logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Copilot-GPL-washing.md (13809B)

    

  1. ---
  2. title: GitHub Copilot and open source laundering
  3. date: 2022-06-23
  4. ---
  6. *Disclaimer: I am the founder of a company which competes with GitHub. I am also
  7. a long-time advocate for and developer of free and open source software, with a
  8. broad understanding of free and open source software licensing and philosophy. I
  9. will not name my company in this post to reduce the scope of my conflict of
  10. interest.*
  12. We have seen an explosion in machine learning in the past decade, alongside an
  13. explosion in the popularity of free software. At the same time as FOSS has come
  14. to dominate software and found its place in almost all new software products,
  15. machine learning has increased dramatically in sophistication, facilitating more
  16. natural interactions between humans and computers. However, despite their
  17. parallel rise in computing, these two domains remain philosophically distant.
  19. Though some audaciously-named companies might suggest otherwise, the machine
  20. learning space has enjoyed almost none of the freedoms forwarded by the free and
  21. open source software movement. Much of the actual code related to machine
  22. learning is publicly available, and there are many public access research
  23. papers available for anyone to read. However, the key to machine learning is
  24. access to a high-quality dataset and heaps of computing power to process that
  25. data, and these two resources are still kept under lock and key by almost all
  26. participants in the space.[^1]
  28. [^1]: Shout-out to Mozilla Common Voice, one of the few exceptions to this rule,
  29.   which is an excellent project that has produced a high-quality, freely
  30.   available dataset of voice samples, and used it to develop free models and
  31.   software for text-to-speech and speech recognition.
  33. The essential barrier to entry for machine learning projects is overcoming these
  34. two problems, which are often very costly to secure. A high-quality, well tagged
  35. data set generally requires thousands of hours of labor to produce,[^2] a task
  36. which can potentially cost millions of dollars. Any approach which lowers this
  37. figure is thus very desirable, even if the cost is making ethical compromises.
  38. With Amazon, it takes the form of gig economy exploitation. With GitHub, it
  39. takes the form of disregarding the terms of free software licenses. In the
  40. process, they built a tool which facilitates the large-scale laundering of free
  41. software into non-free software by their customers, who GitHub offers plausible
  42. deniability through an inscrutable algorithm.
  44. [^2]: Typically exploitative labor from low-development countries which the tech
  45.   industry often pretends isn't a hair's breadth away from slavery.
  47. Free software is not an unqualified gift. There are terms for its use and
  48. re-use. Even so-called "liberal" software licenses impose requirements on
  49. re-use, such as attribution. To quote the MIT license:
  51. > Permission is hereby granted [...] subject to the following conditions:
  52. >
  53. > The above copyright notice and this permission notice shall be included in all
  54. > copies or substantial portions of the Software.
  56. Or the equally "liberal" BSD license:
  58. > Redistribution and use in source and binary forms, with or without
  59. > modification, are permitted provided that the following conditions are met:
  60. >
  61. > Redistributions of source code must retain the above copyright notice, this
  62. > list of conditions and the following disclaimer.
  64. On the other end of the spectrum, copyleft licenses such as GNU General Public
  65. License or Mozilla Public License go further, demanding not only attribution for
  66. derivative works, but that such derived works are *also released* with the same
  67. license. Quoting GPL:
  69. > You may convey a work based on the Program, or the modifications to produce it
  70. > from the Program, in the form of source code under the terms of section 4,
  71. > provided that you also meet all of these conditions:
  72. >
  73. > [...]
  74. >
  75. > You must license the entire work, as a whole, under this License to anyone who
  76. > comes into possession of a copy.
  78. And MPL:
  80. > All distribution of Covered Software in Source Code Form, including any
  81. > Modifications that You create or to which You contribute, must be under the
  82. > terms of this License. You must inform recipients that the Source Code Form of
  83. > the Covered Software is governed by the terms of this License, and how they
  84. > can obtain a copy of this License. You may not attempt to alter or restrict
  85. > the recipients' rights in the Source Code Form.
  87. Free software licenses impose obligations on the user through terms governing
  88. attribution, sublicensing, distribution, patents, trademarks, and relationships
  89. with laws like the Digital Millennium Copyright Act. The free software community
  90. is no stranger to the difficulties in enforcing compliance with these
  91. obligations, which some groups view as too onerous. But as onerous as one may
  92. view these obligations to be, one is nevertheless required to comply with them.
  93. If you believe that the force of copyright should protect your proprietary
  94. software, then you must agree that it equally protects open source works,
  95. despite the inconvenience or cost associated with this truth.
  97. GitHub's Copilot is trained on software governed by these terms, and it fails to
  98. uphold them, and enables customers to accidentally fail to uphold these terms
  99. themselves. Some argue about the risks of a "copyleft surprise", wherein someone
  100. incorporates a GPL licensed work into their product and is surprised to find
  101. that they are obligated to release their product under the terms of the GPL as
  102. well. Copilot institutionalizes this risk and any user who wishes to use it to
  103. develop non-free software would be well-advised not to do so, else they may find
  104. themselves legally liable to uphold these terms, perhaps ultimately being
  105. required to release their works under the terms of a license which is
  106. undesirable for their goals.
  108. Essentially, the argument comes down to whether or not the model constitutes a
  109. derivative work of its inputs. Microsoft argues that it does not. However, these
  110. licenses are not specific regarding the means of derivation; the classic
  111. approach of copying and pasting from one project to another need not be the only
  112. means for these terms to apply. The model exists as the result of applying an
  113. algorithm to these inputs, and thus the model itself is a derivative work of its
  114. inputs. The model, then used to create new programs, forwards its obligations to
  115. those works.
  117. All of this assumes the best interpretation of Microsoft's argument, with a
  118. heavy reliance on the fact that the model becomes a general purpose programmer,
  119. having meaningfully learned from its inputs and applying this knowledge to
  120. produce original work. Should a human programmer take the same approach,
  121. studying free software and applying those lessons, but not the code itself, to
  122. original projects, I would agree that their applied knowledge is not creating
  123. derivative works. However, that is not how machine learning works. Machine
  124. learning is essentially a glorified pattern recognition and reproduction engine,
  125. and does not represent a genuine generalization of the learning process. It is
  126. perhaps capable of a limited amount of originality, but is also capable of
  127. degrading to the simple case of copy and paste. Here is an example of Copilot
  128. reproducing, verbatim, a function which is governed by the GPL, and would thus
  129. be governed by its terms:
  131. <video
  132.   src="https://mirror.drewdevault.com/copilot-squareroot.mp4"
  133.   muted autoplay controls></video>
  135. <div class="text-center">
  136.   <small>
  137.     Source: <a href="https://twitter.com/mitsuhiko/status/1410886329924194309">
  138.     Armin Ronacher</a> via Twitter
  139.   </small>
  140. </div>
  142. The license reproduced by Copilot is not correct, neither in form nor function.
  143. This code was not written by V. Petkov and the GPL imposes much stronger
  144. obligations than those suggested by the comment. This small example was
  145. deliberately provoked with a suggestive prompt (this famous function is known as
  146. the "[fast inverse square root]") and the "float Q_", but it's not a stretch to
  147. assume someone can accidentally do something similar with any particularly
  148. unlucky English-language description of their goal.
  150. [fast inverse square root]: https://en.wikipedia.org/wiki/Fast_inverse_square_root
  152. Of course, the use of a suggestive prompt to convince Copilot to print GPL
  153. licensed code suggests another use: deliberately laundering FOSS source code. If
  154. Microsoft's argument holds, then indeed the only thing which is necessary to
  155. legally circumvent a free software license is to teach a machine learning
  156. algorithm to regurgitate a function you want to use.
  158. This is a problem. I have two suggestions to offer to two audiences: one for
  159. GitHub, and another for free software developers who are worried about Copilot.
  161. To GitHub: this is your Oracle v Google moment. You've invested in building a
  162. platform on top of which the open source revolution was built, and leveraging
  163. this platform for this move is a deep betrayal of the community's trust. The law
  164. applies to you, and banking on the fact that the decentralized open source
  165. community will not be able to mount an effective legal challenge to your $7.5B
  166. Microsoft war chest does not change this. The open source community is
  167. astonished, and the astonishment is slowly but surely boiling over into rage as
  168. our concerns fall on deaf ears and you push forward with the Copilot release. I
  169. expect that if the situation does not change, you will find a group motivated
  170. enough to challenge this. The legitimacy of the free software ecosystem may rest
  171. on this problem, and there are many companies who are financially incentivized
  172. to see to it that this legitimacy stands. I am certainly prepared to join a
  173. class action lawsuit as a maintainer, or alongside other companies with
  174. interests in free software making use of our financial resources to facilitate a
  175. lawsuit.
  177. The tool can be improved, probably still in time to avoid the most harmful
  178. effects (harmful to your business, that is) of Copilot. I offer the following
  179. specific suggestions:
  181. 1. Allow GitHub users and repositories to opt-out of being incorporated into the
  182.    model. Better, allow them to opt-in. Do not tie this flag into unrelated
  183.    projects like Software Heritage and the Internet Archive.
  184. 2. Track the software licenses which are incorporated into the model and inform
  185.    users of their obligations with respect to those licenses.
  186. 3. Remove copyleft code from the model entirely, unless you want to make the
  187.    model and its support code free software as well.
  188. 4. Consider compensating the copyright owners of free software projects
  189.    incorporated into the model with a margin from the Copilot usage fees, in
  190.    exchange for a license permitting this use.
  192. Your current model probably needs to be thrown out. The GPL code incorporated
  193. into it entitles anyone who uses it to receive a GPL'd copy of the model for
  194. their own use. It entitles these people to commercial use, to build a competing
  195. product with it. But, it presumably also includes works under incompatible
  196. licenses, such as the CDDL, which is... problematic. The whole thing is a legal
  197. mess.
  199. I cannot speak for the rest of the community that have been hurt by this
  200. project, but for my part, I would be okay with not pursuing the answers to any
  201. of these questions with you in court if you agreed to resolve these problems
  202. now.
  204. And, my advice to free software maintainers who are pissed that their licenses
  205. are being ignored. First, don't use GitHub and your code will not make it into
  206. the model (for now). [I've written before] about why it's generally important
  207. for free software projects to use free software infrastructure, and this only
  208. re-enforces that fact. Furthermore, the old "vote with your wallet" approach is
  209. a good way to show your disfavor. That said, if it occurs to you that you
  210. *don't* actually pay for GitHub, then you may want to take a moment to consider
  211. if the incentives created by that relationship explain this development and may
  212. lead to more unfavorable outcomes for you in the future.
  214. [I've written before]: https://drewdevault.com/2022/03/29/free-software-free-infrastructure.html
  216. You may also be tempted to solve this problem by changing your software licenses
  217. to prohibit this behavior. I'll say upfront that according to Microsoft's
  218. interpretation of the situation (invoking fair use), it doesn't matter to them
  219. which license you use: they'll use your code regardless. In fact, [some
  220. proprietary code] was found to have been incorporated into the model. However, I
  221. still support your efforts to address this in your software licenses, as it
  222. provides an even stronger legal foundation upon which we can reject Copilot.
  224. [some proprietary code]: https://twitter.com/ChrisGr93091552/status/1539731632931803137
  226. I will caution you that the way you approach that clause of your license is
  227. important. Whenever writing or changing a free and open source software license, 
  228. you should consider whether or not it will still qualify as free or open source
  229. after your changes. To be specific, a clause which outright forbids the use of
  230. your code for training a machine learning model will make your software
  231. *non-free*, and I do not recommend this approach. Instead, I would update your
  232. licenses to clarify that incorporating the code into a machine learning model is
  233. considered a form of derived work, and that your license terms apply to the
  234. model and any works produced with that model.
  236. To summarize, I think that GitHub Copilot is a bad idea as designed. It
  237. represents a flagrant disregard of FOSS licensing in of itself, and it enables
  238. similar disregard &mdash; deliberate or otherwise &mdash; among its users. I
  239. hope they will heed my suggestions, and I hope that my words to the free
  240. software community offer some concrete ways to move forward with this problem.