The OS or a phone both fit that definition.
Yes it does, and it means someone making and selling either has to have a certain level of knowledge about it supply chain.
An app fits the definition of a component.
If it’s bundled with the OS, it probably does. In that case, the OS vendor is a manufacturer and has a variety of obligations relative to the app detailed in article 13.
If the user is obtaining it directly from the developer and installing themselves, it doesn’t really matter if it’s a component or a product because the OS vendor is not distributing or manufacturing anything. If the app/OS combination were to be treated as a system of which the app is a component, it is the user who has manufactured that product by combining the two. If the user is not selling that system, they have no obligations under the CRA.
General_Effort@lemmy.world 1 week ago
Components “placed on the market separately” are explicitly included a being part of the product.
Let me try to gather this together:
The manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person shall, on request, provide the market surveillance authorities with the name and address of any economic operator who has supplied them with a software product, including software or hardware components being placed on the market separately;
Zak@lemmy.world 1 week ago
The who has supplied them part is the critical point here.
I’ll give an example outside of digital technology. If Ford sells a car with Michelin tires on it, Ford has some responsibility for those tires even though I can also buy them from Joe’s Tire Shop and put them on any car with the right size wheels. I can also buy Continental tires from Joe’s Tire Shop and put them on my Ford car. Ford has no responsibilities in relation to Continental Tires or Joe’s Tire Shop.
If Samsung preloads WhatsApp and Android on a phone, Samsung has to know where it got WhatsApp and Android. If I download Signal from signal.org/android/apk/ and install it on a Samsung phone running Google Android, neither Samsung nor Google is a party to that.
The CRA, including the parts you’re quoting does not impose any obligation on anyone with respect to a product or component they never touch.
General_Effort@lemmy.world 1 week ago
I don’t see what makes you so certain. The EU unambiguously wants computing devices to be more locked down. It wants responsible developers to be tracked.
If your argument holds, then that only means that there is a loophole allowing devs to distribute apps anonymously. That’s where the car analogy fails. There are exceptions for small enterprises and “open source stewards”. These exist so that small players and start-ups won’t be overwhelmed by bureaucracy. They are not supposed to protect dev privacy or user freedom.
I can only repeat that I find your argument valid. I just don’t believe it would stand up in court. If Google was pushing back on this, I would still back them up on such arguments. But they understandably don’t.
Unless there is a major change in attitudes in Europe, we are going to see much more mandated control and surveillance, anyway.
Zak@lemmy.world 1 week ago
Reading the text of the law makes me pretty certain. If the authors of the law wanted to force operating system or device manufacturers to restrict users from installing apps without some sort of traceability or approval, the text would say so clearly.
Google’s own statements about the policy are also a factor. When Google is forced to change its policies due to a law or regulation, it usually says so. Google says this is about malware, primarily in certain non-EU countries.
Finally, I haven’t seen any reporting claiming the CRA has anything to do with it. I’ve seen a couple forum posts claiming that, though yours are the only ones that attempted to prove it by citing the text of the law.