Is Your Open-Source Code Fueling Human Rights Abuses?
This story is the first in a series on cultural battles facing the open-source community. You can read the second article, on governance, here, the third article, on the rights of end users, here, and the fourth article, on open-source incentives and the trajectory of #EthicalSource, here.
* * *
People generally agree that open source has problems — but what those problems are depends on who you ask.
If you ask Ruby developer and activist Coraline Ada Ehmke, the problem is ethics. Open-source developers can’t prevent organizations from using their code to unjust ends, and community leaders haven’t drawn moral boundaries around the use of their repositories.
According to author and media studies professor Nathan Schneider, the problem is governance. Open-source communities are largely monarchial — one leader with no term limit. Beyond that, they’re loosely organized. In the absence of official community structures, unofficial ones form, sometimes to the detriment of contributors, Schneider said.
Open-source consultant Tobie Langel talks about a disregard for end users. Open-source technology affects the lives of average people — why is there nothing in place to protect them?
Philosopher-engineer Don Goodman-Wilson pointed to big business. Corporations can take open-source code and use it to turn huge profits. Contributors to the original codebase don’t see a dime.
Ehmke, Schneider, Langel and Goodman-Wilson are among the people at the forefront of the Ethical Source Movement, which Ehmke founded. Their interests differ, but their goal is the same: to create an open-source ecosystem that is, in their view, more just.
Some open-source advocates think people like them are the problem.
How Open Source Took Over
Open-source code shows up everywhere — from household-name apps to military software. So what happens in open-source spaces affects the technology industry as a whole.
But that wasn’t always the case. To gain mainstream acceptance, free software advocates fought a long battle against corporate interests, finally establishing open source as the cutting edge of software development. (Consider: Microsoft, once one of free software’s staunchest opponents, now owns GitHub, the primary platform for open-source development.)
To win that uphill battle, free software trailblazers relied on a few de facto values.
One was meritocracy: May the best code win. This attitude pushed projects forward quickly, leading to indispensable software like the Linux kernel, which powers operating systems around the world.
Another was neutrality. Technological historian Melvin Kranzberg’s first law of technology states: “Technology is neither good nor bad; nor is it neutral.” Free software took a less nuanced approach, placing no limitations on the types of software its contributors could create, or how that software could be used. From a moral standpoint, technology was treated as neutral.
A third was volunteerism. Open-source contributors usually aren’t paid for their work. Many contributors add to projects as part of their day jobs. Some work for the enterprise arms of open-source projects. Others are there purely out of interest in the technology or a desire to build their resumes.
In the past few years, however, open source saw a series of shake-ups that called these values into question.
In 2018, for instance, Amazon Web Services added MongoDB, an open-source database project, to its suite of product offerings. MongoDB didn’t make any money from this addition. So, the project changed its license in an attempt to require Amazon to open-source the code for the rest of its services.
A few months later, AWS unveiled Amazon DocumentDB, a program similar to MongoDB but built with AWS code. DocumentDB implements the open-source MongoDB API and is designed to “emulate the responses that a MongoDB client expects from a MongoDB server,” according to the AWS website.
This didn’t sit well with MongoDB owners who wanted a slice of the financial pie, nor with the contributors who watched the project shift toward a more proprietary license without consulting them or setting up a remuneration plan.
“It made me feel like there was something to this, that the creators of software are disempowered when it comes to how their software will be used.”
In 2019, tech writer Shanley Kane uncovered a $100,000 contract between software automation company Chef and U.S. Immigration and Customs Enforcement (ICE). After seeing Kane’s tweet about the contract, Seth Vargo, a former Chef employee and author of several related open-source libraries, deleted his code in protest. Vargo, presumably, did not feel neutral about ICE’s policies and practices, and he wanted control over how his code was used.
For Ehmke, Vargo’s reaction spoke to a broader sentiment.
“It made me feel like there was something to this, that the creators of software are disempowered when it comes to how their software will be used,” Ehmke told Built In. “I saw that as a problem.”
So, she wrote the Hippocratic license, a software license that prohibits the use of programs for human rights abuses under the United Nations Universal Declaration of Human Rights.
The license was not ready, nor intended, to be adopted in its first form, Ehmke said. Rather, it was meant to serve as a “lightning rod” to start conversations about the intersection of software and social justice.
And it did. A few months later, Ehmke started the Ethical Source working group, which now has more than 150 members. The group worked with a legal team to legitimize the Hippocratic license, currently in version 2.1, and began advocating for its adoption. It also put forth a seven-point Ethical Source definition, which addresses issues like user safety and contributor compensation.
Objections to Ethical Source...
Ehmke is no stranger to controversy — her Contributor Covenant, a document laying out the boundaries of acceptable behavior for open-source contributors, had plenty of detractors. (It’s now been adopted by hundreds of thousands of open-source projects.)
Not everybody loves Ethical Source, either.
In February, Open Source Initiative co-founder Eric Raymond re-joined the OSI mailing list after a long hiatus. Within days, he publicly accused Ehmke and other Ethical Source supporters of attacking the “best features of the open-source subculture” with “identity politics and vulgar Marxism.”
Raymond was subsequently banned from the list — his message contained personal attacks against Ehmke. But he’s not the only one who sees Ethical Source as an undesirable paradigm shift for the open-source ecosystem. The Hippocratic license goes against the OSI’s definition of open source, which restricts discrimination based on “field of endeavor,” as well as the Free Software Foundation definition, which grants users “the freedom to run the program as [they] wish, for any purpose.”
For many open-source participants, that’s a dealbreaker. The free software movement was revolutionary in part because it sought to give users power over their programs and freedom from the control of developers. Even after free software rebranded as “open source” to better fit with corporate interests, freedom of use remained a central tenet.
“Ms. Ehmke can get what she wants by lobbying for better law, and in that would have my support.”
Bruce Perens, who led that rebranding as a co-founder of the OSI and penned the Open Source Definition, published a blog post last September titled, “Sorry, Ms. Ehmke, The ‘Hippocratic License’ Can’t Work.”
In it, he laid out a number of objections to the license — mainly, that copyright law isn’t the right place to punish unethical conduct. Perens argued that, unlike criminal or civil laws, Ehmke’s license is unenforceable, and its mandate to avoid harming underprivileged groups is too slippery.
“Ms. Ehmke can get what she wants by lobbying for better law, and in that would have my support,” he wrote.
Other commentators raised different concerns. Kevin Fleming, who works in the office of the CTO at Bloomberg, told TechTarget that, for companies in certain sectors, the Hippocratic license would be an impossible obstacle.
“None of us are saying that we want to violate anyone’s human rights or that any of our customers want to violate human rights,” Fleming told reporter Beth Pariseau. “But if we were to build into the license agreement for software that we sell to banks something that said, ‘By the way, you have to agree that you will never do anything that the U.N. would classify as a human rights violation,’ they would never use our software — legally, they can’t take that risk.”
Even Heather Meeker, the lawyer who represented MongoDB when it put forth a new license, the Server Side Public License, to protect its programs from Amazon, doesn’t consider herself an Ethical Source supporter.
“I am simply rarely inclined to impose my views on particular issues of the day upon others,” she wrote in an email to Nathan Schneider, which he included in a 2020 paper. “Personally, I prefer software authors to have choices. I just want them to have good choices instead of bad choices.”
...and the Rebuttals
Despite detractors, Ethical Source has gained traction, fueled by a growing group of developers dissatisfied with the open-source status quo.
In February, Langel posted a poll on Twitter, asking, “What do you think about adding a clause to the [popular open-source] MIT license that forbids using open source in violation of human rights?”
More than 1,200 people responded: 51 percent were in favor, 19 percent thought it would never work, 15 percent wanted more information and 15 percent supported the FSF’s freedom of use.
In March, Ehmke and Langel both ran for OSI’s 2020 board election on an Ethical Source platform. Neither won a seat, but together they earned support from 35 percent of voters.
As for critiques of the movement, Ehmke has an answer for everything.
No, the Hippocratic license may not hold up in court, she said. But that’s not unique.
“That’s really no different from the first open-source licenses,” Ehmke said. “Those are still being tested in court.”
In fact, the Hippocratic license was purposely designed not to go to court, but instead to require arbitration based on the Hague Rules.
“We don’t want to have a U.S. judge trying to make a determination if an act by a company like Amazon is a human rights violation, because that’s not really their jurisdiction. Human rights laws vary from country to country,” she said. “We don’t want this to go to court because corporations have every advantage in a court setting. In the end, the project maintainer, the owner, the creator, is disempowered unless some Good Samaritan comes along and offers to pay the legal fees.”
“Bruce Perens was talking about the gray areas, but what I’m more focused on are the extremes.”
Yes, Ehmke said, ethics often involve areas of gray, as Perens’ blog post noted. But this isn’t about those areas.
“Bruce Perens was talking about the gray areas, but what I’m more focused on are the extremes,” she said. “The Universal Declaration of Human Rights was ratified in 1948. It was a global effort. It’s what we’ve all agreed on as a baseline set of human rights and values. And there’s nothing slippery about that.”
And yes, it would often be impossible for developers to predict the ultimate uses of the technology they’re building.
“But that’s no excuse to be lazy,” Ehmke said. “People are working on deepfake technologies, without appearing to give a damn about how that’s going to be used and abused. Why are we even creating that technology? And is anyone actually asking that question?”
As for Fleming and other corporate leaders worried about what the Hippocratic license would do to relationships with clients and prospects?
“I don’t want my software used by a bank that is scared of making that guarantee, and I really wonder why [Fleming] would want to do business with them,” she told TechTarget.
Who’s in Charge Here?
The battle surrounding the Hippocratic license isn’t the only front in what’s been dubbed an open-source culture war.
Some open-source companies and project owners are scrambling for new, source-available licenses that protect their intellectual property from large competitors while still making their code shareable. Chinese developers created a license that compels companies to comply with local and international labor laws, like overtime pay. Many argue these licenses are not in the spirit of open source.
At the same time, developers are calling for a more diverse and inclusive open-source community. Open-source contributors are 95 percent male, and leadership is largely white. Open source’s loosely structured governance — and its expectation that contributors have the time to work for free — has likely contributed to the man-heavy atmosphere, according to Schneider.
Google, meanwhile, called trademark management the “next great challenge” in open source.
Some of these efforts intersect with Ehmke’s. But she’s staying focused on perhaps the biggest question the free software movement has still to answer: Who’s in charge here?
“We are absolutely an existential threat to a lot of people’s worldviews.”
For her, the answer is developers — not companies, not licenses. According to Ehmke, developers, not the OSI or FSS definitions, determine what is and what isn’t open source. And many developers want to know that their efforts are supporting projects that help their contributors and end users instead of harming them.
“Developers have choices in the projects we decide to contribute to,” she said. “One thing I hope the Ethical Source definition does is give people some criteria for evaluating the projects they could potentially donate their free labor to.”
The Ethical Source definition calls for free and open code. It also calls for just communities, safe and accessible software, user privacy and fair compensation for maintainers. It’s not apolitical, as open source often purports to be. It’s not libertarian, as official open-source definitions may actually be.
It’s something that is — for better or worse — new.
“We are definitely going after the status quo, because the status quo is harmful. A lot of people are invested in the status quo; a lot of people are successful because of the status quo,” Ehmke said. “We are absolutely an existential threat to a lot of people’s worldviews.”
* * *
Editor’s Note: An earlier version of this story stated that Amazon created a new database product in response to MongoDB license changes. The story has been updated to reflect that DocumentDB was already in progress at the time.