Advocacy Prompts Reconsideration of Anti-GPL Letter

Many people have noted that there has been a reaction (see also this AP story) to the story posted a few days ago about the GPL in government. (More links: Wired, Newsforge.) This is good, I guess: Congress should consider carefully how the government licenses the code it funds, because it's an important public policy question: it shouldn't be decided by a backroom push from business lobbyists (the lead Representative listed, Adam Smith, represents a district fairly close to but not including Microsoft headquarters). There are certain things that bother me about this whole story though, and I'm going to try to trace the trajectory of it below.

As far as I can tell, it started with this Newsforge story (Newsforge is also part of OSDN, Slashdot's corporate parent). The Newsforge story was excerpted and copied by an Australian newspaper, and from there, it was off and spreading. The headline chosen, "Washington State Congressman attempts to outlaw GPL", is not particularly accurate, but it did a great job at stirring up outrage. Outlaw the GPL! Over my dead keyboard!

From there it really started making the rounds. It was repeatedly submitted to Slashdot with all sorts of flaming, incorrect commentary - in fact, after reading a dozen different submissions, I didn't think any of them were even close to accurate. I picked one and posted it, trying to do my best to a) provide an accurate headline and b) provide an accurate summary of the issue at stake in a few sentences. To recap again: when the Federal government creates computer code (or any copyrightable work) directly, it gets no copyright whatsoever and the work is true public domain (quirk of the U.S. copyright laws - the 50 states, corporations, individuals, and other legal entities all get copyrights automatically, but the Federal government does not). If you want to copy, reproduce, or sell an .mp3 of the U.S. Congress singing "God Bless America" after September 11, go right ahead: there is no copyright on it whatsoever. (Actually, the song itself is still under copyright, but Congress' performance of it wouldn't be...)

However, when the Federal government hires a non-employee to create code or copyrighted works, there is no clear rule regarding the copyright status of the work. Sometimes the contract calls for rights to the work to be assigned to the Federal government (the Feds don't get original copyrights, but if someone else gets an original copyright, the Feds can acquire it). Sometimes the contractor keeps the copyright and gets to do whatever they want with it. Sometimes the contract doesn't specify. Note that this is NOT a BSD-vs.-GPL dispute, not by a long shot. Very little code financed by the Federal government is ever licensed under either of these two licenses - the choice is basically agency-proprietary (the Federal agency asked for the rights in the contract, and kept them) or company-proprietary (the agency didn't ask for the rights, and the contractor kept them).

And most of the time it doesn't matter. I've written code for the Federal government as both a contractor and an employee, and 99% of it was so specific and customized that it would be of use to no one else, regardless of its licensing or copyright status. Probably the majority of code written for the Federal government falls into that category - internal use software for very specific needs.

But some of it is undoubtedly useful. Some major projects funded by the government in conjunction with academia have escaped from licensing purgatory, typically through the efforts of the researchers working on them who approach the issue from an academic freedom viewpoint and want to see their work widely adopted. GRASS is one major one that I know of. A commenter pointed out ADA as an example. For code which is useful to others, either a BSD-like or GPL-like license would be truly beneficial and easily defensible as a public policy choice. In the non-code world, the government makes choices like that all the time - it might choose to purchase a particular piece of land and commit to making it available to everyone forever by declaring it a National Park and committing to maintain it, a GPL-like philosophy; alternately, it might choose to just dump a particular piece of property on the market, putting it up for auction and letting the purchaser do what he wills with it, a BSD-like philosophy.[1] Either of these two options might be optimal; but paying for code which ends up remaining proprietary is like buying a new stadium to benefit a very specific corporation which owns a very specific sports team: the type of use of public funds which is generally seen as sleazy and the opposite of good governance.

Either of the first two choices can be appropriate in certain situations. What does not seem appropriate is paying for proprietary code, although this is generally what happens when the government contracts for code. Since the government has the ability to provide a benefit to the public (open code) at essentially zero cost, it should do so. An example which has struck me several times over the past few years: every airport in the world has the same problem, coordinating planes taking off and landing and keeping them from running into each other. Yet each nation (and often each airport) solves the problem over and over, paying heavily for custom-designed, one-shot software development. Imagine if the world's airports could simply install GNU-AirTrafficControl 2.7, and have a complete, working, bug-free and cost-free air traffic control system. It would cost every nation less to do it this way, but it would also make a lot less money for the consultants retained to develop these systems.

But leave off the advocacy for moment - I was following the story itself. As noted above, the outcry has prompted many of the other Representatives who originally signed the letter to reconsider. The AP story even suggests that some of the signatories were actively misled - that the letter they thought they were signing didn't mention the GPL at all. However it actually played out, some good has been done.

That's good. What's not so good is that much of the outcry was probably generated by stories titled "Washington State Congressman attempts to outlaw GPL". The right outcome occurred, but for the wrong reasons and in the wrong manner. I am left wondering whether the community would have made the same sort of response on this issue if every story that had been posted about it was 100% accurate and non-inflammatory.

[1] If you're not familiar with the BSD-like and GPL-like classes of software licenses, this won't make a lot of sense to you, so please read up if necessary.

BSD Should Be Used

[BurritoWarrior]

...because the BSD license is essentially no license at all. So, when the government releases the SuperFoomatic 1.0, anyone can do with it as they please.

If we want a GPL'ed SuperFoomatic, we just take that code and release it under the GPL license. No point in having it release originally under the GPL as the released code can be GPL'ed "retroactively".

The only addiition I can think of is that perhaps it should be dual licensed, so that corporations have to pay for its use, with those monies paying for additional governmental software research.

Re:hmmm

[ryepup]

If the code is good, it doesn't matter whose hands it falls into. Odds are that if it falls into bad hands that find an exploit, it will also fall into good hands that find that same exploit, and alert the developers.

GPL is anticompetitive in this case

[mesocyclone]

Forcing the government to release code under GPL is *removing* competition from the market. Public domain is much better. The code can be taken up by private companies and they can improve and sell it. And nothing I am aware of keeps that same code for forming the basis of a GPL and/or BSD project.

So turn the code loose with no strings at all, and let the best licensing system win!

Re:GPL is anticompetitive in this case

[bwt]

Forcing the government to release code under GPL is *removing* competition from the market. Public domain is much better.

Perhaps it does stifle some competition, but only competition that may be destructive to the purposes the government created the software in the first place. The big functional difference between the GPL and BSD or public domain is that the GPL is robust to "embrace, extend, and extinguish".

If the public finances the creation of software, it seems grossly unfair to allow proprietary extensions to that software that break compatibility. The GPL offers a quid-pro-quo that seems clearly in the public interest. It says: we the people created this IP -- you can use it, modify it, distribute it, etc... but any IP that you create that piggy-backs off of this work must be accessable by the public. The payment for using the GPL code is not monetary, it is IP. This way, the public gets not just the IP they funded, but a continuing return on their investment in the form of IP extensions to the original code.

Contrast this with the BSD or public domain licences. Let's say the public creates an email app by hiring a contractor. That app has a nice open mailbox format. A private entity could take the app, convert the mailbox format to a proprietary format and actually compete against the original app by leveraging the things it does well. That is wrong. Yet it is exactly the model that pervades many software companies.

Re:GPL is anticompetitive in this case

[abe+ferlman]

You are wrong. The GPL ensures that everyone competes fairly by removing the ability of actors in the marketplace from gaining monopolies on proprietary extensions to the software.

The GPL does nothing but prevent vendor lockin. It removes bad (read: abusing the idea ownership system) competition and allows good (service, support, distribution, update speed) competition among vendors, as evidenced by the strong competition evident among linux companies today.

Far from removing competition, the GPL removes lockin barriers that prevent entrance in to the market in the firstplace.

Or have you forgotten that "intellectual property" is a government-granted monopoly, which is the diametrical opposite of competition?

Interesting notes

[dh003i]

Here's some interesting things I noted:

Microsoft, whose Windows operating system competes with Linux, says open-source hurts a company's right to protect its intellectual property.

What hogwash. News sites shouldn't even post such outright lies. Whether or not I GPL a program I write, MS still has the same "rights" t o their proprietary software as they did before. My GPLing a program has absolutely no effect on MS or any other company "protecting their intellectual property". If you write something on top of (addition/modification of) GPL'ed source, then you have to license it under the GPL. This is fair play; communities have rules, even free communities (having some restrictions does not necessarily mean that something isn't free; indeed, we need restrictions to protect freedom, as there is no freedom in an anarchy). The basic rule of the FS community is that if you modify GPL'ed code or add onto GPL'ed code, then you have to give back to the community by licensing that modification under the GPL. Quid-pro-quo, and perfectly fair. It's like saying "I'll help you if you help me". Every business that modifies/adds-to GPL'ed code knows damn well that it's GPL'ed, and what the consequences of that are. They can stop their pathetic whining. If you don't want to license your software under the GPL, don't base it around GPL'ed code; if its only "one line" of GPL'ed code in your program, then it shouldn't be that hard to replace it.

Microsoft is Smith's top source of donations. According to the Center for Responsive Politics, Microsoft employees and its political action committee have given $22,900 to Smith's re-election campaign.

In other words, as we all know, Smith is bought and paid for and owned by MS, as are most politicians owned by big intellectual property interests (i.e., the RIAA, MPAA, BSA, and pharmaceuticals).

D-Texas

What, a democrat in Texas? I thought that was an extinct species.

gpl like encryption

[dollargonzo]

see, the gpl license is very much like modern encryption alogrithms. prior to the days of RSA, ala world wars, encryption and security was based around the fact that people can hide secure algorithms well enough to keep things secret. in other words, if anyone found out the algorithm, the encryption scheme became utterly pointless.

relatively recently, encryption has undergone a complete turn-around in ideology. now, most every cryptologist believes that the algorithm should not only be simple but also VERY OPEN. the more eyes that look at it, the more errors can be spotted, and as time has told, today's crypto systems, for example RSA, are much more secure than the enigma. everyone and their dog knows how it works, and still no one can break it.

the same thing goes for software. the whole "falls into the wrong hands" argument works exactly the same as crypto-systems. if a crypto-system falls into the wrong hands (as someone else noted), it will also fall into the right hands, and errors will be fixed.

licensing government software under the gpl opens it up, and in the long run reduces the error rate and effectively, it's security, etc. people still think that if they hide the source to the software, it will be more secure. PLEASE look at what happened to cryptology in recent times and act accordingly.

Re:gpl like encryption

[drinkypoo]

Well yes, a cryptosystem being open or closed does not change how well it functions. You can know everything about how a one time pad functions, for example, and as long as there is sufficient randomness in the key generation knowing it all won't help you. If you know how the key is generated, and it's not random enough, then THAT can be a weakness. But you cannot assume that someone may not learn what you're up to, so the weakness isn't having the process be open, it's the process.

Having a cryptosystem which depends on obscurity is nothing more than a fancy puzzle box. Enough monkeying around by someone who knows what to look for will open the box, because various operations always leave telltale signs, and there happens to be a vast number of shortcuts out there which is why repeatedly encrypting something with the same cryptosystem, even using different keys, can result in no more security than a single pass.

On the other hand, hiding the source to the software DOES make it more secure. It does not make it secure but it does make it more secure. Consider the case of someone wanting to reprogram a missile, something I know dick about but about which I can craft a fairly plausible scenario due to what (little) I know about programming. Let's say the basic control software is running on a hardened 80186 CPU. You would like to replace this software with your own ingredients and send the missile to a different target.

Now, you can either download and disassemble the software when you get there and muck around in x86 assembler trying to figure out what they're doing, and why, and how to make it do what you want, or you can have the source ahead of time and have the code ready to install when you get there.

Not to mention the fucking comments. Have you ever disassembled some software and taken a look at it? Figuring out what it does can be as confusing as being a snake in a hose factory. You might have just a hundred lines of code with no calls and still spend hours trying to decide what it's really accomplishing, especially if the programmer is clued. With decent comments, you'll be able to tell at a glance.

This comment should not be taken as indicating that security through obscurity is effective, only that it is more effective than no security. Hence, saying that obscurity doesn't help is incorrect.

Re:hmmm

[Emmettfish]

This is a weird subject, really. GPL is good, but when you really think about it, source code for government software isn't really something that should fall into the wrong hands...

Software doesn't kill people, people kill people.

Okay, maybe that's too glib, but the song remains the same. Anything that would be considered a serious security threat would be classified as such; The mechanisms to do this with governmental data already exist.

I would hate for something as artistic as software to fall into an anti-terrorist mantra, because there's a forest-for-the-trees problem. Sometimes a cigar is just a cigar, and sometimes an MTA application is just an MTA application, even though it could be used to deliver mail with contents that aren't in the best interests of the commonwealth.

The problem with the 'wrong hands' argument is that we need to trust whomever is entrusted with the definition of 'wrong hands.' If that is a large, bureaucratic judicial system, it's probably inefficient, if it's an efficient corporation, the chances of ever seeing the code is nearly non-existent. :)

Emmett Plant
CEO, Xiph.org Foundation

BSD vs. GPL vs. Public Domain

[Mahrin+Skel]

For this purpose, there is a significant difference between the BSD and GPL, but not much of one between BSD and Public Domain.

If you release it under the GPL, all derived code must itself be released under the GPL. Like it or not, this *does* interfere with commercialization of the software, nobody is going to spend millions of dollars writing code they'll have to give away, under most circumstances.

On the other hand, BSD or Public domain carries no such strings. Someone can pick up the BSD or PD code, alter and adapt it, and make the result proprietary, *and* someone else can take the same original PD/BSD code, alter and adapt it, and release it under the GPL or a similar required open-source liscense. The best of all possible worlds, if making something government-generated generally useful requires a lot of up-front investment, in ways that don't appeal to OSS communities, someone can take that opportunity and make an investment with reasonable hope of return. And if something of benefit can be derived in ways that "scratch an itch", the result can be released or recreated under the GPL and kept available.

The problem is that some systems should never be made public. I don't want the command computer source code for the ICBM system running around loose, "many eyes" security methods are a bad thing when intrusion impacts are measured in megatons. So, like it or not, some code will have to remain forever closed.

--Dave

Re:BSD vs. GPL vs. Public Domain

[abe+ferlman]

If you release it under the GPL, all derived code must itself be released under the GPL. Like it or not, this *does* interfere with commercialization of the software, nobody is going to spend millions of dollars writing code they'll have to give away, under most circumstances.

You are performing one of the great fallacies of free software discussions, and these issues are subtle so I can see how you'd confuse the following:

this *does* interfere with commercialization of the software

this *does* interfere with making the software proprietary

The distinction is very important. You can commercialize GPL'd software, it's right there in the license. You can not make proprietary extensions to that software.

It's like bottled water. You can get water for free from public drinking fountains everywhere, the chemical code for it is known by elementary school children, but people still buy the stuff in very profitable bottles. I think there are two lessons here:

1. never underestimate the power of marketing, even (especially?) in absurdly commodified markets
2. the public availability does not make something commercially unfriendly, it just changes the terms under which vendors must operate to be more consumer-friendly.

Vendor lockin is very, very bad for business. Many projects have been killed or not started out of the fear that Microsoft will include similar functionality in a later release of their operating system that replaces or possibly outright breaks their implementation. In a level playing field (a gpl-frienly environment) Microsoft would be foolish to extinguish rather than interoperate with other vendors. Bottom line: GPL allows non-lockin commercialization, true capitalist-style competition instead of government-sponsored monopolies.

Wow, a good /. editor

[loosifer]

Someone who actually understands the issue at hand, in context, even, and is able to give a relatively straightforward and largely unbiased review of what has occurred and why you should care. Crazy!

And for the record, if there were a GNU-AirTraffic piece of software, it would take about 10 years to get to anything resembling 2.7; it would probably spend most of that ten years at version 0.9.x or whatever. What is up with OS projects being totally unwilling to actually go up in versions? Sheesh.

GPLed Software that already exists

[dachshund]

The case that nobody's mentioning is a situation where the software already exists and is licensed under the GPL.

I don't feel that the government should GPL all its code on principle. But should the government be forbidden to make modifications to a mature GPL software project if that software fills the requirements of some particular project? Imagine that the government wants to use Linux for a particular application, because they feel it's the best tool for the job-- should they be forbidden from adapting it to suit their particular needs (as companies like Tivo have), or even releasing bug-fixes?

It strikes me that in many cases the public and the government can both benefit from this sort of transaction. It's certainly far more efficient than the typical "pay a contractor to develop something and then let them retain the copyright" scenario.