<?xml version="1.0" encoding="UTF-8"?>
<html newsdate="2023-03-23">
<version>1</version>
<head>
<title>EU: Proposed liability rules will harm Free Software</title>
</head>
<body>
<h1>EU: Proposed liability rules will harm Free Software</h1>
<p>
The EU is currently debating the introduction of liability rules for
software, including Free Software. The relevant proposals are the AI
Act, the Product Liability Directive (PLD), and the Cyber Resilience Act
(CRA). As currently drafted, all three proposals would harm the Free
Software ecosystem and thus society and the economy.
</p>
<figure>
<img src="https://pics.fsfe.org/uploads/big/d1b7eb0ca6ec38c89967dab6d3dd920b.png"
alt="While we welcome the discussion on more cyber security we doubt that the introduction of liability alone will lead to more cyber security" />
</figure>
<p>
The main debate centres on the Cyber Resilience Act. We will therefore
discuss the risks and solutions using this Act as an example.
</p>
<p>
While we welcome the discussion on more cyber security, we doubt that the
introduction of liability alone will lead to more cyber security. In Free
Software in particular, far-reaching security measures are already in
place, although they differ from those of proprietary software.
</p>
<p>
The proposal to exclude Free Software developed “outside the course of a
commercial activity” would leave a large part of the software actually
deployed uncovered. At the same time, smaller and non-profit projects
would still be harmed, as they would have to bear major costs.
</p>
<p>
We therefore propose a solution that will lead to more security while
safeguarding the Free Software ecosystem:
</p>
<ol>
<li>Liability should be shifted to those deploying Free Software instead of those developing it, and</li>
<li>
those who benefit significantly financially from this deployment should
make sure the software becomes CE-compliant.
</li>
</ol>
<p>
Free Software, with its four freedoms to use, study, share, and improve
the code, makes it easy for anyone to develop and improve the code while
making it available to everyone. In the event of a security incident,
developers who might receive only micro or small payments, work for a
non-profit, or do not earn a single Euro for their work could be held
liable. Making them liable could create burdens that projects could not
handle alone. Free Software is everywhere nowadays, and those deploying
it, especially Free Software from small projects, must take on more
responsibility, if only out of their own interest.
</p>
<p>
Putting the burden of liability on these small or non-profit entities
would harm the Free Software ecosystem and thus society and business
alike: lacking the funding and resources to go through these procedures,
some of these projects might have to stop completely, and the result
would not necessarily be more security. Moreover, many small Free
Software projects already have well-working security assessments in
place. Introducing new workflows or even consulting third parties would
have financial consequences that would be almost impossible to bear.
Ways to address the funding problem could be a dedicated fund to support
these projects, or the introduction of a scoring system that shows how
much a company invests in the security of the Free Software projects it
uses. However, neither of these proposals can be implemented quickly, so
the problem would persist. Transferring liability to those who deploy the
software and seek to profit significantly from it therefore seems to be
the better solution.
</p>
<p>
To achieve this, the current wording needs to be improved. The concept
of “commercial activity” should be replaced with an approach that
focuses on deployment rather than on development, and the responsibility
to fulfil these requirements should rest on the entity that benefits in
the market. Likewise, exemptions for non-profit entities and micro
enterprises should be introduced. In other words, liability should be
moved towards the substantial, profit-oriented companies that deploy
these solutions.
</p>
<p>
This would ensure that all Free Software solutions used at a significant
level are assessed under the liability rules in the CRA, PLD, and AI
Act, while the financial burden is shifted to those who seek to profit
from these solutions. They would be the ones having to make sure that
someone runs through the procedures needed for their software to get the
CE label. Deployers could collaborate and fund the projects they use, or
could run through the procedures themselves. They ought to make sure
that modifications are fed back into the projects.
</p>
<p>We also presented this position at a public hearing in the European Parliament.</p>
<figure>
<peertube url="https://media.fsfe.org/w/7X2vSXubdrbTPFTqjmT5Nm" />
</figure>
<p>
It is a complex debate with far-reaching implications and positions that
change daily. We will continue to work on this issue in the upcoming
month. If you are interested in getting involved or joining our
activities, please contact us via email.
</p>
</body>
<tags>
<tag key="front-page"/>
<tag key="european-parliament">European Parliament</tag>
<tag key="policy">European Public Policy</tag>
<tag key="AI">AI</tag>
<tag key="european-union">European Union</tag>
</tags>
<discussion href="https://community.fsfe.org/t/1005"/>
<image url="https://pics.fsfe.org/uploads/big/d1b7eb0ca6ec38c89967dab6d3dd920b.png" alt="While we welcome the discussion on more cyber security we doubt that the introduction of liability alone will lead to more cyber security"/>
</html>