If it’s bundled with the OS, it probably does.
Components “placed on the market separately” are explicitly included a being part of the product.
Let me try to gather this together:
The manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person shall, on request, provide the market surveillance authorities with the name and address of any economic operator who has supplied them with a software product, including software or hardware components being placed on the market separately;
Economic operators shall, on request, provide the market surveillance authorities with the following information: (a) the name and address of any economic operator who has supplied them with a product with digital elements;
‘economic operator’ means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;
‘product with digital elements’ means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;
Zak@lemmy.world 1 week ago
The who has supplied them part is the critical point here.
I’ll give an example outside of digital technology. If Ford sells a car with Michelin tires on it, Ford has some responsibility for those tires even though I can also buy them from Joe’s Tire Shop and put them on any car with the right size wheels. I can also buy Continental tires from Joe’s Tire Shop and put them on my Ford car. Ford has no responsibilities in relation to Continental Tires or Joe’s Tire Shop.
If Samsung preloads WhatsApp and Android on a phone, Samsung has to know where it got WhatsApp and Android. If I download Signal from signal.org/android/apk/ and install it on a Samsung phone running Google Android, neither Samsung nor Google is a party to that.
The CRA, including the parts you’re quoting does not impose any obligation on anyone with respect to a product or component they never touch.
General_Effort@lemmy.world 1 week ago
I don’t see what makes you so certain. The EU unambiguously wants computing devices to be more locked down. It wants responsible developers to be tracked.
If your argument holds, then that only means that there is a loophole allowing devs to distribute apps anonymously. That’s where the car analogy fails. There are exceptions for small enterprises and “open source stewards”. These exist so that small players and start-ups won’t be overwhelmed by bureaucracy. They are not supposed to protect dev privacy or user freedom.
I can only repeat that I find your argument valid. I just don’t believe it would stand up in court. If Google was pushing back on this, I would still back them up on such arguments. But they understandably don’t.
Unless there is a major change in attitudes in Europe, we are going to see much more mandated control and surveillance, anyway.
Zak@lemmy.world 1 week ago
Reading the text of the law makes me pretty certain. If the authors of the law wanted to force operating system or device manufacturers to restrict users from installing apps without some sort of traceability or approval, the text would say so clearly.
Google’s own statements about the policy are also a factor. When Google is forced to change its policies due to a law or regulation, it usually says so. Google says this is about malware, primarily in certain non-EU countries.
Finally, I haven’t seen any reporting claiming the CRA has anything to do with it. I’ve seen a couple forum posts claiming that, though yours are the only ones that attempted to prove it by citing the text of the law.