Cory DoctorowApr 23

An interesting stunt: Malus.sh will take your money and in exchange it will ingest any free/open source code you want, refactor that code using an LLM, and spit out a "clean room" version that is freed from all the obligations imposed by the original project's software license:

https://www.404media.co/this-ai-tool-rips-off-open-source-software-without-violating-copyright/?ref=daily-stories-newsletter

-

If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2026/04/23/poison-pill/#kobayashied

1/

Show threadCory DoctorowApr 23

Malus was co-created by Mike Nolan, who "researches the political economy of open source software and currently works for the United Nations." Nolan told 404 Media's Emanuel Maiberg that he shipped Malus as a real, live-fire business that will exchange money for an AI service that destroys the commons as a way to alert the free software movement to a serious danger.

2/

Show threadCory DoctorowApr 23

As Maiberg writes, Malus relies on a precedent set in 1982, when IBM brought a copyright suit against an upstart called Columbia Data Products for reverse-engineering an IBM software product. IBM's argument was that Columbia must have copied its *code* - the copyrightable part of a work of software - in order to reimplement the *functionality* of that code. Functions aren't copyrightable: copyright protects creative expressions, not the ideas that inspire those expressions.

3/

Show threadCory DoctorowApr 23

The *idea* of a computer program that performs a certain algorithm is *not* copyrightable, but the *code* that turns that idea into a computer program *is* copyrightable.

Columbia's successful defense against IBM involved using a "clean room" in which two isolated teams collaborated on the reimplementation.

4/

Show threadCory DoctorowApr 23

The first team examined the IBM program and wrote a specification for *another* program that would replicate its functionality. The second team received the specification and turned it into a computer program. The first team *did* handle IBM software, but they did not create a new work of software. The second team *did* create a new work of software, but they never handled any IBM code.

5/

Show threadCory DoctorowApr 23

This is the model for Malus: it pairs two LLMs, the first of which analyzes a free software program and prepares a specification for a program that performs the identical function. The second program receives that specification and writes a new program.

6/

Show threadCory DoctorowApr 23

The Malus FAQ performs a "be as evil as possible" explanation for the purpose of this exercise:

> Our proprietary AI robots independently recreate any open source project from scratch. The result? Legally distinct code with corporate-friendly licensing. No attribution. No copyleft. No problems.

7/

Show threadCory Doctorow

This business about attribution and copyleft is a reference to the terms imposed by some free software licenses. The point of free software is to create a commons of user-inspectable, user-modifiable software that anyone can use, improve and distribute. To achieve this, many free software licenses impose obligations on the people who distribute their code: you are allowed to take the code, improve the code, give it away or sell it, *but* you have to let other people do the same.

8/

Apr 23 at 12:30pmWeb
Show threadCory DoctorowApr 23

Typically, you have to inform people when there's free software in a package you've distributed (attribution) and supply them with the "source code" (the part that humans read and write, which is then "compiled" into code that a computer can use) on demand, so they can make their own changes.

9/

Show threadCory DoctorowApr 23

This system of requiring other people to share the things they make out of the code you share with them is sometimes called "copyleft," because it uses copyright, which is normally a system for restricting re-use to require people *not* to restrict that use.

Companies *love* to *use* free software, but they don't like to *share* free software.

10/

Show threadCory DoctorowApr 23

Companies like Vizio raid the commons for software that is collectively created and maintained, then simply refuse to live up to their end of the bargain, violating the license terms and (incorrectly) assuming no one will sue them:

https://pluralistic.net/2021/10/20/vizio-vs-the-world/#dumbcast

11/

Pluralistic: 20 Oct 2021 – Pluralistic: Daily links from Cory Doctorow

Show threadCory DoctorowApr 23

Malus's promise, then, is that you can pay them to create fully functional reimplementations of any free/open source software package that your company can treat as proprietary, without any obligations to the commons. You won't even have to attribute the original software project that you knocked off!

12/

Show threadCory DoctorowApr 23

This is the risk that Nolan and his partner are trying to awaken the free/open source community to: that our commons is about to be raided by selfish monsters who serve as gut-flora for the immortal colony organisms we call "limited liability corporations," who will steal everything we've built and destroy the social contract we live by.

13/

Show threadCory DoctorowApr 23

This is a real problem, but not because of AI. We *already* have this situation, and it's *really bad*. Most of the foundational free software projects were created under older licenses that did not contemplate cloud computing and software as a service. The "copyleft" obligations of these licenses are triggered by the *distribution* of the software - that is, when I send you a copy of the code.

14/

Show threadCory DoctorowApr 23

But cloud services don't have to send you the code: when you run Adobe Creative Cloud or Google Docs, the most important code is all resident on corporate servers, and never sent to you, which means that you are not entitled to a copy of the new software that has been built atop of our commons.

15/

Show threadCory DoctorowApr 23

In other words, big companies have "software freedom" (the freedom to use, modify and improve software) and we've got "open source" (the impoverished right to look at the versions of these packages that are sitting on services like Github - itself a division of Microsoft):

https://mako.cc/copyrighteous/libreplanet-2018-keynote

Then there's "tivoization," a tactic for stealing from the commons that wasn't *quite* invented by Tivo, though they were one of its most notorious abusers.

16/

How markets coopted free software’s most powerful weapon (LibrePlanet 2018 Keynote)

Several months ago, I gave the closing keynote address at LibrePlanet 2018. The talk was about the thing that scares me most about the future of free culture, free software, and peer production. A …

copyrighteous
Show threadCory DoctorowApr 23

Tivoization happens when you distribute free software as part of a hardware device, then use "digital locks" (sometimes called "technical protection measures") to prevent the owner of this device from running a modified version of the code. With tivoization, I can sell you a device running free software and I can comply with the license by giving you the code, but if you change the code and try to get the device to run it, it will refuse.

17/

Show threadCory DoctorowApr 23

What's more, "anti-circumention" laws like Section 1201 of the US Digital Millennium Copyright Act make it a *felony* to tamper with these digital locks, so it becomes a *crime* to use modified software on your own device:

https://pluralistic.net/2026/03/16/whittle-a-webserver/#mere-ornaments

18/

Pluralistic: Tools vs uses (16 Mar 2026) – Pluralistic: Daily links from Cory Doctorow

Show threadCory DoctorowApr 23

There's no question that the tech industry would devour the free software commons if they were allowed to, and the AI threat that Nolan raises with Malus seems alarming, but while there's *something* to worry about there, I think the risk is being substantially overstated.

19/

Show threadCory DoctorowApr 23

That's because copyleft licenses - and indeed, all software licenses - are *copyright* licenses, and *software written by AI is not eligible for a copyright*, because *nothing made by AI is eligible for copyright*:

https://pluralistic.net/2026/03/03/its-a-trap-2/#inheres-at-the-moment-of-fixation

Copyright is awarded *solely* to works of *human* authorship.

20/

Pluralistic: Supreme Court saves artists from AI (03 Mar 2026) – Pluralistic: Daily links from Cory Doctorow

Show threadCory DoctorowApr 23

This fact has been repeatedly affirmed by the US Copyright Office, which has fought appeals of this principle all the way to the Supreme Court, which declined to hear the case. That's because the principle that copyright is strictly reserved for human creativity isn't remotely controversial in legal circles. This is just how copyright works.

21/

Show threadCory DoctorowApr 23

Which means that the "be evil" version of Malus's business model has a fatal flaw. While the code that Malus produces is indeed "legally distinct" with "no attribution" and "no copyleft," it's not true that there are "no problems." That's because Malus's code doesn't have "corporate-friendly licensing." Far from it: Malus's code has *no* licensing, because it is born in the public domain and *cannot be copyrighted.*

22/

Show threadCory DoctorowApr 23

In other words, if you're a corporation hoping to use Malus to knock off a free software project so that you can adapt it and distribute it without having to make your modifications available, Malus's code will not suit your needs. If you give me code that Malus produced, *you can't stop me from doing anything I want with it*. I can sell it. I can give it away. I can make a competing product that reproduces all of your code and sell it at a 99% discount.

23/

Show threadCory DoctorowApr 23

There's nothing you can do to stop me, any more than you could stop me from giving away the text of a Shakespeare play you sold me. You can't stick a license agreement or terms of service between me and the product that binds me to *pretend* that your public domain software is copyrighted - that's *also* not allowed under copyright.

24/

Show threadCory DoctorowApr 23

Does that mean that Malus is a meaningless stunt? No, because this automated reimplementation *does* create *some* risks to our software commons. A troll who doesn't care about selling software could clone every popular free software project and make public domain versions that would be confusing and maybe demoralizing.

25/

Show threadCory DoctorowApr 23

Combining these clean-room reimplementations with cloud software or tivoization could create hybrid forms of commons-enclosure that are more virulent than the current strains.

But reimplementation itself is *not a risk to free software*. Reimplementation is the *bedrock* of free software. GNU/Linux itself is a reimplementation of AT&T Unix.

26/

Show threadCory DoctorowApr 23

Free software authors re-implement each other's code all the time, often because they think the license the original code was released under sucks. Literally the coolest free software thing I've seen in the past 12 months included a reimplementation of Raspberry Pi's PIO module to escape from its bullshit patent encumbrances:

https://youtu.be/BbWWGkyIBGM?si=vO5zLH3OG5JLW7OP&t=2253

27/

39c3 - Xous: A Pure-Rust Rethink of the Embedded Operating System

YouTube
Show threadCory DoctorowApr 23

Reimplementation is *good, actually*. And honestly, if corporations are foolish enough to reimplement their code using an LLM, and in so doing, create a vast *new* commons of public domain software, well, that's not exactly the freesoftwarepocalypse, is it?

28/

Show threadJonas VautherinApr 27
@pluralistic
There are two things I don't get: first, the corporation is fine with Malus if it doesn't distribute the code (cloud or compiled binary), isn't it? And second, if it distributes readable code (not sure how readable minified JavaScript is, for instance), then how do the users know it is not copyrighted? If I look at random code on the Internet, either it explicitly says that it is open source, or I have to assume it is copyrighted, right?