Computer Security: Freemium paywalls – CERN

In an open, academic environment, the use of free commercial (“freemium”) and open-source software (“FOSS”) and tools is not unusual. Actually, many researchers, software developers and students embrace the concept of free downloads from the internet. However, while we discussed in the past the risk to the software supply chain of blindly downloading, copy/pasting and incorporating any kind of third-party software, we now need to consider the word “free” – “free” as in “free speech”, not “free” as in “free beer” – and its limitations.

In fact, lots of software is provided to CERN for free, and not just FOSS. But what do they actually mean when they say “free”? Many software providers offer a free download and use scheme to promote their product, attract more users and increase their market share. The devil, as usual, lies in the detail, namely licence conditions. Licence conditions* may stipulate that such a download is only free for personal use, for small teams, for universities or non-profits, or even something else – and programming for CERN may or may not fall into these categories. Indeed, reading licence agreements requires advanced philosophical thinking: what is research, in fact? An activity that results in literature published in academic journals, an exercise carried out by someone with a PhD, an action that is internal to CERN only (excluding even the possibility to collaborate with universities)? Believe us, we have seen every school of thought. Suffice to say, pinpointing how CERN’s status should be interpreted in the context of each licence agreement and the extent to which we are really permitted to make use of so-called “free” licences is a very slippery exercise.

Paywall #1: Beyond personal use. Teamviewer provides a download which is “free for private use”. Obviously, this excludes any professional use, including any use while at CERN or connected to the CERN network. As stipulated in their knowledge base, professional or “commercial” use applies when you provide support to colleagues, when you connect remotely from home to your organisation, for remote maintenance and support purposes, and also for non-profit organisations, if you or another person within the organisation receive a salary from that organisation.

Paywall #2: You++. Slack allows “small” teams to use its service free of charge but, if you integrate that throughout CERN, “small” becomes “large”. It is probably not surprising that Slack has approached CERN several times suggesting that we might want to purchase a licence to cover the Organization’s “large-scale” use. So ask yourself this: when you use your CERN email address to sign up for Slack, are you also willing to provide a budget code to contribute to this licence?

Paywall #3: Not the full menu. Anaconda, a Python platform, provides free downloading of “thousands of open-source packages and libraries” intended for “students, academics, and hobbyists”. While “academics” certainly seems to apply to the research environment of CERN, the download comes with additional limitations (e.g. “mirroring rights not included”). Stepping outside what is covered in the “free” envelope can create financial obligations that you might not be aware of or ready to engage with.

Paywall #4: Embedded paywalls. And if this is not enough, Adobe has informed CERN that part of its freely available Creative Cloud software catalogue is not authorised for use any longer. Apparently, some Adobe apps contain copyrighted software or features by third-party companies, and using this software is beyond Adobe’s agreed terms with those third-party companies.

Similarly, CERN was once approached by an external company about using their copyrighted fonts. While their licensing arrangement was quite opaque, the issue arose when redistributing their fonts, either as part of an app or by publishing them on a website / web app. Curiously, these fonts were distributed by default with a number of different operating systems including the Oculus app development environment “Unity”.

So, if you are a software developer, system architect, programmer, webmaster or friendly hacker, beware: make sure that the software stack you use is legitimate and licensed. Ensure that the tools you employ are either really FOSS (with “free” as in “free speech”!) or that you have the appropriate licence. Refrain from “personal” use if the software/code/product is intended for professional usage. Instead, consider using FOSS alternatives like the EP-SFT group’s software repositories and CERN’s Mattermost instance. And check with us whether CERN already holds the right licence, like we do for Teamviewer: Software-License-Officer@cern.ch.

* Certainly, the deeper we delve into licence conditions, the more convinced we are that “licensing” deserves a new realm of scientific study: how best to obfuscate purposes and utility while maximising financial return in parallel.


Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.
