Vladimir Sedach

Have Emacs - Will Hack

January 16, 2011

The Cloud, SaaS, source code escrow, and the Affero GPL

Topic: Free Software

When making large deployments of commercial software, it is not uncommon for companies to force the suppliers to place the source code of that software into escrow. Escrow might be an option if you are a large corporation, but for most users of SaaS/cloud computing services it is not, and not looking like one anytime soon.

There is nothing stopping your service provider from going bankrupt, being acquired, or deciding to shut down the service. This has already happened when SalesForce acquired SiteMasher (the latter was discontinued), and Twitter acquired DabbleDB - development and new signups ceased, but at least the current users have the comfort of knowing that "In the event we terminate the service, we will provide our customers with at least 60 days advance notice." And then what?

With shrink-wrapped software, you could continue running your existing version. Even if the discontinued software was tied to discontinued hardware, you could keep critical business functions running via judicious maintenance and spare parts suppliers (and later take advantage of emulation technology). This scenario is not uncommon, and of course entirely impossible for a cloud service.

This makes SaaS/cloud computing a big risk for basing your business on. Richard Stallman has criticized the lock-in risks of cloud computing, and there are also security concerns.

I think there is an overlooked strategy for mitigating the risk of hosted software based around the Affero GPL. Releasing your service software as AGPL would eliminate the risk of your service shutting down for your customers, but unlike the GPL or other licenses it would keep your product protected - all competitors using your code would have to release their changes to the public (and to you). There is also the possibility of dual-licensing your code - an "Enterprise" version with the possibility of escrow for large customers, and an AGPL version with less features for smaller customers.

Why not simply provide an escrow clause into the contract with all customers? It will not help the smaller ones - they will certainly lack the knowledge and resources to go through your proprietary system and set it up on their Intranet. This is unlikely to be the case for Free Software that has a lot of users.

As more web services are created and subsequently shut down and their customers burned, the trend will likely shift to moving away from SaaS. I think a Free Software strategy based around the AGPL is a way to avoid a "cloud computing winter."