Open Letter to Biden: Cybersecurity for FOSS needs copyleft and consumers' right to repair
Posted on February 1, 2022
Inspired by the log4j situation, The White House recently met with Big Tech on the issue of security vulnerabilities in FOSS used in the nation's infrastructure. While we are glad these issues have received attention at the highest levels of the administration, we are concerned that representation in these discussions is skewed. Hobbyists, and communities organized around public interest and consumer rights, who both use and develop a large portion of FOSS, were not represented. Additionally, the entities represented at the meeting were biased toward copyleft-unfriendly organizations. Unsurprisingly, these entities focused on Software Bill of Materials (SBOM) as a panacea for the problem of FOSS security. While SBOMs are a useful small step toward hardening the nation's software infrastructure, we believe the proper solution is to favor copylefted FOSS.
Consumers must have access to source code, the right to modify and reinstall it (or hire anyone they'd like in the free market to do so). Without these rights, businesses, individuals, and the government — all of whom rely on software as part of their critical infrastructure — cannot identify and repair security vulnerabilities. Furthermore, the widespread incorporation of non-copyleft FOSS, which companies can and do proprietarize, creates a false sense of security — as many users may not realize that “FOSS inside” (as listed on their SBOM) does not mean the software is any better than proprietary software.
Our open letter to the White House which addresses our concerns is included in full below, and is also available as a PDF:
Dear President Biden, Deputy Advisor Neuberger, Director Inglis, et al:
Firstly, we appreciate very much that your administration has taken the issue of the log4j software vulnerability so seriously, and we also appreciated President Obama’s efforts to take the OpenSSL vulnerability (so-called “Heartbleed”) seriously during his administration. While we at the Software Freedom Conservancy believe deeply that Free and Open Source Software (FOSS) is a better and more reliable method to develop software, we also readily acknowledge that no method of software development is perfect. (Flaws can and do occur.) However, sound planning — which includes meaningful investment in infrastructure — will not only limit potential vulnerabilities, but is also essential to respond to them adequately when they do inevitably occur.
As you likely agree, our nation’s infrastructure and national security — both of which increasingly depend on software — demand this type of care and attention. While we are pleased that your administration has taken some basic steps to focus on this critical issue, we send this open letter to request necessary improvements to the current methodology that your administration is using to address the issue of software security vulnerabilities in FOSS. In short, your administration has taken a great first step — one which the for-profit software industry has embraced — but we have deep concerns. We expect the powerful technology industry to resist the mandatory steps necessary to ensure the security of FOSS, for the basic reason that those steps mean companies and their shareholders will have to live with more modest profits.
Your meeting earlier this month included some important entities, but unfortunately was biased in one specific direction. Specifically, we observed that the meeting only included representatives from companies and organizations that prefer a specific form of FOSS — the form of FOSS that allows entities to change the software into their own proprietary technology. Roughly speaking, there are two forms of FOSS: non-copylefted FOSS, which allows vendors to take the publicly available software and make trade-secret changes; and copylefted FOSS, which — by contrast — is licensed in a manner that requires full disclosure of all source code (and the necessary means to repair vulnerabilities in that software) to customers. Non-copyleft FOSS has a fatal flaw: it can easily be incorporated into a proprietary product — including with modifications that may introduce vulnerabilities. Vendors can keep all details about those changes secret from everyone — including their customers and the government. Furthermore, a company may disclose that the software is based on a particular FOSS project, which perpetuates a false sense of security. Consumers will often assume that since it’s labeled as FOSS, the key benefits of FOSS de facto apply — such as easily auditing the software themselves (or hiring a third-party firm) to examine the software for vulnerabilities and/or repair discovered vulnerabilities. However, if that FOSS is not under a copyleft license, there are no such guarantees. Imagine what can happen when a vendor goes out of business while the customer (who could be the federal government itself) still relies on that software for essential infrastructure.
As one of the leading organizations dedicated to FOSS, we believe it is extremely important to share our expertise at this critical moment. We reiterate our sincere appreciation for your administration’s interest in and promulgation of Software Bill Of Materials (SBOM) requirements. On the surface, this is a small step in the right direction. We fear, however, that, without meaningful and informed improvements, it merely serves as camouflage and creates a false sense of security. A simple list of software included will give only vague clues as to how to repair vulnerabilities in a vendor’s software. No existing SBOM formats actually require full disclosure of software source code — nor means for its modification — to the customers who receive, use, and rely on it. Having an SBOM for your non-copylefted, proprietary software is like having a list of parts that you know are under the hood of your car, but discovering that the manufacturer has welded the hood shut, and forced you to sign an agreement that they could sue you for millions of dollars if you attempt to open it. The car may look safe and secure from the outside, but there is no way to know if the car is safe, reliable, and maintainable.
We are pleased to note that many software companies do choose to use copyleft licenses responsibly and provide the necessary source code; they serve as model citizens for other companies. Interestingly, the early positive revolution of FOSS in the software industry occurred precisely because copylefted FOSS was originally the more common form of FOSS; companies who seek higher profits and control of their customers have campaigned to limit the amount of copylefted FOSS developed. The history behind this is politically intriguing and not unique to FOSS. We see tech companies wielding power in problematic ways in other areas, too. Specifically, they have spent the last few decades pressuring hobbyist creators and small businesses to abandon copyleft licenses. As a result, non-copylefted FOSS is much more commonplace now than ever before (which is why this is such a critical issue). We at the Software Freedom Conservancy urge your administration to carefully consider the larger context of software cybersecurity — particularly as it relates to FOSS. We also offer up our guidance and expertise, and hope you will make room for additional seats at the table as you continue discussions and make decisions of this magnitude.
At the White House Meeting on Software Security on January 13, 2022, Big Tech was well-represented, and even overrepresented, since it primarily included companies that are considered anti-copyleft. (Indeed, some Microsoft executives in the past have even called copyleft licensing “against the American Way” and a “cancer” on the software industry.) Yet, it is common knowledge in the technology sector that key components of our nation’s software infrastructure, such as Linux and the GNU Compiler Collection, were initially written by hobbyists and activists under copyleft licenses. Hobbyists and activists, who are the founders of FOSS, deserve a seat at the table — alongside Big Tech companies and their trade associations — as you continue to discuss these important national cybersecurity issues. The Software Freedom Conservancy is proud to serve and to give a voice to these hobbyists and activists, and we are also willing to recommend other organizations, academics, and individuals if you feel we’re not an ideal fit but nevertheless do want to diversify your committees on FOSS cybersecurity.
More generally, we ask that your administration reconsider how it solicits advice on these matters from technologists, and that you not succumb to the monoculture of opinion and manufactured consent from large technology companies and their trade associations. We appreciate that in other areas, your administration has valued inclusivity and actively seeks input from experts who disagree with the status quo. We believe you are truly interested in working on meaningful solutions to this critical issue facing our nation, and thank you for your consideration of our points raised in this letter.
Bradley M. Kuhn
Policy Fellow, Software Freedom Conservancy
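The letter's central security claim is that an SBOM lists what is inside a product without giving the recipient any right to, or pointer at, the source needed to repair it. As an added example (not part of the letter and not the Conservancy's own code), the following Python walks a constructed CycloneDX-style SBOM and reports, per component, what the document actually tells a recipient: the declared license, whether that license is one that obliges the vendor to supply source to recipients (copyleft), and whether the SBOM even carries a reference to any source. The set of SPDX identifiers treated as copyleft, the reference types counted as source pointers, and every component name, version and URL in the sample are assumptions of this example, not real vendor data.

```python
"""Audit a CycloneDX-style SBOM for what it does and does not say about
source-code access.

Added example, not code from the Software Freedom Conservancy. The SBOM
embedded below is constructed for illustration; its component names,
versions and URLs are placeholders.
"""
import json

# SPDX identifier prefixes treated as copyleft for this audit. This is an
# assumption made for the example, not a legal determination.
COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-")

# CycloneDX externalReferences types that may point at source or a source
# distribution. Their presence is optional in the format; nothing requires
# the referenced tree to match the binary the vendor actually shipped.
SOURCE_REFERENCE_TYPES = {"vcs", "distribution"}

# Tokens in an SPDX license expression that are operators, not identifiers.
EXPRESSION_OPERATORS = {"AND", "OR", "WITH", "(", ")"}


def license_ids(component):
    """Return the license identifiers declared on a CycloneDX component.

    Handles both {"license": {"id"|"name": ...}} entries and
    {"expression": "..."} entries; an expression is split into its
    identifiers (OR-choices are not resolved, so any copyleft term counts).
    """
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            ids.append(lic["id"])
        elif "name" in lic:
            ids.append(lic["name"])
        if "expression" in entry:
            ids.extend(tok for tok in entry["expression"].replace("(", " ( ").replace(")", " ) ").split()
                       if tok not in EXPRESSION_OPERATORS)
    return ids


def is_copyleft(license_id):
    """True if the identifier starts with one of the assumed copyleft prefixes."""
    return license_id.startswith(COPYLEFT_PREFIXES)


def source_references(component):
    """URLs on the component whose reference type claims to point at source."""
    return [ref["url"] for ref in component.get("externalReferences", [])
            if ref.get("type") in SOURCE_REFERENCE_TYPES and "url" in ref]


def audit_sbom(sbom):
    """Per component: declared licenses, whether the license obliges the vendor
    to give recipients source (copyleft), and whether the SBOM carries any
    source reference at all. A component with neither tells the recipient
    only that the code is inside, which is exactly the letter's complaint.
    """
    findings = []
    for comp in sbom.get("components", []):
        ids = license_ids(comp)
        findings.append({
            "component": f"{comp.get('name')}@{comp.get('version')}",
            "licenses": ids,
            "source_obligation": any(is_copyleft(i) for i in ids),
            "source_pointer_in_sbom": bool(source_references(comp)),
        })
    return findings


def summarize(findings):
    """Count components with a copyleft source obligation and those with no
    source pointer of any kind in the SBOM."""
    return {
        "components": len(findings),
        "copyleft": sum(1 for f in findings if f["source_obligation"]),
        "no_source_pointer": sum(1 for f in findings if not f["source_pointer_in_sbom"]),
    }


# Constructed sample in the CycloneDX 1.4 JSON shape. Placeholder data only.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "application", "name": "busybox", "version": "1.33.1-vendor3",
     "licenses": [{"license": {"id": "GPL-2.0-only"}}],
     "externalReferences": [{"type": "vcs",
                             "url": "https://git.example.invalid/vendor/busybox"}]},
    {"type": "library", "name": "vendor-tls-shim", "version": "0.9",
     "licenses": [{"license": {"name": "Proprietary"}}]}
  ]
}
""")

if __name__ == "__main__":
    for finding in audit_sbom(SAMPLE_SBOM):
        print(json.dumps(finding))
    print(json.dumps(summarize(audit_sbom(SAMPLE_SBOM))))
```

Note what the audit cannot do: even where a component carries a copyleft license and a `vcs` reference, the SBOM says nothing about whether that repository contains the vendor's modified, shipped build. Confirming that is a separate exercise (obtaining the offered source and rebuilding), which is precisely the "means for its modification" the letter says no SBOM format requires.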
Matcher Interview - Tony Sebro
Posted on January 3, 2022
In the second of our series of interviews with donors, we talk with another longtime Software Freedom Conservancy supporter (and former employee!), Tony Sebro. Tony recently served as Deputy and Interim General Counsel to the Wikimedia Foundation and is now General Counsel at Change.org. We "sat down" with him to talk a bit about us and what he's excited about right now.
Software Freedom Conservancy: “Why do you care about software freedom?”
Tony Sebro: “For one, I am inspired by people dedicating their time, creative energy, and technical talents to the public interest. I am also impressed by what they produce: FOSS communities have created some of the most important, innovative, and irreplaceable products that societies rely on. ”
SFC: “What do you appreciate about Software Freedom Conservancy?”
TS: “I appreciate that Conservancy supports the creation of ethical technology from multiple vantage points. Conservancy supports FOSS developer communities through services, education, and mentorship. Conservancy supports end users by defending their rights. And, Conservancy advocates for groups underrepresented in technology by providing them with gateways into FOSS communities -- which, in turn, infuses these communities with fresh talent.”
SFC: “What's got you most excited from the past year of our work?”
TS: “While I am intrigued to see what happens with the lawsuit against Vizio, I am most excited by Outreachy's continued growth, as evidenced by the record number of interns admitted into the December 2021 cohort. I admit, I'm biased. :) ”
SFC: “Do you think we are doing a good job reaching a wider audience, and do you see us at places you expect?”
TS: “I got a good chuckle out of seeing Karen and Bradley pop up in this recent NFT project.”
SFC: “What other (non-tech) organizations are you supporting this year?”
TS: “My wife and I support other charities, as well as our local church.”
SFC: “You were Software Freedom Conservancy's second employee! What are your thoughts about how the organization has changed and grown since the beginning of your involvement in the organization?”
TS: “Conservancy has grown in virtually every direction! More projects; more commentary and scholarship. Greater investment in diversity, equity, and inclusion. Conservancy has also expanded into providing resources to educate tech employees about their employment rights.”
SFC: “Until recently, you were Deputy General Counsel at Wikimedia. Did the principles of software freedom impact your work there?”
TS: “Certainly! Free knowledge isn't just freely-licensed content, it should also be freely consumed. The Wikimedia Foundation hosts Wikipedia and its other free knowledge projects on a FOSS stack. The public can inspect the code, and can trust that Wikimedia isn't hiding anything that would bias or pervert the editorial decisions of the communities who maintain the project content Wikimedia hosts.”
SFC: “As a former employee, a member of the board of directors and as an organizer of Outreachy you've participated in many facets of Software Freedom Conservancy and have such a unique perspective. What are you most proud of? What do you think the organization should do in the future?”
TS: “I enjoyed providing advice and counsel to the various member projects -- getting to understand their specific cultures and needs. Outreachy continues to have a special place in my heart. That said: my favorite part of working at Conservancy was the deep conversations about ideology and strategy that I'd have with Karen, Bradley, and Denver. The team cares deeply about the work they do, and their passion for the mission was and is infectious.”
SFC: “Congratulations on starting your role at change.org! What can we look forward to seeing you work on there?”
TS: “Change.org's mission is to empower individuals to make a difference, and more than 450 million people use the platform to amplify their voice. I am leading the Legal & Policy department, which includes the organization's legal, trust and safety, platform policy and public policy functions.”
Outreachy's Grant Funding: Ford Foundation, ARDC and most recently CZI!
Posted on December 30, 2021
As most readers of this blog know, Outreachy, one of Software Freedom Conservancy's flagship projects, is a diversity initiative that provides paid, remote internships. Outreachy interns work with mentors from free software communities. Outreachy creates an inclusive experience for people who are subject to discrimination or systemic bias, and impacted by underrepresentation in the technical industry of the country they are living in. In the years since 2010, we've had 840 successful graduates of the program.
Outreachy is a resource intensive program, which is described as "high touch", in that we seek to have a deep involvement with our interns rather than a quick experience like a short intro or training session. There's a lot of work at every step of the process, from the application process where we make sure that our opportunities are going to the people who really need them, to onboarding communities that we have confidence our interns will have a good experience with, to supporting the actual internships when they happen.
To do all of this, we rely on our small staff supplemented by a serious volunteer effort. In the last completed internship cohort (May 2021), there were 125 volunteer mentors representing 37 free software communities. Mentors worked with over 700 applicants, and ultimately chose 71 interns (the current round has 61 interns from over 700 final applicants). Applicants and mentors are all supported by 4 Outreachy organizers. Two Outreachy organizers are volunteers and two are paid staff. Software Freedom Conservancy's staff is also a lean operation with just a few employees supporting the financial, legal and administrative needs of the program.
Funding for Outreachy's core operations is essential to running our internship program. This "core support" funding allows us to hire staff who write documentation, organize volunteers, support interns, advise mentors, and promote the program to diversity in tech organizations. Outreachy staff are continuously looking for ways to make our internship program more inclusive and welcoming.
We rely on funding from a variety of sources, including corporate sponsorships and generous donations from individuals, but this blogpost highlights the critical core support Outreachy receives through grants. Over the past few years, we have received several grants from the Ford Foundation, Amateur Radio Digital Communications, and (we're now pleased to say) the Chan Zuckerberg Initiative.
These grants are essential to Outreachy operations. We wanted to take a moment to show how the existing grantmaking has helped us, and thank our awesome grantmakers.
The first substantial grant that Outreachy received was from the Ford Foundation in 2018. Noting that we were "punching above [our] weight administratively" due to our long hours and amazing volunteers, Ford stepped up to help us stabilize the program.
Ford provided its first grant to improve our documentation, which allowed us to create our Applicant Guide and Community Guide. These guides help both potential interns and new mentors. A new community for the December 2021 internship cohort said the reason they decided to mentor was because our documentation was so thorough.
Ford's subsequent grants have helped us shore up our processes and staffing. In November 2020, Outreachy hired its first full-time employee, Sage Sharp and was able to increase the hours of our contractor, Anna e só. Having dedicated staff is essential to providing solid support to Outreachy interns and for ensuring the program runs smoothly.
Ford has continued to support Outreachy in the years since. In addition to the financial support, Ford also invited us to several training sessions with other grantees. In particular, these trainings helped us to more effectively fundraise from others, and also provided us with media training that has been very useful over the years (Outreachy tends to spark strong reactions in how people talk about the program and engage with us).
We're so grateful to Michael Brennan at Ford! Michael has helped us coordinate with Ford and has provided insightful advice throughout the years.
Ford's funding has been transformative to Outreachy. It's hard to imagine the program being as strong as it is, or in a position to grow, without these grants. Ford's focus on social justice and its goals of addressing inequality match Outreachy's goals well and have helped us to grow without compromise.
The second grantmaker to step in to support Outreachy was Amateur Radio Digital Communications (ARDC). ARDC's mission is focused on communication science and technology. Their aspirational goals include social over commercial benefit, inclusion of underrepresented groups, and empowerment of individuals. There's a natural alignment with Outreachy, especially since so many of the internships we offer are to work on software that underpins and supports the Internet and communications technologies.
We were honored to be in one of the initial rounds of grantmaking by ARDC. Along with Ford's grant, ARDC's support gave us the ability to commit to funding 10 humanitarian open source projects in the December 2020 round. Rosy Schechter and Chelsea Parrága at ARDC have been so supportive of our work on Outreachy and we have loved to watch their giving program grow.
We're pleased to announce that the Chan Zuckerberg Initiative is joining as a new grantmaker of Outreachy! We've enjoyed working with Carly Strasser to get this in place.
In conjunction with the grants we've received from Ford and ARDC, we'll use these new funds to:
- continue to provide our internships twice a year, and strive to provide even more internships
- increase our staffing!
- analyze and publish data from Outreachy's historic participation
- focus on spreading the word about the program
- evaluate additional activities to better support our interns, mentors and alums
- work on fundraising from individuals so that we can better diversify Outreachy's funding (you can donate here!)
Grants have been critical to Outreachy's success
The grants we receive have given Outreachy an independence that is essential to continuing to serve our mission well. We've been able to refuse money from problematic sources without having to be anguished about having to shrink the program. It's much easier to take the high road when you know that you won't have to cut the number of internships that are providing much needed opportunities to people who really need them. This funding allowed us to hire contractors to review applicant essays about the discrimination, systemic bias, and underrepresentation they face (we usually have around 3000 initial applicants each with essays to review in every round).
These grants, combined with corporate sponsorship and individual giving give us the breadth and stability of funding that allow us to continue our operations with confidence and plan for the future. We're so excited for all that's in store for Outreachy in the coming years!
One More Small Step Toward The Right to Software Repair
Posted on December 28, 2021
Our Motion to Remand in Vizio Lawsuit Shows How the Law Brings Software Freedom to All Users
Yesterday afternoon, we filed a Motion for Remand in our lawsuit against Vizio for their flagrant GPL & LGPL violations, alleged with great detail in our complaint in California state court. Vizio's response to that complaint was to “remove” the case to federal court. Vizio argues that the lawsuit can only be brought by a copyright holder as a copyright infringement lawsuit in federal court. In response, we have asked the federal court to return (“remand”) the case to state court.
While Vizio's original request to “remove” the case from state court to federal court is, in the general sense, a standard litigation tactic and our response is a relatively standard response (on which we expect to prevail), the implications of these early procedural maneuvers deserve special attention for those of you that care deeply about copyleft as a strategy to achieve software freedom and rights. If you seek a deeper understanding of these essential issues in copyleft policy, we encourage you to first read our motion to remand, and then read this article as supplemental strategic context for that filing.
Many of our longstanding Sustainers will recall that we previously have enforced the GPL for BusyBox in federal court. As part of that large lawsuit against 14 defendants, we learned how the process of copyright-only GPL enforcement works in US federal court. We still believe that federal litigation brought by copyright holders is an essential component of copyleft enforcement.
But many lawyers have advised us that contract law is a useful parallel avenue. This approach has the advantage of empowering users of the software who are not necessarily copyright holders. The mantra of “the GPL is not a contract” is a mistruth that has been so often repeated that it became widely accepted and typically unchallenged. (We expect you'll hear this theory repeated even more loudly now that our Vizio lawsuit has brought the question to the forefront in a federal court case.) Yet, prominent legal experts outside of FOSS social circles have long scoffed at the assertion. Indeed, case law in the USA has held the opposite. In multiple cases, courts have been convinced, specifically, that the GPL operates as both a contract and a copyright license. The law appears clear on this, and this is among the reasons why we believe our motion to remand will succeed. In short, we'll say it plainly here and now for everyone: the GPL operates both as a copyright license and as a contract; litigation can proceed under either of those legal theories. Our motion to remand in the Vizio case explains the legal details as to why that's true.
While this seems a minor matter of legal detail, it stems from the longstanding and fundamental principles of copyleft itself. Specifically, the point of copyleft was not to further empower copyright holders. As early as 2001, I and other copyleft proponents already argued publicly that copyleft was a method for software authors to unilaterally disarm the inappropriate power held by copyright holders when they created software. Like the Constitutional Bill of Rights in the USA (which exercised government power by guaranteeing each citizen's rights), the GPL allows software authors to exercise their power in choosing a license to grant rights to all software users. Those users deserve the right to seek redress when companies infringe their rights. In short, the GPL was designed as a tool for software authors to exercise their default power of licensing control to benefit the general public (instead of only themselves).
Accordingly, this legal diversification of claims is not only a tactical matter. It's not an esoteric debate; it drives to the very heart of copyleft's policy goals. Our Vizio case is landmark GPL litigation because, in addition to seeking the source code for our immediate use to create alternative firmwares, the lawsuit trailblazes a path for consumers to assert their software right to repair. If the entire case is ultimately successful, we will have shown that individual users who purchase a device and wish to repair the copylefted software in it have a fundamental legal right to take action on their own to seek redress from the court.
Further, our claim in this lawsuit asks for what lawyers call specific performance. The complete, corresponding source code (CCS) for a specific product has unique value that cannot be replaced by awarding monetary damages instead. Once ordered to specifically perform, the vendor has no choice but to produce the CCS for all copylefted software. Our lawsuit focuses on this remedy under contract law because it is the most relevant to the policy aims of the GPL. In short, money is no substitute for CCS, and we plan to explain why to the Court as the case continues.
Nevertheless, copyright litigation under GPL also remains an important tool, and we expect that we'll work with our lawyers to bring copyright claims again in the future — when that's the best tool to do the job that needs to be done. However, we believe a consumer-led enforcement strategy (which doesn't require holding copyrights) empowers users in a fundamental way and is consistent with GPL's original policy goals. As it stands today, we receive regular reports from individuals who request source code for GPL'd devices, only to have companies ignore them — unless and until a copyright holder assists them. We provide that assistance when we can, but realistically we can't commit to provide such assistance for every copyleft violation in the world. Companies (at their peril) rely on the false notion that they need only fear a copyright holders' accusation of copyleft non-compliance. We seek to change these anti-patterns — starting with our lawsuit against Vizio.
The Vizio lawsuit may take years to complete, but we are confident that we'll win this first skirmish. We believe the remedy we seek — that Vizio acknowledge their obligations under relevant copyleft licenses and release the CCS — is reasonable and achievable. While we pursue that remedy, we know that not everyone will have the time or inclination to study every move in this lawsuit. If you don't have the time to do that, we thank you now for the trust you've shown by donating to our organization to support this work. We assure you that we take the public trust of our charitable mission very seriously and will focus this work, including our litigation, to benefit the general public. However, if you have the time and inclination, we again commit ourselves to transparency and updates like this one to explain to you the nuances and important fundamental issues of strategy that inform our every decision in our copyleft enforcement work. We believe in the power of copyleft to bring consumers a meaningful right to software repair, and we believe in upholding that right under the full scrutiny of that same public.
We thank all of you so much for your support of our work, and the many encouraging emails that so many of you have sent us about this Vizio lawsuit. While I always hate to ask for money, I'd be remiss if I didn't note that your donations helped us get to this point, and I ask that you take a moment to become a sustainer during our match donation period, which ends soon.