage open-source business models that encourage selling support, even just for the liability protection.

Or am I being too hopeful?


The author has a hard time understanding whether the CRA applies because he is thinking like a software engineer and not a lawyer.

It would be very clear to a lawyer what "in the course of a commercial activity" means. And accepting open source contributions from a business entity normally isn't considered "in the course of a commercial activity". (It's like buying apples from the supermarket is not engaging in commercial activity on the part of the customer, even if the supermarket is.)

No disrespect to the author, but even consulting with a law student would clear up the issue. Maybe better access to law would be nice, but if the OSS community is really concerned with this issue some lawyer would have clarified this already.

IANAL of course, and this is not legal advice.


It's probably fine; but it's not perfectly unambiguously fine, which means the first defendant may face years of uncertainty and millions of dollars of legal fees before they win. Maybe the other party would be ordered to pay some of that, and maybe they'd manage to collect. Against the €0 they've been paid, that's still a pretty bad bet. That's the good outcome, where they win. They probably won't lose, but if they do then it's potentially catastrophic.

Perhaps you could find a law student who didn't appreciate those second-order consequences, but no one who's ever had involvement with a real nontrivial proceeding would. I think whatever training you've received has given you some false confidence here.

A real lawyer's answer to almost any question is stereotypically "it depends", and that's for good reason. Even the smallest points of uncertainty can get expensive fast, both in legal fees and in expected value when a small probability gets multiplied by a very large worst-case loss. The EU has created a new such point here. That's probably more from sloppy drafting than from any intent, but it's unfortunate.


I get your point, but realistically you're talking about a minuscule chance of being sued as first defendant given the thousands of OSS devs in the region.

Is a rational person supposed to be worried about the < 0.1% chance of financial ruin? To the extent they have to take draconian measures to protect themselves while working on OSS?

"It depends" is correct but totally useless advice. Sure, a lawyer should probably remind the client that people sue others for unsubstantiated reasons as well, so there's always some legal risk in new legislation where there's more uncertainty as to what the words mean... but as I said I'm not a lawyer and I'm certainly not the OP's lawyer or your lawyer. As in, I'd probably cover my ass a bit more if I were, but the fact is that the legislation wasn't intended to impose strict liability on OSS devs and is unlikely to have that effect.


If the EU passed legislation to randomly select three people under its jurisdiction and bankrupt them, then I think that (a) my personal risk would be too low to be actionable, as you say; but (b) that's pretty bad legislation.

I think they've constructed roughly that effect here. I believe that's worth complaining about, both in principle and to the extent that same demonstrated carelessness might create more serious practical problems in future. That's especially true since as far as I can tell, this would have been an easy fix, just better drafting with no intended policy change.

Of course that's different from what a lawyer considering only their client's current personal interests should care about. There I think most developers would take no action (and I don't plan to myself), though the lawyer would probably consider that a business decision and leave it for their client to make in the context of their legal advice. I might take action if I worked on a high-risk (e.g. cryptocurrency per below) project, to use a pseudonym, minimize assets in the EU, etc.


> I get your point, but realistically you're talking about a minuscule chance of being sued as first defendant given the thousands of OSS devs in the region

There's that, and there's also the fact that there's no point in suing people with little money.

An aggrieved company isn't going to go after a random open source dev, because that costs more than it is worth. They will find an actual commercial vendor to sue.


That's true, but only if the thing they want is money. For example, a commercial software developer might fund lawsuits against its open-source competitor even with no hope of recovering significant cash, because the goal is simply to destroy that competitor.

Probably they'd lose eventually. The effect on the defendant would be big regardless though, and that's the point. A lawsuit doesn't have to win to be a useful economic weapon, just to survive long enough to inflict the intended pain on your opponent.


If you give out apples for free and one of them turns out to hurt someone, are you liable?

Edit: I'm not talking about deliberate poisoning or any other malicious intent. (Apparently this wasn't obvious?)


In the United States you have limited liability if you donate the apples to a food bank or a nonprofit feeding the hungry. Not sure about the case where you give away apples directly to random people on the street.

https://www.usda.gov/about-usda/news/blog/good-samaritan-act...


IANAL, I expect it would depend on how you represented them and any negligence or malicious intent.

You certainly can't hand out poison apples for free without liability.


(This is what I learned in school, for common-law-ish jurisdictions.)

What you said is true, if there's negligence or malicious intent you're generally liable. In tort. (Edit: also criminally liable as well but that's far off topic)

However, whether you sold it or gave it out for free does matter, because for sales of goods, there's also contract law involved, there's usually additional implied warranties about the product being "merchantable" (you see this word in OSS disclaimers as well), and generally you can't disclaim your liability if you sold the product for money.

If there's no money and no other considerations involved when you give away the apple, then there's no contract, so only the tort part applies.

Generally the idea of holding the seller of a product liable for harms caused by the product is that the law (or society at large) don't like businesses profiting from selling stuff yet shifting risks to the consumer at the same time.

Again, IANAL and not legal advice.


Perhaps it gets into a legal area that considers "reasonable expectations and behavior". You can absolutely sell buggy, non-functional, and even dangerous code. You just need to go to greater lengths to ensure that the buyer is informed about what they will be getting.

>Generally the idea of holding the seller of a product liable for harms caused by the product is that the law (or society at large) don't like businesses profiting from selling stuff yet shifting risks to the consumer at the same time.

I think it is more about the law attempting to mirror social expectations than having high-minded objectives itself.


> In tort.

New word for me.

A tort is a civil wrong, other than breach of contract, that causes a claimant to suffer loss or harm, resulting in legal liability for the person who commits the tortious act. Tort law can be contrasted with criminal law, which deals with criminal wrongs that are punishable by the state. While criminal law aims to punish individuals who commit crimes, tort law aims to compensate individuals who suffer harm as a result of the actions of others.

https://en.wikipedia.org/wiki/Tort


Although the implications for independent open source developers in the EU are pretty bad, the real problem here is actually the impact it will have on European software companies, or in fact, any company that wants to sell software in the EU, even if they are foreign. The EU already suffers from a severe lack of tech industry given its size, and the author just casually brushes off the fact that this will make it much much harder.

Most likely it will mean that European software suppliers must pay for very expensive outsourcing of liability protection or liability insurance, yielding higher prices for European customers, and many other companies will simply give up on selling their software in the EU at all. The fact that shipping faulty software is a strict liability crime there means that you can't even solve the problem by using high quality processes and standards, which is presumably the goal, because it literally doesn't matter how much effort you made in good faith to reduce the fault rate. This changes the economic equation for selling software in Europe quite considerably. Hopefully, the UK does not create the same problems when it attempts to draft a similar law, or better, it simply doesn't draft such a law at all.

It says a lot about the cultural problems in Europe, and I say that as someone who was born and lives there, that the author simply blows this problem off as only affecting "mega corporations".


I don't think not liking and not wanting "mega corporations" is a cultural defect. It's a valid stance to have.

Whether the end result of that stance is a good thing is of course debatable.

Personally I'd say I'd rather have a dozen companies providing some service to choose from than one or two gigantic ones.


Would it be possible to provide software under a license which is only valid if the manufacturer cannot be held liable for defects? That is, just turn the problematic scenario into copyright infringement.

Seems to me this would be perfectly enforceable in the US, but EU laws often feel like they'd rather force software authors to take on liability and not be able to opt out of the whole problem. I'm unfamiliar with this area of law.

I'm unsure if this modification would still qualify as Free software (as defined by FSF)... It would seem to interfere with Freedom 0 in a way that isn't really obvious. The legal environment would constrain what the software could be used for, because the license would terminate in case the author would be liable for defects.


One can argue that this is implicit in FOSS licenses, including the GPL. If the author can be held liable for any defects, then they can't really share their contributions, and FOSS contributions would only be possible by entities with well-paid lawyers. This is against the spirit of both Open Source and Free Software.

Furthermore, similar clauses have existed for patents. E.g., if you use an Apache licensed library, but sue one of the contributors for patent infringement having to do with the library in question, then any grants of the Apache license terminate, so you can then be countersued. The way you framed your text, this would qualify as an interference with Freedom 0, as you can't eat your cake and have it too.

Lest we forget, here's what the MIT license, one of the most permissive ones, has to say:

"THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."

So the MIT license already says what you think is against Freedom 0.


Agreed so far, but in the US that clause is enforceable and doesn't affect the ability to use or run the software, only the ability to receive support for it. My understanding is that any such disclaimer by businesses in the EU is not enforceable due to this new law. As someone who wouldn't want to accidentally be on the hook, I'd want a license which precludes uses where the law would kick in - but that is a restriction on use.


It does seem like they have explicit provisions to exempt those distributing non-commercial OS/FOSS from these requirements. This is in keeping with the EU's promotion/funding of public benefit software.


If a company uses free software in building their product, how does the law apply here. Does the liability fall on the commercial use or the original provider?

Or what if the open source library itself is provided by a company. Let’s say Intel’s IPMI library has a vulnerability that affects Dell servers and causes a breach at a bank in Paris.


What I understand (from having attended some Dutch government meetings about this), is that companies are liable and should make an assessment of all third party libraries that they are using with respect to the risk involved with cyber security. Furthermore, they should actively monitor any security updates of those third party libraries and incorporate fixes in their own software and push those to users of their software. This does include embedded software in the devices they sell.

This applies to all software that is part of a commercial interaction, no matter whether the other party has to pay for the software or not. The software could be part of a device or be part of a certain service.

I understood that as long as the developers of open software are not involved in a commercial interaction, they cannot be held liable. I guess that if you receive some kind of support (a grant) for developing open source software, you are not immediately in a commercial interaction. But if you have some kind of agreement with an organization to develop or maintain open source software specific for that organization, that could count as commercial interaction.


> But if you have some kind of agreement with an organization to develop or maintain open source software specific for that organization, that could count as commercial interaction.

I think that's the risk. It's not clear what counts as a commercial interaction. eg I built a lib used for data analysis of bio samples. I have occasionally done some consulting for users, but nothing in over a decade. Does that count as commercial interaction? It's unclear to me. I'm considering deleting the open source and/or updating the license to ban the EU.

Like obviously this is a very low probability risk, but I don't care to take any risks for something that I give away for free :shrug:

Separately, the idea that I have to have a security policy or any other thing; I decline.


I understand your worries as they were one of my reasons to join these government organized briefings.

It seems very unlikely that such a lib in itself has any cyber security risk as long as it itself does not query an external database through a network connection.

The users of the lib have to assess that it has no security risk.

Did you sign any formal agreement with the users of the lib? Is there still any obligation on your side with respect to the lib?

If you would discover some security issue, like a buffer overrun, would you fix it? Then just mentioning it, would be enough. The users of the lib bear the greatest responsibility. They have to regularly check your lib for security problems.


> It seems very unlikely that such a lib in itself has any cyber security risk as long as it itself does not query an external database through a network connection.

It almost certainly has tons, because it was not designed to read attacker-controlled images or data files. If someone uses it in that manner, I would be absolutely shocked if it doesn't. The testing suite focuses exclusively on correctness and speed.

> If you would discover some security issue, like a buffer overrun, would you fix it?

No. I don't use this work; I no longer work in science; etc. It's just a gift to other people of several years of work and a ton of time in vtune making it go fast.


It's on the commercial user. Basically if you don't pay for support you're liable for the issues, at least in my only experience: a company I worked for decided to stop paying for Atos/Bullion support because of how shitty/useless it was, and the only reason the CEO agreed was that we could instead use Redhat software and support to take on part of the liability.


That is what the safety and cyber security certification process is for. In your given example, that's iso27001/13/15 depending on what the bank itself does in their operation.

The company owning the certification owns the responsibility. No cheating through cheap cyber security consultant chop shops from India anymore.


AFAIK if you take open source software, provided without liability, and use it commercially then you take the liability for that product, since you can't shift it to the creator, since they're volunteering for free.

Which seems like common sense to me. It's good when the law mirrors common sense.


> AFAIK if you take open source software, provided without liability, and use it commercially then you take the liability for that product, since you can't shift it to the creator, since they're volunteering for free.

That is incorrect per my understanding. If that open source org offers eg paid support, they likely have liability, at least in the EU. Now they're probably, practically speaking, judgement proof. But they do have liability. see [1]

[1] https://ubuntu.com/blog/the-cyber-resilience-act-what-it-mea...


Okay, but then they're selling a product, not volunteering. And the law is that people who sell software can be liable for that software. Which makes sense. This is how every other product on the market works.

Note that "can be liable" does not mean "will pay so much money they go bankrupt". It just means that normal liability rules will apply and that person is not shielded from liability. If I sold you a broken car saying it was in perfect order, I may be liable, but if I can prove a mechanic told me it was in perfect order and I didn't break it after that, I may be able to transfer my liability to them. Now, if because the car was faulty, you crashed into a children's picnic, your car exploded into flames and killed an entire orphanage, I or the mechanic may still go bankrupt paying their medical bills...


"selling" a product for $0 is an insane twisting of english and common sense.

And something now that only idiots do. And the reason no physical world analogies apply in the slightest is even if you give away (not sell) a car or some other physical possession, you don't sell a million copies and incur liability across a million users. For that same $0 cost. While that free download incurs effectively unbounded liability.


Wait, so this paid support is $0 support? Then how is it paid?


taking $1 in support creates the obligation to anyone and everyone. Not the people who paid.


If I give away free cookies I baked just to feed people and they develop minor food poisoning, I may be shielded by the fact I was volunteering in good faith. If I give away free cookies with the logo of some big event to advertise that event, now it's commercial and I may be liable for the cookies because I'm backed by the money of that big event and should have been held to a higher standard.


The idea that selling one thing, ever, creates a financial obligation to anyone, ever, who downloads something for free is abject nonsense. And again, would lead anyone rational to wholesale blocking the UK or EU.


Good thing that isn't the idea.


Stop pretending that isn't literally the law, and the one you supported over many comments.

Offering $1k of support to a user of your code creates an obligation to any user in the EU, regardless of whether you know their name or not.


In ~2022 myself and a dozen other former and current volunteer Bitcoin contributors were sued in the UK by a shell company controlled by a fraudster/imposter.

The plaintiff alleged that they had 'lost' (through no fault or negligence of ours) in a 'hack' the private keys to some $4 billion dollars in Bitcoins and that we owed them tortious and/or fiduciary duties to aid them in "recovering" these assets.

Our position was that there wasn't anything we could do to help; that even if there were, we had no obligation to do so, owing to the fact that the software we published was MIT licensed with a forceful disclaimer of liability which the plaintiff had accepted and without which we wouldn't have allowed the plaintiff to use or redistribute the software we wrote, and the fact that normally no one has an active duty to save another (e.g. a police officer can stand holding a life preserver as you drown); and finally that their claim of ownership was obviously fraudulent.

(plaintiff's position was that we could help by publishing backdoored software; we were never able to pin them down on how we were supposed to force anyone to adopt it in order to give it any effect at all, among other issues)

We originally succeeded at getting the case tossed as having no reasonable prospect of success, but the dismissal was overturned by the appeals court.

Fortunately (???) the fraudster behind the claim brought an additional spurious claim against us (this time demanding hundreds of billions in damages) during the brief window before the initial dismissal was overturned. Owing to a spectacular tactical blunder by our opponent the new case was joined in with other cases involving him which were more advanced in their development, and we were able to factually destroy all of the evidence that his initial case used to show his ownership as a collateral effect.

All in all our litigation cost millions of dollars, tens of millions for all parties across all the related cases. Fortunately good actors in the Bitcoin space stood up to pay our costs, or otherwise we would have been personally ruined long before successfully winning the case on its merits, which was presumably his strategy. -- this is a thing often missed in these discussions: that it doesn't matter so much if you would ultimately win if, when you can't immediately get a summary dismissal, the legal costs will ruin you long before you get that opportunity. Not every project has supporters as wealthy as ours.

Unfortunately, we had essentially no support from the free software legal or online rights world. I hope we avoided the precedent created by the initial reversal trashing things up for the future, time will tell. I was disappointed by parties who denied us support out of ick at anything cryptocurrency... when it comes to defending civil liberties you can't necessarily pick who you defend. There is a lot of good free speech law in the US thanks to the deplorable people at the Westboro Baptist Church.

Our case was in the UK even though none of the defendants were there and many were in the US, because that's where the plaintiff brought it. Unfortunately when you write software that's used world wide you're potentially exposed to the systems of other countries, at least ones your own country will domesticate judgements from, regardless of your desires. (and perhaps an absence of choice of venue clauses is a defect in popular licenses...)


I guess somewhat a solution to this is to contribute anonymously, via Tor/VPN, incl. any emails so that nothing can be traced back to you.

> the fact that normally no one has an active duty to save another (e.g. a police officer can stand holding a life preserver as you drown

No idea about the UK but in many jurisdictions you have the duty of first aid to people as long as it doesn't put your own life at risk


In the US and UK there is generally no duty to aid. And a duty to aid seems like bad policy, in the sense that it invites litigation over the "at risk" question. It's easy to make judgements after the fact. It's also sort of incompatible with the notion that you could be liable for gravely negligent "aid".

I wonder to what extent this is enforced in places that have it, and I assume it's only applicable to obvious life/death situations? Particularly given that a sizable part of the population freezes in response to danger/shock I'm having a hard time imagining that it's a real rule in practice.

> I guess somewhat a solution to this is to contribute anonymously, via Tor/VPN, incl. any emails so that nothing can be traced back to you.

Being strongly anonymous over a long period of time is extremely difficult. If you mean just throwing something over the wall and vanishing then that's potentially possible but any long term collaboration is almost sure to out you given enough time. And then when it does your anonymity is vulnerable to being spun to argue that you knew what you were doing was wrongful. You're also less likely to be protected in other ways since you thought your identity was a secret.

But perhaps most importantly, I believe the US is the only major jurisdiction where you have a right to defend yourself while anonymous. In the UK you can't even hire a solicitor as an anonymous party, and a related satellite case to ours (over the operator of Bitcoin.org who is anonymous) went all the way to the UK supreme court on this point. So if you're anonymous and the lawsuits come in you have to expose yourself there or lose by default. And if you lose by default and don't comply with the court's orders you could end up with an arrest warrant against you-- which is no problem, until your identity is somehow exposed and it's suddenly a major problem.

A lot of the way that liability in this space is damaging is that just because a case is weak, even farcical, you still have to defend it vigorously because there are no retries... and there are plenty of procedural footguns where someone who is obviously in the right can lose nonetheless.

At least for commercial software you can view liability as a cost of doing business, but the incentives for Open Source are shallow enough that they obviously can't cover it. Moreover, there might be a selection effect where more thoughtful contributors opt out while fools rush in-- ultimately to the detriment of the public.


Crazy.


> I’m unsure whether the CRA would allow me to distribute ready-to-run binaries along with source code.

Why?


Because that makes Kevin a manufacturer and thus subject to liability for a product that he gives away for free, which is a ludicrous proposition. And would lead anyone rational to ban all UK downloads, because you can't put your personal finances at risk to give someone free software.


Oh right. I had the opposite uncertainty, in that I presumed distributing source code counts as manufacturing with no distinction between the two. So you have to put it through a compiler to make it go, so what, same difference. (And what about bytecode and JIT and other gray areas?)


The word "product" has been used in all citations, though the author did not provide the definition of "product".

In my opinion, this would likely clarify the intent behind the text.


Does the UK variety have the 15 million penalty as well?


Could you just claim that "this software is intentionally defective and full of security vulnerabilities, was made as a training software for pentesting", so that (and good luck proving that) only if it's proven safe you can call it "defective"?


Stopped reading when I learned this was about the UK. That whole country is headed towards oblivion through mismanagement and draconian punishment of its own people.


It's not about the UK, which you'd know if you hadn't stopped reading ;) Last paragraph of the article:

> "Of course, here in the UK we aren’t subject to the EU CRA. I’m hoping that, by the time we get our own version, it will be clearer how the law will work."

The current British government is, of course, not very high quality and may well make very similar mistakes in the drafting of its own law. But that isn't clear because it isn't written yet. This article is purely about the EU.



