The economic incentive to violate the GPL
Jan. 4th, 2012 08:40 am
My post yesterday on how Google gains financial benefit from vendor GPL violations contained an assertion that some people have questioned - namely, "unscrupulous hardware vendors save money by ignoring their GPL obligations". And, to be fair, as written it's true but not entirely convincing. So instead, let's consider "unscrupulous hardware vendors have economic incentives to ignore their GPL obligations".
The direct act of compliance costs money
Complying with the GPL means having the source code that built the binaries you ship. This is easy if your workflow involves putting source in at one end and getting binaries out at the other, but getting to that workflow means having a certain degree of engineering rigour. If your current build process involves mixing a bunch of known good binaries you got from somewhere but you can't remember where with a hacked up source tree that exists on someone's hard drive and then pushing all of these into a tool that only runs on Windows ME, before taking the resulting image and replacing chunks of it by hand, compliance is effectively impossible.
We all know that this is against all kinds of best practices and probably causes so many problems that it's more expensive in the long term, but retooling and hiring someone to oversee all of this takes time and money, and given the margins on many of these devices that's probably enough to make you uncompetitive for a couple of product cycles. Maybe you'll be in a better position afterwards, but you don't know that there'll be an afterwards.
Suppliers who don't provide you with the source code may be cheaper than those who do
You can't be in compliance if you don't have the source code in the first place. The same arguments that apply to the hardware vendors also apply to the people selling you your chips, so there's also an economic incentive for them to avoid complying. And there's an obvious incentive for you to choose the cheaper chipset, even if they don't comply.
Getting the source may cost money
Buying a chipset doesn't necessarily get you the software that makes it work - several silicon vendors will charge you for the SDK. But many of these devices are effectively reference platforms, so are basically identical from a hardware perspective. So if one of your competitors paid for the SDK, you can just dump the binaries off their machine, flash them onto your own boards and save yourself a decent amount of money. You obviously don't get the source, and nor do you have the standing to insist that the vendor whose binaries you misappropriated give you the source.
In the absence of enforcement, GPL compliance only works if it's the norm
Let's imagine two companies, A and B. Both build a tablet device, and buy the full SDK including source code. Both find a bunch of bugs in the vendor SDK and fix a different subset of them. They ship. A provides source code. B doesn't. B can now take A's bugfixes and incorporate them, resulting in a more compelling product without any significant extra cost. You now have two products that can sell for the same price, but B's is better. A would need to prove that B copied their bugfixes rather than simply fixing them themselves, which probably isn't going to happen.
In a larger market, if B is the only vendor who does this then their advantage isn't large - some of A's work is misappropriated by B, but A does benefit from the engineering work contributed by C, D, E, F and G. A combination of social pressure and legal threats may bring B into compliance. But if infringement is the norm, A has no incentive at all to release the source - by doing so they'll be helping not only B, but also C, D, E, F and G. Everyone undercuts A and they go out of business quite quickly.
Moral: In the absence of enforcement, if everyone else is infringing, a single company who complies is at a disadvantage.
If compliance cost nothing then everyone would do it
You can argue that cheap tablets from China are infringing simply because nobody knows better. But what's HTC's excuse? They've clearly decided that there's a benefit in holding back their source code releases[1], balancing this against the risk of being sued. They know full well what they're doing. If compliance was free they'd ship the source at the same time as they shipped the binaries. Other significant vendors are also fully aware of their obligations but choose to ignore them anyway.
Summary
There are economic incentives to infringe the GPL, and therefore (all else being equal) an infringing device can be sold for less money. All else being equal, a cheaper device will sell more units. More sales means more devices selling adverts for Google. Google makes more money because Android vendors infringe the GPL.
Edited to add:
But don't just take my word for it - Jean-Baptiste Queru says the same here (search for "scrubbing" - is there any way to link directly to a Google plus comment?)
[1] The usual argument is "We will release the source code within 120 days", implying that it's a process that takes time and we should just be patient. Every single time I've started making threatening noises, the source has appeared within a week.
It is a "Prisoner's Dilemma" scenario
Date: 2012-01-04 08:52 pm (UTC)
If one company "defects" by being the only one that doesn't follow the GPL rules, they benefit big and the rest get screwed a little bit.
The more companies defect, the less benefit each defector gets and eventually the net is a loss. If everyone defects and keeps their source guarded, everyone gets screwed big by not benefiting from sharing the effort of development.
If everyone stayed GPL compliant, then everyone benefits a little bit and that benefit increases with the more companies that are being compliant.
Just like the criminals in the original dilemma, short term thinking and lack of trust/communication between companies lead to the defection and the net result being a loss rather than a gain for all.
is there any way to link directly to a Google plus comment?
Date: 2012-01-04 09:27 pm (UTC)
Can't be arsed to re-set my OpenID passwd
Date: 2012-01-05 02:03 am (UTC)
Point one can be summarised thus: "If you're a total idiot, you can fuck things up"
If getting the source costs money, then the other side is in violation of the GPL. You can't use violation as an argument for violation.
"In the absence of enforcement..." Moot. It is enforced, and has been tested in court.
Many (most?) companies that use GPL-licensed software are compliant. The ones that aren't are tiny, often make poor-quality products, and aren't targeted because they don't matter much in the grand scheme of things.
Seriously, this is such horse dung that I had to comment.
Re: Can't be arsed to re-set my OpenID passwd
Date: 2012-01-05 02:12 am (UTC)
I'm not providing any kind of moral justification for companies behaving this way. But the fact remains that, given the current level of enforcement, it's cheaper to violate than it is to comply.
Re: Can't be arsed to re-set my OpenID passwd
Date: 2012-02-03 10:11 am (UTC)
Barnes and Noble, Lenovo, Sony, Bosch, Western Digital, Zyxel have at some point been or are currently in violation, and that's just from the top of my head.
Also, why does the quality of the final product have any bearing on whether the GPL should be enforced or not? Surely enforcement shouldn't be selective... well, beyond perhaps ordering the backlog in terms of number of units distributed, but in that case since when does the quality of the final product have any bearing on number of units sold?
Still Google lose at next release...
Date: 2012-01-05 09:58 am (UTC)
The simple fact that people have fixed stuff not working on Linux and given those fixes to the main branch is what has made Linux.
Obviously if you just have short term targets...
If wishes were fishes we'd all cast nets in the sea
Date: 2012-01-09 06:40 pm (UTC)
That's really an extraordinary statement. Assuming that everyone is a rational actor is a major fallacy.
Most things involving human behavior are either partially or entirely irrational, in my lengthy experience. Individual humans are irrational within fairly strictured and predictable domains, but groups of humans are unpredictably irrational.
I enjoy your blogging very much, Matthew. Thanks for sharing your technical adventures!
no subject
Date: 2012-01-13 10:16 pm (UTC)
This is key, I think: commercial software is fucked up shit. I work in an office with really very smart geeks who know what the Right Thing is, but the pressures to cut corners are ever-present. Shit's gotta be done now. So to build half our stuff needs you to know a couple of years' magical incantations. (One of my big projects at this moment is to actually clean this up.)
It's really true: the reason commercial source code isn't released is shame.