Waters Wrap: Open source and storm clouds on the horizon

Regulators and politicians in America and Europe are increasingly concerned about AI—and, by extension, open-source development. Anthony says there are real reasons for concern.

Credit: William Keith

There are programming languages like Python. There are application containers like Kubernetes. There are machine-learning frameworks like TensorFlow. All of these tools are ubiquitous in financial services, and all are examples of open-source tools.

Open-source code is everywhere—not just in the capital markets, but…everywhere.

And while it has taken some time, in recent years, banks and asset managers have warmed to the idea of not just taking from the open-source community, but also giving back. There are many reasons for this sea change, but I’d argue that two—well three—are the leading drivers. First, the Financial Crisis cut tech teams to the bone at a time when a flood of new regulatory reporting requirements came crashing through the door. Second, financial services firms like to talk about their prowess in the field of artificial intelligence, but that evolution has been supercharged by open-source offerings. And third, why reinvent the wheel? (Meaning, cost savings/cutting.)

That’s all probably a bit simplistic, but we’re not writing a book, so let’s just be blunt about it. And if AI and regulation are at (or near) the heart of open-source’s rise, it might then sound antithetical to think that regulation and AI could also kill open-source’s momentum.

Amanda Brock is the CEO of OpenUK, which advocates for open-source technology and standards. She has also served in various advisory roles for the UK government and the United Nations. She’s served on a variety of advisory boards, including for a California-based cybersecurity company. And she’s practiced law for 25 years.

Considering her experience in the fields of open-source, cybersecurity, and law, what she said to one of our reporters—Emma Hilary Gould—jumped out at me:

“We’re at a point in time where we’re seeing people move away from open source because they’re having business concerns. … There are some really meaty, interesting questions that need to be answered around whether open source will survive. It will be very difficult to pull [the open-source code] out, but it would be easier over a longer period of time to replace it, if necessary.”

Emma Hilary spoke with Brock because she was writing a story about an interesting court case taking place in the US. The Software Freedom Conservancy (SFC), a nonprofit advocate of open source, alleges that television manufacturer Vizio violated the terms of the General Public License—a popular open-source license that mandates several provisions—by failing to make its GPL-derived source code public.

Brock is not a n00b—she’s an expert with impressive credentials. Even if you think the SFC’s challenge is doomed to fail, Brock sees more than one storm cloud on the horizon. While the case doesn’t directly involve any capital markets firms, if the SFC is successful, the ripple effect will be wide.

From the story:

In a trial that began on March 25, another open-source non-profit, the Software Freedom Conservancy (SFC), is battling television manufacturer Vizio, alleging that the budget TV-maker violated the terms of GPL by failing to make its GPL-derived source code public. Previous cases of a similar vein were typically brought by the original copyright holder of the code, meaning that federal courts in the US could dismiss the claims under the fair use doctrine that allows courts to excuse instances of copyright infringement if it deemed it was in the public interest.

If the SFC is successful, the case could change the way open-source licenses are litigated, setting a precedent for anyone to bring a case against a company found to be in violation of GPL.

Taken on its own, the SFC-Vizio lawsuit might be easy to ignore if you’re a software developer at a bank, asset manager, exchange, or capital markets vendor. But, as noted before by Brock, there are other forces in motion—both in the US and in Europe—that, when combined, paint a worrisome picture if you believe in the benefits of open-source development.

First—and perhaps most substantially—is the European Union’s Digital Operational Resilience Act. Dora, as it is known, requires companies to take stock of their dependencies on open source as part of the act’s testing program.

Please allow me to once more “open source” from Emma Hilary’s story (but I promise, her deep dive is well worth your time):

John Salmon, a partner at London-based law firm Hogan Lovells, says Dora’s broad definition of an information communication technology service has brought basic software licensing into the fold. “Dora is much bigger than people realize,” he says.

Some suggest the renewed attention on open-source licensing, both from open-source activists and financial regulators and governments, is a by-product of the generative AI boom, which has placed greater scrutiny on the relationship between copyright and technology. (Emphasis my own)

Ah yes…genAI. It’s the topic of the moment, for sure. And regulators and lawmakers are taking notice, too.

Take, for example, a piece of legislation sitting in the US Senate called the Financial Artificial Intelligence Risk Reduction Act, or FAIRR. (Kudos to whoever came up with that staged acronym.) As our Eliot Raman Jones reports, the bill was introduced at the end of last year by John Kennedy (R, Louisiana) and Mark Warner (D, Virginia), two fairly prominent senators sitting on opposite sides of the aisle.

Jack Solowey is a policy analyst at the Cato Institute’s Center for Monetary and Financial Alternatives, which focuses, in part, on artificial intelligence and decentralized finance. Like OpenUK’s Brock, he’s also practiced law, so he’s seen both ends of the spectrum.

Solowey told Eliot that the broad wording of the bill—as it is currently written, though it has a long way to go—potentially makes open-source developers liable for criminal activity based on the reach of the programs. Solowey specifically pointed to OpenAI and its ChatGPT chatbot.

From Eliot’s story (again, worth the full read, I assure you):

Solowey says that while the bill will likely be marked up and changed as it progresses through the legislative system, at present the wording is too vague to not implicate open-source developers. He also notes that FSOC’s powers of regulation are not strong enough to set a solid example. FSOC currently has the authority to make recommendations to other financial regulators to make or enhance regulations, but those recommendations are not binding.

The bill does not specifically account for the potentially unfair scenario of a developer exporting AI models they have coded onto open-source software-sharing platforms like GitHub, which then are used by a third party to game the market. In a post on social network X that he posted last year about the act, Solowey wrote: “To call this bill ‘FAIRR’ is Orwellian.”

And the proposals keep on a-comin’.

In 2021, President Joe Biden issued an Executive Order on cybersecurity. As part of the EO, the White House published a report on its Open-Source Software Security Initiative. Similarly, the European Commission’s Cyber Resilience Act could have a profound impact on open-source developers. And Gary Gensler, chair of the US Securities and Exchange Commission, is also taking a greater interest in AI. While not directly addressing open-source technology, as seen above, open source could get ensnarled should Biden win a second term and Gensler get a few more years at the helm of the SEC. (It should also be noted that the presumptive Republican nominee for November’s presidential election, former president Donald Trump, has said AI might be “the most dangerous thing out there.” Again, not directed at open source, but how often do Biden and Trump find common ground?)

Panic button

Here’s the thing: So many of the smartest, most passionate developers and engineers that I regularly speak with are huge proponents of the open-source ethos (even if they, at times, have trouble convincing the larger C-suite of its benefits). Are there risks? Of course. Then again, every tool, app, or interface has vulnerabilities. Does genAI pose unforeseen risks and massive concerns about intellectual property? Absolutely. That doesn’t mean you pull the emergency brakes.

Regulators and governments face a challenging task: protecting their constituents from unconstrained AI; but AI, at its best, also helps to make people more efficient and effective. In creating rules and laws, they will need to consider the implications for other interconnected forms of technological advancement—improvements that make life better or easier for everyday consumers or for institutional traders…or just ordering a sandwich. We can’t be afraid of tech evolution, but there’s a ton of nuance involved.

As I hammer on about constantly in this biweekly column, everything is connected and the capital markets have changed mostly for the better (but at times for the worse) thanks to smart developers and engineers, who are also just trying to better understand the lay of constantly shifting land.

Cloud. API development. Artificial intelligence. An ever-growing amount of data. More desire for SaaS and managed services. More regulatory requirements. The need for deeper analytics. The need for better visualization tools and UX. They’re all connected. And weeding its way through all these cool new tools and improvements we see in the capital markets is open-source coding.

So regulators need to take a gentle touch when addressing the very real concerns surrounding genAI and machine learning—and, by extension, open source. Put another way, there’s a Japanese word called “niwaki”—it’s more about sculpting, rather than brute force cutting and yanking.

So the question is: Do regulators and politicians have it within themselves when it comes to sculpting laws—can they use niwaki? The SFC-Vizio lawsuit and FAIRR Act will likely give us an early indication of their restraint, or lack thereof.

The image accompanying this column is “Approaching Storm” by William Keith, courtesy of The Met’s open-access program.
