FSFLA/ blogs/ lxo/ draft/ Avoiding AGPL Abuse

FSFLA

Myself

Blonging for Freedom

This is Alexandre Oliva's personal blog, that does not necessarily represent the opinions held by FSFLA, FSF, AdaCore or any other organization the author may be or may have been associated with, or even by myself, as of now or ever.

See also my home page, where I share my speeches, and follow me on the Fediverse, where I post other thoughts.

I'm also lxo in the GNU Jami P2P network and on IRC (libera.chat, oftc.net, techrights.org), and I have a Tox ID.

This blog has different entries in Portuguese, Spanish, and perhaps in other languages.

Legal matters

The following catch-all copyright notice and permission apply to all documents and postings in this blog that don't contain a copyright notice of their own, and whose copyright can be reasonably assumed to be held by Alexandre Oliva.

Copyright 2007-2025 Alexandre Oliva

Permission is granted to make and distribute verbatim copies of this entire document worldwide without royalty, provided the copyright notice, the document's official URL, and this permission notice are preserved.

The following licensing terms also apply to all documents and postings in this blog that don't contain a copyright notice of their own, or that contain a notice equivalent to the one above, and whose copyright can be reasonably assumed to be held by Alexandre Oliva.

This work is licensed under the Creative Commons License BY-SA (Attribution ShareAlike) 3.0 Unported. To see a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.

Anti-piracy policy

Please do not attack ships, especially while visiting this site!

Avoiding AGPL Abuse

Alexandre Oliva

The Free Software Movement stands for the notion that users deserve control over their own computing, that denying others control over their computing subjugates them and is unethical. The GNU Affero General Public License is a legal tool that defends users' freedoms, but like most tools, it can be misused, and thus deprive users of the freedom they deserve.

Historical context

In order to control one's computing, four freedoms are essential over the software: (0) to run the program for any purpose; (1) to study its source code, so that one can understand how it works, and to adapt it, so it does what the user wishes; (2) to make copies of the program and distribute them; and (3) to improve the program and distribute the improvements. If any of them is denied, the user loses control over the program, and that who controls the program that does someone else's computing gains unjust power over the user.

Free Software is software that respects these freedoms. Copyright reserves these freedoms exclusively to authors, so copyright licenses that respect the essential freedoms are necessary for users to have control over their computing, unless they were to use only software in the public domain or written from scratch by themselves.

Copyleft is a licensing technique that, in addition to respecting the essential freedoms, defends them, by delimiting the permissions it grants so that distribution is only permitted in forms that respect others' freedoms. Other forms of distribution, that would enable the distributor to gain power over downstream recipients, remain prohibited by copyright. The GNU General Public License is where copyleft was first implemented. The GNU GPL has long been a favorite among those who wish to defend users' freedoms.

Server-side software

Network services are neither free nor nonfree, they raise different issues, but consequences of freedom deprivation can be similar to users.

The offering of services as software substitutes, wherein users are enticed to do their computing with programs that run under others' control on remote computers, showed that copyleft couldn't defend users' freedoms when users weren't even offered a copy of the program they used to do their computing. In this kind of service, the users whose freedom ought to be respected are the clients, not the server operator.

Other cases in which programs running on third-party servers mediate communication between users, perform joint computing between server operators and clients, or otherwise perform computing that doesn't pertain (exclusively) to the server operator, the ethical imperative that users deserve control over their computing doesn't apply to the server operators inasmuchas it isn't (exclusively) their computing.

That makes room for respecting and defending remote users' freedoms, and for pursuing other desirable opportunities for transparency, sharing, and cooperation.

Enters the AGPL

Another variant of copyleft was thus introduced, that delimited the permissions on modification, so that the program could only be modified in ways that respected remote users' freedoms, enabling them to get a copy of the modified program's source code, and to run it under their own control, if they so wished. This technique was first implemented as a variant of the GNU GPLv2: the Affero GPL. The GNU GPLv3 brought with it the GNU Affero GPLv3, AGPLv3 for short.

It has been widely adopted among web-native freely-licensed programs, intended to perform users' computing on third-party servers, or to mediate users' interactions through third-party servers.

Through the adoption of the AGPL by such programs, server operators were not allowed to trap and lock in remote users thereof, by depriving them from access to the program and to improvements. Users who know better than to do their computing under someone else's control can obtain a copy of any such program and run it themselves, in freedom, or share the program and improvements to it with other mediation or joint computing server operators and developers, so that everyone benefits, without depriving anyone from control over one's own computing.

But there's a catch

Seeing that the AGPL served its purpose for programs aimed at serving remote users, some started perceiving it as a stronger copyleft, and started recommending it for general use, even on programs and libraries that are not intended to serve remote users, that do local users' computing.

Consider, for example, a web shop(*)[#footnote] server program: it controls a web site that shows products and prices for customers to select and add to shopping carts, and it manages information about payments, shipping, returns and refunds. All of this can be reasonably considered the shop's own computing, not that of its remote customers (to avoid unnecessary distractions and tangents, assume no JavaScript is sent to users, and the server program does strictly no more than what a salesperson would do face-to-face on behalf of an offline shop with a delivery service), so the shop is the user whose freedoms must be respected and, ideally, defended. It would thus be desirable for such a program to be licensed under the GPL.

(By the way, if the shop's web site were to be retargeted from the WWWorst App Store to an installable app, or rather a TRApp, running on the customers' own device, the shop would be exploiting and abusing its customers by demanding them to install and run a remotely-controlled program on their own computer, and by offloading its own computing to the customers' devices without relinquishing control over that computing. But that's a tangent.)

If the web shop server-side program were licensed under the AGPL, then the shop would be required to offer all customers access to its source code, including all improvements it made.

That may seem desirable under certain political positions tangential and often mistaken with that of the Free Software Movement.

But under Free Software philosophy, the ethical imperative is for users to have control over their computing, through respect for the four freedoms essential for this control.

Since the web shop itself is the only user whose computing the program does, requiring the web shop to distribute the program and its private improvements denies it the essential freedoms that it deserves. Freedom is about being entitled to choose whether or not to do something according to one's own values, interests and dispositions; an obligation that removes that choice denies that freedom.

(The GNU GPL doesn't ever require someone to distribute the covered program, it only states that, if one chooses to distribute it, one can do so in certain ways that respect others' freedoms; it doesn't grant permissions for other ways, that may remain prohibited by copyright.)

Room for abuse

A more subtle scenario involves software components intended for integration with larger programs. Say, a component that manages a business's finances, or one that generates downloadable documents that the business must provide to its customers. It could technically make sense to integrate them with the web shop program, but if the web shop is GPLed while any of these components is AGPLed, then the combination as a whole would have to be made available to remote customers, despite doing only the shop's own computing, so it harms the very party whose freedoms ought to be respected.

Licensing under the AGPL code that is meant to do the local user's computing, rather than to serve remote users, is an unintended use case that is prone to abuse, such as enforcement of requirements against users in ways that deny them the very freedoms they deserve, that the licenses were made to defend. It adds insult to injury when copyright holders resort to threats of legal action to enforce this denial of freedom to demand users to buy a nonfree version of the component that further erodes their freedom (rather than buying exceptions).

No easy solution

Unfortunately, discouraging the adoption of the AGPL for components that are not meant for serving remote users would be undesirable: nearly any software component that can be used locally to do one's own computing can also be turned into a Service as a Software Substitute (SaaSS), for remote users.

For example, the aforementioned web shop server program does the shop's own computing, and it runs under the control the user deserves to have, provided that it is the shop itself that runs it. But if some third party were to install the same software to offer web shops as a service to other businesses, that third party would be in control of computing that pertains to its business customers, and then the stricter AGPL requirements would be desirable to enable the business customers to escape the chains of the SaaSS arrangement and attain the freedom they deserve as users.

Neither the GPL nor the AGPL have language to distinguish users whose computing the software performs, who thus deserve control over that computing and thus whose freedoms must be respected as an ethical imperative, from others who merely interact with the program as it carries out somebody else's computing.

Ideally, we'd have a single license combining both GPL and AGPL into one that released users from the stricter AGPL requirements, retaining those of the GPL, when the program does only the user's own computing, despite interacting with remote users.

But copyright permissions cannot delimit execution, because execution is not a right reserved exclusively to the authors. Only licensing agreements, that are contracts rather than one-way license grants, could require users to give up part of their preexisting right to run a program as a precondition to gain access to the program. Besides, constraining freedom 0 would presumably depart from the Free Software Definition, so the result would be nonfree software.

Besides, identifying whose computing a piece of software does is occasionally hard to characterize, and it may even do computing for more than one party, or for no one in particular. A nuanced encoding of this sort of distinction in precise and legally-enforceable terms is likely to remain elusive for the foreseeable future.

Recommendation

Until we find language that could enable the unification of these licenses in a way that doesn't deny the very freedoms we wish to respect and defend, I propose that copyright holders who license their programs under the AGPLv3 commit themselves to refrain from enforcing the stricter AGPLv3 requirements, falling back to the GPLv3 ones, whenever the licensee can show that the software is doing only the licensee's computing, and not any remote user's. Some mechanism to clear specific situations, perhaps with mediation, advice and even adjudication by a third party committed to defending the freedoms of users (I'm thinking of the FSF), would probably be desirable. This might help evolve terms that could end up in a unified strong copyleft license.

(I'd like the final version of this article to propose wording that copyright holders could use to reassure downstream recipients, but I don't have the legal expertise to come up with that. I'd welcome help from willing and aligned legal minds.)

(*) It has been pointed out to me that a web shop is not a great example, because it may legitimately be regarded as customer's or joint computing, making the AGPL a desirable license. I'm looking for a better example that encompasses the various circumstances I wish to discuss.

Copyright 2024 Alexandre Oliva

Permission is NOT YET granted to make and distribute verbatim copies of this entire document worldwide without royalty, provided the copyright notice, the document's official URL, and this permission notice are preserved.

https://www.fsfla.org/blogs/lxo/draft/avoiding-agpl-abuse