Web apps: the next battleground for FOSS?

Concerned about the increasing popularity of Web applications, Marco Barulli of the Clipperz project has written one of the first detailed suggestions about how free and open source software (FOSS) should respond to the trend. Although neither Barulli nor Clipperz is well-known, his ideas are being listened to by such figures as Richard M. Stallman of the Free Software Foundation and Fabrizio Capobianco, the CEO of Funambol and a long-time advocate of FOSS in Web applications.

Web applications (a.k.a. software as a service and cloud computing) refers to software that users access via their Web browser and that resides on a provider’s servers. Whatever term you prefer, Web applications present a significant challenge to FOSS for at least two reasons.

First, because Web applications do not distribute software in a traditional sense, they bypass the requirement in free licenses such as the GNU General Public License (GPL) that the provider must return code to the community. As a result, companies like Google can take advantage of FOSS for their Web applications, but treat any modifications they make as proprietary.

Second, with data being passed between users and the provider, and, in many cases, the provider’s software being installed on users’ machines, Web applications raise privacy issues that most free licenses do not address.

These issues are not new. Tim O’Reilly has been warning about them for years, but his sensationalistic declaration that “open source licenses are obsolete” has tended to sidetrack any discussion of the implications.

Moreover, as Barulli notes, the convenience of Web applications has tended to stifle any critique of them. “I’ve been in the security field a long time,” Barulli told Linux.com, “and I can tell you that convenience is a big driver — bigger than freedom, and bigger than security.”

Yet, at the same time, the need to address the issues is becoming greater. Pointing out that no one predicted that everyday productivity applications like word processors or spreadsheets would be available via a Web browser, Capobianco observes that “The direction of the market is that every application that can be run as a service will be run as a service someday.” He refers to the problems raised by Web applications as a “cancer” for FOSS, adding, “If we let [this] problem slip by because we think software as a service is of minimal importance, we’re wrong. Because the direction of the world is software as a service. Ten years from now, if 90% of software is run as a service, then open source dies.”

Making Web apps free

Until Barulli suggested his course of action, Clipperz was best known for its problem in having Google Code host the Web site for Clipperz’s community edition. The project wished to license its software under the Affero General Public License (AGPL), a license that closes the distribution loophole in the standard GPL by defining the offering of software as a service as a form of distribution that carries the same obligations.

However, Google refused to host a project licensed under the AGPL, claiming first that it wished to avoid a proliferation of licenses, and later that the AGPL was unproven. However, many observers suggested that the real reason was that Google, which had profited from the loophole, was simply nervous about any association with AGPL.

Clipperz eventually found a home for its community edition on SourceForge.net. However, a more important result of the issue was that Barulli began an extended email exchange with Richard Stallman. “It was quite a revelation for me,” Barulli says, and the conversation led directly to his action plan.

Addressing the problem

At the outset, Barulli makes clear that he is not trying to stop the spread of Web applications. “Web apps are great and I’m in love with them,” Barulli says. “But I think it’s time to ask for more freedom and more privacy.”

Clipperz was one of the first projects to choose the AGPL. “This was what we were waiting for,” Barulli says. Given this enthusiasm, the first step Barulli proposes is unsurprising: encouraging the use of the AGPL. “I think it’s my right to know what code I’m running on my machine, and what code I’m running on yours,” he says simply. As part of this campaign, Barulli is canvassing for suggestions for an “AGPL suite” of Web applications for free software users, and urging developers to join Clipperz in becoming evangelists for the AGPL.

To address the privacy issues raised by Web applications, Barulli advocates what he calls “zero-knowledge Web apps” — that is, applications that encrypt user data and identity so that it is inaccessible to the provider.

This suggestion is Barulli’s own. “Richard Stallman was only worried about the freedom of the source code,” he says. “I’m also worried about the freedom of my data.” When the issue is software installed on a workstation or network that you control, Barulli explains, the issue hardly arises. However, he says, “When I move my application to the Web and therefore my data, I would like to retain control over my data. It’s still my data.”

In fact, as a security expert, Barulli is so concerned about the privacy of data that, referring to free software’s traditional four freedoms, he suggests that “this is another freedom that free software should take care of.”

In the long term, Barulli also calls for changes to free Web browsers as an additional protection of users’ freedoms. Specifically, Barulli would like to see browsers that not only authenticate code using zero-knowledge protocols, but, in keeping with a suggestion from Stallman, would compare JavaScript or Ajax code to a stored copy, and alert users if any change had occurred. “This solution,” Barulli says, “protects the user from malicious code that could be unknowingly executed by his browser, stealing his data and destroying the whole zero-knowledge architecture.” This capability, Barulli suggests, might be provided by an extension to major browsers.

Barulli plans to continue developing these ideas, and urges readers to add their own suggestions, to blog about the ideas on their own sites and forums, and to donate to the campaign. He also asks for help in naming the campaign.

Reactions

So far, Barulli has had only limited responses to his suggestions, and mostly from those who encouraged him in the first place.

When contacted, Stallman discussed the outlines of the challenges that Web applications pose, but declined to discuss solutions in details, explaining, “I am writing my own article about this subject, so I don’t want to write at length about it before that is finished.”

However, Capbianco, who first encouraged Clipperz to move its code to the AGPL, has been more supportive. Capbianco has blogged about Barulli’s suggestions, particularly the concept of zero-knowledge Web applications, and told Linux.com that “I totally agree with Marco about the need for the AGPL.” He advises developers, “If you believe in the open source concept of copyleft, you’d better adopt AGPL as a start, so your community is covered, and any modification made on your code will come back to the community.”

Barulli’s suggestions could be easily implemented if enough people in the FOSS community had the will to do so. However, the problem, as Capbianco says, is that “People aren’t thinking about what is happening. And there are companies making significant money by using open source and not returning the code, and they’re against [suggestions like Barulli’s]. So it’s an uphill battle. But I’m pretty optimistic. The good thing about open source is that good things happen fast.”

Of course, whether events will happen fast enough is another question. And if Barulli and Capbianco are right, the answer could have significant effects on the future of FOSS — perhaps even determining whether FOSS has a future.