|
|
Log in / Subscribe / Register

CRA

CRA

Posted Jan 2, 2026 19:44 UTC (Fri) by linuxrocks123 (subscriber, #34648)
Parent article: Kroah-Hartman: Linux kernel security work

The first thing I thought when reading this was, "What is the CRA? Did the EU do something stupid again?", and I looked it up and yes, the EU did something stupid again. I think I had probably heard about the CRA before but had forgotten.

Anyway, slightly off-topic, but things are getting to where I would really, very much like it if there were an organization maintaining a "countries, states, and provinces with stupid Internet laws" banlist. It could be subdivided into "hostile to websites that maintain user state" (California + EU), "hostile to websites dedicated to sexual content" (Texas, I'm disappointed to say, and probably other conservative US states thanks to a recent terrible Supreme Court decision), and perhaps other categories. Then, if I'm a webmaster, I can download a ready-made "f* these people" geoblock file which allows me to get on with my mission while ignoring these statist morons' edicts and punishing them and those who enable them with denial of service.

EFF would normally be a good organization to do this type of thing, but they aren't and won't be because they think their mission is to protect lusers instead of website operators. They were on the right side of the Texas sexual speech restrictions, at least. Maybe one day I'll maintain such lists if no one else steps up, but I thought I'd throw the idea out there in case these lists already exist and I'm just not aware of it, or in case someone wants to take the time to make it exist more than I do. My enthusiasm is at the level of "not a lot, but I'll do it if I have to for my own use, and, if I have to do it anyway, I'll make sure to share it."

to post comments

CRA

Posted Jan 2, 2026 20:42 UTC (Fri) by dskoll (subscriber, #1630) [Link] (7 responses)

Your comment reminds me of the Malibal guy, Matt DeVillier, who banned entire countries because someone annoyed him. I guess he realized he was being silly because he took down the bans from the Malibal website and got it excluded from The Internet Archive.

CRA

Posted Jan 2, 2026 21:34 UTC (Fri) by mathstuf (subscriber, #69389) [Link]

Yes, I was reminded of this as well, but my search-fu failed me. Thanks for the reference :) .

CRA

Posted Jan 4, 2026 14:49 UTC (Sun) by linuxrocks123 (subscriber, #34648) [Link] (5 responses)

Matt DeVillier's actions were just petty. This wouldn't be to help people be petty. Rather, it would be to help people avoid subjecting themselves to hostile jurisdictions.

Like, let's say I have a message board hosted in Texas, and France wants to sue me because someone in France visited my website and I didn't annoy the hell out of him with the EU's required "I USE COOKIES" bullshit. Applying Zippo, a court may actually enforce a stupid EU judgment based on that against me ... BUT not if I geoblock the EU. And, while California's "cookie law" isn't as brain-damaged as the EU's, it's still pretty brain-damaged, so I'd want to geoblock them to avoid Zippo jurisdiction there, too.

In addition to California, I may want to make it a triple play by blocking New York and Florida, too, to avoid being sued by the human skid marks who abuse the ADA to suck settlement money out of random small businesses: https://instituteforlegalreform.com/blog/small-businesses...

A well-run jurisdiction monitoring organization could help me decide who to block and when to stop blocking them based on my particular website's needs.

CRA

Posted Jan 4, 2026 14:53 UTC (Sun) by dskoll (subscriber, #1630) [Link] (2 responses)

Everything you've posted is hypothetical. Care to cite any case where an individual running a personal website has been subjected to punishment under the laws you mentioned?

It's simply Malibal all over again, mixed in with a healthy dose of dog-whistle politics.

CRA

Posted Jan 5, 2026 2:41 UTC (Mon) by linuxrocks123 (subscriber, #34648) [Link] (1 responses)

Many of these stupid Internet laws, such as California's, allow civil suits for monetary damages. I'd prefer to make the first move by blocking the hostile jurisdictions at the outset than wait for a blood-sucking parasite to try to make a quick buck off of me with an abusive lawsuit about how I manage cookies.

Be reactive if you want, but I'll bet all the family-owned restaurants that didn't put alt text in their images wish they'd taken my approach.

CRA

Posted Jan 5, 2026 9:49 UTC (Mon) by kleptog (subscriber, #1183) [Link]

> Many of these stupid Internet laws, such as California's, allow civil suits for monetary damages.

I looked this up and it's interesting. The California law has statutory damages (which the EU doesn't) and allows for class actions (which we don't really have here in most member states*) and the combination leads to the interesting business case where you can start a class action against some site and claim statutory damages for a whole bunch of people who don't care and have no actual damages.

So yeah, the statutory damages thing does make California especially risky.

* We don't have class actions in NL, the way this is handled is to start a non-profit association that does a test case on behalf of its members and if they win they use that as leverage to settle the rest of the cases. This is the implementation of the Representative Actions Directive (2020/1828)

CRA

Posted Jan 5, 2026 18:26 UTC (Mon) by NYKevin (subscriber, #129325) [Link] (1 responses)

> In addition to California, I may want to make it a triple play by blocking New York and Florida, too, to avoid being sued by the human skid marks who abuse the ADA to suck settlement money out of random small businesses: [link]

The ADA is a federal law. Lawsuits under the ADA may be brought in any state, if there is personal jurisdiction over the defendant and venue is proper in that state. The Second Circuit case Bensusan Restaurant Corp. v. King suggests that merely having a website accessible from the forum state is probably not enough for personal jurisdiction, but it was decided in 1997, so things may have changed since then. See also International Shoe Company v. Washington.

Regardless, geoblocking one state will not prevent lawsuits from other states. If geoblocking is necessary (contrary to the Second Circuit's ruling), then you have to block the whole US (and avoid doing business in the US, which probably has implications for hosting etc.).

CRA

Posted Jan 8, 2026 15:57 UTC (Thu) by linuxrocks123 (subscriber, #34648) [Link]

> The ADA is a federal law.

Yes, but there's a huge-ass circuit split as to whether websites are always subject to the ADA, only subject to the ADA if there is a physical brick-and-mortar business they're connected to, or never subject to the ADA. If you can force the bottom-feeder into a circuit that says websites are never subject to the ADA, the bottom-feeder will drop the case and leave you alone because he and you both know he can't possibly win.

I hope the current Supreme Court takes up a case on this issue soon, because the current Court will probably decide "never," and I think that's the right answer because anything else is an unacceptable speech regulation. Or would it be constitutional for Congress to pass a law that says newspapers must be printed in Braille upon request?

> The Second Circuit case Bensusan Restaurant Corp. v. King suggests that merely having a website accessible from the forum state is probably not enough for personal jurisdiction

No, Bensusan v. King decided that New York hadn't given its own courts that jurisdiction under New York state law. The federal question the district court answered in violation of constitutional avoidance was not affirmed by the circuit. A better case to look at is Zippo v. Zippo:

https://en.wikipedia.org/wiki/Zippo_Manufacturing_Co._v._...

It's a district court case but was adopted by several circuits in the years following its decision. It promulgates a "sliding scale" test that says you're not subject to jurisdiction if your website is purely passive, are if your website is "extremely interactive," and might or might not be if your website is somewhere in the middle, depending on where in the middle you are.

CRA

Posted Jan 2, 2026 21:58 UTC (Fri) by fenncruz (subscriber, #81417) [Link] (1 responses)

I think the CRA is a good thing. Even though it's making alot of work for me at the moment (in a large software company) it's finally made upper management care about security. It's amazing how much developer time I can get allocated to fix technical debt when there's the possibility of fines on the line.

Sure some it is just paperwork and box tickings, but we are also getting resources to fix actual issues we've been fighting for, for years.

CRA

Posted Jan 4, 2026 14:18 UTC (Sun) by raven667 (subscriber, #5198) [Link]

I too think the EU CRA has a lot of positive benefit, and I'm happy when a compliance effort can produce real fruit because orgs actually do the work to fix things rather than malicious faux-compliance (like adding cookie banners instead of fixing privacy practices).

I'm rather enjoying the focus my org has on compliance with new US ADA enforcement rules (which to be honest are never going to be invoked because the Trump regime doesn't care about civil rights/accessibility and would only prosecute if the bribe check didn't clear) which has given me the opportunity to bring all the web apps up to the same HTML theme/template and coding style instead of three different ones depending on the era when the app was made and how maintained it is. I also got to make a mini web-app server-side framework to factor out duplicate code from the CGIs without taking a large dependency on something like Dancer or Mojolicious, so it's all still simple enough to fit into one persons head but benefits from standardization of how extensibility is performed.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds