Unintended Consequences: They're not just for ED
The biggest threat to Moodle in Europe might not be Canvas or Brightspace or Learn
We have covered many of the impacts of proposed and ongoing regulations from the US Department of Education (ED), from TSP expansion to OPM bundled services exception guidance to Gainful Employment / Financial Transparency proposals. An underlying theme is how ED’s regulatory activism, typically driven by hold-them-accountable consumer protectionism, often leads to predictable but unintended consequences. In fact, ED’s regulatory moves were the trigger for the launch of the premium On EdTech+ newsletter.
But ED is not the only regulatory body with accountability proposals and rules that could have far-reaching impacts on EdTech. One other action to follow is the European Union’s (EU) Cyber Resilience Act (CRA), which was recently modified and endorsed by the EU parliament and is likely to be made effective soon. The particular unintended consequence I’d like to focus on is partially sacrificing open source models by trying to make everyone in the virtual supply chain liable for the cybersecurity of the end product.
The CRA poses a significant threat to the largest Learning Management System (LMS) in the world - Moodle. It is likely a greater threat than the commercial offerings from Instructure Canvas, D2L Brightspace, or Anthology (Blackboard) Learn.
From Brian Fox writing at DevOps.com:
Like many of the ED actions, the EU appears overly focused on accountability and reining in companies, which has led to a view towards enforcing legal liability for developers of software components that end up in products or services. The idea is to make everyone in the virtual supply chain liable for the cybersecurity of the end product. The problems for open source are that developers typically don’t know when and how their code is incorporated into a product down the line (it’s openly licensed, after all) and that the development ecosystem is complex: the code does not come from a single company, or from subcontractors or partners bound by contracts.
The EU regulators put in an exemption for not-for-profit developers, but that description ignores how open source is actually developed. From Bill Budington writing at the Electronic Frontier Foundation:
Budington describes how open source contributors who accept donations or tips or any risk-balancing financing could face liability that would damage the usage of open source solutions. In other words, industry insiders are calling out that the CRA as written (and as modified in a July 19th vote) will end up stifling the usage of open source software in the EU. The CRA appears set to hold for-profit software developers accountable but will also harm open source initiatives - not by strengthening open source models to produce enhanced cybersecurity, but by making a lot of software models unrealistic.
The EdTech Angle
Moodle published an open letter this week also calling for changes to CRA, calling out two recommendations that get to the heart of the liability issues.