Unintended Consequences: They're not just for ED

The biggest threat to Moodle in Europe might not be Canvas or Brightspace or Learn

Was this forwarded to you by a friend? Sign up, and get your own copy of the news that matters sent to your inbox every week. Sign up for the On EdTech newsletter. Interested in additional analysis? Try with our 30-day free trial and Upgrade to the On EdTech+ newsletter.

We have covered quite a bit of the impacts of proposed and ongoing regulations from the US Department of Education (ED), from TSP expansion to OPM bundled services exception guidance to Gainful Employment / Financial Transparency proposals. An underlying theme is how ED’s regulatory activism, typically driven by hold them accountable consumer protectionism, often leads to predictable but unintended consequences. In fact, ED’s regulatory moves were the trigger for the launch of the premium On EdTech+ newsletter.

But ED is not the only regulatory body with accountability proposals and rules that could have far-reaching impacts on EdTech. One other action to follow is the European Union’s (EU) Cyber Resilience Act (CRA) that was recently modified and endorsed by the EU parliament and likely to be made effective soon. The particular unintended consequence I’d like to focus on is partially sacrificing open source models by trying to make everyone in the virtual supply chain liable for the cybersecurity of the end product.

The CRA poses a significant threat to the largest Learning Management System (LMS) in the world - Moodle. Likely a greater threat that the commercial offerings from Instructure Canvas, D2L Brightspace, or Anthology (Blackboard) Learn.


From Brian Fox writing at DevOps.com:

The European Union (EU) is currently considering approval of the Cyber Resilience Act (CRA), a proposed regulation that is a major threat to the future of the global open source industry. While the intention of the act is to enhance cybersecurity (which is extremely welcome), its current form lacks clear liability exemptions for many open source developers and maintainers, which could be a death knell for open source in the EU and which could spark additional, global implications.

The CRA regulation for the EU was proposed on September 15, 2022, by the European Commission. The intent is to improve cybersecurity and cyberresilience in the EU through common cybersecurity standards for products with digital elements. In theory, this is welcome. But there are some notable areas that many open source developers and industry organizations are concerned about.

Modern applications are comprised of 90% open source code; penalizing open source developers would lead to a fragmented community and hinder important projects across various sectors, including critical infrastructure, health care and even military systems.

The seemingly purposeful omission of exemptions for open source would put undue onus on open source foundations and maintainers and poses a serious risk to not just EU innovation and security but global collaboration.

Like many of the ED actions, the EU appears overly-focused on accountability and reining in companies, which has led to a view towards enforcing legal liability for developers of software components that end up in products or services. The idea is to make everyone in the virtual supply chain liable for the cybersecurity of the end product. The problems for open source are that developers typically don’t know when and how the product is incorporated down the line (it’s openly licensed, after all) and that the development ecosystem is complex, not from a single company or subcontractors or partners with contracts.

The EU regulators put in an exemption for not-for-profit developers, but that description ignores how open source is actually developed. From Bill Budington writing at the Electronic Frontier Foundation:

Open source software serves as the backbone of the modern internet. Contributions from developers working on open source projects such as Linux and Apache, to name just two, are freely used and incorporated into products distributed to billions of people worldwide. This is only possible through revenue streams which reward developers for their work, including individual donations, foundation grants, and sponsorships. This ecosystem of development and funding is an integral part of the functioning and securing of today’s software-driven world.

Budington describes how open source contributers who accept donations or tips or any risk-balancing financing could face liability that would damage the usage of open source solutions. In other words, industry insiders are calling out that the CRA as written (and as modified in a July 19th vote) will end up stifling the usage of open source software in the EU. CRA appears set to hold for-profit software developers accountable but will also harm open source initiatives - not by strengthening open source models to produce enhanced cybersecurity, but by making a lot of software models unrealistic.

The EdTech Angle

Moodle published an open letter this week also calling for changes to CRA, calling out two recommendations that get to the heart of the liability issues.

Subscribe to On EdTech+ to read the rest.

Become a paying subscriber of On EdTech+ to get access to this post and other subscriber-only content.

Already a paying subscriber? Sign In

A subscription gets you:
New content 3-4 times per week
Shared Q&A discussions
More coming soon