That's what open source is, isn't it? Anyone can use it, including hackers, NSA, etc. Why is it surprising that they, like nearly every other technology company, depend on open source software?
# This tool may be used for legal purposes only. Users take full responsibility
# for any actions performed using this tool. The author accepts no liability
# for damage caused by this tool. If these terms are not acceptable to you, then
# do not use this tool.
#
# In all other respects the GPL version 2 applies:
"The JSLint license is a derivative of the MIT License. The sole modification is the addition of "The Software shall be used for Good, not Evil.""
The story (transcript from a conference):
"About once a year, I get a letter from a lawyer, every year a different lawyer, at a company – I don’t want to embarrass the company by saying their name, so I’ll just say their initials – IBM…
[laughter]
…saying that they want to use something I wrote. Because I put this on everything I write, now. They want to use something that I wrote in something that they wrote, and they were pretty sure they weren’t going to use it for evil, but they couldn’t say for sure about their customers. So could I give them a special license for that?
Of course. So I wrote back – this happened literally two weeks ago – “I give permission for IBM, its customers, partners, and minions, to use JSLint for evil.”
[laughter and applause]
And the attorney wrote back and said: “Thanks very much, Douglas!”"
1) The intent behind the original license doesn't match with what the author intends. This seems to be the likely case. But, there is also the second issue to look at.
2) The violation of the license, assuming the source code was not shared with the clients. This is a direct violation, and through the common use of the term theft when it applies to copyright violation, it matches. Basically, if you don't adhere to my license, you don't have a right to use my code, and as a result, you've effectively "stolen" it.
People like to pretend that even MIT style licenses don't have requirements. They do, and you can violate that license, and by violating, you never had the right to use that code.
Basically...
> Anyone can use it, including hackers, NSA, etc.
Incorrect. Anyone who abides by the license can use it. While that might not seem onerous, it's an important distinction to make. So, considering the code in discussion was licensed under a GPL license (one of them, not sure which), one wonders if they were abiding by the license.
"2) The violation of the license, assuming the source code was not shared with the clients. This is a direct violation, and through the common use of the term theft when it applies to copyright violation, it matches. Basically, if you don't adhere to my license, you don't have a right to use my code, and as a result, you've effectively "stolen" it."
Because you know that the nation states who used the services of this company didn't also receive the source code to the tools, correct?
The intent behind the original licenses doesn't matter. One of the repos[0] had two licenses, the Apache License 2.0 and the LGPL v2.1. If that means it is open source then it is fair play as I don't have the time nor the expertise to go through both licenses. You know who probably didn't either, Hacking Team. They are professional hackers and even if they straight up stole the code the main way they would be caught is if their code leaked. In that scenario, an angry dev would be/currently is the least of their problems.
If it is on GitHub and it is worth using, it will get used. Good and bad people use open source software, it is just a tool, totally neutral.
The intent does matter when answering the original question of why this is surprising. It's because the original author released the code under a license that gave freedoms they didn't intend. It's the original developer suddenly being surprised, and they realize the mistake they made in choosing the license they used.
Popular German blogger and hacker fefe also complained that Hacking Team used his open source code. He now calls for a NOMIL/NOINTL version of the GPL and wants to sit down with a lawyer to create something along these lines, or see if that is possible at all.
Unless I misunderstand, this is software that runs on the target device. Does that count as distribution? Did the victims receive a copy of the license and access to the source code? Is there some kind of infringement case here if we could find someone this was used on?
Once you figure out how to write a software license to prevent this kind of usage, can you work on that 3D printer that will print anything except weapons?
Next on your list is to define "repressive governments" in non-ambiguous terms such that it doesn't include more than half of the world.
You may be able to prevent them _legally_ using your work, but will never prevent them from using your work.
Hackers operate outside of the law. Licensing, conversely, exists only in the legal realm. So I don't see how any licensing scheme can prevent hackers from using his tool, as the author wishes for, other than don't make it open source. We must accept that our open source tools may be used for evil.
The title here is "Hacking Team steals open source code to build Android spy tool", while it seems to me that they didn't "steal" anything. They just used some open-source software to build their tools.
Maybe someone could argue that it is GPL code and there should be redistribution of the code, but this is only towards the client of Hacking Team.
Their use was a violation of the license (GPL v2) of the software at issue. If commercial copyright infringement can be called "theft" then Hacking Team certainly "stole" his code. End users of software, not just the paying clients/spooks, have rights under the original license of his app.
Based on what? Do you know of a single end user client that's complaining that they don't have the source code to the tools? More than likely they do.
Or are you saying that the license applies to the 'end user', the person unknowingly and/or unwillingly being monitored by the injection of this software onto their devices?
Is that really a road you want to go down - that people with no knowledge or consent are still parties to a license? The whole "click through" EULA thing is bad enough. Now I can come along, commit a felony to install something on your computer without your knowledge and you're still a party to the license of the software I installed.
What's funny is that one of Stallman's arguments for GPL over BSD style licenses, i.e. Free vs. Open licenses, is specifically about the code being used for nefarious purposes, like DRM. In this case it's used to create something even more sinister, but by all accounts they are following the licensing by keeping the source open.
So it says more to me about picking a license that you are comfortable with, and understanding that based on that choice it's going to possibly be used in the worst way that you could imagine.
They were correct to leave his name as copyright holder, as doing anything different would mean that they stole his copyright, which they did not.
There is no evidence that they complied with the license. They were hacked and this source code was exposed. I suspect that they were not properly distributing links to the source for the LGPL library they used (especially since it seems like this is Android spyware).
BTW even if they cited the author as the copyright holder... that does not necessarily mean that they were complying with the license, which could definitely be copyright infringement.