In an open, academic environment, the use of free commercial (“freemium”) and open-source software (“FOSS”) and tools is not unusual. Actually, many researchers, software developers and students embrace the concept of free downloads from the internet. However, while we discussed in the past the risk to the software supply chain of blindly downloading, copy/pasting and incorporating any kind of third-party software, we now need to consider the word “free” – “free” as in “free speech”, not “free” as in “free beer” – and its limitations.
In fact, lots of software are provided to CERN for free, and not just FOSS. But what do they actually mean when they say “free”? Many software providers offer a free download and use scheme to promote their product, attract more users and increase their market share. The devil, as usual, lies in the detail, namely licence conditions. Licence conditions* may stipulate that such a download is only free for personal use, for small teams, for universities or non-profits, or something else – and programming for CERN may or may not fall into these categories. Indeed, reading licence agreements requires advanced philosophical thinking: what is research, in fact? An activity that results in literature published in academic journals, an activity carried out by someone with a PhD, an activity that is internal to CERN only (excluding the possibility to collaborate with universities even)? Believe us, we have seen every school of thought. Suffice to say, pinpointing how CERN’s status should be interpreted in the context of each licence agreement and the extent to which we are really permitted to use so-called “free” licences is a very slippery exercise.
Paywall #1: Beyond personal use. Teamviewer provides a download that is “free for private use”. Obviously, this excludes any professional use, including any use while at CERN or connected to the CERN network. As stipulated in their knowledge base, professional or “commercial” use applies when you provide support to colleagues, when you connect remotely from home to your organisation, for remote maintenance and support purposes, and also for non-profit organisations, if you or another person in the organisation receive a salary from that organisation.
Paywall #2: You++. Slack allows “small” teams to use its service for free but, if you integrate that throughout CERN, “small” becomes “large”. It is probably not surprising that Slack has approached CERN several times suggesting that we may want to purchase a licence to cover the Organization’s “large-scale” use. So ask yourself this, when you use your CERN email address to sign up for Slack, are you also willing to provide a budget code to contribute to this licence?
Paywall #3: Not the full menu. Anaconda, a Python platform, provides free downloads of “thousands of open-source packages and libraries” for “students, academics, and hobbyists”. While “academics” certainly seems to apply to the research environment of CERN, the download comes with additional limitations (e.g. “mirroring rights not included”). Stepping outside what is covered in the “free” envelope can create financial obligations that you might not be aware of or ready to engage with.
Paywall #4: Embedded paywalls. And if this is not enough, Adobe has informed CERN that part of its freely available Creative Cloud software catalogue is not authorised for use any longer. Apparently, some Adobe apps contain copyrighted software or features by third-party companies, and using this software is beyond Adobe’s agreed terms with those third-party companies.
Similarly, CERN was once approached by an external company about using their copyrighted fonts. While their licensing arrangement was quite opaque, the issue arose when redistributing their fonts either as part of an app or publishing them on a website / web app. Curiously, these fonts were distributed by default with a number of different operating systems including the Oculus app development environment “Unity”.
So, if you are a software developer, system architect, programmer, webmaster or friendly hacker, beware: make sure that the software stack you use is legitimate and licensed. Ensure that the tools you employ are either really FOSS (with “free” as in “free speech”!) or that you have the appropriate licence. Refrain from “personal” use if the software/code/product is intended for professional usage. Instead, consider using FOSS alternatives like the EP-SFT group’s software repositories and CERN’s Mattermost instance. And check with us whether CERN already holds the right licence, like we do for Teamviewer: Software-License-Officer@cern.ch.
* Indeed, the deeper we delve into licence conditions, the more convinced we are that “licensing” deserves a new realm of scientific research: how best to obfuscate purposes and utility while maximising financial return in parallel.
_______
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.