An Interview with Karen Sandler

We discuss source code and medical devices, women in open source, the Software Freedom Conservancy and more.

Karen Sandler is a veteran of the free and open source software world. Having completed an engineering degree, she has worked as a lawyer for the Software Freedom Law Center, was Executive Director of the GNOME Foundation, and recently accepted a position as Executive Director of the Software Freedom Conservancy. I interviewed Karen via email to ask her about her background and insight into various issues in the free and open source world.

Portrait of Karen Sandler. CC via The Setup

Adam Saunders: Please tell us a bit about yourself and what you were doing professionally before you became Executive Director at the Software Freedom Conservancy (SFC).

Karen Sandler: Sure! I come from both a tech and legal background - I have an engineering degree (electrical and mechanical, mostly) and then went to law school. For a while I was a corporate lawyer based in London and then NY, doing debt and equity offerings for European and Latin American companies. When I quit that it was perfectly timed with [Columbia University law professor] Eben Moglen starting the Software Freedom Law Center and he hired me to do nonprofit corporate law.

While there I became passionate about software freedom - from the good work we were doing and also because of personal health issues. I was diagnosed with a heart condition and needed a pacemaker/defibrillator, and none of the device manufacturers would let me see the source code that was to be literally sewn into my body and connected to my heart. My life relies on the proper functioning of software every day, and I have no confidence that it will. The FDA generally doesn't review the source code of medical devices nor can the public. But multiple researchers have shown that these devices can be maliciously hacked, with fatal consequences.

Once you start considering medical devices, you quickly start to realize that it's all kinds of software that is life and society-critical - cars, voting machines, stock markets... It's essential that our software be safe, and the only way we can realistically expect that to be the case over time is by ensuring that our software is free and open. If there's catastrophic failure at Medtronic (the makers of my defibrillator), for example, I wouldn't be able to fix a bug in my own medical device.

AS: Could you give me an overview of SFC, what its purpose is, and what your work for the organization entails?

KS: The Software Freedom Conservancy is a charitable organization set up to promote and defend free software. We have over 30 projects, with a wide variety of purposes, including Git, Samba, Selenium, phpMyAdmin, SugarLabs and Inkscape, to name a few. Some of our projects provide basic infrastructure functionality and others are educational and library software. One of our projects is a library for Braille displays.

The Conservancy provides all of the infrastructure to maintain and support our projects. On a more mundane level, this includes travel expenses for contributors to attend conferences (or running conferences themselves), paying network hosting and other fees related to Internet collaboration, purchasing and owning equipment, and giving stipends for FLOSS [free, libre, and open source software] work by developers. We've been mandated by our projects to defend their copyrights as well, so we also work hard to get companies in compliance with our projects' licenses.

We're also working on software for nonprofit accounting. Nonprofits spend millions of dollars in licensing per year for subpar software that they cannot improve themselves. We're creating great software that solves the problem of nonprofit accounting for everyone, and with free software. Nonprofits should be helping each other to make sure that they use their public funds to support their missions, not to enrich proprietary software companies.

My work as Executive Director runs the gamut from advocating for free software and giving educational talks, to making sure we have the proper technical, legal and corporate frameworks in place to serve our projects' needs, to talking to potential new projects -- actually there's so much to do and we are so leanly staffed that sometimes I even act as administrator and travel agent for our member projects. I also must spend more time than I'd like fundraising, which is true of all Executive Directors. Please tell your readers to donate to Conservancy! We could really use the help.

AS: How does SFC ensure that it keeps within a non-profit mandate while providing services for community projects that may have substantial for-profit interests backing them?

KS: Great question, and I think this is an area where the Conservancy is particularly strong. For starters, we have an Evaluation Committee which reviews all applications to become member projects. No project can join if it has undue influence by any one or two companies. Then, once a project joins, we have a Conflicts of Interest Policy that not only applies to our board of directors but also to all of our member project leaders. On top of that, we provide oversight along with our resources, so if a project is considering any action that will unduly benefit any company or individual we call it out and help put on the brakes (or restructure things accordingly). This is really helpful for projects, as it's easier to keep the balance when there is a neutral third party involved.

We also develop all of our policies out in the open so everyone can see how we do things, and let us know if they think we can improve. You can see all of our policies in a public git repository on Gitorious.

To join the Conservancy is a statement that you don't intend to let your project be corporate controlled. Joining us means putting your assets where your mouth is, as holding assets in a 501(c)(3) organization means they are held for the public's benefit.

AS: You were recently the Executive Director of the GNOME Foundation, and are now a board member at the Foundation. What is the GNOME Outreach Program for Women [OPW], what did you like about the program, and did it encounter any challenges?

KS: I'm also still a co-organizer of the Outreach Program for Women along with the amazing Marina Zhurakhinskaya.

We realized that the number of women participating in free and open source software was ridiculously low, even as compared to the number of women in software generally (around 18%). GNOME itself up to 2010 had only ever had one woman apply at most in any year to Summer of Code. So GNOME designed a program offering paid internships to women to participate in free and open source software projects. We now have around 40 free software organizations who have participated, including the Linux kernel, Wikimedia, Mozilla, Debian, Fedora and KDE.

I like that the program was developed by looking at all of the reasons we thought women were staying away and addressing them. A key component of this is getting women started as contributors. OPW requires a contribution to the project as part of the application process. We hook applicants up with mentors and there's a supportive IRC channel and other channels of communication for them while they apply. While we can't accept everyone we'd like to, at the end of the day every successful applicant emerges from the process as a free and open source software contributor.

Other things that we deliberately do to try to include women: we address them directly (the program is for women - there's no doubt that they belong there), and we accept non-students and non-coders. Participants work remotely, which helps provide flexibility for talented women in different stages of their lives.

We require participants to blog and aggregate those blogs where possible, so everyone can see women doing important work in the project. It helps interns get connected in their communities for people to read what they're working on. We also allocate some funds to help interns travel to conferences, as meeting people face to face solidifies relationships and encourages participants to continue contributing after their internship is over.

We've had great results so far. Of our participants:

  • 20 had full-session talks at FOSS [free and open source software] conferences
  • 16 found employment or contract positions with sponsoring organizations
  • 14 continued on to participate in other focused FOSS opportunities, such as Google Summer of Code or Hacker School
  • 7 became mentors in their organizations
  • 3 organized local technology initiatives - Chicagoans Hacking on GNOME, Nairobi Dev School, Women in Free Software - India

In addition, we're seeing our participants take on key roles in our organizations. In GNOME, for example, one former participant is now our treasurer and on our board of directors. Another is on our membership committee. Women who participated in the program are important voices on our key mailing lists. I can't imagine what GNOME would be like without OPW. I think the other participating organizations are starting to see that change too. My favorite thing is when participants become mentors in a later round. We have one former participant who not only became a mentor, her mentee became a mentor!

The program is being continually refined as we learn as we go. We have added a legal infrastructure (largely at the request of our donors) and are getting better at delivering feedback to participants, guiding mentors and also getting the word out about the program.

The largest obstacle the program has faced so far is the administrative headaches from getting so successful so quickly and growing so fast. We're working on improving our administrative workflow to address this and learning a lot in the process. Donations would also help GNOME with this, I should mention! (I'm still one of the main fundraisers for OPW too, so I can't resist!)

AS: Conferences in the open source world have had a reputation for being... less than welcoming places for women, to put it mildly. As someone who has spoken at and attended several conferences, do you believe that this issue is being addressed seriously and effectively by conference organizers?

KS: I think it really varies from conference to conference. I'm an advisor with the Ada Initiative and they've done a lot of good work to provide resources to conferences to help them provide a safe space for everyone. All conferences should adopt an anti-harassment policy and make sure that they are ready to stand behind it and have infrastructure in place should things go wrong.

To be honest, there are also a lot of problems that the community as a whole has to deal with. I was recently at a conference where at a social event a few people kept talking about a strip club they went to the night before. I'm not easily offended but it was clearly inappropriate. I kept waiting for someone to say something, but no one did. In the past I probably would have tried to have been “one of the boys” a bit more about it but in the end, I just told them that the conversation was obviously not meant to include me, and left to join another table. These things happen all of the time, and it definitely makes some women feel like they do not really belong in the community. At this point, I just feel lucky that I'm established enough in my work that the subtle sexism doesn't impact me...usually.

AS: Could you tell us a bit about what it's like living as a cyborg running proprietary software on your heart?

KS: It's great, I can fell my enemies with electric pulses that I shoot from my fingertips.

I don't really think about it day-to-day. But when I do, I get really angry and upset. At the same time I feel lucky that the issue of software freedom was so simply demonstrated for me. I find that I can get people to understand why I am passionate about the issue much more readily by telling them my story than I was able to before. When you see that software really is a life and death issue you can start to appreciate why software freedom is so important.

AS: What are the social, political, and equality issues around implantable medical device manufacturers not providing free and open source software for those devices?

KS: Wow, that's a pretty complicated question, I'm not sure that I can answer briefly.

There's basic software safety in providing the source code for implantable medical devices, of course. And the device manufacturers have such a strong lobby to fight this. I think the most believable reason that I've heard for not providing the source code for the devices (other than not wanting to have to give more than they have to) is that to release software on these devices would expose the manufacturers as violating other people's patents. The software patent system really is terrible, so I'm a little sympathetic, but it's a perverse reason to avoid fundamental good practices for software safety.

On a social level, while most people would not want to alter the source code on their own device, having the source code as proprietary and unavailable locks patients and doctors into single vendors which over time can be very dangerous. As I hinted at before, if there's catastrophic failure at Medtronic, I'm out of luck with my device. The FDA doesn't have a repository of the source code. My doctor won't have access to it. I won't even be able to hire a specialist to fix the problem.

When you think about all of the software we depend on and not just medical devices, the problem just magnifies.