Open source is still not a business model

If you thought 2021 was going to be the year without big drama in the world of open source licensing, you didn’t have to wait long to be disappointed. Two stories have already sprung up in the first few weeks of the year. They’re independent, but related. Both of them remind us that open source is a development model, not a business model.

Elasticsearch and Kibana

A few years ago, it seemed like I couldn’t go to any sysadmin/DevOps conference or meetup without hearing about the “ELK stack”. ELK stands for the three pieces of software involved: Elasticsearch, Logstash, and Kibana. Because it provided powerful aggregation, search, and visualization of arbitrary log files, it became very popular. This also meant that Amazon Web Services (AWS) saw value in providing an Elasticsearch service.

As companies moved more workloads to AWS it made sense to pay AWS for Amazon Elasticsearch Service instead of paying Elastic. This represented what you might call a revenue problem for Elastic. So they decided to follow MongoDB’s lead and change their license to the Server Side Public License (SSPL).

The SSPL is essentially a “you can’t use it, AWS” license. This makes it decidedly not open source. Insultingly, Elastic’s announcement and follow-up messaging include phrases like “doubling down on open”, implying that the SSPL is an open source license. It is not. It is a source-available license. And, as open source business expert VM Brasseur writes, it creates business risk for companies that use Elasticsearch and Kibana.

Elastic is, of course, free to use whatever license it wants for the software it develops. And it’s free to want to make money. But it’s not reasonable to get mad at companies using the software under the license you chose to use for it. Picking a license is a business decision.

Shortly before I sat down to write this post, I saw that Amazon has forked Elasticsearch and Kibana. They will take the last-released versions and continue to develop them as open source projects under the Apache License v2. This is entirely permissible and to be expected when a project makes a significant licensing change. So now Elastic is in danger of a sizable portion of the community moving to the fork and away from their projects. If that pans out, it may end up being more harmful than Amazon Elasticsearch Service ever was.

Nmap Public Source License

The second story actually started in the fall of 2020, but didn’t seem to get much notice until after the new year. The developers of nmap, the widely-used security scanner, began using a new license. Prior to the release of version 7.90, nmap was under a modified version of the GNU General Public License version 2 (GPLv2). This license had some additional “gloss”, but was generally accepted by Linux distributions to be a valid free/open source software license.

With version 7.90, nmap is now under the Nmap Public Source License (NPSL). Version 0.92 of this license contained some phrasing that seemed objectionable. The Gentoo licenses team brought their concerns to the developers in a GitHub issue. Some of their concerns seemed like non-issues to me (and to the lawyers at work I consulted with on this), but one part in particular stood out.

Proprietary software companies wishing to use or incorporate Covered Software within their programs must contact Licensor to purchase a separate license

It seemed clear that the intent was to restrict proprietary software, not otherwise-compliant projects from companies that produce proprietary software. Nonetheless, as it was written, it constituted a violation of the Open Source Definition, and we rejected it for use in Fedora.

To their credit, the developers took the feedback well and quickly released an updated version of the license. They even retroactively licensed affected releases under the updated license. Unfortunately, version 0.93 still contains some problems. In particular, the annotations still express field of endeavor restrictions.

While the license text is the most important part, the annotations still matter. They indicate the intent of the license and guide the interpretation by lawyers and judges. So newer versions of nmap remain unsuitable for some distributions.

Licenses are not for you to be clever

Like with Elastic, I’m sympathetic to the nmap developers’ position. If someone is going to use their project to make money, they’d like to get paid, too. That’s an entirely reasonable position to take. But the way they went about it isn’t right. As noted in the GitHub issue, they’re not copyright attorneys. If they were, the license would be much better.

It seems like the developers are fine with people free-riding profit off of nmap so long as the software used to generate the profit is also open source. In that case, why not just use a professionally-drafted and vetted license like the AGPL? The NPSL is already using the GPLv2 and adding more stuff on top of it, and it’s the more stuff on top of it that’s causing problems.

Trying to write your business model into a software license that purports to be open source is a losing proposition.

Book review: Habeas Data

What does modern technology say about you? What can the police or other government agencies learn? What checks on their power exist? These questions are the subject of a new book from technology reporter Cyrus Farivar.

Habeas Data (affiliate link) explores the jurisprudence that has come to define modern privacy law, with interviews with lawyers, police officers, professors, and others who have shaped the precedent. What makes this such an interesting subject is the very nature of American privacy law. Almost nothing is explicitly defined by legislation. Instead, legal notions of privacy come from how courts interpret the Fourth Amendment to the United States Constitution. This gives government officials the incentive to push as far as they can in the hopes that no court cases arise to challenge their methods.

For the first two centuries or so, this served the republic fairly well. Search and seizure were constrained to the physical realm. Technological advances did little to improve the efficiency of law enforcement. This started to change with the advent of the telegraph and then the telephone, but it’s the rapid advances in computing and mobility that have rendered this unworkable.

As slow as legislatures can be to react to technological advances, courts are even slower. And while higher court rulings have generally been more favorable to a privacy-oriented view, not everyone agrees. The broad question that courts must grapple with is which matters more: the practical effects of the technology changes or the philosophical underpinnings?

To his credit, Farivar does not claim to have an answer. Ultimately, it’s a matter of what society determines is the appropriate balance between individual rights and the needs of the society at large. Farivar has his opinions, to be sure, but Habeas Data does not read like an advocacy piece. It is written by a seasoned reporter looking to inform the populace. Only by understanding the issues can the citizenry make an informed decision.

With that in mind, Habeas Data is an excellent book. Someone looking for fiery advocacy will likely be disappointed, but for anyone looking to understand the issue, it’s a great fit. Technology law and ethics courses would be well-advised to use this book as part of the curriculum. It is deep and well-researched while still remaining readable.

It has its faults, too. The flow of chapters seems a little haphazard at times. On the other hand, they can largely be treated as standalone studies on particular issues. And the book needed one more copy editing pass. I saw a few typographic errors, which is bound to happen in any first-run book, but was jarred by a phrase that appeared to have been accidentally copy/pasted in the middle of a word.

None of this should be used as a reason to pass on this book. I strongly recommend Habeas Data to anyone interested in the law and policy of technology, and even more strongly to those who aren’t interested. The shape that privacy law takes in the next few years will have impacts for decades to come.

American Broadcasting Companies v. Aereo

The Internet is abuzz with discussion in the wake of today’s ruling in American Broadcasting Companies v. Aereo, but I can’t let it go by without offering my own opinion. As a “cord cutter” who lives an hour away from most of the over-the-air broadcasters, I have a personal interest in an Aereo-like service. I’d much rather pay $8/month to receive local television broadcasts over the Internet than to pay to install and maintain an aerial antenna. So it was with much dismay (but little surprise) that I read that the Supreme Court ruled 6-3 against Aereo.

I won’t presume to say that I know the law better than six justices of the nation’s highest court. Indeed, I’m not convinced that the ruling is incorrect from a legal standpoint. It’s certainly true, as the majority held, that Congress acted in 1976 to prevent the retransmission of broadcasts by community antenna TV (CATV) systems. Aereo, according to the majority, is similar to the old CATV systems. The fact that the underlying technology is substantially different from CATV (particularly in that there’s a 1:1 correspondence between receiver and customer as opposed to the one-to-many of CATV) is irrelevant; only the customer-facing experience matters.

As Justice Scalia noted in his dissent, that’s a lousy argument. I’ll grant that Aereo was slavishly devoted to the strict letter of the law (a less generous description is “exploiting the hell out of loopholes”), but the technical implementation matters. Aereo subscribers have their own antenna (ephemerally-assigned, as I understand it) and their recordings are stored in their own account. It’s not much of a leap (except in the cost) to provide an antenna and run a coaxial cable directly from the antenna to the customer’s television. At that point, it would be very difficult to argue that the service provider is “performing”, even by the ludicrously broad definition in the 1976 update to the Copyright Act.

Even if the Court’s ruling today is technically correct for this specific case, I worry about the impact it will have on technological advances in general. While the majority took care to say that “those who act as owners or possessors of the relevant product”, you have to imagine that some enterprising entertainment lawyer is looking to step up the attack on services like Slingbox. Just as rulings against Napster, Grokster, and others have failed to end file sharing, consumers will still be able to find content they want online. It’s just a matter of whether or not the creators and distributors get paid for it. The content industry has shown to be remarkably out of tune with the consumer, and the Aereo ruling only delays the inevitable.

Of course, Aereo isn’t exactly being forced to shutter. They can stay in business by paying retransmission fees to the broadcasters (assuming such an option is economically viable for them). This is probably the outcome that would make the broadcasters happiest. The real money these days is in retransmission fees, not advertising, so broadening the viewer base without broadening the pool of people paying for content they’re entitled to (by virtue of living within the broadcast range of the station) isn’t nearly as lucrative. Alternately, if Aereo provided a specific antenna to each user (such that the user owned the antenna and Aereo just housed it), that might be sufficient to meet the conditions established in today’s ruling.

It’s unlikely that Aereo will do anything but shut down. Aereo’s CEO has said “there is no plan B”. While the Court’s ruling today may have been correct, it is wrong.

Liable for sending texts to drivers?

On episode 225 of This Week in Law, the panel discussed a recent appeals court ruling in New Jersey. According to a summary by Jeremy Byellin, the court left open the possibility that someone sending a text message to a driver might be held liable for civil damages if the driver is distracted and gets into an accident. I haven’t been able to find the actual text of the decision, so all I have to go on is Byellin’s summary. Given that disclaimer, this seems like a questionable thing to put into a ruling. To be clear, the defendant in this case was not held liable. The court appears to be saying “but if you know someone is driving and will immediately look at your text, you may be partially liable for any damages they cause.”

From a theoretical perspective, it makes sense. If you know you’ll be distracting someone operating a four-wheeled killing machine, there’s a compelling interest to disincentivize such behavior. In the real world, this is tough to prove. The easiest defense is ignorance, since the court required active knowledge to hold a person liable. Unless the driver explicitly said “I’m driving and immediately viewing all messages I receive,” there’s little to prove that the sender had sufficient knowledge to be liable.

Even if the driver did send such a message, it might never see a court room. Because the parties to the conversation would likely delete incriminating messages and most carriers limit the amount of time they store messages, Byellin says “only a very narrow percentage of cases will the content actually be discoverable.”

TWiL panelist Gordon Firemark brought up an interesting point as well. Is the government responsible for distracting drivers with Wireless Emergency Alert (WEA) messages? From the New Jersey ruling, the government would not be liable because it could not know if a particular recipient is driving. Still, it’s easy to see how this opens the door for additional litigation. Even if every defendant wins, there’s a real cost to having to defend against a suit.

The slippery slope that I find particularly interesting is the non-SMS case. Indiana’s texting-and-driving law was wisely written to cover more than just SMS messages. However, a pedantic reading could apply it to any method of data transfer. GPS-enabled applications, such as Google Maps or Waze, can reasonably determine if a phone is mobile or not. By design, they distract drivers from the road. Could Google be sued for not disabling Maps while the car is in motion?

Probably not. Really, this is all just an academic exercise. To my knowledge, no one has ever been held liable for texting a driver, in part because it’s so monumentally difficult to prove the plaintiff’s case. But the fact that a court would basically invite unwinnable suits strikes me as little more than a stimulus program for the Bar Association.

Student speech rights

To continue the legal theme from a few days ago (with the addition of some “old news is so exciting!”), a high school in Kansas suspended the senior class president for comments he made on Twitter. What did he say? “‘Heights U’ is equivalent to WSU’s football team”. WSU’s football team doesn’t exist. That’s it. For that, the school deemed his initial tweet and responses were disruptive to the school.

It’s not clear to me if the Heights High School is acting in accordance with legal precedent (their decision is certainly unjust, but that’s another matter). The Supreme Court has affirmed and re-affirmed restrictions on the free speech rights of students. Bethel School District v. Fraser, Hazelwood v. Kuhlmeier, and Morse v. Frederick have all served to limit what students can say.

In Tinker v. Des Moines, the Court protected non-disruptive political speech, with the disruption being the critical factor. In Bethel, Hazelwood, and Morse the speech in question was part of a school-sanctioned activity even if the activity was not on school grounds (as in Morse). It would be a great stretch to consider Mr. Teague’s Twitter account to be a school-sanctioned activity, as it appears to be his personal account. To my knowledge, no Supreme Court ruling has ever addressed a school’s ability to restrict speech that occurs outside of school events.

Arguably, the concept of in loco parentis could be used to support the ability of schools to respond to behavior that happens outside the school. I don’t agree with this, but it would be interesting to see how this argument played out in the courts. In the meantime, I expect that this may end up being discussed in court rooms for years to come. If no suit is filed, it should at least be used as an exercise in high school government classes across the country.

Facebook’s post policing

Casey Johnston had an article on Ars Technica today about Facebook’s announcement that they would step up monitoring and removal of what they deem to be hate speech. Because this appears to be driven by complaints from women’s advocacy groups, the commentary has been largely political. I’d like to set aside the specifics of this and focus on the general case. It’s an interesting move on Facebook’s part because it sets a precedent.

Long, long ago, when telephones were still a thing, there was a legal idea of a “common carrier” (it still exists, of course, I’m just employing some blogtistic license). Common carriers offered services to the general public and were generally prohibited from doing anything about the content. For example, AT&T could not cut off your phone service if you did nothing but swear and say profane things when you were on the phone.

Although phone providers are still considered common carriers, internet service providers (ISPs) generally are not. ISPs, while protected from liability under various laws (e.g. Comcast can’t be shut down because a customer used a Comcast connection to transmit child pornography), can [in my understanding] theoretically terminate service if they don’t like what you’re “saying” on your connection.

Moving up the stack, websites such as Facebook or Funnel Fiasco are neither ISPs nor are they telecommunications common carriers. The general consensus, though untested in court as far as I know, is that sites are privately owned and can allow or disallow whatever content they like. This seems to be a pretty reasonable position, but there’s a difference between Facebook and Funnel Fiasco.

Apart from having a smarter and better-looking founder, Funnel Fiasco doesn’t allow just anyone to have a presence on the site. Facebook, especially for businesses/organizations, is more than just a blog or a message board, it’s a key part of digital presence. While that doesn’t make it an ISP, it does move it away from being just a website. Perhaps some additional category (e.g. “hosting provider”) needs to enter the understanding in this context.

What makes Facebook’s policy interesting to me from my perch as an armchair lawyer is the selective enforcement. While they are well within their legal rights, does it set a dangerous precedent for them? By choosing to police some content, are they liable (legally or otherwise) for not policing other content? Can they be held liable for policing content when other substantially similar content was not policed? Can the publicness of Facebook make it a common carrier?

Eventually this will become better defined, whether it be by legislation, regulation, or litigation.