
justaprogressive

(7,047 posts)
Tue Apr 28, 2026, 01:58 PM Tuesday

The (other) problem with automatic conversion of free software to proprietary software by Cory Doctorow



Here's an interesting stunt: a project called Malus.sh will take your money, and in exchange, it will ingest any free/open source code you want, refactor that code using an LLM, and spit out a "clean room" version that is freed from all the obligations imposed by the original project's software license:

https://www.404media.co/this-ai-tool-rips-off-open-source-software-without-violating-copyright/?ref=daily-stories-newsletter

Malus was co-created by Mike Nolan, who "researches the political economy of open source software and currently works for the United Nations." Nolan told 404 Media's Emanuel Maiberg that he shipped Malus as a real, live-fire business that will exchange money for an AI service that destroys the commons as a way to alert the free software movement to a serious danger.

As Maiberg writes, Malus relies on a legal precedent set in 1982, in which IBM brought a copyright suit against a small upstart called Columbia Data Products for reverse-engineering an IBM software product. IBM's argument was that Columbia must have copied its code – the copyrightable part of a work of software – in order to reimplement the functionality of that code. Functions aren't copyrightable: copyright protects creative expressions, not the ideas that inspire those expressions. The idea of a computer program that performs a certain algorithm is not copyrightable, but the code that turns that idea into a computer program is copyrightable.

Columbia's successful defense against IBM involved using a "clean room" in which two isolated teams collaborated on the reimplementation. The first team examined the IBM program and wrote a specification for another program that would replicate its functionality. The second team received the specification and turned it into a computer program. The first team did handle IBM software, but they did not create a new work of software. The second team did create a new work of software, but they never handled any IBM code.

This is the model for Malus: it pairs two LLMs, the first of which analyzes a free software program and prepares a specification for a program that performs the identical function. The second program receives that specification and writes a new program.

The Malus FAQ performs a "be as evil as possible" explanation for the purpose of this exercise:

Our proprietary AI robots independently recreate any open source project from scratch. The result? Legally distinct code with corporate-friendly licensing. No attribution. No copyleft. No problems.

This business about "attribution" and "copyleft" is a reference to the terms imposed by some free software licenses. The purpose of free software is to create a commons of user-inspectable, user-modifiable software that anyone can use, improve, and distribute. To achieve this, many free software licenses impose obligations on the people who distribute their code: you are allowed to take the code, improve the code, give it away or sell it, but you have to let other people do the same.

Typically, you have to inform people when there's free software in a package you've distributed (attribution) and supply them with the "source code" (the part that humans read and write, which is then "compiled" into code that a computer can use) on demand, so they can make their own changes. This system of requiring other people to share the things they make out of the code you share with them is sometimes called "copyleft," because it uses copyright, which is normally a system for restricting re-use, to require people not to restrict that use.

Companies love to use free software, but they don't like to share free software. Companies like Vizio raid the commons for software that is collectively created and maintained, then simply refuse to live up to their end of the bargain, violating the license terms and (incorrectly) assuming no one will sue them:

https://pluralistic.net/2021/10/20/vizio-vs-the-world/#dumbcast

Malus's promise, then, is that you can pay them to create fully functional reimplementations of any free/open source software package that your company can treat as proprietary, without any obligations to the commons. You won't even have to attribute the original software project that you knocked off!

This is the risk that Nolan and his partner are trying to awaken the free/open source community to: that our commons is about to be raided by selfish monsters who serve as gut-flora for the immortal colony organisms we call "limited liability corporations," who will steal everything we've built and destroy the social contract we live by.

This is a real problem, but not because of AI. We already have this situation, and it's really bad. Most of the foundational free software projects were created under older licenses that did not contemplate cloud computing and software as a service. The "copyleft" obligations of these licenses are triggered by the distribution of the software – that is, when I send you a copy of the code.

But cloud services don't have to send you the code: when you run Adobe Creative Cloud or Google Docs, the most important code is all resident on corporate servers, and never sent to you, which means that you are not entitled to a copy of the new software that has been built atop our commons. In other words, big companies have "software freedom" (the freedom to use, modify and improve software) and we've got "open source" (the impoverished right to look at the versions of these packages that are sitting on services like Github – itself a division of Microsoft):

https://mako.cc/copyrighteous/libreplanet-2018-keynote

Then there's "tivoization," a tactic for stealing from the commons that wasn't quite invented by Tivo, though they were one of its most notorious abusers. Tivoization happens when you distribute free software as part of a hardware device, then use "digital locks" (sometimes called "technical protection measures") to prevent the owner of this device from running a modified version of the code. With tivoization, I can sell you a device running free software and I can comply with the license by giving you the code, but if you change the code and try to get the device to run it, it will refuse. What's more, "anti-circumvention" laws like Section 1201 of the US Digital Millennium Copyright Act make it a felony to tamper with these digital locks, so it becomes a crime to use modified software on your own device:

https://pluralistic.net/2026/03/16/whittle-a-webserver/#mere-ornaments

There's no question that the tech industry would devour the free software commons if they were allowed to, and the AI threat that Nolan raises with Malus seems alarming, but while there's something to worry about there, I think the risk is being substantially overstated.

That's because copyleft licenses – and indeed, all software licenses – are copyright licenses, and software written by AI is not eligible for a copyright, because nothing made by AI is eligible for copyright:

https://pluralistic.net/2026/03/03/its-a-trap-2/#inheres-at-the-moment-of-fixation

Copyright is awarded solely to works of human authorship. This fact has been repeatedly affirmed by the US Copyright Office, which has fought appeals of this principle all the way to the Supreme Court, which declined to hear the case. That's because the principle that copyright is strictly reserved for human creativity isn't remotely controversial in legal circles. This is just how copyright works.

Which means that the "be evil" version of Malus's business model has a fatal flaw. While the code that Malus produces is indeed "legally distinct" with "no attribution" and "no copyleft," it's not true that there are "no problems." That's because Malus's code doesn't have "corporate-friendly licensing." Far from it: Malus's code has no licensing, because it is born in the public domain and cannot be copyrighted.

In other words, if you're a corporation hoping to use Malus to knock off a free software project so that you can adapt it and distribute it without having to make your modifications available, Malus's code will not suit your needs. If you give me code that Malus produced, you can't stop me from doing anything I want with it. I can sell it. I can give it away. I can make a competing product that reproduces all of your code and sell it at a 99% discount. There's nothing you can do to stop me, any more than you could stop me from giving away the text of a Shakespeare play you sold me. You can't stick a license agreement or terms of service between me and the product that binds me to pretend that your public domain software is copyrighted – that's also not allowed under copyright.

Does that mean that Malus is a meaningless stunt? No, because this automated reimplementation does create some risks to our software commons. A troll who doesn't care about selling software could clone every popular free software project and make public domain versions that would be confusing and maybe demoralizing. Combining these clean-room reimplementations with cloud software or tivoization could create hybrid forms of commons-enclosure that are more virulent than the current strains.

But reimplementation itself is not a risk to free software. Reimplementation is the bedrock of free software. GNU/Linux itself is a reimplementation of AT&T Unix. Free software authors re-implement each other's code all the time, often because they think the license the original code was released under sucks. Literally the coolest free software thing I've seen in the past 12 months included a reimplementation of Raspberry Pi's PIO module to escape from its bullshit patent encumbrances:



Reimplementation is good, actually. And honestly, if corporations are foolish enough to reimplement their code using an LLM, and in so doing, create a vast new commons of public domain software, well, that's not exactly the freesoftwarepocalypse, is it?


https://pluralistic.net/2026/04/23/poison-pill/#kobayashied