I got into this with another set of engineers on Reddit where I discovered there’s a subculture of engineers who don’t believe you can’t actually own code and apparently take a copy of their employer’s source code repository every time they switch jobs.
Edit:
Updated “can actually own code” to “can’t actually own code”
FYI the edit might have made it more confusing, since there's a double negative now. "don't believe you can't actually own code" reads as "believe you can actually own code", which I'm not sure is what you were going for.
One thing I regret is not taking a copy of the code I wrote for another company, so many handy little utility functions I made that I then had to recreate. The transaction costs for b2b are far too high for any reasonable sale, so exfiltration is the utilitarian choice.
That’s still just theft if you’re not a contractor? Full time software employees are doing work for hire. There’s plenty of moral and ideological arguments about theft being morally acceptable in this situation but I was more marveling at the people who thought that taking source code from their company was legally not theft
There are situations where developers emailed/cloud uploaded/took a hard drive of code they had been working on when they left the organization and were looking at prison sentences for theft...not copyright infringement. They didn't even give it to someone or reuse it somewhere. Just the fact of trying to keep it when they left was illegal.
All that to say that in some circumstances taking source code is considered theft.
in my country, copying source code is definitely theft and is contractually enforced. but reproducing similar concepts/architectures from memory happens often
Your jurisdiction may have a law called "IP theft" or it may not, either way the moral category of "theft" does not apply.
(Also, if it was theft this particular example would be theft in the same way that taking a book from someone's recycling bin would be theft: no one is worse off)
1. Suppose the OP did not take the source code files, but memorized the source code and later recalled it from memory. Would that be theft?
2. Suppose the OP neither took the file nor memorized the code, but had photographic memory and replayed the exact visual scenes during their creation of the utility functions and copied down the code from what they saw in their mind's eye. Would that be theft?
3. Suppose the OP was solving a seemingly novel problem and suddenly remembered how they solved the exact same problem when they were employed by company X. Are they obligated to banish this solution from their mind?
For the other examples, it depends but I'm pretty sure a copyright infringement case for either of them wouldn't be immediately thrown out. IANAL but I do know that law is quite fuzzy.
It’s alarming because, in my experience, anything you write for an employer is intellectual property of the company. Unless he wrote that Box demo all on his own time and his own equipment completely outside of work, or Box has some abnormal contract with their employees, he can’t just slap an MIT license onto it and call it open source.
I worked with a few people who were successfully sued by our employer when those people left and brought a “spare time” project/tool with them and tried to publish it. It wasn’t even code we sold or ended up using internally, but was still IP of the company because they wrote it during business hours on a work machine.
Worse than that, many companies have clauses that indicate that any software you write (regardless of whether for the company or not), belongs to them. I don’t know if this would hold up in court, but it’s there in the contract.
It’s pretty hard not to overlap with big tech companies. Everything has been touched internally.
My understanding is the same though. Unfortunately whether a clause is legal or not may matter little - you’ll run out of cash for legal bills before they do. The best defense is probably just that most companies don’t care about your side projects.
Yes, but if we speculate as to the invalidity of the explicitly published license, we basically can't use any foss code on GitHub.
Any reasonable person can expect that the MIT license on this code is valid and authorized by the rightsholder.
Did Uber or Box explicitly agree to release it under an foss license? Is it the author's personal individual copyright made on personal hardware outside of work location/time? Does it predate their employment? Nothing in the article linked indicates clearly that it was written for an employer.
If I am expected to research this for every foss library published on GitHub by someone who works for Big Tech, then we are all capital-f fucked.
It's easiest and sanest to assume that people are not lying.
> Any reasonable person can expect that the MIT license on this code is valid and authorized by the rightsholder.
Yep, that's the reasonable default position.
If however, the author of the code wrote a lengthy article about how they'd developed this code while working for a company (not in their spare time), and you happen to read the article in question... then for that specific repo you might look at it differently.
The article in question doesn't clarify things regarding the Box derived code, nor whether they sought and received permission from Uber prior to publishing. Absent both of those, I'd personally not use code from this repo.
That's just me being risk-averse here, as I don't personally have a use for the code. Others might make different choices. :)
"It's easiest and safest to assume that property is not stolen" is a parallel construction of your argument.
You can assume whatever you want but the cops may not be very impressed.
There are a lot of polite fictions in law, and this is one of them. If you had no reasonable way of knowing that a license was invalid (or property was stolen), the judge is probably going to be sympathetic, but the property will still get returned to its proper owner.
If you DID have a reasonable way to know that the status of the property was suspect (as in this case), they are likely to take a dim view of the situation.
I'm not talking about this code in particular - I am talking about all code presumably written by individuals and posted on GitHub with a LICENSE file saying it's free software.
It is standard, reasonable person practice to use foss-labeled code on GitHub under the presumption that the license is not a lie.
This case is no different.
Nothing in the author's linked story suggests this code is not MIT licensed as the repo claims. It is unreasonable to assume that the license file in the repo is false; nothing available to us supports this assumption.
I think it's reasonable to assume that it belongs wholly to Uber and that he was acting illegally to publish it on github. He even showed us the sofa in the Uber office where he wrote it. He told us his manager asked him to write the code and seemingly had no idea that he'd written a database engine. He told us that they were paranoid of industrial espionage at the time. There seems to be zero reason to suspect that Uber carved out a specific exception to the usual employment contract enabling him to work on and release this code as FOSS while at the company.
Yeah, you want to get rid of uncertainty, but it's here to stay. The whole legal system is not brought to its knees over the fact that no code on GitHub (gasp) is automatically guaranteed to be safe against copyright infringement.
> It is standard, reasonable person practice to use foss-labeled code on GitHub under the presumption that the license is not a lie.
Yes, absolutely: presumption, not certainty. (Nitpicking the phrasing: presumption that the copyright is not a lie, the issue does not even venture into licensing.)
You seem to be using an absence of evidence as evidence of absence.
There's nothing to explicitly suggest that either is the rightsholder; that is another assumption, which is directly counter to the fact that the person who wrote the code posted it alongside an MIT license.
Not when he wrote it for and showed it to Box. Doesn’t matter how he “licensed” it. They would have had good legal standing to come after him. I can’t believe he wrote that on his blog. He should honestly take it down.
> I demoed Box Sums to the Box Notes team at some point, and they nitpicked the UI and implementation details (“What if two people type in the same cell at the same time? They’ll just overwrite each other.” ). Nothing came of it, but I took the code and shoved it into my back pocket for a rainy day.
You can be 99.999% sure unless the engineer went through a long painstaking process to get Box or Uber to open-source and then re-license the code to MIT, it was fully owned under traditional copyright by Box when it was originally authored.
Actually, it gets fairly complicated, because he created a derivative work at Uber with what is likely Box's IP.
Sorta. He has a license (MIT), but no copyright statement. The license is an agreement between the copyright holder and the user. Normally he would have gotten the sign-off from his employer to release this, and this thing would be Copyright: Box, License: MIT. But there's no explicit copyright holder stated, which makes me think that he just uploaded and "licensed" code that he doesn't own.
The code is MIT licensed if and only if the copyright holder - not the author of the story but respectively Box or Uber - explicitly made it MIT licensed. Without a legally binding commitment from these companies, a "license.txt" at the repository can't make it MIT licensed, all it means is that the author is lying about its license. He doesn't own the code (despite writing it) so his "permission" is worse than worthless (by being dangerously misleading) without an explicit blessing by the company - even an implicit "we probably don't care" doesn't cut it.
He could be authorised to open source the company code he wrote. Though, I wouldn’t bet it’s the case there. But Uber has a lot of Open-source projects so they are perhaps allowing engineers to decide themselves.
You can't just re-license intellectual property that someone owns the rights to. EVEN if you authored originally. It's likely Box and Uber own rights to different parts of the IP, under both employment law, and his employment contract.
If we're being generous, the author may have had permission to do so. It's not inconceivable; the code was abandoned. If one of my reports had asked, I would have approved.
I think you might be surprised how easy this process is at some big tech companies. For me the bigger hurdle is getting past a privacy review, not the issue of the license.
What big tech company makes it easy for you to take code written and deployed there while you were employed, and just open-source it?
I know there are big tech firms that own everything you do outside of work, but have a fairly easy process to allow you to release that as open-source.
But this is different, this is about code written for and deployed by the company itself, that isn't part of any corporate open-source strategy.
“Corporate open source strategy” where I work is just having a form that engineers can fill out to request to open source things, and a committee on the other end of the form to sign off. It’s similar to the process for speaking at a conference or publishing on the company blog. Management sometimes steers in the direction of more or less public content, but specific releases are always individual initiative by engineers who want to develop their project in the open. Tech brand wants our name associated with high quality work.
I've only managed small businesses not large ones, but personally I'd be fine 9 times out of 10 with a developer who asked to open source a project they had built an mvp/poc of, but that never got approved to be used at all.
I could even imagine approving of a policy for the open sourcing / licensing of code, where any code that's used or previously used by the company in any way needs to go through an approvals process if anyone wants to open source it, while anything created but never used has a much simpler barrier such as manager agreeing in writing that it's unneeded code and therefore eligible for instant open sourcing under a specific license and specific terms of release.
> "But this is different, this is about code written for and deployed by the company itself"
Written for, yes, but seemingly never deployed (except to the extent that it could be demo'd and rejected). From the article:
> [After looking at a product owned by an unrelated team in the company, he single-handedly decided to make what he thought would be a good add-on or sibling to it] "I demoed Box Sums to the Box Notes team at some point, and they nitpicked the UI and implementation details (“What if two people type in the same cell at the same time? They’ll just overwrite each other.” ). Nothing came of it, but I took the code and shoved it into my back pocket for a rainy day."
It's not impossible "nothing came of it" is a shortened version of "they said it seemed like an awesome tool but too far from the original scope to want to take on and commit to maintaining, and as they said there was no chance that decision would change my manager agreed to sign off on my releasing it under MIT license as is allowed for un-used code."
Story time. In a past life, I tried to open source code I wrote at work. My manager greenlit it, but obviously that wasn't enough. Next thing I know, I'm in a room with a lawyer trying to write a patent. In the end, no patent was filed, and the code was never open sourced. What a waste. Arguably, that was 15+ years ago, it would probably go down differently now...
I do academic research and write a ton of code to support this. In grad school (many years ago) at a Midwestern state school, I try to release some code under GPL and get blocked by the school's tech transfer department. It's a program that was designed to support the lab research we were doing (LIMS, ordering, etc). It wasn't much, but it very much made our lab run better. In the end, they licensed it out to a start up that flamed out. The entire process was messy, but all I really wanted was to release it with a GPL license and get on with my work. That office made my life quite difficult through grad school.
Fast forward a few years and I'm now at Stanford and then later UCSF. I email the tech transfer office about some code I'm planning on publishing, expecting a similar back and forth. It took all of two minutes to get back an email:
> Are you planning on making money with this code? If so, let us know. If not, any open source license is fine with us.
It was a quite refreshing change to deal with institutions that knew what they were doing w.r.t. IP.
You might or might not; it's not like Google polls the shareholders to decide what source license to use for each project. Authority gets delegated and every company is different.
Actually that was the first thing I looked for in the comments, even before finishing the article and seeing he even published the finished code on his own repo (and not box or uber one), under his only name.
Indeed. Having warned against "If you treat the code like a pet for sentimental reasons, you’re working in direct opposition to the interests of the business." He does exactly that.
Who cares about copyright "ownership"? It's a means to an end, more innovation.
When it can't possibly serve that end (again, selling a set of utility methods that would take a dev a few hours to make from spec is impossible) people should discard it.
i understand ownership, but software and code are so easy to copy, transfer and modify that it would be stupid not to do it. it's not like stealing a car. arrr
in other words: ownership of immaterial goods is mostly a scam
Would the world definitely be a worse place if the laws were amended to say "any software developer owns equal IP rights to the code they create as part of their jobs along with the company, so either party can do anything they want with it"?
I'm not sure it would - although it disadvantages the companies compared to the current situation, it's not like they would choose to stop hiring devs to work for them - and that's just a legalisation of the currently unethical behaviour that you think is definitely a worse situation to have?
It massively disadvantages the company. Why pay for software to be built that can just be taken by your software engineers, who form a new company and run a competing product?
Well if that were the situation for all companies, the answer to why pay is the same as it is now - even if it doesn't provide so much of a moat, they have a business need for certain code so they pay in order to have and run that code.
(I'm not sure if it would be better or worse myself, I suspect it might not make much of a difference when everything balances out.)
Why not? Why as a developer wouldn't I go to a VC and say "I have the source and rights to this premade product - fancy giving me some cash to take my team and run it?"