The Python Software Foundation on European cybersecurity

I don't think anyone is arguing against the idea or nominal intent of the CRA, instead, the PSF and ISC join the many, many others that have pointed out how the text _as written_ muddies the notion of liability so badly that it's barely a stretch to see how that could lead to the cessation of F/OSS development in the EU, and not just at the non-profit/individual volunteer level, but also corporate-sponsored as well.

> There is, quite intentionally, no straightforward way to force a user to provide arbitrary PII in exchange for some arbitrary service - that is simply not a transaction you can enter into in the EU. Anyone who claims they can do this is either lying or unknowingly violating the law.

Compare that to American arbitration. Can't speak for Europe, but in the UK arbitration is never binding on the individual. Companies don't get to write their own law. And the UK definition forbids a conflict of interest for the arbitrator. Companies don't get to appoint their own judges to interpret their own laws.

Cheers,
Wol

Where I guess we will disagree is that I don't believe that just because some law was made the world immediately works the way described in the law. What does matter is what I see of it, and the fact is that GDPR clauses are making their way into contracts I can not change: employment, telco, apartment, etc. Because of the huge risk of fines by GDPR these clauses are as wide as possible.

Let me tell you a little story. Whenever we have government elections candidates need to show some minimal support to be put onto the ballot, which comes in the form of collecting peoples signatures -- personal data that falls under GDPR (or so they claim). So, they make everyone who signs the support thing also sign some GDPR thing, allowing them to handle your data. It's all voluntary of course. What then happened then is that half the country started receiving some weird SMS's relating to the election they definitely didn't want. Turns out:
1, That GDPR thing people signed contained a little more than they thought
2, The "data controller" turned out to be some foreign entity on the other side of the EU
3, To do anything, in a legal sense, you would need lawyers and courts in that small foreign country

This is what I meant by "practically" and "coax": no-one forced any of these people to sign anything -- it was all voluntary and no pressure was applied, yet I'm sure you can understand that it is not a very life-like scene that in an underpass hundreds of people are standing around the booth of some political party meticulously going through dozens of pages of dense legalese. Also realise how the enterprise was setup to make it as difficult and expensive as possible to try to get any sense of justice.

This is why I say that any law which allows "voluntary consent" to nullify parts or all of it (pretty much all EU things) just means that those parts are, in practice, nullified by default.

And yet, every second website does just trick the user into clicking "I agree" and is never punished for it. It seems the great European bureaucracy only has the bandwidth to prosecute the Facebooks and Googles of the world.

It would be neat if, like, every website with only an "I agree" button and no "I disagree" could get a $1000 fine (commercial sites) or $50 (personal sites) with just a few minutes of paperwork, let's say, upon report and maximum once a week. I suspect that would fall afoul of some rules against summary punishment. Now, no Apple or Netflix is going to care about a $1000 fine, but those ones can be fed through the big lumbering bureaucracy... meanwhile, say, Stack Exchange's CEO having to personally respond to a court order every week would be a significant motivation to fix the problem. (just an example - Stack Exchange recently fixed this problem)

> You can't say to the user "click agree or else you can't use our service" and call that "consent".

Apparently, at least to some extent, cookiewalls are legal and you can say "click agree or else you can't use our service unless you buy a long term subscription to it", because as long as you are offering an alternative, that is consent (even if the alternative is not really equivalent. Maybe you want to use the service just once and not in continuity for a long time as the cost of a subscription assumes). Many online newspapers in Europe use this business model, see https://www.repubblica.it/tecnologia/blog/cyber-law/2022/... (in Italian, Google translate works well enough with it) and https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/... (in French). Key document appears to be the Conseil d’État decision taken on June 2020 https://www.cnil.fr/fr/cookies-et-autres-traceurs-le-cons...

> It's like when you break apart a C program and find all the linked lists. Is this a sophisticated concurrent data structure which has been optimised to hell? Nope, it's just the first growable data structure this C programmer learned so they've used it everywhere. The answer to far more questions than you expect is "I don't know, I just copied what everybody else was doing".

Which is why nearly all my C programs simply malloc'd an array ... :-)

Cheers,
Wol

> are overwhelmingly cargo culting that UX

I'm not so sure. My impression is more that they are doing things in a way that abides by the letter of the law but still applies as much psychology as possible to increase the chances of you just hitting the "Agree to all" button, which is what the operator would generally like, instead of unchecking any of the unnecessary stuff. Just a few observations:

1, When you first visit, they pop up some box where you must agree to *something* before being able to use the site. There is seldom a button saying "I don't allow anything" (I have mostly seen such an option only on government run sites, but there are some others).
2, The button saying "I agree to everything" is always the single most prominent. So much so that the "configure/choose" option often masquerades as an inconspicuous tiny hyperlink.
3, When/if you get to the configure window there are usually 10-30 individual options to uncheck. Again, seldom is a "nothing" option available. This takes a while and is a pain in the ass. In an extreme case I have witnessed 30+ options, each of which took you to some site where you had to click to disable and then again to confirm it. Quite un-user friendly.
4, In the selection window the "Confirm Choices" button is *never* where you would usually expect it. Instead that location is prominently occupied by a "Agree to all" button.
5, If you decide to take the pain of deselecting something a few weeks later the website makes you go through the same dance. Strange that when clicking the "Agree to everything" button you never get reminded again.

This is why any legislation that allows "voluntary consent" simply changes the game, as it were, such that the bigger party tries as hard as they can to make you "voluntarily consent". Usually it is successful.

> Seems like a stupid system, but if this is really how the system works, then it's not the end of the world every time the corporate-money-making-ideas-machine spits out a really stupid idea. It's only the end of the world if the democracy-machine does not shoot down the stupid idea.

Problem is, the American democracy-machine seems to have pretty crap aim under these circumstances.

> A similar effect can be observed with the fines (point 3). Sometimes the maximum possible fine is set very high to give significant room for the judge's discretion.

EU maximum fines aren't that high. For a first offence! Thing is, if it's not a first offence, the maximum fine has a habit of doubling every time ... that makes repeat offenders rare ...

Cheers,
Wol

> I understand that the EU - de facto if not de jure - has separate bodies to represent the corporations and the people, and the corporate part seems to come up with most of the proposals which are quickly shot down by the actually democratic part.

I guess you mean the Commission with the "corporate part" and the EP with the "democratic part". It's not de facto, it's de jure - the EU is constituted such that the Commission is the body that introduces proposals. The EP has no power to initiate legislation - though it can formally request the Commission to do so. There is talk of giving the EP the right to initiate.

Commission: The political executive of the EU's civil service; the formal point of introduction for new legislation - but this is in a facilitating role.
European Parliament: Generally a scrutineering body. Can take out the Commission, by 2/3 majority vote, can propose amendments to legislation, can block legislation the Council is trying to put through, but this requires an absolute majority.
Council: The governments. Here lies the power, tempered by the EP.

> So putting on conferences (thus having some transactional revenue sources) isn't "commercial activity"?

Commercial activity is scoped. Just because their conferences might be considered commercial, doesn't mean everything else they do is commercial.

> By this logic, I, by virtue of having sold a couple hours of support services to an European client, am now (and possibly forever?) liable for any [mis-]use of my F/OSS in Europe.

That is a clearly absurd conclusion. And not the intention either.