A theme that has re-appeared on this blog many times over the years is that of software patents. As I've noted before, they are perhaps the biggest single threat to free software, especially since the decline of Microsoft. Indeed, it's not hard to see software patent lawsuits being filed by Microsoft in the last, desperate stage of that decline in order to inflict the maximum damage on open source.
That's already manifest in its Android licensing strategy. Note, in particular, that it refuses to discuss what exactly Android allegedly infringes upon. This means that it can sign secret deals with companies willing to go along with this ploy, giving the impression that there is a problem, without offering the slightest proof to that effect.
In the EU things are more complicated. According to the European Patent Convention, patents cannot be given for programs "as such", but those two words and the highly-paid ingenuity of lawyers have allowed vast numbers of pseudo-software patents to be granted with the complaisance of the European Patent Office, one of free software's greatest enemies, albeit undeclared.
Software patents are fundamentally incompatible with free software for a variety of reasons. Obviously per-copy licensing fees cannot be paid, since it must be possible to make any number of copies from open source code without paying. Similarly, patent licences usually forbid re-licensing, which is again something that must be possible under free software – for example, allowing re-use of GPL'd code in new programs released under the same licence.
Against that background, I was intrigued to read the following:
Security Innovation, an authority in application and crypto security, today announced the availability of NTRU crypto for free use in open-source software. With its small footprint, high speed, future-proof security, and IEEE and X9 standards adoption, NTRU is poised to become the de facto crypto in the post-RSA world.
RSA and ECC are the two most common public-key crypto systems in use today. At the 2013 Black Hat conference, researchers declared that the math for cracking encryption algorithms could soon become so efficient that it will render the RSA crypto algorithm obsolete. Coupled with the recent NSA tampering allegations on ECC, this mistrust could set up a "cryptopocalypse" with organizations scrambling to retrofit systems with new, yet trusted, public-key crypto systems.
I have seen so many of these announcements that code is "for free use in open-source software" that I was immediately sceptical. But I was intrigued by the next paragraph:
With the GNU Public License (GPL) open source license, NTRU can be confidently deployed in open source products such as web browsers and TLS/SSL servers. For those wishing to incorporate NTRU into a proprietary product, a commercial license is available.
Was that really true, or was this the typical misunderstanding of how GNU GPL code works? I went to NTRU's GitHub page to take a look at the licences. There is a Readme document, which has this to say on the problematic area of patents:
Is NTRU Patented?
Yes. The patents will still be enforced but may be used under the GPL, i.e. under the condition that any work that uses them is also made available under the GPL. The patents and the code implementations are also available under standard commercial terms.
Clearly, I needed to examine the licence more closely. In fact, it is extremely simple:
NTRU Intellectual Property and Reference Source Code Licensing
Security Innovation NTRU cryptographic software invention and reference source code including NTRUCrypt and NTRUSign/PASS is a dual license product and includes open source and standard commercial licensing.
NTRU cryptographic IP and reference software may be used and modified to the needs of the user as long as the user adheres to version two (2) or higher of the GPL License. For details please refer to COPYING-2.txt included in this distribution.
The GPLv2 license may also be found on the gnu.org website at: (http://www.gnu.org/licenses/gpl-2.0.html)
Parties who wish to distribute ntru-crypto, or components thereof, under licenses other than the GPL must obtain a commercial license. Commercial licenses are available using flexible licensing terms on a one time per product fee or running royalty. For details please refer to COMMERCIAL LICENSE.doc included in this distribution.
IANAL, but to my inexpert eye this would seem to get around the usual problems of patents and free software, for the very simple reason that Security Innovation is effectively cancelling its patent claims for any code released under GPL v2, but retaining them for anything else. Specifically, it is not asking for any royalties, and it is allowing re-licensing but only under GNU GPL v2 or higher.
Naturally, I wanted to confirm this impression, and so asked Richard Stallman what he thought of this approach. He hadn't seen the press release quoted above (maybe it would have been a good idea to run it past him...), and he is now investigating further, but his first impressions are good. As he wrote in an email:
It looks like free software to me.
It's important to emphasise that the reason the patent seems to be compatible with the GNU GPL here is that the dual licensing negates the patent, but only for free software. This means that the company is still able to earn money by licensing to non-free software (in fact, it would seem that even free software using other non-GPLv2 (or higher) licences might be required to pay).
As a final point, it's worth noting that such a licence actually turns patents into a powerful weapon against closed code, since it provides benefits that only GPL'd software can enjoy. That's a useful further incentive to adopt this licence. Although I can't see Microsoft doing so, it's possible that other companies that are more friendly to free software might consider licensing software patents they hold under similar terms: effectively free for GPL'd code, but requiring a licence for closed source. This would complement other schemes trying to de-fang software patents for free software, such as the Open Innovation Network. It's certainly an avenue worth exploring, and I'll be interested to hear RMS's thoughts on Security Innovation's approach once he's investigated further.