With all of the recent churning issues such as DVD/Music/IP 'piracy' via 'illegal' software (DeCSS, Napster, cphack); Source Code as Free Speech court decision, possible Melissa/911/etc virii lawsuits/prosecutions, UCITA laws passing, anti-reverse engineering, patents and other sundy lawsuits, the question of how open source programmers can or even should look toward the application of code they write is raised.
Let's create a fictitious example, so as not to harm or point to anyone in particular:
Example:
Johnny_Minor, a fictional script_kiddie
mmap, a fictional piece of software authored by
Larry Ceiling, a fictional open source author
Irrita Bill Gashines, aka IBG, a fictional international company with loads of fictional lawyers, some of them even honest lawyers (hey, I did say fictional)
Now, how does the screwdriver fit in? These days, if you are walking along and are picked up (or even searched) for anything at all (jaywalking?), it's entirely possible for that screwdriver (or pocket knife or whatever) in your back pocket to be called a burglar tool. It's no lock pick, it's just a standard hardware store screwdriver, but in theeyes of the law, it's a tool that can be used for crime.
Now imagine the possiblities of mmap! It's a handy dandy network tool. It slice and dices, it zips, gzips, bzips, and tars. Now how much would you pay for it? But wait folks, it does more... it ftps, telnets, email and ircs. Now how much would you pay? Act now, and we'll throw in a cracklib, a portscanner and an orange peeler. And call in the next 15 minutes and say that Linus sent you and we'll throw in the source code! Act fast, the site will be slashdotted soon!
Johnny_Minor gets hold of mmap, and uses it in a "bad" way on IBG. (yes, we all saw it coming, even as he downloaded it..)
IBG discovers that Johnny has money, or maybe his parents have money, or hey, Larry has money, or maybe Larry's employer has money, or Larry's web provider has money, or maybe http://www.2699.com which provided a link which Johnny followed, etc etc....... (and Yes, with sites getting sued over illegal auctions/links/content, this might well happen one day...) Look at lawsuits with gun makers, tobacco companies, and so on.... As software companies become worth billions, expect more lawsuits....
The questions are: Where does the responsbility lie? In the end user? In the author? In the company? In the victim? (which is _who_?) Does a simple warning that "no warranty is implied" or that "java should not be used in nuclear control center software" enough?
If Larry sees that mmap can be used for 'wrong,' does he have to do anything about it? Does he have to even acknowledge the possiblity of it? If his source code has sections commented, even commented out, or if his CVS has old code that does 'bad things,' can he be held accountable?
Suppose that in one country it's illegal, and another it's legal... but Larry lives in one and Johnny another. It's happened... and the results aren't pretty.
Is the GPL, BSD, or other license enough to make someone held harmless, and where is that line drawn? If the source code is modified at all, are you safe? If source code is free speech, can you write "Hello World, FIRE IN THE THEATER!" so long as you don't compile it?
Making money is no longer an issue, thanks to the DMCA. Thanks to UCITA. Thanks to lawyers and judges who treat screwdrivers like lockpicks and treat software like crowbars.
Even among software professionals, we talk about white hats, black hats, grey hats, not to mention Red Hats.... If someone is a black hat, and released software with seemingly only 'bad' uses, ( BO2K comes to mind) and white hats find it useful, doesn't that seem to say that software is neutral, it's in how it's used that the problem lay?
I'm personally interested because some stuff I'm working on has the potential of being used in infinite ways and I don't want to limit usage or avoid writing code, or any number of 'protective' things just because someone someplace can't figure that hot coffee is really hot. And besides which, one person's illegal activity is another person's fight for freedom. Free Code is Free Speech, but what about countries without either?
I don't claim to have answers, this is meant to be start of what I hope will be an interesting discussion...
Let's get it said right up front: IANAL (I am not a Lawyer) aka IMANAL (I'm being an orifice but I'll say this) should apply to all of us, with the rare exception of lawyers speaking up for themselves.
-- Seth Cohn
[I just know I'll find a typo right after I submit this.... but....here goes]
the companies that lobbied to have the laws written on this digital millenium copyright thing in the u.s. are the ones now doing the suing.
making it illegal for a Computing Science lecturer to use a Blatantly Stupid Security System as an example of How Not To Do It, kids, is now illegal?
'scuse my french, but xxxx that.
It seems to me that most software can be put to illegal use. Certainly, Internet communications software such as email, ftp, nntp etc can all be used to transmit content illegally (whether 'illegally' means breach of copyright, libel, fraud, pornography, etc). The Internet is basically a system for making communication easier, so of course it can be used for illegal communications. So most software is dual use -- it can be used for legal and illegal purposes.
Should people writing open source then not have anything to do with Internet software? Of course not, that would be silly.
The only difference would be is something was only really capable of being used for illegal purposes. But software like Freenet, Napster, or DeCSS have plenty of legal uses, and so should be legal to develop.
As for morality, replace 'legal' with 'moral' and 'illegal' with 'immoral': Freenet etc have plenty of moral uses, so it is morally OK to develop them.
it really doesn't matter much what we think; lawyers live in a strange universe where all words mean different things and all decisions rest on historical precedent and analogy to facts none of us are familliar with.
to be fair to the lawmakers though, I think many of us (programmers) are still not quite able to take the internet and computer systems in general seriously. maybe it's because we still think of computers as the special toys we play with that make us unpopular with the other kids; maybe it's because the most visible people getting rich off the net are incomparable idiots; maybe it's because we've seen how horribly most computers get programmed anyway so we have no respect for existing software; but when someone suggests that computers have any sort of extension in the real world where we all live (most of us voluntarily) under rule of law, then we all cry out in protest that no! no laws shall ever effect the computer! the internet shall forever remain the utopia of my adolescence!
it's a little naive. if computers were still a vague idea in the back of babbage's head, ok maybe. but now, people have sunk significant amounts of their lives, their money, their political will, etc. into computers and the net and to a certain extent that "concretizes" the role computers play, and subsequently concretizes the damage one can do by screwing around with them.
I don't mean to imply that the DMCA or UCITA are good ideas, any more than the completely insane RIP bill is a good idea; but the response I see implicit in a lot of the arguing is the geeks saying "you can't control what people do on the net, it's an anarchy!" and that only works so long as everyone wants it to continue being an anarchy. Increasingly, people don't. If (heaven forbid) someone puts a hospital network online and some script kiddy happens to lay waste to a bunch of embedded linux hosts which just happen to be fibrilators, a lot of people can be pretty non-trivially affected by that.
In a case like that, honestly, a programmer who makes the "nuke-that-embedded-linux-box-3000" netcat/bash script is in a similar position to the morons who make assault weapons. the law does actually prohibit making and selling certain weapons. it's not that the law is a plot to tranquilize the citizenship into an evil one-world government, it's that the damage one idiot can do if they get a hold of the device is simply to great to justify the device's legality.
It really pains me to say it, but I can morally say it makes sense to me to have certain of the programs I could potentially write made illegal in my society by nature of the damage they could do. Which programs, where, when, and how they are banned are issues which the legal system is going to spend the next several years wrestling with. Personally, I don't think you can justify banning cp or perl because they have too many beneficial uses. But I really think it's naive to think that the worst damage you can do anymore is wiping out your own drive.
I'm sorry, but the author of a piece of software has no control over how it is used. That is why they always include a disclaimer. When was the last time you bought a screwdriver and it had a disclaimer?
There are only two parties involved in a damage case. That is the victim and the initiator. The initiator may have used your software, or someone elses software, but he decided to use the software that way. You didn't go to him and even imply that the software could be used that way. It is also the victim's job to prevent that. Now, if the devices had an obvious security hole what the creators knew about, then that's another story.
It all comes does the education. Education the initiator so that (s)he won't do that. Educate the device maker to make sure all bugs are fixed. Educate the victim to prevent things like that.
equally, software doesn't cause malicious damage (turn off the fibrillators), people cause malicious damage.
there are laws in certain countries and states that mandate that guns *must* be carried at all times. Texas, in the U.S., is one such state.
Attempting to pass laws out of a scared-shitless reaction to potential threat is, if you're asking me, futile, counter-productive, reduces threat-awareness and threat-response thresholds, reduces creativity in the development of counter-measures to threats, and generally makes for a much less interesting and much more threat-susceptible world!
It's a bit like getting rid of the common cold: your immune system would have nothing to do. If an accidental cold-virus outbreak occurred twenty years after it was last "eradicated", people would die in droves. From the common cold!
Imagine what would happen, say, if someone suggested that the development of medicine was to be stopped, because Drugs are Dangerous, right, and Drugs are developed by medicinal research.
Certain CDC centres across the world have the *last* remaining samples of very specific plague viruses. Why are they not destroyed? *think*.
A much more effective method to minimise threats is mind-control. It looks like most people think that passing laws is the way to do that (psychological mind-control).
He he, I'm fascinated to hear what people think of *that* idea :)
the central thesis here is that all people, at all times, with all possible combinations of tools, are equally likely and capable of causing trouble as all others.
I think that's plainly nonsense. all you need to do is look at the numbers. people in proximity to a tool which causes damage will, practically by brownian motion, cause damage with that tool.
that's why we regulate nuclear weapons. that's why we regulate harmful chemicals. that's why there's road-worthyness tests and speed limits. that's why it's the CDC and the CDC alone who has copies of smallpox. smallpox is not left in every highschool bio lab. why not? because the probability of someone releasing it increases with the number of ways it's possible for them to release it. it's a simple statistical equation -- break open your stats text if you forgot. this is the same reason why, in canada (shameless plug) we actually have fewer people per capita killed by firearms. because they're more tightly regulated, there are fewer of them just lying around in peoples' housess, so there are fewer ways of someone going about killing people.
why libertarian fanatics can't get this simple bit of discrete math is beyond me. if you want the awesome feeling of personal resposibility for life and death, join the military. if you want to work with deadly viruses, join the CDC. if you want to write software which automatically crashes planes, work for the FAA's internal auditing department. but outside a safe, controlled venue, don't expect the general public to be perfectly safe and reasonable with their decisions.
OB-On-Topic: the reason this debate breaks down into gun-control issues is because nobody actually cares how much financial damage is done to a company's britney spears intellectual property. this fact should be taken separately from the issue of responsibility for the creation of your tools. if you wrote a copy of lynx which had a command line flag that did criminal damage, i.e. it killed someone when you ran it the wrong way, afaik there'd be no question whatsoever in common morality (and the criminal courts) that you had made something you should not have. you are potentially an accomplice through negligence. again though, this mixes up things we by and large don't care much about (civil suits over corporate intellectual property) and things we do (criminal conviction over serious damage).
graydon, I hope you have read The Right to Read that was mentioned in the previous article. I support the BSD copyright, but what you just proposed is exactly what that except covers. You might as well let the government regulate computers because using computers you can steal other people's intelectual property with out any recourse. We might as well go and join the Amish, but oh, wait a minite. The Amish have tools that can be used to kill people such as pitch forks, guess we can't let them have those tools. Hmmmm, people might use glass shards to kill someone so we can't have any houses having windows. The who point of the argument is the fact that legitimate tools are used incorrectly and for illegal purposes.
Luke's point that the same people that made the laws are now taking advantage of them by suing is interesting... Might be a good proof that government is only a way to force some people to do what others want.
The whole question of making software 'illegal' seems to be a matter of lawmakers... Is DeCSS illegal? I propose that it IS our responsiblity as computer professionals (and wannabe professionals) to refuse to allow non-experts to make these decisions for us. And it is to us, while they claim to be doing it for us.
That is, until someone creates a datahaven away from all countries lawmakers. Any IPO rich coder wanna buy a island to start it off with?
Right now, the whole DeCSS whack-a-mole, the proliferation of software like Napster/Gnutella/Freenet etc is a sign that a lot of computer people aren't willing to let data just 'go away' cause some lawmaker someplace tried to censor the whole net. It might be a cliche, but as a whole, the net does tend to route around censorship, and I think it will do so more and more and more.
If (heaven forbid) someone puts a hospital network online and some script kiddy happens to lay waste to a bunch of embedded linux hosts which just happen to be fibrilators, a lot of people can be pretty non-trivially affected by that.
I work in healthcare.
I'm far more concerned about a script kiddy getting into a database.
I'm far more concerned that those embedded linux hosts be stable enough that I could portscan them and NOT crash them by accident.
In a case like that, honestly, a programmer who makes the "nuke-that-embedded-linux-box-3000" netcat/bash script is in a similar position to the morons who make assault weapons.
Then we'll fix that embedded-linux-box. It's a little hard to fix someone who has been shot. I value the programmer who finds a hole: better one who publishes than the one who keeps it quiet and sells 'deadly shell scripts' in secret to 3 letter organizations and immoral people.
</i> It really pains me to say it, but I can morally say it makes sense to me to have certain of the programs I could potentially write made illegal in my society by nature of the damage they could do.</i>
But having uneducated people make that decision is the wrong way to go. And right now, with things like DMCA and UCITA passing, did you read what Maryland had to say about its passage there?
Which programs, where, when, and how they are banned are issues which the legal system is going to spend the next several years wrestling with. Personally, I don't think you can justify banning cp or perl because they have too many beneficial uses.
But maybe that is the point: the LEGAL system isn't the place for that sort of decision. Imagine someone hiring a Johnny Cochrane type who sways a jury with lines like "If the code was strict, you must convict."
I'm sorry, but the author of a piece of software has no control over how it is used.
Tell that to the lawyers who filed a lawsuit against Napster.
Tell that to the lawyers who filed dozens of lawsuits over DeCSS.
Tell that to the lawmakers who prevent encryption export.
When was the last time you bought a screwdriver and it had a disclaimer?
When was the last time you read all the little print on items that told you common sense things, like "Do Not Ingest". Those notices aren't there except for some lawyer who either made them do it, or told them that if they didn't, they would be liable.
nobody actually cares how much financial damage is done to a company's britney spears intellectual property.
That is why I said 'do something bad' to IBG... and didn't specify. Does it matter what is done? Is there some sort of scale?
With things like $100,000 figures being put on a song, and loss of life being worth what? In 1972, it was $200,000. What is it today? $2 million? That's 20 songs worth by some standards.
if you wrote a copy of lynx which had a command line flag that did criminal damage
If reverse engineering is made illegal, made criminal, then a single flag might become just that. If saving a streamed mp3 into a non-protected form is illegal (and some might say it is - see the RealNetworks vs Streambox lawsuit), then lynx can almost do that now, and it would be a simple patch to add it.
The test that the courts will apply -- in my not entirely inexpert opinion -- is whether the software was intended to be used to a criminal end, and whether the software has legitimate noncriminal uses.
Guns are legal because the gun manufacturers have no (obvious) intent that their guns are to be used for illegal purposes, and because guns have a legitimate noncriminal use (self-defense). If a gun passes this test, certainly something like Perl will. Perl is the software analog of a Swiss army knife: no criminal purpose is intended, and a huge supply of legitimate noncriminal uses exists.
It is extremely unlikely that a software programmer will face criminal liability for anything other than programs which on their face are designed to be used to perpetrate crimes. Examples of this would be credit card number generators, software specifically designed to facilitate system intrusion, and software specifically designed to defeat copyright licensing systems (which is a criminal offense under the DMCA). Note that the existence of a significant noncriminal use for the software will negate the issue. Most tools which can be used to a criminal end (e.g., nmap) have significant noncriminal uses.
The issue of manufacturer liability for tools which have criminal uses has been effectively settled through litigation against gun manufacturers. Despite several efforts to prosecute gun manufacturers, nothing has been made to stick: it is legal to manufacture guns, and gun manufacturers are not liable for the crimes committed by those who buy them. (There are noises that gun manufacturers may yet be held liable for negligence in the sale and distribution of firearms. However, I can't see this as a likely development in software, at least not until the government requires software distributors to be licensed.) The fact that gun manufacturers have knowledge of a significant risk that their products will be used for criminal ends is not enough to impose liability.
Someone raised the issue of the UCITA earlier. UCITA is one of the biggest Chicken Littles I've seen in the free software community. Even under UCITA, the only liability that can be imposed is the same manufacturer liability that people have tried to stick to gunmakers -- which, as mentioned above, doesn't work. In negligence, no liability attaches to an actor -- even if otherwise negligent -- when the damages are attributable to a supravening cause. One case I read on this a while back involved a tanker car which exploded due to a deliberate arson by a third party. Despite the fact that the transportation of flammables is a ultrahazardous activity to which strict liability attaches as a matter of law, the tanker car company was held not liable because the arson (a criminal act and an intentional tort) constituted a supravening cause, and all liability for the damages resulting therefrom attaches to the arsonist. I can't imagine that a software author whose works are used by a criminal third party to tortious ends to be held liable, either criminally or civilly, unless the parties were somehow acting in concert, or the damages occured as a result of the failure of the software to operated as promised by the author, where the software was used in the manner intended by the author or in circumstances which the author could reasonably expect it to be used.
In my opinion, therefore, people who write software for legitimate, noncriminal ends have no reasonable worry of being sued as a result of that software being used for criminal purposes. The only people who stand to be sued are those who deliberately flaunt the law -- as DeCSS arguably does. And, of course, those who write buggy software and fail to disclaim warranty, but that's a different story.
kelly put it more verbosely than I could have, having no legal background, but of course we're not talking about richard stallman's "right to read" article. if there's a legitimate use, then you don't have liability. the copyright laws (that make it a greater crime to distribute albums than to kill people) are horrendous, yet orthogonal issues to the issue of responsibility for publishing software which is not designed to contravene laws.
what I question is the reasoning people propose for establishing legitimacy of the intended use. I think that there's reason to believe that the napster authors intended napster be used to facilitate exchange of unauthorized MP3s, and that the tribe flood network authors intended that it be used to hose large networks.
now, my personal intrest in these cases is essentially nil, since I don't personally care if the companies damaged by TFN or napster go bankrupt tomorrow. but if a similar program was used to poison my water supply or disable the local nuclear reactors, I'd be rightly pissed off. and I would expect any reasonable judge/jury to examine the program and check to see exactly how it was used. if the program has a command line switch --shut-down-nuclear-plant, then I feel that the author of the program has some pretty serious explaining to do.
I mean, am I the only person who lives in a country with laws? the right to free speech does not universally extend to the right to have all your speech-related activities go unregulated no matter how harmful they are. why don't you leap to the defense of spies who, by speaking a few key names and places, facilitate wars? why don't you leap to the defense of money launderers, who are simply trying to erase some information? or, if I break into a bank computer and try to steal all the money from people's accounts, why, aren't I just exercizing my freedom to speak to a computer? it's not my responsibility if that computer happens to control money... people don't control banks, computers do!
the problem (restated, from first response to this topic) is that most of us refuse to grow up and take even a minute out of our days to consider how our software will be run. we refuse to document it, refuse to debug it, refuse to support it, and most certainly will not be held accountable for it when it crashes, destroys property, or commits crimes. we loathe the notion of being held accountable for software because it is a deep cultural belief, supported by both our community and our employers, that we (programmers and software companies in general) must act like fast-shootin' cowboys, adapting to any situation with grace and in reward, living free and irresponsible. in any other industry, a worker with this sort of attitude would be fired.
what I think is happening is that the legal system, as well as the rest of society as a whole, is getting sick of this image and demanding some responsibility. the software industry senses this frustration, and is trying to pass UCITA for precisely this reason.
Graydon's point is valid. Most of you here are probably too young to readily remember when New Jersey proposed to require licensure of software engineers. This is not all that outlandish: civil engineers are subject to licensure in most if not all states. The proposal did not go through, but if software authors continue to be as reckless and carefree as they have in the past, it is a matter of time before governments step in and enforce discipline in the interest of protecting public interest. Don't count on the software industry to balk such schemes (as it did before): every other industry has a vested interest in having working software, or in the lieu of working software someone to sue when the software breaks.
If I was running a major e-commerce site (like, say, eBay or E*TRADE) I'd insist on a warranty from the manufacturer of the software I used that made them liable for lost profits in the event their software failed. Such a business utterly depends on the software working. An alternative is insurance, and I imagine the big e-commerce sites do either carry "software insurance", or else have negotiated deals with their software providers.
While Graydon is right that much of this is cultural, there is another contributing factor: the Microsoft monopoly. Microsoft's virtually complete market dominance has allowed it to dictate terms, including its waivers of liability. I assure you, VAX/VMS did not disclaim all liability, nor did most other large software systems sold in the days when there was a competitive market for software. Microsoft's dominance has allowed it to make "This software may kill your cat, and we don't care" an industry standard.
It's probably a matter of time before we start seeing mandatory warrantees on software just as there are mandatory warrantees on many other classes of product.
It's probably a matter of time before we start seeing mandatory warrantees on software just as there are mandatory warrantees on many other classes of product.
Seems to be some conflict within the GPL itself with that. Yes you can add a warranty to the software:
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
But you also cannot be forced to change the license or rights, and a key phrase of the GPL is NO WARRANTY. i.e. You cannot force me to warranty a GPL program. If you try, you lose the right to license or distribute it at all. Thus, according the GPL, required warranty means you cannot have the program at all.
Yes, it also says:
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
But that law might force me to warranty in which case, I can't give you the program at all.
This might be interesting if some form of UCITA requires warrantees. Similar to porn, vendors might be forced to ask location and refuse to sell due to local community laws and standards. "Hello, Red Hat. No sir, I'm sorry, we can't sell to you if you live in Maryland."
Note that Corel did something similar with Corel Linux downloads requiring you be 18, and I seem to recall RMS saying that was ok to do, since it was a legal requirement to enforce a contract (anyone recall the specifics there?)
There really is no conflict with the GPL: a license or contract term in contravention of public policy is void.
Note that the GPL says "to the extent permitted by appropriate law". If appropriate law refuses to allow you to disclaim warrantees, then the license does not act as a disclaimer of them. The GPL warranty disclaimer is NOT a part of the license; it's there to protect the author from liability lawsuits. Whether this works or not is not clear, although under the UCITA it is more likely that a disclaimer of the sort which is in the GPL will in fact work.
The law CAN force you to do things that the license does not force you to do. No license is superior to the law; the law takes priority over and determines the interpretation of licenses and contracts.
It occurs to me that sethcohn probably don't understand exactly what the GPL does. Most people don't, it's not at all obvious at times to those not trained in the law.
"Luke's point that the same people that made the laws are now taking advantage of them by suing is interesting... Might be a good proof that government is only a way to force some people to do what others want. "
Sethcon, it's not the government's fault (U.S., in this case). They rely heavily on specialists to tell them what's at stake (having no clue about the topic, themselves), and those specialists either did not come forward to get this [particular] law thrown out or were not approached.
I worked for Internet Security Systems. It was sufficiently ludicrous for us to be unable to work on identifying software that is a serious security risk ,just because someone wants to hide behind copyright protection, that a specialist with an invested interest in ISS lobbied to have a clause added to allow "Security companies and Anti-Virus companies" to do reverse-engineering for "Security Evaluation" purposes.
I wouldn't complain about commercial software to be developed by licensed developers. The problem I have is the fact that myself as a hobbiest (though I have done programming for work) doesn't have the monies to warantee a piece of software I give away for free. Now if a company said I'd like a bug free version of your Fibonacci Heap code, I'd say, sure, just give me $25,000 plus 5% of the roalties of your software and I'll give you a version that is bug free in two weeks. The whole point is the free software developers are contributing their time for free. As soon as you inact laws that require a person be responsible for their software, the software industry will shrink to about 5% of what it is today because many people will stop producing software. There will then be an underground of software which is even worse than the currently unregulated software industry.
As soon as free software starts costing money to develop, projects like Advogato will dry up and disappear. It's just a bad idea.
I have no problems with adding expenses to developing commercial software such as requiring licensed programmers. I actually think that this would be benifical. Then we won't have as many problems with programs like Windows. There are way to many bad programmers out there in the world. Some projects are better weeding out bad developers than others.
New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.
Keep up with the latest Advogato features by reading the Advogato status blog.
If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!
del.icio.us
Digg
Google bookmark
reddit
Simpy
StumbleUpon
Furl
Newsvine
Technorati
Tailrank