Slashdot Mirror


Advocacy Prompts Reconsideration of Anti-GPL Letter

Many people have noted that there has been a reaction (see also this AP story) to the story posted a few days ago about the GPL in government. (More links: Wired, Newsforge.) This is good, I guess: Congress should consider carefully how the government licenses the code it funds, because it's an important public policy question: it shouldn't be decided by a backroom push from business lobbyists (the lead Representative listed, Adam Smith, represents a district fairly close to but not including Microsoft headquarters). There are certain things that bother me about this whole story though, and I'm going to try to trace the trajectory of it below.

As far as I can tell, it started with this Newsforge story (Newsforge is also part of OSDN, Slashdot's corporate parent). The Newsforge story was excerpted and copied by an Australian newspaper, and from there, it was off and spreading. The headline chosen, "Washington State Congressman attempts to outlaw GPL", is not particularly accurate, but it did a great job at stirring up outrage. Outlaw the GPL! Over my dead keyboard!

From there it really started making the rounds. It was repeatedly submitted to Slashdot with all sorts of flaming, incorrect commentary - in fact, after reading a dozen different submissions, I didn't think any of them were even close to accurate. I picked one and posted it, trying to do my best to a) provide an accurate headline and b) provide an accurate summary of the issue at stake in a few sentences. To recap again: when the Federal government creates computer code (or any copyrightable work) directly, it gets no copyright whatsoever and the work is true public domain (quirk of the U.S. copyright laws - the 50 states, corporations, individuals, and other legal entities all get copyrights automatically, but the Federal government does not). If you want to copy, reproduce, or sell an .mp3 of the U.S. Congress singing "God Bless America" after September 11, go right ahead: there is no copyright on it whatsoever. (Actually, the song itself is still under copyright, but Congress' performance of it wouldn't be...)

However, when the Federal government hires a non-employee to create code or copyrighted works, there is no clear rule regarding the copyright status of the work. Sometimes the contract calls for rights to the work to be assigned to the Federal government (the Feds don't get original copyrights, but if someone else gets an original copyright, the Feds can acquire it). Sometimes the contractor keeps the copyright and gets to do whatever they want with it. Sometimes the contract doesn't specify. Note that this is NOT a BSD-vs.-GPL dispute, not by a long shot. Very little code financed by the Federal government is ever licensed under either of these two licenses - the choice is basically agency-proprietary (the Federal agency asked for the rights in the contract, and kept them) or company-proprietary (the agency didn't ask for the rights, and the contractor kept them).

And most of the time it doesn't matter. I've written code for the Federal government as both a contractor and an employee, and 99% of it was so specific and customized that it would be of use to no one else, regardless of its licensing or copyright status. Probably the majority of code written for the Federal government falls into that category - internal use software for very specific needs.

But some of it is undoubtedly useful. Some major projects funded by the government in conjunction with academia have escaped from licensing purgatory, typically through the efforts of the researchers working on them who approach the issue from an academic freedom viewpoint and want to see their work widely adopted. GRASS is one major one that I know of. A commenter pointed out ADA as an example. For code which is useful to others, either a BSD-like or GPL-like license would be truly beneficial and easily defensible as a public policy choice. In the non-code world, the government makes choices like that all the time - it might choose to purchase a particular piece of land and commit to making it available to everyone forever by declaring it a National Park and committing to maintain it, a GPL-like philosophy; alternately, it might choose to just dump a particular piece of property on the market, putting it up for auction and letting the purchaser do what he wills with it, a BSD-like philosophy.[1] Either of these two options might be optimal; but paying for code which ends up remaining proprietary is like buying a new stadium to benefit a very specific corporation which owns a very specific sports team: the type of use of public funds which is generally seen as sleazy and the opposite of good governance.

Either of the first two choices can be appropriate in certain situations. What does not seem appropriate is paying for proprietary code, although this is generally what happens when the government contracts for code. Since the government has the ability to provide a benefit to the public (open code) at essentially zero cost, it should do so. An example which has struck me several times over the past few years: every airport in the world has the same problem, coordinating planes taking off and landing and keeping them from running into each other. Yet each nation (and often each airport) solves the problem over and over, paying heavily for custom-designed, one-shot software development. Imagine if the world's airports could simply install GNU-AirTrafficControl 2.7, and have a complete, working, bug-free and cost-free air traffic control system. It would cost every nation less to do it this way, but it would also make a lot less money for the consultants retained to develop these systems.

But leave off the advocacy for a moment - I was following the story itself. As noted above, the outcry has prompted many of the other Representatives who originally signed the letter to reconsider. The AP story even suggests that some of the signatories were actively misled - that the letter they thought they were signing didn't mention the GPL at all. However it actually played out, some good has been done.

That's good. What's not so good is that much of the outcry was probably generated by stories titled "Washington State Congressman attempts to outlaw GPL". The right outcome occurred, but for the wrong reasons and in the wrong manner. I am left wondering whether the community would have made the same sort of response on this issue if every story that had been posted about it was 100% accurate and non-inflammatory.

[1] If you're not familiar with the BSD-like and GPL-like classes of software licenses, this won't make a lot of sense to you, so please read up if necessary.

22 of 263 comments

  1. BSD Should Be Used by BurritoWarrior · · Score: 5, Insightful

    ...because the BSD license is essentially no license at all. So, when the government releases the SuperFoomatic 1.0, anyone can do with it as they please.

    If we want a GPL'ed SuperFoomatic, we just take that code and release it under the GPL license. No point in having it release originally under the GPL as the released code can be GPL'ed "retroactively".

    The only addition I can think of is that perhaps it should be dual licensed, so that corporations have to pay for its use, with those monies paying for additional governmental software research.

    1. Re:BSD Should Be Used by Anonymous Coward · · Score: 5, Interesting

      Let's look at two cases:

      1) A company invests a lot of research and spends 3 years writing supersoftware X, and sells it under a proprietary license.

      2) A company finds an agency that needs supersoftware X, spends 3 years writing it on contract, and then sells it under a proprietary license.

      Case 1 is the typical copyrighted software situation; collectively we gave up the rights to make copies of that code, so that the company would have the incentive to write it in the first place. Then we pay. We pay 2 times: once with our right to copy it, whether we use it or not, and once with our money, if we actually use it.

      Case 2 is also unfortunately typical. In this case we pay for our software 3 times: once when we paid to have it written, once when we gave up our rights to copy it, and once when we bought it.

      How many times do I have to pay for what is essentially MY SOFTWARE since MY MONEY paid to create it ?

      I want tax-funded software under the GPL, so that I will never face a copy of MY OWN CODE wrapped up in a new interface being sold to me for $500 under an oppressive EULA.

      There is another issue in this:

      Copyright is only constitutional in the US as long as it creates an incentive to create more works. Since software written for a government contract is going to be written whether there is copyright or not, there is no new incentive created. Therefore, prosecuting someone for copying and selling software written under government contract is unconstitutional.

      Now, since as a society we seem to have collectively decided to ignore that document, maybe constitutionality has no bearing. But if you buy into that constitution stuff, the government can't release it under the GPL because that's a copyrighted license; they can only simply release it. However, including any part of it into a proprietary work, or making a derived work from it, may also place that work outside the scope of copyrightable material.

    2. Re:BSD Should Be Used by eXtro · · Score: 4, Informative

      It's not just your own code, corporations pay a lot of taxes as well. BSD is probably the more appropriate Open Source license under these circumstances. You, as a tax payer, are entitled to the code which was produced using your taxes. You can then modify it and hoard it or set up a server and share it or charge for your improvements. Corporations, as tax payers, can also take this code, modify it and hoard it, or set up a server and share it or charge for its improvements. At no point does the original work paid for become encumbered, but derivative works might become encumbered.

    3. Re:BSD Should Be Used by Stonehand · · Score: 5, Informative

      Yes, you're missing the boat -- or perhaps being deliberately obtuse.

      If it's BSD licensed, not only can a company get the code but YOU can get the code with all the rights the company had. Ergo, the company has NOT taken the code away or restricted your rights to the code "you" (more likely, people wealthier than you, paying a larger percentage) paid for. What you AREN'T necessarily getting is exactly what you DID NOT pay for (even if you're in the highest tax bracket...) -- the additional work done by the company.

      Now, considering that this incredibly obvious and correct point has been made before, you're either deliberately trolling or not reading any responses in order to maintain your pro-GPL ignorance.

      --
      Only the dead have seen the end of war.

  2. Re:hmmm by ryepup · · Score: 5, Insightful

    If the code is good, it doesn't matter whose hands it falls into. Odds are that if it falls into bad hands that find an exploit, it will also fall into good hands that find that same exploit, and alert the developers.

  3. GPL is anticompetitive in this case by mesocyclone · · Score: 4, Insightful

    Forcing the government to release code under GPL is *removing* competition from the market. Public domain is much better. The code can be taken up by private companies and they can improve and sell it. And nothing I am aware of keeps that same code for forming the basis of a GPL and/or BSD project.

    So turn the code loose with no strings at all, and let the best licensing system win!

    --
    The only good weather is bad weather.

    1. Re:GPL is anticompetitive in this case by bwt · · Score: 5, Insightful

      Forcing the government to release code under GPL is *removing* competition from the market. Public domain is much better.

      Perhaps it does stifle some competition, but only competition that may be destructive to the purposes the government created the software in the first place. The big functional difference between the GPL and BSD or public domain is that the GPL is robust to "embrace, extend, and extinguish".

      If the public finances the creation of software, it seems grossly unfair to allow proprietary extensions to that software that break compatibility. The GPL offers a quid-pro-quo that seems clearly in the public interest. It says: we the people created this IP -- you can use it, modify it, distribute it, etc... but any IP that you create that piggy-backs off of this work must be accessible by the public. The payment for using the GPL code is not monetary, it is IP. This way, the public gets not just the IP they funded, but a continuing return on their investment in the form of IP extensions to the original code.

      Contrast this with the BSD or public domain licences. Let's say the public creates an email app by hiring a contractor. That app has a nice open mailbox format. A private entity could take the app, convert the mailbox format to a proprietary format and actually compete against the original app by leveraging the things it does well. That is wrong. Yet it is exactly the model that pervades many software companies.

    2. Re:GPL is anticompetitive in this case by abe+ferlman · · Score: 4, Insightful

      You are wrong. The GPL ensures that everyone competes fairly by removing the ability of actors in the marketplace from gaining monopolies on proprietary extensions to the software.

      The GPL does nothing but prevent vendor lockin. It removes bad (read: abusing the idea ownership system) competition and allows good (service, support, distribution, update speed) competition among vendors, as evidenced by the strong competition evident among linux companies today.

      Far from removing competition, the GPL removes lockin barriers that prevent entrance in to the market in the first place.

      Or have you forgotten that "intellectual property" is a government-granted monopoly, which is the diametrical opposite of competition?

      --
      microsoftword.mp3 - it doesn't care that they're not words...

  4. Flawed analogy by lpontiac · · Score: 5, Informative

    In the non-code world, the government makes choices like that all the time - it might choose to purchase a particular piece of land and commit to making it available to everyone forever by declaring it a National Park and committing to maintain it, a GPL-like philosophy; alternately, it might choose to just dump a particular piece of property on the market, putting it up for auction and letting the purchaser do what he wills with it, a BSD-like philosophy.

    I think this analogy is completely flawed. Under the BSD license, the original piece of code will always remain free for everyone to use. When the government sells a piece of property, it's no longer available to the public. FreeBSD didn't go away when Apple incorporated pieces of the code into OS X.

    Both the BSDL and GPL keep the original code free for all, the difference is in the derived works - the GPL stipulates that they, too, must remain free, whereas the BSDL doesn't. I think a more appropriate analogy would be: the BSD license would allow a photographer to take a picture of the sunset in a national park, and retain all rights to it. Under the GPL, the photographer could still make and sell the photograph, but he couldn't stop people who bought the photograph from making copies and giving them away, or selling them.

  5. Interesting notes by dh003i · · Score: 5, Insightful

    Here's some interesting things I noted:

    Microsoft, whose Windows operating system competes with Linux, says open-source hurts a company's right to protect its intellectual property.

    What hogwash. News sites shouldn't even post such outright lies. Whether or not I GPL a program I write, MS still has the same "rights" to their proprietary software as they did before. My GPLing a program has absolutely no effect on MS or any other company "protecting their intellectual property". If you write something on top of (addition/modification of) GPL'ed source, then you have to license it under the GPL. This is fair play; communities have rules, even free communities (having some restrictions does not necessarily mean that something isn't free; indeed, we need restrictions to protect freedom, as there is no freedom in an anarchy). The basic rule of the FS community is that if you modify GPL'ed code or add onto GPL'ed code, then you have to give back to the community by licensing that modification under the GPL. Quid-pro-quo, and perfectly fair. It's like saying "I'll help you if you help me". Every business that modifies/adds-to GPL'ed code knows damn well that it's GPL'ed, and what the consequences of that are. They can stop their pathetic whining. If you don't want to license your software under the GPL, don't base it around GPL'ed code; if it's only "one line" of GPL'ed code in your program, then it shouldn't be that hard to replace it.

    Microsoft is Smith's top source of donations. According to the Center for Responsive Politics, Microsoft employees and its political action committee have given $22,900 to Smith's re-election campaign.

    In other words, as we all know, Smith is bought and paid for and owned by MS, as are most politicians owned by big intellectual property interests (i.e., the RIAA, MPAA, BSA, and pharmaceuticals).

    D-Texas

    What, a democrat in Texas? I thought that was an extinct species.

  6. Irony by Boglin · · Score: 4, Funny

    Adam Smith supports legislation that increases barriers to entry? My Econ teacher is probably having convulsions right now.

  7. Re:hmmm by FyRE666 · · Score: 5, Funny

    This is a weird subject, really. GPL is good, but when you really think about it, source code for government software isn't really something that should fall into the wrong hands...

    Security through obscurity doesn't work. Ask Microsoft.

  8. gpl like encryption by dollargonzo · · Score: 4, Insightful

    see, the gpl license is very much like modern encryption algorithms. prior to the days of RSA, ala world wars, encryption and security was based around the fact that people can hide secure algorithms well enough to keep things secret. in other words, if anyone found out the algorithm, the encryption scheme became utterly pointless.

    relatively recently, encryption has undergone a complete turn-around in ideology. now, most every cryptologist believes that the algorithm should not only be simple but also VERY OPEN. the more eyes that look at it, the more errors can be spotted, and as time has told, today's crypto systems, for example RSA, are much more secure than the enigma. everyone and their dog knows how it works, and still no one can break it.

    the same thing goes for software. the whole "falls into the wrong hands" argument works exactly the same as crypto-systems. if a crypto-system falls into the wrong hands (as someone else noted), it will also fall into the right hands, and errors will be fixed.

    licensing government software under the gpl opens it up, and in the long run reduces the error rate and effectively, its security, etc. people still think that if they hide the source to the software, it will be more secure. PLEASE look at what happened to cryptology in recent times and act accordingly.

    --
    BSD is for people who love UNIX. Linux is for those who hate Microsoft.

    1. Re:gpl like encryption by drinkypoo · · Score: 4, Insightful

      Well yes, a cryptosystem being open or closed does not change how well it functions. You can know everything about how a one time pad functions, for example, and as long as there is sufficient randomness in the key generation knowing it all won't help you. If you know how the key is generated, and it's not random enough, then THAT can be a weakness. But you cannot assume that someone may not learn what you're up to, so the weakness isn't having the process be open, it's the process.

      Having a cryptosystem which depends on obscurity is nothing more than a fancy puzzle box. Enough monkeying around by someone who knows what to look for will open the box, because various operations always leave telltale signs, and there happens to be a vast number of shortcuts out there which is why repeatedly encrypting something with the same cryptosystem, even using different keys, can result in no more security than a single pass.

      On the other hand, hiding the source to the software DOES make it more secure. It does not make it secure but it does make it more secure. Consider the case of someone wanting to reprogram a missile, something I know dick about but about which I can craft a fairly plausible scenario due to what (little) I know about programming. Let's say the basic control software is running on a hardened 80186 CPU. You would like to replace this software with your own ingredients and send the missile to a different target.

      Now, you can either download and disassemble the software when you get there and muck around in x86 assembler trying to figure out what they're doing, and why, and how to make it do what you want, or you can have the source ahead of time and have the code ready to install when you get there.

      Not to mention the fucking comments. Have you ever disassembled some software and taken a look at it? Figuring out what it does can be as confusing as being a snake in a hose factory. You might have just a hundred lines of code with no calls and still spend hours trying to decide what it's really accomplishing, especially if the programmer is clued. With decent comments, you'll be able to tell at a glance.

      This comment should not be taken as indicating that security through obscurity is effective, only that it is more effective than no security. Hence, saying that obscurity doesn't help is incorrect.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
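The one-time-pad point in the reply above (the algorithm can be fully public; what matters is the randomness of the key) can be made concrete. The following is an added example, not code from the thread or from any project it mentions: a textbook XOR one-time pad, a properly random key drawn from `os.urandom`, and a deliberately weak, hypothetical key generator that seeds a PRNG with a single byte. Because the generator is assumed known (Kerckhoffs' principle), an 8-bit seed space can simply be enumerated, which is why the weak variant fails and the strong one does not. The message text and the `is_printable_ascii` plausibility test are constructed for the demonstration.

```python
import os
import random

# --- a one-time pad: XOR each plaintext byte with one key byte ---------------
def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR plaintext with key. The key must be at least as long as the message
    and must never be reused; encryption and decryption are the same operation."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))

otp_decrypt = otp_encrypt  # XOR is its own inverse

# --- two key generators: one sound, one hypothetical and deliberately weak ---
def strong_key(n: int) -> bytes:
    """Key bytes from the OS CSPRNG: the full 8*n bits of entropy the pad needs."""
    return os.urandom(n)

def weak_key(n: int, seed: int) -> bytes:
    """HYPOTHETICAL weak generator for the demonstration: a deterministic PRNG
    seeded with a single byte, so only 256 distinct keys of length n exist."""
    if not 0 <= seed < 256:
        raise ValueError("seed must fit in one byte")
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

# --- plausibility check used to recognise a correct decryption ---------------
def is_printable_ascii(data: bytes) -> bool:
    """True if every byte is a printable ASCII character (0x20..0x7e)."""
    return all(0x20 <= b <= 0x7E for b in data)

# --- what 'knowing the generator' buys against a weak key --------------------
def recover_with_known_generator(ciphertext: bytes, plausible=is_printable_ascii):
    """Enumerate every seed the weak generator could have used and return
    (seed, plaintext) for the first candidate that looks like text, or None.
    Against a key from strong_key() the same search finds nothing, because
    none of the 256 candidate keys is the real one."""
    for seed in range(256):
        candidate = otp_decrypt(ciphertext, weak_key(len(ciphertext), seed))
        if plausible(candidate):
            return seed, candidate
    return None

def demo(message: bytes = b"The quick brown fox jumps over the lazy dog 1234"):
    """Encrypt the same (constructed) message under both generators and report
    whether the seed-enumeration recovers it. Returns (weak_result, strong_result)."""
    weak_ct = otp_encrypt(message, weak_key(len(message), 42))   # seed 42, constructed
    strong_ct = otp_encrypt(message, strong_key(len(message)))
    return recover_with_known_generator(weak_ct), recover_with_known_generator(strong_ct)

if __name__ == "__main__":
    weak_result, strong_result = demo()
    print("weak generator  :", weak_result)    # (42, b'The quick brown fox ...')
    print("strong generator:", strong_result)  # None
```

The plausibility filter is deliberately simple; with a 48-byte message the chance that a wrong key produces all-printable output is negligible, so the first hit is the right seed. The lesson is the one the reply states: publishing `otp_encrypt` costs nothing, while the entire security of the scheme rests on `strong_key` versus `weak_key`.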

  9. Define "very little" by JordanH · · Score: 5, Informative

    • Very little code financed by the Federal government is ever licensed under either of these two licenses - the choice is basically agency-proprietary (the Federal agency asked for the rights in the contract, and kept them) or company-proprietary (the agency didn't ask for the rights, and the contractor kept them).

    NASA uses and produces software under the GPL license.

    Any number of projects funded by NSF, and other Governmental Agency, grants end up licensing software under the GPL.

    There is an aspect to this discussion that I don't think gets enough play. The GPL is a great boon to academics who don't have to purchase costly software, and risk throwing obstacles in the way of those who would reproduce their work, or reinvent wheels. This boon comes with the very small cost that the software so produced should be shared with others. I think that this is in harmony with the spirit of Scientific Research, the "standing on the shoulders of Giants" as Newton said.

  10. Re:hmmm by Emmettfish · · Score: 5, Insightful

    This is a weird subject, really. GPL is good, but when you really think about it, source code for government software isn't really something that should fall into the wrong hands...

    Software doesn't kill people, people kill people.

    Okay, maybe that's too glib, but the song remains the same. Anything that would be considered a serious security threat would be classified as such; The mechanisms to do this with governmental data already exist.

    I would hate for something as artistic as software to fall into an anti-terrorist mantra, because there's a forest-for-the-trees problem. Sometimes a cigar is just a cigar, and sometimes an MTA application is just an MTA application, even though it could be used to deliver mail with contents that aren't in the best interests of the commonwealth.

    The problem with the 'wrong hands' argument is that we need to trust whomever is entrusted with the definition of 'wrong hands.' If that is a large, bureaucratic judicial system, it's probably inefficient, if it's an efficient corporation, the chances of ever seeing the code is nearly non-existent. :)

    Emmett Plant
    CEO, Xiph.org Foundation

  11. BSD vs. GPL vs. Public Domain by Mahrin+Skel · · Score: 5, Insightful

    For this purpose, there is a significant difference between the BSD and GPL, but not much of one between BSD and Public Domain.

    If you release it under the GPL, all derived code must itself be released under the GPL. Like it or not, this *does* interfere with commercialization of the software, nobody is going to spend millions of dollars writing code they'll have to give away, under most circumstances.

    On the other hand, BSD or Public domain carries no such strings. Someone can pick up the BSD or PD code, alter and adapt it, and make the result proprietary, *and* someone else can take the same original PD/BSD code, alter and adapt it, and release it under the GPL or a similar required open-source license. The best of all possible worlds, if making something government-generated generally useful requires a lot of up-front investment, in ways that don't appeal to OSS communities, someone can take that opportunity and make an investment with reasonable hope of return. And if something of benefit can be derived in ways that "scratch an itch", the result can be released or recreated under the GPL and kept available.

    The problem is that some systems should never be made public. I don't want the command computer source code for the ICBM system running around loose, "many eyes" security methods are a bad thing when intrusion impacts are measured in megatons. So, like it or not, some code will have to remain forever closed.

    --Dave

    1. Re:BSD vs. GPL vs. Public Domain by abe+ferlman · · Score: 5, Insightful

      If you release it under the GPL, all derived code must itself be released under the GPL. Like it or not, this *does* interfere with commercialization of the software, nobody is going to spend millions of dollars writing code they'll have to give away, under most circumstances.

      You are performing one of the great fallacies of free software discussions, and these issues are subtle so I can see how you'd confuse the following:

      this *does* interfere with commercialization of the software

      this *does* interfere with making the software proprietary

      The distinction is very important. You can commercialize GPL'd software, it's right there in the license. You can not make proprietary extensions to that software.

      It's like bottled water. You can get water for free from public drinking fountains everywhere, the chemical code for it is known by elementary school children, but people still buy the stuff in very profitable bottles. I think there are two lessons here:

      1. never underestimate the power of marketing, even (especially?) in absurdly commodified markets
      2. the public availability does not make something commercially unfriendly, it just changes the terms under which vendors must operate to be more consumer-friendly.

      Vendor lockin is very, very bad for business. Many projects have been killed or not started out of the fear that Microsoft will include similar functionality in a later release of their operating system that replaces or possibly outright breaks their implementation. In a level playing field (a gpl-friendly environment) Microsoft would be foolish to extinguish rather than interoperate with other vendors. Bottom line: GPL allows non-lockin commercialization, true capitalist-style competition instead of government-sponsored monopolies.

      --
      microsoftword.mp3 - it doesn't care that they're not words...

  12. Re:hmmm by Sean+Riordan · · Score: 4, Interesting

    While I agree that some pieces of software that have security concerns for one reason or another might not be best released as open code, the vast majority of government funded code is for more mundane applications and could be useful to the general public without potential harm from security issues. I have spent the last couple of months working on a piece of software for a government contract that has been written literally dozens of times before but is considered proprietary by the contractors that developed it. The cost and inefficiency is staggering. That is my opinion at least.

    --
    Sig? What if I prefer Glock?

  13. Wow, a good /. editor by loosifer · · Score: 5, Insightful

    Someone who actually understands the issue at hand, in context, even, and is able to give a relatively straightforward and largely unbiased review of what has occurred and why you should care. Crazy!

    And for the record, if there were a GNU-AirTraffic piece of software, it would take about 10 years to get to anything resembling 2.7; it would probably spend most of that ten years at version 0.9.x or whatever. What is up with OS projects being totally unwilling to actually go up in versions? Sheesh.

  14. GPLed Software that already exists by dachshund · · Score: 5, Insightful

    The case that nobody's mentioning is a situation where the software already exists and is licensed under the GPL.

    I don't feel that the government should GPL all its code on principle. But should the government be forbidden to make modifications to a mature GPL software project if that software fills the requirements of some particular project? Imagine that the government wants to use Linux for a particular application, because they feel it's the best tool for the job-- should they be forbidden from adapting it to suit their particular needs (as companies like Tivo have), or even releasing bug-fixes?

    It strikes me that in many cases the public and the government can both benefit from this sort of transaction. It's certainly far more efficient than the typical "pay a contractor to develop something and then let them retain the copyright" scenario.

  15. Re:SETHROB by swillden · · Score: 4, Informative

    Although your post included hints that obscurity is sometimes of use in security, you didn't say it outright, so allow me:

    The relationship between security and obscurity is a complex one. Naive people often equate them, slightly more educated people make more complex errors, but errors they remain.

    The fact is that obscurity can be a valuable impediment to potential attackers, but only if adequate effort can be applied to make sure that the underlying security is good. Most companies, for example, do not have the resources required to adequately ensure the security of complex systems (i.e. pretty much anything running on a computer), which means that they're far better off publishing and allowing the public security community to find their holes for them.

    However, public scrutiny is not a magic bullet, because it's not uncommon that something gets published but it doesn't get that much attention. In the case of an organization like the U.S. Government, the resources are available to hire teams of top analytical talent and have them focus 100% on a particular system for years on end, or even in perpetuity. No published code gets that kind of scrutiny.

    For example, the NSA practices obscurity but have you ever met a cryptographer who thinks they'd be better off publishing their cipher designs for the community to pound on? The NSA has a huge pool of very talented people and is perfectly capable of doing thorough security reviews completely internally. Adding a layer of obscurity on top of that has all sorts of bonuses for them, such as allowing them to avoid revealing their capability in cipher design (which would imply things about their capabilities in cryptanalysis, for example).

    I think the case of the ICBM C&C system is comparable. The DoD can afford to have extensive review by talented people, and then keeping the software secret adds an additional layer of complexity for any would-be attacker. Even more important, of course, are the policies, procedures, clearances, vault doors and armed guards that stand between a potential attacker and the system, and various security and obscurity mechanisms applied to those.

    I work a great deal with another class of systems in which obscurity is important. Obscurity slows the defect-discovery process for both white and black hats, and that's usually a bad thing because when white hats find a problem, even though the black hats also find out about it, it gets fixed and is no longer a problem. But what about when you know in advance that if someone finds a defect it will not be *possible* to correct it? White hat security research will essentially hand the keys to the system to the black hats because we can't update the system to correct the problem.

    So the logical approach in this case is to (1) do as good a job on the security as you can, (2) keep the software secret, to slow the inevitable discovery of defects, (3) keep an internal team of security analysts working continually to find defects (they can see the code and are more efficient than the black hats, even though they're probably vastly outnumbered) and (4) devise and integrate audit procedures into the initial system security design so that if a bad guy does break it (a) you will find out, so you can try to respond and (b) you have an evidentiary trail that can lead to arrest and prosecution of the attacker.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.