Compliance Archives - FODINA 4 FOSS

Cookies — properly managed by bootScore

Karsten Reincke — Wed, 04 Oct 2023 19:01:35 +0000

Displaying an appropriate cookie dialog is one thing. Giving it a real meaning is another. Because asking permission alone is not enough. We also need to evaluate the responses: We must only store those cookies on our reader’s computers they — or the law — have consented to. A JavaScript function that implements this requirement sets the semantics of the cookie dialog. Based on such a function, we use properly managed cookies.

The plugin bs-cookie-settings itself only provides us with the cookie query. How to activate this, I had already described in a previous post. However, the bootScore developers leave the implementation of the corresponding semantics to the respective web designer. Here is a variant that can be freely reused:

[ en | de ]

Solution

Download the JS cookie library from cdnpkg.com (or wherever) and place it (unpacked) under the name js/js.cookie.min.js into your child-theme folder.
In your file functions.php extend the function bootscore_child_enqueue_styles() by the line

wp_enqueue_script('js-cookie',get_stylesheet_directory_uri().'/js/js-cookie-min.js', false, '', true););

Expand the file js/custom.js of your child theme in the following manner:

jQuery(function ($) {

  $(document).ready(function(){
    const bsCookieSettings='bs_cookie_settings';
    const analytics = 'analytics';
    const advertising = 'advertising';
    const analyticDemoCookie='bsAnalyticCookie';
    const advertisingDemoCookie='bsAdvertisingCookie';
    const necessaryDemoCookie='bsNecessaryCookie';
    const demoCookieValue='demo-cookie';

    // alert("adding cookie writing algorithm");
    const bsv=Cookies.get(bsCookieSettings);
    if (bsv) {
      const allowedCookies=JSON.parse(bsv);
      // alert(allowedCookies.level);

      if (allowedCookies.level.includes(analytics)) {
        // alert("writing analytic cookies");
        if (!(Cookies.get(analyticDemoCookie))) { 
          Cookies.set(analyticDemoCookie, demoCookieValue, { expires: 100, path: '/' });
        };
      };
      if (allowedCookies.level.includes(advertising)) { 
        // alert("writing advertising cookies"); 
        if (!(Cookies.get(advertisingDemoCookie))) { 
          Cookies.set(advertisingDemoCookie, demoCookieValue, { expires: 10, path: '/' });
        };
      };
      // alert("writing necessary cookies"); 
      if (!(Cookies.get(necessaryDemoCookie))) { 
        Cookies.set(necessaryDemoCookie, demoCookieValue, { expires: 14, path: '/' });
      };
    };
  });

  // Do your other stuff here

}); // jQuery End

Background

We could set and evaluate cookies with native JavaScript. Nevertheless, it’s easier with ready-made libraries. WordPress already brings jQuery with it. For using that, bootScore offers us a way to add custom JavaScript/jQuery functions to our bootScore child theme.

There used to be a real jQuery-Cookie-Plugin for cookie management. This has since been archived and migrated to an independent js-cookie-JavaScript library. To use that, we must download it and place it into the JavaScript folder of our child theme — under the name js/js.cookie.min.js. As described above, we also must enforce the function bootscore_child_enqueue_styles() of our file functions.php to load that library.

Eventually, we should implement an algorithm for evaluating the cookie settings by expanding the file js/custom.js. That algorithm should work like this:

First, we try to read the cookie bootScore-Cookie-plugin stores under the name bs_cookie_settings.
If it doesn’t exist yet, our reader hasn’t agreed to use cookies. So we are not allowed to write any yet.¹
Once our reader has ‘confirmed’ the cookie dialog to whatever extent, the bs cookie plugin stores the cookie bs_cookie_settings. Its value contains a JSON object:

{  "level": 
    [   "necessary",
        "analytics",
        "advertising"
    ],
    "revision":0,
    "data":null,
    "rfc_cookie":false
}

Thus, we must parse that JSON object before we can — on the JavaScript level — access the list of allowed cookie groups via allowedCookies.level and use the method includes of a list object to query which of the cookie groups necessary, analytics, and /or advertising our reader has allowed us to write.
And for each allowed group we now may write the corresponding cookies.²

And a last hint: JavaScript modifies pages dynamically. But the cache stores the respective results. Thus, sometimes it’s helpful if we delete the cache for getting the results of our modifications run.

And how does this …

… support our migration to bootScore? Well, besides her normal design work, the web-designer must deal with some legal requirements, as — for example — those of the DSGVO privacy, of having a cookie consent dialog and the respective semantic, of having a data privacy page, an imprint, an image reference page, and a FOSS compliance page. This post shall support you to manage your legal issues.

Yes, formally we may write the technically necessary cookies without our reader’s consent. But before we do that, we must inform her that we are going to do so. And the only way to convince ourselves that she has indeed read it is to wait for the written cookie.
whereby we refer to the legal permission for the technically necessary cookies

The post Cookies — properly managed by bootScore appeared first on FODINA 4 FOSS.

Cookies — properly used in bootScore

Karsten Reincke — Fri, 15 Sep 2023 10:03:01 +0000

Without permission, we may not write cookies to the hard disk of our reader. Because it belongs to her, not to us. By accessing our site, she has already implicitly given her consent to store our technically necessary cookies. Because they are technically necessary to read our post. But she must explicitly permit us to save the other cookies on her computer before we are going to do so. Moreover, we must have enabled her to query what these cookies are for before we offer her to answer our request. That’s the meaning if we talk about properly used cookies.

[ en | de ]

For this, bootScore offers us a configurable cookie approval dialogue evaluated by the bsCookie-plugin:

Solution

Download bsCookie.
Install the zip file via the plugin management of your WordPress backend.
Determine the cookies you want to install on your reader’s computer.¹
Assign each of these cookies to one of the groups ‘necessary’², ‘advertising’ or ‘analytics’.
In the dialog ‘Appearance/Widgets’ drag a widget ‘Customer HTML’ into the widget group Footer‑4.
Enter the script lines into that sub-widget as offered by bsCookie documentation.
For each of your plugins add an entry into the corresponding section.
Link your privacy page into the dialog by replacing #yourprivacypolicy accordingly.
Translate the texts into the language of your site (or create an additional entry according to your multilingual strategy).

Background

Asking for permission to write cookies via a dialogue is only one side of the coin. Cookies can also store (personal) (identification) data. So, the respective web server can ask for that information and hand it over to third parties. Hence, we must mention such cookies in our data protection concept additionally. To enable our readers to call this page directly from the cookie consent dialogue, the bsCookie dialogue text contains a link whose value #yourprivacypolice we should aling accordingly.

It has become a good tradition to group cookies functionally and to ask once for the complete group whether we may file the respective cookies. That’s legally not necessary: We could also let the use of cookies agree or disagree quite generally.³ Or we could make every single cookie selectable or deselectable — which would overload the dialogue.

However, at first, we need to know which cookies our site writes and what the cookies actually do. Our browsers can support us. For example, by means of its ‘Privacy and Security’ dialog. Or with the help of a browser plugin⁴, which shows directly for each called site/page, which cookies have been written by it. But what our cookies do, we have to determine separately.

Once we have grouped our cookies functionally, we only need to create the appropriate groups as sections in the bsCookie dialog. Then we must insert for each cookie — associated with that group — an entry in the respective section. For the three common groups ‘necessary’, ‘advertising’, and ‘analytics’ bsCookie already provides the respective code. If these groups fit our needs, it is sufficient for us to describe the cookies in and with the single entries. Assuming we wanted to get permission to write the three cookies necessaryBsCookie, advertisingBsCookie, and analizingBsCookie, the JavaScript code of the bsCookie consent dialogue should look like this:

Entering the information into the code of the cookie consent dialogue is one thing. Activating the code is another. To do that, we put the customized bs-cookie-settings JavaScript code into a Custom HTML element that we added to the Footer 4 widget. In principle, we could embed the Custom HTML element in other widgets as well. However, bsCookie suggests Footer 4 because the JavaScript code should be embedded at the end of a page. Anyway, all pages using a template containing the Footer 4 widget will then display the cookie. That’s the method of how we solve the problem of ‘deep links’.⁵

That left us with three final tasks:

First, we will often want to linguistically customize our consent dialogue as well. For that purpose, we can modify the JavaScript code mentioned above.

Secondly, the dialog color is determined by the definition of the functional color $warning. Those who nevertheless want to customize the dialog may use her file _bscore_custom.scss:


// design the bsCookie-Dialog
#c-inr {
  border-color: darkblue;
  border-width: 2px;
  border-style: solid;
  background-color: #eef;
  color: blue($color: #000000);
  padding: 5px;
}

#c-p-bn {
  border-color: darkblue;
}

#c-s-bn {
  border-color: darkblue;
}

Third, we need to implement the semantics of the cookie consent dialog. If we want to walk the talk, we need to implement our ‘storing the cookie JavaScript code’ in a way that it writes only the technically necessary cookies without consent, and that it otherwise stores only the cookies from the groups for which there is consent.

I will take up this last point in a separate post …

And how does this …

We have to keep in mind that our plugins can also try to store cookies. So it’s not enough to just look for the corresponding JavaScript commands in our own posts and pages
Cookies that we assign to this group will lastly be placed on our reader’s hard drive even without explicit consent, precisely because they are technically necessary. So we must be able to prove if necessary that these cookies are indeed technically necessary.
However, greater granularity is in our interest. Because if a reader doesn’t want one thing — e.g. advertising — she could still allow the other — e.g. analytics. That way, we would still learn at least a part of what we hoped to learn overall.
e.g. with the Cookie Editor
We must keep in mind that our readers could directly call links to deeper embedded pages. Even in this case, we may only write cookies, if we are allowed to do so.

The post Cookies — properly used in bootScore appeared first on FODINA 4 FOSS.

Using JavaScript Compliantly

Karsten Reincke — Wed, 17 May 2023 08:26:57 +0000

To speed up deliverability, the developers mostly distribute compressed JavaScript libraries that do not contain any whitespaces, line feeds, and comments. They have minified the libs. As a result, they usually contain only very rudimentary license information — at least not the license text itself. But all FOSS licenses require us to ship some compliance artifacts with the code — especially the license text. This is the challenge for using JavaScript compliantly — in bootScore and elsewhere:

[ en | de ]

Solution

Use the Bootstrap JavaScript library as delivered by bootScore
Use the JavaScript libraries as delivered by WordPress
Create a table containing the JavaScript compliance information
For each JavaScript library delivered by bootScore or WordPress create a respective row in your JS table.
Embed this table into your Open Source Compliance Page
Make this Open Source Compliance Page accessible by the footer of your pages

Background

bootSCore contains some JS components. For example, its own unfolded JavaScript libraries¹ — implicitly licensed under the MIT license but without any explicit licensing statement — and the minified Bootstrap JavaScript library² — explicitly licensed under the MIT by a respective licensing statement. But none of them contain the license text itself.

Also, WordPress brings with it some own and some minified 3rd party JavaScript libraries³, like the jQuery library⁴ that is licensed under the MIT and contains a respective licensing statement, but does not cover the license text itself. Regardless, of whom the site owner has got these libs — from bootScore or WordPress -, eventually it is she who has to fulfill the license requirements because it is her system that distributes the JavaScript libraries to her readers.

But what is actually the challenge?

Like the JavaScript libraries of Bootstrap and jQuery, most JS libraries are MIT licensed. It requires that the copyright line and the license text are distributed together with the open-source program. “The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.“⁵

For (L|A)GPL-licensed JavaScript libraries it is nearly the same. These licenses permit the distribution of the source code “provided that one conspicuously and appropriately publishes on each copy an appropriate copyright notice and disclaimer of warranty […] and gives any other recipients of the Program a copy of this License along with the Program”.⁶

So, we see a contradiction between the claim of the licenses and the everyday practice. On the one side, a browser not only loads down the page text (HTML) but also the JavaScript library. This download distributes the code and hence triggers the necessity to fulfill the open-source license requirements. On the other side, usually, the compressed libraries — although as a package often offered by the authors — no longer contain the required license information: the smaller the libs, the faster the machine can display the site using that libs.

As site owners, we have two options to deal with this challenge. Either we subsequently (and (semi) manually) heal the packages we implicitly have taken over by using WordPress and bootScore. Or we use them as we’ve got them. It’s clear: Healing would imply that we redo that job whenever we update WordPress or bootScore. So, we tend to go the other way.

The solution is this:

Whenever developers decide to distribute minified JavaScript libraries, they also assume that their ‘customers’ use their work in that version. That is a reasonable assumption. So, we may derive that they implicitly permit that kind of use even if it violated the license they’ve chosen. Nevertheless, we should offer our users another option to get the required information. A substitute for bundling the license text, the copyright information, etc. with the JavaScript libraries themselves. However, we must take care only to include the minified JavaScript libraries the developers themselves have provided. In the case of the Bootstrap-JS-Lib in bootScore and the Jquery-JS-Lib etc. in WordPress, we may assume that they did so.

If we apply this process to our 3rd. party JS libraries, we have a strong argument for our position in case of a legal dispute — I’ve never heard of one — and we’re in good company: Even the FSF is proposing to do so.⁷ And the FSF really doesn’t have a reputation for taking license compliance lightly.

And in what way is this …

… part of the overarching topic FOSS Compliance? For fulfilling the requirements of FOSS licenses, we have to consider specific individual cases as well as side effects — for software, pictures, or documents. We should unhide trends and write guidelines. Above all, however, we must drive forward the automation of license fulfillment, make our licensing knowledge freely available, cast it into smaller tools, and bring it into larger systems: Because FOSS thrives on freedom through license fulfillment, large and small. That’s what also this article is about.

cf. ./bootscore/js/theme.js
cf. ./bootscore/js/lib/bootstrap.bundle.min.js
cf. https://codex.wordpress.org/Javascript_Reference respectively ./wp-includes/js
cf. wp-includes/js/jquery/
cf. MIT License
pars pro toto cf. GPL‑2.0. Additionally, the (A)GPL requires that we license our code that uses the (A)GPL-licensed library, etc. also under the (A)GPL (copyleft effect). But that’s not the point in this context.
cf. https://www.gnu.org/licenses/javascript-labels.html, https://www.gnu.org/licenses/javascript-labels-rationale.html, and https://www.iusmentis.com/computerprograms/opensourcesoftware/license-notices-web-applications

The post Using JavaScript Compliantly appeared first on FODINA 4 FOSS.

Data Privacy, DSGVO, and Cookies

Karsten Reincke — Fri, 21 Apr 2023 09:33:10 +0000

Often the website operator is told, that Data protection is complex and has to be organized by experts. But what if she doesn’t have the money for that? If it seems somehow nonsensical to shoot at a sparrow blog with the cannon of a paid team of experts? Then — maybe and with the help of Google — she installs some popular WordPress plugins for data privacy and DSGVO and/or cookies — in the hope that all goes well. Or she investigates it in more detail. And in the end, she perhaps gathers rules of thumb, from which at least one well-workable way results. Here are my 3.7 rules of thumb, applied to my own data privacy file:

[ en | de ]

Solution

I. Use only the personal data that you really need for the functioning of your system.
II. If you collect personal data, tell the owners,
- that you are going to do so,
- for what purpose you use the data,
- what legal basis authorizes you to do so,
- with whom you share the data,
- how long you will store it,
- how they can ask you which data you have stored over time
- how they can have the data deleted again.
III. If you store data on the computer of your users, which they did not request directly or indirectly, ask them beforehand for permission.

Background

If I proceed according to this — so I make myself believe again and again — I will design my sites in a way that I avoid the roughest traps¹ and errors². Because I always have one thing in mind: with a mere cookie banner it is not done:

The first thing I consider is where my blog as a system collects personal data. The ones that I explicitly request in and with forms are the easiest for me to notice and remember. Here I know — qua office — what I do with them and to whom I pass them etc.
Furthermore, I am aware that IP addresses are also considered personal data — although the internet would not function without them.
Additionally, WordPress can collect, note, and send data to third parties — as well as the plugins I’ve activated, the JavaScript libraries I’ve installed, the Google fonts I’ve integrated, etc., etc.
Eventually, my commenters are usually made recognizable via the common Gravatar system.

I have to sort out this mishmash:

Rule (I) tells me that less is more: the fewer data I ask for and the fewer plug-ins I use, the leaner my data protection concept can be. So I clean out here, e.g. by treating productive and developing systems differently.
Rule (II) tells me that I must actually describe the remaining data sets in the data protection concept. So I also determine what data my plugins, font requests, and other technical components collect, how they store it, and where they pass it on.
Rule (III) tells me that I have to get permission to write files, i.e. cookies, to my user’s computer — either by law, as in the case of technically necessary cookies, or by consent of my user. And to get this consent, it is helpful to specify the purpose and effect.

My next posts describe how I have implemented this in my bootScore-based site concretely.

And how does this …

The post Data Privacy, DSGVO, and Cookies appeared first on FODINA 4 FOSS.

Getting Nice Pictures — Where From, If Not Steal?

Karsten Reincke — Thu, 02 Mar 2023 22:18:31 +0000

I love ZEN presentations. For that, you need pictures. Many pictures. Good pictures. Fortunately, it is technically easy to integrate photos from the internet into your own site. What is challenging, however, is getting nice pictures legally.

[ en | de ]

Solution

First, use image databases whose pictures are released under the terms of the CC0 license.¹ E.g. pxhere² or openclipart.³
Then evaluate image databases whose pictures have been published under any different Creative Commons license. E.g. Wikimedia⁴, flicker.com/creativecommons or piqs.de
But avoid images that are licensed under a CC-??-NC-??⁵ license.⁶
And meticulously fulfill the other conditions, such as attribution. A good place to do that is a page with image credits.
Finally, be careful if you use an image database that distributes its images under its own license, which is equivalent to a CC0 license, but excludes certain uses after all.⁷. E.g. pexel⁸, unsplash⁹, or pixabay¹⁰)
Avoid, if possible, image databases that mix commercial paid images with free.¹¹ E.g. freephotos or the nounproject
Definitely avoid meta image databases in any case.¹²

Background

Images, photos, and logos are also subject to copyright law. Often also of the trademark law. Without the photographer or owner granting us the rights of use, we are not allowed to use their photographs and logos. Moreover, even what is pictured can limit our exploitation — while the freedom of art expands our scope. How does a user get out of this ‘snake pit’ unscathed?

On the first attempt, it seems easy. After all, most of the time, the author will only want to ‘illustrate’ her posts. But if she has linked a web store or consulting offer to her site, she earns money indirectly with the images. And thus she uses the images commercially. So again the question is, what can she do?

I have outlined my way above. Two additions to this:

When it comes to ‘logos’, I search the web presence of the logo owners. Often they tell us explicitly what we can and cannot do with their logos. And this is even true for non-profit organizations, like the OSI((for logo usage cf. https://opensource.org/logo-usage-guidelines/)) or those of the Gimp((for logo usage cf. https://github.com/GNOME/gimp/blob/master/docs/Wilber.xcf.gz.README)).
When it comes to what is pictured, I follow two rules of thumb:
- Be careful with people and products depicted — they’d rather not.
- Caution with unknown buildings

And in what way is this …

We’re allowed to use those for no consideration, after all.
for licensing see https://pxhere.com/en/license
for licensing cf. https://openclipart.org/faq
for licensing cf. https://commons.wikimedia.org/wiki/Commons:Licensing/de
for the layer model of CC licenses, see https://creativecommons.org/licenses/
Because legally even the simplest blog can still be interpreted as a commercial enterprise.
Challengingly, these databases often allow commercial use, but at the same time prohibit the sale of the images, even in print, or their incorporation into other databases
for licensing cf. https://www.pexels.com/license/
for licensing cf. https://unsplash.com/license
for licensing cf. https://pixabay.com/de/service/license/
Too great the risk that you pick a non-free image.
What exactly applies here is very hard to track there.

The post Getting Nice Pictures — Where From, If Not Steal? appeared first on FODINA 4 FOSS.

A Picture Credit Page? Really?

Karsten Reincke — Wed, 01 Mar 2023 09:10:45 +0000

I don’t buy images. Never. I take my own pictures. Or I use free images released under a Creative Commons License. Or in the ‘public domain’. Some image databases offer their photographs under their own licenses, equivalent to the free licenses, as long as I do not make their images publicly available through another image database. I accept that as well. And as open-source licenses do, too, some ‘picture’ licenses impose certain duties on me. Thus, I need a picture credit page:

For example, sometimes I have to say where I got the image, who its photographer is, and what license it is under. The right place to fulfill such conditions is a page for image credits¹:

[ en | de ]

Solution

A Table For Image Credits

Create a page ‘Image Credits’ and include it on your site like your imprint
Install the plugin TablePress.
Create a table with the 4 columns ‘Picture’, ‘Download & Licensing’, ‘License’, and ‘Attribution’.
Include this table in your page Image Credits by using the TablePress shortcode.

A New Image Reference

Add a new row to the image reference table.
Concerning the first column ‘IMAGE’
- open the media library, click on the new image and remember its ID, which is displayed in the browser URL.
- enter the already-known short code wrong image data.
In the second column, link an appropriate text to the same image in the database. If the target page does not contain a licensing statement, add a second link in the same column that leads to the licensing statement of the picture database.
In the third column, link the license name to the license text, preferably in the version from the image database.
In the fourth column, enter all the information that the license requires.

Background

First things first: The WordPress plugin TablePress is actively maintained and is — according to the file readme.txt — GPL‑2.0 licensed. So this is a ‘flawless’ piece of Open-Source software.

Finally, the more complex aspects: Why do we need an image credit at all? Formally, we don’t! We just need to fulfill in some way every requirement of the license that has been linked to the image we are using. But the license compliance itself is non-negotiable for the sincere user: either she respects the terms of the license, or she does not use the image.²

That’s why I make things simple for myself: I enter every image into my table for image credits according to the marked pattern. Even those, where I am free to say nothing — like with PxHere pictures. And if I follow the pattern, nothing slips through my hands either. Hopefully.

To that end, I’ve written myself a set of short codes that make it a snap to add a new image to the table. I will gladly pass on these codes on request.

And how does this …

… support our migration to bootScore? Well, once started with improving the image handling, a web designer will also notice the blurred ‘featured images’ of bootScore. She will try and refine solutions. And she may also tackle them with new HTML‑5 techniques. Because with that, a fancier image strategy combined with an integrated license fulfillment process and its own logo will really make sense. However, pictures bring colors to reading. So they should be integrated into a customized color concept. This post also contributes something to this topic.

BTW: In the European legal space, there is no such thing as ‘public domain’. But we can usually use the images published in this way in America
I have already written about image trolls and their ‘business model’

The post A Picture Credit Page? Really? appeared first on FODINA 4 FOSS.

A Copyright Line As Feeding For Your Footer

Karsten Reincke — Tue, 07 Feb 2023 18:56:10 +0000

In the European legal area, exploitation rights inherently belong to the author of a work. She does not have to do anything else. In the American legal area, things are different. There, every work falls into the ‘public domain’ by default. Only when the author actively claims her ‘copyright’, the work belongs to her. Thus, having in copyright line in your footer could be helpful for you:

But what happens with original European works in the American legal area? Without claiming authorship, they probably fall into the public domain. So an author is well advised to mark her European publications with a copyright notice, even if this seems superfluous from the European viewpoint.¹ And so she should keep it with her Internet sites.

[ en | de ]

Solution

Add the following line to the file scss/_bscore_custom.scss of your child theme:

.bootscore-copyright {display: none;}

Add a text box to the new widget Footer Info arising under Appearance/Widgets.

Background

Until version bootScore 5.2.3.3, we had to create a widget for the copyright line ourselves and activate it in the footer.php file. With version 5.2.3.4, the bootScore authors have thankfully taken this idea of an editable CR-Line and provided the widget ‘Footer Info’ for it. In this sense, I have updated the solution and background information.

So, eventually, there is the question of location and copyright sign in the line. In this case, the form is rather secondary: you are not obliged to use the HTML tag $copy; for ©. You can also use images like or — very old-fashioned — the string (C). You also do not need to add a town or a country. In case of dispute, you only have to prove that You are You. That’s why I often add my place of residence and my nation. Does that work? No idea. I’m not a lawyer and I don’t give advice; I just tell. And I have never been involved in a dispute.

And how does this …

… support our migration to bootScore? Well, if a web designer must abandon her current WordPress theme, she needs a replacement. A free ‘off-the-shelf’ theme, she probably wants to personalize. First a bit cosmetically, then in terms of the gray value of her pages, multilingualism and internal reference techniques and linking. Finally, she perhaps enables special footers, a secondary menu or a copyright notice before checking the SEO features of the selected theme. This is a way that this post supports too.

Therefore the FSF says that the free GNU software is first put under copyright and then becomes copyleft software by means of the GPL.

The post A Copyright Line As Feeding For Your Footer appeared first on FODINA 4 FOSS.

The Bitkom Open Source Guide 3.0

Karsten Reincke — Mon, 11 Jul 2022 13:57:29 +0000

For 6 years, the Bitkom Open Source Guide 2.0 was a tutorial for the appropriate use of open-source software. It was a benchmark for German companies. But it has aged over time, naturally. Good that Bitkom and its ‘Open Source’ working group have taken up the topic again: In June 2022, there was officially released an expanded and refined Bitkom Open Source Guide 3.0, — again intended to be a manual and a benchmark for companies

[ en | de ]

The one amazing thing is that with this guide, Bitkom has published a ‘handout’ under a (kind of) open-source license for the first time, that is to say: under a Creative Commons license (CC BY-ND 3.0 DE). Apparently, the idea of a freely accessible service is also coming to the fore at Bitkom. That gives his voice even more weight. But it is understandable that Bitkom does not allow third parties to modify the work (ND = Non Derivation). It wants to preserve the gained quality and reliability. However, by using this CC license Bitkom permits any other type of use by third parties, including commercial use. And in the not-too-distant future, Bitkom will certainly bring itself to make the sources generally accessible, not just in a ‘closed’ GitHub organization.

The second astonishing thing is related to this. Bitkom has allowed its authors to organize themselves via and with GitHub. Anyone could take part. Anyone could become a member of the organization and thus access the GitHub repository containing the (partial) results. Bitkom has — again, for the first time and successfully — developed a book using the methods of open-source software development. The authors wrote the chapters of the Bitkom open-source guide in Markdown. Then they checked their modifications into the repository as snippets. Eventually, they combined them as a complete work via incidents and pull requests, although by no means all authors were familiar with GitHub from the beginning. This fact also points beyond itself: Git, GitHub or GitLab can significantly simplify (cross-company) cooperation and collaboration.

And the third amazing thing is the transformation of the content. While the release 2.0 still focused on the legal aspects of use, the new Bitkom Open Source Guide 3.0 is much more comprehensive and balanced: It discusses both, the benefits of FOSS and its development process. It analyzes the integration into business models and corporate strategies, explains open source compliance, and considers the FOSS history — each on almost the same number of pages. The other aspects of FOSS are no longer an appendage of compliance. The BOSL‑3.0 takes the prerequisites for the successful use of open-source software into account generally, without reducing the topic of ‘license compliance’. And each section, with only 10–20 pages, can easily be used to get a quick overview.

What does this mean for companies? Well, for the moment, BOSL‑3.0 is still a German guideline. But with it, the companies get another reliable guideline that external experts have reviewed several times.

And in what way is this …

The post The Bitkom Open Source Guide 3.0 appeared first on FODINA 4 FOSS.

CC-BY Image Trolls

Karsten Reincke — Sat, 26 Feb 2022 14:31:53 +0000

A presentation without images sucks. Therefore, we are sometimes tempted to take some from the Internet for beautifying our work. There are so many excellent pictures on the World Wide Web. But to legally inserting a foreign picture in one’s own presentation is not that easy. Unfortunately, a new type of troll has emerged recently, the CC-BY image trolls:

[ en | de ]

If we reuse pictures from the Internet, we have to respect the copyrights of the painters or photographers, just as we have to pay license fees to the patent owners, if we use their techniques, or as we have to fulfill the license requirements if we reuse open-source software. Recently, a new type of troll has emerged, the ‘image troll’.[1] It is good to know how they work and how we can protect ourselves from falling victim to them:

Often, free pictures are released under one of the Creative-Commons Licenses. They are similar to Open-Source Licenses: both follow the principle of ‘Paying by Doing’. Instead of paying for getting the right to use licensed objects, you have to do something. Which rights you get and what you have to do depends on the license. There exists a complex system of creative commons licenses[2], but nearly all of them have a ‘BY’ clause indicating, that you must give the photographer’s name, state the license version, and include a link to download the image and a link to download the license text.[3]

These BY-conditions are — as the discoverer of the image trolls said — “[…] easy to get wrong”.[4] That’s the one ingredient an image troll needs: the easier it is to miss the conditions, the more potential victims he has.

The second ingredient is, that earlier versions of the CC-licenses — like the license CC-BY 2.0 or the license CC-BY 3.0 — contain a “Termination” clause: “This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License.”[5] The meaning of this clause is, that you ‘lose’ the rights of use the moment you fail to fulfill a condition.

One can recognize the explosiveness of such a clause from the fact that the license CC-BY 4.0 also contains a termination clause, but additionally provides the possibility to heal a violation: It says that the terminated rights “[…] reinstates automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation […]”.[6]

As a third ingredient an ‘image troll’ needs a method to automatically find the users of his pictures and to analyze whether he failed to fulfill the requirements. Meanwhile, the internet offers a very well-established technique to automatically search for similar images on the Internet.

The fourth ingredient an ‘image troll’ needs is a legal system granting him large compensation payments for rights violations. The USA has such a legal system.

So, how does an image troll work? He only must create nice pictures and publish them in a well-used image database under any CC license with a termination clause. That becomes his “honeypot”. After that, he must automatically crawl the internet for his picture and analyze whether his ‘customers’ have fulfilled his conditions. If not, he can file a lawsuit against the respective user — his next victim. And at least in the USA, we talk about “statutory damages” up to $150.000.[7]

What can we do to protect ourselves from such attacks, which are legal but at the very least go against the spirit of free software and documents?

The best method to protect yourself is a) to perfectly know under which terms the pictures you are going to reuse are licensed, and b) to thoroughly fulfill all license requirements.
A good method is to focus on CC0 licensed pictures[8] as — for example — offered by pxhere.com[9]: a license, which does not require anything, cannot be misused to file a lawsuit against you.
Another good method is to focus on CC-BY-xyz 4.0 licensed pictures.[A] While you must also thoroughly comply with all licensing requirements, at least you have a chance to iron out your mistakes.
If you want to use CC-BY-xyz 3.0 or earlier licensed pictures, you should read and apply the license text, not only the summaries, offered by creative commons.

But ignoring image copyrights altogether and just grabbing off the internet what you think you need is the most certain way that any copyright owner will catch you up in a lawsuit. Just as using Open Source Software without fulfilling the license requirements or using patented techniques without paying the license fees.

And in what way is this …

[1], [4], [7]: cf. https://doctorow.medium.com/a‑bug-in-early-creative-commons-licenses-has-enabled-a-new-breed-of-superpredator-5f6360713299. This article reports on aspects that Cory Doctorow has outlined first. He talks about ‘copyleft trolls’. But I think that using pictures inadequately is the most dangerous.
[2]: cf. https://creativecommons.org/about/cclicenses/
[3]: cf. https://creativecommons.org/licenses/by/4.0/legalcode, Section 3 Attribution. It is worth to know the CC organization provide summaries that condense these conditions to the one sentence ‘Credit must be given to the creator’ (cf. https://creativecommons.org/licenses/by/3.0/). Hence, you are not free to acknowledge the author just as you want.
[5]: cf. https://creativecommons.org/licenses/by/2.0/legalcode or https://creativecommons.org/licenses/by/3.0/legalcode
[6]: cf. https://creativecommons.org/licenses/by/4.0/legalcode
[8]: cf. https://creativecommons.org/publicdomain/zero/1.0/
[9]: cf. https://pxhere.com/en/license
[A]: cf. https://creativecommons.org/licenses/by/4.0

The post CC-BY Image Trolls appeared first on FODINA 4 FOSS.