The AGPL & Web Services

Authors: Lloyd Hardy, Richard Stallman

Revision: 0.6 (2014/12/22)

 

7.0 – The AGPL & Web Services


The GPL offers us one method of releasing Free Software in a way that ensures its freedom cannot be compromised by its incorporation in Non-Free Software. The protection of the GPL does not come into effect until the software is 'distributed' to a user. 'Distributed' may mean when it is downloaded to a hard-drive or copied to a CD, DVD or USB storage. Other methods of distribution may include software deployed in an embedded controller. However, software that is used across a network (via an Intranet or the Internet) is not classified as 'distributed' under the terms of the GPL.

To address this 'network-distribution', the Affero General Public License (AGPL) v3 was created. The AGPL v3 contains a clause that extends the requirement to provide the source code even when the software is interacted with across a network. This is an interesting and highly relevant issue and we will explore the advantages of using the AGPL for licensing software which may be used on a server. Of course, simple distribution of the source code of software does not, alone, offer the 4 freedoms of Free Software. There are other threats to our freedom that are not addressed by this additional clause.

 

7.1 – Affero GNU General Public License v3

The AGPL v3 stipulates that: “...if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software.” [1]

This clause, additional to the GPL v3, means that the user should be able to access the corresponding source when using the software across a network. Simply having access to the source does not, of course, mean that the software being used is free. It does mean that it is free to be studied, and this has greater significance than the ability to study the software alone. For example, some web applications use software distributed across more than one web server from different vendors and others are entirely self-contained. The AGPL allows us to identify into which classification the software we are using falls.

 

7.2 – Web-Based Software

As our use of the Internet increases, we are beginning to take advantage of the possibilities of a networked world. This is a good thing for mobility, access to information and remote automation of mundane tasks. However, if not carefully considered, remote software can be a bad thing for computing control, privacy and software freedom.

Web browser-based software is fantastically useful. However, if you are using software remotely you might ask the following questions:

 

  • Who is in control of the software?
  • Who is in control of the hardware it is running on?
  • Who has the right to modify the software in the entire stack?


You need to know that the answer to these questions is 'you' before you have freedom. In addition, you might ask the following:

 

  • Where is the data stored?
  • Where is the data processed?

 

These questions may be answered in part by the implementation of the AGPL. The AGPL allows us to see whether or not third-party servers are used in the code. If they are not then we know that our data is processed on the server which we have control of, as long as the first 3 questions are answered with 'I do'.


7.3 – Web Services

As the Internet matures and development becomes more abstracted, developers may begin to use web services more frequently. Web services can provide a short-cut to various programming tasks – such as a mathematical calculation or the parsing of a document. Some web services offer the retrieval or submission of data. Importantly, web servers operate from server to server – as opposed to browser-based software which mainly receives user input. Any software on a server may utilise third-party web services; however, the user's freedoms are at risk.

If we take an example where software is released under the AGPL, we would be able to see which web services are used in a web application. However, we would not be able to see which subsequent web services those web services may use, unless they also provided us with source code – for example, by also being released under the AGPL.

With web services we must consider that we relinquish control of processing over to the server we are calling. If our application uses this as a critical component, then as developers we are vulnerable to the whim of the administrator that controls the providing web server. In some cases this may not be as big a risk as in others.

For example, the task of parsing an entire document or providing an interactive map to users poses an array of concerns, from freedom to privacy, legal jurisdiction and computing control. A service that synchronises time does not pose the same risks at the same level – however, it may be a risk to privacy, depending on what is done with the information used to make the request (e.g. IP address, time of request, computer name etc.).

As a rule, if data is being processed remotely from you, you are using an application and you should be able to enjoy the freedoms you enjoy with free software locally. That generally means having control over the remote server.

 

7.4 – Public Software Peer Review & Upstream Changes

While not a software freedom issue, one additional benefit of the AGPL is peer review and software development. This benefit is more relevant to the philosophies of the open source software movement. We can expect that compromise of web-based software would be much faster and simpler with access to the source code. However, we could contend that this will also mean more rapidly developed software and a higher level of quality and security in the software. When we are not free to study, modify and distribute our modifications, this concern of 'openness' is not positioned to thrive. It is software freedom that gives us the opportunity to benefit from better software evolution. Without freedom, we are restricted in our activities.


7.5 – Public Networked Copyleft : Mass Effect

The major benefit of the AGPL as opposed to the GPL is the 'Networked Copyleft' effect of using the AGPL v3. GPL software may be used to provide a web-server-based service (for example an office suite) that the user has no control over. Much worse than proprietary software, this software and hardware may provide the user with no control whatsoever over their computing. The most worrying consideration is that the work of perhaps thousands of Free Software developers can be used to provide a service which strips users of their freedoms, under the ambiguous name of 'Software as a Service' or 'Cloud Computing'. These are terms which do not describe the destructive nature of the software which they are often representing. To take a user's freedom away with the hard work of Free Software developers surely must be the worst thing a service provider can do.

The AGPL begins to solve this problem by not allowing the service provider to be secretive about the code used to provide the service, and by requiring them to distribute their changes where the service is offered to users in public.


This means that other developers can use this software and users can download and install the software locally. It means that the modifications and enhancements cannot be non-free. AGPL v3 enforces copyleft, even when the software is distributed over the network. It also raises awareness about Free Software. It does not solve all of the problems of freedom, computing control and privacy – but it does go significantly further than the GPL alone, which leads us to the conclusion that the AGPL is a vital tool for the deployment and concurrent distribution of Free Software online.


References

[1] http://www.gnu.org/licenses/agpl-3.0.html (Accessed: 2010/00/00)

