German Court Says CEO Of Open Source Company Liable For 'Illegal' Functions Submitted By Community
from the unclear-on-the-concept dept
We just had an article mentioning that Germany has a ridiculous (and dangerously anti-innovation) view towards secondary liability, in which the country's courts often default to making third parties liable for actions they did not do. We noted that a court in Stuttgart had decided that the Wikimedia Foundation could be held liable for content submitted by a community member on the site, though only after the organization was alerted to the content (which still has significant problems for what are hopefully obvious reasons).And now it appears that a court in Hamburg has gone even further, saying that the CEO of Appwork, a company that offers the open source JDownloader software can be held personally liable for "illegal" code that was submitted by an anonymous programmer, and which automatically showed up in the nightly build of the JDownloader 2 beta (not the officially released product). The code in question allowed JDownloader to record certain copy-protect streams, violating an anti-circumvention law. Appwork made it clear that it had no idea the functionality had been added, that anyone can contribute to the source and that it goes out automatically in the nightly build of the beta. Furthermore, the company carefully reviews the code and features of any official releases, and would have blocked such functionality from appearing in that code. All of this would lead most people to realize that it's crazy to blame Appwork (and even crazier to blame the CEO).
But not the court, apparently. The court relied on the bizarre argument that since Appwork offers the product commercially, that makes it automatically liable for anything that appears in the open source beta. Basically, such a ruling will make it exceptionally difficult to have a commercial open source product in Germany, since you could face liability if someone contributes code that somehow is considered illegal. If these kinds of secondary liability rulings keep cropping up in Germany, the hot startup scene in Berlin may realize that the country's outdated laws make it quite difficult to do anything all that innovative, especially if it involves any contributions from outside the company. Given how important community contributions are these days, that cuts off a huge amount of internet innovation from the German market.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: germany, hamburg, jdownloader, jdownloader2, open source software, secondary liability
Companies: appwork
Reader Comments
The First Word
“As pointed out by silverscarcat, they do audit the code. They do not, however, audit the nightly builds - which (if it's like most open-source build tools) is automatically generated nightly from the working code base.
If you have user submitted code, it is your duty to audit it before releasing it.
If it's an open source project, "you" is often "the users." More specifically, the community of programmers that is actually writing and using the code. The beauty of open source is that if someone submits code that is questionable, it is almost immediately spotted and fixed - since otherwise, it wouldn't be useful to that community.
Moreover, "you" won't be the only one releasing it. Open source means that any user can branch the code, and release their version of it themselves. (Provided, of course, that they also release the source code, and allow others to do the same.)
What else is there in the code? Trojans? Malware? Who knows, we just get the binary, and they don't audit until they get sued...
If it's open source, then by definition, you also get the source code. If there are trojans, malware, or whatever, then either you or one of the thousands of programmers who look at the code will be able to tell.
It's the primary reason that open source code is generally more secure than closed source code.
As someone who has used, and contributed to, open source software, I can tell you flat out that your concerns are a fantasy. Your scenarios have never, once, happened with any open source software that I'm aware of.
Subscribe: RSS
View by: Time | Thread
Welcome to the age where people want to make money without doing any actual work. Let's blame phone carriers and auto makers for what's being done with the tools they provide.
[ link to this | view in thread ]
Re:
Obviously, them selling knives is the reason that people are getting stabbed! Let's shut them down so that people don't get stabbed any more!
[ link to this | view in thread ]
Re:
So yeah, I'd love to see a whole range of lawsuits aimed at gun, car, and knife and alcohol manufacturers, phone companies, mail services... all claiming they are responsible for what their customers use their products/services for, maybe after a few lawsuits like that the insanity of rulings like this would be exposed for the crazy that they are.
Well, that or they'd dial the crazy up to 11 and start ruling that those services/manufacturers were also suddenly liable as well, though given whereas a smaller tech company might not have much political clout and lawyers, the same would not be true of the others listed, I'd find that unlikely.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
"making third parties liable for [harmful] actions they did not do" but are in position to police.
Mike believes any and all "innovation" must be allowed in his libertarian fantasy land, that no corporation should be responsible, that alleged ignorance instead of due diligence is an excuse, and above all, that copyright must be done away with entirely: "record certain copy-protect streams, violating an anti-circumvention law".
Listen, kids: "innovation" is EASY when it's to steal and disrupt the good; building is the difficult part. Any silly holding that all "innovation" must be allowed and that all responsiblity can be dodged is anti-civilization.
Even if Mike is absolutely right about problems, he has no solutions to even suggest.
03:55:56[d-026-2] [ This suppresses the kids from fraud of using my screen name. ]
[ link to this | view in thread ]
Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
Do people buy those guns or knives?
Some of those people who buy guns and knives do bad things with them.
Should we shut down the stores for selling those guns and knives?
Should we outlaw guns and knives?
Or should we go after the ones who breaks the law?
Same thing here.
[ link to this | view in thread ]
Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
Still, you seem to find quite easy to do so. Why don't you volunteer to watch all 48 hours that are posted to youtube every minute to "police" the content eh mr cop? Maybe then you'll have enough to occupy your day and we'll be rid of your idiocy. See? It's a win-win scenario.
[ link to this | view in thread ]
Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
Wipe the foam from your mouth, read the article, then read up on how open source development works and rethink your comment (I know you wont do that, and probably wont read this either).
[ link to this | view in thread ]
Great logic.
If you have user submitted code, it is your duty to audit it before releasing it. What else is there in the code? Trojans? Malware? Who knows, we just get the binary, and they don't audit until they get sued...
[ link to this | view in thread ]
Re:
People don't understand that when you use other people's code, and allow others to submit in your code, it needs to be very carefully analyzed and tested. Claiming ignorance after failing such a blatant disregard for code security is hilarious at best.
[ link to this | view in thread ]
Re:
learn to read.
[ link to this | view in thread ]
Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
[ link to this | view in thread ]
Re: Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
This is the worst sort of "open source" development out there, the one where the people releasing code have no clue what's in it. They just release it, and fix if/when someone discovers something bad.
I'm not saying they're still leaving code unaudited, and hoping they learned what releasing software actually means, but if this taught us anything is that they are not serious developers, nor a serious company that cares about their code security.
[ link to this | view in thread ]
Re: Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
They released the code, not a third party. They control the code base, in which one of their main developers added "something illegal". They released a compiled beta with the illegal code in it. They did not audit the code inserted, just released it, assuming all was ok.
They need to learn how to release software.
[ link to this | view in thread ]
Re: Re:
Oh also, learn to read too.
[ link to this | view in thread ]
Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
Did you even read the article? We are talking about a nightly beta (is in test) release. The company stated that it does carefuly review the code for the actual releases.
And now everyone knows to police it rigorously.
Or move out of Germany.
Listen, kids: "innovation" is EASY when it's to steal and disrupt the good; building is the difficult part.
Ummm. They are "building". What do you think they are trying to produce, chopped liver?
Any silly holding that all "innovation" must be allowed and that all responsiblity can be dodged is anti-civilization.
Who, beside you, has ever stated that? Nice strawman.
Even if Mike is absolutely right about problems, he has no solutions to even suggest.
Well except for Mike suggesting, all the time, that we hold those actually responsible for the problems accountable, not the makers of the tools or the providers of the platform that are used.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re:
Gotcha.
Someone needs to learn how a release cycle works.
[ link to this | view in thread ]
Re: Re: Re:
YOu want stable, clean version? You wait for the official release.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re:
Also that sentence seems to have been made up by Mike. The original articles makes no mention of auditing or code reviewing of any kind.
Please link to the source if you have it.
[ link to this | view in thread ]
Re:
Look up the definition of "beta release" first:
https://en.wikipedia.org/wiki/Software_release_life_cycle#Beta
Then look at what is on Jdownloader's beta testing download page:
Beta testing is ALWAYS at your own risk.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re:
Cars actually kill lot more people then cars, but there is no bans for them. If they are going to go mad with laws against things like these, they might as well go all the way.
[ link to this | view in thread ]
Re: Re: Re: Whoops
[ link to this | view in thread ]
Re: Re: Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
Run the linked article through Google Translate and you get this:
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
Nightly builds, anyone? That's EXACTLY the type of release where the code was found. And yet you are ignoring the fact that it's a goddamn open source project where anyone can butt in and give contributions and a retarded German judge is trying to blame entirely different parties for something that COULD be used for infringing activities (God forbid if cars were used for transporting drugs, eh?).
Also, fail at checking for facts. The company site itself has all the info you claim Mike made up.
[ link to this | view in thread ]
Re:
As pointed out by silverscarcat, they do audit the code. They do not, however, audit the nightly builds - which (if it's like most open-source build tools) is automatically generated nightly from the working code base.
If you have user submitted code, it is your duty to audit it before releasing it.
If it's an open source project, "you" is often "the users." More specifically, the community of programmers that is actually writing and using the code. The beauty of open source is that if someone submits code that is questionable, it is almost immediately spotted and fixed - since otherwise, it wouldn't be useful to that community.
Moreover, "you" won't be the only one releasing it. Open source means that any user can branch the code, and release their version of it themselves. (Provided, of course, that they also release the source code, and allow others to do the same.)
What else is there in the code? Trojans? Malware? Who knows, we just get the binary, and they don't audit until they get sued...
If it's open source, then by definition, you also get the source code. If there are trojans, malware, or whatever, then either you or one of the thousands of programmers who look at the code will be able to tell.
It's the primary reason that open source code is generally more secure than closed source code.
As someone who has used, and contributed to, open source software, I can tell you flat out that your concerns are a fantasy. Your scenarios have never, once, happened with any open source software that I'm aware of.
[ link to this | view in thread ]
A better analogy
[ link to this | view in thread ]
Re: Re: Re:
You pretty much have to do that with open source software. Otherwise, how is the community going to know what is in the code that they're helping to write?
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
A nightly build is the opposite of a stable release.
As indicated by the naming conventions:
"Nightly Build" is current code in flux containing code written on the same day.
"Stable" Release is after code has been (vetted, modified, debugged, tested) multiple times then frozen and retested.
[ link to this | view in thread ]
Maybe I'll sue...
[ link to this | view in thread ]
Re: Re: Re:
The larger issue - declaring CODE that COULD be used for infringing to be illegal through *criminal* law and holding the publisher liable - very much is (as is the even larger issue of making copyright infringement a subject of criminal law at all).
[ link to this | view in thread ]
Re: Maybe I'll sue...
[ link to this | view in thread ]
Re: Re: Re: Re:
As opposed to... what? It's an open source program, people kinda need to be able to download it to use and modify it, locking it down so it wasn't publicly available would rather defeat the whole purpose behind going open source.
[ link to this | view in thread ]
Re: Re: Re: Re:
Just like your dumb comment. Mike should be held liable for what your written stupidity right?
[ link to this | view in thread ]
Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
This isn't some random project on GitHub. This is something that a particular company was putting it's name on.
Also, while they were calling it a beta that's not what it really is. It sounds more like a raw unaudited dump of their source repository. Calling that a "release" of any kind is disturbing on a number of levels.
Plenty of open source developers have been paranoid about this kind of thing for quite some time already and actively discourage even talking about anti-circumvention stuff. It's not even a new issue really.
This company was just being sloppy.
Although criminal penalties for the CEO seem a hit harsh and overly fascist.
[ link to this | view in thread ]
Re: Re: Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
They can find malware but they cannot and probably will never find "illegal" code unless someone points out that it breaks the law and which law in which country.
[ link to this | view in thread ]
Re: Maybe I'll sue...
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
/sarscam
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
Still, under these circumstances, I do not think anybody should be surprised that the court ruled like it did. Publishing software in Germany as a German company (or a German citizen for that matter) comes with increased risks thanks to the dismal legal situation there.
There is an interesting aspect to this story which was not explored in the trial of this particular case: What if the stream-ripping code in question was not in fact contributed by a random anonymous coder, but somebody associated with the plaintiff for the exact purpose of enabling legal action?
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in thread ]
Luck?
[ link to this | view in thread ]
Re: Re: Re: Re:
The ruling is absolutely ridiculous, as it makes it impossible to do open source development. The developers have to be able to download the code that is currently in development.
Being made available to developers is not the same thing as releasing it. Releasing it is giving it a stamp of approval, declaring that it has been vetted, and offering it to the public for use. Nightly builds are none of those things.
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re:
Nightly builds don't allow write access to random people, so an official developer added this code. This is EXACTLY why nightlies are controlled. Security fail.
Open source does NOT mean EVERYONE can add code to the main repo/git/whatever. Learn what it means instead of defending your erroneous definition.
The judge is blaming an OFFICIAL developer (or the company for lacking basic security skills) for adding code into the main branch. Code which is still available to use today, because you know, revisions and interwebz.
Also, fail at fact check fail. Never said Mike made it up, said appears. Reading fail.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re:
*yawn*.
[ link to this | view in thread ]
Notice to German Chancellor Angela Merkel
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re:
Yeah, actually, that usually is what it means. In the case of JDownloader, you just need SVN access. Like almost all open source projects, they grant SVN write access to anyone that agrees to the license terms.
It's like you've never worked on an open source project before. I have (and am). Granting access to anyone who wants to upload code is SOP.
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
And how do you imagine those volunteers get access to the code to audit it? Could it be that they download the source and the binary and play around with the nightly build?
Hmm....
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
Or to distribute unfinished code to developers for testing and comment so you can become sure about it.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
[ link to this | view in thread ]
Re: Re: Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
Really, you should look at what the development process is for these types of projects. You do not audit the checkins that go into the nightly development build, because that would make the development process impossible. It doesn't matter anyway, because everyone using these builds know that they contain potentially dangerous code.
You audit & review the code before it goes into a build that is going to be released for general use. The build you are talking about is not this. It was a nightly build for developer use, not a release build for use by the general public.
It was not "released code".
[ link to this | view in thread ]
Re: Re:
I have no fucking clue what 'beta' means and just wanted everyone to know.
Regards,
AC"
[ link to this | view in thread ]
Re: Re: Re: Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
[ link to this | view in thread ]
Re: Re: Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
The automated nightly build process released the code, not a third party. They do control the beta code base, in which one of the opponents of open source software (aka anonymous developer)added "something illegal in certain countries in order to get a bad legal ruling". The nightly process released a compiled beta with the illegal code in it. The next day during an audit of the code by the open source community into which the code was inserted, identified it as a potential issue which would never have been released in the commercial version.
"They" (aka anonymous commenter) need to learn how to read the article.
FTFY (Bold omitted for the shade impaired...)
[ link to this | view in thread ]
Re: Re: Re: "making third parties liable for [harmful] actions they did not do" but are in position to police.
Are the benefits any good, do they take care of your health and dental funds?
Honestly, I do want to know. I think that I can do a much better job of shilling than you.
Open source software is the work of the Devil, it is evil incarnate. Terrorists and Paedefiles use Open source software.
see, makes about as much sense as what you have written, but I at least appeal to emotion, rather than just blatantly false statements.
[ link to this | view in thread ]
Re: Notice to German Chancellor Angela Merkel
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
Common sense also dictates that there's a massive difference between an automatic nightly beta build and a released product. Why would a non-developer be on such a build, and what's the difference between this and Microsoft's development process other than you don't have to be an employee to contribute to JDownloader? That's what open source is, and it makes perfect sense.
But that's inconvenient to your arguments, isn't it? Let me guess, just another anonymous moron defending a legacy corporate business model.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re:
Either you're really this stupid,or you *really* need to find a new hobby.
[ link to this | view in thread ]
Hamburg
Basically, in germany you have what is called the "fliegender Gerichtsstand", (literarlly "the flying location of the court"), meaning that if you want to sue somebody over a civic issue, you can choose where in Germany you want to do it.
Hamburg proved to be… shall we say "friendly" towards every whim of the content-industrie, so over the last two decades, said court became the go-to adress for all things copyright, infringement and new media. It's like the Wizard of Oz for copyright owners. They're dashing out scandalous, contra-productive rulings left and right, but there's nothing we, the people, can do… in the end, it just sits with the german mentality: If you want your rights to be taken seriously, you should have become rich yourself.
On a broader note, though: The reason for this restrictive, backwards handling of copyright law is a deep rooted fear of the german industry: There's virtually nothing we've got left to make business with (no ressources, few relevant companies left in the consumer-marked, plus the big brain drain of talented people virtually fleeing the country), safe for the "german know how", that enormous pile of patents, inventions and trade secrets we came up with in the 20th century.
And once this iceberg has melted under the sun of todays realities, there won't be any poker chips left for our country. Streaming services, filesharer and transparency-advocates are just unfortunate victims of a much broader, deeper rooted fear of losing our intellectual "property".
[ link to this | view in thread ]
What a bunch of suckers!!
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in thread ]