
The ignition of the digital atmosphere

by Luis de Sousa Sun Oct 15th, 2023 at 03:48:39 PM EST

Foreword: This article was submitted a few weeks ago to EurActiv but was not published. Still, I believe it deserves to be read by a wider audience. You may replace the references to EurActiv with the company or institution you work for.


Software is everywhere: in the appliances and gadgets we use, running the services we rely on, in all the conveniences that make modern life comfortable and straightforward. But that software is not perfect. It is vulnerable in places and on occasion fails, exposing sensitive data or allowing unauthorised access to critical systems. These failures carry costs, financial and otherwise, which the European Parliament, Commission and Council now attempt to tackle with the Cyber Resilience Act (CRA). While its premises are widely welcomed, the proposed legislation is about to set in motion a regressive process with unpredictable consequences.

Frontpaged - Frank Schnittger - an important contribution to a live current debate

A reading of the draft CRA meets terms such as "finished product", "manufacturer", "market" or "commercial activity", alien to the reality of software development. By common industry estimates, around ninety percent of the software in use worldwide contains open source code, created under a paradigm in which anyone can contribute and everyone benefits. Some economists call it a novel form of conducting business, based on cooperation rather than competition. The legislator leaves the impression of being unfamiliar with this reality, merely attempting to regulate the modern economy with twentieth-century concepts.

A computer programme is not an industrial product like an automobile produced on an assembly line or tomatoes packaged in a sealed box. Software development is eminently a creative process, akin to building with Lego pieces, constantly adapting to new standards and methodologies and swiftly responding to vulnerabilities. In this domain there are no products but projects, no manufacturers but contributors, no industry but a community of persons and an ecosystem of projects. Enterprises operating in this space do not manufacture or sell products; they provide services to software users. In Europe almost all of them are small and medium enterprises (SMEs).

By missing the nature of software as a commons, the CRA falls into several fundamental errors, the most important being to equate software with a manufactured product for which someone is entirely responsible. Contributors become liable for vulnerabilities and their ultimate consequences, with fines running into the millions of euros. To convey the outcome of this liability I must tell you a story.

My father was born in a small mountain village where a community oven still exists today. For centuries all the bread consumed in the village was baked in this oven, which everyone used but nobody owned. Every week one of the families would start the fire with their own wood, and for as long as the oven remained warm everyone else baked their bread too. This simple system benefited everyone, in exchange for the occasional contribution of each family. Imagine now that a new law made the family starting the fire liable for the wholesomeness of every loaf baked on that occasion. It is not hard to guess the fate of the community oven under such circumstances.

If you watched the recent "Oppenheimer" masterpiece by Christopher Nolan, you might recall that in July 1945, when the first atomic test was conducted, there was still a narrow theoretical chance of a runaway reaction igniting the atmosphere. The European digital space contemplates a catastrophe of similar magnitude with the CRA: an unintended knock-on effect of inter-dependent software projects outright exiting the EU. The terms "unworkable", "chilling" and "paralysis" floating around in the community are no hyperbole. Early estimates circulating in the community point to one hundred thousand direct jobs at risk, affecting tens of thousands of European SMEs. And that is just the tip of the iceberg.

Euractiv is itself the perfect example. The pages of this publication are managed and served by a software project named WordPress, a global leader in content management. Together with other heavyweights in this domain, the WordPress project made it clear in an open letter that it would not remain present in Europe if the draft CRA is approved as it stands. In that scenario Euractiv must undergo an expensive migration to an alternative technology before the CRA comes into force (possibly early 2025), if a compliant alternative exists at all, and at an affordable cost. Otherwise, Euractiv might attempt to re-host its infrastructure outside the EU and serve its publication from abroad. And in your case? Are you aware of which open source projects the company or institution you work for depends on?

From a broader perspective the proposed CRA leaves an especially bitter aftertaste for how detached from the real economy it reveals the legislator to be, perhaps shedding some light on the sentiment of marginalisation fuelling populist and anti-democratic movements. It is time for the legislator to download the upgrade and enter the twenty-first century. Protecting citizens from cyber-threats is certainly possible without damaging the software ecosystem. The time has perhaps come for a bottom-up approach to legislation, with civil society invited to initiate the drafting process. If there is a community versed in creation through compromise, it is precisely that of open source.

by Oui (Oui) on Sun Oct 15th, 2023 at 04:19:55 PM EST
Standing On the Edge

We're standing on the edge
The edge of time
And it is dark, so dark on the edge of time

'Sapere aude'
by Oui (Oui) on Sun Oct 15th, 2023 at 04:26:43 PM EST
Hi Luis! Important questions...

I'm in IT, and most of the applications I work with (working for a subcontractor to a major public utility) are built largely or entirely from open-source components.

I haven't followed the issue, but it's a worry. I imagine it's one more case of lobby capture: such a model of liability would necessarily favour the bigger IT service providers as contractors to supply software and services, because (only) they are big enough to have any chance of covering most of the technical vulnerabilities that open product providers to liability under this new model, and are big enough to absorb liability without being broken by it.
So I imagine it's the big European IT companies and their lawyers who have written the proposed legislation.

A couple of nuances:
What is a product? The model in IT these days is in service provision. If you have an IT need, you are encouraged to subscribe to a service rather than to buy a product. If the CRA exempts services and applies only to products, then it threatens smaller software publishers and favours all service providers, regardless of size.

It is rightly acknowledged that people of faith have no monopoly of virtue - Queen Elizabeth II

by eurogreen on Tue Oct 17th, 2023 at 01:58:28 PM EST
This amendment proposed by the Council (from Oui's link above) seems to acknowledge the product/service distinction:

this Regulation should only apply to free and open-source software that is supplied in the course of a commercial activity. Products provided as part of the delivery of a service for which a fee is charged solely to recover the actual costs directly related to the operation of that service [...] should not be considered on those grounds alone a commercial activity.

A contributor to that discussion clarifies:

SaaS[Software as a Service] is NOT covered. The CRA defers to a new, yet-to-be-written, similar Regulation or Directive. That Regulation/Directive will be similar in spirit to the CRA.

This bunch of reactions from various open-source actors (including Microsoft and Huawei!) is very rich too.

It is rightly acknowledged that people of faith have no monopoly of virtue - Queen Elizabeth II

by eurogreen on Tue Oct 17th, 2023 at 03:22:01 PM EST
The lobbyists have definitely been active.  "The CRA defers to a new, yet-to-be-written, similar Regulation or Directive."  Rubbish.  It will never be written.  This entire charade is yet another move to put programmers who create a software product a buyer can actually own at a further disadvantage to those who create a "service" with a subscription the licensee is locked into.
by rifek on Tue Oct 17th, 2023 at 10:45:44 PM EST
There will be very few companies benefiting from this legislation. Microsoft is clearly on the receiving end, as their strategy has evolved around open source since they acquired GitHub [0]. Facebook is another example; their strategy around AI is rooted in open source development. Google obviously, with Android and Chromium.

Oracle and SAP have little to worry about. But they are well established in their markets, I doubt the CRA can have a meaningful impact.

Apple is the only outright beneficiary I can think of. If the draft from the European Parliament is approved, Linux will exit Europe. That means it won't be possible to sell Android phones in Europe anymore.

[0] The fate of code forges like GitHub is one of the big unknowns.


by Luis de Sousa (luis[dot]de[dot]sousa[at]protonmail[dot]ch) on Tue Oct 24th, 2023 at 09:26:13 AM EST
