Open Source is Technically Illegal

xkcd#501

You are probably breaking the law

PyData London, July 2023: video recording

Casper da Costa-Luis @casperdcl
  • name
  • follow-up to talk I gave last time
  • title sounds scary
    • and it is, but not for the reason you think

Licences Aren't Necessarily Legal

  • prereq knowledge
  • SW licences not automatically legally binding

It's just “clickwrap” text

  • Signing a paper contract doesn't necessarily make it legally enforceable
  • FOSS licence terms haven't really been tested in court
    • except in rare cases (theregister.com/2023/06/github_copilot_lawsuit)
  • "it is a necessary condition of a [...] law that it should be enforceable"
  • it doesn't matter how many lawyers/NGOs produced a free & open source SW (FOSS) licence - it's not really legally binding until parliament and/or courts say so
  • FOSS licences have a "no warranty" clause, but this hasn't been tested in court. Even other clauses are rarely tested:
    • ongoing case against MS/GH/OpenAI for ignoring licences when acquiring training data
    • similar cases are rare; only target an extremely small fraction of licence-infringers -- the ones who make big money
  • aside: law must be enforceable; suing just a few companies & ignoring millions of smaller infringements = expressly opposite of the definition "law". Not meant to be selectively applied.

The Accountability Crisis

  • underlying problem: laws can't address both fraud & indecency (scope too broad) - crime vs rudeness

Previously, at PyData London

  • March 2023: Open Source is Bad
    • lack of warranties in open source
    • could be solved by public funding
  • talk a couple of months ago: lamented that the lack of warranties in FOSS causes a host of problems
    1. individual frustrated maintainers breaking the entire internet by unpublishing a package
    2. SW low-quality/unfit-for-purpose (but go viral regardless)
      • similar problem in closed source, but the difference is legal accountability via warranties
  • conclusion was FOSS can continue to mean non-paying users, but doesn't need to mean unpaid devs
    • govts & NGOs should fund warranties & support-contracts for critical FOSS infra
    • chronic problem in Python: orgs like NumFOCUS do great work, but only focus on scientific SW (tiny fraction of all SW). PSF: events & communities, not SW quality
    • not detracting from great work; just pointing out massive hole/elephant in room
    • this is the gap I'm proposing govts fill

Be Careful What You Wish For

  • because everybody loves governments

EU Acts

  • Sept 2022: Cyber Resilience Act & Product Liability Act
  • "consumer economic & legal interests"
  • "safety of products & services, and liability"
  • 131 feedback submissions + ongoing meetings

Concerns

  • Apr 2023: Python Software Foundation (PSF) declares opposition
  • threatens to block python & pip installs in EU if enacted
  • think the proposed law could hold individual FOSS devs unfairly accountable
  • EU proposed CRA & PLA in Sept last year
    • acts aimed at holding profiteering companies accountable
    • specifically in 2 areas: "consumer interests" as well as "product safety/liability"
    • forbid profit-making companies from hiding behind a "no warranty" clause
    • not yet enacted, still consulting with hundreds of companies, NGOs, interested parties (on both sides of arg)
  • PSF issued statement in opposition
    • counter-intuitive? PSF should be happy with law restricting profiteering companies?
    • let's delve into the details

When is “NO WARRANTY” allowed?

+------+-----------+------+------+
|      | strategic | paid | paid |
| FOSS |  “F”OSS   | OSS  |  S   |
+------+-----------+------+------+
       |                  |
       |                  |
   <yes|no>           <yes|no>
  EU proposal          current
  • types of SW
    • on one extreme genuinely FOSS
    • "strategic", i.e. given away "free": a marketing tactic to raise awareness of related paid SW that integrates well with the "free" SW
    • 2 types of paid SW (depending on whether or not code is released)
  • monetary value increases to the right
  • current: "black box" comes with warranty because end user can't audit code
    • btw: even if "black box" sold with "NO WARRANTY" clause; the clause is very likely to be thrown out in court
  • proposed: anything of direct or indirect monetary value comes with warranty

Concerns

  • can liability traverse dependency graph?
    • can BigCo. push blame onto its FOSS dependencies?
  • treating "strategic" OSS (ie indirect monetary value) as paid
    • how is this defined?
    • should this include independent developers?
  • can a profiteering company selling bad SW claim the bug is actually in some FOSS sub-package, and go sue that unpaid indie dev?
  • what does "indirect" monetary gain mean?
    • could argue every indie FOSS dev is self-promoting, helping their career by releasing FOSS
    • does this mean you can sue everyone with a SW hobby?

Concerns about the Concerns

  • FOSS devs & non-profits are fighting on behalf of BigCo. (to dilute proposed laws)
    • understanding English != understanding legal jargon
  • I'd rather have an "indie exception" than a weaker law
    • remove sole-maintainer packages from dependency graph
  • Somebody should be accountable if critical infra (e.g. PyPI) breaks
  • I have counter-args to counter-args
  • FOSS devs fighting on behalf of worst-offending profiteering companies
  • some measure of arrogance or stupidity
    • just because we can understand English doesn't mean we can understand legal jargon that happens to be written in English. I have consulted an IP lawyer & IMO the proposed laws cannot be abused to hurt FOSS devs
    • I think most modern debates rely on media sensationalism & misunderstanding jargon -- same case here
  • minor improvement: expressly exclude indie packages
  • controversial option: someone should be held legally accountable if Python or PyPI breaks
    • critical infra, lives depend on it
    • if PSF isn't paid enough to provide a warranty, great, the EU should fund it
  • I'm Casper; email on GH & website; always happy to have a chat :)
    • thx for listening