EU chat control law will ban open source operating systems

1 februari 2023  PRIVACY

Update: Open source OSes might be saved from being covered depending on the interpretation of EU regulation 2019/1150 2.2.c.

To be considered an online intermediation service it requires a contractual relationship between the service and any businesses using it. The open source licenses regulating the distribution of the software are legal agreements between the copyright holders and the distributors. Even so, a liberal interpretation might consider that not to count based on the nature of the agreements

The proposed Chat control EU law will not only seize totalitarian control of all private communication. It will also ban open source operating systems as an unintended consequence.

The EU is currently in the process of enacting the chat control law. It has been criticized for creating an EU-wide centralized mass surveillance and censorship system and enabling government eavesdropping on all private communication. But one little talked about consequence of the proposed law is that it makes practically all existing open source operating systems illegal, including all major Linux distributions. It would also effectively ban the F-Droid open source Android app archive.

Article 6 of the law requires all "software application stores" to:

  • Assess whether each service provided by each software application enables human-to-human communication
  • Verify whether each user is over or under the age of 17
  • Prevent users under 17 from installing such communication software

Leaving aside how crazy the stated intentions are or the details of what software would be targeted, let's consider the implications for open source software systems.

A "software application store" is defined by Article 2[*] to mean "a type of online intermediation services, which is focused on software applications as the intermediated product or service".

This clearly covers the online software archives almost universally used by open source operating systems since the 1990s as their main method of application distribution and security updates. These archives are often created and maintained by small companies or volunteer associations. They are hosted by hundreds of organizations such as universities and internet service providers all over the world. One of the main ones, the volunteer run Debian package archive, currently contains over 170,000 software packages.

These software archive services are not constructed around a concept of an individual human user with an identity or an account. They are serving anonymous machines, such as a laptop, a server or an appliance. These machines then might or might not be used by individual human users to install applications, entirely outside the control of the archive services.

To even conceptually and theoretically be able to obey this law would require a total redesign of software installation and sourcing and security updates, major organizational restructuring and scrapping, centralizing and rebuilding the software distribution infrastructure.

This is of course only theoretical as the costs and practical issues would be insurmountable.

If and when this law goes into effect it would make illegal the open source software services underpinning the majority of services and infrastructure on the internet, an untold numbers of appliances and the computers used by software developers, among many other things. To comply with the law all of it would have to shut down, globally, as the servers providing software and security updates can't tell the difference between a web server, a Japanese software developer, a refrigerator and an EU teenager.

It may seem unbelievable that the authors of the law didn't think about this but it is not that surprising considering this is just one of the many gigantic consequences of this sloppily thought out and written law.

[*] To define a software application store the law makes a reference to the EU Digital Markets Act, Article 2, point 12 which defines “virtual assistant”. What they actually mean is point 14, which does define “software application store”.