For the past two years, software engineers and systems administrators from San Jose to Seattle have engaged in the tech industry’s latest rite of passage: reading the news to discover that their employer contributed to something they find unethical. In 2018, Google workers learned of the company’s secret U.S. military contract and state-censorship search project in China from media reports. In February, Microsoft workers signed a letter saying they “did not sign up to develop weapons,” after reports revealed the existence of a $480 million contract between the software giant and the U.S. military. Seven months later, in September, Amazon staff mobilized after finding out how their work on cloud computing supports the oil-and-gas industry.
The next month, the Los Angeles Times reported that Immigrations and Custom Enforcement had renewed a 2016 contract with the code-hosting service GitHub. It seemed like history repeating itself: another backlash, another reckoning.
But GitHub is different.
With 37 million users, GitHub is the largest host of source code in the world. Much of the code hosted on GitHub is open source, meaning it’s accessible, shareable, and modifiable to anyone. Developers join the platform, download one another’s code, then collaborate, improve it, and tweak it for their own projects. Google, Facebook, the federal government, and many other technology firms rely on open-source licensing, a legal framework that lets users borrow ideas and pool together the insights and labor of volunteer developers. GitHub is itself built on open-source tools, and sometimes uses code hosted on the platform to improve itself.
So when news of GitHub’s contract with ICE emerged, its employees weren’t the only ones outraged. Because of the transitive nature of open source, volunteer developers—who host code on the site to share with others—may have unwittingly contributed to the code GitHub furnished for ICE, the agency responsible for enforcing immigration policy. Some were troubled by the idea that their code might in some way be used to help agents detain and deport undocumented migrants. But their outrage—and the backlash to it—reveals existential questions about the very nature of open source.
Richard Schneeman is a software developer in Austin. Since 2012, he’s contributed to Ruby on Rails, an open-source coding software that GitHub has long used as part of its infrastructure. “Since I have contributed to Ruby on Rails, and I know that GitHub is using Ruby on Rails, I know that ICE is directly using my code,” he told me. “When I first found out, I was like, Oh, this has gotta be a mistake, right?”
In December, Schneeman signed an open letter alongside 2,000 other open-source contributors, who called the ICE contract a betrayal of open source’s commitment to “inverting power structures and creating access and opportunities for everyone.”
When reached for comment, a spokesperson for GitHub referred me to an October blog post from the company’s CEO and co-founder, Nat Friedman. The post acknowledges the work GitHub has done to connect and build users, but also points to a tension central to the open-source project. For a project to call itself “open source,” it can’t place restrictions on who can and cannot access it.
Friedman noted that although GitHub is an enormous part of the open-source community, its contract with ICE is for a different product, the GitHub Enterprise Server—a version of the typical GitHub platform retooled for the company using it. Data are hosted on the company’s own servers, access is restricted solely to its own employees, sharing is limited based on internal rules and regulations, and so on.
Friedman explained that GitHub doesn’t know the specifics of how ICE is using the Enterprise product. He maintained a distinction between the open-source repositories the platform is known for and ICE’s “private work” using the Enterprise software. As he argued, interrogating the agency or potentially terminating its contract would compromise Github’s core philosophy.
“A world where developers in one country or every country are required to tell us what type of software they are creating would, in our view, undermine the fundamental rights of software developers,” Friedman wrote in his blog post.
It’s important to note that GitHub has a code of conduct and has removed users from its site for violating those terms. Being unpopular is neither illegal nor a violation of the terms of service.
“Just as Microsoft for more than three decades has licensed Microsoft Word without demanding to know what customers use it to write, we believe it would be wrong for GitHub to demand that software developers tell us what they are using our tools to do,” Friedman wrote. If you place restrictions on who can use open source, is it still open?
Many in the community take a hard line here, arguing that restricting access to source code is, under almost any circumstances, antithetical to the values of open source. In August, the open-source-code-management service Lerna met sudden backlash when it modified its own license to bar ICE, and more than a dozen organizations working with the agency, from the platform. Eric Raymond, a co-founder of the Open Source Initiative, a Palo Alto, California, nonprofit that has championed the open-source movement since 1998, wrote in a blog post that the removal was “destructive of one of the deep norms that keeps the open source community functional—keeping politics separated from our work.” Lerna quickly reversed its decision and apologized.
In response to the GitHub fracas, the developer Coraline Ada Ehmke proposed the Hippocratic License—named for the Hippocratic oath—which caveats traditional open-source licensing with restrictions on uses that “actively and knowingly endanger, harm, or otherwise threaten the physical, mental, economic, or general well-being of underprivileged individuals or groups.” The Open Source Initiative responded by clarifying that it makes no such restrictions on use. “Giving everyone freedom means giving evil people freedom, too,” reads its abridged definition of open source.
“The bargain is that we create something, and we may have the best of intent, but that thing is not always going to be under our own control,” Josh Simmons, the vice president of the Open Source Initiative, told me. “When it’s out of our control, it could be used for good or ill.”
As news of the ICE contract spread, contributors with moral qualms were left with a difficult choice: Stay on what they saw as a compromised platform—or leave and take their work with them, potentially to the shock and anger of the users who rely on constantly updated and maintained repositories. In September, Seth Vargo, a former employee of the Seattle-based software company Chef, deleted his own code from the platform. “I have a moral and ethical obligation to prevent my source from being used for evil,” he wrote in a statement on the GitHub page that once hosted his code.
But the developers I spoke with acknowledged that, on the individual level, source maintainers—those who voluntarily host code and rely on hosted code—can’t do much. These people have no financial or legal ties to the company, but have immense social and ethical ties. What obligation does GitHub—or Microsoft, which bought the company in June 2018 for $7.5 billion—have to nonemployees?
“Source maintainers hold a great deal of power. Not individually, but collectively,” said Don Goodman-Wilson, a former GitHub employee who resigned following the news of the ICE contract. “Because they are the source of almost all of GitHub’s brand goodwill, which is the majority of that $7.5 billion valuation that Microsoft gave them. They didn’t buy them for their technology. They bought them for their goodwill with developers.”
A philosopher and technologist, Goodman-Wilson in October published a blog post titled “Open Source Is Broken.” It was both a recounting of his decision to leave GitHub and an extended argument about the problems with open source. In a phone interview, he framed the current controversy for me using Karl Popper’s “paradox of tolerance,” the notion that for a society to be tolerant, it must wholeheartedly advocate against the views of the intolerant.
GitHub’s greatest asset is a community that allows for open sharing and what’s essentially free labor due to a good-faith assumption. But when the company is no longer aligned with contributors’ own personal value systems, those contributors have few options other than speaking out and potentially removing their own work from the system and moving it to other open-source repositories.
“When the perception of the company is one that hinges on moral values, its users and customers start to have expectations that the company will behave in a certain way,” Jordan Harband, another developer, GitHub contributor, and open-source advocate, told me.“But once you do that, then your behavior is subject to a higher scrutiny that has nothing to do with legality and nothing to do with numbers on a balance sheet.”