Skip to content

Latest commit

 

History

History
66 lines (56 loc) · 3.37 KB

enforce-gpl-compliance-by-offering-bounties.md

File metadata and controls

66 lines (56 loc) · 3.37 KB
title date tags
Enforce GPL compliance by offering bounties?
2024-09-21
econ-flavored
bounties-in-everything-we-care-about
heuristics
linux
principal-agent-problems

Epistemic status: Very unclear, also I Am Not A Lawyer This Is Not Legal Advice Get Off My Lawn

(N.B.: I"m using "GPL" with broad strokes here, to point at "open source licenses it's straightforward to run afoul of".)

Policing is always hard in a world of limited resources. Especially when one is targeting sophisticated, well-monied criminal organizations, it can take an awful lot of time and effort merely to credibly reveal that wrongdoing has taken place. Would it surprise you if I said the average criminal software organization is probably, on the margin, more sophisticated than the average criminal organization? If so, you should probably expect that the former's crimes are brought to life even less often than the latter's.

Luckily, the world of economics gives us a superweapon against the discovery problem: Bounties. It turns out that simply offering to pay people to bring wrongdoers to justice, incentivizes them to bring wrongdoers to justice. If the bounty scales with the impact of the crime, so much the better for capping large-scale criminal enterprises. And when the crime itself is intricately related to making money, as it so often is in such large-scale enterprises (have you ever heard of a nonprofit drug cartel?), the crime to pay the bounty hunter can come right from the org's own coffers!

Recently I've been pondering the question, "Who actually sues when the GPL is violated, anyway?" Given the scale of the modern-day software industry, I would be shocked if there weren't hundreds of thousands of organizations worldwide violating the GPL with aplomb, out of sheer incompetence than anything else. But I don't think I've ever heard of one of them getting sued, or even settling out of court. We would also expect it to make headlines if some part of a major corporation's code base were copylefted as a result of GPL infection - maybe this secretly drives more "announcements" of companies "donating" software to the public commons than we realize. But, somehow, I doubt it: The rewards are simply too diffuse, and the only people who might substantially financially benefit from strong-arming a corporation into GPL compliance is... another competing corporation. Maybe.

Let's suppose, despite all the saber-rattling the Hacker News folks do, that GPL violation is a crime treated closer to jaywalking or littering than financial fraud. Let's further suppose that you are the author of some GPL-licensed code that has gotten popular - well, to my mind, it might be a very profitable strategy for both you and your colleagues to offer a bounty program of sorts to potential whistleblowers.

Admittedly, this strategy might be less effective if instead of financial remuneration you pursue what the GPL is really about, which is forcing offenders to release yet more GPL code into the world. It hinges upon "I can pay my whistlelowers a slice of the profits I successfully take from the wrongdoer", which ... doesn't play nicely with suing for principle rather than profits.

But consider an alternative scenario, like one where you make the source code for your product availabe, but for viewing or understanding purposes only. A bounty might well pay off handsomely in this scenario indeed.