Sidebar on the CRA, which was mentioned
Posted Oct 3, 2025 14:55 UTC (Fri) by mbunkus (subscriber, #87248)
In reply to: Sidebar on the CRA, which was mentioned by davecb
Parent article: F-Droid and Google's Developer Registration Decree
So yeah, if you're the completely altruistic OSS developer who only ever spends their time & money on such a project without even trying to make server infra costs back, you'll be fine. But a ton of us out there will have to deal with it.
All of this is my own understanding without any kind of legal advice or experience behind it. Just to be clear.
The article itself is not bad & does quote Greg much more extensively. It's worth a read. I'm only angry at the headline, but that's The Register for you.
Posted Oct 3, 2025 16:53 UTC (Fri)
by Wol (subscriber, #4433)
[Link] (2 responses)
As far as I'm aware, though, the people on the ground who are Europeans (eg me) are all quite happy with the CRA. The people voicing the loudest concerns (like pizza) are not - an American?
Doesn't that say something? I'd be interested to know if there are Europeans (who've bothered to read, learn and inwardly digest - there've been plenty of pointers to the legal texts themselves) who are seriously concerned.
Cheers,
Posted Oct 3, 2025 17:15 UTC (Fri)
by pizza (subscriber, #46)
[Link]
...I see the CRA as a warning of what's coming next. While the CRA's worst bits (with respect to individual F/OSS authors) were watered down after the massive outcry (from EU-based entities), it has yet to be actually implemented in individual member nations and as such there's still a lot of room for things to go sideways (even if only unintentionally). That said, only a fool would say that some form of strict individual liability for software authors -- and SaaS providers -- isn't looming. And it will apply regardless of how said software/SaaS is ultimately funded (or not).
Posted Oct 3, 2025 18:35 UTC (Fri)
by mbunkus (subscriber, #87248)
[Link]
Posted Oct 3, 2025 18:11 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link] (56 responses)
I specifically asked a lawyer in Germany, and donations or income from ads on the website are not enough to trigger the CRA.
But a $0.5 app in an appstore is enough, because at this point you're actually selling a product. I'm personally pretty OK with it.
Posted Oct 3, 2025 18:30 UTC (Fri)
by mbunkus (subscriber, #87248)
[Link]
Posted Oct 3, 2025 18:34 UTC (Fri)
by pizza (subscriber, #46)
[Link] (1 responses)
Thanks; it's good to get some actual legal advice here.
But this also creates an incentive pushing folks to release advertising-supported (and/or datamining-supported) applications.
Posted Oct 5, 2025 3:46 UTC (Sun)
by mathstuf (subscriber, #69389)
[Link]
Posted Oct 4, 2025 9:02 UTC (Sat)
by peniblec (subscriber, #111147)
[Link] (40 responses)
> I specifically asked a lawyer in Germany, and donations or income from ads on the website are not enough to trigger the CRA.
Aaand bookmarked. I’d have liked something more authoritative than “second-hand lawyer account from LWN comment section”, but beggars can’t be choosers.
Thanks!
Posted Oct 4, 2025 14:07 UTC (Sat)
by Wol (subscriber, #4433)
[Link] (39 responses)
It's not that difficult, the thing to remember is the repeated references to "making available on the market" which is a generic legal term across lots of legislation. If you follow that up, you'll see it means roughly the same thing as "advertising for *sale* in the EU".
Hence the lawyer saying if you just make it available for free download, that's perfectly okay. If you solicit donations, that's *probably* okay. But as soon as you stick a 50c price tag on it, then the CRA kicks in. But let's say you advertise it as "suitable for Android 15", I don't know how long Google support their versions for, but you can reasonably expect all liability for your app to die when support ends for the advertised version of Android.
Cheers,
Posted Oct 4, 2025 17:35 UTC (Sat)
by pizza (subscriber, #46)
[Link] (36 responses)
*ahem*
(22) ‘making available on the market’ means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;
(Taken from the "definitions" section of the official CRA text)
In other words, something can be "commercial" even if it is provided free of charge. (which makes sense given that the overwhelming majority of the "free" apps out there are plastered with advertisements and explicitly commercial in nature)
Meanwhile, and more appropriately to F/OSS, paragraph 16 of the CRA states:
"Products with digital elements provided as part of the delivery of a service for which a fee is charged solely to recover the actual costs directly related to the operation of that service, such as may be the case with certain products with digital elements provided by public administration entities, should not be considered on those grounds alone to be a commercial activity for the purposes of this Regulation."
Paragraph (15) also states:
"[...] Supply in the course of a commercial activity might be characterised not only by charging a price for a product with digital elements, but also by charging a price for technical support services where this does not serve only the recuperation of actual costs, [...] Accepting donations without the intention of making a profit should not be considered to be a commercial activity."
The moment you accept payment for anything other than recovering your actual costs... BAM.
Posted Oct 4, 2025 18:35 UTC (Sat)
by mbunkus (subscriber, #87248)
[Link]
That's why I found Cyberax' quote from that lawyer to be very valuable, but it's still very murky and kind of scary. My worries are somewhat eased by how the process has gone so far & the fact that European lawmakers' intention seems to be not to burden F/OSS projects unnecessarily. So I guess the answers to my questions would be something along the lines of:
- no, I'm not in danger & don't have to stop accepting money as long as it doesn't exceed regular cost by a lot (with "a lot" to be determined, ten times is probably way too much, 50% might be OK, especially if we're talking about a low base)
These types of questions probably look dumb, or the answers obvious, to people who have experience with such processes or the law. For a lot of us F/OSS developers all of this is very new and unfamiliar.
Posted Oct 5, 2025 11:23 UTC (Sun)
by Wol (subscriber, #4433)
[Link] (33 responses)
> (Taken from the "definitions" section of the official CRA text)
> In other words, something can be "commercial" even if it is provided free of charge. (which makes sense given that the overwhelming majority of the "free" apps out there are plastered with advertisements and explicitly commercial in nature)
I think you're reading that arse about face. If I provide an app all on its lonesome (for free) there is no liability. There is no commercial activity taking place between me and the downloader. Adverts, donations, etc are completely out of scope.
IF however, there IS commercial activity between me and someone else, and I tell them "to make this product (that you've paid for) work, you need to download this free app", THAT is when the CRA kicks in. That section you've quoted says "free downloads may be covered IFF there is commercial activity occurring ELSEWHERE" (as in, as part of the commercial activity, the downloader is EXPECTED to download the software).
A position I'm in at this exact moment - my insurer has told me to download a free app, which doesn't work, but without it my insurance is invalid! (I know what's wrong, I think, but I'm going to let them squirm for a little :-) So we have *commercial activity* - the insurance - and a *free* app that doesn't work. A clear case where the CRA DOES kick in.
Cheers,
Posted Oct 5, 2025 12:46 UTC (Sun)
by pizza (subscriber, #46)
[Link] (32 responses)
Please remember this sidebar is talking about stuff made available in a so-called "app store".
Regardless, what you describe is contradicted by the plain text of the CRA.
...I hope all of this goes to show you that your "just read the text of the CRA" is clearly inadequate.
Posted Oct 5, 2025 13:39 UTC (Sun)
by Wol (subscriber, #4433)
[Link]
> Please remember this sidebar is talking about stuff made available in a so-called "app store".
And? I was told to download the app FROM GOOGLE PLAY. Indeed, as far as I could tell, it was the only place *I* could get it from. (Oh, and it has loads of useful (if you're that way inclined) functionality that you don't need for your insurance to be valid.)
Cheers,
Posted Oct 5, 2025 16:07 UTC (Sun)
by Wol (subscriber, #4433)
[Link] (30 responses)
And don't forget, the Americans tried to get the GPL etc declared invalid because *money* wasn't involved. Hence the wording "whether in return for payment or free of charge".
"Commercial Activity" means "exchange of value" by means of an agreed, enforceable agreement - call it a contract if you like. And this clearly includes offering software FOR MONEY, because it's called "an offer to treat, agreement, exchange of consideration" which is classed as a form of contract. But it CAN include Free Software, if that's mentioned in the agreement.
So as I keep on saying, "follow the contract". If there is no LEGAL agreement in place, then there can be no liability under the CRA. Indeed, my insurance contract is a classic example of where and where not the CRA is intended to apply ...
The insurer makes the app available to ANYone to download. NO liability.
It's not, actually, of any use to anyone without a paid up insurance contract in place. Commercial Activity.
For MOST policy holders, the app is a "take it or leave it" job - it gives the policyholder the means to check up on their policy. NO liability
For SOME policy holders the app is a contractual responsibility - the insurer can check up on the policy holder (I accepted that partly because I didn't realise what was going on, partly because it halved the premium). Contract (commercial activity) in place. Contract covers use of the app. CRA LIABILITY.
This is meant to protect people like Google, Microsoft et al. Just because you pay Google for extra storage, doesn't let you claim CRA for a bug in GSheets. Just because you've paid for Windows and MSDN, doesn't mean you get to claim CRA against the software in MSDN (because, iirc, you're not supposed to use it for commercial activity! ... It's "evaluation and development" only, so by definition it shouldn't be a security risk.)
Cheers,
Posted Oct 5, 2025 17:57 UTC (Sun)
by farnz (subscriber, #17727)
[Link] (29 responses)
This is a lot of what makes the CRA a challenge to interpret; it's trying to prevent you avoiding liability for your security flaws by saying "we don't sell software, we sell storage" and things of that nature. Instead, stuff that you're giving away in order to make money elsewhere also comes into scope - sure, Google give away GSheets access for free, but the CRA liability for security flaws comes in because it's given away for free in order to encourage you to spend money on other things Google sells.
Posted Oct 5, 2025 19:04 UTC (Sun)
by Wol (subscriber, #4433)
[Link] (28 responses)
My company has a support contract in place with Google, we pay for Google Suite, so the CRA most definitely DOES apply.
> Google give away GSheets access for free, but the CRA liability for security flaws comes in because it's given away for free in order to encourage you to spend money on other things Google sells.
I would disagree very strongly. Just because you take advantage of Google's "for free" offer, this does not, and is not meant to, bring the CRA into it. As soon as you *spend* that money, and Google Suite (or whatever else) is even *mentioned* in some sort of "for consideration" agreement, then the CRA kicks in for that product and customer, but not before. The whole point of the "Free Software" part of the CRA is to make sure that a "no strings attached" offer cannot invoke CRA liability. Whether it's a lone developer or billion-dollar company. As soon as strings are attached, it's no longer classed as being offered for free, and is "on the market" (ie offered *for*sale*), and the CRA does kick in. That's the point about my insurance. The software is offered to everyone for free. There are contractual strings attached to MY use of it, therefore *I* can invoke the CRA.
(I get your point about Google selling "Google One" disk space, but that was very much in the forefront of the minds of the Free Software people getting the rules clarified. Selling one service should not have any impact on how an unrelated service is treated. Selling on-line disk space should not have any impact on how making software available online or for download is treated. Debian / FSF guidelines explicitly forbid allowing terms that impact on unrelated software, do they not? Making that clear was a major part of the changes to CRA.)
That's why I said the CRA doesn't apply to MSDN - part of the terms of having an MSDN subscription is you shouldn't be using it where it can be a security risk. (Plus the subscription entitles you to the latest version extant at the time of your subscription - all rights explicitly die with the subscription.)
Cheers,
Posted Oct 6, 2025 7:52 UTC (Mon)
by farnz (subscriber, #17727)
[Link] (27 responses)
The exceptions that might apply are exceptions where the storage space cannot be used for GSheets (making it fully independent and unrelated), or where there is no profit or attempt to profit from monetization. Neither of those apply here, and thus the fact that Google sells "Google One" subscriptions, which benefit you if you use GSheets, is enough to bring CRA liability into play.
If we take my car dealership hypothetical from earlier a step further; once the dealership stops selling Kias and switches to selling Fords, if it still offers its Kia app for free, it no longer incurs CRA liability for future downloads of the app; because the app is now unrelated to any commercial activity on the dealership's part, its CRA liability ends the appropriate amount of time after the last download of the app that preceded them stopping selling Kias.
This is very, very deliberate on the part of the drafters of the CRA, because otherwise it becomes too simple to escape liability by making a "no strings attached" offer for the security-relevant components, while charging for other things that are useless without the "free" bit attached.
Posted Oct 6, 2025 10:45 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (26 responses)
Where do you draw the line? I think you're drawing it far too oppressively.
> while charging for other things that are useless without the "free" bit attached.
Couldn't agree more with this bit. But applying the CRA to Gsheets, because the customer is paying for disk space, is taking it too far ...
Cheers,
Posted Oct 6, 2025 11:18 UTC (Mon)
by farnz (subscriber, #17727)
[Link] (25 responses)
Exception one is for cases where you give away the product with digital elements for free, and do not have an income from the software or related services that exceeds your costs, or that is intended to exceed your costs. GSheets does not fall under this exception, because storage for my GSheets spreadsheets is part of my Google One account, and therefore this exception does not apply.
Exception two is for cases where use of the product with digital elements does not relate to your commercial activities, and thus the free application cannot be an incentive for the user to spend on your commercial activities. For GSheets, that's not true - GSheets uses my storage, and if I wasn't paying for a Google One account, I would currently be unable to use GSheets due to a lack of storage quota at Google. Thus, since one reason for me to pay for storage is to allow me to use GSheets, this exception can't apply either.
Once again, this is extremely deliberate; it's so easy to factor digital products into pieces, and so you want it to be very hard to factor out a "safe" product (cloud storage) from the high security risk products, as otherwise it becomes easy for the big players to avoid any CRA liability whatsoever.
Posted Oct 6, 2025 15:04 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (8 responses)
And in this case YOU DO NOT NEED AN EXCEPTION.
> (22) ‘making available on the market’ means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;
If I supply JAM in the course of a commercial activity, then I am making my JAM "available on the market". If I am placing software on my jam-business server as a favour to whoever wants to download, that is NOT in the course of a commercial activity, therefore is NOT "making available on the market".
Let's do a quick Gedanken experiment. As an *absolute* *minimum*, a commercial activity requires record keeping, no? So I turn off logging and have no records whatsoever about who downloads what. What impact will that have on my jam business? *None* *whatsoever*.
So simply making downloads available for free CANNOT be "in the course of a commercial activity" therefore cannot be "making available on the market", therefore cannot trigger CRA liability.
Google is under no legal obligation to keep track of who uses Gsheets. Therefore if they turned logs off, that would be the end of any possible CRA liability. (The CRA explicitly permits SOME logging and data collection that will not trigger liability - limited pretty much to data needed to improve the software.)
In order to trigger CRA liability, the supply of the software MUST be "in the course of commercial activity". That is why when I download my insurer's app, it DOES trigger the CRA, because my insurance requires me to use it. When a different customer downloads it, it DOESN'T trigger the CRA, because the insurer doesn't care whether they use it or not.
Cheers,
Posted Oct 6, 2025 15:14 UTC (Mon)
by farnz (subscriber, #17727)
[Link] (7 responses)
For example, a jam sugar vendor putting out a basket of free fruit suitable for jam making outside the store for anyone to pick from is making that fruit available in the market, because it's related to their commercial activities of selling jam sugar.
Given that, Google is absolutely unable to escape CRA liability for GSheets as long as it sells storage for use with GSheets (among other Google products). It can't say "we only do the storage as a commercial activity", precisely because if no Google product used Google storage, many fewer people would buy Google storage.
Posted Oct 6, 2025 16:00 UTC (Mon)
by zdzichu (subscriber, #17118)
[Link] (6 responses)
Posted Oct 6, 2025 16:04 UTC (Mon)
by farnz (subscriber, #17727)
[Link] (5 responses)
Posted Oct 6, 2025 16:38 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (4 responses)
My motto is "trust but verify" when dealing with "the professionals", because they're wrong more often than not. And that includes when I'm paying them! Lawyers especially, but we (as a family) have been badly hurt by doctors, too ...
Seriously, putting free fruit outside your door for other people can be classed as a business activity? It is a cardinal principle of Free Software, that whatever you do with one piece of software MUST NOT impact what you're allowed to do with a different piece of software.
Saying that your jam sugar business is affected - in any way whatsoever - by the fact that you leave surplus fruit outside your door (and vice versa), is a complete breach of Free Software principles. And it's almost certainly a breach of business principles too, otherwise what's the point of breaking a company up into subsidiaries? One reason they do it is to prevent legal liabilities leaking between entities!!!
And I can't see a Judge buying the claim that leaving fruit outside your door in a "wing and a prayer" hope that they'll buy your sugar, connects the two activities in any legal way shape or form whatsoever.
Gedanken experiment again - if you have ABSOLUTELY NO RECORDS - how are the Revenue going to tax the free fruit you left outside? And if there are no records, how are they going to prove it was you? (There's a strong argument that other people's testimony is irrelevant, because if "I saw someone leaving fruit outside your door" is innocent for pretty much everyone, surely that "everyone" includes you!)
Cheers,
Posted Oct 6, 2025 17:00 UTC (Mon)
by pizza (subscriber, #46)
[Link] (2 responses)
WTF do the "Cardinal Principles of Free Software" have to do with the legal definition of commercial activity in your (or any other) jurisdiction?
(BTW, in my jurisdiction, the threshold for "commercial activity" is _very_ low indeed)
Posted Oct 6, 2025 23:14 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (1 responses)
If two things have no causal connection, they should not affect each other in any way. Be it Free Software (as required by DSG), or business activity. Certainly in the UK, one major point of subsidiaries in business is to show the absence of causal connection between them.
> (BTW, in my jurisdiction, the threshold for "commercial activity" is _very_ low indeed)
How low? Kids collecting stamps and swapping them in the playground? I'd define it as "an activity that requires keeping records in pursuit of being sustainable". I didn't use the word "profit", because we have the concept of non-profits, but they have to avoid losing money in order to survive.
Cheers,
Posted Oct 6, 2025 23:39 UTC (Mon)
by pizza (subscriber, #46)
[Link]
How *you* define it doesn't matter one scintilla. What matters is what the IRS or HMRC (or the equivalent for your jurisdiction) says it is.
Posted Oct 6, 2025 17:08 UTC (Mon)
by farnz (subscriber, #17727)
[Link]
The details are complex, and the reason it's set the way it is is that they want to stop you breaking into parts in order to escape a liability that you would otherwise incur; that's why the original CRA drafts had no exceptions at all (which would have been a disaster for open source), and why the exceptions to liability that now exist are non-trivial.
Posted Oct 6, 2025 16:09 UTC (Mon)
by paulj (subscriber, #341)
[Link] (15 responses)
If the CRA doesn't put obligations on you there, and you can happily get people to fund you and put the ongoing code onto a public git without fear of CRA obligations: What if that code starts to become useful to others, see use, and you start to get bug reports and feature requests, and you try to handle those where you can, and you have some kind of "If you found this useful, consider donating to help with the development costs" - does the CRA then kick in?
Posted Oct 6, 2025 16:44 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (13 responses)
Read the CRA. The answer is "no". If you solicit donations with no INTENTION of making a profit, then whether you actually do or not is irrelevant.
I used to run the refreshment stall as a student rep, when the Uni had course choice open days. We put up a big sign saying "suggested donation ..." but we did NOT enforce it. It's illegal to sell alcohol without a licence. If anyone said "I haven't any money", we said "take it, you can always put extra in next time". We always made a profit, and the Revenue couldn't touch us. If we'd said "no donation, no drink ..." and been caught I think we'd have been in front of the beak in *very* short order.
Cheers,
Posted Oct 6, 2025 16:51 UTC (Mon)
by paulj (subscriber, #341)
[Link] (12 responses)
Is there some line where this can cross over into the kind of commercial activity that brings the CRA down on my head?
What if someone approaches me and says "I could really use this feature, why don't you tell me how long it'd take you and how big a donation I should make to have you work on that exclusively?". Does the CRA kick in then?
Where is the line?
Posted Oct 6, 2025 17:03 UTC (Mon)
by corbet (editor, #1)
[Link] (10 responses)
Posted Oct 6, 2025 17:11 UTC (Mon)
by paulj (subscriber, #341)
[Link] (9 responses)
Maybe it's already covered elsewhere in the debate, and I missed it.
I genuinely have no idea what the implications of the CRA are for me... By some accounts here, it's nothing. By others, fairly normal Free Software activities might conceivably tie me up in CRA obligations for years to come. I really don't know.
Posted Oct 6, 2025 17:16 UTC (Mon)
by farnz (subscriber, #17727)
[Link] (8 responses)
The people who need to care are those who are making enough from a project outside of their employment that €1,000 for a lawyer is under a tenth of the annual income from their project, and those intending to make a profit (even if they're not making one now).
Posted Oct 7, 2025 9:22 UTC (Tue)
by paulj (subscriber, #341)
[Link] (7 responses)
What if I, as part of this journey from a research project sponsored by donations towards a self-sustaining Free Software project that lives off both general sponsorship and specific contracts to continue the work, am at the stage where I want to set up a small company (non-profit[1]) to hold the assets and be the nexus for donations and allocating funds to the sponsored developers. Do I need to start worrying at that stage about CRA lawyers? That's an additional expense over the accountants' fees to set up and maintain the company.
From what you say, the technical stewards of such an effort, would need to start worrying about CRA at about that point.
1. Non-profit, but not a charity. The whole 501(c)(3) thing in the USA for Free Software sponsorship foundations largely stinks - at least certainly is ripe for abuse (which I have seen, in the brief time I was with a small foundation). Thankfully, charitable status is much much harder to get over here in the Celtic Isles.
Posted Oct 7, 2025 12:04 UTC (Tue)
by Wol (subscriber, #4433)
[Link] (6 responses)
Very much so. BUT. You're now a small company. You are providing services, for which you need to keep books. You just make it EXplicit in your contracts whether or not you are affixing the CE mark (or CRA equivalent) to your software.
The software needs a CRA mark. Does your contract say you are a middle-man providing development services to your customers - in which case presumably they affix the mark and pay you extra to fix problems; or are you providing them with the software as a product, in which case you affix the mark and need to budget for bug-fixing from your own budget.
Once you're a company your contracts will state who is liable.
I won't say that's simpler - as you know my position is "no contract no liability", but that seems to be a bit contentious ...
Cheers,
Posted Oct 7, 2025 12:24 UTC (Tue)
by paulj (subscriber, #341)
[Link] (5 responses)
That's fine. Throw X hundred per month at the accountants to do whatever is necessary to maintain the necessary web portal for me to add whatever required records and them to take care of whatever else is necessary. They don't know anything about and aren't going to touch CRA stuff though. ;)
> Does your contract say you are a middle-man providing development services to your customers - in which case presumably they affix the mark and pay you extra to fix problems;
Aha. Ok... So, that avoids the issues. I just remain a "development services" firm/NPO, and the Free Software I/we publish is just the sample code of what I/we can provide services for?
I'd hate to think that I could get stuck with loads of red-tape obligations or, worse, must-do-free-work obligations (e.g. requiring me to handle security reports), just cause I/we put some code that we developed for a /paying/ "customer" on a consultancy / development services basis on whichever GitHub. ?
Posted Oct 7, 2025 13:58 UTC (Tue)
by Wol (subscriber, #4433)
[Link] (4 responses)
The idea of the CRA is to apply *exactly* the same logic. A CRA mark *MUST* be applied to every digital component. In the case of a fault, the authorities will follow the chain, from the finished product manufacturer, all the way down to guys who applied the CRA mark to the faulty software.
And if Jo Bloggs Inc downloads your software, puts it into their product as a component, and has trouble with it, the authorities will go hunting for the guys who affixed the mark. If they find you, and you go "Huh? Who's Jo Bloggs Inc?" the authorities will go back to Jo Bloggs Inc and demand to know who affixed the mark. If you have no contract with Jo Bloggs Inc, they have absolutely NO evidence that a mark exists, therefore the authorities will say "You (Jo Bloggs) affixed your mark to your product. Because paulj's software had no mark, therefore Jo Bloggs applied the mark to paulj's software, therefore it's Jo Bloggs' problem".
So it's down to you whether you sell development services and don't affix a mark, or sell a maintenance contract which presumably will include a mark (your customer would be mad to accept a maintenance contract without it). And because the mark is part of the maintenance contract, nobody else can come along and say "hey I'm going to use the same mark".
Cheers,
Posted Oct 10, 2025 16:15 UTC (Fri)
by kleptog (subscriber, #1183)
[Link] (3 responses)
Right. This is the critically important thing I see many people missing here. The terms of the CRA do not apply to the product itself, they apply to the *contract between you and the customer*. They're basically standard Terms and Conditions.
Hence, statements like "is Google Sheets covered by the CRA?" are meaningless. The correct statement is "when I am using Google Sheets, does the CRA apply to our contractual relationship?". Now, since Google probably doesn't feel like maintaining two different versions of Google Sheets, if you're using it for free you probably get the benefits of the CRA, except Google doesn't actually owe you anything. Only the people who actually pay to use Google Sheets (Google Workspace users basically).
You're a non-profit holding some trademarks and keeping a website in the air? The CRA doesn't apply because you don't even know who is downloading stuff. Who are the parties to the contract it would apply to?
Someone clicked on your "donate" button and gave you some money? Again, you never offered them anything so there is no contract for the CRA to apply to.
The only people that need to care are people offering services to do things with free software. They need to make clear they're not actually selling the software, but the end-user is getting that from the original source. I'm sure FSF-Europe or similar have some standard verbiage for that. There are provisions to prevent companies saying things like "you're buying a Splunk service, the Splunk software itself is free and so no CRA". The basic principle is not complicated though.
Posted Oct 10, 2025 18:01 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
I got a preliminary reply about that, and it's apparently a gray area. While Google is not getting money from you directly, it's still getting (significant) income from showing ads for the free GSheets version. So even it is likely to be covered by the CRA.
Posted Oct 10, 2025 18:59 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
And again, if Google is receiving money from the ad vendors, it is the VENDORS who are covered by the CRA, not users.
Cheers,
Posted Oct 10, 2025 18:57 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
Simply said, you're paying Splunk for a service. So everything Splunk says you need to access the service is covered. Take eg a mail-server.
If Splunk says "you can use the mail client of your choice to access our server", then the client isn't covered. BUT.
If Splunk says "you can only access our server if you're using Outlook", then Splunk is on the hook for security problems with Outlook. Sounds unfair? Well, if you can't access the service you've paid for, without using dodgy insecure software, the CRA doesn't care. Splunk had better have a contract in place with Microsoft !!!
Cheers,
Posted Oct 6, 2025 22:54 UTC (Mon)
by Wol (subscriber, #4433)
[Link]
> Where is the line?
Sorry Jon, but yes I would say this is at serious risk of crossing the line. You are entering into an agreement, a contract. "A donation in return for you committing to this feature" is not a donation. It's probably easy to avoid CRA liability - make the contract say you'll write the code, add it to the free software, and that's the end of your liability. But this is where I *would* get advice from a lawyer. One who SPECIALISES in the subject. After all, now you're being paid BY CONTRACT, you can pay for the lawyer :-)
Cheers,
Posted Oct 6, 2025 17:09 UTC (Mon)
by farnz (subscriber, #17727)
[Link]
Your downstream users, of course, may well still have CRA obligations; just because your supplier is exempt doesn't mean you are too.
Posted Oct 5, 2025 13:23 UTC (Sun)
by Wol (subscriber, #4433)
[Link]
They are describing a support contract. So it means, if you have a support contract in place, you cannot delay fixing security issues. So if you offer support contracts, the CRA is basically saying you MUST include security issues, and you MUST issue timely fixes. So any attempt to dodge this issue in your contract is void.
If you're accepting donations towards your hosting costs (or charging for the cost of providing said host, and explicitly NOT including support services) you can't be held liable for anyone else's software, and quite likely not your own either.
> Accepting donations without the intention of making a profit should not be considered to be a commercial activity."
So actually making a profit (if it wasn't your intention) isn't a problem.
Cheers,
Posted Oct 7, 2025 17:06 UTC (Tue)
by logical-per (guest, #179735)
[Link] (1 responses)
"any supply of a product for distribution, consumption or use on the Community market in the course of a commercial activity, whether in return for payment or free of charge."
EU law does not work by reading one regulation in isolation. The CRA depends on the definitions from the framework it belongs to.
Posted Oct 7, 2025 17:39 UTC (Tue)
by Wol (subscriber, #4433)
[Link]
In fact, that is often used by businesses to dispose of goods which would be illegal in a commercial activity - out-of-date, licenced, yada yada. I work for a supermarket ...
Cheers,
Posted Oct 4, 2025 12:44 UTC (Sat)
by mbunkus (subscriber, #87248)
[Link] (11 responses)
Posted Oct 4, 2025 21:02 UTC (Sat)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
Posted Oct 5, 2025 19:18 UTC (Sun)
by Wol (subscriber, #4433)
[Link]
As soon as you sell SOMETHING ELSE and say "you need to download this app to make it work", you have commercial activity, you have a contract, and you're on the hook. Even if it's not your software!
Cheers,
Posted Oct 5, 2025 15:06 UTC (Sun)
by farnz (subscriber, #17727)
[Link] (8 responses)
Having the app on the app store for free, by itself, is placing the app on the market, but just placing something on the market is necessary but not sufficient for the CRA to kick in.
For the CRA to kick in, you need to place software on the market, and attempt to make a profit from it, either directly (by attaching it to an income stream that exceeds, or that you expect to exceed, your costs) or indirectly (by using the software to drive sales of something else, such as hardware you sell under your own brand, or hardware you resell). This does imply that, for example, a Kia dealership not owned by Kia/Hyundai who offers a free app to make Kia ownership better incurs CRA liability, even though they don't make Kias, because they're attempting to indirectly profit by making it more likely that someone will buy a Kia, and thus more likely that they'll sell a car.
Note, though, that the CRA is only about long-term security support; you already, by placing your free app on the market, incur liability under EU laws relating to fitness for purpose etc. It's just the security side that's new, not the functionality side.
Posted Oct 5, 2025 17:40 UTC (Sun)
by mbunkus (subscriber, #87248)
[Link] (4 responses)
> Having the app on the app store for free, by itself, is placing the app on the market
I guess having it downloadable from any website that's reachable from any of the market's locations is making it available there. So it's good that just having it in the store (for the same condition as it's already available from that other location) is not imposing anything extra here.
Posted Oct 5, 2025 20:05 UTC (Sun)
by Wol (subscriber, #4433)
[Link] (3 responses)
> (21) ‘placing on the market’ means the first making available of a product with digital elements on the Union market;
> (22) ‘making available on the market’ means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;
Okay, I agree that clause 22 could be clearer, but as I read it, it is "the act of supply", which means that whether it is commercial activity or not can depend on the supplier charging for it, or on the relationship of the recipient to the supplier.
As such, if the supplier makes it available for download for free no strings attached, that is clearly NOT commercial activity. If the supplier makes a charge for it, it is clearly commercial activity. If you can pay for a code that makes your copy ad-free, that makes a non-commercial download into a commercial transaction.
So the SAME software, from the SAME site, can be both commercial, or non-commercial, depending on the status of the downloader.
As I see it, it is extremely clear. If the downloader incurs no liabilities towards the supplier on download, likewise the supplier incurs no liabilities (including the CRA) towards the downloader.
Cheers,
Posted Oct 6, 2025 8:03 UTC (Mon)
by farnz (subscriber, #17727)
[Link] (2 responses)
That's not the CRA's standard, because the CRA has exceptions where the monetized product on the market is independent and unrelated to the product you're claiming incurs CRA liability, and where the monetization neither exceeds nor is intended to exceed the costs incurred in creating the product and putting it on the market.
The whole reason there's been such a fuss in open source circles around the CRA is that those exceptions didn't appear originally in the CRA, and that meant that it was completely impossible for an open source developer who makes a profit from some other activity (e.g. jam-making) to provide a product for free without incurring liability for security fixes in the future under the CRA. The exceptions have been added to protect people who are doing this "for the love of open source", while not providing wiggle room for someone like Google or Facebook to say "our products are provided for free, therefore we're not liable for keeping them secured".
Posted Oct 6, 2025 10:56 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (1 responses)
Because terms like "place on the market", and "commercial activity" weren't made clear in the act itself.
Saying "but if I sell jam, my software falls under the CRA" is *clearly* crying wolf. Supplying software clearly has nothing to do with selling jam, and once you look up those terms, that's extremely clear. The issue was, is, and always has been companies who both sell and give away software - to what extent does selling software (or hardware that needs software) bleed over into giving stuff away.
How do we make sure that giving software away "no strings attached" does not trigger the CRA - I think you're far too eager to make it trigger when it shouldn't.
But if I can't use the hardware I paid you for, without software (free or not, provided by you or not), then the CRA needs to kick in (likewise if the software I paid you for requires other 3rd-party software to work, the CRA needs to kick in).
Cheers,
Posted Oct 6, 2025 10:58 UTC (Mon)
by farnz (subscriber, #17727)
[Link]
This was not the intention of the Act's drafters, and they resolved this once it was brought to their attention - it would, however, have been a disaster for open source if the original wording had been intended, since it covered most software in the EU (MSDN samples would have been an exception, since they're not supplied as a product, but as documentation).
Posted Oct 5, 2025 19:25 UTC (Sun)
by Wol (subscriber, #4433)
[Link]
Where does it say that? Trying to drive sales is perfectly okay, and doesn't trigger the CRA as far as I can tell (why should it?).
It's the inverse that's the problem - driving downloads by making that a requirement for the correct functioning of products you sell. That's a clear example of trying to do an end run around the CRA, and you'll get slammed for it.
Cheers,
Posted Oct 6, 2025 12:12 UTC (Mon)
by pizza (subscriber, #46)
[Link] (1 responses)
...In this context, does "monetizing the software via embedded advertisements" count as direct income, indirect income, or not at all?
Posted Oct 6, 2025 12:54 UTC (Mon)
by farnz (subscriber, #17727)
[Link]
Note that the only reason the CRA has direct and indirect income at all is to make clear that you can't say things like "I'm not charging for the app - I'm charging for extra storage", or "the app makes a loss; it's the car maintenance services that make a profit" to avoid security liability. Instead, if you're putting the app on the market as an attempt at making a profit, or if you're putting it on the market and actually making a profit, then you're liable for security fixes into the future.
Note, too, that the CRA only requires security fixes to be available at no extra cost; it does not impose other liabilities on suppliers (other liabilities, like fitness for purpose, are pre-existing, and have been around for decades).
- sure, if costs will rise or expenses are on the horizon taking more now would be OK as long as they're still in the just mentioned vicinity
Google is a dangerous example here, because the CRA is also meant to stop Google claiming that your "Google One" subscription is just for storage, and thus they cannot be liable to you for security issues in GSheets.
The CRA applies because it is a product on the market, and none of the exceptions apply - it's something that Google does try to make money from, and thus the CRA applies whether or not you are paying Google for GSheets specifically.
The CRA says that unless one of two exceptions apply, placing the product on the market (which is what is done when you publish software, even for free) incurs liability for security support, in addition to your pre-existing liability for fitness for purpose (which is independent of the CRA - the CRA doesn't mandate that the product works, or that it's useful for a purpose, because that's covered by existing EU law). The exceptions exist for the benefit of open source, so that we don't incur liability for placing open source on the market for free.
No, a commercial activity does not require record keeping in the EU. Making a download available for free, or offering something that I can pick up for free, absolutely can be "making available in the market", if it's related (not tied to, but related to) something from which I expect to make money.
Because your post sounds like a speculation and applying "common sense" to law matters. Which helps no one but increase disinformation and noise on LWN.
This is not legal advice - this is forwarding on conversations I've had with a lawyer.
This is definitely a case where you're applying your "common sense" ideas of what the law "should" be, and ought to talk to an actual lawyer.
To all of the folks debating (again) this issue... do we really think that we are going to come to any sort of useful conclusion here? Please think twice before going around the circle yet again.
Do we really want to continue?
A fair rule of thumb is that if you're doing the project as part of an institution, your institution's lawyers will handle the CRA for you - not least because if they're publishing it, they're the ones who face CRA liability, not you. If you're not trying to make a profit, and you're not making enough from the project in a year that paying for a lawyer to get you an answer backed by their professional insurance seems like a reasonable price to pay for peace of mind, then you're also not likely to be at risk.
You're rapidly getting into "ask a lawyer" territory - there are exceptions for cases where it's a genuine multi-institution project with no one institution in control, as well as for cases where you're asking for donations and not covering your total costs.
I've spoken to a lawyer about this, and got the following non-legal advice (noting that for this to be legal advice, it'd have to be from a paid-for lawyer, not one you're speaking to socially, nor indirect via me).
By your standard, all suppliers incur CRA liabilities, since all downloaders incur a liability towards the supplier on download to not breach the copyrights in the app.
Those are standard terms of art in EU law; they have a very clear meaning, and in the original drafts, where the exceptions to the CRA did not exist, would have resulted in liability for all software placed on the market in the EU.
As I understand it, it'd count as income, and therefore if it exceeded your costs, or if you intended it to exceed your costs (noting that your costs include market rate for your labour), then it'd bring you into the CRA's liability regime for security issues.
