by supriyo-biswas 969 days ago
The EU is already planning to make that happen through the Cyber Resilience Act[1], which imposes unreasonable constraints and litigation risks for FOSS users unless certified.

[1] https://digital-strategy.ec.europa.eu/en/policies/cyber-resi...

4 comments

The EU tries really hard to kill any innovation in Europe at the source.

But this is even worse than that. It would allow for dubious security resellers to define adequate protections. That would basically be their own products.

Everyone in IT knows that there are borderline dubious products that heavily border on scams. Not every security solution of course, but there are a lot of bad sheep that present as much a danger to security as direct attacks.

If you want to protect user data, don't collect it. Best security you can achieve.

Perhaps I am overanalyzing and this just tries to introduce formal processes to deal with security concerns. But it doesn't look like it. It seems you need a third party to certify your products for once and I believe this is lobbying for questionable security products and lawyers in one go.

> The EU tries really hard to kill any innovation

This trope is getting tedious.

The EU tries to regulate the Wild West that the internet opened up. That's not at all the same as "killing innovation". It's reasonable and realistic to try to regulate. I'm fearful of attempts to regulate the internet, because there are strong forces that want to load the regulations with provisions that would be a dictator's wet dream. But to my mind, unregulated everything is a nightmare.

Regulation is sometimes necessary to ensure businesses operate in useful ways for the societies they serve. But a specific regulation is only helpful if it constrains undesirable behaviours without causing disproportionate amounts of collateral damage.

Unfortunately governments in general and the EU in particular have a poor track record of making helpful regulations for businesses operating in STEM fields. Not many politicians have a STEM background themselves and not many have much experience of smaller businesses or grass roots volunteer work beyond a quick photo op. A field like software where a single individual can make a disproportionate contribution and where a lot of the FOSS we depend on every day was written at least partially by volunteers is probably quite alien to them.

Until the politicians are better educated the overall state of regulation will continue to be poor. Unfortunately until the small businesses and the FOSS world can speak at the same volume as corporate lobbyists and PR firms with multimillion budgets the politicians will probably continue to be poorly informed. In most places we have nothing like that level of coordination among the smaller players yet.

> A field like software where a single individual can make a disproportionate contribution and where a lot of the FOSS we depend on every day was written at least partially by volunteers is probably quite alien to them.

Oh my! An awful lot of contributors to FOSS are europeans.

But not Eurocrats sitting in Brussels thinking about how to regulate cucumbers and vacuum cleaning speeds

Literally every country does that. The US, for example, outlaws Kinder Surprise.

Why are people so hung up on the EU?

What does Wild West even mean here? You cannot consolidate software security that would fit any definition of "not being Wild West".

It could easily close most security issues by regulating data collection. That would seriously reduce the damage of possible data leaks. Any encrypted content is only safe for a limited amount of time. This hasn't changed for ages.

Just like the saying "Fish don't know they're in water", people within different groups have cultural assumptions, in this case: the idea of "Permissionless innovation" vs what I like to call the idea of "Permissionful innovation".

In the permissionless school of thought, you don't need permission to use an existing API or data to do whatever you want as long as it isn't abusing the service or illegal.

In a permissionful school of thought, you should always ask permission, from the authorities and whoever might have a vested interest in what you are doing.

It seems that in Europe it is far more common that many (most?) people expect you to get permission before you go off writing your random programs and putting them live on the Internet.

Whereas in some other countries, people view pushing half-baked ideas live as virtuous and artists' manifest destiny and/or an existentially important economic function of startups.

When people from different cultures interact and they have completely different unspoken assumptions it can result in misunderstandings. In my case, the correct thing to do was apologize for the misunderstanding (definitely not arguing, you would never convince them to change their core cultural values!), and then not use the specific service or company involved (that had intractable permission issues due to any member being able to deny permission), and just work with other services that had no built in conflicts with the fundamental purpose of their service. (Organization names and the services involved redacted for courtesy.)

> It seems that in Europe it is far more common that many (most?) people expect you to get permission before you go off writing your random programs

No. In Europe it literally is what you pretend to be permissionless: "you don't need permission to use an existing API or data to do whatever you want as long as it isn't abusing the service or illegal."

Whereas permissionless is really just doing whatever, consequences be damned

> The EU tries to regulate the Wild West that the internet opened up. That's not at all the same as "killing innovation".

The results say otherwise. One way or another Europe killed off its tech companies and it's now entirely reliant on foreign companies for almost all IT services.

It's not a trope because they've already succeeded. You can't look at the EU, where almost every IT service they use is made by a foreign company, and call it flourishing.

> But to my mind, unregulated everything is a nightmare.

Everything, like making food for your kids? Breathing air?

> Everything, like making food for your kids? Breathing air?

Absolutely.

Unregulated food means that corporations can sell toxic food that will make my kids ill, if it is profitable.

Unregulated air quality means that corporations can indiscriminately pollute air, externalizing costs and making air unbreathable.

What 'killed' the tech market in Europe is having 27 countries with different languages and laws. It is extremely difficult to scale a software company in that environment. The regulations unify the market and are the only way out. Note that the tech market in Europe is far from dead, it's one of the best ones after the US. The other successful one being China, which isn't exactly a deregulated libertarian paradise either.

Are you aware of any innovation or successful startups that came out of the EU in the last 5 years? How can you regulate a field you have no players in?

Define successful startups. As far as I know, there have been quite a few, but they are usually just bought out by the giant MANGA corporations.

I think what is true is that it is harder to get VC-backed capital here, and hence a lot of “winner takes all” markets are won in the US. But that doesn’t mean that there is no thriving startup scene in Europe, they just have different goals or measures of success than “grow a lot”.

Regulating that might even help European companies :-)

By successful I mean profitable privately held, IPOed or acquired.

Growth is a must - large companies are market makers and a continent without them will become dependent on the ones that have them.

Bought out is also fine - that's how you get investment capital.

Regulation only helps incumbent companies though, which is exactly the problem in EU.

Well, you've just defined "successful" to mean rapidly growing, and by implication unconstrained by regulations.

European telecom companies are large tech companies, heavily regulated and successful. Yes, they are incumbents now. But they weren't always; at least not all of them.

Somehow your definition of success doesn't have the actual definition of success: sustainable profitable business.

It's easy to see why: all the startups loudly hailed as successful are running into billions of dollars of debt every year, but keep being propped up by unlimited investor money. In any other industry this would be a failure.

Itsme is one of the best apps I use on a daily basis, I understand it is starting to expand internationally, I suspect it will be extremely successful. Another good innovation is PEPPOL.

What have other continents offered in the same last 5 years?

Just from what I am using personally Figma and ChatGPT come to mind. The whole AI wave has nothing this side of the pond. Now the success of these AI tools is not yet guaranteed, so maybe I am wrong.

Figma Initial release date: September 27, 2016

Sorry, disqualified according to your own arbitrary rules.

And regarding AI startups there's about a bazillion of them in EU, just as in the US. Sure, ChatGPT was invented by a US company but you can't really claim that there's "nothing" in the EU. Just because you haven't heard of it doesn't mean it doesn't exist.

ChatGPT isn't a company. It is a product of OpenAI that was founded 7 years ago (so not in last 5 years). Figma is also older than 5 years.

This is a little thin.

Unregulated everything does lead to 'enshittification' yes. Because when there is no legal framework the only guideline is profit, nothing else.

Some stuff the EU does is really good, like the GDPR, the right to be forgotten, the right to repair (smartphones with replaceable batteries and standard USB connectors). I don't even think it kills innovation. It just makes sure it is aligned with society.

But at the same time they do things like this....

GDPR: clicking cookie banners till the end of time while any ad-supported startup this side of the pond died or jumped ship to the US.

Right to be forgotten: a blessing for corrupt EU politicians who can finally scrub their record clean after buying out newspapers. Since they couldn’t buy the tech giants…

USB-C: the largest cable throwaway to avoid… throwing cables away.

Replaceable batteries: something I never needed or wanted but hey, the wise Brussels regulators must know better what is good for me.

I made use of the right to be forgotten extensively, thank you. Before that most accounts were undeletable.

I am happy for you. Now, what do you think, was the ability for you to delete accounts worth the fact that the mayor of my town keeps winning elections in spite of countless corruption charges and scandals - all conveniently wiped off the internet?

Regulations are usually well intended but second order effects are rarely thought out at all.

> GDPR: clicking cookie banners till the end of time

Please tell me where exactly GDPR requires these cookie banners. A direct quote is preferred.

Hint: those cookie banners are put there by the unregulated industry you're so willing to defend. Because they truly believe they have the god-given right to your data.

Ever heard of second order effects? Dumb laws have consequences. I live in EU and browsing the web in EU has significantly degraded since GDPR compared to the US.

I can see a cause and effect, I don't need to invent conspiracies and accuse the industry that provides me goods and services I actually want.

Um, the very website you linked to seems to contain the following fragment:

"(...) except for specified exclusions such as open-source software (...)"

- wouldn't this mean that FOSS is specifically not at risk???

edit: Even going further through the links, then searching for "open" in the actual text of the document (https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...) gave me the following:

"In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software."

The explanation at the end says that none of the large open source software projects would fall under the umbrella of open source software because somebody is making money off of it some way.

But this is exactly the point (which I think is good). This whole thing is applicable if you produce software commercially, regardless if OSS or not.

I read it as this: in effect, if you make money off the software you distribute you are responsible to address security issues.

I hope that this is a change for the better. Now everyone who piggy-backed on some OSS project so far has to either maintain a fork (-> more contributions) or provide incentive for the dev to fix it (money?)

The EU does not understand that the world runs on FOSS.

Do politicians elsewhere?

I have to say, I recently got a push into the direction of agreeing with "the EU" a whole lot. The CNCF was organizing a "security slam" where they surveyed CNCF project users on what they would want for security compliance in the projects. See one such post here [1]. As you can see, we got some high profile users: Epic Games, the Space Force, and I personally know of two household name telcos who use it.

I asked the organizers about potential funding for the work that needed to be done since the project wasn't a commercial endeavour for us. They didn't even consider this before making demands for work that would consume several days if not weeks. The funding they had amounted to some gift cards and t-shirts. (They are very nice people, but there is not much they can do either.)

I am personally very frustrated with FOSS as it stands today. It's disingenuous: either the project is almost unusable on its own and you need to buy services from the people creating it (Kubernetes), it's missing parts you need, you get a pseudo-OSS license (BSL), sometimes funded by a foundation that has to do a whole lot of extra work to get donations and more often than not pays entry-level salaries or you run a project because you love doing it where you are expected to do the compliance work ... Why exactly?

And about 95% of the changes requested are basically paperwork to check off the boxes, ship bills of materials, etc. Not the fun kind of problems. (Note: the CNCF doesn't pay its contributors anything, at least I didn't get a dime so far. The only thing I got was a truckload of paperwork, requests for more free work besides the project reviewing conference submissions for KubeCon, and more.)

I think, if you are a commercial FOSS user you should absolutely be on the hook for getting your wallet out and paying for people doing the ridiculous amount of slog required for compliance. Pay a foundation for the compliance work, or hire the people working on the project to get it done. Does the EU get it right? No clue, but something has to be done. Supply chain security is important and the work needs doing, which somebody has to pay for.

[1] https://github.com/orgs/ContainerSSH/discussions/574#discuss...