Sidebar on the CRA, which was mentioned
Sidebar on the CRA, which was mentioned
Posted Oct 5, 2025 15:06 UTC (Sun) by farnz (subscriber, #17727)In reply to: Sidebar on the CRA, which was mentioned by mbunkus
Parent article: F-Droid and Google's Developer Registration Decree
I've spoken to a lawyer about this, and got the following non-legal advice (noting that for this to be legal advice, it'd have to be from a paid-for lawyer, not one you're speaking to socially, nor indirect via me).
Having the app on the app store for free, by itself, is placing the app on the market, but just placing something on the market is necessary but not sufficient for the CRA to kick in.
For the CRA to kick in, you need to place software on the market, and attempt to make a profit from it, either directly (by attaching it to an income stream that exceeds, or that you expect to exceed, your costs) or indirectly (by using the software to drive sales of something else, such as hardware you sell under your own brand, or hardware you resell). This does imply that, for example, a Kia dealership not owned by Kia/Hyundai who offers a free app to make Kia ownership better incurs CRA liability, even though they don't make Kias, because they're attempting to indirectly profit by making it more likely that someone will buy a Kia, and thus more likely that they'll sell a car.
Note, though, that the CRA is only about long-term security support; you already, by placing your free app on the market, incur liability under EU laws relating to fitness for purpose etc. It's just the security side that's new, not the functionality side.
Posted Oct 5, 2025 17:40 UTC (Sun)
by mbunkus (subscriber, #87248)
[Link] (4 responses)
> Having the app on the app store for free, by itself, is placing the app on the market
I guess having it downloadable from any website that's reachable from any of the market's locations is making it available there. So it's good that just by having in the store (for the same condition as it's already available from that other location) is not imposing anything extra here.
Posted Oct 5, 2025 20:05 UTC (Sun)
by Wol (subscriber, #4433)
[Link] (3 responses)
> (21) ‘placing on the market’ means the first making available of a product with digital elements on the Union market;
> (22) ‘making available on the market’ means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;
Okay, I agree that clause 22 could be clearer, but as I read it, it is "the act of supply", which means that whether it is commercial activity or not can depend on the supplier charging for it, or on the relationship of the recipient to the supplier.
As such, if the supplier makes it available for download for free no strings attached, that is clearly NOT commercial activity. If the supplier makes a charge for it, it is clearly commercial activity. If you can pay for a code that makes your copy ad-free, that makes a non-commercial download into a commercial transaction.
So the SAME software, from the SAME site, can be both commercial, or non-commercial, depending on the status of the downloader.
As I see it, it is extremely clear. If the downloader incurs no liabilities towards the supplier on download, likewise the supplier incurs no liabilities (including the CRA) towards the downloader.
Cheers,
Posted Oct 6, 2025 8:03 UTC (Mon)
by farnz (subscriber, #17727)
[Link] (2 responses)
That's not the CRA's standard, because the CRA has exceptions where the monetized product on the market is independent and unrelated to the product you're claiming incurs CRA liability, and where the monetization neither exceeds nor is intended to exceed the costs incurred in creating the product and putting it on the market.
The whole reason there's been such a fuss in open source circles around the CRA is that those exceptions didn't appear originally in the CRA, and that meant that it was completely impossible for an open source developer who makes a profit from some other activity (e.g. jam-making) to provide a product for free without incurring liability for security fixes in the future under the CRA. The exceptions have been added to protect people who are doing this "for the love of open source", while not providing wiggle room for someone like Google or Facebook to say "our products are provided for free, therefore we're not liable for keeping them secured".
Posted Oct 6, 2025 10:56 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (1 responses)
Because of terms like "place on the market", and "commercial activity" weren't made clear in the act itself.
Saying "but if I sell jam, my software falls under the CRA" is *clearly* crying wolf. Supplying software clearly has nothing to with selling jam, and once you look up those terms, that's extremely clear. The issue was, is, and always has been companies who both sell and give away software - to what extent does selling software (or hardware that needs software) bleed over into giving stuff away.
How do we make sure that giving software away "no strings attached" does not trigger the CRA - I think you're far too eager to make it trigger when it shouldn't.
But if I can't use the hardware I paid you for, without software (free or not, provided by you or not), then the CRA needs to kick in (likewise if the software I paid you for requires other 3rd-part software to work, the CRA needs to kick in).
Cheers,
Posted Oct 6, 2025 10:58 UTC (Mon)
by farnz (subscriber, #17727)
[Link]
This was not the intention of the Act's drafters, and they resolved this once it was brought to their attention - it would, however, have been a disaster for open source if the original wording had been intended, since it covered most software in the EU (MSDN samples would have been an exception, since they're not supplied as a product, but as documentation).
Posted Oct 5, 2025 19:25 UTC (Sun)
by Wol (subscriber, #4433)
[Link]
Where does it say that? Trying to drive sales is perfectly okay, and doesn't trigger the CRA as far as I can tell (why should it?).
It's the inverse that's the problem - driving downloads by making that a requirement for the correct functioning of products you sell. That's a clear example of trying to do an end run around the CRA, and you'll get slammed for it.
Cheers,
Posted Oct 6, 2025 12:12 UTC (Mon)
by pizza (subscriber, #46)
[Link] (1 responses)
...In this context, does "monetizing the software via embedded advertisements" count as direct income, indirect income, or not at all?
Posted Oct 6, 2025 12:54 UTC (Mon)
by farnz (subscriber, #17727)
[Link]
Note that the only reason the CRA has direct and indirect income at all is to make clear that you can't say things like "I'm not charging for the app - I'm charging for extra storage", or "the app makes a loss; it's the car maintenance services that make a profit" to avoid security liability. Instead, if you're putting the app on the market as an attempt at making a profit, or if you're putting it on the market and actually making a profit, then you're liable for security fixes into the future.
Note, too, that the CRA only requires security fixes to be available at no extra cost; it does not impose other liabilities on suppliers (other liabilities, like fitness for purpose, are pre-existing, and have been around for decades).
Sidebar on the CRA, which was mentioned
Sidebar on the CRA, which was mentioned
Wol
By your standard, all suppliers incur CRA liabilities, since all downloaders incur a liability towards the supplier on download to not breach the copyrights in the app.
Sidebar on the CRA, which was mentioned
Sidebar on the CRA, which was mentioned
Wol
Those are standard terms of art in EU law; they have a very clear meaning, and in the original drafts, where the exceptions to the CRA did not exist, would have resulted in liability for all software placed on the market in the EU.
Sidebar on the CRA, which was mentioned
Sidebar on the CRA, which was mentioned
Wol
Sidebar on the CRA, which was mentioned
As I understand it, it'd count as income, and therefore if it exceeded your costs, or if you intended it to exceed your costs (noting that your costs include market rate for your labour), then it'd bring you into the CRA's liability regime for security issues.
Sidebar on the CRA, which was mentioned