Should open source sniff the geopolitical wind and ban itself in China and Russia?
Can it even do that? And does FOSS deserve an exemption to sanctions?
Opinion In 2022, information technology collided with geopolitics like never before. After Russia's illegal invasion of Ukraine, many nations decided that Vladimir Putin's regime and populace should be denied access to technology and even to services from the companies that make and wield it.
The USA, meanwhile, extended its restrictions on technology exports to China, citing its belligerence and repression of human rights.
The bans appear to have been somewhat effective: China and Russia both started efforts to replicate technology they could no longer easily, or legally, obtain.
Yet plenty of sophisticated top-tier tech still crossed their borders because open source code still flows around the world unimpeded.
Which got me wondering: should open source contributors, and the organizations that facilitate their work, consider the positions their governments adopt? Should they be concerned that their efforts are being used for nefarious purposes? Might they be restrained from doing so? If they did want to limit distribution, how would that even work, license wise?
I asked the Linux Foundation and The Apache Foundation to comment on these issues.
The Linux Foundation declined to comment and then did not reply when I asked why it had declined to comment. The Apache Foundation did not reply.
The US government, however, is in no doubt that open source projects can and should be subject to its sanctions: in August 2022 the US Treasury's Office of Foreign Assets Control (OFAC) added a tool called "Tornado Cash" to its Specially Designated Nationals And Blocked Persons List (SDN list), a document that names entities with which US citizens are not permitted to do business.
The SDN list names terrorists, narcotics traffickers, and organizations known to support America's enemies.
Tornado Cash is a "mixer" that improves the anonymity of cryptocurrency and on GitHub bills itself as a "privacy solution for Ethereum." The US government says North Korea likes the privacy the tech affords and Pyongyang has used Tornado Cash to launder millions to funnel into weapons development.
GitHub implemented the US Treasury's sanctions by removing the Tornado Cash repository, before restoring it in read-only mode.
Some in the open source community have also addressed the ethical implications of FOSS.
Open source advocate Coraline Ada Ehmke in 2020 delivered a speech titled: The Rising Ethical Storm In Open Source [webm].
In the speech, she opined: "Open source software today is playing a critical role in mass surveillance, anti-immigrant violence, protester suppression, racially biased policing and the development and use of cruel and inhumane weapons."
"And open source's complicity isn't a bug. It's a feature," she added. "This is actually by design. The open source definition allows for use of software for any purpose including specifically for evil."
Ada Ehmke went on to argue that open source developers cannot ignore their social responsibilities.
"I believe that as technologists we have a moral imperative to prevent our work from being used to harm others," she said.
She's put that belief to work in a set of ethical licenses that resemble conventional open source licenses but add restrictions on activities such as acts of war or "surveilling or tracking individuals for financial gain."
Others believe the FOSS should flow, regardless of geopolitics, because that's the purpose of FOSS.
"As an open source contributor, I never considered the technology to be used by authoritarian government, just like I haven't considered the technology to be used by every single type of government that exists in the planet," wrote Fagner Brack, co-author and a contributor to a project called js-cookie.
"It would have been impossible to control who's using the software and who's not," he added.
"Allowing authoritarian government to potentially use Open Source software is not something that I intentionally decided and also not something that pleases me. It's merely a side-effect of a free distributed system where the tradeoffs of not allowing authoritarian governments to use would mean to apply restrictions that would make access to the source code impossible and therefore destroy the idea of Open Source Software with all its other benefits."
Brack commented in his personal capacity, not as a community member or developer. "It's solely based on my experience as an Open Source researcher and not-for-profit developer," he told The Register.
OpenStack contributor Tom Fifield pointed out that open source software is often ubiquitous and used without acknowledgement so contributors and developers don't know where their code is used.
"Many small purpose-built projects are so ubiquitous that right now that they are in your car, your plane and even your Mars helicopter," he told The Register.
"For the overwhelming majority of the 12,000 open source developers whose code is running on Mars, they had no idea until NASA announced it."
He then asked: "If that autonomous helicopter was instead on Earth, and participating in armed conflict, is there feasible recourse?
"For most of those small projects there is not. Just as the manufacturer of a bolt cannot be expected to change behavior based on seeing a bolt almost but not quite entirely unlike theirs being used on military vehicles in a faraway land, the low-common-denominator open source software developer should not. The feasibility for acting is low, there is a highly indirect relationship with the nefarious use, and the effectiveness of acting is low."
- Apple accused of censoring apps in Hong Kong and Russia to maintain market access
- US adds 36 Chinese entities to naughty list, drops 25 after checking it twice
- China reportedly bars export of homebrew Loongson chips to Russia – and everywhere else
- Chipmakers cripple products to dodge US China ban
Fifield does, however, feel that developers of projects with obvious applications in war should act.
"What about a larger open source project that aims to provide an autopilot for drones? Drones have direct military applications, as we've seen in Ukraine. Drones also have innumerable civilian applications. A classic 'dual use' technology, the regular fodder for export restrictions regulations. It may be reasonable for developers of such software to consider nefarious use and take steps to avoid it."
But he worries it is hard to know where to draw a line.
"However, with software such as this, there becomes a point where it becomes commoditized. It seems like everyone has a domestic drone autopilot capability these days, or the ability to acquire one commercially. Does providing another, albeit potentially cheaper, drone autopilot to market have an outsized effect in military operations? If the software facilitates significant civilian use, but the impact elsewhere is moot, should developers have to act?"
Fifield, and others we spoke to for this story, also pointed out that open source software is designed to be copied and shared. If one Git-as-a-service operation takes it down, that won't and can't stop those who already have the code from sharing it or making downloads available elsewhere.
He pondered a further step – "collecting personal information prior to download, or requiring manual approval by the developer prior to download."
But he feels those are bad ideas because it would inevitably restrict distribution, deter contributors, and therefore reduce the viability of FOSS projects.
Fifield thinks it would also weaken FOSS projects.
"Fewer developers and fewer people with access to the code base undermine one of the traditionally-touted benefits of open source – that anyone can analyze the source code for flaws."
Another issue that came up in my chats with developers is dependencies because if one piece of code is banned, myriad projects could fail as a result. Regulators can surely imagine what would happen if banning widely used code caused pain for business and government users.
Or perhaps they don't need to worry about FOSS at all.
Brian Prentice, a member of analyst firm Gartner's CIO Research Group, argued that open source alone only gets an organization so far.
"There is not much unadulterated Linux," he said. "The reality for a lot of FOSS is it sits there as a base" made usable by for-profit businesses.
"Whether or not Russia could build its internet on unadulterated FOSS is debatable."
"Huawei is forking Android," he added. "It doesn't mean that a fork of a baseline Android will get you a competitive solution."
Prentice also pointed out that open source exists, and thrives, because organizations realize they must create their own digital goods or become beholden to a value chain dependency.
His view is that Google created Android so it would not have to follow rules set by an operating system vendor. Facebook, he said, has just realized how badly that plays out as Apple changed its privacy rules and kicked a $10 billion hole in its annual revenue.
Geopolitics, he said, won't stop entities – including nation states – from realizing that open source is the way to encourage development of the digital goods they need.
And even nation states can't kill open source because it's a license, although the tale of Tornado Cash shows nations can make it harder to access and modify open source projects.
Let's end with a hypothetical: in late 2023, China announces a CPU built on the open source RISC-V architecture that outperforms anything else on the planet, plus its own version of Linux designed just for the silicon.
Xi Jinping proclaims that this chip has already allowed it to accelerate its development of AI to exceed the nation's 2030 goals, in applications such as missiles capable of evading all known air defenses, which he proves by sending three of the missiles over Taiwan at low altitude.
What do the open source community and governments do then? ®