[The following is the first draft of an essay assignment for my Law & IT class on the threat of SaaS (Software as a Service) and cloud computing to open source licensing models like the GPL. The given title was “The only major threat to open source software license models like the GPL is the spread of ‘cloud computing’ and Software as a Service (SaaS) business models.” Please criticise, and please let me know if I’ve missed a relevant example. You can also download the report as a PDF.]
Cloud computing, the latest computing paradigm, is a topic of particular importance for advocates of open source software license models such as the Free Software Foundation’s GNU General Public License. As cloud computing continues to grow in popularity, the open source community must determine what risk, if any, the paradigm poses and how the movement should respond. As cloud computing may endanger the open source movement through a loophole found in almost all open source licenses, it is critical to estimate the possible damage this may cause and how best to close the loophole. If cloud computing truly encapsulates one of the largest changes to the computing industry for some time, then it will be critical for open source organisations to react accordingly.
In this paper, I will introduce both cloud computing and open source software, including the relevant caselaw, describe the proposed and actualised reactions of the open source community, namely the FSF’s Affero GPL license, and discuss what the continued uptake of cloud computing is likely to mean for the future of open source.
Cloud computing is, fittingly, a nebulously defined concept, primarily focusing around location-independent computing, where servers provide software, data and computational resources to other networked computers on demand. At its heart is so-called “Utility Computing”, a paradigm that treats computational power as a generic utility to be used, much like water or electricity. Like these more commonplace utilities, all of the work is done at a centralised processing station; as electricity is managed and produced at a power plant, so too is computing power produced in a collection of computer servers called a data centre. This concept of utility computing has been around since 1966, but only recently has it become a mainstream phenomenon.
Cloud computing has multiple layers, according to the level of access that is provided: Infastructure as a Service, Platform as a Service, and Software as a Service. The lowest level, Infrastructure as a Service or IaaS, provides rather direct access to these machines, allowing users to implement whichever platforms and applications they wish. The next one up is Platform as a Service, PaaS, which provides common software (such as the open source LAMP stack, which provides Linux, the Apache web server, the MySQL database software, and PHP, a web programming language) upon which applications can be written. Perhaps most common is the highest level, Software as a Service or SaaS. In this model, complete user-ready software running on the server is made available, typically through a web browser, to users. Probably the best known example of SaaS is Google’s online office application Google Docs.
The Cloud Computing Manifesto details the advantages, challenges, and goals of the cloud computing movement, and serves as a good indicator of the ideal cloud computing system of the future, extolling the virtues of open standards and potentially the use of open source software.
Open Source Software
Many of the software components of common Cloud computing platforms are open source programs. These programs are so named because their software licenses require that their source code, the human readable ingredients of the program, are distributed with the program and all derivatives thereof. This allows wide communities of developers to work together to improve these pieces of software, in contrast with closed source software where a single owner of the software is the only contributor.
While it is difficult to estimate how much of the world’s code is open source, it is widely known that open source software are well used in the software industry; the Apache web server represents upwards of 70% of the market, while the web browser Firefox holds 30% of the web browser market. 60% of web servers also run a version of the open source Linux operating system, although less than 5% of desktop computers run Linux. Each of these pieces of software is licensed with a different open source license.
While there are a multitude of open source licenses available, very few are widely used. One of the most popular open source licenses is the GNU Public License or GPL, produced by the Free Software Foundation and principally written by free software advocate and Free Software Foundation founder Richard Stallman.
The major point of the license is its “copyleft” provision, which to ensure that to ensure the source code remains open, strictly controls the distribution of derivative works. It requires that the license cannot be changed or removed, e.g. in a case where the derivative work is made closed source, or the work cannot be distributed.
Using normal copyright law to enforce this behavior has made the license very powerful, so much so that Microsoft CEO Steve Ballmer remarked in 2001 that the license made Linux “a cancer that attaches itself in an intellectual property sense to everything it touches.” This license is attached to an estimated 66% of all open source projects, and has allowed the open source community to develop software that in many cases rivals the functionality of closed source alternatives without fear that this software would then be used in a closed source program.
Open Source Caselaw
As the GPL is the license of choice for the most open source projects, it has seen the most tests in court. In all cases, in the United States, Germany and elsewhere, the GPL has found to be legally enforceable, resulting in a number of cases in which companies who have incorporated open source software into their own closed source implementations have been forced to stop distribution of their software until they release their source code and therefore become compliant with the terms of the GPL license.
In Germany, “a series of court decisions… has held the General Public License (GPL) enforceable, including its prohibition on commercial exploitation of Open Source Software (OSS).”
The first of these was tried in Munich Regional Court in 2004 between a German corporation that produced routers, and Linux software developer Harald Welte. The defendant used GPL protected software in routers that were later offered for sale in Germany, without releasing the source code or reproducing the GPL license. The court held that “…the distribution of the software without complying with the conditions of the GPL constitutes an infringement of copyright leading to a claim for injunctive relief.”
After the case, Harald Welte founded gpl-violations.org, an organisation dedicated to “raising public awareness of the infriging use of free software” and legally pressure companies to cease violating the GPL. One of the most interesting cases came in 2008, when Welte filed against Skype for distributing a phone that used GPL code without abiding by the terms of the license. After Skype lost in a lower court in 2007 and appealed, the Munich Regional Court indicated that any further actions would be likely to lead to a Skype loss, and Skype decided to withdraw its appeal.
While these and other decisions were based on contract law, rather than copyright law, in each case the defendants were forced to stop distributing their software until they complied with the GPL by releasing their source code.
While these cases was initially lauded as an open source victory, open source licenses like the GPL are very complex and proving violations is difficult; this is further compounded by the fact that so few cases, particularly in the U.S., have actually been ruled on by the court. While many companies immediately decide to yield when faced with the threat of legal action, lacking many tried cases has left supporters of the GPL and other open source licenses in a suboptimal position, even though they have never lost a case.
Cloud Computing and Open Source
With the development of GPL version 3 in late 2005, the GPL had a very strong history behind it. The new version was intended to provide increased protections for specific issues that had been small annoyances for the Free Software Foundation, specifically “software patents,compatibility with other licenses, the definition… of source code, and dealing with Digital Restrictions Management”, i.e. hardware restrictions on software modification. The cloud computing revolution had not yet taken off.
Just a year later, as the GPLv3 remained in the draft stages, two major events in what would become cloud computing took place: First, Google acquired Upstartly, a four person software house that produced the collaborative online Office suite called Writely. This acquisition soon blossomed into what is perhaps the most widely used SaaS product, Google Docs. Secondly, Amazon announced its Amazon Web Services, allowing anyone to use their computing power on demand, and really kicked off the cloud computing trend.
These events worried the Free Software Foundation, as due to a legal loophole software run on the cloud was not pursuant to the GPL. As the GPL only applies when the protected code is distributed further, just using or running the code does not trigger the license; likewise, modifying a GPL protected program for private use is completely permissible. While this wasn’t of concern when the GPL version 2, the most common version of the GPL, was drafted in 2001, this loophole meant that any power the Free Software Foundation had to prevent open source code from being used in closed source applications could not be brought to bear.
Tim O’Reilly, the founder of O’Reilly Media, a company that publishes a popular series of computer user manuals and noted open source advocate, had this to say:
“all of the killer apps of the Internet era… run on Linux or FreeBSD, but they’re not apps in the way that people have traditionally thought of… one of the fundamental premises of open source is that the licenses are all conditioned on the act of software distribution, and once you’re no longer distributing an application, none of the licenses mean squat.”
The Open Source Response
Clearly, the GPL license was in trouble – if the cloud computing paradigm became the dominant form of software, changes and improvements to open source software could be hidden away in technically private modifications and run on the cloud. The FSF’s answer came in the form of the Affero General Public License (more commonly known as the Affero GPL or AGPL) version 3.
This license is nearly identical to GPL version 3, save for one additional provision, section 13:
“if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software.”
While the Free Software Foundation did provide a method of tying the two licenses (AGPL and GPL) together, they stopped short of merely including the relevant clause into the GPLv3 proper, as its inclusion could have prevented adoption of the new version, which contained other important provisions they wanted to ensure were included. Eben Moglen, counsel to the Free Software Foundation, reportedly said that “if Google starts getting too parasitic, then we’ll re-evaluate” having Affero as a separate license.
Chris diBona, Google’s manager of open source programs, was interviewed soon afterward about Google’s potentially parasitic perception:
“I think it is a largely incorrect perception… Google is releasing every year, not counting Android or the really large open-source projects like GWT, a new project every two or three weeks… patching hundreds of projects a month.”
Given these industry pressures, the Free Software Foundation’s final wording, found on the GPL website, is not particularly strong:
“We recommend that people consider using the GNU AGPL for any software which will commonly be run over a network.”
Unfortunately for the Free Software Foundation and other open source advocates worried about cloud computing’s effect on open source, cloud computing has become the new paradigm of choice for many software organisations, with Amazon and Google leading the way; Microsoft, Oracle, HP and many others also have cloud computing branded programs, and the movement receiving mainstream media coverage.
In other daunting news, uptake of the Affero General Public License has been incredibly slow, with only 706 of the 260,000 open source projects listed on project directory SourceForge having an AGPL license, and none have more than 5000 downloads a week. This is an incredibly low number for a Free Software Foundation backed license compared to the 109,000 open source projects licensed under the GPL on SourceForge.
Perhaps some of the reason for this incredibly low adoption rate can be traced back to the Free Software Foundation itself – on its page “Why the Affero GPL”, it states:
“One problem which the GNU Affero FPL does not address is the problem of Software as a Service (SaaS). It is impossible, as far as we know, to address this problem with a software license.”
This seems to be a case of the Free Software Foundation’s idealism overcoming its practical considerations. Instead of providing a license and supporting it to the fullest, the FSF have given a license with one hand but cried out against the whole SaaS paradigm with the other.
The “Why the Affero GPL” page links to a Richard Stallman article entitled “Who does that server really serve?” The article is an attack on SaaS cloud computing on moral grounds, arguing that “SaaS is equivalent to total spyware and a gaping wide back door, and gives the server operator unjust power over the user. We can’t accept that.” It goes on to recommend that users “don’t trust a server run by a company” and that peer-to-peer replacements for web applications should be developed. While Stallman’s motivations may be pure, his advice is incredibly impractical and merely serves to underscore the lack of practical guidance the FSF has issued on the topic.
Open Source Cloud Computing Today
While the Affero license has suffered, open source cloud computing software protected by standard licenses have continued to develop, although generally in the realms of Infrastructure as a Service and Platform as a Service rather than Software as a Service (SaaS). Many of the biggest programs in use by cloud computing leaders like Amazon and Google have open source equivalents, such as the MapReduce equivalent Hadoop and Amazon’s EC2 equivalent OpenStack. While these open source implementations have proved popular, the lack of access to the source code of industry leaders like Amazon and Google caused by failure to adopt the AGPL has no doubt hindered the technical progression of the paradigm as a whole.
One open source Software as a Service success story of note has been SugarCRM, a customer relationship management package. Like closed source equivalent Salesforce.com, SugarCRM provides a common interface for businesses to manage business processes such as sales, marketing and customer service.
SugarCRM’s strategy has been to allow its users to freely modify its source code in order to achieve speedier development cycles and tap into the community aspect of open source. While it was originally released under the GPLv3 license, it has since changed to become one of the only well-known adopters of the maligned Affero GPL license.
SugarCRM’s success has shown that even though open source projects have suffered from a lack of a strong, well-supported licensing option, open source solutions can still find a place in the SaaS environment. Marc Osofsky of Optoros enumerated the disadvantages of closed source SaaS, namely limited customisation, vendor lock-in and long release cycles, and the advantages of open source SaaS:
“Unique experiences are the strength of open source with direct access to the code. No lock-in, customers can shift the hosting of the system at will and they control the code if they wish to modigy or migrate it, and short release cycles; open source projects are focused on creating powerful new releases…”
For open source software to weather the threat of SaaS, open source projects must embrace these strengths. Given the poor uptake of the Affero GPL license, particularly by industry giants Google and Amazon, it is more critical than ever that the few open source projects that are protected by the license flourish and continue to provide viable alternatives to closed source software. If enough succeed, the license will reach a tipping point and once that occurs the open source software movement as a whole will be in the same position as it was before the massive uptake of cloud computing paradigms in 2006.
While initiatives from organisations like the Open Cloud Manifesto have been steps in the right direction, more open source advocates need to focus their attention on the cloud computing space, as it seems to be the major growth area for computing at the moment, and victory here could provide the open source movement with a solid foundation for the continued development of computing paradigms, whether that be cloud computing or not.