An interview with Eben Moglen
Ice in the Wintertime
Few have had a closer view of the Free Software revolution than Eben Moglen, former lead counsel for the Free Software Foundation and founder of the Software Freedom Law Center. We asked Moglen about the legal basis for the GPL's famous copyleft protection and the long, steady effort to tell the world about the benefits of free software.
Linux Magazine: You started out with the Free Software Foundation (FSF) a little after the first GPL came out, right? So you weren't around at the founding.
Eben Moglen: GPLv2 was released in July of 1991. Around that time, I began working with a fellow called Philip Zimmermann, who had created a program called Pretty Good Privacy (PGP), which the United States government considered to be mutinous because it was crypto software. And there was a criminal investigation going on, claiming Mr. Zimmermann had violated the Arms Export Control Act by making PGP.
I and some other lawyers were working for Mr. Zimmermann. I had a conversation with John Markoff of the New York Times about the situation, and I said that the right to speak PGP is like the right to speak Navajo, which is a Native American language the United States government used as a form of radio encryption during World War II. So, John published that statement in an article in the Times, and when Richard Stallman read the article and saw my quote, he thought I might be able to help him with a personal legal problem he had at that time, so he got in touch.
I told him I used Emacs everyday, so it would be a long time before he exhausted his entitlement for free legal help from me, so I helped him. By this time, I was a law professor, so I had stopped making software for a living, which I did from the time I was 14 until I was getting out of law school. I had worked for IBM for a good long while.
When I started clerking in federal courts after law school, I had to drop my employment relations with IBM. I clerked for Edward Weinfeld in the southern district of New York and then for Thurgood Marshall at the U.S. Supreme Court. When I took a teaching job at Columbia, one of the things I wanted to do with my time was to work on problems of technology and freedom, so I started looking around for work to do, and that is when I found PGP and Philip Zimmerman, and I thought, if I want to understand the agenda for technology and freedom in the 21st century (this was 1993), if there is one email address known to everyone on Earth who has a problem of computers and freedom, it's rms@gnu.org," and I had a feeling Richard would be able to help me figure out the big picture. So, I started to help Richard, and after a couple of years, I did conclude that, indeed, I saw what the big picture was, and the big picture was right under my nose: It was free software.
By that time, I was teaching at Harvard as a visitor in '94 and '95, and Richard and I could actually spend some time together. I said, look, you need a General Counsel. And so I went to work on all the various legal business of the Free Software Foundation. Richard told me that the most important task was bringing industry behind the Free Software idea, showing that copyleft was not only beneficial to users whose rights were secured and to programmers interested in "Freedom" like Richard and me, but it would be good for business also. So, I went to work trying to convince businesses of the value of Free Software. By 1999, IBM had come to see the value, and then Hewlett-Packard, and then we could really begin to get something done to change the way the world worked.
LM: Convincing businesses of the value of Free Software seems like less of a legal counsel thing and more of a spokesman or evangelist role.
EM: Of course, part of the question is, how do these arrangements really work and why should we trust them? The real task is to show people why the interest that they have and the interests that your people have coincide. Why it is that working together will work? The real task is in creating trust.
We have a trust economy that lies underneath and alongside what economists call the "real economy." The trust economy is actually primary, as everybody knows who talks about the effects of corruption and other forms of untrustworthy conduct in affecting economic and social globe. In the world we live in, although we believe very strongly in the rule of law, we don't sue about everything, and we don't have to. We don't actually have to sue people to get them to clean up their dog's mess on the streets of New York City. When I was a child, people let their dogs go wherever they wanted to, and we had to walk around it. After a generation of training people to pick up after their dogs, they do! Sure, there are some tickets out there given to people for not cleaning up after their dogs, but the number is infinitesimal.
Similarly with respect to Free Software; sure, underneath there's copyright, and that creates potential actions for copyright infringement for people who don't play by the rules of copyleft. But, fundamentally, what we're trying to do is create trust and reliability. The work was demonstrating to people – not merely describing but demonstrating – how it was that a nonprofit structure intended to create social benefit could turn out to be a totally reliable partner over which to work on matters that ultimately cost these businesses billions of dollars of investments and represents fundamental parts of their business strategy.
LM: Along with this work of reaching out to companies, were you also involved with legal actions? There were people back then who didn't think GPL was enforceable and just tried to ignore it, right? To what extent did you have to depend on litigation?
EM: Well, litigation was the last stop, and it took an awfully long time to get there. I started working for Stallman in 1993, and we didn't have to bring a lawsuit on behalf of anybody until 2006. FSF didn't have to sue anybody until around 2009. I never thought that litigation was the way that trust in the license was created.
When I went to work for Stallman in '93, Richard said "Never allow a settlement for compliance to be held up by a demand for damages," and I took that instruction to mean that, at the beginning of every call asking people to help us by complying with the rules, I could say the magic words "we don't want money." In fact, what I said to people for years and years was first, we don't want money; second, we don't want publicity; and third, we do want compliance. We don't need more, and we won't settle for less.
In other words, the question became, what is it going to cost you to comply? And we always tried to make clear to people that what it would cost them was basically ice in the wintertime. They were receiving valuable material, out of which they were making products or providing software to people, and we wanted them to observe the requirements associated with the materials. In situations in which we thought that there was a possibility of repetition of whatever the problem was we were working on, we asked the organization to appoint a compliance officer and to make it possible for us to communicate directly with that compliance officer so that we could talk to people directly if any recurring trouble came up.
So, basically, we settled everything on the basis that people would play right and distribute their bits in an appropriate way. The truth is it was a persuasion process. Almost never were we dealing with people who were really determined in bad faith to misuse our rights.
Sometimes in the early days we ran into problems. I worked on a problem for people who were just becoming my clients at the Samba project in 1995, in which we did have a bad faith infringer – somebody who was significantly engaged in making deliberate misappropriation of Samba – and we got those people to stop. We did that without going to court and without other kinds of expensive legal maneuvering, but we did what we needed to do, and sometimes I found myself in a situation where I needed to apply some pressure. But anyone will tell you that litigation is wildly wasteful and enormously cumbersome, and nobody wants to use it if they don't have to.
LM: So, if somebody misused the GPL and there was a lawsuit over it, would they be able to point to a legal precedent that affirms the validity of the GPL and the copyleft protection?
EM: See, it never really worked that way. And the reason it never really worked that way is that it's not the GPL doing the job; it's copyright law. The reason it is possible to have a very strong principle of copyleft without many resources behind it is that the copyleft itself is a permission. The GPL points out that it's not a license you have to accept unless you want to avail yourself of the freedoms that copyright law otherwise accords the author.
So, here's the situation: I write a program; copyright law says I have exclusive power to copy, modify, and redistribute this work. I say to other people, I will give you permission to do all the things that I can do and only I can do, but you have to agree to exercise that permission in the following way. I don't need to go to court and test whether or not I'm allowed to give permission. I don't need to go to court to test whether or not the permission I have just given is a permission that I have a right to give with the conditions on it. Because the copyright law gives me all the power; if I want to give less than all of it away, nobody is going to doubt that I have a right to do that. And when you break the rules, you're not just breaking the rules of the license; you are infringing copyright.
So, what you have on the other side is that copyright law has rules of injunctive relief and damages, as well as extra damages for intentional infringement. What really happens is you go to people and say, look, you know it's my client's program, nobody disputes that my client's program has a copyright on it, and if you want to do whatever you are doing you need permission. The only permission you have is GPL, so you better be within its terms. If you're not within its terms, you don't have any permission at all. That's why parties didn't want to go and litigate that; what are they going to say, "Judge I'm going to use this copyright program; he gave me permission. I'm not following the permission, but that's OK; I can do it anyway"?
The real point is the copyright law stands behind with a stick, and GPL comes forward with the carrot: you can do this, as long as dot dot dot.
That's why it was comparatively easy to get people to trust us, but there's one more piece of this. Under US copyright law, there is no copyright in an infringing work. So, suppose somebody takes GPL code and puts it in a wonderful proprietary program and goes out to sell it. I go to him and I say, "You know you're violating my client's rights, because you've got our copyright work in there and it's under GPL, and you're not following the rules." Now what I'm really telling him is, "You have no copyright on your product." So, if he goes to war with me and loses, then there is capital punishment for his copyright, because there is no copyright for infringing works, and if I prove it's an infringing work, then he has no copyright.
LM: He loses his own copyright?
EM: Yes! That's the important point. So, you see that what really is happening here is that the phenomena of copyright law are being used to allow us to give a permission to people, and they can't screw around with it too much, because it comes at the ultimate expense of the very thing they are trying to maintain, which is the copyright of their own work. This is why you get very good cooperation when you show up.
Now, most of the time, what people were distributing was software. The world of embedded products is a lot more complicated for a manufacturer and a lot more difficult, because you've got units in the field, and you've got big investments in those units, and getting to them and knowing where they are, and dealing with them may be hard. It was a lot easier to begin in a world of almost entirely pure software distribution.
LM: Internationally, the legal system could be very different from what we see in the United States?
EM: Well, the most the important part here is that you want to make use of a set of legal principles that is as close to general as you can get. And, as you say, because of the international agreement that is now more than 120 years old called the Berne Convention, we do have a lot of copyright law around the world, which is more or less harmonized. Still, GPLv2 was a pretty Americanized license; it depended upon some distinctly American features of the copyright laws. And, what we did in GPLv3 was to try and make a license that would be more dependent only on generic, internationally available principles of copyright law. Or, it took whatever it was that the local law provided and tried to deal with it exactly the way the local law did.
LM: So, GPLv3 made the license a little more international?
EM: What GPLv3 did actually was to say, in order to figure out whether something invokes a copyright of the license, there are only two questions you need to be able to answer: First, under the local copyright law for where you are, does the thing you are doing require permission? So, you don't need an expert on GPL and you don't need an expert on software law; you can go to any lawyer who knows the local copyright and say, hey, I'm doing this, do I need a license? If the answer is yes, then that is called propagation under GPLv3: I am doing something for which a license is required.
The second question is a purely factual question that an engineer could answer. Is someone other than me receiving a copy as a result of whatever I am doing? If what I am doing a) requires a license under local copyright law, which your local lawyer should be able to tell you, and b) someone else is receiving a copy, which is an engineering fact you can establish for yourself, then you have obligations under the license. So, what we tried to do was rely upon one piece of local copyright law (do I need a license for what I'm doing?) and one fact (is someone else receiving a copy?). If so, then you've got to follow the rules. That's how we did it in GPLv3.
LM: That brings up the question of web services, which has been another active topic in recent years. Do I understand correctly you've also put in some work on the Affero license?
EM: Yes, the Affero GPL is another example of a license (actually, there are two different versions that work two different ways). The Affero GPL is designed to be like the GPL copyleft except there is a separate trigger. Under the GPL family of licenses, the trigger of copyleft is that someone else is getting a copy – a binary, if language is distinguished between source code and object code. The Affero GPL adds another trigger; it says, if you are delivering services over a network to someone other than you, you have to respect those users' rights in a similar (though not exactly the same) way that you respect people's rights when you deliver them a copy. The first version of the Affero GPL was a GPL-incompatible modification; and then in GPLv3, we took the LGPL and the AGPL, and we harmonized them with the new license in particular ways. The result was a GPLv3 that is a version of the GPL that also triggers the copyleft when services are provided using the code to other parties over the network. In that case, what the license says is you must have a facility in the program that will allow users over the network to request the source code.
LM: I remember that era when the GPLv3 was in development as being sort of contentious in a lot of ways, and you were in the middle of it. What are your memories of that era? What were the forces at play that you were trying to mediate?
EM: Well, look, you know, Richard and I started working on GPLv3 pretty much when we met. So, what did we spend, 13 years thinking about how to do this job? We worked at it very carefully. We began to talk in public about how we were going to do it a year before we started to do it. And, we explained that we were going to release a discussion draft, and then we were going to have a discussion period, and then we were going to release another discussion draft and have another discussion period, and then we were going to release a candidate license, and then we were going to promulgate the license. And, we were going to have a whole series of public committees, which were going to help us to give us those drafts. So, we spent the late 2004 and beginning 2005 getting all that together.
In the fall of 2005, Richard Stallman moved to New York City, and he and I spent months going through every single word of the first discussion draft and writing a great big long justification of everything, explaining every change from GPLv2 and, in many cases, why we were or weren't changing. We had a conference at MIT in February of 2006, and we announced the one year process of committee work that considered this license. We built a new web application called STET, which allowed us to regulate a web-based comment system for the draft, so that everybody could see everybody else's comments.
From that MIT conference, we carried away four committees of people who wanted to be directly involved in making the license. The committee I chaired had some of the world's largest IT patent holding companies: IBM and Hewlett-Packard, as well as Red Hat, Apple, and Intel. We spent a lot of time talking about the patent provisions. But all the committees were busy.
I ran that process out of the new Software Freedom Law Center with my then legal assistant, Richard Fontana, who is now a fairly senior Red Hat lawyer, and Richard [Stallman], and the FSF old GPLv3 team managing all the conference calls, mailing lists, and all the rest of it. A pretty extensive legislative history of the GPLv3 license is still available at gplv3.fsf.org. Sometimes, the discussion was contentious, and sometimes it was a complex negotiation among multiple companies and parties with many different views of how the world should operate. But, mostly, I think of it as a great big seminar of these issues – complex, with lots of teaching and learning going on. I don't want to sign up to do it again, but those 16 months of my life that I spent with Richard on GPLv3 were a very great learning experience indeed.
LM: Was it a disappointment when the Linux kernel developers decided not to adopt GPLv3?
EM: Well, I guess it's a disappointment in the sense that I had some optimism that we might actually be able to produce a license that they would want to use. That it was possible that the kernel would remain under GPLv2 seemed pretty likely all the way along. I would say that probably from roughly September of 2006, I assumed that the kernel would remain using GPLv2, at least for the short term. I did not think at that time that Java was going to be under GPLv2. I thought that Java would move to GPLv3.
Now [Java and MySQL maintainer] Oracle is the world's largest GPLv2 licensor. The kernel is one part the GPLv2 user community, but it isn't the only part. I like GPLv3 very much, as I do GPLv2, and I think GPLv3 is a better license, but I do not think that either one of them is the only license to use. I think copyleft has enormous social importance, and I think both GPL and GPLv2 and GPLv3, along with their associated families of licenses, are good copyleft licenses. I'm not disappointed when anybody uses any one of them.
LM: Describe a little more about what you're doing now, with the Software Freedom Law Center (SFLC).
EM: Yeah, I'm not the legal director, my law partner Mishi Choudhary is. My titles around here are President and Executive Director, which basically means I figure out how we get the money. SFLC is a 501c3 charity, which is chartered also as an educational foundation by the state of New York. It's a teacher practice. I teach people here how to be working lawyers for FOSS. That means that we have a lot of FOSS clients. Mishi handles the law practice; she makes sure that everything gets done and that clients are communicated with and that their instructions are taken and executed.
What we do is provide free legal representation to nonprofits that make and distribute free and open source software. Our clients include all the people you would expect: Samba, OpenSSL, and the Apache Software Foundation, as well as all sorts of people in the blockchain world. In pretty much every direction, we have some relationship to one or more projects providing free legal help.
LM: Is this a network of volunteers, who are working with you, or do you just do it all yourself?
EM: This is a training process. The volunteers we have are law students learning. The lawyers we have are lawyers who work for us in New York and New Delhi. We are supported by the donations of companies that know that a stronger ecosystem with better lawyers for the nonprofits is good for them, and we are very grateful for the generous support of companies like IBM, HP, Oracle, Red Hat, Qualcomm, and so on.
With some [for-profit] companies and with individual developers who need help with their employment or other arrangements – for which we are not given money by our donors to provide for free – we provide commercial legal assistance. We charge as reasonably as we can, because we're experts we don't need to spend a lot of extra time on things. All the work we do is in support of the general mission of helping people use clean open source software correctly. But when business or other solvent parties can afford to pay us for our help, they do! And, we give advice to companies and other entities in the world trying to understand the Free Software communities, how do they work, how do we make them better, and so on.
LM: So, if I knew somebody who was starting a free software project, and they had some questions about licensing, I could just tell them to call Software Freedom Law Center?
EM: Yes, they would write to the email address help at SoftwareFreedom.org, and we would go through a little back and forth to say we're not your lawyers yet, and this isn't secret, but we'll help you if we can using public resources. But, if it looks to us like the problem is one that can't be resolved by pointing somebody at a publication, we would say "look, we'll send you a retainer agreement, which says we're going to work for you for nothing, and if you sign off, we'll give you the help you need."
LM: Free Software has certainly come a long way over the years; if there were anything you could fix, anything missing you would like to see, what would it be?
EM: I wish I thought that all we had left was our wish list. We have some significant challenges. We are not in a world where copyleft is just like all other free software; it never was and isn't now. Most of the free software licensing that we have, what we call permissive licensing, is designed to create respect for programmers' rights. Respect for programmers' rights is very important, and it's great to do that, and I'm not going to talk it down at all, but the unique part of copyleft is that it protects users' rights. And the world where we live right now, if your rights as a user of that thing [phone] you are holding in your hand aren't respected, then you don't have any political or social rights at all.
It is particularly easy to teach this message today. You go around the world and you hold up a smart-ass phone, and you say "Folks, if you don't have any rights to know what's going on in here, then you don't have any liberty." That used to be a hard lesson, but people now realize that they are dependent upon technology networks for everything in their lives, and if they don't have rights respected, they're in trouble, because their other rights depend on the technology. But we do not have uniform respect for copyleft as a way of protecting users' rights around the world. Governments don't care quite so much about users' rights; the FCC and other regulatory agencies don't care much about users' rights.
We're not in a world where we can sit back and worry about our wish list; we have to explain to people again why copyleft is so important. We have to make sure that federal research grants in the United States don't say, as an increasing number of grants from the NSF or DARPA say, "You must make all your software under open source license, but no bad viral licenses like GPL or NPL." I've got dozens of those funding solicitations now being published over the last year, and that has become a major headache for me.
I've just been given the gift of working again on the Board of Directors of SFLC with my old friend and colleague Daniel Weitzner, who was in the White House office of Science and Technology policy under President Obama. Danny and I are going to be talking to federal research entities about the importance of not discriminating against copyleft. Similar problems are beginning to crop up elsewhere in the world outside of the United States.
Our job now is selling copyleft and making sure that everybody understands why it's so important – that licenses that respect users' rights are crucial. They're not a by-the-way or an accident or an anti-business this or an anti-capitalist that. Licenses that respect users' rights are an attempt to secure technological liberty in the 21st century, without which social and political liberty does not exist. And that's not less of a job than it was 20 years ago; that's more of a job than it was 20 years ago.
Buy this article as PDF
(incl. VAT)