Bruce Perens Wins Victory for Free Speech

February 2020 finally saw the end to a legal battle that threatened the ability of open source commentators to express opinions about open source licensing compliance. With the opinion of the Ninth Circuit in Open Source Security v. Perens, the court upheld the right to publicly comment on open source licensing issues free from the threat of meritless litigation.  

Bruce Perens is one of the founders of the Open Source movement. He co-founded the Open Source Initiative and created the Open Source Definition. In the late 1990s, Perens served as Debian Project Leader, and has written software that is now used across the technology world, like the Busybox utilities for Linux. He was a key technician at Pixar for over a decade, and has been a tireless supporter of open source software over the years. Perens maintains a blog, perens.com, where he posts commentary about issues in open source licensing. He is well known and highly respected in the open source community.

Open Source Security, Inc. (OSS) runs a business providing security patches for Linux under the brand Grsecurity. (Patches are updates to software that fix problems in between major updates.) OSS does not share these patches with the kernel maintainers, and that had generated bad blood between them, because most Linux developers share patches freely for everyone’s benefit, as contemplated by the GNU General Public License that applies to the Linux kernel.   Like the kernel, Grsecurity is governed by the GPL. But in an attempt to discourage its customers sharing patches, OSS used a customer agreement that said that OSS had the right to cease supplying future Grsecurity security updates to users that redistribute the Grsecurity software. 

The customer agreement was brought to the attention of Perens, who posted about the agreement on his blog.  He expressed his opinion that customers should avoid the Grsecurity product because the user agreement posed a risk of violating the GPL.  The blog post also stated that Perens was not an attorney, and stated the facts that formed the basis for his opinions, including that the Grsecurity patch is inseparable from Linux and that GPL section 6 prohibits the addition of restrictions on certain rights such as distribution — the main clause that keeps free software free. 

The blog post was then shared to Slashdot, and, true to its tradition of spirited discussion, extensive public comment ensued — on the issue raised in Perens’s post and a host of other issues, including best practices for improving the security of the Linux kernel. Even before that, OSS’s practices were no stranger to controversy.  Linus Torvalds — the primary kernel maintainer who is well known for bluntness in expressing his opinions on the kernel — publicly called the Grsecurity product “pure garbage.” 

Rather than join the Slashdot discussion or contact Perens about his opinion, on July 17, 2017, OSS filed a lawsuit against Perens, asserting that his blog post constituted defamation (among other claims) and seeking millions in damages.  If that sounds surprising, it was. Defamation claims do not usually apply to businesses, and even when they are available under law for comments in a business context, most businesses avoid such claims because of the “Streisand effect” — where it brings more attention to the controversy than if they remain silent.

The defamation claim was deeply flawed, but nevertheless dragged on for over two years through appeal.  To win a defamation claim, a plaintiff must establish that the defendant made a provably false statement of fact. Coastal Abstract Serv., Inc. v. First Am. Title Ins. Co., 173 F.3d 725, 730 (9th Cir. 1999). Opinions, particularly those whose factual basis is disclosed, are not usually actionable due to protections of free speech and public participation. 

In its Complaint ¶¶ 22-23, Open Source Security v. Perens, Case No. 3:17-cv-04002, Dkt. 1 (N.D. Cal. July 17, 2017), OSS claimed that two statements in Bruce’s post were provably false facts: 

  • “It’s my strong opinion that your company should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement and breach of contract risk.” 
  • “As a customer, it’s my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity.”  .  

OSS argued that these statements should be considered the equivalent of facts, rather than opinions, mainly because Perens was a known expert on open source licensing. Opp. to Mot. to Dismiss at 16–17, Open Source Security v. Perens, No. 3:17-cv-04002, Dkt. 20 (N.D. Cal. Oct. 2, 2017).

OSS filed its lawsuit  in the Northern District of California. The case was decisively dismissed: The court found that the blog post contained opinions about an unsettled legal issue—whether the Grsecurity Access Agreement violated the GPL—and not provably false statements of fact.    Order at 2, Open Source Security v. Perens, No. 3:17-cv-04002, Dkt. 53 (N.D. Cal. Dec. 21, 2017).

But Grsecurity had taken a risk in filing and pursuing the lawsuit based on Perens’s expressed opinions, and that risk came to fruition. The U.S. legal system generally does not support broad “fee-shifting” — unlike some jurisdictions that allow the winner of a lawsuit to get attorneys’ fees from the loser.  But there are exceptions, one of which applied in the Perens case. Many states in the United States have laws to deal with specious claims, called “anti-SLAPP” suits. (SLAPP stands for Strategic Lawsuit Against Public Participation.) Anti-SLAPP claims help protect those who speak out on issues of public interest from lawsuits that threaten to stifle their ability to engage in public debate by burdening them with lawsuits and legal fees — exactly the kind of suit that OSS was using to try to silence Perens because it disagreed with his opinions. OSS argued that Perens’s blog post was not a matter of public interest because it was a matter of concern only to a “relatively small, specific audience,” (Opposition to Mot. to Dismiss at 14, Open Source Security v. Perens, Dkt. 20 (Oct. 2, 2017).)but the Ninth Circuit Court of Appeals rejected this argument. The Court recognized that an issue of interest to the open-source software community could meet the public interest threshold by being of critical interest to a narrow segment of society (without deciding that the impact of Perens’ blog post was so limited). Open Source Security, Inc. v. Perens, No. 18-15189 (9th Cir. 2020).

In fact, many questions about the interpretation of GPL are still unsettled. But OSS sought to use the defamation lawsuit to litigate the GPL interpretation question by proxy. That was problematic for a number of reasons including because the contributors to the Linux kernel code — those who may have had a legal right to enforce the GPL relating to OSS’ actions — were not parties to the case.

In its December 21, 2017 order dismissing OSS’s claims, the trial court noted that Mr. Perens’s statements were protected opinions made in a public forum and concerned issues of public interest, and dismissed the case. The court also went on to award Perens attorneys’ fees of over a quarter of a million dollars. Order, Open Source Security v. Perens, No. 3:17-cv-04002, Dkt. 95 (N.D. Cal. June 9, 2018).

OSS appealed both the dismissal and the attorneys’ fees award to the Ninth Circuit.  The appeal was handled by the Electronic Frontier Foundation, working with the law firm O’Melveny & Myers, which handled the case in the district court.  The case was argued on January 22, and on February 6, the Ninth Circuit affirmed the trial court’s decision.

The case underscored an important constitutional principle. Those who comment about legal matters of public interest, particularly unsettled ones, should not have to risk lawsuits and legal fees for expressing their opinions. That is why the anti-SLAPP statutes exist: to prevent bullies with lawyers from shutting down discussion. Expressing opinions on legal topics is also key to the functioning of a society of laws. We should all sleep more soundly knowing that public discourse is protected by outcomes like this one.

Note: I was part of the legal team at O’Melveny that handled this case. Thanks to my excellent colleagues Melody Drummond-Hansen and Kaitlyn Gosewehr for their contributions to this summary, to the entire team at O’Melveny and EFF for their dedicated and excellent work.

Cryptographic Autonomy License Approved by OSI

After a submission process of over a year and three versions, the CAL was approved last week by OSI.

CAL is a copyleft license, requiring a redistributors to make source code available, but more importantly, also contains a requirement to “maintain user autonomy” with respect to user data processed using the software:

4.2. Maintain User Autonomy.
In addition to providing each Recipient the opportunity to have Access to the Source Code, You cannot use the permissions given under this License to interfere with a Recipient’s ability to fully use an independent copy of the Work generated from the Source Code You provide with the Recipient’s own User Data.
“User Data” means any data that is an input to or an output from the Work, where the presence of the data is necessary for substantially identical use of the Work in an equivalent context chosen by the Recipient, and where the Recipient has an existing ownership interest, an existing right to possess, or where the data has been generated by, for, or has been assigned to the Recipient.
4.2.1. No Withholding User Data. Throughout any period in which You exercise any of the permissions granted to You under this License, You must also provide to any Recipient to whom you provide services via the Work, a no-charge copy, provided in a commonly used electronic form, of the Recipient’s User Data in your possession, to the extent that such User Data is available to You for use in conjunction with the Work.
4.2.2. No Technical Measures that Limit Access.  You may not, by the use of cryptographic methods applied to anything provided to the Recipient, by possession or control of cryptographic keys, seeds, or hashes, by other technological protection measures, or by any other method, limit a Recipient's ability to access any functionality present in the Recipient's independent copy of the Work, or deny a Recipient full control of the Recipient's User Data.
4.2.3. No Legal or Contractual Measures that Limit Access.  You may not contractually restrict a Recipient's ability to independently exercise the permissions granted under this License. You waive any legal power to forbid circumvention of technical protection measures that include use of the Work, and You waive any claim that the capabilities of the Work were limited or modified as a means of enforcing the legal rights of third parties against Recipients.

The intention of this license was to help preserve a user’s access to its own data. The license was promulgated by Holochain, which develops a framework on which developers can build their own applications. Holochain is a distributed ledger technology that was designed to avoid the scalability issues of familiar block-chain based systems like Bitcoin and Ethereum. It uses peer-to-peer networking for processing where “every device on the network gets its own secure ledger, or Holochain, and can function independently while also interacting with all the other devices.” The conditions of the license disallow use of the software with distributed-ledger applications that withhold from a user cryptographic keys that control the user’s own data in the network.

We want Holochain apps to be trusted as maximizing end-user autonomy and control. As that starts to happen, we can’t let someone claim their software is a “Holochain” app if they are actually maintaining central control of end-user cryptographic keys. Otherwise, people will think they’re in control of their accounts, money, personal information, or communications without realizing, at any moment, someone could strip them of their autonomy via revocation keys or a master seed.

https://medium.com/holochain/understanding-the-cryptographic-autonomy-license-172ac920966d

At the center of the OSI license approval controversy was whether the conditions requiring sharing users’own data were effectively a restriction in violation of section 6 of the Open Source Definition, or a necessity to compel behavior to preserve freedom, similar to the “Installation Information” requirements of GPL3.

The controversy over the scope of copyleft these days remains brisk. Regarding CAL, it was so heated that OSI founder Bruce Perens resigned in protest, as the license approached approval. There is a also a larger controversy over whether copyleft licenses written by single companies, and not part of the community drafting process, should be approved, regardless of content.

New Slide Presentation: Basics of Open Source Software Licensing

I am very pleased to announce that my narrated slide presentation on the basics of open source software licensing is now live on COSS Media.

The presentation is suitable for initial training for engineers, lawyers and businesspersons in corporate settings. This is a compact version of the training I have been giving to clients for years.

Creative Commons Non-Commercial Does Not Exclude Copy-for-Hire

The end of 2019 brought an interesting decision that could bear on open source licensing. The case interpreted a Creative Commons license, but raised an issue that crops up regularly for open source.

In Great Minds v. Office Depot, the Ninth Circuit affirmed dismissal of a copyright infringement claim by a publisher against a copy shop.  Great Minds published a curriculum called Eureka Math. It sold copies, but also made Eureka Math available for download online under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (“CC-NC”).

Schools and school districts, intending to use the materials under CC-NC, paid Office Depot to make copies of Eureka Math for use in their schools. Two principles were taken as given: that the schools’ intended use of the materials was authorized under CC-NC, but that if Office Depot were considered a licensee under CC-NC License, its use would not be authorized.

The Court held that Office Depot was not a licensee, because a “licensee’s hiring of a third-party copy service to reproduce licensed material strictly for the licensee’s own permitted use does not turn that third party into a licensee” under the CC-NC License.  The Court specifically addressed Section 2(a)(5)(A) of CC-NC , concluding that Office Depot was not a “downstream recipient” of Eureka Math.  The Court also disagreed with Great Minds’ “volitional” arguments, explaining the “absurd” results of treating copies made by a third-party copy shop differently from copies made by the schools’ own employees. 

This case bears on a common question for open source licensing: If a company has customized but not distributed GPL software that was developed by others, can the company engage a contractor to test or further develop that software without licensing the contractor under GPL? Most companies that ask this question put it a different way: Is engaging an contractor “distribution” that invokes copyleft requirements?

Based on this case, and on custom and practice, the answer is no. The contractor need not be licensed under GPL. Companies often take this issue seriously, because they wish to preserve their right to use “private copies” without disclosing source code under GPL.

Thanks to Patrick Nack-Lehman for his help preparing this post.

Top Ten (+1) Happenings of 2019

Happy Holidays! It’s time to write the obligatory top 10 lists for the closing year. Here are some of the most interesting developments from 2019 in my little corner of the world: open source licensing and software licensing, as well as a few more broad-ranging IP topics.

  1. Patent Troll Sues Non-Profit, Apparently Unclear on the Concept. In this unexpected lawsuit, Rothschild Patent Imaging, LLC sued the GNOME Foundation, a non-profit foundation that runs the GNOME project, for patent infringement. In the entirely expected aftermath, the GNOME project rallied broad support across the industry to fight the case, including offering bounties for prior art. The plaintiff violated the most sacrosanct rule of trolling, which is to only sue people with money.
  2. Huawei was Blackballed by the US Government. Major Chinese mobile device manufacturer Huawei was placed on the “Entity List,” limiting exports to it, and many of its non-US affiliates, from technology providers in the US. Open source projects generally enjoy a relief from the export regulations that govern software: Sections 734.7 and 742.15 of the EAR provide that “published” source code escapes most regulation. (For a good explanation, see the EFF page here.) But the move shed light on the challenges export law can present for open source and standards efforts.
  3. Red Hat replaces Oracle as OpenJDK Steward. The sooner the better. But the industry needs a clear successor to Java whose rights are not owned by a private entity with no particular loyalty to a developer community. Maybe WASM?
  4. AI Applies for a Patent. A patent application was filed for an invention that was created by an AI. (The invention is a “container lid designed for robotic gripping and a flashlight system for attracting human attention in emergencies.”) The US PTO initially rejected the application because the PTO requires that inventors be listed by their legal names, and the AI did not have a legal name. But that end-run will soon give way to the larger substantive issue of whether non-humans can be inventors, an issue that has not yet been addressed by lawmakers.
  5. Oracle v. Google Going to the Supremes. After nearly a decade of litigation, including two trials and two appeals to the Federal Circuit, the landmark software copyright case was granted cert by the US Supreme Court. Arguments and a decision should follow in early to mid-2020. EFF’s summary of the case is here.
  6. GITHUB is More Prepared Than the Rest of Us for the Zombie Apocalypse. In a conservation move no one realized was necessary, GITHUB archives open source software in a cave in Norway, near the Global Seed Bank. Presumably the intrepid survivors of the human race will be more interested in agronomy than coding, but you never know.
  7. The Mainstream Media Notices Open Source. In the last few weeks, CNBC and the New York Times both published the kind of story you would expect from journalists who don’t give a tinker’s damn about technology, and have just now noticed that the entire world runs on open source software and has done so for about a decade. The NYT particularly showed its journalistic savvy by noticing the biggest trend of 2018 (the “strip-mining” controversy) about one year late. For a better article, consider the Economist.
  8. Ethos Licensing and Programmer Activism. Ethos licensing is an attempt to impose software use conditions that are directed toward social engineering. Most of these licenses are effectively political manifestos without concrete effect. This trend culminated in late 2019 in the Vaccine License, which was submitted under a coy pseudonym to OSI for approval, presumably as a form of nerdy performance art. OSI has not yet approved or rejected it (which portends rejection). Other coders voted with their feet by removing their key software from popular repositories and disrupting the software build chain.
  9. PolyForm. The PolyForm project launched with five licenses available for adoption by those who want to use source-available licenses instead of open source licenses. They include source code licenses with non-commercial and evaluation-only limitations.
  10. Blue Oak Council launched with, among other resources, a ranked list of permissive licenses and open source use policies that leverage that list.
  11. RMS is driven out of MIT AI Lab and FSF. I have put this one last (and at number 11) because, though it was undeniably a significant development, I am tired of writing, talking and thinking about it. In an embarrassing moment for free software that played to negative social stereotypes of computer programmers, Mr. Stallman became a casualty of the Epstein scandal combined with his social tone-deafness on gender issues. His resignation created a power vacuum at the top of Free Software Foundation, which as of today is seeking a new president.

Happy holidays, everyone, and best wishes for more fun and drama in 2020.

Good and not Evil: the Advent of Ethos Licensing

For years, my clients have asked me what to do about the “Good not Evil” license, which is most famously applied to JSON (JavaScript Object Notation), a widely used format for storing and transporting data between servers and web pages.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. The Software shall be used for Good, not Evil.

https://www.json.org/license.html

A reader could be forgiven for missing the problem in that clause. That license is essentially a conventional MIT-type license until its last line: The Software shall be used for Good, not Evil. *

This license is widely understood to violate the open source definition. The FSF’s page “Various Licenses and Comments about Them” makes this comment about the JSON license: “This is a restriction on usage and thus conflicts with freedom 0. The restriction might be unenforceable, but we cannot presume that.”

FSF’s comments represent the prevailing view about a class of licenses that might be called ethos licenses. They are open source licenses, overlaid with restrictions or conditions that are intended to change licensee behavior according to the licensor’s political beliefs. Freedom Zero, the most important quality of free software licenses, is “The freedom to run the program as you wish, for any purpose.” Its analog in the Open Source Definition straddles a few of the elements of the definition, such as “No Discrimination Against Fields of Endeavor.”

Nevertheless, the JSON license has resulted in little practical controversy, because most users could convince themselves that they were not engaged in evil activities.

More Ethos Licensing

In the last couple of years, there has been a spate of new ethos licenses. They have ranged from DIY “crayon licenses” (the pejorative term used to refer to licenses drafted without benefit of any professional license drafting experience) to sophisticated attempts to be open source licenses or something like them. Here is a list of the ethos licenses that have received the most attention.

  • Anti-996 License. A professionally drafted license with its own GITHUB discussion page, Anti-996 was intended to address working conditions for software engineers and others by requiring licensees to adhere to local labor laws, or at a minimum, the UN “Core International Labor Standards” which include prohibitions against human trafficking. “996” refers to a working day of nine a.m. to nine p.m., six days per week. This license remains the most professional and serious ethos license out there.
  • Anti-ICE License. A “crayon license” that was issued and quickly withdrawn, this license purported to withdraw permission to use the software to any organization that contracted with US Immigration and Customs Enforcement.
  • Hippocratic License. This license requires the licensee to use the software to do “No Harm: The software may not be used by anyone for systems or activities that actively and knowingly endanger, harm, or otherwise threaten the physical, mental, economic, or general well-being of other individuals or groups, in violation of the United Nations Universal Declaration of Human Rights.” It clearly violates Freedom Zero.
  • Vaccine License. This license was professionally written, addresses the needs for vaccination and an implied disdain for the anti-vax movement. It was submitted to OSI in October, 2019, resulting in a fair amount of discussion on the OSI discussion lists, but its chances for approval are probably nil. The license was submitted under the name Filli Liberandum, which roughly translates as “free the children.” The anonymity of the submission caused as much controversy as its content, and some have posted that it was submitted to test OSI’s appetite for ethos licenses.

The Arcane but Crucial Difference between Restrictions and Conditions

Comparing the Anti-996 License and the ICE License illustrates some of the controversy over ethos licensing and the OSD. Of the licenses listed listed above, Anti-996 comes the closest to meeting the open source definition. It is a thoughtfully drafted document, and its authors include a WIKI explaining some of their drafting choices. Its development team says it is “designed to be compatible with all major open source licenses.” The conditions of the license say:

The individual or the legal entity must strictly comply with all applicable laws, regulations, rules and standards of the jurisdiction relating to labor and employment ….In case that the jurisdiction has no such laws, regulations, rules and standards or its laws, regulations, rules and standards are unenforceable, the individual or the legal entity are required to comply with Core International Labor Standards.

While this is properly written as a condition rather than a restriction, the license is thought by some not to be OSD compliant, perhaps because the conditions do not relate to the use of the software or the exercise of the copyright. The license was never submitted to OSI for approval, so the isuse of its OSI compliance was never examined in detail. Moreover, this license is clearly not compatible with GPL, because it imposes conditions that are not in GPL, and GPL expressly prohibits imposing additional conditions.

In contrast, the ICE license prohibited use by any organization that contracted with US Immigration and Customs Enforcement and specifically banned 16 organizations, including Microsoft, Palantir, Amazon, Northeastern University, Johns Hopkins University, Dell, Xerox, LinkedIn, and UPS. The project to which the license was applied, Lerna, had not been implemented by all of these companies. The license has been withdrawn but its pull request for the project is here. This prohibition was a clear violation of Freedom Zero. The prohibition had been applied by one of the developers of the project, apparently without the consensus of other developers of the project, but with the approval of the core maintainer, who later stated:

Despite the most noble of intentions, it is clear to me now that the impact of this change was almost 100% negative, with no appreciable progress toward the ostensible goal aside from rancorous sniping and harmful drama….I am reverting the license changes. In the future, such changes (if any) will go through a much more thorough, completely public, and fair-minded process.

The project withdrew the modified terms and kicked the developer out of the project for various conduct violations.

Access vs. Licensing

But licensing is not the only tool in the developer/activist’s arsenal. Take, for example, the problem caused earlier this year in the Chef development product environment.

In September,2019, the developer of an open source Ruby library called Chef Sugar (a Ruby library useful for Chef) pulled his code down from his personal repository, where the code resided stating that “Chef was found to have entered into an agreement with US Immigrations and Customs Enforcement (ICE), best known for their inhumane treatment, denial of basic human rights, and detaining children in cages.” The code was developed while the developer worked at Chef, but resided in the developer’s person GITHUB repository; the developer had continued to maintain it after he moved to a different company. The takedown of the code resulted in broken links that disrupted the use of Chef in the field. Chef quickly restored the code to a different repository. The controversy continued, however, until Chef promised not to renew its contracts with ICE.

This disruption echoed an earlier takedown that “broke the internet” by removing a very simple white space padding routine (left-pad) on the popular NPM repository, a massive code development platform used to locate open source Javascript dependencies. Ironically, this disruption happened because of a trademark dispute between the developer and a company that asked him to rename a routine he had posted to NPM. The dispute became heated and profane, NPM joined in asking the developer to rename his routine, and the developer reacted by simply removing his code from NPM. (The dispute was characterized by the developer as a patent dispute, but that does not appear to be accurate.) The takedown included not only the routine that was the subject of the dispute (kik), but the 11-line left-pad. Suddenly, many software packages would no longer build properly. left-pad was a dependency — direct or indirect — for many software packages. The alternative package left-pad.io was created, and the issue was soon solved, but not before wreaking havoc for a day or two. The left-pad crisis was not an overtly political dispute, but it demonstrated that build chains are only as strong as their weakest link, and those links may be subject to the whims of developers, political or not.

What Works, and What Doesn’t

There is a war of ideology at work here. Free and open source software is built on the premise that use of software should be like free speech: without moral and political judgement that function like a prior restraint. Today’s developers, however, being just as politically polarized as the society at large, prefer to impose their ethical strictures upon others. While the two approaches are mutually exclusive, open source philosophy has already won. But a few things are clear.

First, ethos licensing inevitably results in a crazy quilt of incompatible, possibly unenforceable, and often vague restrictions. As a result, the most likely result is that no one will adopt software under such licenses. The administrative burden of ensuring compliance is significant, even if the user is morally upstanding. That adds to the already non-trivial cost of open source compliance, and most users will weigh the costs as heavier than the benefits of using the software. I have not yet had a client ask me whether it is compliant with the Hippocratic License, but I doubt any lawyer could responsibly answer that question.

Second, ethos licensing tends to focus on political issues that, by their nature, are ephemeral in the grand scheme of things. Even if one agrees that a company should not supply tools to ICE in 2019 because doing so facilitates inhumane treatment, what happens when ICE changes its policies? What if vaccinations become obsolete due to gene therapy? The license restrictions in ethos licenses may be a cure that outlives the disease — they will persist long after their justification is gone. Those who have tried to write open source licenses know how difficult it is to write terms that will work for the foreseeable future. Licensors may assume that, once conditions change, they can then re-state the license terms. But that is an assumption that only young people make. Unfortunately, licensors, too, are ephemeral, because we are all mortal. Developers who want to create a legacy with the fruits of their labor needs to think about the effect of their actions in the long term.

Third, ethos licensing is not an effective tool to control behavior. If ethos licenses impose license conditions, then the only real remedy for violating them is an injunction not to use the software. There is no legal mechanism to curb immoral behavior, nor compel good behavior, with a license condition.

Fourth, ethos licensing is ineffective in gross. What actually works best is good old-fashioned advocacy. For example, the Anti-996 License was as much an exercise in advocacy as in licencing, and it generated robust interest and discussion about working conditions. And the Chef/ICE issue had a real result, but not because of the takedown, which was ultimately toothless and at most mildly disruptive; it happened because of the concomitant advocacy, mostly by those in the community at large.

In short, ethos licensing is a publicity stunt. If we believe in free speech, then we must acknowledge that people can write whatever licenses they want in order to garner attention. But developers should not be so quick to trample Freedom Zero, which is an idea so powerful that it has fundamentally changed the world.

* Lexicographers might ponder why the terms “Good” and “Evil” are capitalized. If you think this does not matter, you are not a lawyer! Perhaps the author spoke German as a native language, or was referring to avatars of good and evil? But no, the capitalization is probably not the key to understanding this license.

A Chronicle of a Sad Time for Free Software: the Fall of RMS

I am ambivalent about writing this post, because it almost seems like piling on. But the recent scandal regarding Richard Stallman is such big news in the open source community that many people have asked me what happened. Also, some of the information is not persistent (for reasons explained below), so here is a summary for those who don’t follow the day-to-day developments (or can’t bear to read them). Also, the Stallman scandal demonstrates some of the themes I have written about previously here regarding changing community norms in open source licensing.

Richard Stallman (often referred to as RMS) is the prime mover behind the GPL, founded the Free Software Foundation, and founded the GNU project. He worked at the MIT artificial intelligence laboratory for many years and acts as an tireless spokesman for free software. He was also, famously, a prickly character, and could be callous in his interactions with others. To me it seems everyone has a Stallman story:

Nevertheless, he has been respected widely by the open source community for his vision and leadership, and for begetting the copyleft model, which is, and always will be, a brilliant judo move that uses the power of copyright law to make people share their copyrightable works.

Stallman has for many years espoused eclectic political views alongside his views on free software. His personal blog has never shied away from controversy, and even today, advocates Netflix shutting down, that US states form a union to collectively bargain with large corporations, and for a holiday called grav-mass (celebrating Isaac Newton’s birthday as an alternative to Christmas), to name a few. But it also contains many, more mainstream, electronic freedom positions against abuse of facial recognition, e-voting, and non-cash transactions.

Many of his personal political positions enjoyed sympathy, and he clearly separated his personal views from FSF or GNU. In September of this year, however, things went terribly wrong, causing the two to collide at the expense of both Stallman and the organizations with which we was affiliated.

September 7, 2019:

MIT Media Lab director Joi Ito resigned after criticism that he sought to conceal donations by financier and sex offender Jeffrey Epstein, including by marking them as anonymous.

September 12, 2019:

Stallman makes “catastrophically insensitive” statements in an MIT listserv post.

I think it is morally absurd to define “rape” in a way that depends on minor details such as which country it was in or whether the victim was 18 years old or 17. I think the existence of a dispute about that supports my point that the term “sexual assault” is slippery, so we ought to use more concrete terms when accusing anyone.

Richard Stallman

The same listserv string contains this rather prescient statement:

When this email chain inevitably finds its way into the press, the seeming insensitivity of some will reflect poorly on the entire community. Regardless of intent, this thread reads as grasping at straws to defend our friends around potential involvement with Epstein, and that isn’t a reputation I would like attached to my [CSAIL] affiliation.

(Author unclear from context of the string)

The email string was promptly published on Medium in a post calling for Stallman’s removal. The Medium article quotes another statement by Stallman, which was what eventually got the most press:

We can imagine many scenarios, but the most plausible scenario is that she presented herself to him as entirely willing…. Assuming she was being coerced by Epstein, he would have had every reason to tell her to conceal that from most of his associates. I’ve concluded from various examples of accusation inflation that it is absolutely wrong to use the term ‘sexual assault’ in an accusation.

It may be surprising to learn that the person who published the post, Selam G., did not know Stallman’s reputation when she first published about it. Her follow-on post about the fallout from her initial publication makes for interesting reading. But ironically, it may have taken someone who was not overawed by RMS to call out his comments at face value.

September 14, 2019: As this scandal unfolded, Stallman retracted a previous statement about pedophilia, one of his more unorthodox personal views.

Many years ago I posted that I could not see anything wrong about sex between an adult and a child, if the child accepted it. Through personal conversations in recent years, I’ve learned to understand how sex with a child can harm per psychologically. This changed my mind about the matter: I think adults should not do that. I am grateful for the conversations that enabled me to understand why.

September 15, 2019: Unsurprisingly, the fallout from his statements on the listserv was quick and far reaching. First, Stallman resigned from CSAIL.

I am resigning effective immediately from my position in CSAIL [Computer Science and Artificial Intelligence Laboratory] at MIT. I am doing this due to pressure on MIT and me over a series of misunderstandings and mischaracterizations.

September 17, 2019: After that, Stallman resigned as head of the Free Software Foundation, the non-profit organization he started in 1985. (Interestingly, the Wikipedia page for FSF is, as of October 14, 2019, silent on the Stallman scandal and resignation.)

September 29, 2019: Stallman’s web site stallman.org was hacked, then restored and moved. Some speculated that unauthorized changes were made by an FSF employee or one of the volunteers who update the site daily.

After this point, it became unclear whether Stallman was still the head of the GNU project, the main project of FSF.

28 September 2019: According to archives, Stallman wrote, “I hereby step down as head of the GNU Project, effective immediately.”

But it’s unclear whether this statement was legitimate or part of the suspected hack.

On October 7, 2019, 28 maintainers of the GNU project issued a joint statement saying “Stallman’s behavior over the years has undermined a core value of the GNU project: the empowerment of all computer users. GNU is not fulfilling its mission when the behavior of its leader alienates a large part of those we want to reach out to.”

On October 7, 2019, Stallman wrote:

I recently resigned as president of the FSF, but the FSF continues to provide several forms of crucial support for the GNU Project. As head of the GNU Project, I will be working with the FSF on how to structure the GNU Project’s relationship with the FSF in the future.

As of October 14, 2019, Stallman’s continued control of the GNU project is hard to handicap. The FSF is seeking a new president. Stallman’s unexpected departure may result in substantial change of direction for the organization, and some speculate that FSF will re-take the reins of enforcement activity that it has eschewed in the recent past.

This stream of events illustrates a few points worth considering.

  • Inclusiveness, diversity and community conduct are important ongoing issues in open source community stewardship. The last few years have seen a spate of blowups over codes of conduct and hateful behavior. The blunt and freewheeling exchanges that have been common in open source discussions are no longer viable now that open source has eaten the world. In this respect, open source is a victim of its own success; scrutiny of casual discussion within projects is now intense because so many more people pay attention.
  • The old guard is being phased out. The first generation of engineers, businesspersons, (and lawyers!) involved in open source are ageing, retiring, sometimes dying, sometimes faltering in their leadership, and need to pass the torch. Perhaps it’s no surprise when the views of the first generation sound retrograde. Open source was once known for the libertarian views of leaders like Stallman and Eric Raymond, but in an era of deep political division, those views are every more likely to generate conflict and discourage participation.
  • The popularity of the BDFL (benevolent dictator for life) paradigm may be fading. Many open source projects have been run for a long time by men with strong personalities and sharp tongues, who have a tendency to shout others down in the name of code quality or ideology. The cost of that behavior can’t be easily measured; people vote with their (virtual) feet or by staying silent when they otherwise might contribute. It’s notoriously hard to set standards for behavior that simultaneously promote excellence, candor and respect, but the social trend is toward greater emphasis on formalizing the rules of civil discussion.
  • The lines between personal and professional communication are breaking down. Everything we say online is persistent and public, and we will be held to account for it, for better or worse. Most of us already knew that. Any who think they are immune will eventually be unpleasantly surprised.