Dependencies: Both Technological And Human, On Display In The Story Of A Developer Who Deleted Code Being Used By ICE

from the our-interconnected-world dept

Three years ago, we had a pretty fascinating story about how a developer, after getting an ambiguously threatening note from a company about how a bit of his code might violate the trademark of another company, deleted all of his code from NPM (Node Package Manager), a key repository for node.js code. One of the bits that the developer deleted (totally unrelated to the potential trademark dispute) was simple code that tons of websites relied on -- leading many of them to break in response. The story raised all sorts of interesting questions not just about trademark, but namespaces, who controls code, dependencies, and much more. Indeed, the story was so interesting to me that I (very loosely) used it as inspiration for a science fiction story I recently wrote that will be released very soon (more on that very soon as well!)

Having been thinking a lot about all of that lately thanks to the story I was working on, I was surprised to see a similar situation pop up last week, with slightly different issues. This one involved an IT automation company, Chef, that helps lots of organizations better manage the configuration of various physical and virtual servers. The story kicked off with some controversy as someone noticed that Chef had signed a contract with ICE. Lots of people got (reasonably) angry about this, following on a pattern that has been playing out in the tech sector over the last few years.

Chef's CEO put out a pretty lame email and blog post, basically saying "but we signed this deal under the previous administration," which (among other things) fails to recognize that ICE was pretty fucking terrible during the previous administration as well.

But here's where the story gets a lot more interesting. A former Chef employee named Seth Vargo, who had created a bit of open source software called Chef Sugar, got quite reasonably upset to learn that ICE was using his code to more efficiently detain children.

"I was having trouble sleeping at night knowing that software—code that I personally authored—was being sold to and used by such a vile organization," he told Motherboard in an online chat. "I could not be complicit in enabling what I consider to be acts of evil and violations of our most basic human rights."

Vargo asked the company to explain this (prior to that awful blog post mentioned above) and then, after a few days went by without a response, took down his code from two key repositories: Github and RubyGems. As he wrote:

I have removed my code from the Chef ecosystem. I have a moral and ethical obligation to prevent my source from being used for evil.

Of course, because no one has learned anything, multiple other systems depended on that code being in those repositories, and those systems started breaking as well. Even more fascinating, some of the people who this caused problems for still supported Vargo's decision:

props to the Google Engineer who yanked code from Chef for working with ICE. You've made my job harder today, but I really don't mind.

— marea rosa (@smrt_fasizmu) September 19, 2019

This certainly started getting much wider attention -- leading Chef's CEO to issue an update on Friday, which first seemed to unnecessarily attack Vargo:

On Thursday, September 19th an action was performed by a trusted community member in violation of the standards of open source software (OSS) development. The individual yanked several RubyGems that they authored while employed by Chef. In order to remove the gems, they first removed the other owners and took unilateral action to yank the gems, violating established processes for making OSS changes and improperly removing property which Chef owned. This ownership has been established through the Github history of commits, licenses, etc. The individual did not have Chef’s permission to remove these items from the RubyGems site.

So, obviously, some may point out that since Vargo's work was initially done on Chef's dime as an employee, he has less ground to stand on. But, again, as an act of protest, it's pretty fascinating.

Also, it turned out to be incredibly effective. By Monday, Chef had completely reversed its position and said that it would not renew its work with ICE:

As many of you know, we began our work with the U.S. Government in earnest in 2014 and 2015. This included DHS and its various departments under a different set of circumstances than exists today. The overarching goal was to help them modernize their computing infrastructure and create a cooperative community of IT professionals inside the government that could share practices and approaches in a similar way to many open source communities. Policies such as family separation and detention did not yet exist.

While I and others privately opposed this and various other related policies, we did not take a position despite the recommendation of many of our employees. I apologize for this. I had hoped that traditional political checks and balances would provide remedy and that our relationship with our various government customers could avoid getting intermingled with these policies. However, it is clear that checks and balances have not provided relief to the fundamental issues of the policies in question. Chef, as well as other companies, can take stronger positions against these policies that violate basic human rights. Over the past year, many of our employees have constructively advocated for a change in our position, and I want to thank them.

After deep introspection and dialog within Chef, we will not renew our current contracts with ICE and CBP when they expire over the next year. Chef will fulfill our full obligations under the current contracts.

The company also promised to donate the equivalent revenue that it had received from the contracts to charities helping people impacted by ICE's family separation policy.

This whole story is quite interesting on multiple levels. Seeing tech workers recognize that they have some moral stake in how tech they develop is used is quite amazing -- especially given the exaggerated (and incorrect) stereotype that Silicon Valley never cares or thinks through these things. That's never been true, but it's especially interesting to see people taking some element of ownership over how what they've developed is eventually used. Second, it's another interesting example of how interdependence on code hosted elsewhere is creating a somewhat fragile web in certain places. I'm almost surprised that we haven't seen this as an attack vector -- gaining control over repositories and doing something with them that impacts lots of other services.

Either way, it's a representation of how interconnected the entire world is -- at both a technological and human level.

Filed Under: code, dependencies, ice, open source, seth vargo
Companies: chef

Do Citizens Have A Right To See The Algorithms Used By Publicly-Funded Software?

from the public-money-means-public-code dept

In 2009, the Spanish government brought in a law requiring electricity bill subsidies for some five million poor households in the country. The so-called Bono Social de Electricidad, or BOSCO, was not popular with energy companies, which fought against it in the courts. Following a 2016 ruling, the Spanish authorities introduced new, more restrictive regulations for BOSCO, and potential beneficiaries had to re-register by 31 December 2018. In the end, around 1.5 million households were approved, almost a million fewer than the 2.4 million who had benefited from the previous scheme, and a long way from the estimated 4.5 million who fulfilled the criteria to receive the bonus.

The process of applying for the subsidy was complicated, so a non-profit organization monitoring public authorities, Civio, worked with the National Commission on Markets and Competition to produce an easy-to-use Web page that allowed people to check their eligibility for BOSCO. Because of discrepancies between what the Civio service predicted, and what the Spanish government actually decided, Civio asked to see the source code for the algorithm that was being used to determine eligibility. The idea was to find out how the official algorithm worked so that the Web site could be tweaked to give the same results. As Civio wrote in a blog post, that didn't go so well:

Unfortunately both the government and the Council of Transparency and Good Governance denied Civio access to the code by arguing that sharing it would incur in a copyright violation. However, according to the Spanish Transparency Law and the regulation of intellectual property, work carried out in public administrations is not subjected to copyright.

Civio was not the only one to have problems finding out why details of the algorithm could not be released. The non-profit research and advocacy organization AlgorithmWatch also asked several times exactly whose copyright would be violated if the source code of the governmental BOSCO software were shared, but without success. The fact that code, apparently public-funded and thus not subject to copyright, is nonetheless being withheld for reasons of copyright, is one unsatisfactory feature of the BOSCO saga. Another is that secret government algorithms are being used to make important decisions about citizens. As Civio says:

"Being ruled through secret source code or algorithms should never be allowed in a democratic country under the rule of law," highlights Javier de la Cueva, Civio's lawyer and trustee, in the lawsuit. "The current interpretation of the law by the [Council of Transparency and Good Governance] will allow public administration to develop algorithms hidden from public scrutiny," he warns. For this reason, we appealed the refusal of the Transparency Council before court.

There is another issue beyond the lack of transparency of governmental algorithms that impact people's lives. Supporters of open access rightly point out that it is only fair for the public to have free access to academic research they have paid for. Similarly, it seems only fair for the public to have free access to the source code of software written and used by the government, since they have paid for that too. Or as a site created by the Free Software Foundation Europe on precisely this issue puts it: "If it is public money, it should be public code as well".

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: bosco, open source, publicly funded software, source code, spain

Open Source Makes Kodi Add-ons Proliferate -- And Hard To Eradicate

from the welcome-to-the-hydra-effect dept

As Techdirt noted a year ago, the entertainment industry has been trying to convince the authorities around the world that "fully-loaded" Kodi boxes, which allow the viewing of unauthorized video streams, are the devil's spawn, and must be eradicated. That obsession has led to efforts to stop even vanilla Kodi boxes being promoted and sold, despite the fact that the open source software they run is perfectly legal. TorrentFreak has a report about the latest salvo in this war on Kodi, and its interesting consequences.

It concerns a third-party Kodi add-on called "Exodus", which, like many others, allowed unauthorized streaming videos to be viewed with little effort. The excellent design and resulting popularity of Exodus meant that it was soon targeted by copyright companies. The pressure worked, and the development of the add-on was halted, leaving millions of happy users somewhat less happy. But Exodus had an important hidden feature: it was released under an open source license. That meant that anyone could pick up the code and continue its development independently of the original, without needing to ask permission from anyone. As TorrentFreak points out, that is precisely what has happened, and on a surprisingly large scale. The TVAddons site recently published an article that discusses 12 forks of Exodus, which is only part of the Exodus ecosystem: "Too many Exodus forks are out there to investigate them all."

This "hydra" effect -- chop off one head, and two grow in its place -- makes eliminating open-source add-ons for Kodi extremely difficult. Although individual developers may be persuaded to stop working on a particular fork, the code is still out there, and can easily be maintained and improved by others. Since the latter can be anywhere in the world, that makes shutting them down even harder. However, TorrentFreak rightly notes that this doesn't mean that the efforts of the copyright companies are entirely in vain:

the continued efforts from rightsholders to shut down these add-ons may have a more subtle effect. While hardcore pirates will always find a new fork, there's also a group of people who will get frustrated by the repeated shutdowns, and give up eventually.

That's certainly true, but it's not an insurmountable problem. For example, it would be straightforward for developers to create a common standard for key aspects of their add-ons that would allow simple switching between them. That way, once one add-on was shut down, non-technical users could migrate easily to new ones, perhaps even automatically. When the code is open source, there is no problem with proprietary rights being asserted over programming modules or configuration files -- another reason why developers may decide to adopt it when writing Kodi add-ons.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: add-ons, exodus, hydra, kodi, open source

Free Software Foundation Europe Comes To Its Senses After Calling For EU To Fund Open Source Upload Filters

from the producing-better-shackles dept

Most EU digital rights groups are still reeling from the approval of the EU Copyright Directive and its deeply-flawed idea of upload filters, which will seriously harm the way the Internet operates in the region and beyond. Matters are made even worse by the fact that some MEPs claim they blundered when they voted -- enough of them that Article 13 might have been removed from the legislation had they voted as they intended.

But one organization quick off the mark in its response was the Free Software Foundation Europe (FSFE), the local offshoot of the main Free Software Foundation. Shortly after the EU vote, it issued a press release entitled "Copyright Directive -- EU safeguards Free Software at the last minute". This refers to a campaign spear-headed by the FSFE and Open Forum Europe called "Save Code Share" that sought successfully to exclude open source software sharing from Article 13. As the press release said:

We are glad we were able to raise awareness and understanding of what drives software development in Europe nowadays among many policy makers. The exclusion of Free Software code hosting and sharing providers from this directive is crucial to keep Free Software development in Europe healthy, solid and alive.

It went on to say:

As upload filters are now introduced, we urge the European Commission to avoid filtering monopolies by companies this directive actually intended to regulate.

That is, indeed, a real threat: Google has spent over $100 million developing its Content ID filtering system for YouTube. Few other companies will be able to match that. Rather ironically, Article 13 may end up giving Google a near-monopoly over large parts of the upload filtering market. Here’s how the FSFE proposed to tackle that problem:

We call on the European Commission to promote the dissemination of Free Software filter technologies, including financial support, for instance within the framework of research programmes Horizon2020 and Horizon Europe.

Perhaps the FSFE was so keen to promote free software everywhere that it didn't really think this through. Anyway, a couple of days later, the FSFE came to its senses, and deleted the call for "Free Software filter technologies", and half-apologized:

The original version of this press release urged the European Commission to act to avoid filtering-monopolies, but our description of our position on filters was unclear and incomplete. The FSFE is not, and has never been, in favour of developing "fundamentally flawed filtering technologies". The FSFE has been fighting against upload filters since the beginning, e.g., as a signatory of Copyright for Creativity or Create Refresh, and joined more than 80 organisations asking the EU member states to reject the harmful Article 13 (now, Art. 17). The FSFE will support solutions to preserve users' right to be in control of technology and ethical standards for service operators.

That's more like it: the correct response to the authorities making shackles compulsory is not to try to make better shackles, but to point out how bad any kind of shackle is. The FSFE now seems to agree unequivocally.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: copyright, eu, eu copyright directive, filters, free software, open source
Companies: fsfe

Red Hat Hysteria: Aren't We Past The Point Of Being Surprised That 'Free' Is A Part Of The Business Model?

from the seriuosly? dept

As you have likely heard by now, a few days ago, IBM announced that it was purchasing Red Hat for $34 billion. I've seen a fair bit of hand-wringing over this buyout, but don't really feel that strongly one way or the other about it. It was nice having a giant company like Red Hat to point to in explaining how of course open source software could be a big business, but... that still exists within the confines of IBM.

There could be some concerns on the patent side, as Red Hat at least has long positioned itself as a fighter against patent trolls, though in practice the company has sometimes been a bit wishy washy on that, and some have accused the company of selling out its vision on patents in the past. Of course, since Red Hat is a founding member of the License On Transfer (LOT) network, that at least should prevent any of its existing patents from getting out to patent trolling entities. Still, IBM has, for decades, had the reputation of being a very aggressive patent litigator, and has at least some history of trolling and bad practices. But, IBM has long embraced open source, and its announcement pledges to uphold Red Hat's various other commitments towards open source and against patent trolling: "IBM and Red Hat will remain committed to the continued freedom of open source, via such efforts as Patent Promise, GPL Cooperation Commitment, the Open Invention Network and the LOT Network."

However, what struck me most about the deal was't so much the deal itself, but some of the coverage of it. I'll use Wired as the unfortunate example of the kind of coverage I find bizarre (especially for a publication like Wired). Here's how it opens:

IBM JUST SPENT $34 billion to buy a software company that gives away its primary product for free.

IBM Sunday said it would acquire Red Hat, best known for its Red Hat Enterprise Linux operating system. Red Hat is an open source software company that gives away the source code for its core products. That means anyone can download them for free. And many do. Oracle even uses Red Hat’s source code for its own Oracle Linux product.

Spending billions to acquire an open source software company might seem strange.

Come on, Wired. It's 2018. Are we really still in an age where the idea that companies use "free" as part of their business model is somehow shocking or confusing to people? At this point, the idea that you can use free software to sell all sorts of other things, such as services, is pretty damn well established, and it's insulting to act like it's a huge shock that a business could possibly exist while giving away free software.

Just the fact that Red Hat has been so successful for so many years should have put the idea that "free" can't be a part of the business model to rest. Hell, IBM itself is another example of that, as it has invested heavily in open source software and made money by selling services as well. Perhaps Wired thinks very little of its readership, but to frame it as somehow surprising or confusing that a company that has open source software could somehow be worth so many billions of dollars is odd. Even more bizarre is to frame it as shocking that some other company needs to buy it out to validate that price. After all, Red Hat's market cap as a publicly traded company has been in the billions for years, and was approaching a similar valuation to IBM's buyout price around May and June before taking a hit on recent earnings.

Either way, there are potentially many interesting things to discuss concerning IBM purchasing Red Hat, from questions about the future of its products, to questions about cloud computing, open source, software services, patents and more. But... one thing that really isn't that interesting at this point in time is the fact that Red Hat built a business based on free software that it gave away. As we've said for over a decade, free never is the business model, but it absolutely can be part of any business model.

Filed Under: cloud computing, free, linux, mergers, open source, patents
Companies: ibm, red hat

A Decade After Trying To Block Open Source Patent Pool From Buying Its Patents, Microsoft Joins The Pool Entirely

from the times-change dept

Almost exactly a decade ago, for reasons I still don't quite understand, Microsoft invited me to sit down one-on-one with their then Deputy General Counsel for intellectual property, Horacio Gutierrez (who is now General Counsel at Spotify). It was, to say the least, a bizarre conversation in which he repeatedly tried to justify Microsoft's position on software patents, with us getting into a spirited debate over Microsoft's ridiculous FUD campaign about Linux. Suffice it to say, while the conversation was fun, we agreed on almost nothing. For a few years, Microsoft had been trotting out claims that Linux violated over 200 of its patents, and kept making these vague threats about it. It never named the patents in question. It never sued. It just kept obliquely warning that those who used Linux might somehow eventually face some patent infringement suits from Microsoft. Some might call this a patent chilling effect. Or FUD. Or a shakedown. No matter what you call it, I stand by the claim that it was despicable.

Partly in response to all this nonsense saber rattling by Microsoft, in 2005 a group of companies who relied heavily on Linux got together to create the Open Invention Network (OIN), which was designed as a giant patent pool, mainly to protect Linux. Basically, all the companies who join agree to license their patents freely for use in Linux (and Linux offshoots) to other members of the network. A large part of the reason for this was to allow various companies working on Linux to freely share patents among each other and protect them from Microsoft-style shakedowns. In 2009, OIN ended up buying a bunch of Microsoft patents for itself to help with its mission -- but here's part of what was amazing about that: Microsoft tried to block the sale, refusing to let OIN be a part of the bidding on those patents. Instead, OIN had to use a third party as a shell bidder so that Microsoft didn't know that OIN was trying to get those patents.

That's why the news last week that Microsoft had joined OIN and agreed to freely license all of its patents to every other member in the pool is so shocking. Microsoft's Erich Andersen, who now holds the role that Gutierrez held a decade ago, admitted quite frankly in his blog post about this decision that many will be surprised, but it represents a real "evolution" in the way Microsoft thinks about Linux. I would say that's an understatement.

We know Microsoft’s decision to join OIN may be viewed as surprising to some; it is no secret that there has been friction in the past between Microsoft and the open source community over the issue of patents. For others who have followed our evolution, we hope this announcement will be viewed as the next logical step for a company that is listening to customers and developers and is firmly committed to Linux and other open source programs.

Andersen notes that Microsoft has been making a number of moves along these lines lately, which is really good to see:

Joining OIN reflects Microsoft’s patent practice evolving in lock-step with the company’s views on Linux and open source more generally. We began this journey over two years ago through programs like Azure IP Advantage, which extended Microsoft’s indemnification pledge to open source software powering Azure services. We doubled down on this new approach when we stood with Red Hat and others to apply GPL v. 3 “cure” principles to GPL v. 2 code, and when we recently joined the LOT Network, an organization dedicated to addressing patent abuse by companies in the business of assertion.

I had missed that Microsoft also joined the LOT Network -- which is another creative attempt at stopping operating company patents from ending up with patent trolls (by enabling an automatic "license" should those patents be "transferred" to companies outside the network). This is another good step by Microsoft in rehabilitating some of the FUD and trolling activities that it had done in the past. Obviously, much of this is driven by the business realities of the the cloud market and Microsoft's relative position in these markets these days -- rather than some grand enlightenment about how abusive the company was with its patents in the past.

However, it should be recognized and applauded for what it is, which is an absolute step in the right direction. Maybe in another decade we'll be talking about how Microsoft is going even further and doing an Elon Musk style announcement that all its patents are available to anyone. Wouldn't that be something?

Filed Under: erich andersen, horacio gutierrez, linux, open source, patent pools, patents
Companies: microsoft, oin, open invention network

Applicant For Major EU Open Access Publishing Contract Proposes Open Source, Open Data And Open Peer Review As Solution

from the Elsevier-not-invited dept

We've just written about growing discontentment among open access advocates with the role that the publishing giant Elsevier will play in monitoring open science in the EU. That unhappiness probably just went up a notch, as a result of the following development, reported here by Nature:

Elsevier last week stopped thousands of scientists in Germany from reading its recent journal articles, as a row escalates over the cost of a nationwide open-access agreement.

The move comes just two weeks after researchers in Sweden lost access to the most recent Elsevier research papers, when negotiations on its contract broke down over the same issue.

The open science monitoring project involving Elsevier is only a very minor part of the EU's overall open science strategy, which itself is part of the €80 billion research and innovation program called Horizon 2020. A new post on the blog of the open access publisher Hindawi reveals that it has put in a bid in response to the European Commission's call for tenders to launch a major new open research publishing platform:

The Commission's aim is to build on their progressive Open Science agenda to provide an optional Open Access publishing platform for the articles of all researchers with Horizon 2020 grants. The platform will also provide incentives for researchers to adopt Open Science practices, such as publishing preprints, sharing data, and open peer review. The potential for this initiative to lead a systemic transformation in research practice and scholarly communication in Europe and more widely should not be underestimated.

That last sentence makes a bold claim. Hindawi's blog post provides some good analysis of why the transition to open access and open science is proving so hard. Hindawi's proposed solution is based on open source code, and openness in general:

Our proposal to the Commission involves the development of an end-to-end publishing platform that is fully Open Source, with an editorial model that incentivises Open Science practices including preprints, data sharing, and objective open peer review. Data about the impact of published outputs would also be fully open and available for independent scrutiny, and the policies and governance of the platform would be managed by the research community. In particular, researchers who are currently disenfranchised by the current academic reward system, including early career researchers and researchers whose primary research outputs include data and software code, would have a key role in developing the policies of the platform.

Recognizing the flaws in the current system of assessment and rewards is key here. Open access has been around for two decades, but the reliance on near-meaningless impact factors to judge the alleged influence of titles, and thus of the work published there, has barely changed at all. As the Hindawi blog post notes:

As long as journal rank and journal impact factor remain the currency used to judge academic quality, no amount of technological change or economic support for open outputs and open infrastructure will make research and researchers more open

Unfortunately, even a major project like the Horizon 2020 open research publishing platform -- whichever company wins the contract -- will not be able to change that culture on its own, however welcome it might be in itself. Core changes must come from within the academic world. Sadly, there are still precious few signs that those in positions of power are willing to embrace not just open access and even open science, but also a radical openness that extends to every aspect of the academic world, including evaluation and recognition.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: eu, open access, open data, open peer review, open source, publishing
Companies: elsevier, hindawi

Open Source Industry Australia Says Zombie TPP Could Destroy Free Software Licensing

from the another-reason-not-to-ratify dept

It seems incredible, but the TPP trade deal is still staggering on, zombie-like. It's official name is now the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), but even the Australian government just calls it TPP-11. The "11" refers to the fact that TPP originally involved 12 nations, but the US pulled out after Donald Trump's election. The Australian Senate Standing Committee on Foreign Affairs, Defence & Trade is currently conducting an inquiry into TPP-11 as a step towards ratification by Australia. However, in its submission to the committee (pdf), Open Source Industry Australia (OSIA) warns that provisions in TPP-11's Electronic Commerce Chapter "have the potential to destroy the Australian free & open source software (FOSS) sector altogether", and calls on the Australian government not to ratify the deal. The problem lies in Article 14.17 of the TPP-11 text (pdf):

No Party shall require the transfer of, or access to, source code of software owned by a person of another Party, as a condition for the import, distribution, sale or use of such software, or of products containing such software, in its territory.

In its submission to the committee, the OSIA writes:

Article 14.17 of CPTPP prohibits requirements for transfer or access to the source code of computer software. Whilst it does contain some exceptions, those are very narrow and appear rather carelessly worded in places. The exception that has OSIA up in arms covers "the inclusion of terms and conditions related to the provision of source code in commercially negotiated contracts". If Australia ratifies CPTPP, much will turn on whether the Courts interpret the term "commercially negotiated contracts" as including FOSS licences all the time, some of the time or none of the time.

If the Australian courts rule that open source licenses are not "commercially negotiated contracts", those licences will no longer be enforceable in Australia, and free software as we know it will probably no longer exist there. Even if the courts rule that free software licenses are indeed "commercially negotiated contracts", there is another problem, the OSIA says:

The wording of Art. 14.17 makes it unclear whether authors could still seek injunctions to enforce compliance with licence terms requiring transfer of source code in cases where their copyright has been infringed.

Without the ability to enforce compliance through the use of injunctions, open source licenses would once again be pointless. Although the OSIA is concerned about free software in Australia, the same logic would apply to any TPP-11 country. It would also impact other nations that joined the Pacific pact later, as the UK is considering (the UK government seems not to have heard of the gravity theory for trade). It would presumably apply to the US if it did indeed rejoin the pact, as has been mooted. In other words, the impact of this section on open source globally could be significant.

It's worth remembering why this particular article is present in TPP. It grew out of concerns that nations like China and Russia were demanding access to source code as a pre-requisite of allowing Western software companies to operate in their countries. Article 14.17 was designed as a bulwark against such demands. It's unlikely that it was intended to destroy open source licensing too, although some spotted early on that this was a risk. And doubtless a few big software companies will be only too happy to see free software undermined in this way. Unfortunately, it's probably too much to hope that the Australian Senate Standing Committee on Foreign Affairs, Defence & Trade will care about or even understand this subtle software licensing issue. The fate of free software in Australia will therefore depend on whether TPP-11 comes into force, and if so, what judges think Article 14.17 means.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: australia, copyright, cptpp, open source, source code, tpp

EU's Mandatory Copyright Content Filter Is The Zombie That Just Never Dies

from the back-again dept

For the past few years, there's been a dedicated effort by some to get mandatory filters into EU copyright rules, despite the fact that this would destroy smaller websites, wouldn't work very well, and would create all sorts of other consequences the EU doesn't want, including suppression of free speech. Each time it pops up again, a few people who actually understand these things have to waste a ridiculous amount of time lobbying folks in Brussels to explain to them how disastrous the plan will be, and they back down. And then, magically, it comes back again.

That appeared to happen again last week. EU Parliament Member Julia Reda called attention to this by pointing out that, despite a promise that mandatory filters would be dropped, they had suddenly come back:

The draft of the proposal included a requirement that any site that doesn't have licensing agreements with rightsholders for any content on their site must take "appropriate and proportionate technical measures leading to the non-availability of copyright or related-right infringing works...." In other words, a mandatory filter.

Incredibly, as Reda discovered, despite the fact that this issue is now in the hands of the EU Parliament, rather than the EU Commission, the metadata on the draft rules showed it was created by the EU Commission. After meeting with the MEP who is in charge of this, Reda posted that that individual, Axel Voss, claimed it was a "mistake" to include the requirement for "technical measures" (uh, yeah, sure), but still plans to make platforms liable for any infringement on their platforms.

One of the many problems with this is that the people who demand these things tend to have little to no understanding of how the internet actually works. They get upset about finding some small amount of infringing content on a large internet platform (YouTube, Facebook, etc.) and demand mandatory filtering. Of course, both YouTube and Facebook already have expensive filters. But this impacts every other site as well -- sites that cannot afford such filtering.

Indeed, Github quickly published a blog post detailing how much harm this would do to its platform, which in turn would create a massive headache for open source software around the globe.

Upload filters (“censorship machines”) are one of the most controversial elements of the copyright proposal, raising a number of concerns, including:

• Privacy: Upload filters are a form of surveillance, effectively a “general monitoring obligation” prohibited by EU law
• Free speech: Requiring platforms to monitor content contradicts intermediary liability protections in EU law and creates incentives to remove content
• Ineffectiveness: Content detection tools are flawed (generate false positives, don’t fit all kinds of content) and overly burdensome, especially for small and medium-sized businesses that might not be able to afford them or the resulting litigation

Upload filters are especially concerning for software developers given that:

• Software developers create copyrightable works—their code—and those who choose an open source license want to allow that code to be shared
• False positives (and negatives) are especially likely for software code because code often has many contributors and layers, often with different licensing for different components
• Requiring code-hosting platforms to scan and automatically remove content could drastically impact software developers when their dependencies are removed due to false positives

A special site has been set up for people to let the EU Parliament know just how much damage this proposal would do to free and open source software.

Of course, the requirements would hit lots of other platforms as well. Given enough uproar, I imagine that they'll rewrite a few definitions just a bit to exempt Github. It appears that's what they did to deal with similar concerns about Wikipedia. But, that's no way to legislate. You don't just build in a list of exemptions as people point out to you how dumb your law is. You rethink the law.

Unfortunately, when it comes to this zombie censorship machine, it appears it's an issue that just won't die.

Filed Under: axel voss, censorship, code, copyright, eu, filters, julia reda, open source
Companies: github

Crowdfunded OpenSCHUFA Project Wants To Reverse-Engineer Germany's Main Credit-Scoring Algorithm

from the opening-the-black-boxes dept

We've just written about calls for a key legal communications system to be open-sourced as a way of re-building confidence in a project that has been plagued by problems. In many ways, it's surprising that these moves aren't more common. Without transparency, there can be little trust that a system is working as claimed. In the past this was just about software, but today there's another aspect to the problem. As well as the code itself, there are the increasingly-complex algorithms, which the software implements. There is a growing realization that algorithms are ruling important parts of our lives without any public knowledge of how they work or make decisions about us. In Germany, for example, one of the most important algorithms determines a person's SCHUFA credit rating: the name comes from an abbreviation of its German "Schutzorganisation für Allgemeine Kreditsicherung", which means "Protection Agency for General Credit Security". As a site called Algorithm Watch explains:

SCHUFA holds data on round about 70 million people in Germany. That's nearly everyone in the country aged 18 or older. According to SCHUFA, nearly one in ten of these people living in Germany (some 7 million people) have negative entries in their record. That's a lot!

SCHUFA gets its data from some 9,000 partners, such as banks and telecommunication companies. Incredibly, SCHUFA doesn't believe it has a responsibility to check the accuracy of data it receives from its partners.

In addition, the algorithm used by SCHUFA to calculate credit scores is protected as a trade secret so no one knows how the algorithm works and whether there are errors or injustices built into the model or the software.

So basically, if you are an adult living in Germany, it's a good chance your financial life is affected by a credit score produced by a multimillion euro private company using an automatic process that they do not have to explain and an algorithm based on data that nobody checks for inaccuracies.

A new crowd-sourced project called OpenSCHUFA aims to change that. It's being run by Algorithm Watch and Open Knowledge Foundation Germany (full disclosure: I am an unpaid member of the Open Knowledge International Advisory Council). As well as asking people for monetary support, OpenSCHUFA wants German citizens to request a copy of their credit record, which they can obtain free of charge from SCHUFA. People can then send the main results -- not the full record, and with identifiers removed -- to OpenSCHUFA. The project will use the data to try to understand what real-life variables produce good and bad credit scores when fed into the SCHUFA system. Ultimately, the hope is that it will be possible to model, perhaps even reverse-engineer, the underlying algorithm.

This is an important attempt to pry open one of the major black boxes that are starting to rule our lives. Whether or not it manages to understand the SCHUFA algorithm, the exercise will provide useful experience for other projects to build on in the future. And if you are wondering whether it's worth expending all this money and effort, look no further than SCHUFA's response to the initiative, reported here by netzpolitik.org (original in German):

SCHUFA considers the project as clearly directed against the overarching interests of the economy, society and the world of business in Germany.

The fact that SCHUFA apparently doesn't want people to know how its algorithm works is a pretty good reason for trying to find out.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: algorithms, credit scores, germany, open source, schufa