| ▲ | Roritharr 7 hours ago |
| As part of my consulting, I've stumbled upon this issue in a commercial context.
A SaaS company who has the mobile apps of their platform open source approached me with the following concern. One of their engineers was able to recreate their platform by letting Claude Code reverse engineer their Apps and the Web-Frontend, creating an API-compatible backend that is functionally identical. Took him a week after work. It's not as stable, the unit-tests need more work, the code has some unnecessary duplication, hosting isn't fully figured out, but the end-to-end test-harness is even more stable than their own. "How do we protect ourselves against a competitor doing this?" Noodling on this at the moment. |
|
| ▲ | 3rodents 6 hours ago | parent | next [-] |
| You're not describing anything new, you're describing progress. A company invests time and money and expertise into building a product, it becomes established, people copy in 1/10th of the time, the quality of products across the industry improves. Long before generative AI, Instagram famously copied Snapchat's stories concept in a weekend, and that is now a multi-multi-multi-billion contributor to Meta's bottom line. As engineers, we often think only about code, but code has never been what makes a business succeed. If your client thinks that their business's primary value is in the mobile app code they wrote, 1) why is it even open source? 2) the business is doomed. Realistically, though, this is inconsequential, and any time spent worrying about this is wasted time. You don't protect yourself from your competitor by worrying about them copying your mobile app. |
| |
| ▲ | amelius 6 hours ago | parent [-] |
| > You don't protect yourself from your competitor by worrying about them copying your mobile app.
| They did not copy the mobile app. They copied the service. |
|
|
| ▲ | IanCal 7 hours ago | parent | prev | next [-] |
| You might be interested in the dark factory work here https://factory.strongdm.ai/ They do something very similar for some of their work. It’s hard to use external services so they replicate them and the cost of doing so has come down from “don’t be daft, we can’t reimplement slack and google drive this sprint just to make testing faster” to realistic. They run the sdks against the live services and their own implementations until they don’t see behaviour differences. Now they have a fast slack and drive and more (that do everything they need for their testing) accelerating other work. I’m dramatically shifting my concept of what’s expensive and not for development. What you’re describing could have been done by someone before, but the difficulty of building that backend has dropped enormously. Even if the application was closed you could probably either now or soon start to do the same thing starting with building back to core user stories and building the app as well. You can view some of this as having things like the application as a very precise specification. Really fascinating moment of change. |
| |
| ▲ | Garlef 5 hours ago | parent [-] |
| > It’s hard to use external services
| I think it's interesting to add what they use it for and why it's hard.
| What they use it for:
| - It's about automated testing against third party services.
| - It's not about replicating the product for end users
| Why using external services is hard/problematic:
| - Performance: They want to have super fast feedback cycles in the agentic loop: In-Memory tests. So they let the AI write full in-memory simulations of (for example) the slack api that are behaviorally equivalent for their use cases.
| - Feasibility: The sandboxes offered by these services usually have performance limits (= number of requests per month, etc) that would easily be exhausted if attached to a test harness that runs every other minute in an automated BDD loop. |
|
|
| ▲ | consumer451 21 minutes ago | parent | prev | next [-] |
| > "How do we protect ourselves against a competitor doing this?"
| I have been thinking about this a lot lately, as someone launching a niche b2b SaaS. The unfortunate conclusion that I have come to is: have more capital than anyone for distribution. Is there any other answer to this? I hope so, as we are not in the well-capitalized category. We have friendly user traction. I think the only possible way to succeed is to quietly secure some big contracts. I had been hoping to bootstrap, but how can we in this new "code is cheap" world? I know it's always been like this, but it is even worse now, isn't it? |
|
| ▲ | zozbot234 7 hours ago | parent | prev | next [-] |
| > "How do we protect ourselves against a competitor doing this?"
| If the platform is so trivial that it can be reverse engineered by an AI agent from a dumb frontend, what's there to protect against? One has to assume that their moat is not that part of the backend but something else entirely about how the service is being provided. |
|
| ▲ | littlecranky67 7 hours ago | parent | prev | next [-] |
| Interesting case, IANAL but sounds legal and legit. The AI did not have exposure to the backend it re-implemented. The API itself is public and not protectable. |
| |
| ▲ | bandrami 7 hours ago | parent [-] |
| OTOH as of yesterday the output of the LLM isn't copyrightable, which makes licensing it difficult |
|
| ▲ | graemep 6 hours ago | parent | next [-] |
| As others have pointed out, this case is really about refusing to allow an LLM to be recognised as the author. The person using the LLM waived any right to be recognised as the author. It's also US only. Other countries will differ. This means you can only rely on this ruling at all for something you are distributing only in the US. Might be OK for art, definitely not for most software. Very definitely not OK for a software library. For example UK law specifically says "In the case of a literary, dramatic, musical or artistic work which is computer-generated, the author shall be taken to be the person by whom the arrangements necessary for the creation of the work are undertaken." https://www.legislation.gov.uk/ukpga/1988/48/section/9 |
|
| ▲ | jacquesm 5 hours ago | parent | next [-] |
| > The person using the LLM waived any right to be recognised as the author.
| They can't waive their liability from being identified as an infringer though. |
|
| ▲ | bakugo 6 hours ago | parent | prev [-] |
| > the author shall be taken to be the person by whom the arrangements necessary for the creation of the work are undertaken.
| This seems extremely vague. One could argue that any part of the pipeline counts as an "arrangement necessary for the creation of the work", so who is the author? The prompter, the creator of the model, or the creator of the training data? |
|
| ▲ | graemep 5 hours ago | parent [-] |
| The courts will have to settle that according to circumstances. I think it is likely to be the prompter, and in some cases the creator of the training data as well. The creator of the model will have copyright on the model, but unlikely to have copyright on its outputs (any more than the writer of a compiler has copyright on its output). |
|
| |
| ▲ | NitpickLawyer 7 hours ago | parent | prev | next [-] |
| I wrote this comment on another thread earlier, but it seems relevant here, so I'll just c/p: I think we didn't even begin to consider all the implications of this, and while people ran with that one case where someone couldn't copyright a generated image, it's not that easy for code. I think there needs to be way more litigation before we can confidently say it's settled. If "generated" code is not copyrightable, where do we draw the line on what generated means? Do macros count? Does code that generates other code count? Protobuf? If it's the tool that generates the code, again where do we draw the line? Is it just using 3rd party tools? Would training your own count? Would a "random" code gen and pick the winners (by whatever means) count? Bruteforce all the space (silly example but hey we're in silly space here) counts? Is it just "AI" adjacent that isn't copyrightable? If so how do you define AI? Does autocomplete count? Intellisense? Smarter intellisense? Are we gonna have to have a trial where there's at least one lawyer making silly comparisons between LLMs and power plugs? Or maybe counting abacuses (abaci?)... "But your honour, it's just random numbers / matrix multiplications... |
|
| ▲ | bandrami 5 hours ago | parent | next [-] |
| In terms of adoption, "it's not settled" is even worse |
|
| ▲ | amelius 6 hours ago | parent | prev [-] |
| Maybe we should build an LLM that can be the judge of that :) |
| |
| ▲ | senko 7 hours ago | parent | prev | next [-] |
| That's a very incorrect reading. AI can't be the author of the work. Human driving the AI can, unless they zero-shotted the solution with no creative input. |
|
| ▲ | camgunz 5 hours ago | parent | next [-] |
| Only the authored parts can be copyrighted, and only humans can author [0].
| "For example, when an AI technology receives solely a prompt from a human and produces complex written, visual, or musical works in response, the 'traditional elements of authorship' are determined and executed by the technology—not the human user."
| "In other cases, however, a work containing AI-generated material will also contain sufficient human authorship to support a copyright claim. For example, a human may select or arrange AI-generated material in a sufficiently creative way that 'the resulting work as a whole constitutes an original work of authorship.'"
| "Or an artist may modify material originally generated by AI technology to such a degree that the modifications meet the standard for copyright protection. In these cases, copyright will only protect the human-authored aspects of the work, which are 'independent of' and do 'not affect' the copyright status of the AI-generated material itself."
| IMO this is pretty common sense. No one's arguing they're authoring generated code; the whole point is to not author it.
| [0]: https://www.federalregister.gov/d/2023-05321/p-40 |
|
| ▲ | simiones an hour ago | parent | next [-] |
| > IMO this is pretty common sense. No one's arguing they're authoring generated code; the whole point is to not author it.
| Actually this is very much how people think for code. Consider the following consequence. Say I work for a company. Every time I generate some code with Claude, I keep a copy of said code. Once the full code is tested and released, I throw away any code that was not working well. Now I leave the company and approach their competitor. I provide all of the working code generated by Claude to the competitor. Per the new ruling, this should be perfectly legal, as this generated code is not copyrightable and thus doesn't belong to anyone. |
|
| ▲ | maxerickson 5 hours ago | parent | prev [-] |
| So if I want to publish a project under some license and I put a comment in an AI generated file (never mind what I put in the comment), how do you go about proving which portion of that file is not protected under copyright? If the AI code isn't copyrightable, I don't have any obligations to acknowledge it. |
|
| ▲ | bandrami 4 hours ago | parent | next [-] |
| You're looking at this as the infringer rather than the owner. How do you as a copyright owner prove you meaningfully arranged the work when you want to enforce your copyright? |
|
| ▲ | camgunz 4 hours ago | parent | prev [-] |
| Copyright office says this has to be done case-by-case. My guess is they'd ask to see prompts and evidence of authorship. |
|
| |
| ▲ | skeledrew 6 hours ago | parent | prev [-] |
| The human is still at best a co-author, as the primary implementation effort isn't theirs. And I think effort involved is the key contention in these cases. Yesterday ideas were cheap, and it was the execution that matters. Today execution is probably cheaper than ideas, but things should still hold. |
|
| ▲ | phire 6 hours ago | parent | prev | next [-] |
| That's not really what the ruling said. Though, I suspect this type of "vibe rewrite" does fall afoul of the same issue. But for this type of copyright laundering, it doesn't really matter. The goal isn't really about licensing it, it's about avoiding the existing licence. The idea that the code ends up as public domain isn't really an issue for them. |
|
| ▲ | oblio 7 hours ago | parent | prev [-] |
| As of yesterday? |
|
|
|
| ▲ | rwmj 5 hours ago | parent | prev | next [-] |
| No serious enterprise SaaS company differentiates themselves solely on the product (the products are usually terrible). It's the sales channel, the fact that you know how to bill a big company, the human engineer who is sent on site to deploy and integrate the product, the people on the support line 24/7, the regulatory framework that ensures the customer can operate legally and obtain insurance, the fact that there's a deep pool of potential hires who have used and understand the product. Those are the differentiators. |
|
| ▲ | jillesvangurp 3 hours ago | parent | prev | next [-] |
| > "How do we protect ourselves against a competitor doing this?"
| You can try patenting; but not after the fact. Copyright won't help you here. You can't copyright an algorithm or idea, just a specific form or implementation of it. And there is a lot of legal history about what is and isn't a derivative work here. Some companies try to forbid reverse engineering in their licensing. But of course that might be a bit hard to enforce, or prove. And it doesn't work for OSS stuff in any case. Stuff like this has been common practice in the industry for decades. Most good software ideas get picked apart, copied and re-implemented. IBM's bios for the first PC quickly got reverse engineered and then other companies started making IBM compatible PCs. IBM never open sourced their bios and they probably did not intend for that to happen. But that didn't matter. Likewise there were several PC compatible DOS variants that each could (mostly) run the same applications. MS never open sourced DOS either. There are countless examples of people figuring out how stuff works and then creating independent implementations. All that is perfectly legal. |
|
| ▲ | ShowalkKama 7 hours ago | parent | prev | next [-] |
| If your backend is trivial enough to be implemented by a large language model, what value are you providing? I know it's a provoking question but that answers why a competitor is not a competitor. |
| |
| ▲ | dboreham 2 hours ago | parent [-] |
| I suspect you're underestimating the capabilities of today's LLMs. |
|
|
| ▲ | Meneth 4 hours ago | parent | prev | next [-] |
| "How do we protect ourselves against a competitor doing this?" That's the neat thing: you don't! |
|
| ▲ | senko 7 hours ago | parent | prev | next [-] |
| > "How do we protect ourselves against a competitor doing this?"
| DMCA. The EULA likely prohibits reverse engineering. If a competitor does that, hit 'em with lawyers. Or, if you want to be able to sleep at night, recognize this as an opportunity instead of a threat. |
| |
| ▲ | orthoxerox 6 hours ago | parent [-] |
| What about jurisdictions where reverse engineering is an inalienable right? |
|
|
| ▲ | nandomrumber 7 hours ago | parent | prev | next [-] |
| Maybe a better question is: How do our competitors protect themselves against us doing this? |
|
| ▲ | amelius 6 hours ago | parent | prev | next [-] |
| Makes me wonder when AI will put the mobile phone OS duopoly to an end. |
|
| ▲ | mellosouls 7 hours ago | parent | prev | next [-] |
| The famous case Google vs Oracle may need to be re-evaluated in the light of Agents making API implementation trivial. https://en.wikipedia.org/wiki/Google_LLC_v._Oracle_America,_.... |
|
| ▲ | fragmede 7 hours ago | parent | prev | next [-] |
| Nothing. This is why SaaS stocks took a dump last week. |
|
| ▲ | jmyeet 5 hours ago | parent | prev [-] |
| I think the genie is out of the bottle on this one and there's really no putting it back. There is a certain amount of brand loyalty and platform inertia that will keep people. Also, as you point out, just having the source code isn't enough. Running a platform is more than that. But that gap will narrow with time. The broader issue here is that there are people in tech who don't realize that AI is coming for their jobs (and companies) too. I hope people in this position can maybe understand the overall societal issues for other people seeing their industries "disrupted" (ie destroyed) by AI. |