Another bit of perspective re: Copilot. This one people will probably like less, but lets do it anyway. Here is what it is like, from my experience, to be having conversations about legal issues and open source when you are an executive. I have no insight or connection to GitHub.
Everything depends on the specifics of who your lawyer is. Ideally, you have an in-house council that is familiar with the specifics of what you do, and the exact work we're talking about. This was my experience from fairly early in the life of a startup.
Lets assume you're working with lawyers that are as good as the ones who worked for Chef. This is a pretty high bar, because we had *excellent* lawyers. So the business decides it wants to do something - in this case, do ML modeling of the source code we host.
Since you have a good lawyer, their job is to *help you get to yes*. This is important - most people think lawyers jobs are to say no. That's because you are usually interacting with lawyers when you're in trouble. That's not what happens in corporate law, usually.
So they would say something like, "well, what kind of output would this copilot thingy produce?" And you would explain how it is being trained against public repos, but in general it probably only reproduces a single function body at most.
Even then, probably only does so verbatim if it has seen the same thing a lot of times. So if it's code that's widely in the zeitgeist, more likely to be repeated, but otherwise, it's probably guessing the answer from multiple sources at once.
But we're getting off topic. You explain to the lawyer what happens. They probably say back to you: "It's probably okay - there is such and such fair use thingy, and so and so copyright thingy, and this case in this jurisdiction". Then they start talking downside risk.
Would we get sued? By whom? How would they prove that a specific line of code from the model, if what you said about widely used snippets being produced verbatim is true, came from a specific place?
They won't likely give a "yes" or "no" answer. They will give you the boundaries of risk. The most common conversation you'll see this in is around things like opt-in or opt-out for things. Always safer to make people opt-in. Business always wants opt-out. Balance of risk.
From there the ball goes back to managements court, unless the lawyer says "this is illegal". This is where people who want cut-and-dried legal answers to these issues are missing the point. Leadership now has to make a judgement call - is what we are doing worth the risk?
This is why something can be "legal", but also be *wrong*. Did leadership take into account how people would feel about how their code is used? Maybe? What barometer would they have to gauge that?
They would probably fall back to things like the license, and the Github TOS. If you licensed your code OSS, and you made the repo public - is it crazy for that to mean you meant the public should be able to see it?
And if you meant for the public to see it, and the lawyer just said it is probably fair use... then why wouldn't we give the world this productivity super power we're building? Who doesn't want better auto-complete? Better inference?
This can lead to what I've come to call (in my own head, anyway) the "policy trap". People *hate* to be forced to make murky ethical decisions. They want cut and dry lines of right and wrong.
If leadership can find a policy to fall back on, they will cling to interpreting that policy like a drowning person clings to a life preserver. We're *right*, because our *policy* says we are! People who think we're monsters don't understand the nuanced glory of it!
So where are the policies Github could fall back on? The open source licenses themselves, and their own terms of service. Both of which, by most lawerly interpretations I've seen, would say to you: "it's probably just fine"
And for most people... that's enough. Because going further requires diving into that non-policy ethical space. Did the people who put that code up under the GPL expect that it would be used for profit in your proprietary machine learning suite? Probably not!
In fact, they probably hoped for the exact opposite outcome - that stuff like your proprietary machine learning suite would for forced to be open source, so that we could all benefit from the knowledge.
But if you bring that up in a leadership meeting, most likely, we're going to be seeking that "yes". The mitigation for it - a pre-emptive opt-in, say, for AI model training - would ruin the go to market. How could we ask permission before we even know if it works?
And if we ask permission, won't competitors know what we're doing? How might people answer before they see the value? Since we're probably allowed to do it anyway, lets wait and see. Just to see if it works?
So you wait. And it works. And it's fucking awesome. And legal says its fine. And when you ask your inner circle of open source advocates (and their CEO, btw, is a legendary open source advocate!) - they say its fine too.
So you ship it, and twitter explodes, and everyone wonders how you could miss such a fucking obvious footgun. How obviously you should be called to do better, because of your massive size and resources.
How you're a bunch of copyright disrespecting, money grubbing ass-hats wearing fucking clown shoes. And in your heart you go: but look at the *policy*! We all agreed it was fine - look at the license! Listen to the *lawyers*!
And like all good twitter kerfuffles, you know this too shall pass. We won't even be talking about Copilot much in six months outside of a very small circle of people who really care about these issues. The hot take and shitpost brigades will move on.
But, dear leader, you should not move on. Instead, you really need to think about how you create a world where the concerns of the communities you serve are heard. How can you balance their concern with your legal right to build a product that does what Copilot does?
You don't *have* to do it. You likely have every legal right to do what you have done. But you should figure it out. It could be an opt-out switch. It could be an AI.txt. It could be so many different things.
But it's a mistake to do nothing, and assume that the crowd will sort it out. Because you built the product. You have the responsibility to shepherd it into the world. As a leader, you have a responsibility to look hard at that criticism, and decide what to do about it.
The right decision probably isn't "turn off copilot". But it also isn't "leave it as it is". But you can either wait for the community to get even more riled up, and create some new norms with you as a straw man villain - or you can figure out how to add the layer of nuance
that the law, and your policies, do not have. Because it's the right thing to do. Not because you have to do it. Because you can do it. And nobody else really can right now.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
