The emergence of political 'protestware' in the software ecosystem

In the world of software development a new form of ‘protest-ware’ is emerging – varying from genuine social protest to deliberate malware.

In the world of software development, third party software libraries are a common form of code sharing for developers. Most open-source material has been apolitical, but a new form of ‘protest-ware’ is emerging – varying from genuine social protest to deliberate malware.

Third-party libraries are pieces of code that perform particular functions, created by someone else (the third party), which a developer can incorporate without having to write every function from scratch for the software they are working on.

Computer scientist Dr Christoph Treude, with his colleague Raula Gaikovina Kula, has explored the phenomenon of what he describes as ‘weaponising’ software for political purposes. The ongoing war in Ukraine, particularly, has brought this behaviour into the spotlight.

Dr Treude says the advantages of open-source software (OSS) are that it promises higher quality, better reliability, greater flexibility, and lower cost for developers.

“Projects build reputation over time, with developers gaining trust in using these libraries. Each ecosystem has its own culture of maintainers, who are empowered to approve and publish contributed code changes.

“But problems arise when a maintainer feels empowered to sabotage their own projects, thus weaponizing their library as protestware – for example with the intention to make users of their library aware of some political stance, or situation,” he says.

Dr Treude says responses from the OSS community have been varied: some support the idea of free speech and the right to protest, while questioning whether inserting malware into software that unsuspecting users might incorporate into their own work is ultimately self-defeating.

In terms of malignant protestware, the researchers cite an example that is barely distinguishable in execution from deliberate malware: a JavaScript snippet in a very frequently used piece of OSS which assessed users’ IP addresses and overwrote all files of those based in Russia or Belarus with a heart symbol.

The community was unimpressed by the precedent, which they saw as open to exploitation by ‘some random dev on the internet who thought it was the right thing to do’.

The second ‘type’ of protestware the researchers document is more benign in nature, and they cite an example in which a message of support for Ukraine appears in the code but the maintainer attached a README file pledging the module would not cause any damage.

The third case they examine relates to developer sanctions whereby maintainers or their parent companies decide not to distribute their products in Russia, or to allow code from Russian developers to be shared through popular platforms such as GitHub.

Next steps

Dr Treude says evidence from this research shows “the thin line that exists between protestware and malware”.

“As mentioned by the OSS community, protest is an important element of free speech, with openness and inclusivity being cornerstones of the culture of open source. However, vandalizing open-source projects threatens any possible benefit, and might damage the projects and contributors responsible.”

In response to their explorations in the field of political protestware the researchers have laid out a research agenda based around ten key questions they hope will lead to effective analysis of the role, efficacy and harms that protestware presents.

“Our hope is that answering these questions will help us understand how to sustain and build resilient software ecosystems,” Dr Treude says.

People

Dr Christoph Treude, Senior Lecturer in Software Engineering, School of Computing and Information Systems, University of Melbourne

Raula Gaikovina Kula, Assistant Professor at Software Engineering Lab, Division of Information Science, Nara Institute of Science and Technology, Japan

Publication

Raula Gaikovina Kula and Christoph Treude. 2022. In War and Peace: The Impact of World Politics on Software Ecosystems. In Proceedings of the ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, to appear. (To be delivered November 2022. Preprint: https://arxiv.org/abs/2208.01393 )

First published on 16 August 2022.