So, I'm here to talk about a very important question, and that's the question, what actually makes a web service free as free software is free. And you know me, I'm Cornelius Schumacher, and I will talk about that.
So, we have the free software definition, and we apply that to our software we run on the desktop, we run ourselves. And this is something which is very established, we understand that, and we enjoy the freedoms of being able to use it for any purpose, we enjoy the freedom to inspect it, to look into it, to change it, to distribute it, to give it to others, and that gives us the freedom to actually have control about our computing. That's the core, we have achieved on the desktop, we have control about what we do on our own, we also have everything we need to help others. So we can give the software, we can change it, we can give it to others even in the changed form, and this gives us all the freedom we take for granted when we are running our own application.
So that's all nice and great, but then there is some struggle. There are all these nice web services, like GitHub, like Facebook, like Twitter, like Dropbox, like Google, and the list is endless. And most of us actually use them, we use them for all kinds of different purposes, and we have more or less problems with that. We had a big debate in KDE about GitHub, for example, to what degree is it okay to use GitHub? Is it actually a good service, a bad service? Is it okay to mirror our software there, to reach more people? Is it okay to actually use it for development? And that's not a clear answer. We had a big debate about that, but what we are lacking is actually the criteria which tell us what web services are okay, and also the criteria for these web services to run them in a free way. That's not an easy answer, because web services are fundamentally different from the software we run ourselves.
So what actually is a web service? In the end, the definition I will use is very simple.
It's using software which is run by somebody else. So we run our desktop applications and a lot of other applications. We run them ourselves on our own computer. We have control about what software we run, we have control about in which way we run it. We have complete control about the data and everything. But when we are running software or when we are using software which is run by somebody else, then there's an interesting balance we have to strike and we have to see how this actually affects the freedoms not only of us, but also of others. And that's what makes web services so complicated.
When I run a web service, then it's simple again because I have all the freedoms, I use free software, I can use free software, and I have the freedoms to change it, to do whatever I want with it. And that's very nice. And that's why a lot of these web service providers like Google, Facebook, et cetera, they all use a lot of free software, because it gives them freedom. But it doesn't necessarily give the user freedom.
And one reason why this is not the case is that there are actually, it's more than one person involved, more than one party involved, and it's different freedoms which might actually be in conflict with each other. So when I use a web service, then there's my own freedom, but there's also the freedom of the operator. And there's also the freedom of other users of this web service, which might come in conflict. So my desire to be in control of the web service or of the software I run and have control about what is happening there might come into conflict with somebody else. So if I run, let's say, a bike shed as a service, and I might want to decide the bike shed is red, I can do that if I run it myself. But if another user is using my same bike shed as a service, then who decides? If another user wants to have another color, who decides? There's no way to satisfy the freedoms of all of the users in the same way.
And that's a fundamental problem with freedom in the context of society or in the freedom in the context of groups of people, that my own freedom is okay. But the interesting question is always when do I reach the freedom of others and then how do I decide that?
Another problem is that freedom might actually be in conflict with other values, like privacy or security. So I might want to be in control of what I'm doing. When I run my own software, I can do that. I can look at my data. I can make sure that I fix all the security issues and I can inspect it and that's fine. If I use a service, it would be nice to have the same freedom again, to look at what is happening there, look at the data, look at the security problems, maybe fix something. But then do I really want that, that I am able to do that? That's okay, but that's the operator role. I don't want random users to be able to inspect what is happening on the service or what data is there. So the freedom to be in control of what is happening there actually is in conflict there with privacy and security.
And so the result of that is actually that free software is not enough. When I'm talking about services, free software is not really the important detail. If the service is running free software or not, it doesn't help me. And there are a couple of reasons actually for that. So one is that running free software on a service is actually not distributing it and that means that most of the free software licenses actually don't apply. So if I run GPL software on my service and modify it, I have no obligation to give the changes to anybody. It's my own freedom. It's like if I modified it myself on my own computer. So the license is not a useful model there to actually make sure that something is free.
Another problem is even if an operator releases the software they use on the service as free software, I still don't really have a guarantee that they are actually running the software.
I can't tell because I can't look into the server and that's a good thing because the service has to be secure and respect privacy. So I don't want users to be able to just log into the server and make sure what software is running and look at everything there. I don't want that. That's not a secure way to run a service. So there's no guarantee even if the service provider releases the software that it's actually the software they run. So I don't have the same elegant mechanism with local software where I can just compile it myself and I can prove it that it's exactly the software I want to run there. So this mechanism doesn't work on servers.
Another problem is that the value of a service in many cases is not actually the software that's running but it's more the data, it's more the configuration, it's the interaction with other users. So even if I would have the complete source code of Facebook, I could run it myself but that would be a pretty depressing thing if I just run Facebook for myself and I can read my own timeline and then I can chat with me or whatever. That's not useful. So free software is not enough there to actually make sure that I have control about what is happening there.
And the other problem is that running services is actually in a lot of cases quite difficult because they have to scale, they have to store a lot of data, they have to interact with a lot of users and I can't run Facebook on my laptop, that's just impossible. And this is another problem which is very elegantly solved in free software I run myself because by definition, if I'm able to run a program on my computer, I'm also able to run a modification of it if I can modify it, if I have the source. For servers, that's not enough.
So free software is not enough to solve all the problems we have with services and there are actually a number of problems we have to solve there. And I will quickly go through the problems which are there. So one problem is terms of service.
Do you know that if you register for a new service, you have to agree to use some terms of service. And in many cases, you probably don't even know what you agree to because nobody reads these 40 pages of legalese. So do I know the conditions? Are they fair or not? In many cases, I don't know. I maybe assume that they are fair or somebody else has read them and told me, okay, that's okay, use it. But even then, I don't even know are the conditions I agree to, then still in effect when I use the service later, I might get an email that something changes but then again, 40 pages of legalese, who reads that? And this is a big problem because the terms of service decide about a lot. Who owns the data, what the company running the service can do with the data and so on. So this might completely destroy my freedom and completely remove my control. I might upload data which I then don't own anymore. And that's just because of the terms of service. Even if the service is running free software, I can create a completely evil service just by putting evil clauses in the terms of service. So this is something, a problem we have to solve.
Another problem is lock-in. That's the business model of many of these services. They want everybody to use their service. Facebook wants to have everybody on the planet to use their tools. The same for Twitter, Google and so on. And then they can sell advertisements or whatever to the billions of users they have. So for them, the business model is lock-in. So you have to use their service and the more difficult it is for you to then leave the service, the better for them because you are locked in, you have to use their service, they can sell your data or whatever. So this is a big problem. How can I switch to another service? That's actually something which gives me control. Which gives me the freedom to choose what I'm doing. And in an extreme case, also the question, can I actually run the service myself? So can I switch it?
How can I get out of this lock-in? And this is actually a big question because in most cases I can't really switch easily because I don't have the software, I don't have the configuration, I don't have the data, there might be no API or something to actually export the data. So I'm locked in and that removes my freedom and my control about what I'm doing with the service. So this problem also has to be solved.
Related to that, I also have the problem that if a service goes out of service, what happens then? Then I'm stuck. I've uploaded all my photos from my last 20 years to this nice photo service. Then from one day to another, they get bought and they shut it down and my data is gone. And I have no control about it. So this is another problem which is related to the problem that I need to have a way how to move out of the service, but it's a special case where I need some kind of plan for sustainability. So how do we solve that? With free software I run myself, again, it's very easy and solved because I have the software and it doesn't matter if the vendor goes out of business or vanishes or whatever because I have the software and I can do whatever I want with it. Not so for a service where I rely on the provider. Another problem which has to be solved.
Then privacy, that's kind of the obvious problem with a lot of the web services we use. Who has access to my data? What happens to my data? Is it sold to advertisers? Is it sold to other companies who do stuff with it? Is it looked at by the government or whatever? I don't know. And that's where in Germany, we have a pretty good situation because of the laws, so there are pretty strong laws in place about what is required to keep the privacy of the users, but that's not the same in every country. And also in Germany, there are many cases where actually it would be good to have more privacy.
So this is something, again, which doesn't happen with software you run yourself because there, your data is on your computer. Nobody else can look at it unless you give the computer to them. With a service, obviously you upload your data so that's something you need to have some regulation to make sure that your privacy is actually respected.
And it's actually even more difficult because there's not only data, but there's also metadata. Who is looking at my data? This information is something only the server provider has. And this is a question, who owns this data? It's very relevant data because I might be interested in who is looking at my profile on GitHub or Facebook or whatever, but how is that handled? And it's valuable data, which service providers also use to sell it to others and that's a valid business model for them. So what happens with metadata? Another problem we have to address.
And another problem a little bit related to the metadata, which I call triple payment, that's kind of what LinkedIn is doing. So it's a free service, you don't have to pay for it. You upload your data. That means you actually pay with your data. Then people look at your profile. It generates more data for LinkedIn. You pay a second time with your metadata. And then to actually see the information who has looked at your profile, you have to pay money. So that LinkedIn gives you this data. Is this a fair model? I doubt it. So this is another problem where I lose a lot of control about what I'm doing with my own data in this case.
Security, that's kind of a general problem. How do you make sure that the system is secure? When I run the software myself, I can look at it, I can make sure that it's secure. If it's a service, I have to trust the service provider.
And the last problem is hackability. Can I actually change hackability in the good sense? Can I actually change the software I'm using when I'm running a service? Can I add a bug, fix a bug, add a feature?
Can I actually do a change and give it to others? That's not easily possible with services. So this is also a problem which needs to be solved.
And all these problems actually have been addressed. There are a couple of solutions people have come up with. And I want to quickly go through a number of possible approaches and then tell you what I'm thinking, where we can go.
The simple solution is just don't use web services. So in this case, we can stop here and go home and everything is fine. But I doubt that this is really a practical solution for most of the people. I'm sure many people or actually all of us use some services of various degrees of freedom. So let's not focus on that but look in some of the more pragmatic approaches.
So one of the most popular approaches I think is the Affero, the Affero General Public License, the GNU license. So this actually closes this loophole, how I talked about earlier, that if you run GNU GPL software on your service, you actually have no obligation to give it to the users. The Affero license fixes that, so that you actually have to do that. But still all the same problems still apply, a license is not good enough because even if people use the Affero license, I can't tell if they are running the code they are releasing.
Another pretty old approach from I think 2008 or something from a Free Software Foundation working group was the Franklin Street Statement on Freedom and Network Services. So that was an attempt to define some criteria what a free web service would be. And they basically say, okay, the service has to be free software and the data has to be free data so I can use it and access it. It's kind of a simplistic way how to address it and I don't think it solves all problems.
Another approach, also from the FSF, is the GNU Ethical Repository Criteria, so that's a definition for their own code-hosting repositories.
And this contains some nice things, that it has to be free software, but it's also focused a lot on stuff which is not really relevant to other services, like the code-hosting approach, and it focuses a lot on that the JavaScript is free and in the biggest categories you have to be able to access the site without using JavaScript and that's something which is also not very practical. This is not realistic I think in current days.
A completely different approach to solve this problem of the terms of service is the website Terms of Service; Didn't Read. This is a nice approach to actually classify terms of service. So this is a crowdsourced initiative where people read the terms of service and then classify it in what are positive things, what are negative things, is it recommended to use the service or not, so you don't have to read the 40 pages of legalese but you get a clear indication, okay, there are these three problems in the terms of service that you give up these things so you can decide for yourself if you want to use it. Unfortunately it's not very active, there is some activity but this certainly needs some more manpower. So if you want to help I can only recommend it and Hugo who is doing that is actually around here so I'll talk to him.
Another approach how to address this is the User Data Manifesto, many of us know that. This is coming from the data perspective and this is defining that you need to have control about your data, you need to be able to get it from the service, that you own it, that you know where it's stored, under which jurisdiction, so you can decide if you want to give it to an American server or a German server or whatever, and the freedom to actually choose the platform so you can get the data and move it to another platform. So this is already a nice approach but focuses mostly on the data and that's not complete, that's not enough.
Another approach, published by Aaron Seigo in 2009 in a blog: he came up with a definition of some freedom services as he calls it and that's four topics. One is specification, that there should be a specification of the API of the service so that you can actually re-implement it; that there's a reference implementation so that it's actually realistic to re-implement it; that privacy is respected; and data integrity, that means that you are able to get the data and you can export it and import it. So that already covers I think a couple of things and it gets to the core of the problem that we need a way how to define how we can actually replace services.
And another initiative I think from two or three years ago from the OpenBit charity, that's a nonprofit organization actually, and they came up with four commands that are free of trusted internet services and this is all about being able to replace it and being able to trust it, so being able to see the source so you can actually look at it and see is it running, what is the code, safe and so on. So this is a nice definition but it also only covers a certain area and it's focused on the source code.
There are other things, like, I don't want to go into details here, but the Electronic Frontier Foundation, they have some definition about, mostly privacy related, what service providers have to do and that's actually similar to a lot what the law says.
So in Germany we have the Federal Data Protection Act which says that you have to minimize data, that you have to document where it starts, which classifies data in different categories and depending on how relevant it is for you personally it's more protected or not, and there are similar rules on the European Union level and the OECD. So this is a pretty complicated field because that's international law and the laws are different in different countries, but there are actually quite a number of laws which help with defining, actually making sure that users have control about what is happening with their data, but we all know that this is still a difficult topic because not everybody has the same laws.
So the question is can we do better than that because none of these attempts has succeeded so far. We don't have this definition of what a free web service is. We haven't really solved all the problems, so the problems of terms of service, of lock-in, of sustainability, of privacy, of metadata, the triple payment thing, security, hackability. So this is a lot of problems and we have all these approaches for some of them but we haven't something which is as effective and good and accepted as the free software definition which we all use and which makes sure that we have all the freedom, which is simple to understand, and I can easily say if I get a piece of software under the GPL I know I have all the freedoms and I can use it for whatever I want, I can change it and so on. For web services this is much more difficult, that's why it needs threads with hundreds of mails when we decide to look into using GitHub as KDE for example. So it would be nice if these discussions would be as easy as they nowadays are with free software I run myself.
So how can we get there? One important thing is we have to keep the freedoms of the users of the web service, that's the goal, but we also have to respect the freedoms of other users and of the operators.
If I operate the service I have the same right to have control about what I'm doing as when I'm a user. So the problem is there that we can't really, we can't do it in the same way as we do it with free software. We need to have some kind of contract defining the interaction with the service. We can't just tell the operator you have to do exactly this but we need something which has a contract on the surface when the interaction happens.
And one way how this could be done, and that's a suggestion. I don't really have the answer here so what I'm presenting to you now is kind of the conclusion of many discussions I had so far and my thoughts and I would like to get your feedback on that and have a discussion about that, how if that's right or how we can proceed with that. And my thinking is that an effective way how to actually make sure that we have the same safeness and we can really be sure about what is going on is some kind of certification. So if a web service could get a stamp, this is a free web service, then we would be on the same level as with free software. We know, okay, GPL, GPL stamp is great, for web services that doesn't help, the GPL thing, but if we have something which could say, okay, he has a contract and under the contract he finds the criteria and the criteria make sure that the web service is free and if the provider fulfills the contract they can put the badge on their website and we have a free web service. So that would be a way how to do that.
And the criteria for that, I think there are five criteria which are really important and the first and most important one is substitutability. I'm not sure if that even is the word but the important thing is that it has to be possible to substitute the service by another one so that you can move to something else.
You can run it yourself or you can go to another provider and that's the counterintuitive thing where of course that's not good for a service provider on first thought because I'm giving up my users if they can easily go to somebody else but that's the same thing when I'm releasing free software. I also give up this natural thinking of, okay, if I give it away for free then how can I earn money? But we know that there are many ways how to earn money with free software.
And to go into a little bit more details, some thoughts what could be more concrete criteria, how to make sure that the service is substitutable. We need some API to access it. We need open protocols so we can actually reimplement things and combine services. Users need to own their data so they actually have the right to substitute the service. We need some provision for succession so if the service closes down there needs to be something in place which makes sure that I still can access the data, get some notification of the data stored in a safe place or whatever. And there needs to be some guarantee that the functionality is actually re-implementable. So one way to guarantee that would be to release the code of the service as free software because then I already have the implementation but it's more than that. So I also have to make sure that for example, I don't know, the legal rights, patents or whatever are not preventing me from re-implementing that.
Three other important criteria, we talked about that. They are a bit more simple and better addressed I think: transparency and privacy and security. So it has to be clear what the terms of use are. We have to minimize storage and processing of personal data. I think that's something which is always good to respect your privacy. That's kind of what is in the German law for example.
It has to be transparent how the data is processed, where it's processed so that I actually know under which jurisdiction it is, if the American government can access it or not. That's some information I would like to have when I'm putting my data somewhere. And for the security, one aspect of that is encryption so that the data is encrypted when I'm accessing the data on the server. So this is not complete but this is kind of, some details about these criteria.
And the last one, I think that's important, a fair model of operation. Because I talked about this triple payment problem, that's not a fair way how to deal with your users. You lose control if you have to pay to access your own data. That's something which takes away freedom from yourself. So to go into a little bit more detail and that's of course something which can be debated. I think paying for a service is perfectly okay. I mean, it costs money to run a service, that's a big problem, it can cost a lot of money. So if users pay money to just access the service, that's something which I think is perfectly fine. But this artificial barrier to your own data, that's something which is not fair because then you don't have access to your own data anymore, you lose control. And no third party advertisements, that's something which is certainly debatable. But I think that's also something you give up control if the service provider shows advertisements on your profile page or somewhere else, your data goes to an advertisement network. That's something which takes control from how you're running the service and how you're using the service.
So to summarize that, I think these are the five criteria we have to address, the substitutability, the transparency, privacy, security and the fair model of operation. And if you can find a way how to put that into a definition, I think we could define something what I'm calling fair web services.
And if we could write this down into something which can be used by service providers to have some certification that they are actually fair web services, this would make it much easier for us to actually decide what services to use and also service providers, what they have to do to offer that.
So that's about it. I'm really interested in your feedback. I would like to know if you see other problems, more problems I haven't addressed. If the problems can be described better, if the solutions, if there are better solutions already, other things we can take into account. What do you think about the criteria for fair web service? What do you think about the idea in general? So I really want to start a discussion basically. It's not the end yet. It's not a finished thing. But I would like to come to something which is finished and polished and we can put into some place where then people can actually use it to decide about what service they use and know if they respect their freedom or not. So I'm here. I'm here for the whole week. Talk to me, please. Send me an email. I have planned a BoF session on Monday at five o'clock. So there we can have an extended discussion. And that's what I wanted to tell you.
Okay, we have essentially zero minutes for discussion but it's lunch, so.
So even with the certification, I'm wondering how would we know that the service provider didn't change things and violate that certification? I mean, it's the same as for the AGPL. We never know whether the code he's executing is really the one he says it's on the AGPL.
Yeah. So there are different kinds of certification. You could start with something like a self certification, then you don't know anything. It's just a statement of intention. But you could go to something like a more real certification.
I mean, there are security certifications, stuff like that, which also involve that somebody audits the code which is running on the server, gets access to the machines, analyzes what is happening there. So these certifications are possible. It's still not a complete guarantee but if there's a contract and there's some organization behind that, I mean, that's something which is not easy to set up. But I think that could be kind of an end goal that there's a real certification which is operating on the level of other certifications which includes auditing and so on. That costs a lot of money. So there has to be a business model behind that. But if it's of value to have such a certification then there is a model to how to pay for that.
I think you should add another point from the user perspective. It is interoperability. If I want to switch from Facebook to Diaspora I want to take my complete timeline, or if I switch from SourceForge to GitHub, I want to take all my code, and it is often not even possible. There's no means to take all your stuff from one service to another and it needs to be covered somehow.
Yeah, that's a good point.
What we want to have is a button on Diaspora which says import my Facebook profile and delete it.
Or the other way around. If Facebook decides to be good, I wouldn't have a problem with that.
Do you think that KDE is the sort of organization you can make this happen? Or are you thinking of a new organization or FSFE or?
I'm not really thinking about a specific organization here at the moment. So KDE e.V. could be such an organization. The FSFE probably would be more appropriate because they are a bit broader in their audience. On the other hand, they have a pretty clear agenda of what they do. So maybe actually a new organization could take care of that.
But I think realistically it probably would be good if one of the organizations addressing more of the policy issues, like the FSF or the FSFE, would do something like that.
Anyone else?
I just want to give you a short feedback. I think it's worth working on it. It's a hard topic. It's not so easy. I was also thinking for years about transparent service and how to deal with that. And certificates are not the nicest thing but still they are worth something. So I just want to encourage you to go on to do something. It's worth doing it. And it helps users in practice because that's where we stand right now. Also just general positives and feedback.
That's great feedback. Thank you.
KDE just launched the most exciting new development, the KDE Store. And everyone should download the official QtCon wallpaper and donate me money. Have you checked if the KDE Store complies with this kind of stuff? Because I'm not convinced it does.
Yeah, I looked at that. I discussed it yesterday a little bit. I mean, these criteria are kind of in flow and it's thinking. So I think the KDE Store does a lot of things to actually address it. Like the agreement which makes sure that if the company goes down or whatever the store goes down, we have the data, that it's free software which is running there. So there are APIs and so on. I think we have to look in a little bit more detail but I mean the KDE Store, I think the intention of the providers of the store I think is to be as free as it can be. So I would hope that there is a pretty natural match but I haven't looked into all the little details.
Yeah, like you say, the intention of the KDE Store is most definitely to be as free as absolutely possible and comply with all of these things. So if a test bed were needed, I think that would be it.
I mean, some things are certainly clear. For example, I'm not so sure about the terms of use.
If that's done in some clear way or not, I haven't registered yet, so I don't know.
No, and that's exactly one of the things that, as far as I remember the terms of service are a bit minimal at the moment but they're also not particularly clear and which would make it a pretty good place to start as a test for what would be a little needed for legal clarity.
Yeah, absolutely.
Okay, last question.
What do you think if the users own the data on the service? They would have to give some kind of license to the one running the server. With Creative Commons or something like this, the right choice when you have in your terms of service, public posts are published under a license for everyone under Creative Commons BY or whatever.
Yeah, that's a very, very difficult question because on one hand it depends on the service, what it does, what it does with the data. I think in most cases probably most of the data is used for some internal use of the service. If data is published, then Creative Commons, I think would be a useful thing and that's actually what I think is part of the User Data Manifesto, that they say that users should be able to choose the license under which data is published. But there's all this middle ground of data which is not really published, it's accessible maybe to other specific users or it's only accessible for the service provider to do some processing and then they come up with that. So that's a very, very difficult question actually. I don't really have a good answer to that yet, sorry.
Okay, so I encourage you to actually show up at Cornelius's BoF, Monday 5 p.m., right?
Right.
Okay, so let's give a hand.
Thank you.