Software Governance and Automobiles - Session 1d
Industry Transformation: From Metal-Benders to Software Companies, by Jeremiah Foster
EBEN MOGLEN: So, Jeremiah Foster, for those of you who don’t know him, is a local boy, a New England product in a global industry–the community manager for the GENIVI Alliance and an open-source technologist at Luxoft, and that means right in the middle of the nitty-gritty of all of this. And, the person I know best who has fought the, “you know, you really ought to think about GPLv3 in your cars” wars in the most deep and lengthy and profound way in this complicated industry. So, that’s the last voice that we need so that we can really have the conversation. Jeremiah.
JEREMIAH FOSTER: Thanks so much, Eben. These events are amazing, I’ve been working in the automotive industry for, I think, close to ten years, and this is the first time that I’ve actually spoken directly with a lawyer from an automotive company, and I haven’t even spoken with him yet. Excuse me–and now he’s going to sue me because I spilled water on the mouse. Okay. I can’t speak extemporaneously like Eben, so I need slides as a crutch, plus in this industry the cars that are made nowadays and the concepts are so amazing that it makes any presentation look really great. So, I’m cheating, but, hey…
We’re up and running. So, I don’t know how Professor Moglen does it… But he seems to have the ability to create thematic presentations. The fall event that they usually have has been remarkable in getting–without much explicit intention–to getting presenters to speak in a way that the talks actually connect a great deal, and I think this one is connected a great deal. I’m really grateful for Daniel to show up today. It’s fantastic, and I can’t tell you how important it is to hear actually from somebody who actually knows this industry very well. And, of course, Mr. Shuttleworth, somebody who has done so much for free software–I was at a talk he gave, I think it was in 2004 in Gothenburg, Sweden, before Ubuntu was launched, and, if you ever get a chance to see him speak, as you have, but always do. He gave a talk that was intertwined about his trip to space and what we need in the free software community, and that was the launch of Ubuntu–it was one of the best. So, thank you so much, and don’t worry, your English is tremendous and nobody speaks English as well as Professor Moglen, by the way. No shame there. [LAUGHTER]
I want to make it abundantly clear that you can feel free to rip me off, this is sort-of virtue signaling because I’ve ripped other people off.
So, off we go. What the heck is going on? Why are we here? What does it matter? I mean, I think the big thing is digitalization. There are a bunch of other things: electrification, ECU consolidation–there are a whole bunch of industry buzzwords that are fundamentally transforming automaking and its very foundation from a materials science, from an engineering, mechanical engineering driven industry into a software-driven industry. This may seem obvious, but it’s truly profound. This, I think, Eben was talking about twentieth century versus twenty-first century business models, and here we are. This, of course, doesn’t scale, but it certainly is almost an idyllic view of the days of yore.
Here we are today, already we’ve lost a lot of freedom. This system down here is in Gothenburg, Sweden, and it can read your license plate, knows the speed that you’re going, it’ll send you a bill in the mail if you try and cheat–I think they do that on the Henry Hudson Parkway here in New York now, but a lot of things are happening here, and, obviously, software is coming into play. We still have two radios and transponders and such talking to each other, but now we get to the next step, and everything is digitized, and you just have, somewhere, two block-chains–or a signature on a block-chain is signed–and all the money goes to the right place, presumably.
So, this is where we are today, and, as complex as cars are to build, the infrastructure around them is, perhaps, equally complex if not more so. I think Elon Musk says, “Rockets are hard but cars are really hard,” and I think that is very true.
So, digitalization is happening all around our society, in a real profound change–something that I think that, for a long time, we’ve been calling for, certainly with regard to certain industries–is happening apace. And the next thing that digitalization has brought is connectivity, and cars are no slouch–they are extremely sophisticated machines, and they test their systems and use all this connectivity and networking in ways that your ordinary computer doesn’t even come close. I mean, if you’ve got a bluetooth phone that you’re streaming your music on to the head unit, it’s carrying that stuff through a fiber-optic network–so there’s no electrical or magnetic interference inside the car. It may be recording simultaneously FM-band, AM-band. It also, you know, will have a hard disk on-site. It will have very detailed maps–for example, your Google phone may be able to guess where you are within roughly one hundred meters, maybe ten meters, but the car can do it often in ten centimeters. So, the size of an orange–it can locate you with its GPS. And autonomous driving, it’s going to be even more detailed and the maps themselves will be significantly more detailed.
So, you know, this is… It’s amazingly complex, and it’s amazingly difficult, and I think sometimes we need to step back and be grateful for the work that the car companies have volunteered to take on. They’re certainly getting pushed by external companies, I think, but these two forces, connectivity and digitalization, are really turning cars into software defined vehicles.
Here is something from McKinsey, a gentleman named Georg Doll, Georg Doll used to work for Luxoft but he also worked in GENIVI with us, and I think it’s pretty straight-forward: software already represents a significant portion of the vehicle. In fact, cabling is the third heaviest element in any vehicle. It’s a huge part of the cost, and it’s going to rise. Roughly, now, I think it’s about one thousand dollars, the cost of a vehicle’s software, and that’s expected to rise to about five thousand.
Electrification also, and that points to the fact that cars have to serve not only customers–well, obviously customers, hugely–but they also have to serve the jurisdictions in which they sell cars. I think Daniel pointed to that recently–that there are multiple jurisdictions, and if China decides that all cars are going to be electric, well, you’re going to make a lot of electric cars and you probably won’t make money if you can’t.
And electrification helps to change the entire eco-system of course. Naturally, you’re going to have a whole set of things, but user experience, software-defined vehicles, the car being just another node of the network, shared mobility–all these catch phrases come in to heavily influence the way cars are being made.
Now, as these car companies, that are, quite frankly, rather profoundly good at mechanical engineering–we joke about them bending metal, and they, sort-of, cast aspersions on some of their suppliers for just making sand, you know, silicon is just sand… But that represents the dynamic, obviously, between their business partners and suppliers.
But as they transform themselves from mechanical engineering and that intellectual property milieu into software, they’ve recognized something profound that you need an eco-system, you can’t just rely on a small set of suppliers, which they traditionally do. They’re called tier ones and tier twos. That dynamic is clearly being disrupted, and I think that while car makers prefer that, you have issues of liability. You can go to your supplier and say, “Hey, do this,” or “Hey, we’ll charge you a lot less, we’ll ask a lot less money, if you can produce on this timeframe” or what have you–I mean, that relationship is very powerful, and, in fact, it binds the car makers a great deal. Sometimes, there can be money on the next project that you take off or you get added on, what have you.
But car-makers recognize that they need a complete eco-system, they need to have multiple partners, they need to be reliable, and they need to be focused on their needs. And there was really no balance of the kind of customization and flexibility, as well as reliability and quality software, that was available like, I believe, the FOSS eco-system has.
And with that comes Copyleft, of course, and, I think, the analysis of it is pretty good. One thing about the car companies that I find amazing is not only as they adopt open-source, GNU Linux, free software, they tend to–well, they’ve understood Copyleft, I think–let me put it that way… They’ve adopted that as well. I think Daniel’s analysis was pretty good. The problem I see it is–or, one problem is–that they’re all building the same software. They’re all building their own GNU Linux stacks, and they’re all using the same approach to licensing and compliance. I think that we can build a broader–I think that forums such as this are important to build a broader coalition across these industries so that people can sort of peer into that black box and understand that there’s standard ways to do it, there are best practices, and that we really should be collaborating more. But you can see how Copyleft would be a dramatic challenge, I think, to an industry that’s mostly mechanical engineering that has long release cycles.
One of the things that car-makers do is that they’re very good at getting together in organizations. Automotive Grade Linux, for example, has, I think, had a profound effect. So has GENIVI. OSADL you’ll hear from Nicholas McGuire, and there’s also something called AUTOSAR, and they do fundamentally low-level networking and some operating systems stuff. And what GENIVI has done is that it has taken some of the stuff that AUTOSAR specifies–specifications are very important requirements, very important–and they’ve turned that into open source, but I think it would be more important for AUTOSAR itself to become an open source organization. I think there’s some interest in getting that done. It’s not there yet, but I think that it would help a great deal with some governance challenges.
And here we can also start talking about other issues that were pointed out earlier and how do you graft a process designed for safety-critical software development, with their own standards like MISRA C, onto the open source system. It’s nearly impossible. You have to do sort of a reverse engineering approach. You certify process, you certify hardware, so it’s much more than just putting the software and saying it’s compliant. You have to have an eco-system around it, and then you also have to have requirements–we don’t really use requirements in open source. Most of the time it’s just developers saying, “Wouldn’t it be cool if my software did this?” It doesn’t work that way when you’re getting your software certified against ISO-26262.
And let’s point to some of the draconian reactions, I feel, to GPLv3, which was the “panic” reaction I think you’re talking about–that’s blacklisting GPLv3, and I think that’s really the situation that we are quite broadly in the industry today.
If we outline some of the governance challenges, maybe we can find some solutions. The shell of protections that surround a vehicle is quite robust. The stakes are incredibly high–this is not a phone where you might miss a call, the stakes are much, much higher. We’re already in certain levels of autonomy: so, you have ADAS systems, assisted-driving systems, lane change avoidance, you have cars that will detect the speed of the car in front of them and keep a safe distance at certain miles an hour, you have Volvo’s City Safety. So, you have tons of these safety systems and then security systems built on top of them, and as BMW calls it, they call it a shell, and anything that disrupts the integrity of that shell, including support–you have to have a support contract that goes beyond the start of production. You have to be able to support your system for ten years. You know, Qualcomm makes chips–their software development cycle is roughly six months. How are you going to establish this support system for ten years? Or twelve? Or fifteen, which ought to be the life of a car in many cases? It’s a very difficult challenge, and I think it’s completely reasonable that there’s that integrity, and I think that the solution that Mr. Shuttleworth talked about today really needs to be seriously looked at because I think that it could be quite elegant.
Then, how do you graft the process? As we’ve spoken before, how do we actually create new safety-certified functional safety software onto the open source process? I think not enough has been talked about there. We don’t even have tooling, for example, free software tooling, for handling requirements, and I think everyone agrees–I think there is consensus, Professor Moglen–that blacklisting GPLv3 will not work.
One of the reasons that I think it won’t work is because software is incredibly useful in safety. As NASA says, if you do it right, it’s sometimes the best hazard prevention system. So, I think that while there are significant challenges to maintain the integrity of the security and safety shell, I think there are also huge opportunities, and I think we can’t really rely on that barrier to entry–that moat–that a lot of industries are putting up, especially in IoT against the innovation that’s flooding through GPLv3.
And fundamentally, I think, as we speak of security, as someone said, “proprietary software is an unsafe building material–you can’t inspect it.” I think we’re going to need to inspect our software. I think if the vehicle is driving you, I think you’re going to want to have some trust in that. I think car-makers are experiencing a bit of skepticism from the public regarding autonomous vehicles, and I think that safety and security are going to be ways they are going to sell new autonomy, and certainly the shared mobility folks are, and I don’t know that we’re going to get there without being abundantly clear to consumers, to industry regulators, to insurance companies, to dealers–to anybody–if we don’t have the ability to introspect the software. That’s why the later talk this afternoon is going to be absolutely important about introspecting AI. But we have methods and means to introspect software today, and that’s sharing the source code. I think that’s an extremely important tool that we need to use.
So, here’s an approach that is not used by Canonical and Ubuntu. This is from Yocto. Here we can see a disparity, this layer, as it’s called, is a way to pull in a bunch of older software, and they say right here, “by splitting this into a separate layer, it’s hoped that people realize these may not be the best solution to the ‘no-GPLv3 problem’ and it should also make it clear there’s a different quality of service applied to these recipes.”
So, what’s happening is that there’s a project, started by operating system vendors, and operating system vendors were the people that car companies really turned to first, companies like MontaVista, Wind River, Mentor Graphics–they’re all gone, by the way. Wind River was bought by Intel, MontaVista left the automotive industry and sold their automotive works to Mentor Graphics, and Mentor Graphics was bought by Siemens.
So operating systems vendors, the business is not what it used to be–let’s put it that way. Anyway, they created a very powerful tool that they used to create their own distributions, custom distributions that they maintained–a very expensive process instead of say taking a distribution built in the open like Debian. But, you know, it’s a quality tool, it’s useful, it’s carried on today in a project called Yocto and essentially creates layers of co-mingled software, and as more software becomes GPLv3, they’ve had to create GPLv2–or the set of layers for GPLv2–that allows people to avoid GPLv3 software. Well, even with this sort of disclaimer, this is still widely used and I think the danger is quite real, but this is an example of how–where–we are today in the state of the industry.
We’ve seen a lot about anti-TiVo-ization. I think that there is a way to get around it, if you will, but I think that getting around it is not really, I don’t know–I think that’s the wrong way to think about it. I think that, in fact, GPLv3 was built very powerfully to be more GPL-like–in other words, modifiable. And I think that there’s a great opportunity to address anti-TiVo-ization with that, but I do think that we ought to represent, and as Mark said earlier, people have legitimate concerns, people have legitimate interests, and these, I’m trying to represent them as clearly as possible.
And I’m trying to distill that anti-TiVo-ization requirements create an unacceptable safety risk, even though I think that there are ways to address that. And these are them. You can craft an exception–it’s not really an exception, it’s additional permissions, which I think is quite elegant, and you add additional permissions that say you’re permitted to remove the requirement to provide the installation information. I think that’s really interesting. You do have to have appropriate copyright information. So, if you’re writing something under the GPLv3, you can craft something that says, “Okay, I’ll provide an exception to section (6), which allows you to remove that particular provision,” which could be extremely useful for getting certain free software made available at all. In fact, we’ve done this at Luxoft, we have a small safety critical certified system which can serve telltales, which are important parts of the car, showing your brakes, and the value there is not really in the software, the value is the fact that it has gone through the certification process. So, if you were to take the software GPLv3 and put it in your car, even without regard to the license, you’re not going to get anywhere because you have to certify your car, you have to certify your hardware, you have to demonstrate your process, and you’ll need a great deal of expertise and there’s time and money, so that’s a very powerful impetus to make sure that the software produced and that the certification process is sustainable by the company that does that.
Then, I still think that we need to discuss GPL compliance in large complex systems. I think that’s something that the automotive industry has found quite difficult. I think that the fine-grain detail shown in Ubuntu core is probably the only real way to manage it in that regard. Currently, it’s very difficult, and licenses shift–and there was a talk here recently saying that some licenses don’t even have stewards, so what happens if there are issues found, who do you go to, who do you turn to? These, I think, are still some real concerns.
There are, also though, some opportunities there. We’ve seen Canonical’s approach, but there are other organizations as well–OpenChain at the Linux Foundation, that I think has found wide adoption, especially in Asia, in Japan and in China. There’s Common Cure, which is really, I think, sort of based on the principles of community-oriented GPL enforcement, and that is to essentially treat GPL enforcement as one does with GPLv3, which is, you know, it’s a better license–it’s a very good license, and it’s perfectly reasonable and this is a great approach, and I think industry is really adopting it in a great way.
But, finally, to quote Antonin Artaud, “I think we need to bring in some disruption–a suicide hand-grenade.” What do we do when we have full autonomy? What happens when the car-maker is also the owner of the car and runs the shared mobility service? There is no distribution point as we traditionally have with software. There’s no tier one or tier two delivering software to the car-maker, instead they’re producing it, they’re making it themselves.
And then what happens with new data protection laws as the GDPR happening in the E.U. and, in fact, their new industrial data type, almost, or, industrial data law that industrial data in the Internet of Things actually has its own set of licenses, or own set of ownership. That can be separate, even if it’s about the car that you’re traveling in and it’s your car’s exact position. I think we’re going to have to look quite closely at that because, as we have seen, data is the new oil. Our personal data is extremely important, and who’s going to hold the liability? When you don’t own the car, what rights do you have? I think we need to have even stronger protections around data and around inspectability as we move closer and closer to autonomous vehicles–not just because of the important safety aspects and security aspects but because of the rights of the passengers.
And that is my talk for today. That’s good. The comedy portion of the program is over, we can move on to some good questions…
MOGLEN: We could, except we need to give people time to use the bathroom.
FOSTER: Indeed. Thank you.