Chapter 11½ - Ethics & Copyright #
Programming is awesome. If you get into creative coding, you’ll be able to use it to make art. You’ll likely use it to automate tasks you find boring. If you’re like me, you might use it to make your own website or start to make products you intend to sell. That’s great. But there are a few things you need to consider as what you make becomes more professional. If you’re just making something for you and a few friends, don’t worry about it: hack it together and have fun. But as you start making things for a business, or things that impact systems that are deeply meaningful in someone’s life, you need to be careful.
The Code I’m Still Ashamed Of is great. Ever since I read it, it has come back to me every now and then. And sure, it’s a pretty extreme example, but it’s also a lot easier to end up in that kind of situation than you’d probably like to think.
I do want to highlight Software Bugs That Cause Real World Harm by @Love2Code too. She makes a fantastic point about how something as simple as an alarm clock app failing can have disastrous consequences.
There’s a pretty big list of considerations you should keep in mind when what you’re making starts to grow in impact, but honestly most of them just come down to being as empathetic and good a person as you can.
User Data & Privacy #
- Is user data secure?
- Do users have control over their data?
- Do users have a way to export their data?
- If this data were leaked, what would the impact be?
- Should the users have deniability? (Soatok.blog)
- Can the code be open source?
- Is there an open API?
  - Maybe what you’re making can’t be open, but interaction could be. Sorta like having 3rd party Twitter or Reddit apps.
Development Considerations #
- Does it rely on other tools or libraries that don’t follow these ideals?
  - ᶜᵒᵘᵍʰ Windows ᶜᵒᵘᵍʰ
- Have you given credit to any tools or libraries you depend on?
- Have you given funding to any of those tools, if you’re making money off of them?
- Have you contributed code to any of them?
- Do you really need to use that library?
  - Every library is a threat vector
  - … at the same time, not using industry standard stuff can be bad. For example, you probably shouldn’t ever use your own cryptography code.
Localization #
- Can users in other regions still use it?
  - Qwerty isn’t standard everywhere, and neither is left-to-right text.
- Does it comply with local laws and regulations?
  - Not all illegal services are morally wrong; take Sci-Hub, for example.
- Does it force units of measurement?
Monetization #
- How is copyright infringement handled?
  - This gets very complicated; read more in Philosophy: Copyright after finishing the Copyright section focused on code specifically below!
- If something in what you’re making is paid, is Purchasing Power Parity an option so that users in less fortunate areas can still have access?
- If you know what you’re making will be pirated, can you release a ‘Here, but seriously please pay me’ version?
User Experience #
- Can differently-abled people still use it?
  - Color Blindness?
  - Hearing Impaired?
  - Bad vision?
    - Super tiny text
  - Motion? Flashing Lights? Light sensitivity?
- Are the elements of interaction standard / automatable?
  - This largely ties into differently-abled access
- Does it really need to use as many resources as it does?
  - Could it still work if your internet was 100x slower?
  - Could it still work if your internet was spotty?
  - Could it still work if your hardware was 10 years older?
- How long does it take a user to find a feature they know exists without help?
- Avoid ‘Dark Patterns’
- Don’t use stupid progress bars
Social Duties #
- Can it be used for Hate Speech? Spreading misinformation?
- How does content moderation work?
  - How does this conflict with free speech?
  - Does it matter that it does?
- Can it be used for exploitation of vulnerable people?
  - The elderly? Children? Those in abusive relationships?
- Does it make assumptions about social norms?
  - Does it assume something about FirstName LastName naming conventions?
  - Does it assume binary sex/gender fields? Does it assume hetero relationships?
Here’s a nice video from TomScott on this topic:
The Rise of User Hostile Software (Den Delimarsky) and Hacker News Comments
CAPTCHAs don’t prove you’re human - They prove you’re American
Stop over validating your forms
Moral Machine - “A platform for gathering a human perspective on moral decisions made by machine intelligence, such as self-driving cars.”
[TODO] Racist AI, Deepfake loods
[TODO] Amazon Demands Echo not be referred to as a Microphone (Jason Koebler on Twitter, from Vice.com)
Open Source, Licenses, and Copyright #
Open source enables a development method for software that harnesses the power of distributed peer review and transparency of process. The promise of open source is higher quality, better reliability, greater flexibility, lower cost, and an end to predatory vendor lock-in.
- The Open Source Initiative Mission Statement
Disclaimer #
I am not a lawyer, and neither are any of my contributors to this section. This is not legal or financial advice.
To Begin #
So you’ve decided to make your project open source. Great! Before you publish anything, there are two things you should do.
First, decide on a definition of success for your project. There is more than one, and open source is all about community. Establishing community rules and expectations early is critical.
Second, decide on a license. That’s what this section is about.
A license defines the legal terms you will bind your users and contributors to under copyright law. If you release code to the world without specifying a license, it is extremely unclear what people can and cannot do with your software. In fact, it would require actual IP lawyers to untangle exactly what they are allowed to do, and it might be different in different countries!
Fortunately, this is largely a solved problem for open source. Other organizations have already hired lawyers in the past to do the heavy lifting, and have allowed anyone who wants to create an open source project to copy their license text and apply it to their own works.
A good starting point to address both of these can be found by asking yourself:
- Is control of the project’s future important? Or do I simply want it to be available to anyone?
- If someone else (perhaps a Fortune 500 company) were to use my software in a proprietary product to make money, would I want some?
- Who are my contributors and why do they contribute?
The next section will address how licenses can help support your intentions.
Choosing a License #
Except for edge cases, there are really only three options you should consider:
- If you want to encourage maximum adoption among a variety of users and contributors, use the Apache 2.0 Software License.
- If you want to encourage a hobbyist/community focus and prevent its use in proprietary software for profit, use the GNU Affero General Public License (AGPL) v3.
- If you want to release it “as is” and don’t care about its future, consider a Creative Commons Zero Public Domain Dedication.
These choices are explained in detail below.
Strong Copyleft: the GPL and friends #
The Free Software Foundation envisioned open source software as a collaborative community. To keep it that way, they basically wanted everyone who used the software to become a part of that community and share.
They created the term copyleft to capture this principle:
Copyleft is a general method for making a program (or other work) free (in the sense of freedom, not “zero price”), and requiring all modified and extended versions of the program to be free as well.
While I mentioned making money earlier, the GPL does not forbid profiting. Instead, it forbids closed source software based on the business model of “trade secret.” In practice, though, this means most of the people who turn a profit from software can’t use it.
The license also goes to great lengths to make sure that other areas of law cannot be abused by the covered software. For example, in the United States, a patent troll could use your software, discover it contains a software “invention” they hold the rights to, and sue you and all of your users. Even though you wrote it, and don’t even know who they are!
If you think this sounds far-fetched, it isn’t. The craziest things have been patented, and patent lawyers are extremely expensive — even by the standards of other lawyers.
The main drawback (and main source of pushback on the internet) is the way this license interacts with other software. Because the GPL requires that all the same rights be included in the software you distribute, creating software out of both GPL and non-GPL code binds your users to terms that may be confusing, or in the worst case, impossible to follow.
The Free Software Foundation has given their own legal analysis of common licenses, and whether they are GPL compatible.
Weaker Copyleft: Apache 2.0 #
The Apache Software Foundation exists as a charity to give its software away for the greater good. As a result, it is also a copyleft license, using the terms to encourage use and distribution instead of restriction. Unlike the GPL, it does not require its downstream users to be just as open. In particular, they may use it in closed source software and turn a profit.
This is one of the “least political” licenses in the license debates, and is a safe default if you really don’t know what to do about licensing.
Other Licenses: BSD, MIT, X11, Oh My! #
There are other, much shorter licenses that seem similar to the Apache 2.0 License in spirit. However, I don’t recommend them, and will explain why.
Common other open source licenses include:
- The MIT license
- The BSD license, which comes in flavors. The most common is the “2 clause” version.
- The ISC license.
- The Unlicense (auto-suggested by GitHub for option three instead of CC0)
These licenses probably look okay to non-lawyers, and are designed to provide maximum flexibility. However, they have other problems.
First, they lack the protections of the Apache 2.0 and GPL family of licenses against patent trolls.
Second, they may not have been examined by non-US courts. Aside from the Unlicense, which relies on the US public domain, the liability protections in these licenses may not fit with product liability law in Europe.
If you still don’t like any of the three recommended options, the Free Software Foundation has given their own legal analysis of common licenses, whether they are GPL compatible, and any flaws in their opinion. It is worth reading before choosing anything else.
Special Case: Cryptography #
If you are writing your own cryptography and live in the United States, there are extra legal steps you have to take. This has to do with the history of The Crypto Wars.
But you know what? I’m not going to talk about it. It’s a bit murky without actual lawyers, but more importantly, you shouldn’t be writing your own cryptography, period. Seriously. Don’t do it.
Just use the open source algorithms placed into the public domain already. Let Bruce Schneier, Dan Bernstein, and other famous cryptographers worry about export regulations, and just use their stuff.
If you are trying to write your own cryptography to learn, I recommend doing the Cryptopals Crypto Challenges instead. If that’s not enough, do A Self Study Course in Block Ciphers by Bruce Schneier.
You will learn more, and avoid regulations, mockery, and public facepalms all over the internet.
What if I don’t have a project? #
Simple: contribute to someone else’s! That’s what makes open source work!
[TODO] actually contribute on GitHub, make an issue, submit a pull request, make a custom repo,
Links #
Setting new expectations for open source maintainers
How to break the Internet: Cory Doctorow at TEDxOxbridge (YouTube)
https://github.com/Marak/faker.js/issues/1046
No, “Open Source” does not mean “Includes Free Support” + The update to that post.