We had the chance to interview James Vasile, an attorney with the Software
Freedom Law Center (SFLC). Now people often think of the SFLC as the
group that “goes after” people who violate the GPL, and that’s certainly the aspect that the press focuses on, but James points out that enforcement is a very
small percentage of what they do. More interesting were James insights
into how businesses learn that their secret sauce has very little to do with
locking up the code. And if you’re looking for more, James maintains his own blog at hackervisions.org
- The role of the Software Freedom Law Center in the world of free software
- Fostering voluntary compliance with the GPL
- Handling violations without putting people on the defensive
- How communities protect themselves with self-regulation
- Negotiating the urge for proprietary “secret sauce” in the marketplace
- Niche markets where open source has not had much impact
Scott Swigart: Could you take a minute to introduce yourself and tell us a little bit about what you do, as it relates to open source and free software?
James Vasile: Sure. Primarily, I work for the Software Freedom Law Center, doing legal work for people that make and support free software.
My client list includes the GPLed content management systems, like Joomla and Drupal. I go to work for WordPress as well, but I also end up doing work with organizations like GNOME, Samba, and KDE.
Just about any large free software project is going to come through the Law Center at some point. We try to give them whatever help we can, and that help varies quite a bit from client to client.
The legal challenges that free software projects face are sometimes unique, and sometimes mundane. The unique challenges are often about making sure that these projects can continue to operate as free software projects, in a world that is occasionally hostile to freedom and open source software.
More mundane legal issues also arise, because it turns out that running a medium or large free software project is an awful lot like running a small business. The main difference is that nobody gets paid. But you have a lot of the same legal issues trying to get out there and distribute your software all over the world and manage the wealth of resources that it takes to make world class software.
The other side of my work is that I help free software projects with managerial stuff, trying to help them make decisions that put them on the best footing for managing their project, creating new strategies, and getting the word out.
It turns out that we at the Law Center talk to more people in the free software world than almost anyone else. That gives us a pretty good point of view to tell them how a given path has or has not worked well in the past.
We offer that experience to people not as a legal service, but just as an ear to listen, and we offer advice where we can. In that capacity, I sit on the board of Open Source Matters and on the advisory board of GNOME. We give a lot of off-the-cuff advice to software projects.
Scott: We’ve talked to a lot of people about the different ways of building open source software, whether it’s corporate built or community built. We have also had a lot of conversations about choosing between different licenses, such as deciding between a GPL license versus an Apache license, or something like that.
One aspect of how I view your organization is as an entity involved with enforcing the GPL. Is that an accurate characterization? And what are some of the issues that people bring to you, and how do you help resolve those issues?
James: We do a lot of the GPL enforcement, at least in America, but that’s definitely not the majority of what we do. Even though we do a certain amount of enforcement, most notably for BusyBox, and Samba, I wouldn’t say that we think of ourselves as primarily GPL enforcers.
More often, we’re trying to help people to find reasons to comply. I think the GPLed CMS world is a really good example of that, because like most of the rest of the GPLed world and the free software world, enforcement is a non-starter. I mean, the vast majority of licenses are respected, because people voluntarily respect them.
Most people know that if they violate a license, the chances of them actually getting rapped on the knuckles for it, or even called out on it, are pretty low. People comply to avoid the risk of the embarrassment at having to retract some code, but more importantly, there are social norms at play that help them decide this is the right thing to do. There are structures that incentivize compliance that have nothing to do with lawsuits or lawyers.
For example, we just had a really good discussion about this in the WordPress community. It was recently decided that WordPress themes have to comply with the GPL.
I won’t say that this was a new development in the WordPress community, but there were a lot of theme distributors and theme publishers in the WordPress community that were not compliant with the GPL. This is a shift in strategy for WordPress, in the sense that they’ve decided they want to encourage people to comply.
Obviously, this can be controversial when people are making a living selling themes, but most of the people who decided to come under compliance were fully aware that WordPress was never going to launch a bunch of lawsuits trying to get people to comply. Rather, the reason to comply was to get along well with the rest of the community, rather than thumbing their nose at the project that is producing their livelihood.
More to the point, there are reputational benefits to complying with the GPL in some of these communities. If you work with the project, as opposed to against it, the project is happy to link to you, for example, include you in their extensions directory, their theme directory, and that kind of thing.
There are some practical benefits to complying, but for the most part, it has nothing to do with a legal analysis. Our work in GPL enforcement is not really about trying to whack people upside the head. Sometimes we do that, but for the most part, that’s the option of last resort.
Scott: A lot of times, projects grow up kind of isolated, and then they might reach critical mass, like WordPress or Drupal. On the way to becoming practically household words in the developer and IT community, I imagine that they go a learning process as they decide what kind of a cultural identity they will have.
I could see it being a fairly seismic shift in something like the WordPress community for them to decide that enforcement is important to them. That seems to fit with the notion that the goal is not to file a bunch of lawsuits, but rather to create the conditions where complying with the GPL is the logical thing to do.
As you’ve worked with different projects, have you observed a set of conditions that need to be present for compliance with the GPL to become self-enforced, in a matter of speaking?
James: Its actually extremely varied. Every project has its own culture associated with it and its own values, even. The things that different projects think are important is hugely variable, and so there is no mental checklist.
It really just comes down to looking at a project and the structures and values they have in place, as well as their history. Based on that, one can make a case to people that the license they’re using should be respected for the good of the community.
We point out the ways in which the community benefits as a whole and the way the individuals benefit within that community. Eventually people start talking to each other about how much they care about licensing.
A really good example of that is in the Joomla world, because Joomla started out as a project called Mambo, and Mambo was released by software company in Australia under the GPL. A bunch of people flocked to the product and started making changes to it. The company said, “Thank you very much for the changes, but now we’re going to close the code and release it under proprietary licenses, and basically take this code private.”
It was the GPL that protected them from having this happen, protected their investment in the code, and kept the code free. Even then, though, many people within the Mambo community did not think the GPL was that important, and they did not have a community norm of respecting the GPL.
They sort of treated the code base as quasi-open for most people and then occasionally closed when they needed it to be closed. Certainly, they weren’t requiring third-party extension developers to comply with the GPL.
The shift from that world to the current world where the license is a big part of every conversation about what to do with the project has been one of pointing out to them how much the protections of the GPL mattered in the past. That becomes a reason for maintaining those protections in the future.
But obviously with a project like WordPress, which has never had a crisis of who can access the code base and who can make derivative works of it, that sort of argument isn’t going to be available. So every project, having its own history and culture, is going to have its own reasons for caring about and wanting to respect the GPL.
Scott: I would imagine that it can be an interesting challenge if someone starts out small with a great theme, starts welding more functionality into it, and eventually starts to sell a significant amount. In a case like that, how do you go about making that initial communication?
I picture it being somewhat like music downloads. In that case, of course, the industry decided they needed to bring it under control, so they picked a bunch of people and said, “We’re going to go after you,” and then they created a culture. You are fortunate that you don’t need to take an aggressive approach like that, but how do you educate people who may not even really suspect that they are violating a license?
James: The initial contact can be very difficult, because we need to convey to people that they’re probably violating a license. That rings alarm bells for anybody, especially someone running a small business.
We want to communicate that to them, but in a non-threatening manner. The challenge is to reach them without making them sort of shut down, call their lawyers, and never talk to you again. We want to engage them to talk about ways they can come in from out of the cold and come into compliance.
Having that conversation with people and letting them know, “I’m not here to knock you about, I’m not here to extract money from you, and I’m not here to change anything you’re doing except for this one tiny thing of you agreeing to freely license your product, ” is very difficult, because people have a great lot of fear about what is going to happen if they comply.
Scott: Sure. The small business owner probably hasn’t ever talked to a lawyer except when they originally set up their articles of incorporation, if they even have done that. How do you typically play it out from there?
James: Sometimes we do it well, and I’m the first to admit that sometimes that interaction doesn’t necessarily go well. Usually by the time a case gets to me, the project has already contacted this person, so the discussion has happened outside of my view and certainly outside of my control.
Even though we never know what that is going to look like, obviously there are best practices here. It typically works best to send an initial polite email saying, “It looks like you might be violating. We should have a discussion about that. We’re not here to ask you for money, we’re not here to give you bad publicity, and we’re not here to do anything but discuss ways that we can convince you to come into compliance.”
I think that phrasing of “We would like to have the opportunity to convince you,” is probably the most important aspect, because it can help people realize that force isn’t really what’s on the table. After all, Word Press isn’t going to waste its precious resources suing a bunch of theme designers.
Scott: What’s it like for you educate the projects themselves on how to engage? I imagine that a project owner who has invested their heart and soul in building an Open Source project might be less than diplomatic in approaching someone they feel has violated the license. How do you help them be constructive?
Conversely, how do you educate something like a three-man design team that it’s in their best interest to rewire how they’re going to market? How do you educate them about the fact that doing so will ultimately benefit them?
James: When projects make the first contact, the reason it can be a little bit dicey is that sometimes the people involved truly feel wronged. When they contact the people who seem to be violating the license, some of that unhappiness often shows through as impatience and negativity.
That’s probably not the most auspicious beginning, especially since the theme designer probably doesn’t agree with that position. From the very first sentence of the email, they tend to have diverging viewpoints, and the conversation can go awry.
Projects get better at it just by doing it more often, either in tandem with my office or just by thinking about it a lot more. They can generally benefit from consulting with us before they make the effort and running the emails past us for the first couple times they do it.
Honestly, though, once they’ve done it a couple of times, anyone who regularly does compliance work gets into a rhythm about what the techniques are for getting people to actually talk to you as opposed to shutting you out.
It really is just a question of experience and reminding yourself that the person on the other end of that email has a very different point of you than you do. That’s how we address the initial contact, but what we actually say to people to convince them to comply in the theme context has a lot to with introducing them to theme designers that are complying and making money.
It turns out that the way people find themes is not very GPL aware. In the same way that designers don’t care much about the GPL, customers don’t care much about the GPL. When people grab a theme off the Internet, whether it’s GPLed or not, it’s probably available from both its authoritative official source and some FTP server or bit torrent somewhere.
And the GPL is not going to change that fact. In the same way that Joomla is not going to run around wasting money suing theme designers, theme designers aren’t going to run around wasting money suing FTP sites.
That means that the legal rights they are giving up by GPLing their themes are rights that they were probably never going to exercise in the first place. It turns out that the protections that theme designers hold onto are not worth a whole lot, and giving them up does not cost them anything. GPL compliance is a zero cost proposition in 99.9% of cases.
In the theme and extension world, that makes the decision a lot easier, and it helps people realize that they can comply with the community standards without it costing them a dime. Most people truly want to comply, and they don’t want to be in violation of the standards of the community in which they operate.
Sean Campbell: In view of the fact that most people want to follow the rules, what do you think the projects themselves can do to facilitate that? What should they be putting on their own sites to help educate people before they download source and get started building with it?
Do you think they should be doing more educating?
James: I think that, in the same way that GPL compliance is less about the license and more about the community, open source is less about the openness of the source and more about the community.
The openness of the source code creates great communities, and I think when you’re talking to potential clients, customers, downloaders, and users, the thing to lead with is not the fact that they can look at the source code, or that there is a license that they probably don’t care much about anyway.
Projects should explain to them all the benefits of the community, and why they would want to download software that has a community behind it as opposed to just a company behind it.
They should also talk about what it means to join that community. They should explain that extending the software or building on top of it happens in this community context, where there are certain norms.
I think that’s probably the best approach, because that gives people what they really want to know, which focuses on the social context, rather than legal obligations. It also helps them understand what is so great about the world of free software, which is that we are a collection of people who provide support in this mode for the software that we build.
Scott: You said something very interesting about the idea that following the GPL is essentially a zero-cost proposition. Most people getting paid to write code are working for companies that may not have a strong participatory connection to open source, and that has been even more true looking back some number of years.
In companies large and small, I think there is the perception that releasing their code under the GPL could compromise their business position. They are often concerned that they would be ceding control of their product.
That position, of course, isn’t supported by something like MySQL. No one is going to take over MySQL, because the company building it has all of this expertise around that code base, as well as enhancing it, supporting it, maintaining it, and providing services around it. And when you get down to consumer-level products, that’s even more true. My mother isn’t going to want to go search for the source code. She’ll pay $15 for a theme because it will just work.
In light of that, it was fascinating to me the way you phrased it, that 99% of the time there is no cost to using the GPL. The fear people have that if they go the GPL route, they’re out of business because they’re forced to basically give products away instead of selling them isn’t really well-founded in most cases.
That’s a message that I don’t see out there a lot. What success stories can you point to, where people have gone the GPL route and it didn’t cost them anything, and in fact may have given them benefits they would otherwise not have had?
James: I think you give some good examples. Nobody is going to buy MySQL from anybody except MySQL, at least not currently. The people within MySQL over at Sun have concentrated all the expertise in deploying MySQL and using it. It’s possible that competitors could spring up, but on top of having the expertise in deploying it, the people at MySQL and Sun have the apparatus to support it long term.
It turns out that the people who actually make the software have a huge competitive advantage over everybody else in monetizing that software. No reputable company is going to take the cut-rate deal and compromise on the quality when what they really want is the best support they can get for a reasonable price.
As the people who make the software, you are the best positioned to do other things related to it, and so you become the best source when it comes to servicing that software.
That’s the big reason that it’s a zero-cost proposition. At the end of the day, no matter who might want to go into competition with you using the GPL rights you give them, you are going to out-compete them every day of the week.
The only business they would take from you is business that you wouldn’t get anyway, because you would be pricing too high for that customer. Anyone who could afford to pay your rates would pay your rates, because they want the best that they can get, and you are the best.
Therefore, by definition, anyone who is making GPL-ed software and selling it is in the best possible market position to monetize that software, no matter what the business model ends up being. That’s definitely true both at the high end and at the consumer end for things like games, which are a highly proprietary market where very few companies allow free redistribution of their games.
It turns out that even though you don’t allow free redistribution of your games, there is free redistribution of your games. There is rampant pirating of gaming software for both console games and PC games, and despite that the PC game manufacturers, the game manufacturers continue to sell lots and lots of copies of their games.
The reason for that is that at the low end, at the retail end of things, just like you were saying, your mother doesn’t necessarily want to troll through FTP and BitTorrent sites to try to find a theme or to download the source code for the theme and try to figure out how to install it.
People want one-click convenience and easy, supported deployment of software, and companies that GPL their software are able to do that just as well as companies that don’t. In fact, sometimes they can do it better.
Whatever the mechanism by which you are making money and being “the source” for this software, none of that changes when you go GPL. We used to say that business models might have to be adjusted for people that sell GPL software or distribute GPL software, but it turns out that that’s not really the case. In most cases, you make money off your proprietary software in the exact same ways you make money off your GPL software, and we’ve seen that time and time again.
I think you’re right that we need to start putting up more examples of that and start showing people the examples of companies that have been successfully GPLing software and people that are successfully servicing GPL software that they make.
That’s probably the biggest thing we could do to alleviate the fear that people have, which is that once they GPL it, the door is open and they can never go back, and all their profits will disappear.
Scott: What is the corresponding message in the most extreme cases, where somebody feels like they have an algorithm that really is their competitive differentiator. I’m thinking of something like a gaming engine, a compression algorithm, or a market-analysis algorithm where they know they’re doing things that nobody else is doing.
I guess, what’s your message to those companies that are convinced–perhaps correctly–that they’ve got a relatively small amount of code that gives them a huge competitive differentiation?
James: First, in most cases they’re probably wrong, because most of the time, people who cook their own algorithms are not going to beat the combined wisdom of everyone else trying to solve the same problem cooperatively.
That said, it might be true that in some cases, a private algorithm could beat whatever the current state of the art is. Still, they’re probably not going to beat it for long, and moreover if what you’ve done is truly novel, there are other mechanisms for protecting the patents and whatnot that come into play.
Most of those people are probably mistaken about their unique competitive advantage, and a lot of what’s left would probably benefit from having everybody work to produce a better model or algorithm, to combine the advantages of many different services.
If you have five different companies, each with their own private competitive advantage, imagine what they could do if they got together and gave everybody the benefits of all their advantages in one package.
I think that there are still a lot of reasons to go the free software route, even at that point. At the same time, your expertise matters, and your awesome algorithm is best used by you. Even if you free it and let other people improve upon it, you are in the best position to use those improvements. You still have the competitive advantage there and it’s quite a large one.
Imagine if Google were to release the source code behind Gmail. Nobody else on the planet would be able to deploy Gmail, because none of them have access to the technology that Google has, meaning the entire stack that is so uniquely developed for them and their unique purposes.
I’m sure Gmail connects to tons and tons of applications and pieces of infrastructure that don’t exist anywhere but within Google, so even if Google were to hand me the source code to Gmail tomorrow, it would be almost no good to me at all.
Scott: We see that sort of effect with the company I believe is called Aquea that’s wrapped around Drupal. Likewise, Cloud Air is wrapped around Hudu. They would have to do really bad by the project for a long time before somebody could fork it and get the community of users to move over to them.
It sort of happened with Netscape and Firefox. You can see examples, and you mentioned Mambo becoming Joomla.
James: Even in the case of Mambo and Joomla, when the company tried to close source Mambo, that wasn’t even enough to cause a fork. It was a couple years later that the fork happened, after the community tried very hard for a long time to work with this company. And the company tried hard to work with the community as well, and finally it wasn’t working to anyone’s satisfaction, so there was a fork.
Experience shows us that every time people are in a situation where forking might be good, they choose not to do it, because it’s tremendously costly to try to split a community in half and figure out who’s going to do what.
Scott: You mentioned games as being an area that’s very closed and proprietary. Search is another of those areas, as are financial analysis, oil and gas, seismic analysis, and others.
Are you seeing any areas where there is starting to become a real credible GPL-licensed option that there is a lot of community effort around that may be a game changer a year or two or three from now in some of these areas that have traditionally been very dominated by closed source?
James: I wish I could say that I did see a lot of these imminent game changes attracting large communities, but unfortunately I haven’t. The thing about free software currently is that it usually starts with somebody scratching an itch or somebody trying to solve a fairly widespread problem.
In these niche markets where there isn’t a lot of free software adherence already, there aren’t a lot of coders sitting around directly going to benefit from a problem being solved in that area, and it breaks down pretty quickly. One place we see that quite clearly is in the small business application market.
Think about medical billing, for example. Medical offices spend tens of thousands of dollars on software that is by any measure extremely rudimentary, and all it does is help them manage appointments and then submit invoices to insurance companies.
That software is ripe for being knocked off by a free software project, and yet I’m not aware of anybody that has cobbled together more than one or two programmers committed to working on it, giving it any significant amount of attention or time.
It turns out that the free software community has been relatively bad at supporting these niche areas. There are business models that would allow easy entry into these areas and make it possible for free software developers to make the software and make a good living supporting it, and yet still nobody is taking that opportunity.
That failure is one of the things that I’m curious about, and one that I’m seeking solutions to over time.
Scott: This has been a great conversation. One of the things we usually do at the end is to ask whether there’s anything interesting that we didn’t ask about.
James: I think the most interesting thing about the work that I do is really the community-building aspect of it. I touched on that earlier when I said that it’s not about the legal structures or the legal norms, but rather about the social and community norms.
That’s true across the board, and one of the things that I see on project after project is people confusing the value of what they do as license-based as opposed to community-based.
You see people with religious allegiances to certain licenses or even people denigrating other licenses or worrying about who’s using what license in other projects and things like that. What they miss is that the value of the code they’re writing isn’t just based on what license it’s under.
Scott: Thank you very much for taking the time to chat with us.
James: Thank you.