We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

A Service as a Software Substitute (SaaSS) is unjust like proprietary software

00:00

Formal Metadata

Title
A Service as a Software Substitute (SaaSS) is unjust like proprietary software
Subtitle
Thinking carefully about services
Title of Series
Number of Parts
542
Author
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
SaaSS means using a service implemented by someone else as a substitute for running your copy of a program for a computing activity that is entirely your own. It is explained in detail at https://www.gnu.org/philosophy/who-does-that-server-really-serve.en.html. Services where the code is published as free software provides a huge mitigation to SaaSS, but to keep your software freedom, you need to identify it and avoid using it. This talk will first explain some finer points of SaaSS going beyond what is written on gnu.org. I will introduce the concept of the primary purpose of using a service and incidental computing. We will evaluate what parts of some popular services are SaaSS. I will introduce an edge case as an example that the line is not always black and white. The audience will gain confidence in evaluating services they encounter for whether any parts are SaaSS. There has been relatively little attention paid to SaaSS, but it is on the rise especially with AI services. I will suggest some practical cases and approaches for raising the issue of SaaSS. Is there a simpler way to put it? Maybe "That kind of service should only run on your own computer as free software." Publishing free sources for non-SaaSS services is also important and warrants some discussion. If most services aren't SaaSS, why does the FSF recommend the AGPL for all service software? Users of services and society at large deserve the sharing of service software for reasons other than SaaSS which I will discuss.
14
15
43
87
Thumbnail
26:29
146
Thumbnail
18:05
199
207
Thumbnail
22:17
264
278
Thumbnail
30:52
293
Thumbnail
15:53
341
Thumbnail
31:01
354
359
410
Nominal numberWhiteboardSystem callModal logicEmailMessage passingConnected spaceSoftware as a service2 (number)Different (Kate Ryan album)WebsiteComputerWeb serviceServer (computing)Digital photographyInternetworkingBitTelecommunicationMathematicsQuicksortDatabaseSpeech synthesisInformationSoftwareComputer programFreewareSubstitute goodOrder (biology)BackupComputerElectronic mailing listComputer fileLocal ringInformation privacyRevision controlLatent heatQuery languageMereologyFlickrResultantPoint (geometry)Lecture/Conference
Group actionSoftware bugQuicksortBitServer (computing)ComputerEmailSoftwareSoftware developerWeb serviceImage resolutionType theoryRevision controlSource codeProjective planeDigitale VideotechnikSelf-organizationFreewareAreaComputer programProxy serverFunctional (mathematics)CodeContinuous integrationQuery languageVirtual machineField (computer science)Modulare ProgrammierungSystem callForm (programming)Arithmetic meanDatabaseVirtualizationMereologyLine (geometry)Multiplication signTelecommunicationElectronic mailing listNormal (geometry)DebuggerRepository (publishing)Differenz <Mathematik>Level (video gaming)Formal languageLecture/Conference
Server (computing)Web serviceSource codeComputer programSoftwareCodeForm (programming)Complex (psychology)BitQuicksortOperator (mathematics)Condition numberGoodness of fitOperating systemOpen sourceInteractive televisionDifferent (Kate Ryan album)1 (number)ComputerExecution unitLatent heatSearch engine (computing)DatabaseFreewareBusiness modelCovering spaceTerm (mathematics)NumberMereologyFocus (optics)Lecture/Conference
Program flowchart
Transcript: English(auto-generated)
I just have to mention that our board has put out a recruitment call, a call for nominations. We're trying to expand our board. So if you go to FSF.org, it'll be the top news item. It's something I just want to plug before I get started.
We also host another conference in a month. You'll see some information about that, too. So my talk is about SAS, and that stands for public speaking. It takes just a minute, you know.
A service as a software substitute. And what that means is when you run a service, when you use a service, and you use it to substitute for your own computing. And that's a little abstract, so it's best if I give an example.
And the one I like to give is a photo editing service. So say you go to a website, you upload a photo, you tell it you want to turn it black and white. And you click a button, it does it, and then you click download and you've got your photo. Well, that computation done on the server is something that you should control with a program,
with a free photo editing program like GIMP. And so when you use a service like that, you give away your software freedom in a very similar way to using a proprietary program on your computer.
But in some ways it's even worse, because the server operator, it's automatically spyware. It has all your data, and it automatically has a back door to make changes at any time. So in some ways, even worse than proprietary software.
So I want to talk about, that's sort of the basic case, but I'm going to assume you understand software freedom a bit. So I'm going to go into some more other cases. So let's talk about first some basic examples of when something is not SaaS.
So when somebody else is inherently involved in the activity, that's kind of usually a good giveaway. So communication service is an example. Say I want to send you a message across the internet. We need some intermediary to route that message.
It's just I don't have a direct connection to everybody else. So somebody has to provide a service to do that. It's necessary. Another good example is publication. So I give you some data. I send you an email. I say, you can publish it.
Well, there's nothing wrong with you doing that versus me doing that. It's just publishing information. Now, some websites offer multiple services, or they call it one service, but it has many different use cases, and some are SaaS and some aren't.
So let me digress just for a second. This SaaS has nothing to do with the SaaS with two S's. It was kind of meant to be a bad pun, and it didn't work out that great. But just know that when I'm saying SaaS, I'm talking about this SaaS with the three S's,
and you just have to understand by context. So as I was saying, some services have multiple use cases. Some are SaaS, some aren't. An example would be the website Flickr. It's meant to share photos, publication, not SaaS, but then it also has photo editing features. That is SaaS, as I talked about.
So let's move on to another example, a backup service. So a backup service is something people often like to run themselves. So you think, well, is it SaaS? Is it not? Well, if the point of the backup service
is to give you back your files exactly as you gave it to them, then it's not SaaS, because there's no computation there that you should control if you're only hoping to get back the exact same data that you gave it. The result wouldn't be any different. Now, you may want to run that backup service for reasons other than SaaS.
Maybe you think it's more reliable. Maybe you think you have some privacy there. And that's one of the complications with SaaS and services in general, is that there are other concerns besides SaaS that are often very important to people. So it makes it a little difficult to talk about. That's part of the reason I'm talking about it today.
Now, how about the case of a database service, for example, a SQL database service? Well, in this case, SQL queries are actually complex computation.
There's huge manuals for them. Exactly how they work matters to the people using it. They want specific database programs. They care about what the version is running. They care about how that computation is run. So yes, it would be a SaaS if it's a database service. But then think about contrast, a backup service, and a database service.
So say you use a database service, but you use it like a backup service. You just dump some data into a single table, and you just retrieve that table. Well, then you're using it like a backup service, and suddenly it's not SaaS anymore.
So what we have to think about is the primary purpose of how you're using the service. And when I say primary purpose, that brings me to a secondary purpose.
Well, it's not really a secondary purpose that I want to talk about, but let me bring up another example. Say you upload some files to your backup service. And then you say to the backup service, what files do I have? And the backup service returns you a list of files sorted alphabetically.
Well, if you have a list of files on your computer and you wanted it sorted, well, that would be something you would want to do on your computer. You'd want to run the sorting algorithm, something you should control. How it's sorted definitely matters to you. That's your computation.
But then when the backup service does it, well, it has to tell you those files, and it has to sort them somehow. It has to give you to them in some sorted order. So in this case, it's doing computation that is what I call incidental computing.
It's not your primary purpose. Your purpose is just to find out what files are on the backup service. Incidentally, there has to be some computing done in that process, which happens to also be like computing you would do on your own computer if you were running locally. But it's not the primary purpose of using that service, so it wouldn't be SaaS.
Another way to call it was ancillary computing. And so when you pick apart a service and its use cases, this is one way to narrow down the issue to whether something is SaaS or is not SaaS.
Now, for another more complicated example, I've been talking about the computing of an individual person. But groups can come together for a common purpose, form an organization or a project, and then they use a server to collaborate with each other. And an example of this would be like Wikipedia,
which runs, well, MediaWiki and Wikipedia and groups who run MediaWiki. Now, that service has features like document editing, diffing documents, conflict resolution.
Those are the type of computing, if you were working on your own, something you would want to control on your computer, but because you're working collaboratively with a group, you could say it's the group's computing.
It's the group, and that group should be able to control its own computing by running its own server and the software on it. So you could say when you join in with that group, you're a member of that group, and you're collaborating and doing that group's computing, so you can use those sort of features together.
And this is a little bit hard to think about, because sometimes your computing versus a group's computing can get a little blurry sometimes, but it's important to realize and think about. So on to another example.
Think about bug tracking, a bug tracker. This is a very common piece of software that developers use. Now, one way that a bug tracker could work, or does work for some projects,
is they have a mailing list where they say, bugs go to this mailing list. So somebody sends an email to the mailing list saying, I have a bug, and somebody responds and says, yes, I agree, that's a bug. Or somebody says, no, I don't think so, and they discuss it. Well, this is just a form of communication and publication,
like a normal mailing list, and I wouldn't call that SAS. But consider a software like Bugzilla. Well, it doesn't work that way. It's especially with a larger project,
you customize it so that it has maybe even hundreds of fields. And the people who are administering it are doing complicated queries on all of the bugs,
running queries that will modify all the bugs, reassign them, and then it's starting to look like a database with a front end, a complicated database with a front end. And then I would call that SAS. And this, I think, brings up a little bit of a problem
in that it's very difficult to, a lot of software projects want complicated, sophisticated software for their project, but they don't necessarily have the means to run that software like a Bugzilla, because complicated software is complicated to run,
especially as a service. Because you have data, you have backups, you have all of the details of running complicated software. So in that case, it's like, are a lot of projects out there actually running SAS, giving up their freedom?
Well, yes, basically. But it's an area where we have a long way to go. And a good way to deal with that situation is for projects to come together in a larger project that is in their collective interests.
So some of the software I run, or I help run, like the GNU project, where many software packages come together, share the infrastructure that's going to be in all of their interests. And that way, they're doing a group computation together
for a bug tracker. But now this brings me to an example of GitHub. So when I think of GitHub, I look around at the GitHub service, and I think, there are a few features that are clearly SAS.
One, some obvious examples would be continuous integration. That's like they give you a virtual machine and say, run some code on your software. If the code that you're running is their code, then I guess that brings up another topic
of virtual machines, which are not SAS if you control them. And another feature of GitHub would be they have a feature to tell you which functions in two repositories are different. Well, clearly, that would be SAS, because it's parsing the language of the repositories.
It's doing a complicated function level diff on them. And then some other features, I think, would not be SAS, like simply publishing a Git repository. That's just a publication of information, not SAS.
And then their bug tracker, for example. I think in its basic form, it works very much like a simple form, like a mailing list that one person posts, another person replies. And I would call that just a communication service. But I'm not too familiar with all of the advanced features
of GitHub, but I get the suspicion that some of the, maybe, there might be some features of the bug tracker which go into the SAS area when it gets more complicated, when you're an advanced user of all of the features there. So I haven't picked apart every piece of GitHub, and it takes some time to do that analysis, which
I haven't done. But in general, this brings me to the next topic, is that, well, I don't know, how many minutes do I have left? You have? 10 more minutes. 10 minutes? Great. OK, so I think I'm done with some basic examples
of analyzing SAS or not, and I'm happy to talk to people because there sometimes aren't bright lines. And it's a little blurrier than with determining if a piece of software is free or not, but it's not like there isn't blurry lines in that either.
So I think it's just something we have to deal with. It's part of a lot of ethical issues, have their gray areas. And I just happen to be highlighting them. That's all. I don't think it's an inherent problem with SAS at all, with the concept of SAS.
So now I want to bring up one common misconception, is that a service which publishes some free source code that it says it's running means that the users of the service have software freedom. They don't. The users don't control that service. They can't tell it what program to run.
You can only do that with a program on a server you control or on your own computer. And there may be important code that it runs besides what's published. I mean, generally, servers are not publishing the operating system or other things. The first reason I gave is basically the fundamental one,
but some other ones are that. And of course, you can't ever be sure what somebody else's server is doing. You haven't installed the program. You can't be 100% sure. It's different than running your own code on a server you control.
So for services that are not SAS, now I'm going to talk about this idea of publishing source code and think about the difference and the interaction between SAS and the publishing of service source code. So when we think about publishing service source code,
I think about the AGPL, which says you have to publish the source code if it's a service and to the users of it. And what we say is that the publishing of source code benefits the community so that they could use that source code.
That benefit is so important to people being able to use that code that it's worth mandating with the AGPL. And we recommend it for all software that is intended
to be run as a service. In fact, now, not thinking about the SAS issue, but just in general, if I encounter a service and I say, I think, would there be
any reason somebody else besides the server operator would want to run it? If there is, if there's a plausible case of that, I think, well, then are they publishing the source code? If they aren't, why not? I mean, why do they not want to benefit the community?
And another benefit that brings, I think the biggest one is if the service is working well, good. Maybe there's some fundamental services we all rely on, like DNS services.
But then if the service stops working, it adds conditions that people don't want to agree to, it adds, it changes. Well, then the publishing of source code is sort of an insurance policy that somebody else could
start up a new service and users could move over there. And that is so important that I think it's worth considering that in general for any service, which is separate than the SAS issue. And I think if we take a service like GitHub, I think that's obvious. Of course, people would want to run their own GitHub.
So we shouldn't accept a GitHub that doesn't have the service source code published. It's just foolish to subject yourself to the whims of that service operator without having some sort of insurance to go somewhere else, even if you
aren't using it in a SAS way. OK, so I'm going to move on to my next topic, which basically I think the SAS has not gotten enough attention in free software advocacy.
And why hasn't? I think there's lots of reasons. I talked a little bit about the complexity. I think SAS was far less common in the past. Nowadays, most services tend to require non-free software as a client, usually in the form of JavaScript.
And so services in general have caused a lot of problems for software freedom, other problems besides SAS. But like I said, I think SAS needs to get more attention because it's becoming more prevalent. Database services have, in the past few years, become very popular.
Before that, it was much more common to run your own database. A lot of people are relying on these services, which are SAS. And so I think one interesting historical reason for a lack of focus on SAS is that, well, it's
not part of the GPL. It's not part of any license. When the GPL was being drafted, the FSF had its lawyers try and think of a way to add in a provision against SAS, and they couldn't think of a way to do it. So they just didn't. And so when we say the GPL protects your freedom,
well, there's one little hidden asterisk there, as long as you don't give it away in a SAS. And I'd be curious to know some of the lawyers, maybe some lawyers here today, if they still think that's the case, if there's no way to have a SAS provision in a license. I'd be curious to what that is.
I mean, it's the one case, I think, of the FSF saying, here's an important issue. We couldn't write into the license. I haven't heard many people talk about how that could be done, maybe not covering all SAS, but some portion of it. I don't know. I'm not a lawyer, but I would love to hear from some.
So how can you give SAS more attention? I don't have all the answers. It's just a couple ideas. I think number one is just to simply call it out more. When a company has a SAS business model, just say, hey, their business model is SAS. That's taking away people's freedom. That's a very simple way.
Another idea I have is that there's this term self-hosting, which basically seems to cover the idea of SAS plus other things. It's the idea of services run yourself. And sometimes it's even expanded
to just non-services, SAS services that should be run on your own computer and not as a service at all and running themselves. And people call that self-hosting. So the idea of self-hosting covers SAS plus other things. So I think also advocating for self-hosting and saying self-hosting overlaps very well with software
freedom is a way that we can advocate against SAS without having to deal with the complexity of SAS itself, of explaining it fully. And I'm getting to the end of my talk here.
I think those are most of the ideas I want to share. I'd be happy to talk to people afterwards. And one shout out to a specific program, Gnu Units, which is a small SAS that many people use. They ask Google or a search engine to convert between Celsius or Fahrenheit. And there's a program you can do that
on your own computer called Gnu Units. So look it up. And that's all I've got. Thanks for your talk. Thank you very much.