<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.77 -->
<title>Who Does That Server Really Serve?
- GNU Project - Free Software Foundation (FSF)</title> Foundation</title>

<!--#include virtual="/server/banner.html" virtual="/philosophy/po/who-does-that-server-really-serve.translist" -->
<!--#include virtual="/philosophy/po/who-does-that-server-really-serve.translist" virtual="/server/banner.html" -->
   
<h2>Who does that server really serve?</h2>

<p>by <strong>Richard Stallman</strong></p>

<p>(First

<blockquote><p>(The first version was published by
in <a href="http://bostonreview.net/BR35.2/stallman.php"> href="http://www.bostonreview.net/richard-stallman-free-software-DRM">
Boston Review</a>.)</p> Review</a>.)</p></blockquote>

<p><strong>On the Internet, proprietary software isn't the only way to
lose your freedom.  Software  Service as a Service Software Substitute, or SaaSS, is
another way to let give someone else have power over your computing.</strong></p>

<p>The basic point is, you can have control over a program someone else
wrote (if it's free), but you can never have control over a service
someone else runs, so never use a service where in principle a program
would do.</p>


<p>SaaSS means using a service implemented by someone else as a
substitute for running your copy of a program.  The term is ours;
articles and ads won't use it, and they won't tell you whether a
service is SaaSS.  Instead they will probably use the vague and
distracting term “cloud”, which lumps SaaSS together with
various other practices, some abusive and some ok.  With the
explanation and examples in this page, you can tell whether a service
is SaaSS.</p>

<h3>Background: How Proprietary Software Takes Away Your Freedom</h3>

<p>Digital technology can give you freedom; it can also take your
freedom away.  The first threat to our control over our computing came
from <em>proprietary software</em>: software that the users cannot
control because the owner (a company such as Apple or Microsoft)
controls it.  The owner often takes advantage of this unjust power by
inserting malicious features such as spyware, back doors, and <a
href="http://DefectiveByDesign.org">Digital Restrictions Management
(DRM)</a> (referred to as “Digital Rights Management” in
their propaganda).</p>

<p>Our solution to this problem is developing <em>free software</em>
and rejecting proprietary software.  Free software means that you, as
a user, have four essential freedoms: (0) to run the program as
you wish, (1) to study and change the source code so it does what
you wish, (2) to redistribute exact copies, and (3) to
redistribute copies of your modified versions.  (See
the <a href="/philosophy/free-sw.html">free software
definition</a>.)</p>

<p>With free software, we, the users, take back control of our
computing.  Proprietary software still exists, but we can exclude it
from our lives and many of us have done so.  However, we are now face a
new threat
offered another tempting way to our cede control over our computing: Software
Service as a Service. Software Substitute (SaaSS).  For our freedom's sake, we
have to reject that too.</p>

<h3>How Software Service as a Service Software Substitute Takes Away Your Freedom</h3>

<p>Software

<p>Service as a Service (SaaS) Software Substitute (SaaSS) means using a service as a
substitute for running your copy of a program.  Concretely, it means
that someone sets up a network server that does certain computing tasks—running spreadsheets,
word processing,
tasks—for instance, modifying a photo, translating text into
another language, etc.—then invites users to do their computing on via
that server.
Users  A user of the server would send their her data to the server,
which does their computing <em>her own computing</em> on the data thus provided, then
sends the results back to her or acts directly on them
directly.</p> her behalf.</p>

<p>The computing is <em>her own</em> because, by assumption, she
could, in principle, have done it by running a program on her own
computer (whether or not that program is available to her at
present).  In cases where this assumption is not so, it isn't SaaSS.</p>

<p>These servers wrest control from the users even more inexorably
than proprietary software.  With proprietary software, users typically
get an executable file but not the source code.  That makes it hard
for programmers to
study the code that is running, so it's hard to determine what the
program really does, and hard to change it.</p>

<p>With SaaS, SaaSS, the users do not have even the executable file: file that
does their computing: it is on
the someone else's server, where the users
can't see or touch it.  Thus it is impossible for them to ascertain
what it really does, and impossible to change it.</p>

<p>Furthermore, SaaS SaaSS automatically leads to harmful consequences equivalent
to the malicious features of certain proprietary software. software.</p>

<p> For instance, some proprietary programs are “spyware”:
the program <a href="/philosophy/proprietary-surveillance.html">
sends out data about users' computing activities. activities</a>.
Microsoft Windows sends information about users' activities to
Microsoft.  Windows Media Player and RealPlayer report reports what each user watches or
listens to.</p> to.  The Amazon Kindle reports which pages of which books the
user looks at, and when.  Angry Birds reports the user's geolocation
history.</p>

<p>Unlike proprietary software, SaaS SaaSS does not require covert code to
obtain the user's data.  Instead, users must send their data to the
server in order to use it.  This has the same effect as spyware: the
server operator gets the data.  He gets it with data—with no special effort, by the
nature of SaaS.</p>

<p>Some proprietary programs can mistreat users under remote command.
For instance, Windows has a back door with which Microsoft can
forcibly change any software on the machine.  The Amazon Kindle e-book
reader (whose name suggests it's SaaSS.  Amy Webb, who intended never to burn people's books) has
an Orwellian back door that Amazon used in 2009
to <a href="http://www.nytimes.com/2009/07/18/technology/companies/18amazon.html"
>remotely delete</a> Kindle copies post any photos of Orwell's books <cite>1984</cite> and
<cite>Animal Farm</cite> which
her daughter, made the users had purchased mistake of using SaaSS (Instagram) to edit
photos of her.  Eventually
<a href="http://www.slate.com/articles/technology/data_mine_1/2013/09/privacy_facebook_kids_don_t_post_photos_of_your_kids_on_social_media.html"> they
leaked from Amazon.</p>

<p>SaaS inherently gives there</a>.
</p>

<p>Theoretically, homomorphic encryption might some day advance to the server operator
point where future SaaSS services might be constructed to be unable to
understand some of the power data that users send them.  Such
services <em>could</em> be set up not to snoop on users; this does not
mean they <em>will</em> do no snooping.</p>

<p>Some proprietary operating systems have a universal back door,
permitting someone to remotely install software changes.  For
instance, Windows has a universal back door with which Microsoft can
forcibly change any software on the machine.  Nearly all portable
phones have them, too.  Some proprietary applications also have
universal back doors; for instance, the Steam client for GNU/Linux
allows the developer to remotely install modified versions.</p>

<p>With SaaSS, the server operator can change the software in use, or use on
the users' data being operated on.  Once again, no
special code is needed server.  He ought to be able to do this.</p> this, since it's his computer;
but the result is the same as using a proprietary application program
with a universal back door: someone has the power to silently impose
changes in how the user's computing gets done.</p>

<p>Thus, SaaS SaaSS is equivalent to total running proprietary software with
spyware and a gaping wide universal back
door, and door.  It gives the server operator
unjust power over the user.  We
can't accept that.</p>

<h3>Untangling user, and that power is something we must
resist.</p>

<h3>SaaSS and SaaS</h3>

<p>Originally we referred to this problematical practice as
“SaaS”, which stands for “Software as a
Service”.  It's a commonly used term for setting up software on a
server rather than offering copies of it to users, and we thought it
described precisely the cases where this problem occurs.</p>

<p>Subsequently we became aware that the term SaaS is sometimes used for
communication services—activities for which this issue is not
applicable.  In addition, the term “Software as a Service”
doesn't explain <em>why</em> the practice is bad.  So we coined the term
“Service as a Software Substitute”, which defines the bad
practice more clearly and says what is bad about it.</p>

<h3>Untangling the SaaSS Issue from the Proprietary Software Issue</h3>

<p>SaaS

<p>SaaSS and proprietary software lead to similar harmful results, but
the causal mechanisms are different.  With proprietary software, the
cause
mechanism is that you have and use a copy which is difficult or and/or
illegal to change.  With SaaS, SaaSS, the cause mechanism is that you use a copy you don't
have.</p> have
the copy that's doing your computing.</p>

<p>These two issues are often confused, and not only by accident.  Web
developers use the vague term “web application” to lump
the server software together with programs run on your machine in your
browser.  Some web pages install nontrivial or nontrivial, even large JavaScript
programs temporarily into your browser without informing
you.  <a href="/philosophy/javascript-trap.html">When these JavaScript
programs are nonfree</a>, they are as bad cause the same sort of injustice as any
other nonfree software.  Here, however, we are concerned with the problem
issue of using the
server software service itself.</p>

<p>Many free software supporters assume that the problem of SaaS SaaSS will
be solved by developing free software for servers.  For the server
operator's sake, the programs on the server had better be free; if
they are proprietary, their owners developers/owners have power over the
server.  That's unfair to the server operator, and doesn't help you the
server's users at all.  But if the programs on the server are free,
that doesn't protect you <em>as the <em>the server's user</em> users</em> from the effects of SaaS.  They give freedom to
SaaSS.  These programs liberate the server operator, but not to you.</p> the
server's users.</p>

<p>Releasing the server software source code does benefit the
community: it enables suitably skilled users can to set up similar
servers, perhaps changing the
software.  But  <a href="/licenses/license-recommendations.html"> We
recommend using the GNU Affero GPL</a> as the license for programs
often used on servers.</p>

<p>But none of these servers would give you control over computing you
do on it, unless it's <em>your</em> server.
The rest would server (one whose software load
you control, regardless of whether the machine is your property).  It
may be OK to trust your friend's server for some jobs, just as you
might let your friend maintain the software on your own computer.
Outside of that, all these servers would be SaaS.  SaaS SaaSS for you.  SaaSS
always subjects you to the power of the server operator, and the only
remedy is, <em>Don't use SaaS!</em> SaaSS!</em>  Don't use someone else's server
to do your own computing on data provided by you.</p>

<p>This issue demonstrates the depth of the difference between
“open” and “free”.  Source code that is open
source <a href="/philosophy/free-open-overlap.html">is, nearly always,
free</a>.  However, the idea of
an <a href="http://opendefinition.org/software-service">“open
software” service</a>, meaning one whose server software is open
source and/or free, fails to address the issue of SaaSS.</p>

<p>Services are fundamentally different from programs, and the ethical
issues that services raise are fundamentally different from the issues
that programs raise.  To avoid confusion,
we <a href="/philosophy/network-services-arent-free-or-nonfree.html">
avoid describing a service as “free” or
“proprietary.”</a></p>

<h3>Distinguishing SaaS SaaSS from Other Network Services</h3>

<p>Does avoiding SaaS mean

<p>Which online services are SaaSS?  The clearest example is a
translation service, which translates (say) English text into Spanish
text.  Translating a text for you is computing that is purely yours.
You could do it by running a program on your own computer, if only you
had the right program.  (To be ethical, that program should be free.)
The translation service substitutes for that program, so it is Service
as a Software Substitute, or SaaSS.  Since it denies you control
over your computing, it does you wrong.</p>

<p>Another clear example is using a service such as Flickr or
Instagram to modify a photo.  Modifying photos is an activity that
people have done in their own computers for decades; doing it in a
server you refuse don't control, rather than your own computer, is SaaSS.</p>

<p>Rejecting SaaSS does not mean refusing to use any network servers
run by anyone other than you?  Not at all. you.  Most servers do are not raise this
issue, SaaSS because the job you
jobs they do with them isn't your are some sort of communication, rather than the user's
own computing
except in a trivial sense.</p> computing.</p>

<p>The original purpose idea of web servers wasn't to do computing for you, it
was to publish information for you to access.  Even today this is what
most web sites do, and it doesn't pose the SaaS SaaSS problem, because
accessing someone's published information isn't a matter of doing your own
computing.  Neither is publishing your own materials via use of a blog site or a to publish your own works,
or using a microblogging service such as Twitter or identi.ca. StatusNet.  (These
services may or may not have other problems, depending on details.)
The same goes for other communication not meant to be private, such as
chat
groups.  Social groups.</p>

<p>In its essence, social networking can extend into SaaS; however, at root it is just a method form of communication and
publication, not SaaS.  If you
use the SaaSS.  However, a service whose main facility is
social networking can have features or extensions which are SaaSS.</p>

<p>If a service for minor editing of what you're going to communicate,
that is not SaaSS, that does not mean it is OK.  There are
other ethical issues about services.  For instance, Facebook
distributes video in Flash, which pressures users to run nonfree
software; it requires running nonfree JavaScript code; and it gives
users a significant issue.</p> misleading impression of privacy while luring them into baring
their lives to Facebook.  Those are important issues, different from
the SaaSS issue.
</p>

<p>Services such as search engines collect data from around the web
and let you examine it.  Looking through their collection of data
isn't your own computing in the usual sense—you didn't provide
that collection—so using such a service to search the web is not
SaaS.  (However,
SaaSS.  However, using someone else's search engine server to implement a search
facility for your own site <em>is</em> SaaS.)</p>

<p>E-commerce SaaSS.</p>

<p>Purchasing online is not SaaS, SaaSS, because the computing
isn't solely yours; <em>your own</em> activity; rather, it is done jointly by and
for you and another party.  So there's no
particular reason why you alone should expect to control that
computing. the store.  The real issue in e-commerce online shopping is whether
you trust the other party with your money and other personal information.</p>
information (starting with your name).</p>

<p>Repository sites such as Savannah and SourceForge are not
inherently SaaSS, because a repository's job is publication of data
supplied to it.</p>

<p>Using a joint project's servers isn't SaaS SaaSS because the computing
you do in this way isn't yours personally. your own.  For instance, if you edit pages on
Wikipedia, you are not doing your own computing; rather, you are
collaborating in Wikipedia's computing.</p>

<p>Wikipedia computing.  Wikipedia controls its own
servers, but groups can face organizations as well as individuals encounter the
problem of SaaS SaaSS if they do their group activities on computing in someone else's server.
Fortunately, development hosting
server.</p>

<p>Some sites such as Savannah offer multiple services, and
SourceForge don't pose if one is not SaaSS,
another may be SaaSS.  For instance, the SaaS problem, because what groups do there main service of Facebook is mainly publication
social networking, and public communication, rather than their own
private computing.</p>

<p>Multiplayer games that is not SaaSS; however, it supports
third-party applications, some of which are a group activity carried out on someone
else's server, SaaSS.  Flickr's main
service is distributing photos, which makes them SaaS.  But where is not SaaSS, but it also has
features for editing photos, which is SaaSS.  Likewise, using
Instagram to post a photo is not SaaSS, but using it to transform the data involved
photo is
just SaaSS.</p>

<p>Google Docs shows how complex the state evaluation of play and the score, the worst wrong the operator
might commit is favoritism.  You might well ignore that risk, since a single service
can become.  It invites people to edit a document by running a
large <a href="/philosophy/javascript-trap.html">nonfree JavaScript
program</a>, clearly wrong.  However, it
seems unlikely offers an API for uploading
and very little downloading documents in standard formats.  A free software editor
can do so through this API.  This usage scenario is at stake.  On the other hand, when
the game becomes more than just a game, the issue changes.</p>

<p>Which online services are SaaS? not SaaSS, because
it uses Google Docs is as a clear example.
Its basic activity is editing, and Google encourages people mere repository.  Showing all your data to use it
for their own editing; this a
company is SaaS.  It offers the added feature of
collaborative editing, bad, but adding participants doesn't alter the fact that editing is a matter of privacy, not SaaSS; depending
on the server a service for access to your data is SaaS.  (In addition, Google Docs bad, but that is
unacceptable because it installs a large nonfree JavaScript program
into matter of
risk, not SaaSS.  On the users' browsers.)  If other hand, using a the service for communication or
collaboration requires doing substantial parts of converting
document formats <em>is</em> SaaSS, because it's something you could
have done by running a suitable program (free, one hopes) in your own computing
with
computer.</p>

<p>Using Google Docs through a free editor is rare, of course.  Most
often, people use it too, that computing through the nonfree JavaScript program, which is SaaS even if
bad like any nonfree program.  This scenario might involve SaaSS, too;
that depends on what part of the communication editing is
not.</p>

<p>Some sites offer multiple services, done in the JavaScript
program and if one is not SaaS, another
may be SaaS.  For instance, what part in the main service of Facebook is social
networking, server.  We don't know, but since SaaSS
and that is not SaaS; however, proprietary software do similar wrong to the user, it supports third-party
applications, some of which may be SaaS.  Flickr's main service is
distributing photos, which is not SaaS, but it also has features for
editing photos, which is SaaS.</p>

<p>Some sites whose main service is publication and communication
extend it with “contact management”: keeping track of
people you have relationships with.  Sending mail
crucial to those people for
you is know.</p>

<p>Publishing via someone else's repository does not SaaS, raise privacy
issues, but keeping track of your dealings with them, if
substantial, is SaaS.</p>

<p>If publishing through Google Docs has a service is not SaaS, that does not mean special problem: it
is OK.  There are
other bad things impossible even to <em>view the text</em> of a service can do.  For instance, Facebook distributes
video Google Docs document
in Flash, which pressures users to run nonfree software, and it
gives users a misleading impression of privacy.  Those are important
issues too, but this article's concern is browser without running the issue nonfree JavaScript code.  Thus, you
should not use Google Docs to publish anything—but the reason
is not a matter of SaaS.</p> SaaSS.</p>

<p>The IT industry discourages users from considering making these distinctions.
That's what the buzzword “cloud computing” is for.  This
term is so nebulous that it could refer to almost any use of the
Internet.  It includes SaaS and it includes nearly
everything else. SaaSS as well as many other network usage
practices.  In any given context, an author who writes
“cloud” (if a technical person) probably has a specific
meaning in mind, but usually does not explain that in other articles
the term has other specific meanings.  The term only lends itself leads people to uselessly broad
statements.</p>

<p>The real meaning of
generalize about practices they ought to consider individually.</p>

<p>If “cloud computing” has a meaning, it is to suggest not a way of
doing computing, but rather a way of thinking about computing: a
devil-may-care approach towards your computing.  It which says, “Don't ask questions, just trust every business without hesitation. questions.  Don't
worry about who controls your computing or who holds your data.  Don't
check for a hook hidden inside our service before a hook hidden inside our service before you swallow it.
Trust companies without hesitation.” In other words, “Be a
sucker.” A cloud in the mind is an obstacle to clear thinking.
For the sake of clear thinking about computing, let's avoid the term
“cloud.”</p>

<h3 id="renting">Renting a Server Distinguished from SaaSS</h3>

<p>If you rent a server (real or virtual), whose software load you
have control over, that's not SaaSS.  In SaaSS, someone else decides
what software runs on the server and therefore controls the computing
it does for you.  In the case where you install the software on the
server, you control what computing it does for you.  Thus, the rented
server is virtually your computer.  For this issue, it counts as
yours.</p>

<p>The <em>data</em> on the rented remote server is less secure than
if you swallow
it.” In other words, “Think like a sucker.” I prefer
to avoid had the term.</p> server at home, but that is a separate issue from
SaaSS.</p>

<h3>Dealing with the SaaS SaaSS Problem</h3>

<p>Only a small fraction of all web sites do SaaS; SaaSS; most don't raise
the issue.  But what should we do about the ones that raise it?</p>

<p>For the simple case, where you are doing your own computing on data
in your own hands, the solution is simple: use your own copy of a free
software application.  Do your text editing with your copy of a free
text editor such as GNU Emacs or a free word processor.  Do your photo
editing with your copy of free software such as GIMP.</p>

<p>But what GIMP.  What if there
is no free program available?  A proprietary program or SaaSS would
take away your freedom, so you shouldn't use those.  You can contribute
your time or your money to development of a free replacement.</p>

<p>What about collaborating with other individuals? individuals as a group?  It may
be hard to do this at present without using a server, and your group
may not know how to run its own server.  If you use one, someone else's
server, at least don't trust a server run by a company.  A mere
contract as a customer is no protection unless you could detect a
breach and could really sue, and the company probably writes its
contracts to permit a broad range of abuses.  Police  The state can subpoena
your data from the company along with
less basis than required everyone else's, as Obama has
done to subpoena them from you, phone companies, supposing the company doesn't volunteer them
like the US phone companies that illegally wiretapped their customers
for Bush.  If you must use a server, use a server whose operators give
you a basis for trust beyond a mere commercial relationship.</p>

<p>However, on a longer time scale, we can create alternatives to
using servers.  For instance, we can create a peer-to-peer program
through which collaborators can share data encrypted.  The free
software community should develop distributed peer-to-peer
replacements for important “web applications”.  It may be
wise to release them under
the <a href="/licenses/why-affero-gpl.html"> GNU Affero GPL</a>, since
they are likely candidates for being converted into server-based
programs by someone else.  The <a href="/">GNU project</a> is looking
for volunteers to work on such replacements.  We also invite other
free software projects to consider this issue in their design.</p>

<p>In the meantime, if a company invites you to use its server to do
your own computing tasks, don't yield; don't use SaaS. SaaSS.  Don't buy or
install “thin clients”, which are simply computers so weak
they make you do the real work on a server, unless you're going to use
them with <em>your</em> server.  Use a real computer and keep your
data there.  Do your work own computing with your own copy of a free
program, for your freedom's sake.</p>

</div>

<h3>See also:</h3>
<p><a href="/philosophy/bug-nobody-allowed-to-understand.html">The
Bug Nobody is Allowed to Understand</a>.</p>

</div><!-- for id="content", starts in the include above -->
<!--#include virtual="/server/footer.html" -->
<div id="footer">
<p>
Please
<div class="unprintable">

<p>Please send general FSF & GNU inquiries to
<a href="mailto:gnu@gnu.org"><gnu@gnu.org></a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF.
<br />
Please send broken  Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.
</p>

<p>Please href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">
        <web-translators@gnu.org></a>.</p>

        <p>For information on coordinating and submitting translations of
        our web pages, see <a
        href="/server/standards/README.translations.html">Translations
        README</a>. -->
Please see the <a
href="/server/standards/README.translations.html">Translations
README</a> for information on coordinating and submitting translations
of this article.</p>
</div>

<!-- Regarding copyright, in general, standalone pages (as opposed to
     files generated as part of manuals) on the GNU web server should
     be under CC BY-ND 4.0.  Please do NOT change or remove this
     without talking with the webmasters or licensing team first.
     Please make sure the copyright date is consistent with the
     document.  For web pages, it is ok to list just the latest year the
     document was modified, or published.
     
     If you wish to list earlier years, that is ok too.
     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
     years, as long as each year in the range is in fact a copyrightable
     year, i.e., a year in which the document was published (including
     being publicly visible on the web or in a revision control system).
     
     There is more detail about copyright years in the GNU Maintainers
     Information document, www.gnu.org/prep/maintain. -->

<p>Copyright © 2010 2010, 2013, 2015, 2016 Richard Stallman
<br />
This Stallman</p>

<p>This page is licensed under a <a rel="license"
href="http://creativecommons.org/licenses/by-nd/3.0/us/">Creative
href="http://creativecommons.org/licenses/by-nd/4.0/">Creative
Commons Attribution-NoDerivs 3.0 United States License</a>.
</p>

<p>Updated: Attribution-NoDerivatives 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2016/06/07 05:32:04 $
<!-- timestamp end -->
</p>
</div>
</div>
</body>
</html>