Larry Rosen, the FTC, Open Standards, and Why FOSS Matters
Monday, October 04 2004 @ 12:07 PM EDT
Lawrence Rosen submitted a letter to the Federal Trade Commission in response to their request for comments for the upcoming Email Authentication Summit (see 69 Fed. Reg. 55632-36). The Summit isn’t until November 9-10, but written comments were due on September 30. He was kind enough to send me a copy and give me permission to share it with you.
In his letter, he helps the FTC to understand that no spam efforts can work if a goodly portion of the world is not able to use the solution. And if you wish to see some statistics about FOSS use, I heartily recommend reading David Wheeler's "Why Open Source Software/Free Software? Look at the Numbers!", which underlines Rosen's point. Here is the letter as PDF.
His submitted comment relates his experience representing the Apache Foundation, the Free Software Foundation, Open Source Initiative and others in the community in negotiations with Microsoft over the Sender ID licensing dispute, trying to arrive at license terms that would allow everyone to make use of Sender ID. He tells the FTC what the sticky wickets turned out to be that killed a successful resolution. He also explains clearly why open standards must be such that everyone, including the open source community, can use them in order for any effective anti-spam technology to be successful.
********************************
September 29, 2004
VIA EMAIL (authenticationsummit@ftc.gov)
Secretary
Federal Trade Commission
Room 159-H (Annex V)
600 Pennsylvania Ave., NW
Washington, DC 20580
RE: Email Authentication Summit - Comments
Dear Sirs:
I recently attempted to negotiate revisions to Microsoft's patent license for their Sender ID technology on behalf of the Apache Foundation, the Free Software Foundation, Open Source Initiative and others in the open source community. My defined goal was to obtain license terms that would be compatible with open source licensing principles and would thus allow open source implementations of Sender ID.
As of September 8, 2004, there were only two major issues separating us. (1) Microsoft was refusing to allow sublicensing of their patent license and (2) they were insisting upon separate execution of the Microsoft patent license by every distributor of Sender ID implementations.
I was asked to remain available on the evening of September 9, 2004, because "management is reviewing a proposal."
No such proposal came then or ever.
Two weeks later, following several requests for status, Microsoft declared the issue "moot by the working group’s decision to treat PRA and SPF both as optional alternatives and terminate the working group."
Microsoft’s statement is misleading and belies that company’s steadfast refusal to alter their patent license to allow implementations under the GNU General Public License (GPL), the Apache License and other important open source licenses.
I will explain why these licensing issues are show-stoppers for open source, and why the Federal Trade Commission should not treat them as moot.
Sublicensing
Open source development is a continuous process of software modification and improvement by a worldwide community of developers. Companies and individuals anywhere can contribute code, and companies and individuals anywhere can become distributors and/or users of that code.
Most open source licenses are expressly sublicenseable, and the rest are impliedly so. This is intentional. Sublicensing reduces friction in the development and distribution process by allowing each downstream user or distributor to rely exclusively on the grant of rights made by its immediate licensor without having to seek out additional licenses. For software as comprehensive and complex as Linux and Apache, as but two examples, requiring downstream distributors to negotiate additional intellectual property licenses would be impossibly burdensome.
Licensees of open source software expect that they have sublicensed the rights to all intellectual property necessary to make, use, sell, offer for sale, have made, import, or otherwise externally distribute that software, and the open source software market behaves accordingly.
The Apache License, for example, acknowledges that process by expressly stating that its copyright and patent grants are sublicenseable.
Similar provisions are in the GNU General Public License (GPL), the IBM Public License, the Mozilla Public License and the Sun Public License, among many others.
Of course, none of these licenses purport to grant rights to patent claims the licensor doesn’t own or control, and so unanticipated third party patent rights may ultimately take precedence over an open source license. But absent those suddenly-appearing third party patents, open source software is expected to be free of known intellectual property encumbrances that would limit or restrict the freedom for any open source licensee to make, use and distribute copies and derivative works.
The Academic Free License (AFL) and Open Software License (OSL) are even more explicit, offering a specific "warranty of provenance" that "the copyright in and to the Original Work and the patent rights granted herein by Licensor are owned by the Licensor or are sublicensed to You under the terms of this License with the permission of the contributor(s) of those copyrights and patent rights."
Microsoft’s proposed Sender ID patent license is incompatible with these open source licenses because it is not sublicenseable.
Proprietary software vendors are well aware of the value to their customers of obtaining sublicensing rights when they in-license software. For example, nobody would accept Windows or Microsoft Office if Microsoft’s authorized distributors had to seek out additional patent license rights from Microsoft’s suppliers.
Despite repeated requests that they do so, Microsoft has refused to provide any rationale for its refusal to allow sublicensing of their Sender ID patents. Microsoft has already agreed not to charge royalties, so there could be no direct financial motive. The limited scope of their license already protects them from uses broader than specified in their "Caller ID for Email" proposal, so they cannot possibly be afraid of anyone using their patents for purposes other than email authentication. Furthermore, since sublicensing does not nullify or render unenforceable the reciprocity and defensive termination conditions in Microsoft’s patent license, they will have no difficulty later taking action against companies that breach those license conditions, or alternatively, if and when the need arises, dealing with such companies as infringers.
The open source community cannot accept the insertion of additional licensing friction into the open source development and distribution process, particularly when there is no legitimate business purpose served by doing so.
Separate Execution
Microsoft’s proposed Sender ID patent license unnecessarily distinguishes between "End Users" and "Distributors" of software. As I described above, this is inconsistent with open source principles which envision that anyone can become a user or distributor of open source software without seeking additional permission to do so.
Microsoft’s patent license then requires all Distributors, but not End Users, to execute Microsoft's license and thus to notify Microsoft of their intention to implement Sender ID applications.
This requirement to execute an additional license is expressly prohibited by item 7 of the Open Source Definition, which sets the rules for open source licenses: "The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties."
Open Source Initiative has consistently rejected any proposed open source licenses that required licensees to notify a licensor of anything at all. The freedom to create and distribute copies or derivative works of open source software includes the right to do so in private.
Microsoft has provided no rationale for this requirement of their license.
Open Standards
In your notice of the Email Authentication Summit you identified several important reasons why effective spam control technology is in the national interest. The open source community concurs, and members of the Apache Foundation and others in our community have participated diligently in the IETF standard-setting process. But this technology will only be successful if it can be implemented in open source software consistently with open source licensing principles.
This requires an open standard, a term that should be reserved to describe standards that are available to everyone, including the open source community, to implement without royalty requirements or other unacceptable patent license terms and conditions.
Patent licenses, to be compatible with open source, must satisfy the following open standards principles. I note that Microsoft’s patent license for its Sender ID technology could easily satisfy these principles if that company allowed sublicensing and removed the unnecessary requirement for actual execution of a license. I sent them specific proposals for changed wording in their license to allow it to conform to these open standards principles, but they never sent me a new proposal of their own despite continual email correspondence with them for more than a month.
Open Standards Principles
1. Everyone is free to copy and distribute the official specification for an open standard under an open source license.
2. Everyone is free to make or use embodiments of an open standard under unconditional licenses to patent claims necessary to practice that standard.
3. Everyone is free to distribute externally, sell, offer for sale, have made or import embodiments of an open standard under patent licenses that may be conditioned only on reciprocal licenses to any of licensees' patent claims necessary to practice that standard.
4. A patent license for an open standard may be terminated as to any licensee who sues the licensor or any other licensee for infringement of patent claims necessary to practice that standard.
5. All patent licenses necessary to practice an open standard are worldwide, royalty-free, non-exclusive, perpetual and sublicenseable.
Respectfully submitted,
Lawrence E. Rosen
1. I currently serve as general counsel and secretary of Open Source Initiative and have represented many software companies and open source projects. This letter contains my own opinions and does not reflect the official positions of any of the organizations mentioned herein.
2. Emails between Michele Herman of Microsoft and Lawrence Rosen dated September 8, 2004.
3. Email from Michele Herman dated September 9, 2004.
4. Email from Michele Herman to Lawrence Rosen dated September 23, 2004.
5. Apache License, version 2.0, January 2004, sections 2 and 3.
6. The text of all open source licenses referred to in this letter are published at http://www.opensource.ort/licenses
7. Academic Free License (AFL) and Open Software License (OSL), version 2.1, section 7.
8. See http://opensource.org/docs/definition.php.
Authored by: Groklaw Lurker on Monday, October 04 2004 @ 01:00 PM EDT
.
Authored by: Anonymous on Monday, October 04 2004 @ 01:14 PM EDT
Footnote 6 - opensource.ort should be opensource.org
Authored by: Anonymous on Monday, October 04 2004 @ 01:25 PM EDT
An elegant, clearly argued piece, demonstrating how
distortion of markets might occur in subtle, seemingly
reasonable, methods.
It would be interesting (alas, difficult) to see if this
ripples through policy formulation.
The initial move looks ill-advised particularly in the
light of this submission.
Authored by: swkl on Monday, October 04 2004 @ 01:27 PM EDT
Another issue about spam is that it occurs to me a lot of spammers simply cannot
find any other way to earn their living. A slightly higher welfare check or
unemployment insurance payments might go a long way to prevent spam.
This is assuming a lot of spammers are your fellow US citizens.
This comment was loosely prompted by your writing, "In his letter, he helps
the FTC to understand that no spam efforts can work if a goodly portion of the
world is not able to use the solution."
See you
Stephan
Authored by: brian on Monday, October 04 2004 @ 01:30 PM EDT
Microsoft will ramrod this through no matter how much he complains. Complaints
of unfair licensing didn't stop them from re-implementing Kerberos, XML, and any
number of other "standards". To Microsoft a standard is something that
the majority are using and since they are the majority it isn't a standard until
Microsoft implements it in Microsoft's way. In either event, at least he went on
record as opposing it so I guess it isn't all a waste of time...
B.
---
#ifndef IANAL
#define IANAL
#endif
Authored by: Groklaw Lurker on Monday, October 04 2004 @ 01:38 PM EDT
As an Open Source advocate and supporter, I find it difficult to fathom why
Microsoft would withhold these basic and obvious stipulations for SenderID.
However, having witnessed Microsoft playing the role of 'Neighborhood Bully' so
many times in the past, their refusal to even try to generate goodwill in the
FOSS community is not at all surprising.
Microsoft does nothing without a reason. Their rationale for withholding the
clauses necessary to render their SenderID licenses consistent with the OSD is
now and may remain hidden, but it is enough that the FOSS community is aware of
their track record and knows that their reasoning, at the very least, arises out
of a desire to avoid helping the FOSS community and at the worst reflects an
aspect of their agenda for the destruction of the FOSS community.
Sadly, in the long run it is they and their investors who will suffer the
inevitable repercussions that result from their animosity towards us and their
refusal to cooperatively work toward the abolishment of spam.
GL
Authored by: Peter H. Salus on Monday, October 04 2004 @ 01:47 PM EDT
Well, here we are. A succinct, literate letter
that would supply the FTC with something to
endorse as a way of getting M$ to do the
reasonable thing.
Of course, I don't expect either the FTC or M$
to do anything reasonable. After all, this is an
election year, when money counts and the
citizenry doesn't.
---
Peter H. Salus
Authored by: rsmith on Monday, October 04 2004 @ 02:07 PM EDT
What is missing from this letter is a "why you should care" section.
Geeks know that a lot of e-mail is routed through open-source software. A 2004
survey (http://www.falkotimme.com/projects/survey_smtp_032004.php) shows that
sendmail and postfix are the dominating players in this market (62.8% of the
mail servers disregarding unknown servers are running sendmail or postfix).
Microsoft servers are a tiny 3% of e-mail servers. So any solution that cannot
be implemented on open source servers will be very limited in utility. But is
the FTC aware of this? The letter does not make that clear IMHO.
---
Intellectual Property is an oxymoron.
Authored by: fred fleenblat on Monday, October 04 2004 @ 02:19 PM EDT
It was a dark time for the empire. Many algorithms, frozen in carbonite had been delivered into the hands of Jabba the Gates. Determined to rescue them, Eric S. Raymondwalker, Lawrence Rosenbacca, and Pameleia Jones launched a hazardous mission against the Empire using mostly common sense and some advanced anti-FUD missiles.
The Rebel commanders gathered all the friend-of-the-court briefs into a single deposition. Sith Enderle and Laura Didio, who had ordered construction to begin on an even more powerful Death Star logo for AT&T, were making plans to swamp the courts with frivolous patent and copyright lawsuits once and for all.
This caused unrest in the Galactic Senate. Several dozen intellectual property real estate agents, under the leadership of the Rebellious Leader, Count McBride, have declared their intentions to secede from the Republic of Unix and take their SysV with them and go home because they don't want to play anymore.
Their separatist movement made it possible for the limited number of Linux Knights to maintain peace and order in the POSIX galaxy. Senator Hatch, I mean Amidala, the former Queen of Baboon, is returning to Utah to manipulate votes on the critical issue of extending copyrights to INFINITY AND BEYOND!!!!!
Authored by: Anonymous on Monday, October 04 2004 @ 03:04 PM EDT
While we are on the topic of comments on proposed government regulations, groksters may be interested in hearing that the SEC is proposing to use the XBRL XML schema as a format for electronic filings of annual and quarterly reports. See http://www.sec.gov/rules/concept/33-8497.htm.
Among the questions on which the SEC requests comment is the following:
"Although XBRL specification 2.1 is an open standard available on a royalty-free basis, are there limitations on the ability of filers, software providers or others to freely use the specification?"
Note that in Footnote 3, they define "open source" and "closed source" as follows:
"Open source" means that the software can be used by anyone without charge and is being developed in an open and collaborative setting. "Closed source" reporting standards are developed for proprietary or private purposes, and the code is not publicly available.
Authored by: Larry West on Monday, October 04 2004 @ 03:27 PM EDT
Preface: IANAL. A quick web search only indicates the semi-obvious, that
exercise of eminent domain (taking private property) has to be for a public good
(presumably not reasonably achieved by other means), through due process, and
that the owner of the property must be justly compensated.
Assuming there is any actual meat to the patent, and since MS has been willing
to license it for no royalties (only headaches), and that appropriating this
from MS really causes them no harm (actually only benefit, in making their work
a standard), it seems to my naive self that this would be an excellent case for
exercising the right of eminent domain.
Shoot, they take people's homes to build freeways, I'd think a little patent
that's worthless otherwise would be a slam-dunk.
Authored by: geoff lane on Monday, October 04 2004 @ 05:23 PM EDT
Always remember, software patents are not like real patents. They are not
obtained to protect a new idea, they are obtained so that two companies can play
Patent Poker. Suppose company A and B get into a fight, almost certainly in the
end there will be a settlement including patent crosslicensing. If you don't
have any chips you lose the game by default.
As we are seeing, most companies do little or nothing to protect their patent
portfolio. The real problems have occurred when clever lawyers worked out that
there were a lot of patents out there for sale cheaply and a larger number
of stupid companies that would prefer to pay off a blackmailer than defend their
IP.
Authored by: Anonymous on Monday, October 04 2004 @ 09:09 PM EDT
Microsoft is still pushing Sender ID
link
Authored by: Minsk on Monday, October 04 2004 @ 09:38 PM EDT
This is half a joke, but only half a joke. Take it as you will. If it starts a
discussion in how to get F/OSS users more involved in lobbying their respective
governments, I will consider it a victory.
Between the IANAL, and the blatant violation of Open Source and Free Software
guidelines, you really don't want to use this. On the other hand, it is probably
more useful than Beerware licenses...
---
This software is provided free of charge in the hope that it will be useful. Due
to the expansion of software patents in many countries its author or any of its
users, possibly including you, could easily be sued by a third party. Regardless
of the merit of such a lawsuit, defending against it would be extremely
expensive. If you wish to redistribute this software, you must author and send a
letter to an appropriate member of your government describing the risks you do
or could face from software patents. For more information regarding these risks,
see ...
---
Chris
Authored by: RyanEpps on Monday, October 04 2004 @ 09:38 PM EDT
This recent remark made at the Computer History Museum by Bill Gates shows how
open M$ wants everything.
Gates admitted that Linux is a "clear competitor" to Microsoft
operating systems, but in a nod to the site of his remarks, added, "We have
had clear competition in the past. It's a good thing we have museums to document
that."
Authored by: dwheeler on Monday, October 04 2004 @ 11:25 PM EDT
I wrote "Why OSS/FS? Look at the Numbers!", and
I also sent comments to the FTC.
I have reason to; I get a disturbing amount of spam!
Here's what I wrote (speaking as a private citizen
who doesn't appreciate getting spam).
I wrote it in a hurry, to meet the submission deadline,
and some mistakes slipped in.
E.G., I said "NIST" in some places
where I should have said "FTC"
or some such, and once where I said "illegal"
I meant "legal".
I also said things in a more direct way than I might
have said if I'd had longer to think on it.
But I think this message might still be of interest.
I'm very strong on the need for better laws.
Technology is great, but for spam, I believe
there's a need for a combination of technology and law.
Trying to treat spam as only a technology problem
(or only as a legal problem) will not really
solve it long-term; there needs to be laws
as well as technology. And that was
a point I tried to emphasize as strongly as I could.
The second point is similar to Rosen's: for a standard
to be a standard, it has to be implementable by
all relevant parties.
===========================
Here are my comments on email authentication per
your request in the Federal Register, Sep. 15, 2004.
My response is lengthy, but the fundamental issues
are simple:
* [FTC] should urge lawmakers to make spam illegal,
so that technological measures will have legal standing.
Authentication has little anti-spam value without it.
* [FTC] should insist that any anti-spam technical standard
must be implementable by all suppliers of email
infrastructure, both proprietary and open source software.
Thank you.
Here are the details:
In question 1, you ask: "Whether any of the proposed authentication standards
(either alone or in conjunction with other existing technologies) would result
in a significant decrease in the amount of spam received by consumers;"
By themselves, none of these authentication standards will
result in a significant decrease in the amount of spam, and
limiting solutions solely to technological measures will not
help either.
The fundamental problem is that our laws are
antiquated and have not yet caught up to Internet technology.
Fundamentally spam is theft, but one that the laws permit.
Spam steals 8 or more hours a month of my time; why am
I not paid for this theft of my time? Spam steals vast amounts
of computing resources; many organizations have to buy
larger hard drives and network connections solely because
of spam.
There's no point in worrying about authentication as long
as this theft is [legal]. So what if it's authenticated -- it's
authenticated theft. As long as there is no legal way to
respond to the theft, authentication has no value.
Businesses must be able to accept emails from
strangers; it's how they get new business.
Home users must usually accept emails from
long-lost people they knew from years ago.
It's not practical to only accept email from previously
known email addresses. Thus, a spammer can
create a new address for every message, each of
which can be authenticated. And as noted in the Register,
spammers now take over users' machines, and thus
they can send email as that user (and could
authenticate themselves, too).
This doesn't mean that authentication is useless.
Authentication is useful in its own right, especially
for countering phishing attacks, and for eliminating
false "bounce" messages from forged email.
And authentication, when combined with other
anti-spam technology, could have a very slight
impact on spam in the short term. But unless
there are laws forbidding spam, that permit
civil suits and recovery of damages
against spammers, then the
technological measures will not be very effective.
Once there are real anti-spam laws
(instead of the current "you CAN-SPAM
anytime you want to" U.S. laws), then authentication
will be very useful, because it will help to track
down lawbreakers. But as long as theft is
legal, there's no reason to authenticate people
who might not be breaking the law.
Laws are quite possible. The U.S. already forbids
fax spam, and that law was passed for all the same
reasons that email spam should be illegal.
Europe has passed "opt-in" laws
(instead of the worthless "opt-out" laws).
Once most countries pass such laws,
people can decide to simply refuse to accept
email from other countries that don't have or
don't enforce such laws.
The current laws are foolish. It has been
clearly declared, for many years (and including
IETF RFCs) that users should NEVER respond to
so-called "opt-out" messages, since this clearly
marks the respondent as a "real email address"
that spammers will target even harder.
Don't believe the nonsense about it being
impossible to define spam. Other laws have had
definitional issues, and they've been created anyway.
A simple rule would be sending essentially the
same logical message to more than 1000 people without
their prior consent (e.g., by signing up for an email message).
This group must recommend that laws be
passed to forbid spam, and require OPT-IN
(not OPT-OUT) to large lists.
Then the technological measures
will have a chance at being effective, since they can
then help enforce laws instead of social conventions.
Question 3 asks about compatibility with existing software;
questions 7-9 and 29 ask about control of the specification.
All of these questions indirectly deal with a serious problem
that you have no doubt already heard: namely, that
one of the major proposals (Microsoft's) has been
cleverly designed to create market incompatibilities.
Microsoft is encumbering its proposal with what it
calls its "Royalty Free Sender ID Patent License."
Novices might see no problems with this, but
this is simply not a reasonable proposal.
As the careful analysis of Mark Shewmaker
(http://www.imc.org/ietf-mxcomp/mail-archive/msg03514.html)
and others shows, this license is extremely
discriminatory: it is essentially incompatible with
open source software (OSS).
Since a vast amount of the mail
infrastructure is implemented with OSS,
this is unreasonable and extremely discriminatory.
For example, the Apache Software Foundation (ASF)
announced that it couldn't support Sender-ID, at:
http://www.apache.org/foundation/docs/sender-id-position.html
This is important since ASF releases the widely-used
SpamAssassin (as well as the Apache web server).
Any authentication system MUST be implementable
by all major systems. This means that it must
be implementable by all open-source and
proprietary systems. Mere public specification
is not enough; systems must be IMPLEMENTABLE
to be useful, and that includes terms that
permit widespread implementation by all
relevant parties.
Thus, as a private citizen I urge NIST to
clearly articulate that any anti-spam or authentication
standard must be clearly implementable by all
implementations, both proprietary and open source software,
or they should not be made standards.
If NIST makes this clear this would be a
useful result for question #29.
There are, no doubt, other important issues.
But I hope that you find these comments useful.
I wish you well in your deliberations.
--- David A. Wheeler
Authored by: Anonymous on Tuesday, October 05 2004 @ 05:29 AM EDT
Hi,
Since Sendmail has 62% of the market, why don't the developers come up with a
solution to SPAM?
Then give Microsoft a taste of their medicine. Patent the new email
authentication protocol, and licence the patent to any software that is under
the GPL.
Microsoft would be screwed. 62% of the world's email servers stop SPAM. You can
imagine how quickly the other 38% would change over to Sendmail. Microsoft would
have to pay big $$$$ or start selling GPL software.
If I was a Sendmail developer I would have started this a long time ago.
Authored by: heretic on Tuesday, October 05 2004 @ 11:58 AM EDT
http://quote.bloomberg.com/apps/news?pid=10000103&sid=aZ2JnBlm5tOs