I know that there are differences between free and open source. This post deals with software licenses that give one significant autonomy to adapt the licensed piece of software to a project in order to make one's own great piece of software. Hence, free and open source have the same meaning in this blog post. Freedom is not risk free. Acting freely enables one to do a better job than average.
Software development evolves very quickly. Technology watch and agile management may help to cope with an ever-changing environment. You follow this blog and know that it tends to blur the differences between digital and tangible assets.1 The software world seems to be a world of its own in the sense that it pays little attention to the people who have contributed to the state of the art or to a given project, since a project may be redistributed very easily by people other than its author. When one can modify a piece of work without even bothering to contact its author, human relationships are generally loose. Law mainly deals with relationships between people. This is why free software or open source is challenging to the legal practitioner.
There are two other reasons why a legal practitioner may be surprised by the software world.
- The trust lawyer thinks about homes and family belongings, while a software developer seems to see his world as an airport hall that is full of people passing by. It does not give the impression that a software developer wishes to invest continuously in a project, as one maintains one's home, unless he is a major contributor to this project.
- People are part of a software community mainly because they contribute to a project. Ideas are less important than the number of people who support them. Whenever some people are unhappy with something, they can create a fork of the project and take the leadership of this fork as a new project. This is not how a democracy works. A democracy is vivid as long as people who exercise power care about those who have not voted for them, not because they are altruistic but because they know that these people are part of the society…and that any voter may change his mind before the next election. Secessions and unifications of States are exceptional within societies, while they are common in the world of free software or open source. Software developers are used to the idea that they may fork a project, often because they do not want to share the work of theirs that includes this software project. They may, for example, consider that their input adds value to their software and not want their competitors to replicate this value too easily.
Software developers can be dedicated to a free or open-source project without feeling that they have a duty to do anything for anyone. Security issues may arise with any device regardless of the software license. Cooperative resolution of security issues does not only take place in open-source projects. Hardware manufacturers and public entities often react swiftly to protect the general public.2 An open-source project supported by a dynamic community of contributors can spot issues very quickly because anyone can have a look at anything, whereas a company that deals with its software internally will probably be reluctant to show the inner components of its work, to prevent people from exploiting its weaknesses. A piece of software has multiple weak points; the open-source approach and the all-rights-reserved one are two opposite ways of addressing the same issues. One can see that open source can solve security issues effectively, but that a team of dedicated people is needed to monitor changes to the software and to its environment. A single person cannot reach the same level of awareness. It is tempting to reuse some free or open-source material to add a function to another piece of software. People may also be tempted to combine inoffensive source code with malicious code that is harder to notice. Similarly, people who wish to launder dirty money often try to mix it with clean money to go unnoticed. A recent security issue was raised by a developer who noticed that a popular compression tool caused an unexpected performance regression. The source code of XZ Utils had been inserted in a malicious package which contained a backdoor that could be used to intercept data.3 Software developers who want to implement a piece of software often look for a package that contains that piece of software. The software does not come as a standalone piece of source code but is included in a package that is more convenient to use.
A package can contain a malicious piece of code that interacts with the component people are looking for. XZ Utils was working fine, but the backdoor was also consuming resources. The workload caused a performance regression. This is a rough description since, as in money laundering, the use of the backdoor involved several intermediate operations. Few people will suspect a tool designed to compress and decompress files of intercepting data. Moreover, it is obviously easier to distribute a malicious package of a well-known piece of software than the malicious code itself, since developers are less likely to integrate the latter into their own work.
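The two paragraphs above describe the defender's problem: the component one wants is wrapped in a package, and the package may carry more than the component. One routine check an integrator can run is to pin the hash of a reviewed release archive and to compare the archive's file list and contents against the project's version-controlled source tree, so that anything shipped only in the package stands out. The script below is an added example written for this post; it is not code from XZ Utils, from the post's author, or from any package manager. The repository tree, the release archive and the extra file are all constructed in memory so the script runs offline; the names are illustrative only.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed sample data: a version-controlled source tree and a distributed
# release tarball. The tarball carries one extra file absent from the tree.
REPO_TREE = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "src/compress.c": b"int compress(void) { return 0; }\n",
}
RELEASE_TREE = dict(REPO_TREE)
RELEASE_TREE["m4/extra.m4"] = b"# constructed: a file shipped only in the tarball\n"


def build_tarball(files):
    """Pack a {path: bytes} mapping into an in-memory .tar.gz and return its bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_pinned_hash(tarball, expected_hex):
    """True only if the archive matches the digest recorded when it was first reviewed."""
    return hmac.compare_digest(sha256_hex(tarball), expected_hex)


def tarball_members(tarball):
    """Return {path: sha256} for every regular file inside the archive."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = sha256_hex(tar.extractfile(member).read())
    return out


def compare_with_repo(tarball, repo_files):
    """Report files present only in the archive, only in the repo, or with differing content."""
    dist = tarball_members(tarball)
    repo = {path: sha256_hex(data) for path, data in repo_files.items()}
    return {
        "only_in_tarball": sorted(set(dist) - set(repo)),
        "only_in_repo": sorted(set(repo) - set(dist)),
        "modified": sorted(p for p in set(dist) & set(repo) if dist[p] != repo[p]),
    }


if __name__ == "__main__":
    release = build_tarball(RELEASE_TREE)
    pinned = sha256_hex(release)  # in practice: the digest recorded at review time
    print("pinned hash ok:", verify_pinned_hash(release, pinned))
    for key, paths in compare_with_repo(release, REPO_TREE).items():
        print(f"{key}: {paths}")
```

The hash check only proves that the archive is the one somebody reviewed earlier; the tree comparison is what surfaces material that exists in the package but not in the repository, which is exactly the place where an integrator who only ever reads the repository will not look.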
People who praise open source or free software may forget that there is no freedom without liability. In real life, one is exposed any time one does anything to anyone. This does not mean that one will be held liable for anything done, nor that one will have to pay damages. Software developers are citizens of a given country and behave according to applicable laws. A British Court of Appeal has ruled that if some people had more influence over a Bitcoin network than others, they might owe a fiduciary duty to a user who lost the private keys that enabled him to transfer his cryptoassets.4 This is no surprise to you, since you behave responsibly and you know that if, for instance, you rely on tools provided by a Tech giant, you are likely to depend on its infrastructure.5 You may also be held liable for your integration of a piece of software that is not yours.
In brief, any time you do not conceive a solution that really meets the needs of your clients or users, you restrict your autonomy and may be held liable for the legal consequences of technical choices that are not yours.
- See for instance National Cyber Security Centre (UK), ‘APT28 Exploits Known Vulnerability to Carry out Reconnaissance and Deploy Malware on Cisco Routers’ (18 April 2023) https://www.ncsc.gov.uk/news/apt28-exploits-known-vulnerability-to-carry-out-reconnaissance-and-deploy-malware-on-cisco-routers accessed 23 April 2024.
- See Goodin D, ‘Backdoor Found in Widely Used Linux Utility Targets Encrypted SSH Connections’ (Ars Technica, 29 March 2024) https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/ accessed 23 April 2024.
- Tulip Trading Limited (A Seychelles Company) v Bitcoin Association For BSV & Ors [2023] EWCA Civ 83 [86].
