ell1e

It doesn’t seem to be voluntary at all, from what I can tell from the draft:

“Upon that notification, the provider shall, in cooperation with the EU Centre pursuant to Article 50(1a), take the necessary measures to effectively contribute to the development of the relevant technologies to mitigate the risk of child sexual abuse identified on their services. […]”

“In order to prevent and combat online child sexual abuse effectively, providers of hosting services and providers of publicly available interpersonal communications services should take all reasonable measures to mitigate the risk of their services being misused for such abuse […]”

These quotes sound mandatory, not voluntary. And let’s look what these technologies referenced are:

“In order to facilitate the providers’ voluntary activities under Regulation (EU) 2021/1232 compliance with the detection obligations, the EU Centre should make available to providers detection technologies […]”

“The EU Centre should provide reliable information on which activities can reasonably be considered to constitute online child sexual abuse, so as to enable the detection […] Therefore, the EU Centre should generate accurate and reliable indicators,[…] These indicators should allow technologies to detect the dissemination of either the same material (known material) or of different new child sexual abuse material (new material), […]”

Oops, it sounds again like mandatory scanning.

Source: https://cdn.netzpolitik.org/wp-upload/2025/11/2025-11-06_Council_Presidency_LEWP_CSA-R_Presidency-compromise-texts_14092.pdf

The new draft seems to pretend better to look less mandatory, but it still looks mandatory to me. Feel free to correct me if somebody can figure out that I’m wrong.

It doesn’t seem to be voluntary at all, from what I can tell from the draft:

“Upon that notification, the provider shall, in cooperation with the EU Centre pursuant to Article 50(1a), take the necessary measures to effectively contribute to the development of the relevant technologies to mitigate the risk of child sexual abuse identified on their services. […]”

"In order to prevent and combat online child sexual abuse effectively, providers of hosting services and providers of publicly available interpersonal communications services should take all reasonable measures to mitigate the risk of their services being misused for such abuse [...]"

These quote sound mandatory, not voluntary. And let’s look what these technologies referenced are:

“In order to facilitate the providers’ voluntary activities under Regulation (EU) 2021/1232 compliance with the detection obligations, the EU Centre should make available to providers detection technologies […]”

“The EU Centre should provide reliable information on which activities can reasonably be considered to constitute online child sexual abuse, so as to enable the detection […] Therefore, the EU Centre should generate accurate and reliable indicators,[…] These indicators should allow technologies to detect the dissemination of either the same material (known material) or of different new child sexual abuse material (new material), […]”

Oops, it sounds again like mandatory scanning.

Source: https://cdn.netzpolitik.org/wp-upload/2025/11/2025-11-06_Council_Presidency_LEWP_CSA-R_Presidency-compromise-texts_14092.pdf

The new draft seems to pretend better to look less mandatory, but it still looks mandatory to me. Feel free to correct me if somebody can figure out that I'm wrong.

I continue to believe the risk is real and supported by my links and quotes. You might notice some people in the linked discussions who seem to be thinking it's not entirely baseless. You're free to disagree. I'm not a lawyer anyway.

I will stop discussing since suddenly this is about "normal" and I guess "abnormal" donations, and I don't think we're having a clear-headed debate here.

Did you actually read the quote I gave? I'm honestly confused.

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402847

Supply in the course of a commercial activity might be characterised not only by charging a price for a product with digital elements, but also by charging a price for technical support services where this does not serve only the recuperation of actual costs, by an intention to monetise, for instance by providing a software platform through which the manufacturer monetises other services, by requiring as a condition for use the processing of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software, or by accepting donations exceeding the costs associated with the design, development and provision of a product with digital elements

TL;DR, just donations can already be a problem, apparently. But IANAL.

As far as I understand the license doesn't matter at all for EU regulation, other than "non-free" software is treated even worse.

Generally if you give something away for free, you can’t be claimed to be the owner.

The CRA from what I can tell applies to software given away for free, sadly. I'm not a lawyer, though. But you can perhaps see why people don't trust the EU.

I admit it's a complex topic, but if you read the post in detail, it should answer your questions. The "owner" is typically the maintainer, if in doubt that's the person with repository write access. And the EU can apparently potentially require whatever to be maintained, not that I understand the exact details. The point was that the regulation doesn't seem to avoid FOSS fallout well.

The EU has been so far bad at making sure FOSS isn't seen as a paid product in the eyes of regulation, even in cases where it's clearly unpaid, see here. They can't be trusted to get this differentiation right.

Therefore, unlockable bootloader seems like the better idea. Get people to Linux and open Android variants if the closed-source companies won't serve them.

Real time is a privacy risk.

check the API rules

That was what I was wondering about above. For Bgpview I can't find much.

So is it only me, or wouldn't it be possible to write a script that 1. gets the ASN list from some place like here https://bgpview.io/reports/countries/GB and then 2. queries the list of IP ranges from here https://www.enjen.net/asn-blocklist/index.php?asn=&type=iplist and 3. commits that to a repository on Github or such, and the script could be rerun every two weeks or so? It seems like there are no terms of use attached to any of these two services that forbid this, but does anybody know?