The European Cyber Resilience Act

Posted Sep 25, 2023 16:13 UTC (Mon) by pizza (subscriber, #46)
In reply to: The European Cyber Resilience Act by Wol
Parent article: The European Cyber Resilience Act

> Liability needs to start at the point a "manufacturer" includes this stuff in a PHYSICAL product. Because it's at that point the RISK also really starts.

So in other words, Microsoft will face zero liability for defects found in Windows, as long as they don't supply any hardware.
And hardware makers face zero liability as long as it's the end-user that installs the software.

>Who cares if my pet project is vulnerable as hell? So long as it's just me, it's the same liability as the lone inventor tinkering in his shed with things like gas bottles. Any disaster will be localised, and I'll bear the brunt of it.

Are you really sure that you don't care that you "bear the brunt of it"? After all, we're talking about potential financial ruin here, with no upside.

> (Oh, and I don't think pizza needs to worry about manufacturers saying "go download this software from over there". If the product needs the software to function, and the software malfunctions, that's "not fit for purpose", which brings a world of hurt on its own.)

Are you sure about that? That just means the hardware "purpose" will get dialed way back until all it's legally "fit" for is along the lines of "it takes up space, blinks a couple of lights, and won't electrocute you." And if you want it to do anything more, you'll have to look elsewhere for the software. Not unlike today when you can buy a motherboard or even a complete barebones PC without any OS. It's no longer a "complete product" but a "kit" that requires the user to assemble or otherwise complete. And the user bears all responsibility for the consequences.

to post comments

The European Cyber Resilience Act

Posted Sep 25, 2023 17:17 UTC (Mon) by farnz (subscriber, #17727) [Link]

Liability starts at the point something is included in a physical product today. The point of the CRA is to push liability backwards down the chain until either you get to a creator, or you leave the world of commercial relationships, and to add liability for things that occur "in cyberspace".

So, in a CRA world, Microsoft is liable for defects in Windows, because you can't get Windows legally via any route other than a commercial deal with Microsoft. Similarly, hardware makers are liable for the software they include with the hardware, and for ensuring that the hardware is supplied with sufficient software to make the hardware useful for the claimed purposes of the system. This means that if I sell you a "car", it's got to function as a car - and if you have to install software to make it function as a car, then I'm required to bundle that software with the car (and thus be liable for it). I could sell you a "kit of parts" that you need to assemble, but then I can't do anything that might make you think I'm selling you a car, just a set of parts that don't work for any purpose.

Similarly, in the CRA as it currently stands, me putting my pet project up on GitHub, or publishing it on my website, or selling tapes with the source code on at the cost of the tape plus shipping, does not make me liable for flaws in it. Only the selling tapes is a commercial transaction, and the CRA as it stands has an exception where I'm doing that at cost. If it's awful, and blows up in my face because it's so vulnerable, that's my problem to deal with - I'm liable for the damage my systems do, and it's my code on my systems. But because you have no relationship with me that would make me liable to you for flaws in my code that I gave away for free, without so much as a service contract, if you take a copy of my code and run it, you're still liable for the damage your systems do, and you don't have a relationship that lets you push that liability back to me.

The European Cyber Resilience Act

Posted Sep 25, 2023 17:50 UTC (Mon) by Wol (subscriber, #4433) [Link] (3 responses)

> > Liability needs to start at the point a "manufacturer" includes this stuff in a PHYSICAL product. Because it's at that point the RISK also really starts.

> So in other words, Microsoft will face zero liability for defects found in Windows, as long as they don't supply any hardware.
And hardware makers face zero liability as long as it's the end-user that installs the software.

So maybe I shouldn't have said "physical". I think MS is a manufacturer and Windows is a "product placed on the market" according to the Blue Book, so as things stand they're liable. And are you sure you don't want things to change? Because that could kill MS' pre-installed monopoly just like that, so that actually could be a good thing. It would mean all of a sudden people would start installing linux left right and centre because they would see the real cost of Windows. :-)

> >Who cares if my pet project is vulnerable as hell? So long as it's just me, it's the same liability as the lone inventor tinkering in his shed with things like gas bottles. Any disaster will be localised, and I'll bear the brunt of it.

> Are you really sure that you don't care that you "bear the brunt of it"? After all, we're talking about potential financial ruin here, with no upside.

And that's different to the current situation how? Given the current propensity of Americans to sue anybody (including foreigners) for anything, I think having a rich American take a dislike to you will leave you facing potential financial ruin whether you're a saint or a devil.

No I'm not downplaying the risks. But life is a game of Russian Roulette, and given that the CRA is a gun that probably won't fire, I've got rather more important things to worry about. Life is a fatal disease, don'cha'no?

> > (Oh, and I don't think pizza needs to worry about manufacturers saying "go download this software from over there". If the product needs the software to function, and the software malfunctions, that's "not fit for purpose", which brings a world of hurt on its own.)

> Are you sure about that? That just means the hardware "purpose" will get dialed way back until all it's legally "fit" for is along the lines of "it takes up space, blinks a couple of lights, and won't electrocute you." And if you want it to do anything more, you'll have to look elsewhere for the software. Not unlike today when you can buy a motherboard or even a complete barebones PC without any OS. It's no longer a "complete product" but a "kit" that requires the user to assemble or otherwise complete. And the user bears all responsibility for the consequences.

And nobody will buy it. Which might be a bloody good thing.

You said something about not being European. Well, Europe doesn't tend to indulge in all these nasty extra-territorial shenanigans that some other countries hint hint like to do. Keep out of Europe, and the CRA can't touch you. Even if it touches your software, the authorities will go after the people who recklessly imported it, not you.

Something I'd like to know. You said the CRA defines you as "offering a product" which makes you a "manufacturer". Where on earth did you find that in the CRA? Because when I was looking, I've mentioned the "Blue Book" before (which someone else here pointed me at), and if you're right and the CRA is trying to redefine the term, I think we're in for a far bigger world of hurt than just computer security. You're looking at this far too much in isolation. As others have said, this interacts with tax law. I've made repeated references to the Blue Book and Consumer Protection legislation.

Yes, there is no upside to being sued. And no there is no defence against some random guy trying to sue you. For ANYTHING. But in any jurisdiction where Equity is important, like the UK, like I suspect most of Western Europe, you'll get off much more lightly than anywhere else in the world.

If some random company sued me under the CRA, my reaction would be to ask the Judge what grounds do they have to sue me, because their suit should be illegal under the slavery acts. So what if that argument doesn't legally fly, if the Judge thinks yes I have a real case, that argument makes sense, said random company is pretty much certain to lose provided I line my ducks up properly. What's worse, they'll probably end up paying for my target practice.

You said your side business enabled you to keep a roof over your head when $dayjob let you down? In other words, your side business saved you from financial ruin? So there's a hell of a lot of historic upside - it's proven it can save you from financial ruin - TWICE. Don't you think a current score of 2-nil says it's worth the risk?

Or are you - like a lot of people actually - so focussed on the pessimistic downside that you'll actually happily ruin your life trying to avoid a possible imaginary disaster? What a STUPID waste.

I can't say there's no risk. But as it says in the Flanders & Swan song ... "here in a nuclear testing ground, is no place to bury your ..." Live for NOW, write PROPERLY DESIGNED software, and try and keep your nose clean. Unfortunately, we all have no control over being dragged into the legal sausage machine, so don't worry about what MIGHT happen (other than to watch out for really stupid laws).

Cheers,
Wol

The European Cyber Resilience Act

Posted Sep 25, 2023 20:55 UTC (Mon) by pizza (subscriber, #46) [Link] (2 responses)

> And are you sure you don't want things to change? Because that could kill MS' pre-installed monopoly just like that, so that actually could be a good thing.

I don't consider it a good thing if it also destroys the ability for F/OSS projects to accept any sort of commercial funding.

>And that's different to the current situation how?

In my documentation, I explictly state: "This free software comes with ABSOLUTELY NO WARRANTY and is licensed under the GNU GPL (v3 or later); see the 'COPYING' file for more details." And later on, "[this software] may have half-developed features that don't quite work, with giant bugs that come out at midnight to eat your cat."

The social contract underpinning this is that I give this software away freely, but at the same time, you have no recompense if it doesn't work. The CRA changes this implicit contract so that you (and everyone else who downloads that software) *do* have grounds to demand recompense, without giving *me* some sort of proportional benefit.

> Well, Europe doesn't tend to indulge in all these nasty extra-territorial shenanigans that some other countries hint hint like to do.

I assume you've heard of the GPDR? That is explcitly extra-terroritoral. This will need to be as well, or it won't be worth the paper it's printed on.

(Meanwhile, my previous two employers were subsidiaries of European companies, and one involved a lot of travel to the EU. My current employer will probably be acquired by an EU company. So I'm probably not going to escape from this without ditching _something_)

> You said the CRA defines you as "offering a product" which makes you a "manufacturer". Where on earth did you find that in the CRA?

There are several blanket exemptions in the CRA for F/OSS activities, but the act of money changing hands eliminates most of them. Accepting donations to cover costs? That's fine, unless that donation is from a recurring corporate sponsor. (which hits quite a few larger F/OSS projects!) Accepting funds for anything other than covering costs, eg a feature or bug bounty? You're now commercial. Run an actual business that provides servive, support, and other such things? Bingo! It doesn't matter if the money is for software or services, if it's directly related, or even _how much_ revenue you take in that's related to that software. It only matters that you're conducting some sort of commercial activities while providing software, which makes you into a manufacturer with obligations enforced with massive punitive penalties.

The European Cyber Resilience Act

Posted Sep 25, 2023 21:59 UTC (Mon) by kleptog (subscriber, #1183) [Link]

> The CRA changes this implicit contract so that you (and everyone else who downloads that software) *do* have grounds to demand recompense, without giving *me* some sort of proportional benefit.

Eh, no. You're talking about liability and you can only have product liability with respect to someone you have a direct commercial relationship with. Just because you receive some money from someone, doesn't mean suddenly you suddenly have a commercial relationship with everyone in the world. If you don't want to provide any warranty, that's fine. Just tell them that any version not the latest may have security bugs and they must upgrade immediately when there's a bugfix. As an open-source project this is trivial to arrange.

> That's fine, unless that donation is from a recurring corporate sponsor. (which hits quite a few larger F/OSS projects!)

The thing is, most F/OSS projects are not delivering a product to market. They're publishing source code, which isn't a product by itself.

> It doesn't matter if the money is for software or services

Ofcourse it matters. Services are not covered by the CRA, products are. The normal approach with F/OSS is that the software is free and the services are not. So the software is delivered non-commercially as open-source download, together with commercial services. It's probably a good idea to make that clear in your contract.

Now, the Apache Project selling OpenOffice online, that sounds like it might be a problem. Isn't that supposed to be super buggy?

The European Cyber Resilience Act

Posted Sep 25, 2023 21:59 UTC (Mon) by Wol (subscriber, #4433) [Link]

> > Well, Europe doesn't tend to indulge in all these nasty extra-territorial shenanigans that some other countries hint hint like to do.

> I assume you've heard of the GPDR? That is explcitly extra-terroritoral. This will need to be as well, or it won't be worth the paper it's printed on.

Extra-territorial in what sense? How is the EU going to prosecute an American company, or American people? They can prosecute them if they are based in the EU. And it's the EXPORT of the data that matters. (Which is why and how American companies get clobbered, if they export the data of the European employees / customers.) And even for American companies like Google, they are operating in the EU, therefore they have to abide by European law.

In order to break the law, you HAVE to be in possession of personal data belonging to Europeans.

It's like some British sexual abuse laws - they apply to all Brits, no matter where the offence took place. But you need that connection with Britain.

This is very unlike America, where they will extradite Brits for doing stuff - in Britain - that is perfectly legal under British law.

> (Meanwhile, my previous two employers were subsidiaries of European companies, and one involved a lot of travel to the EU. My current employer will probably be acquired by an EU company. So I'm probably not going to escape from this without ditching _something_)

> > You said the CRA defines you as "offering a product" which makes you a "manufacturer". Where on earth did you find that in the CRA?

> There are several blanket exemptions in the CRA for F/OSS activities, but the act of money changing hands eliminates most of them. Accepting donations to cover costs? That's fine, unless that donation is from a recurring corporate sponsor. (which hits quite a few larger F/OSS projects!) Accepting funds for anything other than covering costs, eg a feature or bug bounty? You're now commercial.

> Run an actual business that provides servive, support, and other such things? Bingo! It doesn't matter if the money is for software or services, if it's directly related, or even _how much_ revenue you take in that's related to that software. It only matters that you're conducting some sort of commercial activities while providing software, which makes you into a manufacturer with obligations enforced with massive punitive penalties.

But here you are taking *payment*, YOU HAVE A CONTRACT, because you have a mutual exchange of money for agreed benefits. Whereas if you were taking donations, where on earth does it say that's a commercial relationship? If there's no goods or services agreed going in the other direction, how on earth are they going pin anything on you.

And you STILL haven't pointed at where - in the draft CRA - all this stuff is. Is it because it isn't actually there?

I still can't believe the CRA is trying to redefining the meaning of "commercial transaction" or "offering a product". And if it isn't, then most of what you're worried about is scaremongering.

Cheers,
Wol