Free Software Always Costs Something

Back in the late 1960s, University of California, Berkeley, published its first public BSD licenses promoting free software that could be reused by anyone. A few years later, in the 70s, BSD Unix was released by CSRG, a research group inside of Berkeley, and laid the foundation for many operating systems (including Mac OS X) as we know it today. It gradually evolved over time to support socket models, TCP/IP, Unix’s file model, and a lot more. You’ll find traces of all of these principals – and very often, core code itself, still used 50 years later in cutting edge operating systems. The idea of “free software” (whether “free as in beer” or “free as in freedom”) is credited as a driving force behind today’s technology, multi-billion dollar fortune companies, and even the iPhone or Android device sitting in your pocket. Here’s the rub: None of it was ever really free.

All of this incredible technology that can be dated back decades, primarily originated from projects funded through DARPA. Berkeley’s CSRG, which created BSD based on AT&T’s UNIX operating system, was funded primarily by DARPA, as were projects that brought forth TCP/IP, Arpanet, and many others. If you like Mac OS, thank the government – because it sucked until it started incorporating Unix. If you like the Internet, thank the government. Code was made public and free as a result of its federal funding sources, and even today most code is released in a similar way by FFRDCs or other government-funded organizations. Also consider the IETF and IEEE, both well respected organizations, and also very well financially backed by private industry. IEEE brings in well over $300 million annually in revenue (and almost all of it gets invested back into spreading knowledge, developing standards, and other good things). So while there is indeed a great sense of “good will” and desire for science and knowledge in computer science, much of the altruism displayed with the advent of our technology was much easier an ideal to hold coming from universities and organizations with heavy funding.

I’m certainly not questioning anyone’s motives here. I’ve developed free software under numerous OSS licenses for some 25+ years of my life, and I believe whole heartedly that our society is better off for sharing knowledge. What I’m trying to convey is this: free software has never been free, and it never will be. Whether you pay for it with your tax dollars, or you pay for it in a licensing fee, there has always been a price to free software. Today, open source development has moved out from underneath universities and migrated more towards people’s garages – anyone can write a free and open project, publish it on GitHub, and get an immediate user base. This is excellent – but this also comes at a price.

While indy F/OSS today is free from tax dollars, and often free from licensing fees, you pay for it in a different way: quality; specifically, security. Consider OpenSSL. The team members on this project have worked tirelessly for nearly two decades, with the same good will and altruism that the rest of us adopted, however it’s no secret that lack of funding has been one of the major obstacles in auditing and hardening one of these core cryptographic components in use on the Internet. As a result, the OpenSSL project has seen a series of awful compromises that have left millions of machines susceptible to attack – and many have been. The problem got so bad that the OpenSSL project was eventually abandoned by many large companies, such as Apple, who now uses their own crypto engine. The project itself has been forked into other, better maintained projects, such as LibreSSL. Ostensibly free software has cost us dearly here.

I lay no blame on the OpenSSL group, and my using them as an example here isn’t intended as a criticism. My hats off (sincerely) to those guys for working so hard to bring us a critical component of our infrastructure. My point, rather, is to demonstrate that without the same financial backing that open source used to have back in the DARPA days (namely, defense grants and university backing), we’ve gone from creating software that’s developed in a resourceful setting to software that’s developed whenever we’re not busy working, changing diapers, cooking dinner; you get the idea: free software today is developed on a shoe-string budget of our time as well as financially. As a result, there are many quite awful projects out there, many of which pose serious widespread vulnerabilities. The money simply isn’t there to work on them full time, to have them audited and peer-reviewed, to put together effective test and QA processes, or sometimes even to interface with engineers reporting problems. Due to lack of time and budget, most open source projects have a “if you want it fixed, do it yourself, send me patches” policy. That’s not helping anybody improve anything (especially when the same maintainer has a curmudgeony patch acceptance policy).

That’s not to say that there’s not any good F/OSS left today. There most certainly is. Ed Snowden uses the example of Tor, and I personally have endorsed Whisper Systems’ Signal project. There are a number of great open source tools out there that get the auditing and resources they need to be properly developed in such a way that they don’t suffer in quality – and all of these will have one thing in common: They have financial backing. Instead of university grants, most funding today is now private / commercial funding, although there is still plenty of government money floating around for those who can get it.

My point is this: what we consider crucial and secure open source has always been, and continues to be today, dependent on funding. So why is funding the exception today, and not the rule?

In short, the unrealistic and overly altruistic licensing of yesterday.

While all of this great free software was flowing out of Berkeley and other universities, licensing models to support their core values started popping up. Even as late as the 80s, when the GPL became popular, all of this altruism was still largely embedded in projects that were the result of defense funding or special grants. It was easy to say, “here, take this and use it, spread knowledge – be free”, when all the bills were paid and the lights were kept on by other people’s money. I’m not suggesting that anyone’s motives were false – but perhaps a bit naive. Commercial entities do not usually share this altruism. Because of such loose licensing, some of today’s multi-billion dollar companies have based their entire fortune on free open source software (which is great) without giving very much back to these open source projects (which is awful). Some give back code, but money can also be helpful to these projects. Some don’t even give back code. Instead, licensing such as the GPL has allowed for companies operating on SaaS and similar models to simply ingest and privately capitalize on other people’s work without needing to contribute a penny or a single line of code. Why? Because they’re not distributing.

The GPL was designed at a time when software distribution was key to controlling intellectual property. Back in the 80s, we were still selling CD-ROMs of software in stores. There were still Linux general stores and we still exchanged fonts on floppies at user group meetings. Distribution was how anyone made a buck, built a business model, or conveyed an idea. The popular licensing model at the time, obviously, was that you could use the software all you wanted, but if you distributed it (under certain conditions), you had to either GPL your own software or acquire private licensing from the author. When the GPL was formed, it was designed to prevent abuse via the main vein of commercial revenue at the time.

In contrast, today’s business model has evolved to where distribution is no longer the driving force behind revenue. Everything wants to be a thin client. Services are provided centrally. Facebook, Twitter, Amazon, eBay, you name it – distribution doesn’t affect these guys one bit. Had we enough insight into how software would eventually have evolved, a GPL that policed commercial use rather than distribution would have dramatically leveled the playing field.

Licensing based on commercial use would have left us with one of two results for anyone looking to use your project: either platforms (such as Facebook, Amazon, eBay, PayPal, etc for example) would have had to be open sourced (benefitting the tech community, a free market, and the advancement of knowledge) – or – the authors of projects that these companies relied on (the Apache foundation, the Linux foundation, PHP, you name it) would have received what today are substantial royalties that would have continued to fund their projects. That infusion of capital would have been used to make significant improvements. In other words, projects like OpenSSL, under such a licensing model, would have likely ended up being much more secure as a result of funding had we not been so naive in how software would be used after the 1980s. You can argue that RMS must have foreseen this – but it’s hard to believe when we were also saying that the future included red leather zipper jackets. I was there in the 80s. We didn’t have much foresight.

I’m not sure what the complete answer is, but I do think that open source licensing needs to be overhauled to meet today’s business models. While I still believe we need that altruism and zeal for knowledge we had back in the day, that also needs to be tempered with the sobriety of today’s commercial interests. The GPL, to its credit, did attempt to prevent overt intellectual property theft. Business models have evolved, but open source licensing hasn’t. It’s probably about time we take a look at that. Developers whose projects are widely adopted in commercial ventures not only deserve funding, but need either funding or contributions to keep the project safe for its large audience. It’s simply ludicrous that we can have so much money floating around tech, but can barely keep the lights on for guys like the OpenSSL project, long enough to do a complete security audit, pen-tests, external peer-review, and so on.

Paying for open source up front is much cheaper than paying for it later. If we must pay for open source by means of data breaches, then commercial organizations are getting what they deserve by failing to support it. Unfortunately, the end-user becomes the one who ultimately pays, though.

Somebody always pays for open source. It’s never free. Remember that.