Open Source Community Unites to Build EU CRA-Compliant Cybersecurity Processes (apache.org)
73 points by transpute 10 days ago | 73 comments

In case anyone is interested: The EU did publish the draft "standardization request" recently https://ec.europa.eu/docsroom/documents/58974

This is the request which will allow the three European standardization organizations (CEN, CENELEC, ETSI) to draft the required 41 standards for the Cyber Resilience Act (CRA). See page 17 and following for the list.

To participate in the standardization you have to be part of a "national body" and they will "send" you to participate in EU standardization. I know no one from my FOSS circles who has any experience there, as most relevant standards for us are written outside of these organizations (W3C, IETF etc.)

So we're currently trying to get an official seat at the table via the established ways (e.g. DIN in Germany, https://standards.cencenelec.eu/dyn/www/f?p=CEN:5 see this for your own country).

If you are interested in this please send me an email, we're trying to put together a guide on how to engage in "official" standardization efforts as Open Source people.

The effort from this blog post is (amongst other things) trying to establish a whole new way of engaging with the EU. We need both approaches.


I'd like to give my comments on the new standards, but I'm never going to be chosen to be part of an elite squad of standards-writers. Is there any chance of the standards developing more in the open, with a community in addition to the committee?

It is not so much an elite squad as a bunch of people willing to pay the entrance fee and to commit their time. The exact requirements depend on the country you're in though. So if that is your only concern but you are willing to spend time, feel free to reach out.

About your actual question: The answer is "not really" no. ETSI has a way to adopt existing standards: https://www.etsi.org/images/files/ETSI_PAS_Process_Guide.pdf But CEN and CENELEC (which are probably relevant here) do not.

The effort from the blog post is partially about a long term plan to get the EU to change this. But in the short term it'll be hard to change the rules in time for the CRA standards.


My only fear is that every vendor will now have to implement secure boot and other mechanisms in order to make sure that only signed software runs on their devices, while providing no way for the customer to take ownership of the device back, so that they can run their own software.

I really hope that we eventually get a mandate so that every device that requires an internet connection for any and all features will also have to allow the customer to overwrite and use their own software, in case they have to make any software/security repairs themselves.


Strict launch integrity (unlike "secure boot") depends on a customer-defined root of trust. OpenCompute (OCP) Caliptra is an effort by hyperscalers to enforce a platform root of trust with OSS firmware, mandating dual signature by server OEM and hyperscaler customer. The platform RoT is responsible for validating device firmware and OS boot.

https://www.youtube.com/watch?v=p9PlCm4tLb8&t=2764s

> Often we see.. great security.. compromised by other great ideas for mgmt and other things.. starts to weaken its security posture.. want to keep Caliptra very clean [via OSS firmware transparency]

Separately, AMD has promised OpenSIL open firmware by 2026, https://www.phoronix.com/news/AMD-openSIL-Detailed

Isolation architectures like pKVM on Android can run banking or wallet applications in a security-controlled VM, alongside arbitrary user-defined VMs. In contested environments, both security and the freedom to innovate are necessary to survive an arms race with a competent adversary.


Personally, I have more trust in open source software than anything the vendor puts on their devices. But very often either only the vendor software is allowed to run, or you have to disable secure boot to run your own software, weakening your security.

So I would like to have a process where the actual end-user and owner of the device is the root of trust, and then transfers that trust to the vendor software or to their own software if they so choose, instead of having the manufacturer, vendor or some agency be the root of trust. Of course, it can come with a sensible setup, where the vendor is already trusted, but that trust should always be revocable.

There should also be a way to remove or transfer the ownership to another person, if the device is sold.

IIUC, OpenTitan is implementing this: https://opentitan.org/book/doc/security/specs/index.html

pKVM goes in a different direction, where the software that is run does not trust the host system, which IMO is not very nice. Trust is something that goes both ways and needs to be earned; if I put trust in a piece of software and install it on my system, then I assume that the software also trusts me. If the software doesn't trust me, why should I trust it?

If there is no trust between us, then it should not run on my system but on someone else's, and let me communicate with it via a well-defined API we can both trust.
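The dual-signature launch-integrity policy described a few comments up (server OEM and customer both sign, the platform RoT validates the image) and the owner-as-root-of-trust model in this comment (vendor trust is revocable, ownership is transferable on resale) can be sketched as one small verifier. The block below is an added example written for this page; it is not Caliptra, OpenTitan or any other project's code. It uses Lamport one-time signatures from the Python standard library purely so it runs offline (a real RoT would use ECDSA or a stateful hash-based scheme such as LMS/XMSS), and the manifest fields `image_sha256`, `revoke_oem` and `next_owner` are assumptions of this example, not any specification.

```python
import hashlib
import json
import os

# Lamport one-time signatures over SHA-256, pure stdlib. Each key signs exactly
# ONE message, so every principal below uses a fresh key per signed object.
# A real root of trust would use ECDSA or a stateful hash-based scheme (LMS/XMSS).
def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    n = int.from_bytes(sha256(msg), "big")
    return [(n >> (255 - i)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        sha256(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))

def key_id(pk) -> str:
    # What the RoT actually stores (think fuses): a digest of the public key, not the key.
    return sha256(b"".join(a + b for a, b in pk)).hex()

class RootOfTrust:
    """Boots an image only if the OWNER authorises it, and additionally the OEM
    while the owner still trusts the OEM. The owner can revoke the OEM and hand
    the device to a new owner; both changes ride inside an owner-signed manifest."""

    def __init__(self, oem_pk, owner_pk):
        self.oem_id = key_id(oem_pk)      # vendor anchor, revocable by the owner
        self.owner_id = key_id(owner_pk)  # owner anchor, transferable by the owner
        self.require_oem = True

    def verify_boot(self, image, manifest, owner_pk, owner_sig, oem_pk=None, oem_sig=None):
        # 1. The manifest must come from the current owner anchor.
        if key_id(owner_pk) != self.owner_id or not verify(owner_pk, manifest, owner_sig):
            return False
        m = json.loads(manifest)
        # 2. The manifest must bind exactly this image.
        if m.get("image_sha256") != sha256(image).hex():
            return False
        # 3. While OEM trust is in force, the OEM must have signed the image too.
        if self.require_oem:
            if oem_pk is None or key_id(oem_pk) != self.oem_id or not verify(oem_pk, image, oem_sig):
                return False
        # 4. Owner-authorised policy changes apply only after a successful verification.
        if m.get("revoke_oem"):
            self.require_oem = False
        if m.get("next_owner"):
            self.owner_id = m["next_owner"]
        return True

def make_manifest(image: bytes, **policy) -> bytes:
    # Hypothetical manifest format for this example: image digest plus optional policy keys.
    return json.dumps({"image_sha256": sha256(image).hex(), **policy}, sort_keys=True).encode()

def demo() -> dict:
    """Dual-signed boot, resale (ownership transfer), OEM revocation, replay/tamper rejection."""
    oem_sk, oem_pk = keygen()
    o1_sk, o1_pk = keygen()   # first owner
    o2_sk, o2_pk = keygen()   # buyer after resale
    o3_sk, o3_pk = keygen()   # buyer's next one-time key
    rot = RootOfTrust(oem_pk, o1_pk)
    r = {}

    img1 = b"firmware image v1 (constructed)"
    man1 = make_manifest(img1, next_owner=key_id(o2_pk))   # boot this image, then hand over
    r["boot_dual_signed"] = rot.verify_boot(img1, man1, o1_pk, sign(o1_sk, man1), oem_pk, sign(oem_sk, img1))
    r["owner_transferred"] = rot.owner_id == key_id(o2_pk)
    r["old_owner_replay"] = rot.verify_boot(img1, man1, o1_pk, sign(o1_sk, man1), oem_pk, sign(oem_sk, img1))

    img2 = b"firmware image v2 (constructed)"
    man2 = make_manifest(img2, revoke_oem=True, next_owner=key_id(o3_pk))
    r["tampered_image"] = rot.verify_boot(img2 + b"!", man2, o2_pk, sign(o2_sk, man2), oem_pk, sign(oem_sk, img2))
    r["boot_then_revoke_oem"] = rot.verify_boot(img2, man2, o2_pk, sign(o2_sk, man2), oem_pk, sign(oem_sk, img2))

    img3 = b"owner-built image (constructed)"   # e.g. a self-built router image, no OEM signature
    man3 = make_manifest(img3)
    r["owner_only_boot"] = rot.verify_boot(img3, man3, o3_pk, sign(o3_sk, man3))
    return r

if __name__ == "__main__":
    print(demo())
```

The order of the checks is the security-relevant part: policy changes (revocation, transfer) only take effect after the whole image has verified, so a tampered image cannot smuggle in a new owner, and a stale manifest from a previous owner is rejected because the anchor already moved.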


Panic NOT :) There is still retro computing move...

Why not both? Build an open future on the expensive lessons of past hardware.

Yeah, I plan on trying to keep my existing stuff, that allows me to put my own software on it, alive as long as possible.

But it would be sad if I could no longer just buy a new off-the-shelf router and install OpenWrt on it.


Yeah, I hope it won't happen like this. Unfortunately, I'm kinda pessimistic on this one :(

Since this regulation is happening, necessary and welcome, it's good to see some of the most respected FOSS groups taking the lead. Hopefully many others representing smaller development communities will join the Eclipse initiative. I would characterise "Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation" as BigFOSS. :) Joe Hacker also needs a seat at this table.

> establishment of common specifications for secure software > development based on existing open source best practices.

The problem with "best practices" is that there are always better practices. Hopefully this group doesn't ossify around "best practices" that are already out of date but becomes research focused. To be blunt, the problem is not that "best practices" are never followed, but that we have about 30 years of technical security debt to catch up with.

This foundation is also going to be a money pit, because it needs to help other developers. It cannot rule, dictate or enforce anything. Since most European devs are going to want to join in, it's going to be paying out for conferences, education, development grants and T-shirts. It'll need a pipeline of money from EU and commerce - and there's the danger of corruption.


> Joe Hacker also needs a seat at this table.

Any suggestions on organizations? These come to mind, but there must be others.

Free Software Foundation, https://www.fsf.org/

NLnet, https://nlnet.nl/project

SPI, https://www.spi-inc.org/projects

Software Conservancy, https://sfconservancy.org


There's no shortage of EU-based NGOs focusing on tech advocacy. Any of these would fit right in: https://edri.org/about-us/our-network/?organisations-status=...

Whether they'd have something to contribute with their resources is a completely different question.

A bit of a tangent: FSF has a separate legal entity within the EU (https://fsfe.org/) which is (IMHO) way better at advocating than its American counterpart. There's also FSFI (India) and FSFLA (Latin America), but I'm unfamiliar with their work.


> I would characterise "Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation" as BigFOSS

While the names cited are associated with long-standing, well-recognized projects, it strikes me as odd to include the Rust Foundation here. Not only is the language itself still relatively new and used in few real life projects, but the foundation is very new (2021).

Moreover, looking at its last annual report, it spent half of its budget (1.5M$) on "membership & admin". It seems like the true action of this foundation is to beg money from big corps and give it to a few selected members.


Here's[0] a breakdown from the foundation on that budget category. They also commit to breaking it down better in the future:

  Salaries, benefits, payroll taxes, payroll service provider fees: $1.17m  
  Travel, event sponsorship, & support: $192k  
  Legal and Professional Fees: $66k
  Fund transfer to the Grants Program from membership fees: $40k
  Fund transfer to the Specification work from membership fees: $20k
  Marketing: $36k
  General Admin: (software, bank fees, meeting rooms, etc.) $20k
It's mostly salaries. They employ four engineers (software, security, infrastructure) that work on Rust, who they pay "at or above the average in their local market."

[0]: https://rust-lang.zulipchat.com/#narrow/stream/335408-founda...


I guess the foundations are hyped because the CRA basically forces companies to pay for the security of OS projects (and the foundations are trying to be the main receivers of that money). But in the end the OS ecosystem becomes much more secure.

Otherwise, to all the SV dudes complaining about the over-bureaucracy: how do you improve software security? The only alternative I can think of is that the government pays for the security. For me that's a worse solution.


"Hyped" is not the word I'd use. Most of us are or were concerned and it took a lot of long meetings to even move "us" out of the category of "software manufacturer" and into a new category of "steward" which is currently not well defined.

Also not hyped because the required standards are written at the EU level and there is no established process for foundations to participate in these standards.

So it's more like: Trying to do the best with the cards we've been dealt.

I agree with everything else you're saying.


Suppose that applies to your open source because you are using a commercial split license and / or providing premium support or otherwise clearly commercialising the activity.

If you comply with all the CRA requirements (whatever they are) but the (free) USER of your software (user, not customer) gets hacked because of a security hole in one of your dependencies (that was not known) or a security hole in your own code (after all, is it possible to create something bulletproof) - are you liable for damages and what does it mean exactly in practice?

How does it differ from a situation where you offer proprietary software free of charge as a commercial activity? Can the right EULA protect you from receiving such damages? In other words, does it make the well-known "THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND..." license even worse from the liability standpoint than a proprietary license agreement?

Would it not even invalidate those licenses since the license text cannot comply with the law? This is a big blow to open source. It does not matter whether it's monetised or not, open source is open source. They are messing with the definition. And to achieve what effect? The biggest cybersecurity problem that dwarfs all others combined and one that especially governments should worry about is the fact that memory vulnerabilities are everywhere, everything from the OS, the web browser and most popular GCed language interpreters are built on C++. And someone as determined as the people behind xz could probably bypass this regulation, if it could be of any help (obstacle to the attacker) at all in the first place.

It does potentially shut down a project I have considered commercialising (like, I may release, as "hobby open source" and dump it because I otherwise have no incentive to give my free time). If for every paying customer I am to be liable for 100 - 1,000 non-paying users, no thanks. Maybe I would not do it anyway, I have something else in sight, but I was very serious to experiment with it since I have most of it built anyway and it's just this opportunity to try it out as a side gig for a couple years, taken away by some bureaucrats. I have yet to do some more research on this (check my question in the second paragraph) but it does not sound like fun.


I'm thinking about Max Gergel's Isopropyl book, and how in the 1960s they basically threw dangerous chemical waste out the window or buried it after a fire, scarring a kid.

That's the state of our industry today. In some ways, Open source seems among the better students of the class. In other ways, Open source is like a million people each contributing a few parts to a society critical factory, nobody noticing how big we grew. Of course that makes people uneasy.

I think something like this is unavoidable. How to get the max impact with minimal overhead is the most important discussion now, so I applaud apache's initiative.


Am I getting older? On a modern display... reading that text is awful. Had to zoom it to 150%. At 'default' it's damn near 'fuzzy' looking. Apache, omg, use a readable font and size for goodness sake.

It's text size 14px + a relatively thin font + a font with "serifs" + #404040 instead of black, which is a gray that looks black but is 25% white.

I.e. thin small text of a font type which is well known to yield less good results on screens with unnecessary low contrast == bad UX.

Sadly, way too many people today assume in their choices (sometimes without realizing it) that everyone has a MacBook-level HiRes OLED display and good eyesight, where this should still look quite fine (the contrast is better due to the screen, the font might look wider due to not using traditional sub-pixel anti-aliasing, and the serifs aspect is less "bad" on high resolution displays).

But if you display it on a 1080p IPS display (assuming it's a decent 1080p IPS display) it will not be a very pleasant experience, in a very subtle way, due to lower contrast, potentially thinner text and serifs in general leading to decreased readability on non-HiRes screens (hence why for years the general recommendation was not to use them for digital content).


If something is less readable on your modern display than on an older display then the problem is with your modern display not the website.

In other words: Turn on display scaling instead of expecting every website to increase the font size.


Fine on android firefox.

Also fine on "modern display" on firefox on linux. 27" 2560x1440, framework laptop 13" 2256x1504. Desktop at native resolution.

That’s what reader mode is for (I had the same reaction).

At this stage there's only a few websites where I'd like reader mode off, really. It removes a lot of advertising, bypasses cookie modals, doesn't execute a lot of javascript, etc etc.

I wonder how long before we get browsers that run in readability mode first and foremost? O:-)


Slightly off topic, but this is potentially a disaster for desktop apps and anything not SaaS. Correct me if I am wrong, but the law requires providing 5 years of security updates for apps. Some apps can leverage models such as "use it forever, but you only get updates for a certain time without renewing". That allows companies *that ship apps where you can own your data* to use a yearly subscription model and remain profitable. Now the desktop app vendor will be required to support users 5 years back, possibly shipping multiple builds (legacy versions with security updates and a new version with features). Meanwhile the SaaS vendor charges a monthly fee and only has to care about security for the period of the subscription. I wonder how JetBrains is going to deal with that; I am pretty sure that their perpetual fallback is not updated for 5 years. But it's a big company; a small startup wanting to ship a desktop app will cry and, despite the best intentions, may as well change direction to ship SaaS... The act provides the incentive to enshittify everything.

Meanwhile, US reduced funding for the NVD database that the software world depends upon for vulnerability analysis, https://nvd.nist.gov/general/news/nvd-program-transition-ann...

  NIST maintains the National Vulnerability Database (NVD), a repository of information on software and hardware flaws that can compromise computer security. This is a key piece of the nation’s cybersecurity infrastructure. There is a growing backlog of vulnerabilities submitted to the NVD and requiring analysis. This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.
March 8th analysis by Linux Foundation's OpenSSF, https://www.securityweek.com/cve-and-nvd-a-weak-and-fracture... & https://www.linkedin.com/posts/netriseinc_cve-vulnerabilitym... (graph)

> Starting February 12th, thousands of CVE IDs have been published without any record of analysis by NVD. Since the start of 2024 there have been a total of 6,171 total CVE IDs with only 3,625 being enriched by NVD. That leaves a gap of 2,546 (42%!) IDs.

Private/paid offerings? https://www.darkreading.com/vulnerabilities-threats/nist-nee...

> NIST is going to open up the program to a consortia of vetted organizations from the industry in order to deal with the backlog of vulnerabilities that need to be analyzed.. Budget cuts happening for the first time in a decade.. hopefully a pivot to a private-public sector partnership can be reached quickly to scale up the program

OSS alternative to paid offerings? April 2024 open letter from Yocto, https://github.com/yoctoproject/cve-cna-open-letter/blob/mai...

  Processes/tooling to easily allow CNAs to adopt enhancements to CVEs would also encourage improving the data, ideally as easy as something like a GitHub pull request. We, as projects that need to respond to security issues, could all do things in our own ways. Many of us have open source backgrounds and realise the power of collaboration and would much prefer to work together and build something none of us alone could achieve. We need the tools, processes and core support from the CVE project to make it happen.
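The 42% gap quoted above counts CVE records that NVD has published but not enriched, i.e. no NVD-assigned CVSS score, CWE or CPE configuration yet. That matters operationally because CPE-based scanners cannot match such a CVE to an SBOM until the configuration data exists, even though the CNA may already have supplied a score. The block below is an added example, not code from NVD, OpenSSF or the Yocto project: it computes the same kind of gap over a constructed sample in the shape of the NVD 2.0 CVE API JSON (the CVE IDs are deliberately non-real placeholders), using the `vulnStatus` values NVD publishes, and separately flags records where only a CNA supplied a CVSS score so they can still be triaged by severity.

```python
import json
from collections import Counter

# Statuses NVD assigns after its own analysis; anything else is "published, not enriched".
ENRICHED_STATUSES = {"Analyzed", "Modified"}

def enrichment_report(payload: str) -> dict:
    """Summarise an NVD 2.0 /rest/json/cves/2.0-style response.

    Returns total/enriched/gap counts, the gap as a percentage, a per-status
    breakdown, the unenriched IDs, and which of those at least carry a non-NVD
    (CNA) CVSS score: triageable by severity, but not CPE-matchable yet."""
    data = json.loads(payload)
    by_status = Counter()
    unenriched, cna_scored = [], []
    for item in data.get("vulnerabilities", []):
        cve = item["cve"]
        status = cve.get("vulnStatus", "Unknown")
        by_status[status] += 1
        if status in ENRICHED_STATUSES:
            continue
        unenriched.append(cve["id"])
        # metrics is keyed by version (cvssMetricV31, cvssMetricV40, ...); each entry names its source.
        sources = {m.get("source") for entries in cve.get("metrics", {}).values() for m in entries}
        if sources - {"nvd@nist.gov"}:
            cna_scored.append(cve["id"])
    total = sum(by_status.values())
    gap = len(unenriched)
    return {
        "total": total,
        "enriched": total - gap,
        "gap": gap,
        "gap_pct": round(100.0 * gap / total, 1) if total else 0.0,
        "by_status": dict(by_status),
        "unenriched": unenriched,
        "cna_scored_only": cna_scored,
    }

# Constructed sample. The IDs use a fake year (0000) so they cannot be real CVE records.
def _rec(cve_id, status, cvss_sources=(), with_cpe=False):
    cve = {"id": cve_id, "vulnStatus": status, "metrics": {}}
    if cvss_sources:
        cve["metrics"]["cvssMetricV31"] = [
            {"source": s, "type": "Primary" if s == "nvd@nist.gov" else "Secondary",
             "cvssData": {"version": "3.1", "baseScore": 7.5}} for s in cvss_sources]
    if with_cpe:
        cve["configurations"] = [{"nodes": [{"operator": "OR", "negate": False,
            "cpeMatch": [{"vulnerable": True,
                          "criteria": "cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*"}]}]}]
    return {"cve": cve}

SAMPLE = json.dumps({"resultsPerPage": 5, "startIndex": 0, "totalResults": 5, "vulnerabilities": [
    _rec("CVE-0000-0001", "Analyzed", ("nvd@nist.gov", "cna@example.org"), with_cpe=True),
    _rec("CVE-0000-0002", "Modified", ("nvd@nist.gov",), with_cpe=True),
    _rec("CVE-0000-0003", "Awaiting Analysis", ("cna@example.org",)),  # CNA score, no NVD data yet
    _rec("CVE-0000-0004", "Awaiting Analysis"),
    _rec("CVE-0000-0005", "Received"),
]})

if __name__ == "__main__":
    print(json.dumps(enrichment_report(SAMPLE), indent=2))
```

Pointing `enrichment_report` at a real page of the NVD API for the CVEs in your own dependency list tells you how much of your vulnerability matching is currently blind; the `cna_scored_only` list is the part you can still prioritise by hand while waiting for enrichment.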

Part of the problem is people who write up CVEs simply to get them on their resume. ("Curriculum Vitae Enhancement"?)

The SQLite maintainers refuse to engage with the CVE process, partially for this reason:

"While the original idea being CVEs is sound, the current processes for creating and managing CVEs are inadequate. There are countless grey-hat hackers running fuzzers against a wide-variety of open-source software products (SQLite as well as many others) and writing up CVEs against any problems they find. The grey-hats are rewarded, sometimes with prestige and sometimes financially, by the number and severity of the CVEs they write. This incentive results in a proliferation of CVEs which are often not well-vetted and which can have exaggerated impact claims. The quality-control procedures for CVEs are unable to cope with this flood of inputs, making it difficult to correct exaggerated, misleading, omitted, or inaccurate claims."

- https://www.sqlite.org/cves.html


> CVEs which are often not well-vetted and which can have exaggerated impact claims

Hence the Yocto letter calling for approved tools to help the OSS community decentralize vetting.


This just further incentivises over-regulatory EU to keep making burdensome regulation that slows down innovation for everyone.

It is better for open source projects to just pass a license claiming, software is not available for free in EU and to make EU companies pay sky high fees to use the software that is freely available for everyone else.

That way EU bureaucrats will stop trying to be the World Police without paying the price that USA has to pay to keep its global influence (like funding military of other nations while americans die in hospitals, in homelessness , intentionally making american exports disadvantageous just to keep its global reserve currency status, etc).

It is absolutely insane to me how the EU thinks it can decide what charging port everyone should use (USB-C), cookie banners for everyone, the GDPR nightmare for everyone, and now this new government rule on open source contributors being held liable for security breaches.

Absolutely crazy. They just want free lunch while trying to control everyone and everything.


CRA requires integrators of open source components to perform their own due diligence. Open Source contributors are not held liable for security breaches. In fact this regulation will probably increase investment in open source projects because companies are obliged to share vulnerabilities they have discovered including any relevant patches they might have developed.[1]

[1] https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-f...


That exemption only covers non-commercial open source. Anyone who monetises the open source project (e.g. by offering related consultancy or hosting business, or offering the code under a commercial license as well) is still liable.

It only covers pure hobby projects by pure hobby developers.


It doesn't only cover pure hobby projects:

> (10c) the mere fact that an open-source software product receives financial support by manufacturers or that manufacturers contribute to the development of such a product should not in itself determine that the activity is of commercial nature.

> (10) Accepting donations without the intention of making a profit should not be considered to be a commercial activity.

> (10c).. for the purpose of this Regulation, the development of products qualifying as free and open-source software by not-for-profit organisations should not be considered a commercial activity as long as the organisation is set up in a way that ensures that all earnings after cost are used to achieve not-for-profit objectives.

See https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-f...


More than hobby, you are correct. I should have said "completely unrelated to commercial activity"

That is still a problem: https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-f...

> the mere fact that an open-source software product receives financial support by manufacturers or that manufacturers contribute to the development of such a product should not in itself determine that the activity is of commercial nature.

That just means that a business can donate to a non-profit project. Such a business would still need to not profit from the project in anyway. Why would a business help develop something it does not profit from?

> for the purpose of this Regulation, the development of products qualifying as free and open-source software by not-for-profit organisations should not be considered a commercial activity as long as the organisation is set up in a way that ensures that all earnings after cost are used to achieve not-for-profit objectives

So again, an organisation can, provided it makes no profit.

These are very narrow exemptions.


To be clear "related consultancy or hosting business" is still commercial.

The notion of "accepting donations without the intention of making a profit" seems insane, too.


The idea is that you can accept donations to cover the costs, but not beyond that.

So an organisation can pay developers to work on it, cover hosting costs etc., but they have to be careful not to accept donations for more than that. A non-profit can accept more provided it is used for the right objectives.

I have no idea (neither does the author of the article) where that leaves an individual developer who accepts donations to cover the value of their time.


If I offer a product under both open source and commercial license, and then someone uses an open source version without paying me anything, neither for the license nor consultancy, am I liable for damages?

As far as I can see you are. You are developing it with a view to making a profit:

https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-f...


Not liable

This is just the final draft, this was not their intention before. They wanted to hold opensource devs legally liable before. Only after several months of backlash, lobbying and bad PR, they changed it into that.

They will most likely bring that clause back in a few years after the current bill is passed. Once they realise that their current law is essentially subsidizing security of the whole world, by making only EU businesses pay for it.

Laws like this should only be applied to billion dollar companies not small businesses or startups. It just hurts EU innovators while benefiting everyone else.

Laws don’t matter, they almost always sound sweet in decent governments like EU. What effects those laws cause in the real world when accounting for all players in the market matter a lot more.

And this law will yet again benefit non-EU startups while hurting EU startups.


I recommend actually reading the CRA[1]; the requirements for non-critical software are easy to follow. If your product does not fall into the categories described in Annex III you are making non-critical software.

The requirements are described in Annex IV, V and VI. You must do a conformity assessment and provide a declaration of conformity. For non-critical software you can do the assessment yourself see the first five points in Annex VI. The only thing that maybe requires a bit of effort is that you must write some technical documentation including a cybersecurity risk assessment. For critical software the process is more involved because it requires certification by a "notified body".

If a startup in the EU fails because they have to write a bit of documentation once in a while they deserve to fail. Also if a startup wants to create security relevant software I expect that they follow some security standard and the CRA makes sure of that. None of these requirements are something only a billion dollar company can do.

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...


You could say all of that of other things, e.g. the MDR, where the end result in practice is complete crap. The system of "notified bodies" is commercial bureaucracy with random efficiency. If an agency wants to audit me, just do it. The FDA does, with lower delays than commercial EU notified bodies... (right now the EU is accumulating more and more years of delay on putting medical devices on the market, even locally developed ones)

> They wanted to hold opensource devs legally liable before

No, the legislators hadn't considered open source software at the early stages. Once that gap was realised, there were negotiations and exceptions were carved out.

> It just hurts EU innovators while benefiting everyone else

Believe it or not, but the EU's higher priority is EU people and consumers, not startups. It will be possible to run a startup under CRA, just as it is now possible under GDPR.


> It is better for open source projects to just pass a license claiming, software is not available for free in EU and to make EU companies pay sky high fees to use the software that is freely available for everyone else.

I have been wondering whether it would be possible to add a limitation of liability in line with GPL3 7 a), which allows "Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License", to prevent redistribution that exposes the authors to any liability. It is definitely possible to add an indemnification clause to cover any risk under clause 7 f.


No matter what, it is not possible to override the law with a license. Of course if it is outside your local jurisdiction you can ignore it, but you don't need a license text for that.

If it applies to you it does so regardless of your license. A court would simply rule the terms illegal.

But as others said this will (arguably) only apply to real commercial activity, and in that realm you (usually) cannot disclaim liability anyway.


> No matter what that it is not possible to override the law with a license.

That is not what I am suggesting. I am wondering about ways to not allow people to redistribute in ways that increases your liability. i.e. the law would apply, but the people using it in the way that exposes you to liability would be in breach of copyright.

Sadly, looking more closely at the wording, this cannot be done in a GPL compatible way. Maybe we need new licenses to cover this.

> but as others said this will (arguably) only apply to real commercial activity

Arguably? Maybe, but we need certainty. It does look as though a lot of smaller projects and developers will be at risk here if (for example) they dual license with a paid-for version available, or sell support or consultancy services.


The EU's approach is the result of the industry not advancing enough to self-regulate. Legislation is required to outline the lines we can no longer afford to cross, and we can't turn normal people into tiny cash cows to make the already rich even richer.

GDPR, DSA, DMA and related policy have all been a win for consumers and normal people using electronic services (which is practically everyone). I expect the CRA to bring much needed awareness regarding security and that it's no longer OK to just put together something with spit and chewing gum and let people submit their personal data into it!


"USB-C" -> Good for consumer, I believe.

"cookie banners for everyone" -> cookie banners only if your website is using cookies in a way that needs a cookie banner. There are plenty of sites or web analytics technologies that don't mandate the use of a cookie banner.

"GDPR nightmare for everyone" -> only for companies that intend touse personal data in non-ethical ways (cf. for instance: https://www.iccl.ie/digital-data/europes-hidden-security-cri... ).

"now this new government rule on opensource contributors to software being held liable for security breaches." -> Indeed, that's problematic, specially the way this was (not) discussed with the open source sector. Cf. https://cnll.fr/news/la-france-doit-prot%C3%A9ger-sa-fili%C3... and https://cnll.fr/news/declaration-cra-cyber-resilience-act/ (two texts that I wrote, in French, last year).


"USB-C" -> Good for consumer, I believe

With the same logic EU had tried to make Micro USB mandatory for everyone, it was a very poorly executed charging port which would break often and easily.

If it was made industry standard back then, USB-C would have probably never come along or would have taken much much longer.

The road to hell is paved with good intentions; I doubt any decent government (which the EU is) would pass laws that are bad for its people in the short term.

It’s just that these burdensome regulations backfire in the long term.

The problems with GDPR and Cookie Banner are well documented, it puts EU startups at a disadvantage because of having to pass all regulations before they can innovate and get up from the ground. Regulations like this should not apply to startups, the harm done to economy is far more than harm done to the public.

Or else , EU citizens will forever be left using American Software, driving Japanese cars (EU car makers are in decline), use Chinese and American Robots (Largest German Robot company (KUKA Robotics) sold to China), use Chinese Solar Panels, Korean Phones, etc.

I get what you’re saying, it all sounds sweet and good on paper.

But it ends up being a race where brilliant european minds are running with 20kg weights on their shoes, while other major nations are supplying stimulants for their innovators to win the gold medal.

It’s just the reality of what’s happening, if it continues EU will die a slow and painful death (Saying the truth as a well wisher for europe, they are pro-consumer in great many ways, but they are over regulating and hurting their next generation)


The EU tried making micro USB mandatory only after first asking the industry to cooperate and self-standardize. Legislation was the very last thing tried.

After years of Apple stalling and not cooperating, the EU got fed up and forced them.

GDPR was similar: only after years of abuse by adtech etc., the regulator took action.

Maybe this is a communication mismatch between US and EU culture? EU companies tend to take the hint from the EU and do something before they are forced. US companies say: ...but there is no law forcing me? Then act surprised when said law is written.


> If it was made industry standard back then, USB-C would have probably never come along or would have taken much much longer.

USB-C is a clusterfuck of a connector, and I'm not just talking about the various voltages and how using the wrong cable can fry your equipment. I'm talking about the physical connector itself. See, the USB-C port has a shroud around the outside and a "tongue" in the middle where all the contacts are. The USB-C plug has a shroud which fits into the port's shroud, but inside the plug's shroud are all the contacts which align with the contacts on the tongue. This tongue is fragile, necessitating replacement of the whole port if it breaks or is otherwise damaged. If I am not very careful with my phone's USB-C connector, it can get flaky and make even charging (let alone data transfer) difficult and annoying within a year.

Do you want to see an example of a good design? Look at Apple's Lightning connector, where the fragile tongue is on the more easily replaceable plug, and the port is just the shroud. Meaning my wife just plugs or unplugs her iPhone all the time, never worrying about what kind of damage dirt or lint might cause if it gets into the port or whether inserting or removing the plug too hard might permanently harm the port. It Just Works, every time.

Mandating USB-C just made the connector situation worse for everybody. Mandating an open standard doesn't really help much if it's a shitty standard. It just squelches any improvements a company might make.


I don't have an opinion on this. The female plug always holds the power and the male taps into it. Doing it the other way around is unusual, you get a naked male plug with power on it just dangling around.

While true for clear one-way connections, USB-C is bi-directional or symmetrical.

1. Either side may provide power.

2. USB-C Power Delivery requires a fancy communication and management chip, and there is no power until after a handshake has been negotiated.

So in that case a Lightning-style cable could be OK. (Besides, even with plain USB 2, Lightning already existed for years without a problem.)

But while Lightning-style may be good, F Lightning specifically. The design was good for the reasons stated. Put the weak points in the more disposable part of the system. But for standards purposes I am not interested in any good design that anyone owns.

All in all, lightning is not good. If it's good but you can't use it, then it's not good.


I can't help but think we are stuck with excuses not to have simple replaceable batteries.

MicroUSB was even worse though in my experience - I managed to break the charging port on ALL my MicroUSB phones after enough time, but my USB-C phones so far have not yet encountered that failure mode.

> "GDPR nightmare for everyone" -> only for companies that intend to use personal data in non-ethical ways

You do not understand GDPR. It is a burden even for businesses or non-profits that keep a minimal amount of data and do not trade it. As with all EU regulation it is designed around big business. It actually helps the likes of FB because they are more able to push people into agreeing to let them use their data.

> "cookie banners for everyone" -> cookie banners only if your website is using cookies in a way that needs a cookie banner.

Yes, but it does little good, and it stops end users from white-listing sites allowed to set cookies because you need to allow the cookies that track your cookie options.

> "USB-C" -> Good for consumer, I believe.

I disagree. It stops new connectors being introduced (because you will still have to provide USB-C). There is little gain: essentially slightly lower sales of charger cables.

Add to that messes like VAT MOSS, which was ridiculously heavy and even led to some small businesses stopping sales to other EU countries to avoid complying with it.


> I disagree. It stops new connectors being introduced (because you will still have to provide USB-C).

And just like with the predecessor Micro-USB: nothing stops the EU Parliament from adopting new legislation to update to new technologies. Unlike the US Congress, the EU Parliament is still able to regularly pass new laws.

> There is little gain: essentially slightly lower sales of charger cables.

No charger included means thinner packaging of products like laptops and phones and thus better transport efficiency (you can store more products in one container), less e-waste from chargers and cables that end up in the "never used" bin, and an easier time for consumers: no need to carry half a bag worth of power bricks, a single Anker dual-port power supply is all I need when going on vacation - it powers our laptops, phones, Switch, everything.


In general USB chargers work with Apple devices. You just need another cable. Cables are small, fragile (so do not last anyway) and have minimal impact on transport or waste production.

While legislation can be changed, it takes time and influence to do so. What manufacturer would introduce a new charger unless they are sure the EU would allow it? It essentially means it will only change if a big manufacturer lobbies for it BEFORE launching products, or if a standard gets established in the rest of the world before the products are launched in the EU. Not exactly encouraging innovation.


> You do not understand GDPR. It is a burden even for businesses or non-profits that keep a minimal amount of data and do not trade it. As with all Eu regulation it is designed around big business. It actually helps the like of FB because they are more able to push people into agreeing to let them use their data.

It's not a burden to have to do common sense things. Is it a burden not to leave medical or private or financial data publicly readable, stored on a share everyone can access? Yes, it is, but when you have such data you also have a responsibility to protect it. Since private entities were incapable of that, GDPR tells them how they should do that. Reminder that Americans, who do not have access to protections such as GDPR, have their private information leaked frequently, and abuse is rampant (any random company you interact with selling whatever they can - be it telecoms, services, up to Grindr selling HIV status).

> I disagree. It stops new connectors being introduced (because you will still have to provide USB-C). There is little gain: essentially slightly lower sales of charger cables.

There's an explicit mechanism for the connector to be refreshed periodically, so no, it doesn't.


> It's not a burden to have to do common sense things

It depends on your scale. Suppose I ran a small website that provided news and articles and forums about some small hobby that I am into. Maybe 100 users worldwide. I include articles about European things related to that hobby, written specifically to better serve the European visitors to my site.

The only personal information I store is IP addresses in my Apache logs.

Such a site could be run for less than $100/year in hosting costs.

If my processing of personal information counts as "occasional" then as far as I can tell GDPR imposes no burden on me, other than having to deal with it when someone requests that I remove their personal information.

If my processing does not count as "occasional" then under Article 27 I would need to appoint a representative in the Union that people and regulators could contact when they have GDPR related matters involving me.

There are companies that provide "in-Union GDPR representative as a service" but the least expensive I've seen is around €100. If I had to use such a service I'd be at least doubling my costs which would probably push the costs past what I'd be willing to do for a hobby site that is not monetized.

Would my processing be "occasional"? The recital for Article 27 doesn't provide any guidance on what "occasional" means.

On the one hand one might argue that a low traffic site is almost by definition "occasional" in everything it does. On the other hand one might argue that my site is processing IP addresses on every single request it processes and that something that happens 100% of the time surely can't be "occasional".

At some point this issue will arise and the GDPR regulators in some member state will issue a ruling that clarifies it, and if we are lucky no other member state's regulators will issue a ruling that goes the other way.

Even if it is eventually decided that processing such as mine is definitely "occasional" the fact that I have to think about it in the first place is somewhat burdensome.


Surely the basis for the processing matters? If you're storing IP addresses in your access logs, you're presumably doing this for security reasons? And presumably you periodically purge old data? If so, that's a legitimate interest, no consent required.

It's not a consent problem. Even if you have consent, or some other legal justification for what you are doing with user data, users need to contact you if they want to exercise some of their GDPR rights such as the right to have their data deleted.

Article 27 is about requiring that you at least support one specific method of contact: a representative in the Union. It applies if your site is covered by GDPR and is not in the Union.

There's an exception for sites whose processing of personal data is occasional, does not include certain particularly sensitive kinds of data (e.g., genetic data, health data, criminal conviction records), and is unlikely to pose a risk to the rights and freedoms of natural persons.

There's some commentary here [1] about Article 27. It says that

> The aim of Article 27 GDPR is to ensure that the level of protection afforded to EU-based data subjects is not reduced where non-EU based controllers or processors process their data. It aims to both provide a contact point for data subjects and ensure that there is legal accountability for processing activities by mandating the appointment of a representative.

I see that page also has something to say about what "occasional" means:

> The term "occasional" has been interpreted by the WP29 to mean processing that is not carried out regularly and that falls outside of the scope of the regular activities of the controller or processor. Similarly, Millard and Kamarinou have interpreted the term "occasional" to mean "non-systematic" processing, or in other words, processing that happens on an ad hoc and infrequent basis and not in a regular way.

It sounds like automatically logging all visits to your web server in the Apache logs would not be "occasional".

[1] https://gdprhub.eu/Article_27_GDPR


I won't bother addressing most of the nonsense you've written. I'll just say that the US has FedRAMP (https://en.wikipedia.org/wiki/FedRAMP) and EO 14028 (https://www.federalregister.gov/documents/2021/05/17/2021-10...). So if you imagine that this is somehow an EU-specific thing and doesn't affect the US, you're very wrong. Not to mention NIST and FIPS and CISA.

CRA applies to all companies; FedRAMP applies to just government.

All major governments have policies like this; it's an issue when government tries to over-regulate private matters.

What government regulates inside its own workforce is absolutely up to them. But government shouldn't interfere so much in private matters.


But this is not a private matter.

The costs of poor cybersecurity are borne mostly not by the people producing the "bad" software but by their consumers.

In the end we have law enforcement dealing with ransomware attacks, cybercrime etc. and this will never fully go away but some products don't even apply basic security principles and therefore distribute the cost of this amongst everyone. Yay, they get to produce cheap crap but at which cost?

I'd rather have securer products to get started with and then take it from there.


> I'd rather have securer products to get started with and then take it from there.

Look forward to great American, Chinese and Korean software and hardware, who’ll invest 100% of their funds into innovation and growth, while EU startups keep paying for Open Source software security and subsidising this security advantage for the whole world.

The non-EU companies will grow big and then buy out the EU companies, while EU citizens will be left wondering why all the major high paying tech and R&D jobs are outside the EU.

Laws like these need to be agreed upon by all major countries together. No one country should pass policies like this which just sabotage their own people's innovative dreams.


You present one possible outcome but it is far from certain.

Another possible scenario is that companies investing in these principles will be way ahead when similar regulation will pop up _everywhere_ else.

You also present your opinion as a factual statement: "Laws like these need to be..." -> No, they don't as can be seen by GDPR, CRA and others.

I am personally affected by the CRA, I have a startup here in Europe and I see this as a great chance for EU, FOSS and Software Development in general.


> No, they don't as can be seen by GDPR, CRA and others.

Your optimism is great; tbh I am extremely cynical.

But name one Fortune 50 tech company making great profits and giving high salaries to EU devs and R&D folks that isn't relying on government funding from the EU, except SAP & ASML.

Europe has far higher education outcomes for its young graduates, than both America and India. There is almost no student debt in most major EU countries.

Yet why is it that not just America, but even India, a significantly poorer country with worse infrastructure and bad quality colleges which force their brightest minds to come to the EU, America and Australia to study in higher education,

still does better than Europe when it comes to tech? Why? It's not just cheap labour; other places have even cheaper labour and more lax regulations.

I’m just saying the reality, I love your optimism, but I wish EU bureaucrats were actually that effective. GDPR just allows non-EU companies to grow big in their domestic markets and then they think about regulations more and enter the EU market. While EU companies have to think of laws from the beginning.

Security isn't some black magic science which can be an intellectual secret, or give a bleeding edge. It's grunt work mostly, and gets postponed to invest in more profit generating parts of the business. If non-EU businesses think they are losing money due to lax security, they'll flip the game, but this law doesn't do that; non-EU companies just first expand in their large domestic markets and then think about the rest later once they have more money to think of it.

Consumer will definitely win from CRA, just like they did with GDPR, USB-C just in the short term. It’ll just continue forcing EU pioneers to move to America to start their business.

I hope you are right and I am wrong, it would be great if a region like EU can prove that one can be great innovators while also being heavily regulated and pro-consumer in the long term.

It just hasn’t happened yet, and continues to go the opposite direction. Now ASML is threatening to move elsewhere too (albeit for different reason).


"But name one Fortune 50 tech company making great profits giving high salaries to EU devs and R&D folks that isnt relying on Government Funding from EU except SAP & ASML." You are aware that big corps from Silicon Valley have big offices in Europe? E.g. Apple in Munich?

"even India a significantly poorer country, [..] And YET they do better than Europe when it comes to Tech ? Why" citation needed

"GDPR just allows non-EU companies to grow big in their domestic markets" Local businesses in Germany complain about bureaucratic laws. But no one ever about GDPR. It's just a non-issue outside of AdTech.

"Consumer will definitely win from CRA, just like they did with GDPR, USB-C just in the short term. It'll just continue forcing EU pioneers to move to America to start their business." Currently, according to State of European Tech 2023, more people move from the US to Europe than vice versa.


> You are aware that big corp from Silicon Valley have big offices in Europe ? E. g. Apple in Munich?

It's done for tax reasons and lobbying efforts; it's used more as a weapon than for actual reasons.

Apple pays an effective tax rate of 5-6% on EU revenue and profits, while EU businesses pay much higher; this scenario is constantly used by big EU businesses like Siemens to get more tax credits and public grants while threatening Germany with moving the company's headquarters elsewhere. Apple having offices here pales in comparison to an EU owned tech giant granting great salaries and dividends to EU pension fund holders; instead they make American pension funds and income taxes better, while EU companies cannot compete due to regulatory burden. Startups matter a lot; Apple started from a garage with 3 people.

China bought KUKA, the largest global robotics giant and an EU owned company; now it owns 100% and has delisted the stock from the EU exchange (so EU citizens with their pensions won't get the future profits and dividends generated by KUKA), AND China has said they are only committing to keeping those high tech EU jobs till 2025; after that they are moving all those jobs to Asia.

> "India a significantly poorer country, [..] And YET they do better than Europe when it comes to Tech ? Why" citation needed

There are a lot of major Indian software companies paying America-like salaries for their best talents (even without adjusting for purchasing power parity); most of these tech unicorns register their companies in Singapore or America so it doesn't show up, but in reality they are employing tons of Indians and driving innovation in that country. A lot of US stock exchange listed companies are in reality Indian businesses primarily employing Indians. It's why such a small sector in terms of employment in India contributes 15% or higher in GDP growth to the 5th largest economy in the world. Even with all the disadvantages India has.

> But no one ever about GDPR. Its just a non-issue outside of AdTech.

Adtech is 98% of the revenue of Google and Facebook; both of them combined at their highest valuation were worth more than all EU stock exchanges combined. Each of these "adtech companies" can buy out some of the major EU businesses in a heartbeat.

A lot of this feels like a sports contest: you're rooting for how team EU is so amazing, while I'm trying to show how it's shooting itself in the foot.

We both want EU to win, but it’s not necessary to worship them, the policy makers are making a lot of decisions which will hurt EU for decades to come into the future.

EU has the power to be the tech and innovation capital of this world, with great colleges, minimal student debt, innovators not having to worry about outrageous healthcare costs for their family, allowing them to take more risks and going without a salary while working on their startups, yet EU continues to underperform and declines.

It’s because of government policies.

> Currently according to State of European Tech 2023 more people move from the US to Europe than vice versa.

Currently the EU is also the #1 destination for illegal migrants and refugees. How many Americans come to the EU is meaningless. The net economic and strategic contributions of the ones who are leaving the EU for the USA vs vice versa is much more important.


I'm sorry, you didn't provide any source for your Indian claim. You deny the quality of Silicon Valley offices in their European locations (which is a huge insult to the engineers working there).

"Currently EU is also the #1 destination for illegal migrants and refugees. How many americans come to EU is meaningless. The net economic and strategic contributions of the ones who are leaving EU for USA vs vice versa is much more important."

You can easily assume that legal emigration is mostly for highly qualified labour (illegal US emigration is a non-issue), so yes, the economic and strategic contributions are important.

But given your missing claims I guess I opt out of the discussion.


There's a technical existence proof of a secure architecture for problematic IoT hardware, from Microsoft (of all places) Azure Sphere, with a Mediatek MCU based on Pluton (from Xbox and Ryzen). It has hardware separation of security-critical software (Linux Kernel) from IoT application software, allowing each to be updated independently, even if the device vendor goes out of business or cannot afford to invest in security in the first place.

If the security properties of the Azure Sphere design could be generalized beyond Microsoft/AMD/Mediatek by Arm or RISC-V, so that OSS software like Debian or Zephyr could be used in the security-critical hardware compartment, we could have a vendor-neutral starting point for sustainable, low-cost, networked devices sold and supportable by multiple vendors.

https://www.platformsecuritysummit.com/2019/speaker/seay

Further down the road, CHERI capabilities may be a silver bullet, but we're still years away from affordable hardware.
