Sidebar on the CRA, which was mentioned
Posted Oct 6, 2025 11:18 UTC (Mon) by farnz (subscriber, #17727) In reply to: Sidebar on the CRA, which was mentioned by Wol
Parent article: F-Droid and Google's Developer Registration Decree
The CRA says that unless one of two exceptions applies, placing the product on the market (which is what is done when you publish software, even for free) incurs liability for security support, in addition to your pre-existing liability for fitness for purpose (which is independent of the CRA - the CRA doesn't mandate that the product works, or that it's useful for a purpose, because that's covered by existing EU law). The exceptions exist for the benefit of open source, so that we don't incur liability for placing open source on the market for free.
Exception one is for cases where you give away the product with digital elements for free, and do not have an income from the software or related services that exceeds your costs, or that is intended to exceed your costs. GSheets does not fall under this exception, because storage for my GSheets spreadsheets is part of my Google One account, and therefore this exception does not apply.
Exception two is for cases where use of the product with digital elements does not relate to your commercial activities, and thus the free application cannot be an incentive for the user to spend on your commercial activities. For GSheets, that's not true - GSheets uses my storage, and if I wasn't paying for a Google One account, I would currently be unable to use GSheets due to a lack of storage quota at Google. Thus, since one reason for me to pay for storage is to allow me to use GSheets, this exception can't apply either.
Once again, this is extremely deliberate; it's so easy to factor digital products into pieces, and so you want it to be very hard to factor out a "safe" product (cloud storage) from the high security risk products, as otherwise it becomes easy for the big players to avoid any CRA liability whatsoever.
Posted Oct 6, 2025 15:04 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (8 responses)
And in this case YOU DO NOT NEED AN EXCEPTION.
> (22) ‘making available on the market’ means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;
If I supply JAM in the course of a commercial activity, then I am making my JAM "available on the market". If I am placing software on my jam-business server as a favour to whoever wants to download, that is NOT in the course of a commercial activity, therefore is NOT "making available on the market".
Let's do a quick Gedanken experiment. As an *absolute* *minimum*, a commercial activity requires record keeping, no? So I turn off logging and have no records whatsoever about who downloads what. What impact will that have on my jam business? *None* *whatsoever*.
So simply making downloads available for free CANNOT be "in the course of a commercial activity" therefore cannot be "making available on the market", therefore cannot trigger CRA liability.
Google is under no legal obligation to keep track of who uses Gsheets. Therefore if they turned logs off, that would be the end of any possible CRA liability. (The CRA explicitly permits SOME logging and data collection that will not trigger liability - limited pretty much to data needed to improve the software.)
In order to trigger CRA liability, the supply of the software MUST be "in the course of commercial activity". That is why when I download my insurer's app, it DOES trigger the CRA, because my insurance requires me to use it. When a different customer downloads it, it DOESN'T trigger the CRA, because the insurer doesn't care whether they use it or not.
Cheers,
Posted Oct 6, 2025 15:14 UTC (Mon)
by farnz (subscriber, #17727)
[Link] (7 responses)
For example, a jam sugar vendor putting out a basket of free fruit suitable for jam making outside the store for anyone to pick from is making that fruit available in the market, because it's related to their commercial activities of selling jam sugar.
Given that, Google is absolutely unable to escape CRA liability for GSheets as long as it sells storage for use with GSheets (among other Google products). It can't say "we only do the storage as a commercial activity", precisely because if no Google product used Google storage, many fewer people would buy Google storage.
Posted Oct 6, 2025 16:00 UTC (Mon)
by zdzichu (subscriber, #17118)
[Link] (6 responses)
Posted Oct 6, 2025 16:04 UTC (Mon)
by farnz (subscriber, #17727)
[Link] (5 responses)
Posted Oct 6, 2025 16:38 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (4 responses)
My motto is "trust but verify" when dealing with "the professionals", because they're wrong more often than not. And that includes when I'm paying them! Lawyers especially, but we (as a family) have been badly hurt by doctors, too ...
Seriously, putting free fruit outside your door for other people can be classed as a business activity? It is a cardinal principle of Free Software, that whatever you do with one piece of software MUST NOT impact what you're allowed to do with a different piece of software.
Saying that your jam sugar business is affected - in any way whatsoever - by the fact that you leave surplus fruit outside your door (and vice versa), is a complete breach of Free Software principles. And it's almost certainly a breach of business principles too, otherwise what's the point of breaking a company up into subsidiaries? One reason they do it is to prevent legal liabilities leaking between entities!!!
And I can't see a Judge buying the claim that leaving fruit outside your door in a "wing and a prayer" hope that they'll buy your sugar, connects the two activities in any legal way shape or form whatsoever.
Gedanken experiment again - if you have ABSOLUTELY NO RECORDS - how are the Revenue going to tax the free fruit you left outside? And if there are no records, how are they going to prove it was you? (There's a strong argument that other people's testimony is irrelevant, because if "I saw someone leaving fruit outside your door" is innocent for pretty much everyone, surely that "everyone" includes you!)
Cheers,
Posted Oct 6, 2025 17:00 UTC (Mon)
by pizza (subscriber, #46)
[Link] (2 responses)
WTF do the "Cardinal Principles of Free Software" have to do with the legal definition of commercial activity in your (or any other) jurisdiction?
(BTW, in my jurisdiction, the threshold for "commercial activity" is _very_ low indeed)
Posted Oct 6, 2025 23:14 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (1 responses)
If two things have no causal connection, they should not affect each other in any way. Be it Free Software (as required by DSG), or business activity. Certainly in the UK, one major point of subsidiaries in business is to show the absence of causal connection between them.
> (BTW, in my jurisdiction, the threshold for "commercial activity" is _very_ low indeed)
How low? Kids collecting stamps and swapping them in the playground? I'd define it as "an activity that requires keeping records in pursuit of being sustainable". I didn't use the word "profit", because we have the concept of non-profits, but they have to avoid losing money in order to survive.
Cheers,
Posted Oct 6, 2025 23:39 UTC (Mon)
by pizza (subscriber, #46)
[Link]
How *you* define it doesn't matter one scintilla. What matters is what the IRS or HMRC (or the equivalent for your jurisdiction) says it is.
Posted Oct 6, 2025 17:08 UTC (Mon)
by farnz (subscriber, #17727)
[Link]
The details are complex, and the reason it's set the way it is is that they want to stop you breaking into parts in order to escape a liability that you would otherwise incur; that's why the original CRA drafts had no exceptions at all (which would have been a disaster for open source), and why the exceptions to liability that now exist are non-trivial.
Posted Oct 6, 2025 16:09 UTC (Mon)
by paulj (subscriber, #341)
[Link] (15 responses)
If the CRA doesn't put obligations on you there, and you can happily get people to fund you and put the ongoing code onto a public git without fear of CRA obligations: What if that code starts to become useful to others, see use, and you start to get bug reports and feature requests, and you try to handle those where you can, and you have some kind of "If you found this useful, consider donating to help with the development costs" - does the CRA then kick in?
Posted Oct 6, 2025 16:44 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (13 responses)
Read the CRA. The answer is "no". If you solicit donations with no INTENTION of making a profit, then whether you actually do or not is irrelevant.
I used to run the refreshment stall as a student rep, when the Uni had course choice open days. We put up a big sign saying "suggested donation ..." but we did NOT enforce it. It's illegal to sell alcohol without a licence. If anyone said "I haven't any money", we said "take it, you can always put extra in next time". We always made a profit, and the Revenue couldn't touch us. If we'd said "no donation, no drink ..." and been caught I think we'd have been in front of the beak in *very* short order.
Cheers,
Posted Oct 6, 2025 16:51 UTC (Mon)
by paulj (subscriber, #341)
[Link] (12 responses)
Is there some line where this can cross over into the kind of commercial activity that brings the CRA down on my head?
What if someone approaches me and says "I could really use this feature, why don't you tell me how long it'd take you and how big a donation I should make to have you work on that exclusively?". Does the CRA kick in then?
Where is the line?
Posted Oct 6, 2025 17:03 UTC (Mon)
by corbet (editor, #1)
[Link] (10 responses)
Posted Oct 6, 2025 17:11 UTC (Mon)
by paulj (subscriber, #341)
[Link] (9 responses)
Maybe it's already covered elsewhere in the debate, and I missed it.
I genuinely have no idea what the implications of the CRA are for me... By some accounts here, it's nothing. By others, fairly normal Free Software activities might conceivably tie me up in CRA obligations for years to come. I really don't know.
Posted Oct 6, 2025 17:16 UTC (Mon)
by farnz (subscriber, #17727)
[Link] (8 responses)
The people who need to care are those who are making enough from a project outside of their employment that €1,000 for a lawyer is under a tenth of the annual income from their project, and those intending to make a profit (even if they're not making one now).
Posted Oct 7, 2025 9:22 UTC (Tue)
by paulj (subscriber, #341)
[Link] (7 responses)
What if I, as part of this journey from a research project sponsored by donations towards a self-sustaining Free Software project that lives off both general sponsorship and specific contracts to continue the work, am at the stage where I want to set up a small company (non-profit[1]) to hold the assets and be the nexus for donations and allocating funds to the sponsored developers. Do I need to start worrying at that stage about CRA lawyers? That's an additional expense over the accountants' fees to set up and maintain the company.
From what you say, the technical stewards of such an effort would need to start worrying about CRA at about that point.
1. Non-profit, but not a charity. The whole 501(c)(3) thing in the USA for Free Software sponsorship foundations largely stinks - at least certainly is ripe for abuse (which I have seen, in the brief time I was with a small foundation). Thankfully, charitable status is much much harder to get over here in the Celtic Isles.
Posted Oct 7, 2025 12:04 UTC (Tue)
by Wol (subscriber, #4433)
[Link] (6 responses)
Very much so. BUT. You're now a small company. You are providing services, for which you need to keep books. You just make it EXplicit in your contracts whether or not you are affixing the CE mark (or CRA equivalent) to your software.
The software needs a CRA mark. Does your contract say you are a middle-man providing development services to your customers - in which case presumably they affix the mark and pay you extra to fix problems; or are you providing them with the software as a product, in which case you affix the mark and need to budget for bug-fixing from your own budget.
Once you're a company your contracts will state who is liable.
I won't say that's simpler - as you know my position is "no contract no liability", but that seems to be a bit contentious ...
Cheers,
Posted Oct 7, 2025 12:24 UTC (Tue)
by paulj (subscriber, #341)
[Link] (5 responses)
That's fine. Throw X hundred per month at the accountants to whatever is necessary to maintain the necessary web portal for me to add whatever required records and them to take care of whatever else is necessary. They don't know anything about and aren't going to touch CRA stuff though. ;)
> Does your contract say you are a middle-man providing development services to your customers - in which case presumably they affix the mark and pay you extra to fix problems;
Aha. Ok... So, that avoids the issues. I just remain a "development services" firm/NPO, and the Free Software I/we publish is just the sample code of what I/we can provide services for?
I'd hate to think that I could get stuck with loads of red-tape obligations or, worse, must-do-free-work obligations (e.g. requiring me to handle security reports), just 'cause I/we put some code that we developed for a /paying/ "customer" on a consultancy / development services basis on whichever GitHub?
Posted Oct 7, 2025 13:58 UTC (Tue)
by Wol (subscriber, #4433)
[Link] (4 responses)
The idea of the CRA is to apply *exactly* the same logic. A CRA mark *MUST* be applied to every digital component. In the case of a fault, the authorities will follow the chain, from the finished product manufacturer, all the way down to guys who applied the CRA mark to the faulty software.
And if Jo Bloggs Inc downloads your software, puts it into their product as a component, and has trouble with it, the authorities will go hunting for the guys who affixed the mark. If they find you, and you go "Huh? Who's Jo Bloggs Inc?" the authorities will go back to Jo Bloggs Inc and demand to know who affixed the mark. If you have no contract with Jo Bloggs Inc, they have absolutely NO evidence that a mark exists, therefore the authorities will say "You (Jo Bloggs) affixed your mark to your product. Because paulj's software had no mark, therefore Jo Bloggs applied the mark to paulj's software, therefore it's Jo Bloggs' problem".
So it's down to you whether you sell development services and don't affix a mark, or sell a maintenance contract which presumably will include a mark (your customer would be mad to accept a maintenance contract without it). And because the mark is part of the maintenance contract, nobody else can come along and say "hey I'm going to use the same mark".
Cheers,
Posted Oct 10, 2025 16:15 UTC (Fri)
by kleptog (subscriber, #1183)
[Link] (3 responses)
Right. This is the critically important thing I see many people missing here. The terms of the CRA do not apply to the product itself, they apply to the *contract between you and the customer*. They're basically standard Terms and Conditions.
Hence, statements like "is Google Sheets covered by the CRA?" are meaningless. The correct statement is "when I am using Google Sheets, does the CRA apply to our contractual relationship?". Now, since Google probably doesn't feel like maintaining two different versions of Google Sheets, if you're using it for free you probably get the benefits of the CRA, except Google doesn't actually owe you anything. Only the people who actually pay to use Google Sheets (Google Workspace users basically).
You're a non-profit holding some trademarks and keeping a website in the air? The CRA doesn't apply because you don't even know who is downloading stuff. Who are the parties to the contract it would apply to?
Someone clicked on your "donate" button and gave you some money? Again, you never offered them anything so there is no contract for the CRA to apply to.
The only people that need to care are people offering services to do things with free software. They need to make clear they're not actually selling the software, but the end-user is getting that from the original source. I'm sure FSF-Europe or similar have some standard verbiage for that. There are provisions to prevent companies saying things like "you're buying a Splunk service, the Splunk software itself is free and so no CRA". The basic principle is not complicated though.
Posted Oct 10, 2025 18:01 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
I got a preliminary reply about that, and it's apparently a gray area. While Google is not getting money from you directly, it's still getting (significant) income from showing ads for the free GSheets version. So even it is likely to be covered by the CRA.
Posted Oct 10, 2025 18:59 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
And again, if Google is receiving money from the ad vendors, it is the VENDORS who are covered by the CRA, not users.
Cheers,
Posted Oct 10, 2025 18:57 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
Simply said, you're paying Splunk for a service. So everything Splunk says you need to access the service is covered. Take eg a mail-server.
If Splunk says "you can use the mail client of your choice to access our server", then the client isn't covered. BUT.
If Splunk says "you can only access our server if you're using Outlook", then Splunk is on the hook for security problems with Outlook. Sounds unfair? Well, if you can't access the service you've paid for, without using dodgy insecure software, the CRA doesn't care. Splunk had better have a contract in place with Microsoft !!!
Cheers,
Posted Oct 6, 2025 22:54 UTC (Mon)
by Wol (subscriber, #4433)
[Link]
> Where is the line?
Sorry Jon, but yes I would say this is at serious risk of crossing the line. You are entering into an agreement, a contract. "A donation in return for you committing to this feature" is not a donation. It's probably easy to avoid CRA liability - make the contract say you'll write the code, add it to the free software, and that's the end of your liability. But this is where I *would* get advice from a lawyer. One who SPECIALISES in the subject. After all, now you're being paid BY CONTRACT, you can pay for the lawyer :-)
Cheers,
Posted Oct 6, 2025 17:09 UTC (Mon)
by farnz (subscriber, #17727)
[Link]
Your downstream users, of course, may well still have CRA obligations; just because your supplier is exempt doesn't mean you are too.
No, a commercial activity does not require record keeping in the EU. Making a download available for free, or offering something that I can pick up for free, absolutely can be "making available in the market", if it's related (not tied to, but related to) something from which I expect to make money.
Because your post sounds like a speculation and applying "common sense" to law matters. Which helps no one but increase disinformation and noise on LWN.
This is not legal advice - this is forwarding on conversations I've had with a lawyer.
This is definitely a case where you're applying your "common sense" ideas of what the law "should" be, and ought to talk to an actual lawyer.
To all of the folks debating (again) this issue... do we really think that we are going to come to any sort of useful conclusion here? Please think twice before going around the circle yet again.
Do we really want to continue?
A fair rule of thumb is that if you're doing the project as part of an institution, your institution's lawyers will handle the CRA for you - not least because if they're publishing it, they're the ones who face CRA liability, not you. If you're not trying to make a profit, and you're not making enough from the project in a year that paying for a lawyer to get you an answer backed by their professional insurance seems like a reasonable price to pay for peace of mind, then you're also not likely to be at risk.
You're rapidly getting into "ask a lawyer" territory - there are exceptions for cases where it's a genuine multi-institution project with no one institution in control, as well as for cases where you're asking for donations and not covering your total costs.
