How free software and open source differ on the ground

Occasionally I see news stories that highlight the differences between the older free software social movement and the newer open source development methodology. The Free Software Foundation (FSF) has published a couple of essays on this topic (older essay, newer essay) and they’re both worth reading; elements of both essays continue to show up in the news. I recommend reading those essays to more fully understand references in this article.

The FSF told us

While free software by any other name would give you the same freedom, it makes a big difference which name we use: different words convey different ideas.

and we see that as open source philosophy plays out on the ground. Open source advocate Bruce Perens claimed (copy) that the Open Source Initiative (OSI)

OSI was founded to evangelize the idea of Free Software with different language, because at the time RMS [free software founder and campaigner Richard M. Stallman] wasn’t really reaching business people – the message of a priori valuation of freedom over all else still plays best with programmers.

I suspect that free software businesses were “reaching business people” in a way the proprietary software business people didn’t like—software freedom threatened their business model directly by positing a need no proprietor can meet. Evaluating software on the basis of whether that program respects a user’s software freedom (the freedom to run, inspect, share, and modify published software even commercially) remains something incredibly important for computer users to do (including proprietors) but is also something no proprietor can compete with and proprietors know this. So proprietors figured out that they needed a way to chat up some of the same software without the freedom talk.

Part of this move took the form of objecting to “open source” entirely. The OSI obviously wouldn’t go for this but the OSI has consistently blurred the distinction between types of licenses that they offer no clear terms to discuss. Take copyleft free software licenses as an example; copyleft is a strategy for preserving software freedom for derivative works. Copyleft free software licenses typically say that distributed copies of the covered work must be licensed under the same license, thus preserving software freedom for whoever gets the copy. The OSI, which eschews freedom-talk, has no way to discuss copyleft. Copyleft means preserving something the OSI was founded to not bring up—software freedom. Therefore all OSI-approved licenses are lumped together and listed as though copyleft and non-copyleft licenses are equivalent.

More recently there has been a shift toward thinking highly of gratis labor in the form of useful non-copylefted free software because those licenses are pushovers, allowing proprietary derivatives and add-ons (such as many web frameworks, the LLVM compiler, and unenforced GNU GPL-covered programs). Copylefted free software (particularly when defended in court) was not okay (consider Apple’s perverse hatred of the GNU GPL, for instance, which shows up in Apple being a GNU GPL licensor but not a GNU GPL licensee to the extent they are able—Apple got rid of Samba in MacOS X, Apple is working on getting rid of GCC as well, and Apple bought Easy Software which owned CUPS). The OSI has been around long enough to prepare a license list that explains the differences between OSI-approved licenses in a way that helps copyright holders differentiate among licenses based on protection of software freedom but nothing has materialized. Meanwhile, the FSF has long published their license list which makes precisely this distinction a major category of licenses.

Examples of how open source affiliated efforts don’t talk about software freedom (or eschew software freedom)

Open source software (OSS) enthusiasts want to argue that they’re for software freedom, but only in circumstances when talking about software freedom won’t interfere with business desires for more power over the user (which typically require proprietary software).

  • Red Hat announced that they became “partners” with Microsoft (copy)—Red Hat and Microsoft encourage you to run Red Hat GNU/Linux (which Red Hat calls “Linux”) on a proprietary Microsoft-hosted virtual machine (VM). This means trading away a system where you have more control over what hardware to use for a system where you lose all of the freedom you would gain by hosting the hardware yourself (or on a free software VM system under your exclusive control). The VM hoster gains the power to monitor everything one does on that VM. So one who hosts with Microsoft’s VM service gives Microsoft that control. This is not a move toward software freedom but it is inextricably bound up with “open source” because open source was defined to get away from software freedom. Red Hat and Microsoft also say what they offer is “all about choice and flexibility” but choice can be a scam: a choice of 3 proprietary programs that do the same job (3 proprietary word processors, for example) offers “choice and flexibility” but not software freedom. Choice and flexibility are not suitable goals in themselves and proprietors know this. Proprietors frame the issue in this way because they don’t want you thinking about software freedom.

    Later, in 2019, Red Hat and Microsoft would announce a partnership (archive copy) aimed at convincing people to subordinate their free software system to Microsoft’s proprietary VM system. Microsoft CEO Satya Nadella is said to have “embraced open source” “because it’s driven by what I believe is fundamentally what our customers expect for us to do” which is framed as “[d]oing what’s best for both companies’ customers” with no apparent regard for software freedom and (so long as Microsoft’s VM system remains proprietary) no software freedom is delivered to Microsoft’s users.

  • Canonical made a comparable partnership with Microsoft (copy) offering much the same thing as Red Hat above—Canonical encourages you to run a (possibly free software) Ubuntu GNU/Linux system atop a proprietary Microsoft-hosted VM. It’s efforts like these that give rise to Microsoft’s changing public position on open source, which has gone from seeing it as a threat to now welcoming it so long as Microsoft is truly in control. At no point does anyone involved in the effort champion software freedom for its own sake using unambiguous terminology meant to get you thinking about software freedom.

  • Paint.NET developer Rick Brewster made self-contradictory claims (copy) in service of software non-freedom while claiming he’s not “anti-OSS”. Krita is a free software paint program, Paint.NET is non-free (proprietary, user-subjugating) software:

    Paint.NET is also not something I want to be chopped up and swept into other projects like Krita. Remember, I make my living off of this — why would I just give away my IP like that? (although, of course, the whole conversation space here is much more complex — please don’t assume I’m anti-OSS or something)

    It’s impossible to reconcile the conflicts between what Brewster claimed without understanding that open source is really not interested in software freedom (hence their enthusiasts’ support for proprietor partnerships and acceptance of running proprietary software). In addition, Brewster also used the term “IP” meaning “intellectual property” which is ill-advised and carries a hidden assumption.

    Two of the freedoms of free software include the freedoms to modify one’s own copy of a program (make derivative works) and to distribute copies (modified or unmodified) of the covered program even commercially. Paint.NET’s license (mirror) prohibits all of these freedoms (“You may not modify, adapt, rent, lease, loan, sell, or create derivative works based upon the Software or any part thereof.”).

  • On 2019-05-10, Hacker News linked to a repository of Commodore 64 ROMs with a headline which read “Unencumbered Open Source Commodore 64 ROMs”.

    The license for software in that repo around 8AM on 2019-05-10 read:

    This software is Copyright Paul Gardner-Stephen (2019). All rights reserved.
    It must not be used or distributed without prior written permission of the author.
    NOTE: This is a placeholder statement until a final license is selected.

    It’s not clear what license could be chosen, as it’s not clear that Paul Gardner-Stephen holds a copyright in the work and thus has the power to license the work to others. But this and the license on the work listed above didn’t stop this from being called “unencumbered open source”. Despite the text of the license the complete lack of respect for a user’s software freedom is certainly there.

The older FSF essay on the differences between free software and open source philosophy mentioned:

This manipulative practice would be no less harmful if it were done using the term “free software.” But companies do not seem to use the term “free software” that way; perhaps its association with idealism makes it seem unsuitable. The term “open source” opened the door for this.

And we can see that philosophical difference play out in front of us—what Perens referred to as open source’s “different language” gave room for proprietors to talk about their non-free software as though it were equivalent to free software, just another choice to consider. An organization committed to pitching for software freedom wouldn’t do this, but the OSI did this.

Pitching non-free software as “open source” is known as “openwashing” (a term coined by former FSF Executive Director and now Chief Technologist of the Software Freedom Conservancy Brad Kuhn). The term derives from “greenwashing” because both use whatever socially attractive sensibilities exist to make something non-compliant appear to be better than it is (environmentally-harmful goods and services are pitched as environmentally-friendly, software not licensed under an OSI-approved license is marketed as “open source”).

Proprietary software is free software’s enemy, not open source. However, the open source development methodology apparently does work as designed and gives ground to the notion that it’s right and proper to push software freedom and freedom talk aside anytime software freedom becomes inconvenient.

Free software security is defensible. Proprietary software is untrustworthy all the time and any claim of “security” is impossible to back up.

According to the neoliberal New York Times,

But [Firefox] became irrelevant after Google in 2008 released Chrome, a faster, more secure and versatile browser.

The Gray Lady gets it wrong again. Google Chrome is proprietary software, software that does not respect a user’s freedom and community. There’s no way to back up any claim of proprietary software being “secure” because there’s no way to determine what proprietary programs do or stop them if one discovers they do something harmful (malware). Proprietary software is often malware. Users lack the permission to inspect the program’s source code, alter the program, or distribute altered versions. Furthermore Google is a known international spy agency. There’s good reason to believe that Google Chrome spies on all of its users, behavior users are unlikely to consider “secure”.

Firefox, by comparison, was never proprietary. Users were and are free to run, inspect, share, and modify Firefox; these freedoms are collectively known as “free software”. In fact, these freedoms are likely a main reason why TorBrowser (and so many other derivative browsers) are based on Firefox.

Software freedom isn’t about guaranteeing the user security, it’s about addressing the inequity between users and developers inherent in non-free software. Technical advantages and popularity are ephemeral. In the free world, technical features only require anyone who wants to take the time to improve the program. People can and do learn to become software developers. And free software’s technical merit can be improved by anyone willing to do the work. Ergo we can add impressive technical features to free software.

But we can’t make proprietary software free. So the path to getting software we can evaluate against a claim of “security” and back up that claim starts and ends with software freedom.

Should you have ever hosted on GitHub? No. GitLab was a wiser choice for years.

In “Three Takes on Microsoft Acquires GitHub” posters are conflating free software and open source. For reference, consult the GNU Project’s two essays on this topic (older, newer).

The discussion includes an anonymous comment, “Windows 10 includes WSL [Windows subsystem for Linux — nonfree software for Windows which allows one to run a GNU/Linux OS on top of Windows] now… Microsoft has become a major promoter of free software.” Actually Microsoft continues as they were: they develop and distribute proprietary software, the opposite of free software.

Microsoft didn’t promote free software before and continues to not promote free software now. Microsoft shifted from calling the GNU General Public License (GPL) a “cancer” including screeds from company reps who claimed “The way the license is written, if you use any open-source software, you have to make the rest of your software open source” and “Government funding should be for work that is available to everybody, [but] open source is not available to commercial companies” which is wrong for multiple reasons. Saying that now would make them look foolish because that misinterpretation of how the GPL works would mean all of Microsoft Windows would come under the GPL. That was one of many errors in Steve Ballmer’s claim at the time and Microsoft knew it, but they had an enemy in software freedom and didn’t have a better response than to lie about their adversary. Given that history we’re supposed to believe Microsoft now when they promote their “love” for open source, and that it is wise to depend on Microsoft in order to run free software such as these GNU/Linux distributions.

Open source is not the same as free software. Long ago free software activists knew that free software with nonfree software dependencies made for free software that was useless in the free world precisely because adopting such software means a loss of one’s software freedom. Thus the free world doesn’t need a Linux kernel based operating system with Windows kernel dependencies (such as GNU/Linux running atop Windows) despite the fact that this now exists. Open source doesn’t encourage anyone to want or defend software freedom. Therefore abandoning software freedom for convenience seems like a right and proper thing to an open source advocate. That’s one of the major points in the newer of the two essays linked above in the section “Different Values Can Lead to Similar Conclusions…but Not Always”:

[…P]eople from the free software movement and the open source camp often work together on practical projects such as software development. It is remarkable that such different philosophical views can so often motivate different people to participate in the same projects. Nonetheless, there are situations where these fundamentally different views lead to very different actions.

The idea of open source is that allowing users to change and redistribute the software will make it more powerful and reliable. But this is not guaranteed. Developers of proprietary software are not necessarily incompetent. Sometimes they produce a program that is powerful and reliable, even though it does not respect the users’ freedom. Free software activists and open source enthusiasts will react very differently to that.

A pure open source enthusiast, one that is not at all influenced by the ideals of free software, will say, “I am surprised you were able to make the program work so well without using our development model, but you did. How can I get a copy?” This attitude will reward schemes that take away our freedom, leading to its loss.

The free software activist will say, “Your program is very attractive, but I value my freedom more. So I reject your program. I will get my work done some other way, and support a project to develop a free replacement.” If we value our freedom, we can act to maintain and defend it.

I don’t see why one would choose to let Microsoft host their software, nor do I see how it is in any user’s interest to not have control over their own repository. So running one’s own instance of GitLab strikes me as a reasonable choice but not hosting one’s data on GitHub. Thus it’s no surprise to me that GitLab earned a “C” rating back in 2015 and GitHub an “F” rating from back in 2016 well prior to any talk of Microsoft buying GitHub. And this is yet another example of how (as Eben Moglen puts it in numerous talks) “Stallman was right” or the GNU Project got there well before it came into vogue to reevaluate one’s Git-related hosting options and move away from GitHub.

What can the reaction to removing “Roseanne” and reaction to allegations of sexual misconduct teach us about streaming?

By now you’ve probably heard that stand-up comics Louis C.K. and Roseanne Barr have both had TV shows pulled from streaming services (such as Hulu and Netflix). Louis C.K. was accused of sexual misconduct and Roseanne Barr wrote posts on her Twitter account some found offensive. In response to the allegations and Twitter posts, C.K.’s and Barr’s shows were no longer listed. Considering the popularity of “cord-cutting” (no longer subscribing to cable TV but retaining Internet access) and the popularity of streaming services, this is an increasingly effective means of censorship not only of the artists but of the audience.

Users lost access to those shows. For all we know people paid for services like these and gave up their software freedom in order to gain access to those shows and now people at each service decided that users should be disallowed access to those shows via the service.

Remote control of one’s library means submitting to someone else’s control of that library. This is a compelling reason to own copies of one’s own media instead of depending on inherently unreliable streaming media (which means downloading media data without retaining a copy and thus constantly depending on the server to supply a new copy for re-watching, often combined with proprietary software which is always untrustworthy and digital restrictions management (DRM)—proprietary software and DRM are also reasons to reject a streaming service).

It should be up to you to decide what to watch and when, what is offensive and what isn’t.

If you had your own copies of Louis C.K.’s stand-up sets, or episodes of the “Roseanne” show in DRM-free formats favorable to free software, you wouldn’t need to rely on a streaming service to watch them. You wouldn’t have to put up with being tracked as you watch them. You couldn’t be cut off from access to them without your consent. These are some of the reasons why file sharing (not the propagandistic term “piracy”) is rightly considered a service.

Apparently the reasons for losing access to media via streaming services grow over time. Streaming services don’t advertise that if a celebrity says the wrong thing or allegedly mistreats someone, you lose access to the works in which they’re a star. You can’t predict what will disappear next when you depend on someone else to grant you access to their library. You also can’t control what your computer is doing when you run their software. You should prefer media in formats you personally can break (DVD DRM is easily broken now but Blu-Rays are less easily broken) and play with free software even offline.

Facebook remains a monstrous surveillance engine

Years ago software freedom fighters understood the harm Facebook poses and threatens. And they warned us all to avoid Facebook.

The Free Software Foundation got there earlier: the FSF published a warning on Dec 20, 2010. FSF & GNU Project founder Richard Stallman has been rightly objecting to Facebook for years in his talks and on his personal website.

In his talks, long-time former FSF lawyer Eben Moglen rightly called Facebook a monstrous surveillance engine. He pointed out the ugliness of Facebook’s endless surveillance (at length in part 3 but in other places in the same lecture series as well). See for the entire series of talks. Moglen routinely points out that ‘Stallman was right’ in his talks and for good reason.

GNU General Public License 3’s termination term getting wider reception

Want to fix a licensing problem for a GPLv2 or LGPLv2.x program? Relicense under GPLv3 or later, or under AGPLv3 or later. Consider LGPLv3 or later carefully before use, erring on the side of picking the GNU GPL v3 or later. This will grant recipients of the program the more lenient terms which do a good job of covering accidental infringement while still being able to legally compel other infringers to stop their infringement until they come into compliance.

This article bears the bias of coming from corporate media; it implicitly highlights the difference between free software (a social movement based in how people ought to treat one another with regard to computer software) and open source (a means for businesses to see free software hackers as an exploitable source of gratis labor by divesting the ethical underpinning of free software, pitched primarily to businesses). But no clear distinction is drawn so it’s not easy to see past the business-first talk that is not in keeping with why the GPLs exist, who wrote the GPLs, and why the GPLs say what they do.

For example, consider this from the article

In 2007, Microsoft was very openly and publicly anti-GPLv3, claiming it was an attempt “to tear down the bridge between proprietary and open source technology that Microsoft has worked to build with the industry and customers.”

This short-sighted comment receives no examination in the article but certainly deserves some since the entire “cure” is to do what the GPLv3 has long done—make it easier for accidental or non-malicious infringement to be fixed, thus allowing distributors to come into compliance, and continue distribution under compliance.

Microsoft’s words ignore that the Free Software Foundation (FSF) wrote the GPLs. The FSF is focused on software freedom (specifically a user’s freedom to run, inspect, share, and modify published computer software). Richard Stallman is credited as the chief author of the GPLs v1-3. Stallman also started the free software movement. Open source advocates, in what Stallman once called a right-wing counter to free software, want to use GPLv2 and GPLv3 (and related licenses) without talking about the ethical basis for these licenses and their derivatives (AGPL and LGPL).

Microsoft’s language would have you believe this is all to do with business concerns because that’s the open source enthusiast’s primary audience. But how a copyright holder behaves in light of infringement concerns anyone who distributes copyrighted works including any copyrighted free, libre, and open source software under any FLOSS license.

Microsoft essentially wants what any other proprietor (Apple, Oracle, Intel, etc.) wants: more hackers writing and distributing code under licenses that allow proprietors to make proprietary derivatives. The GNU General Public Licenses (GNU GPL or GPL) say no to that; the GNU GPLs versions 1-3 say we should be equals in this work and all users must be free to run, inspect, share, and modify the program. No privileged position (such as is the nature of proprietary software) allowed. The “Lesser GPL” (originally the Library GPL) puts in an exception that grants a bit more inequity for software where there are plenty of other implementations that would get used more and possibly do less to protect a user’s software freedom (such as C libraries). The Affero GPL protects a user’s software freedom for remotely run applications such as web-based programs.

Any evaluation of software that excludes the underlying ethical (and class-based!) examination free software provides is bound to favor proprietors. That’s why proprietors all like “open source” but don’t frame anything in terms of free software. Software freedom has at its heart the very thing that keeps would-be proprietors honest and keeps users informed about changes, and in power over their own computers. Proprietary software is a social ill, never to be trusted, and a degree of control even other proprietors merely tolerate because they can’t easily object (‘power for me but not for thee’ doesn’t fly amongst those jockeying for power over one’s users).

Mass surveillance is unneeded, unethical, and used to relieve you of your privacy

Consider that schools are said to be spending a lot on mass surveillance kit and what that means for parents, students, and everyone else in the neighborhood.

Mass surveillance is the principal abuse here and the likely reliance on non-free (user-subjugating, proprietary) software (which is often malware) compounds the problems. One could go further in exploring additional abuses by looking into what is done with the data:

  • Where is the data stored?
  • Who else has access to the data?
  • What do they do with the data?
  • Is any of this knowable?

but indiscriminately collecting information on people in the hope it will somehow prove useful is mass surveillance, spying on everyone as if everyone is guilty by default. This is also a way to convince fearful people of the notion that it’s right and proper to have no privacy.

Consider this excerpt from the article:

“Schools are justified in thinking about safety, both in terms of gun violence and other possible hazards,” Rachel Levinson, senior counsel at the Brennan Center for Justice, told Gizmodo. “At the same time, these technologies do not exist in a vacuum; we know, for instance, that facial recognition is less accurate for women and people of color, and also that school discipline is imposed more harshly on children of color.”

Everything Levinson says here is vague and remarkably inarticulate, and I don’t blame Levinson. For all we know, Gizmodo simply didn’t ask further questions to clarify these claims in what should have been the basis of the entire article. Being concerned is insufficient. Precisely how is a bunch of data like this going to curb gun violence? What other hazards are you referring to, exactly? Why should we be concerned about the details of accuracy of the collected information while we’re questioning whether it was ethical and useful to collect this data in the first place? Which school situations where “discipline is imposed more harshly on children of color” will be resolved by watching surveillance footage or examining location data?

All the more reason why people should get their own computers, never use school-issued computers, and make sure that their own computers run only a free software OS, and install nothing but free software on top of that. Also everyone (not just parents and students) needs to politically organize to let students use privacy respecting books and (only if strictly needed) computer education that can be used from any computer OS.

RT’s reporting on Tor problems underwhelms; no recognition of how software freedom works

Two stories badly covered by RT in the same way: no mention of how software freedom plays a huge role in interpreting the events presented in the story.

Tor is untrustworthy! Maybe…but we’re not saying why…

RT published a couple of versions of this story (earlier, later).

Tor, the onion router, is software intended to increase privacy online by passing data from one Tor user to another Tor user thus obfuscating the source of the data to the ultimate recipient and even users on the Tor network. As a result of this arrangement, one can set up services that are only accessible from inside the Tor network (such as websites one can only visit while on Tor).

RT pointed out that Tor is funded by the FBI and this funding makes Tor suspicious (“Tor’s developers have been meeting with its agents, briefing them on how to use the technology, even organizing conferences for the Bureau.”) and then went on to make a dramatic claim that requires some unpacking:

“The FBI is always the first to know about vulnerabilities in tor’s code, and also gets a say in when the public finds out about the flaws.” and later “A privilege like this effectively gives the FBI all the time in the world to exploit the weak spot before it is fixed”

The entire RT report (and the reports RT based their report on) relies on guilt by association rather than telling the audience about specific vulnerabilities in Tor’s code and how these vulnerabilities are exploited. It’s important not to fall for fear by association where we should demand detailed examinations of vulnerabilities because we don’t need to settle for less than very specific evidence. (a blog entry pointed to in RT’s written report) includes:

I obtained the documents in 2015. By then I had already spent a couple of years doing extensive reporting on Tor’s deeply conflicted ties to the regime change wing of the U.S. government. By following the money, I discovered that Tor was not grassroots. I was able to show that despite its radical anti-government cred, Tor was almost 100% funded by three U.S. national security agencies: the Navy, the State Department and the BBG. Tor was military contractor with its own government contractor number — a privatized extension of the very same government that it claimed to be fighting.

This was a shocking revelation.

Let’s review some facts: Tor started at the US Navy as a research project and was later turned into a more user-friendly free software program anyone could use (RT points this out). This was always known and is not news, therefore it was not shocking. Later Tor was incorporated into a variant of the Firefox web browser called the “Tor Browser” allowing users to easily substitute this browser for their browser any time they want to browse using Tor.

Firefox and Tor are both free software. Free software means users have the freedom to run, inspect, share, and modify the program. This term is not a reference to price, even though both Firefox and Tor are available at no charge. The implications of this are important for this story: if Tor has a security flaw any user, not just Tor’s developers or sponsors, can inspect the code to find the flaw, modify the code to fix the flaw, run the improved code, and distribute the improved code to help their community. One has these permissions and there is no notification requirement—one can do all of these things without telling anyone except those with whom they share the code. This is the best means we have to make sure all computer users are treated ethically. Everyone deserves the freedom to determine what their computer does and this is the way we practically achieve that, and have done this for decades.

Therefore the FBI is not necessarily “always the first to know about vulnerabilities in Tor’s code” as RT claimed. We don’t know who else has a copy of Tor’s source code. We don’t know who else (besides Tor’s developers) inspects Tor code, who improves Tor code, who publishes their modifications to Tor at all, or with whom code modifications are shared. The same is true of every free software program. These are all direct implications of software freedom.

But doesn’t this mean we should fear the heavy hand of the FBI?

In politics we have incomplete information so we have to settle for making educated guesses such as where a politician or reporter gets their funding because we’re not always privy to the deals politicians make. If a politician accepts money from weapons contractors, for instance, we expect that politician to promote war because that would be beneficial to their campaign funding. Therefore it’s no surprise if they vote pro-war or otherwise champion invasion and occupation. We connect the dots and say that the individuals in Congress are bought off by business lobbies.

But with a computer program we can see how it will operate by reading its source code. We can determine what that program does, how that program works, identify its problems, propose and implement fixes. We can learn to become programmers (that’s how programmers figured out how to read source code). We can hire programmers to do work on our behalf, we can ask programmer friends to do favors for us, and we can easily share the result of a programmer’s work with others. So we don’t need to settle for proxies such as “Tor developers have undisclosed meetings with shadowy government groups where they discuss Tor.”

Investigative journalism regarding free software vulnerabilities requires specific evidence, far more than a vague assertion connecting a free program to a party we might be wise not to trust. Our permission (freedom) to run, inspect, share, and modify the published software means we don’t need to settle for guilt by association and shouldn’t accept an absence of hard evidence.

RT quoted Roger Dingledine, a Tor project co-founder, writing the following to Kelly DeYoe, Broadcasting Board of Governors:

Keeping the FBI informed of (and using!) Tor contributes to project and network sustainability.

This quote is given in a suspicious context, but here’s another way to interpret the same words in an entirely different light: Tor purposefully routes data circuitously through multiple other Tor users’ computers before that data reaches the Internet (and similarly going in the other direction from the Internet to a Tor user). Therefore Tor as a project needs a lot of people to run Tor, participating as nodes in the Tor network to make the Tor network function. Thus it is in the Tor project’s interest to get more people to run Tor.

Without more detail on specifics, it’s hard to know which way we ought to interpret the quote—with suspicion, as an innocent call for greater participation, or something else?

So what are we to make of the RT claim that “A privilege like this effectively gives the FBI all the time in the world to exploit the weak spot before it is fixed”?

Absent a weakness in Tor’s software (which was not identified in RT’s report), the claim remains unproven. Tor is free software so the FBI has no special advantage over others examining Tor’s source code. If Tor were proprietary (non-free software) RT’s claim here could be true: what any proprietary program does is secret. That secrecy is what gives proprietors an edge over their users, and why users should run nothing but free software on their computers.

What about Tor nodes that spy on the users? Didn’t Tor’s blog warn about this?

In mid-2014 the Tor project blog warned of an attack against other Tor users. From that blog post:

On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.

The attacking relays joined the network on January 30 2014, and we removed them from the network on July 4. While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected.

More details are in that blog post including details of what was known at the time (including pointers to Tor software updates that fix known problems). But the underlying problem remains the same: Tor’s problems are still better addressed with software freedom fully intact and recognized for the huge ethical and practical advantages it brings over non-free software.

Any organization (including the FBI) could work toward adding tracking software (JavaScript-based, or Flash-based, for instance) to websites such that most visitors will end up picking up the tracker in normal website browsing. This wouldn’t indicate a hole in Tor per se, as Tor is not intended to do anything about website malware. In fact, one might look at this exploitation in another way: this approach to undermining the privacy Tor grants may suggest Tor is doing its job of disguising the network locations of its users quite well, thus compelling spy agencies to look for other means to effectively spy on Tor users.

Isn’t it possible there is a genuine weakness in Tor despite being free software?

Sure; we already knew that Tor had genuine weaknesses which were fixed. And it’s possible the upcoming report referred to in RT’s report and Surveillance Valley will reveal more genuine weaknesses in Tor. But we ought not judge things by fear; we should demand evidence. The details backing up the claims in this report have yet to be published. This report contains no actionable clues to help us understand why we should fear Tor or look at Tor as broken beyond repair.

When weaknesses are found users are still better off with a free software program than with non-free software because users have options on how to get the software fixed. They can wait for an update from the Tor developers, they can get involved and learn the details and apply a fix themselves, they can hire someone they trust to do this work for them. Compare that to non-free software where the only options are to quit running the non-free software or to wait for the proprietor (the very party users can’t trust) to ‘fix’ the problem.

E-waste versus Microsoft

RT showed the story of California-based Eric Lundgren, who offered copies of Microsoft OS restore discs — a disc used to install a new copy of an operating system on a computer — thus allowing someone to keep using their old computer instead of buying a new computer.

Lundgren said that he did nothing wrong: systems running Microsoft Windows slow down over time, and his service allowed users to experience a faster computer by reinstalling the operating system, restoring its performance to what it was when the computer was new. Microsoft said Lundgren committed copyright infringement.

Lundgren could have avoided this kerfuffle and helped his users escape from Microsoft’s spying grasp at the same time by helping his users install a free software operating system (such as any of the free OSes listed here) instead of perpetuating his users’ dependency on proprietary software. This would have completely avoided the complaint with Microsoft and helped users liberate themselves from user-subjugating software (which often contains malware) published by a known NSA partner and spy. We don’t know what most of Microsoft’s software does because it is proprietary, so we have to fall back on examining the programs by how they behave and what relationships Microsoft cultivates with other organizations.

How many ways can one be silenced online?

Reading the many ways tech discussion site Hacker News silences posts its moderators don’t like reminds one that contributing to someone else’s forum, mailing list, or any other centrally-hosted discussion is one way to be censored. User moderation is no better than administrator moderation; it’s very easy to learn the themes that pass for acceptable on some tech sites such as Hacker News or Slashdot: celebrating proprietary software is fine, software freedom (the freedom to run, inspect, share, and modify published computer software) is eschewed even though software freedom addresses most of the stories on these corporate media repeater sites and addresses public interest.

What sites don’t often let on is that their lists of censor tricks can be quite subtle: “shadow banning” can come in the form of not telling a user that nobody can see their posts but them, or nobody can see a user’s posts unless the reader looks for them. That’s what Twitter has been reported doing for posts that challenge the current narrative known as “Russiagate” where Russians spending thousands of dollars on ads before and after the 2016 US election somehow put Pres. Trump in the White House and prevented Hillary Clinton from winning. There’s no evidence to back this up, but it doesn’t stop the mainstream corporate media from posting story after story about (usually unnamed) Russians doing dastardly things that are indistinguishable from exercising free speech.

Sadly, Internet access is not seen as a human right, something civilized countries supply to all and never take away. So long as Internet access is privatized we’ll always publish on sufferance—say something someone powerful doesn’t like and you could be prevented from speaking in a way others can see, read, or hear online again.

What would an ethical discussion service look like?

Such a service would use a protocol to convey posts to clients which is fully documented and available for anyone to implement, convey data only via encrypted connections, and mask which posts were being read as much as possible. The goal has to be designing the service around preserving users’ privacy and freedom to express themselves.

I think ethical services would do more operations client-side to give the user powerful means of selecting what to read, see, or hear. The client would track what’s been read, sort and filter posts according to a particular user’s desires (the user defines what is unsolicited, objectionable, or somehow not worth reading) but all posts would be available to all by default. The client would cache data to enable offline reading and posting by batch upload. Doing any of this server-side is just another way to enable censorship.

An ethical service offers multiple entry points, like netnews, among a lot of cooperating and publicly-available news servers. If one server becomes unavailable one can easily move to another server and continue the discussion. All current web-based services rely on being single points of failure (from the user’s perspective). It doesn’t matter that Twitter, Facebook, and other currently popular sites have many servers when they all obey the same rules of exclusion and all draw posts from the same database. We rightly consider all Twitter servers as part of the same oppressive system. Users aren’t kicked off or silenced when posting to one Twitter server; their account is (shadow) banned from all Twitter servers. The same is true of any centralized system; that’s why these services implement their services from a central setup. Therefore freedom of speech requires massive decentralization.
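The design described in this section can be sketched in a few lines. This is an added example, not code from any existing service: the `Server` and `Client` classes, the server names, and the sample posts are all hypothetical and constructed. It shows posts merged from several cooperating servers by message ID, with filtering, read tracking, and caching done entirely on the client.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Post:
    msg_id: str   # globally unique ID, like a netnews Message-ID
    author: str
    body: str

class Server:
    """Hypothetical in-memory stand-in for one cooperating server."""
    def __init__(self, name, posts, up=True):
        self.name, self.posts, self.up = name, list(posts), up

    def fetch(self):
        if not self.up:
            raise ConnectionError(f"{self.name} unreachable")
        return list(self.posts)

@dataclass
class Client:
    servers: list
    killfile: list = field(default_factory=list)  # the user's own filter rules
    read: set = field(default_factory=set)        # read state stays on the client
    cache: dict = field(default_factory=dict)     # msg_id -> Post, for offline use

    def sync(self):
        """Merge posts from every reachable server; return the names reached."""
        reached = []
        for server in self.servers:
            try:
                posts = server.fetch()
            except ConnectionError:
                continue  # one server being down does not end the discussion
            for post in posts:
                self.cache.setdefault(post.msg_id, post)  # dedupe by ID
            reached.append(server.name)
        return reached

    def unread(self):
        """Hide only what is already read or what this user's rules reject."""
        return [p for p in sorted(self.cache.values(), key=lambda p: p.msg_id)
                if p.msg_id not in self.read
                and not any(rule(p) for rule in self.killfile)]

def demo():
    # Constructed sample posts and servers.
    a = Post("<1@example>", "alice", "copyleft preserves freedom")
    b = Post("<2@example>", "bob", "buy my product")
    c = Post("<3@example>", "carol", "relay operators wanted")
    news1 = Server("news1", [a, b])         # this server does not carry carol's post
    news2 = Server("news2", [a, b, c])
    news3 = Server("news3", [c], up=False)  # unreachable
    client = Client([news1, news2, news3],
                    killfile=[lambda p: "buy my" in p.body])
    reached = client.sync()
    client.read.add(a.msg_id)
    news2.up = False                        # later outage: the cache still serves
    return reached, [p.msg_id for p in client.unread()]

if __name__ == "__main__":
    print(demo())
```

Carol's post is missing from one server and another server is down, yet the client still shows it; the only post hidden by a rule is the one the user's own kill file rejects.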

It’s a class issue: Power over the users is unjust power

A flight simulator company FlightSimLabs was caught embedding malware in their proprietary software which copies a user’s website credentials. FlightSimLabs claims they only had plans to use this against users who “pirated” the software but nobody can be sure because this malware was in every copy of the FlightSimLabs software; the credentials copying was indiscriminate. We won’t really know when this issue will go away or if it does go away because we can’t tell where the unethically copied data will travel. But there are aspects of this case which bring to mind the underlying class basis of users vs. proprietors, how things were different in the recent past with home computing, and what the changes of always-on networked computing (in which we store sensitive information) means for the public.

The chief underlying problem here is proprietary (non-free, user-subjugating) software: software you’re not allowed to run, inspect, modify, or share (the permissions known as ‘software freedom’). Proprietary software is licensed and distributed to keep you from running the program despite doing normal maintenance, to keep you from treating your friends as friends by sharing a copy, to keep you from inspecting the program to see what it does, and to prevent you from modifying your copy of the program should you wish to for any reason.

I experienced something quite similar with the Commodore 64: A video game called Elite on the C-64 had an anti-copying scheme so clumsy and prone to problems it drove me to understand what was really going on. Today we’d properly call this DRM—digital restrictions management (expanded that way because I take the side of the user class, not the publisher class) which was only visited upon those who obtained their copy of the program in a way the publisher found acceptable. Typically this meant buying a copy, but I later came to understand some copies were distributed gratis. The packaged game came with media, a manual, and a flat plastic device with a see-through window. The device could be bent so it resembled a table like an inverted letter “U”. On starting the game, the user was shown some blocky image that looked incomprehensible. When the plastic device was folded, placed on the monitor at the proper distance (via the “legs” of the device), and peered through one could see the blocky image turn into something readable. If I recall correctly, the readable image was a page number reference in the manual one was expected to look up and type in the proper word to get past this stage of the loading program.

After I did this a couple of times it dawned on me that those who engage in filesharing and treating friends like friends (sometimes propagandistically called “pirates”) never have to put up with this. Only the people who used the publisher-distributed copy did. And most of those users had paid for this treatment.

Those who shared copies were doing us all a favor: they let us try programs before buying a copy, they let us run copies that didn’t have what we now call DRM; the anti-copying code had been stripped away. They let us have copies that one could copy in an ordinary fashion, no need for special copiers (such as “nibblers”, or any copier that knew how to get past the errors which were deliberately added to the disk to defeat the standard file and disk copiers). There was no need to work around the issue by using audio tapes instead of disks (since audio tapes didn’t have copy-prevention added to the media). These so-called “pirates” were doing us a service, a service I might have paid for if offered the opportunity to pay a publisher for a headache-free copy of the program.

Later I obtained a memory snapshotting cartridge called “Isepic” which let me make my own copy of the RAM-resident portion of the game. Isepic produced a copy which loaded faster, never prompted me for the manual lookup, and played identically to the other copy loaded from the distributor’s media (no surprise there, it was the same code being loaded into memory). I never loaded the distributor’s media again. But this got me to thinking about all the other programs (not just games) that treated the users this way across all the computers I had used. And I began to realize that this was a scam perpetrated on the people who treated the publishers the best. We were literally exchanging our money for being treated badly. And this harm pushed on the users was indiscriminate, just like the flight simulator company did here.

There was one more issue to wrestle with: proprietary software. This was an issue even the filesharers couldn’t really contend with. Almost all of the software I saw anyone use on the C-64 was proprietary; users weren’t allowed to do things we wanted to do: understand how the program worked, share copies, modify the program, or (in some cases) even run the program whenever we wanted. At best, the filesharers could grapple with runtime limits: Want to play ‘Elite’ from the publisher’s media without the plastic device? Too bad; that plastic device and loading routine are DRM to stop one from running the program (meaning that even if you copy the media you’ll probably make a copy you can’t really use). It’s not likely one will be able to look at the screen and manually decode the image, by design. Tough on the paying users, easy on the users who know how to share with each other. But this won’t help you with the other freedoms of free software.

As a practical matter we didn’t face some very serious problems with always-networked computers: We didn’t have our C-64s constantly on, we didn’t store sensitive credentials on the C-64, and we didn’t connect them to networks most of the time. So we didn’t have the privacy-busting ramifications proprietary software poses for ordinary computer users today (copying people’s credentials to websites ought to be criminal; this is very likely to include copying credentials to medical, banking, and work-related websites). What if that flight simulator company doesn’t keep the lid on whatever they illicitly copied from the users? Remember they did this indiscriminately: They did this to all of their users; there’s no reason to believe they won’t mistreat a paying user. They’ve already lied to all their users by misrepresenting what the flight simulator does—I’ll bet that people who got a copy thought they were getting a flight simulator, not a credentials copier.

In the end I came to recognize that the heart of this issue, where the computer owner has less power over their computer than an organization that convinces the user to run their software, is the main issue of software freedom. Software proprietors have unjust power over the users. The only way to break that power and keep people opting for freedom is to teach people to value software freedom for its own sake, and then choose free software consistently: play free software games, run free software apps for other jobs, and install and use free software operating systems. You’ll have to have the spine to say ‘no’ to a lot of what is advertised, but you’ll retain control of your data and your computer and it’s a lot less likely you’ll ever bump into DRM. Free software DRM is ineffective—edit out the DRM code and run that version instead. You also get to treat your friends like friends doing something natural to do with digital computers—sharing copies of published software.