🦊 MetaMask Changes Its License — Issue No. 107
/On August 20th, 2020, the team behind MetaMask— the most popular dApp-enabled wallet in the Ethereum ecosystem— announced a change to their software license. Whereas the project had previously used a broadly permissive open source license, the project will now place restrictions on commercial products that leverage their code and have more than 10,000 users. The change was met with mixed reactions from the community. Link.
In this edition of Build Blockchain, we'll unpack what the change means and what might have precipitated it. We'll also examine what this change demonstrates about the state of public goods funding in the crypto ecosystem. This is an important topic, and one I care deeply about. Let's dive in.
Understanding Open Source
The term "Open Source Software" doesn't just mean the source code is available to view. Instead, the term refers to projects that make their source code available with broad permission to modify and share that source code without restriction. There are two broad classifications of licenses widely accepted in the open source world.The first family of open source licenses is so-called "copyleft" licenses, sometimes referred to as "viral" licenses. They are characterized this way because they require developers who modify the source code to make those modifications available under a license that is equally permissive as the original.
Put another way, the only restriction of copyleft licenses is that developers downstream of the original project cannot themselves place stricter restrictions on derivative works. The code is required to remain open and copyleft. The most commonly used copyleft licenses are variants of the GNU General Public License, or GPL. Link.
The second family of open source licenses removes the viral component. As such, they are sometimes called "permissive" licenses, because they come with literally no restrictions whatsoever. This family of licenses is referred to collectively as "BSD" licenses, named for the Berkeley Software Distribution operating system that first employed such a scheme.
A project with a BSD license can, for example, be modified by a for-profit company and sold. The customizations made by the company can remain closed source. Downstream developers are not even required to disclose they utilized the upstream open source project. This is not possible for software licensed under the GPL. Link.
MetaMask's Change
With this understanding of open source licenses in place, we can now discuss what change MetaMask made and why they might have made it.MetaMask previously used the MIT license, an open source variant in the permissive BSD family. Because they were using the more permissive, non-viral style of open source license, anyone was free to fork and modify their source code, and do whatever they wanted with it.
The new license imposed by MetaMask, however, puts restrictions on commercial use of the project's source code. In particular, any business using MetaMask's code which achieves 10,000 or more monthly users must "enter into a formal commercial agreement." Such an agreement would, we can presume, require paying MetaMask to continue using their code. This shift means that, while the source code will remain available to view or use in non-commercial settings, MetaMask is no longer an open source project— at least not according to the widely accepted definition of the term.
Why would MetaMask make this change? The simple answer is that the project needs a way to sustain itself. Open source development is frequently thankless work, and while some exceptions certainly exist, there generally aren't great business models available for purely open source projects. As a result, most popular modern source infrastructure projects are funded and controlled by large corporate entities.
Brave's Browser Wallet
As a general explanation of why MetaMask might move away from an open source license, sustainability certainly makes sense. But why make this move now, after years of open source development backed by funding from Consensys? It seems the decision may have been driven partially by a recent change made by the Brave browser.Brave is a privacy focused browser that— while still small compared to the likes of Chrome— has gained significant traction in recent years. It recently surpassed 15 million monthly users. In addition to privacy-centric features, the browser also integrates an Ethereum token called the Basic Attention Token (BAT) which is given to users who view opt-in advertising. Users of the browser can also designate certain sites receive payouts of the BAT proportional to the time the user spends on the site. Link.
The Brave creators recently forked MetaMask's codebase and integrated it directly into their browser. On sites where interaction with Ethereum is needed, Brave automatically prompts the user to activate the native Brave wallet. Even if the user actively installs the MetaMask extension instead, the browser still seems to prompt them to enable the built in Brave version. Link.
The team at Brave acted within the rights granted by MetaMask's open source license. They are also, arguably, providing a better experience for their users, and making it easier for people to onboard into the Ethereum ecosystem. Installing an extension— especially when you may not even know you need it— certainly adds some friction to the on-boarding process. At the same time, Brave is upstream of MetaMask. If their forked integration negates the need for MetaMask as a product, but depends on the MetaMask team to maintain the wallet software they use to do so, it creates an obvious problem.
History Rhymes
I have mixed feelings about this move by MetaMask.On the one hand, the MetaMask team is one of the hardest working in the ecosystem. Their work has been critical to Ethereum's growth and they absolutely deserve to be compensated fairly for it. Their product is great. I use it and love it. I'd rather have MetaMask be not-open-source but sustainable, assuming the only other option is for it to remain open source but stagnant.
On the other hand, the move means yet another critical Ethereum application is moving in a more centralized direction. In this regard, MetaMask joins other widely used pieces of key infrastructure, like the Etherscan block explorer, and the node-as-a-service provider Infura. It would be best for everyone if these applications were treated as public goods. Yet as usual, they lack a way to remain sustainable as such.
It's fair and logical for MetaMask to want compensation from Brave for being included in their browser. At the same time, wouldn't it be better for the ecosystem if all browsers simply included web3 wallets? Wouldn't it be better if web3 simply became an open and widely adopted standard? As a private, for-profit entity, MetaMask is incentivized to work against such a future. It's a prisoner's dilemma.
While I don't have strong opinions about the details of this situation, I am dispirited that the crypto ecosystem is heading down a similar path as the early open source world. As I've written before, I was a young and naive participant in open source a couple of decades ago, and I watched the early idealism of the movement— which ignored or rejected the importance of monetary incentives and sustainable funding— give way to reality as the need for these became clear. That's how we ended up where we are today, with most open source controlled by large corporate entities. Link.
With crypto, there seemed to be an alternate path. Since crypto projects were literally making money, there was hope that public goods could be self sustaining in a way traditional open source projects couldn't. To me, this move by MetaMask is a bellwether. It signals that we are heading toward a future where much of crypto infrastructure will end up like open source infrastructure today— controlled by for profit entities whose narrow incentives don't necessarily line up with the greatest public benefit.
With all that said, I don't want to give the impression that I'm in total despair. There are still many great projects tinkering with ways to mitigate these challenges in their communities. Gitcoin and Zcash come to mind as prominent examples. There are also promising experiments around decentralized governance for the sustainable development of on-chain protocols. Even in MetaMask's case, it's positive that they've chosen to leave the codebase visible, and to allow for non-commercial usage.
It's clear we won't end up in the crypto-utopian world some idealists dream of. I've no illusions of this, and MetaMask's dilemma demonstrates why. Still, I remain hopeful we can notch some wins. We can end up with a world that's better because decentralized cryptonetworks exist, if we're willing to work for it.