webpages, citizen —

Russian media group Rambler attempting to hold Nginx hostage

Nginx's co-founders were detained on criminal charges and now face civil suits.

Stock photo of empty jail cell.
Enlarge / This listing image is slightly hyperbolic—Nginx co-founders Sosoev and Konovalov didn't do time in jail, they were "just" detained and interrogated at gunpoint in their homes at 7am local time.

Maxim Konovalov and Igor Sysoev—founders and creators of the popular Web server software Nginx—were arrested, detained, and interrogated last Thursday. Sysoev's former employer, Rambler—Russia's third-largest Internet company, which occupies a roughly similar position in Russian-language Internet to Yahoo or AOL at their height in the English-speaking world—alleged that it owned the rights to Nginx's source code, due to Sysoev having originally developed it while an employee at Rambler.

In an interview with Meduza.io—a news site focusing on Russian and former Soviet Union reporting—founder Konovalov decried Rambler's move as "a typical racket, simple as that," and he went on to state that no attempt had been made to negotiate with or even notify him or Sysoev before the raid happened. Their first indication of a problem came with the police raids which detained the two, seized IT equipment from them, and interrogated them early that morning. Konovalov described the raid as "professional and polite, if you exclude the fact that special forces agents were standing around with automatic weapons... then there were interrogations. Generally speaking, the questions weren't particularly interesting or pleasant."

Konovalov characterized the move as a money-grabbing shakedown from the current leadership at Rambler, inspired by Nginx's $670 million acquisition by American tech giant F5 Networks approximately six months earlier.

He told Meduza:

Nginx was officially registered in 2011, and it's now 2019, and in all this time Rambler never raised any issues... there was the deal with F5, the big money became palpable, and then we see the desire to grab a piece of it for themselves. It's a typical racket. Simple as that.

Konovalov and Sysoev were not even certain what criminal charges were filed against them. But earlier today, Rambler requested the Russian courts to drop the criminal charges and instead turned to civil litigation. This follows Konovalov's earlier prediction that the criminal charges were merely being used as an excuse to go on a fishing expedition for leverage to use in a civil case. Rambler further claimed it was cutting ties with the "Lynwood" law firm which had filed criminal charges; but this seems likely to be a move for show only, since Lynwood Investments is tied to Alexander Mamut—a Russian billionaire who is co-owner of Rambler itself.

A simple cash grab?

Although Nginx co-founder Konovalov characterizes the move by Rambler as a simple cash grab inspired by Nginx's $670 million acquisition, the potential ramifications are far wider-reaching than ~42 billion rubles in cold hard cash. A successful, retroactive acquisition of the rights to Nginx would not just give Rambler access to that cash—it would also provide the ability to declare the entire open source license of the Nginx platform invalid.

This would, in turn, open up effectively the entire developed world's tech industry to shakedowns for licensing fees—both for continued operation, and in theory, retroactively for more than a decade of "unlicensed" usage.

Since the Nginx license was a weak, permissive license—largely akin to the BSD license, requiring nothing but acknowledgement of the original copyright notice in source code and documentation—Nginx has not just proliferated directly as a Web server used on general purpose computers but also as a key embedded component of many other solutions. For instance, Symantec's Blue Coat appliances, Sophos' Email Appliances, and Netflix's Open Connect Appliances all depend on Nginx.

Moving back to "simple" software deployments, UK Internet services company Netcraft lists Nginx as the single-most common Internet-facing Web server on the planet in its Q3 2019 Web server survey, with more than 31 percent of all sites surveyed detected as Nginx. Filtering to only "active" sites seemingly reduces Nginx to the second-most common server, with Apache at 30 percent and Nginx at 20 percent. But this conveniently ignores a whopping 37 percent of "other" results, representing Web servers locked down in production too tightly to be easily classified. Many of those "other" servers will also be Nginx or Nginx derivatives.

As of December 2019, Nginx is even more popular than Apache. Netcraft confirms it.
Enlarge / As of December 2019, Nginx is even more popular than Apache. Netcraft confirms it.

If Russian courts were to grant a civil victory to Rambler and award it ownership of the rights to Nginx, the sweeping impact on the entire global technical industry is difficult even to estimate. A simple self-hosted blog might be able to swap out Nginx for Apache in a few hours. A more complex and heavily optimized site, designed to field a lot of traffic, might get back on its feet nearly as quickly but operate at reduced capacity for a week.

Meanwhile, the industry giants which depend on Nginx include Facebook, Netflix, and WordPress. Add in Cloudflare's Content Distribution Network and DDoS protection service, and it becomes easier to discuss what portion of the Internet wouldn't stop working without Nginx than which ones would.

It seems difficult to believe that this fact is lost on the Rambler executives who initiated this grab. But it also seems difficult to believe that the rest of the world would tolerate it and honor a Russian-court decision with such far-ranging effects. Adding to the already ham-handed obviousness of the grab—which comes more than a decade after Nginx established itself as both a service company and a significant part of the global Internet infrastructure—Igor Ashmanov, a Rambler chief executive from the time Sysoev worked at the company, declared on Facebook that "developing software wasn't part of [Sysoev's] job description at all," and "Rambler [probably can't] come up with a single piece of paper, never mind a non-existent task to develop a web server."

This author believes that it would be difficult to find a court outside Russia's direct control that would issue injunctions based on such a decision which would necessarily bind the entire visible Internet from operation. As dark as politics has become, I believe sanctioning corruption this immediately and obviously visible and damaging to both tech industry giants and everyday citizens—No cat memes today? No pictures of each others' lunches? Sacrilege!—would represent immediate political suicide no elected official would likely believe they could ignore.

Channel Ars Technica