
Suppose Alice develops some software and releases it under an open source licence. She receives just enough money to be counted as "commercial": this may be donations from users, it may be tokens for contributing to a cryptocurrency project, or it may be that the software was developed on commission. She then retires, sells her computer, stops checking her email and tends to her garden. The software could be anything; examples of critical tools maintained by people who may want or have to stop working at some point include "The Internet is Being Protected by Two Guys Named Steve", who were largely responsible for OpenSSL (used by almost all servers and involved in the Heartbleed bug), and the sole maintainer of the library core-js (used by 75% of the top 100 websites), who went to prison for 18 months for lack of the money to settle. These would seem to fit the EU description of critical products.

Sometime later, but within five years and the expected product lifetime, a bug is identified that could count as a vulnerability that requires a security update. Alice knows nothing about it and does not provide an update or otherwise handle the issue effectively.

Assuming the EU passes the Cyber Resilience Act (CRA) as currently drafted, would Alice's behaviour breach the law?

As far as jurisdiction is concerned, assume that at least one user is in the EU, Alice may or may not be.

This is mostly based on the Cyber Resilience Act Factsheet, which says, among other things:

Manufacturer’s obligations

  • Once sold, manufacturers must ensure that for the expected product lifetime or for a period of five years (whichever is the shorter), vulnerabilities are handled effectively;
  • Security updates to be made available for at least five years.
User65535

  • The law does not say that Alice has to write the fix, merely that she is responsible for the fix being written. She could hire Bob to write the fix on her behalf. – user1937198 Oct 30 '23 at 23:28
  • Where I'm from, donations as a legal tax concept are reserved solely for non-profit organizations. These organizations, by the very definition of their founding statements, don't make profits and by law are required to serve some sort of humanitarian purpose. – Neil Meyer Oct 31 '23 at 10:48
  • I am not a lawyer, but the phrasing "once sold" seems like it would exclude most FLOSS software that is freely given away by its creators. Perhaps commercial firms that incorporate libre software in their products might incur an obligation to provide security updates. – bjmc Oct 31 '23 at 14:43
  • "went to prison for 18 months for lack of the money to settle." I'm confused by this. The article you reference says he went to jail for killing a pedestrian with a motorbike. – JimmyJames Oct 31 '23 at 15:15
  • @JimmyJames From Explain XKCD: "He quit previous jobs to be able to maintain core-js, resulting in not having enough money to settle, and he was convicted for 18 months in an open prison". I have not actually found a primary source to confirm this. – User65535 Oct 31 '23 at 15:21
  • @User65535 As far as I can tell, he was looking for donations to help with his legal issues, but I see nothing that suggests he went to jail because he "couldn't settle". – JimmyJames Oct 31 '23 at 15:30
  • @JimmyJames: to settle the case. – Nick Matteo Oct 31 '23 at 20:34
  • Note that in the interpretation suggested in this question, Alice is not only prohibited from retiring, she is not even allowed to die! – Hagen von Eitzen Nov 01 '23 at 09:15
  • Doesn't the first cited obligation just mean you have to express an expected product lifetime of a week or so in the fine print of the product description? – BlackJack Nov 01 '23 at 13:06
  • @NickMatteo I'm not familiar with Russian law, but I doubt you can 'settle' for causing a person's death. – JimmyJames Nov 01 '23 at 17:44
  • @JimmyJames I do not, but I know nothing about the Russian legal system. I wonder if that would make a good question? – User65535 Nov 01 '23 at 17:47
  • @maple_shaft What story is a lie? The Russian developer of core-js, or the issue of OS developers being forced into providing support? – User65535 Nov 01 '23 at 17:49
  • @maple_shaft The story of this guy going to jail seems to be legit. It's just this notion that you can 'settle' your way out of negligent homicide (or whatever the closest equivalent is in Russia) that is suspect. I know it's not really very relevant to the question, but this is a legal-focused forum, so I think it's important to avoid propagating misconceptions about the law here. – JimmyJames Nov 01 '23 at 17:52
  • @JimmyJames The developer says "The only way not to end up in prison was reconciliation with "victims" — a standard practice after such accidents — and a good lawyer. Within a few weeks after the accident, I received financial claims totaling about 80 thousand dollars at the exchange rate at that time from "victims'" relatives." – User65535 Nov 02 '23 at 22:43

3 Answers


An obvious workaround for individuals would be to operate through a front company and then simply dissolve that front upon retirement.

Provided it is the front which offers the product to market and not the individual developer, the obligations will lapse with the front.

I suspect people who make a few bob as gigging developers are not the main target of this law, however. Corporations with serious resources are.

It's worth noting that these rules are not unusual for anyone trading directly with the market.

If you lay brick for money, then you are potentially on the hook for a number of years afterwards for the quality of your workmanship and so on. You can't simply retire suddenly from your legal obligations.

These proposals simply begin to bring commercial software development (as distinct from hobby or employed development) into the same world that other trades and professions operate in.

Steve

  • What does "make a few bob as gigging developers" mean? – Azor Ahai -him- Oct 30 '23 at 23:19
  • @AzorAhai-him- “bob” is another term for a shilling; “a few bob” is roughly equivalent to “a few bucks”. The phrase “gigging developers” refers to the “gig economy”, for developers. A specific task for a short-ish period of time, in this case for software development. So put together, “making some money doing temp/freelance work as a software developer”. – fyrepenguin Oct 30 '23 at 23:51
  • The difference between brick laying and software development is that it's typical in the construction industry to have defects fixed by a different contractor than the original builder, which is not the case for software development. So while you're not exempt from the legal/financial consequences of a mistake on your last day laying bricks, you're not mandated to go fix it yourself 3 years after retirement. – Aubreal Oct 31 '23 at 13:00
  • Making a few bob from a side gig just happens to underpin a large part of the internet. See the examples given in the question. The guy that went to jail also had a campaign looking for funding so that he could actually dedicate the time necessary to his project as needed. But he was only making a few bob. – TheEvilMetal Oct 31 '23 at 13:07
  • @Aubreal, you're not obligated to physically fix the code either, only to arrange a fix. Just like a bricklayer. It's really quite normal in the commercial world that selling things is accompanied by legal responsibilities. – Steve Oct 31 '23 at 13:21
  • "not the main target of this law" -- This dodges a core concern of the question. Laws have consequences beyond the intent of the original drafters. – Indigenuity Oct 31 '23 at 14:20
  • @TheEvilMetal, I think that's what the powers-that-be now think is the problem: too many amateurs producing software without being held to any standard, and charging too little to meet an appropriate professional standard. – Steve Oct 31 '23 at 14:51
  • @Indigenuity, indeed, but it might imply the attitude to the actual enforcement of the law, and how easy it will be for individuals to circumvent it, rather than the theoretical interpretation. – Steve Oct 31 '23 at 14:53
  • If individuals can escape responsibility by dissolving a company, wouldn't companies do the same? "Samsung Galaxy S2 inc." gets dissolved when it stops selling? – jpa Oct 31 '23 at 17:21
  • @jpa, I don't know exactly what shape the legislation will take, but I think it will be treated like manufacturer's liability, rather than sale-of-goods liability, so just dissolving the consumer front isn't enough; it would have to be dissolved all the way back to the workers and raw materials. And there would be large overheads to such dissolution, as well as more likelihood that other regulations would prevent it occurring (such as a requirement to allocate resources to legacy liabilities). And finally, if such a thing did occur, the state can just re-legislate (including retrospectively). – Steve Oct 31 '23 at 18:17
  • @Steve Any bricklayer can fix another bricklayer’s faulty work. This is not true of software developers. It might easily take ten times as much work for someone other than the original developer to create the fix. – Mike Scott Oct 31 '23 at 20:59
  • @MikeScott, the distinction is not well-made. Fixing another bricklayer's faulty work can easily exceed the entire price of that faulty work in the first place. The fact that the original developer can probably fix the software far more quickly than any other workman is precisely one of the justifications for imposing the liability upon them (and not their clients)! The simple fact about this law is that commercial developers can no longer go on as they have, selling crap to the open market "as-is", without any provision for handover or long-term maintenance. – Steve Nov 01 '23 at 07:41
  • @Steve "you're not obligated to physically fix the code either - only to arrange a fix." If this is the case for this law as well, then having the project be open source, so that anyone could potentially make the fix or make a new branch and fix it, is the potential answer. You can retire. Just make it open source first. – TheEvilMetal Nov 01 '23 at 08:40
  • @TheEvilMetal, that's obviously ridiculous. When your fridge breaks down, has the seller "arranged" a fix by telling you to leave it outside and rely on the kindness of strangers? Obviously if the fix happens that way, then all is well, but responsibility for the execution would still rest with the developer who supplied the software as part of a commercial sale. The simple fact is that, as far as the security of software you have sold goes, you cannot simply retire from the obligation. You either have to remain available contingently, or arrange cover. That's how trading normally works. – Steve Nov 01 '23 at 09:03
  • @Steve The key point for the example projects is that they are open source, but only maintained by one person who has the expertise. They rely on donations, not sales. So it's more equivalent to say someone came to your house to repair your fridge for free. Is it up to them to fix any subsequent issues? I wouldn't expect so. – TheEvilMetal Nov 01 '23 at 09:38
  • @TheEvilMetal, if the funds transfers are true donations and not sales, and there is no sale of any ancillary services associated with your bespoke software (such as selling support for the software that on its own is freely usable, but which supports a business model based on charging for servicing), then I don't see how supplying the software can be considered a commercial supply (or "marketing") in the traditional sense. If you aren't trading the software in some way (including as a taster or loss-leader), then I don't see how liability can arise. – Steve Nov 01 '23 at 09:56
  • As the software is being offered freely on a for-donations basis, do you think that would just mean accepting the donations through the corporate front? – TylerDurden Nov 02 '23 at 07:39
  • @Seekinganswers, the software can't be offered on a for-anything basis, and I imagine the courts would be intolerant of trading activity which is disguised as a pattern of altruistic production and recurring donations from any kind of commercial entity. For example, a series of £5k "donations" from a corporation, together with a chain of communications requesting new features, is likely to be treated far less credulously than a fiver donated by a thousand private consumers amongst a million. It may end up being treated as an implied contract. – Steve Nov 02 '23 at 10:44

The essence of this question is whether Alice, a natural person, is exempt from the EU rules for "economic operators". The EU definition of "economic operator" in the CRA specifically includes natural persons. Therefore, Alice falls under the obligations of the CRA.

MSalters

I think you are thinking about this in the wrong way:

The act does not make it illegal to retire after having sold software.

It makes it illegal to sell software just before you plan to retire, unless you arrange for someone else to maintain it.

If you want to sell software, then you are expected to plan in advance for how that software is going to be maintained. If you plan not to retire for 5 years, then you will have to either stick to that plan or make sure that someone else maintains the software. Having been paid (including by asking for donations), you are responsible for paying for the software to be maintained.

Tom V