Sidebar on the CRA, which was mentioned
Posted Oct 5, 2025 16:07 UTC (Sun) by Wol (subscriber, #4433)
In reply to: Sidebar on the CRA, which was mentioned by pizza
Parent article: F-Droid and Google's Developer Registration Decree
And don't forget, the Americans tried to get the GPL etc declared invalid because *money* wasn't involved. Hence the wording "whether in return for payment or free of charge".
"Commercial Activity" means "exchange of value" by means of an agreed, enforceable agreement - call it a contract if you like. And this clearly includes offering software FOR MONEY, because it's called "an offer to treat, agreement, exchange of consideration" which is classed as a form of contract. But it CAN include Free Software, if that's mentioned in the agreement.
So as I keep on saying, "follow the contract". If there is no LEGAL agreement in place, then there can be no liability under the CRA. Indeed, my insurance contract is a classic example of where and where not the CRA is intended to apply ...
The insurer makes the app available to ANYone to download. NO liability.
It's not, actually, of any use to anyone without a paid up insurance contract in place. Commercial Activity.
For MOST policy holders, the app is a "take it or leave it" job - it gives the policyholder the means to check up on their policy. NO liability.
For SOME policy holders the app is a contractual responsibility - the insurer can check up on the policy holder (I accepted that partly because I didn't realise what was going on, partly because it halved the premium). Contract (commercial activity) in place. Contract covers use of the app. CRA LIABILITY.
This is meant to protect people like Google, Microsoft et al. Just because you pay Google for extra storage, doesn't let you claim CRA for a bug in GSheets. Just because you've paid for Windows and MSDN, doesn't mean you get to claim CRA against the software in MSDN (because, iirc, you're not supposed to use it for commercial activity! ... It's "evaluation and development" only, so by definition it shouldn't be a security risk).
Cheers,
Wol
Posted Oct 5, 2025 17:57 UTC (Sun) by farnz (subscriber, #17727)
This is a lot of what makes the CRA a challenge to interpret; it's trying to prevent you avoiding liability for your security flaws by saying "we don't sell software, we sell storage" and things of that nature. Instead, stuff that you're giving away in order to make money elsewhere also comes into scope - sure, Google give away GSheets access for free, but the CRA liability for security flaws comes in because it's given away for free in order to encourage you to spend money on other things Google sells.
Posted Oct 5, 2025 19:04 UTC (Sun) by Wol (subscriber, #4433)
My company has a support contract in place with Google, we pay for Google Suite, so the CRA most definitely DOES apply.
> Google give away GSheets access for free, but the CRA liability for security flaws comes in because it's given away for free in order to encourage you to spend money on other things Google sells.
I would disagree very strongly. Just because you take advantage of Google's "for free" offer, this does not, and is not meant to, bring the CRA into it. As soon as you *spend* that money, and Google Suite (or whatever else) is even *mentioned* in some sort of "for consideration" agreement, then the CRA kicks in for that product and customer, but not before. The whole point of the "Free Software" part of the CRA is to make sure that a "no strings attached" offer cannot invoke CRA liability. Whether it's a lone developer or billion-dollar company. As soon as strings are attached, it's no longer classed as being offered for free, and is "on the market" (ie offered *for*sale*), and the CRA does kick in. That's the point about my insurance. The software is offered to everyone for free. There are contractual strings attached to MY use of it, therefore *I* can invoke the CRA.
(I get your point about Google selling "Google One" disk space, but that was very much in the forefront of the minds of the Free Software people getting the rules clarified. Selling one service should not have any impact on how an unrelated service is treated. Selling on-line disk space should not have any impact on how making software available online or for download is treated. Debian / FSF guidelines explicitly forbid allowing terms that impact on unrelated software, do they not? Making that clear was a major part of the changes to CRA.)
That's why I said the CRA doesn't apply to MSDN - part of the terms of having an MSDN subscription is you shouldn't be using it where it can be a security risk. (Plus the subscription entitles you to the latest version extant at the time of your subscription - all rights explicitly die with the subscription.)
Cheers,
Posted Oct 6, 2025 7:52 UTC (Mon) by farnz (subscriber, #17727)
The exceptions that might apply are exceptions where the storage space cannot be used for GSheets (making it fully independent and unrelated), or where there is no profit or attempt to profit from monetization. Neither of those apply here, and thus the fact that Google sells "Google One" subscriptions, which benefit you if you use GSheets, is enough to bring CRA liability into play.
If we take my car dealership hypothetical from earlier a step further; once the dealership stops selling Kias and switches to selling Fords, if it still offers its Kia app for free, it no longer incurs CRA liability for future downloads of the app; because the app is now unrelated to any commercial activity on the dealership's part, its CRA liability ends the appropriate amount of time after the last download of the app that preceded them stopping selling Kias.
This is very, very deliberate on the part of the drafters of the CRA, because otherwise it becomes too simple to escape liability by making a "no strings attached" offer for the security-relevant components, while charging for other things that are useless without the "free" bit attached.
Posted Oct 6, 2025 10:45 UTC (Mon) by Wol (subscriber, #4433)
Where do you draw the line? I think you're drawing it far too oppressively.
> while charging for other things that are useless without the "free" bit attached.
Couldn't agree more with this bit. But applying the CRA to Gsheets, because the customer is paying for disk space, is taking it too far ...
Cheers,
Posted Oct 6, 2025 11:18 UTC (Mon) by farnz (subscriber, #17727)
Exception one is for cases where you give away the product with digital elements for free, and do not have an income from the software or related services that exceeds your costs, or that is intended to exceed your costs. GSheets does not fall under this exception, because storage for my GSheets spreadsheets is part of my Google One account, and therefore this exception does not apply.
Exception two is for cases where use of the product with digital elements does not relate to your commercial activities, and thus the free application cannot be an incentive for the user to spend on your commercial activities. For GSheets, that's not true - GSheets uses my storage, and if I wasn't paying for a Google One account, I would currently be unable to use GSheets due to a lack of storage quota at Google. Thus, since one reason for me to pay for storage is to allow me to use GSheets, this exception can't apply either.
Once again, this is extremely deliberate; it's so easy to factor digital products into pieces, and so you want it to be very hard to factor out a "safe" product (cloud storage) from the high security risk products, as otherwise it becomes easy for the big players to avoid any CRA liability whatsoever.
Posted Oct 6, 2025 15:04 UTC (Mon) by Wol (subscriber, #4433)
And in this case YOU DO NOT NEED AN EXCEPTION.
> (22) ‘making available on the market’ means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;
If I supply JAM in the course of a commercial activity, then I am making my JAM "available on the market". If I am placing software on my jam-business server as a favour to whoever wants to download, that is NOT in the course of a commercial activity, therefore is NOT "making available on the market".
Let's do a quick Gedanken experiment. As an *absolute* *minimum*, a commercial activity requires record keeping, no? So I turn off logging and have no records whatsoever about who downloads what. What impact will that have on my jam business? *None* *whatsoever*.
So simply making downloads available for free CANNOT be "in the course of a commercial activity" therefore cannot be "making available on the market", therefore cannot trigger CRA liability.
Google is under no legal obligation to keep track of who uses Gsheets. Therefore if they turned logs off, that would be the end of any possible CRA liability. (The CRA explicitly permits SOME logging and data collection that will not trigger liability - limited pretty much to data needed to improve the software.)
In order to trigger CRA liability, the supply of the software MUST be "in the course of commercial activity". That is why when I download my insurer's app, it DOES trigger the CRA, because my insurance requires me to use it. When a different customer downloads it, it DOESN'T trigger the CRA, because the insurer doesn't care whether they use it or not.
Cheers,
Posted Oct 6, 2025 15:14 UTC (Mon) by farnz (subscriber, #17727)
For example, a jam sugar vendor putting out a basket of free fruit suitable for jam making outside the store for anyone to pick from is making that fruit available in the market, because it's related to their commercial activities of selling jam sugar.
Given that, Google is absolutely unable to escape CRA liability for GSheets as long as it sells storage for use with GSheets (among other Google products). It can't say "we only do the storage as a commercial activity", precisely because if no Google product used Google storage, many fewer people would buy Google storage.
Posted Oct 6, 2025 16:00 UTC (Mon) by zdzichu (subscriber, #17118)
Posted Oct 6, 2025 16:04 UTC (Mon) by farnz (subscriber, #17727)
Posted Oct 6, 2025 16:38 UTC (Mon) by Wol (subscriber, #4433)
My motto is "trust but verify" when dealing with "the professionals", because they're wrong more often than not. And that includes when I'm paying them! Lawyers especially, but we (as a family) have been badly hurt by doctors, too ...
Seriously, putting free fruit outside your door for other people can be classed as a business activity? It is a cardinal principle of Free Software, that whatever you do with one piece of software MUST NOT impact what you're allowed to do with a different piece of software.
Saying that your jam sugar business is affected - in any way whatsoever - by the fact that you leave surplus fruit outside your door (and vice versa), is a complete breach of Free Software principles. And it's almost certainly a breach of business principles too, otherwise what's the point of breaking a company up into subsidiaries? One reason they do it is to prevent legal liabilities leaking between entities!!!
And I can't see a Judge buying the claim that leaving fruit outside your door in a "wing and a prayer" hope that they'll buy your sugar, connects the two activities in any legal way shape or form whatsoever.
Gedanken experiment again - if you have ABSOLUTELY NO RECORDS - how are the Revenue going to tax the free fruit you left outside? And if there are no records, how are they going to prove it was you? (There's a strong argument that other people's testimony is irrelevant, because if "I saw someone leaving fruit outside your door" is innocent for pretty much everyone, surely that "everyone" includes you!)
Cheers,
Posted Oct 6, 2025 17:00 UTC (Mon) by pizza (subscriber, #46)
WTF do the "Cardinal Principles of Free Software" have to do with the legal definition of commercial activity in your (or any other) jurisdiction?
(BTW, in my jurisdiction, the threshold for "commercial activity" is _very_ low indeed)
Posted Oct 6, 2025 23:14 UTC (Mon) by Wol (subscriber, #4433)
If two things have no causal connection, they should not affect each other in any way. Be it Free Software (as required by DSG), or business activity. Certainly in the UK, one major point of subsidiaries in business is to show the absence of causal connection between them.
> (BTW, in my jurisdiction, the threshold for "commercial activity" is _very_ low indeed)
How low? Kids collecting stamps and swapping them in the playground? I'd define it as "an activity that requires keeping records in pursuit of being sustainable". I didn't use the word "profit", because we have the concept of non-profits, but they have to avoid losing money in order to survive.
Cheers,
Posted Oct 6, 2025 23:39 UTC (Mon) by pizza (subscriber, #46)
How *you* define it doesn't matter one scintilla. What matters is what the IRS or HMRC (or the equivalent for your jurisdiction) says it is.
Posted Oct 6, 2025 17:08 UTC (Mon) by farnz (subscriber, #17727)
The details are complex, and the reason it's set the way it is is that they want to stop you breaking into parts in order to escape a liability that you would otherwise incur; that's why the original CRA drafts had no exceptions at all (which would have been a disaster for open source), and why the exceptions to liability that now exist are non-trivial.
Posted Oct 6, 2025 16:09 UTC (Mon) by paulj (subscriber, #341)
If the CRA doesn't put obligations on you there, and you can happily get people to fund you and put the ongoing code onto a public git without fear of CRA obligations: What if that code starts to become useful to others, see use, and you start to get bug reports and feature requests, and you try to handle those where you can, and you have some kind of "If you found this useful, consider donating to help with the development costs" - does the CRA then kick in?
Posted Oct 6, 2025 16:44 UTC (Mon) by Wol (subscriber, #4433)
Read the CRA. The answer is "no". If you solicit donations with no INTENTION of making a profit, then whether you actually do or not is irrelevant.
I used to run the refreshment stall as a student rep, when the Uni had course choice open days. We put up a big sign saying "suggested donation ..." but we did NOT enforce it. It's illegal to sell alcohol without a licence. If anyone said "I haven't any money", we said "take it, you can always put extra in next time". We always made a profit, and the Revenue couldn't touch us. If we'd said "no donation, no drink ..." and been caught I think we'd have been in front of the beak in *very* short order.
Cheers,
Posted Oct 6, 2025 16:51 UTC (Mon) by paulj (subscriber, #341)
Is there some line where this can cross over into the kind of commercial activity that brings the CRA down on my head?
What if someone approaches me and says "I could really use this feature, why don't you tell me how long it'd take you and how big a donation I should make to have you work on that exclusively?". Does the CRA kick in then?
Where is the line?
Posted Oct 6, 2025 17:03 UTC (Mon) by corbet (editor, #1)
Posted Oct 6, 2025 17:11 UTC (Mon) by paulj (subscriber, #341)
Maybe it's already covered elsewhere in the debate, and I missed it.
I genuinely have no idea what the implications of the CRA are for me... By some accounts here, it's nothing. By others, fairly normal Free Software activities might conceivably tie me up in CRA obligations for years to come. I really don't know.
Posted Oct 6, 2025 17:16 UTC (Mon) by farnz (subscriber, #17727)
The people who need to care are those who are making enough from a project outside of their employment that €1,000 for a lawyer is under a tenth of the annual income from their project, and those intending to make a profit (even if they're not making one now).
Posted Oct 7, 2025 9:22 UTC (Tue) by paulj (subscriber, #341)
What if I, as part of this journey from a research project sponsored by donations towards a self-sustaining Free Software project that lives off both general sponsorship and specific contracts to continue the work, am at the stage where I want to set up a small company (non-profit[1]) to hold the assets and be the nexus for donations and allocating funds to the sponsored developers? Do I need to start worrying at that stage about CRA lawyers? That's an additional expense over the accountants' fees to set up and maintain the company.
From what you say, the technical stewards of such an effort, would need to start worrying about CRA at about that point.
1. Non-profit, but not a charity. The whole 501(c)(3) thing in the USA for Free Software sponsorship foundations largely stinks - at least certainly is ripe for abuse (which I have seen, in the brief time I was with a small foundation). Thankfully, charitable status is much much harder to get over here in the Celtic Isles.
Posted Oct 7, 2025 12:04 UTC (Tue) by Wol (subscriber, #4433)
Very much so. BUT. You're now a small company. You are providing services, for which you need to keep books. You just make it EXplicit in your contracts whether or not you are affixing the CE mark (or CRA equivalent) to your software.
The software needs a CRA mark. Does your contract say you are a middle-man providing development services to your customers - in which case presumably they affix the mark and pay you extra to fix problems; or are you providing them with the software as a product, in which case you affix the mark and need to budget for bug-fixing from your own budget.
Once you're a company your contracts will state who is liable.
I won't say that's simpler - as you know my position is "no contract no liability", but that seems to be a bit contentious ...
Cheers,
Posted Oct 7, 2025 12:24 UTC (Tue) by paulj (subscriber, #341)
That's fine. Throw X hundred per month at the accountants to do whatever is necessary to maintain the necessary web portal for me to add whatever required records and them to take care of whatever else is necessary. They don't know anything about and aren't going to touch CRA stuff though. ;)
> Does your contract say you are a middle-man providing development services to your customers - in which case presumably they affix the mark and pay you extra to fix problems;
Aha. Ok... So, that avoids the issues. I just remain a "development services" firm/NPO, and the Free Software I/we publish is just the sample code of what I/we can provide services for?
I'd hate to think that I could get stuck with loads of red-tape obligations or, worse, must-do-free-work obligations (e.g. requiring me to handle security reports), just cause I/we put some code that we developed for a /paying/ "customer" on a consultancy / development services basis on whichever GitHub. ?
Posted Oct 7, 2025 13:58 UTC (Tue) by Wol (subscriber, #4433)
The idea of the CRA is to apply *exactly* the same logic. A CRA mark *MUST* be applied to every digital component. In the case of a fault, the authorities will follow the chain, from the finished product manufacturer, all the way down to guys who applied the CRA mark to the faulty software.
And if Jo Bloggs Inc downloads your software, puts it into their product as a component, and has trouble with it, the authorities will go hunting for the guys who affixed the mark. If they find you, and you go "Huh? Who's Jo Bloggs Inc?" the authorities will go back to Jo Bloggs Inc and demand to know who affixed the mark. If you have no contract with Jo Bloggs Inc, they have absolutely NO evidence that a mark exists, therefore the authorities will say "You (Jo Bloggs) affixed your mark to your product. Because paulj's software had no mark, therefore Jo Bloggs applied the mark to paulj's software, therefore it's Jo Bloggs' problem".
So it's down to you whether you sell development services and don't affix a mark, or sell a maintenance contract which presumably will include a mark (your customer would be mad to accept a maintenance contract without it). And because the mark is part of the maintenance contract, nobody else can come along and say "hey I'm going to use the same mark".
Cheers,
Posted Oct 10, 2025 16:15 UTC (Fri) by kleptog (subscriber, #1183)
Right. This is the critically important thing I see many people missing here. The terms of the CRA do not apply to the product itself, they apply to the *contract between you and the customer*. They're basically standard Terms and Conditions.
Hence, statements like "is Google Sheets covered by the CRA?" are meaningless. The correct statement is "when I am using Google Sheets, does the CRA apply to our contractual relationship?". Now, since Google probably doesn't feel like maintaining two different versions of Google Sheets, if you're using it for free you probably get the benefits of the CRA, except Google doesn't actually owe you anything. Only the people who actually pay to use Google Sheets (Google Workspace users basically).
You're a non-profit holding some trademarks and keeping a website in the air? The CRA doesn't apply because you don't even know who is downloading stuff. Who are the parties to the contract it would apply to?
Someone clicked on your "donate" button and gave you some money? Again, you never offered them anything so there is no contract for the CRA to apply to.
The only people that need to care are people offering services to do things with free software. They need to make clear they're not actually selling the software, but the end-user is getting that from the original source. I'm sure FSF-Europe or similar have some standard verbiage for that. There are provisions to prevent companies saying things like "you're buying a Splunk service, the Splunk software itself is free and so no CRA". The basic principle is not complicated though.
Posted Oct 10, 2025 18:01 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)
I got a preliminary reply about that, and it's apparently a gray area. While Google is not getting money from you directly, it's still getting (significant) income from showing ads for the free GSheets version. So even it is likely to be covered by the CRA.
Posted Oct 10, 2025 18:59 UTC (Fri) by Wol (subscriber, #4433)
And again, if Google is receiving money from the ad vendors, it is the VENDORS who are covered by the CRA, not users.
Cheers,
Posted Oct 10, 2025 18:57 UTC (Fri) by Wol (subscriber, #4433)
Simply said, you're paying Splunk for a service. So everything Splunk says you need to access the service is covered. Take eg a mail-server.
If Splunk says "you can use the mail client of your choice to access our server", then the client isn't covered. BUT.
If Splunk says "you can only access our server if you're using Outlook", then Splunk is on the hook for security problems with Outlook. Sounds unfair? Well, if you can't access the service you've paid for, without using dodgy insecure software, the CRA doesn't care. Splunk had better have a contract in place with Microsoft !!!
Cheers,
Posted Oct 6, 2025 22:54 UTC (Mon) by Wol (subscriber, #4433)
> Where is the line?
Sorry Jon, but yes I would say this is at serious risk of crossing the line. You are entering into an agreement, a contract. "A donation in return for you committing to this feature" is not a donation. It's probably easy to avoid CRA liability - make the contract say you'll write the code, add it to the free software, and that's the end of your liability. But this is where I *would* get advice from a lawyer. One who SPECIALISES in the subject. After all, now you're being paid BY CONTRACT, you can pay for the lawyer :-)
Cheers,
Posted Oct 6, 2025 17:09 UTC (Mon) by farnz (subscriber, #17727)
Your downstream users, of course, may well still have CRA obligations; just because your supplier is exempt doesn't mean you are too.
Google is a dangerous example here, because the CRA is also meant to stop Google claiming that your "Google One" subscription is just for storage, and thus they cannot be liable to you for security issues in GSheets.
The CRA applies because it is a product on the market, and none of the exceptions apply - it's something that Google does try to make money from, and thus the CRA applies whether or not you are paying Google for GSheets specifically.
The CRA says that unless one of two exceptions apply, placing the product on the market (which is what is done when you publish software, even for free) incurs liability for security support, in addition to your pre-existing liability for fitness for purpose (which is independent of the CRA - the CRA doesn't mandate that the product works, or that it's useful for a purpose, because that's covered by existing EU law). The exceptions exist for the benefit of open source, so that we don't incur liability for placing open source on the market for free.
No, a commercial activity does not require record keeping in the EU. Making a download available for free, or offering something that I can pick up for free, absolutely can be "making available in the market", if it's related (not tied to, but related to) something from which I expect to make money.
Because your post sounds like a speculation and applying "common sense" to law matters. Which helps no one but increase disinformation and noise on LWN.
This is not legal advice - this is forwarding on conversations I've had with a lawyer.
This is definitely a case where you're applying your "common sense" ideas of what the law "should" be, and ought to talk to an actual lawyer.
To all of the folks debating (again) this issue... do we really think that we are going to come to any sort of useful conclusion here? Please think twice before going around the circle yet again.
Do we really want to continue?
A fair rule of thumb is that if you're doing the project as part of an institution, your institution's lawyers will handle the CRA for you - not least because if they're publishing it, they're the ones who face CRA liability, not you. If you're not trying to make a profit, and you're not making enough from the project in a year that paying for a lawyer to get you an answer backed by their professional insurance seems like a reasonable price to pay for peace of mind, then you're also not likely to be at risk.
You're rapidly getting into "ask a lawyer" territory - there are exceptions for cases where it's a genuine multi-institution project with no one institution in control, as well as for cases where you're asking for donations and not covering your total costs.
