The ongoing fight against GPL enforcement

[mjg59]

GPL enforcement is a surprisingly difficult task. It's not just a matter of identifying an infringement - you need to make sure you have a copyright holder on your side, spend some money sending letters asking people to come into compliance, spend more money initiating a suit, spend even more money encouraging people to settle, spend yet more money actually taking them to court and then maybe, at the end, you have some source code. One of the (tiny) number of groups involved in doing this is the Software Freedom Conservancy, a non-profit organisation that offers various services to free software projects. One of their notable activities is enforcing the license of Busybox, a GPLed multi-purpose application that's used in many embedded Linux environments. And this is where things get interesting

GPLv2 (the license covering the relevant code) contains the following as part of section 4:

Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License.

There's some argument over what this means, precisely, but GPLv3 adds the following paragraph:

However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation

which tends to support the assertion that, under V2, once the license is terminated you've lost it forever. That gives the SFC a lever. If a vendor is shipping products using Busybox, and is found to be in violation, this interpretation of GPLv2 means that they have no license to ship Busybox again until the copyright holders (or their agents) grant them another. This is a bit of a problem if your entire stock consists of devices running Busybox. The SFC will grant a new license, but on one condition - not only must you provide the source code to Busybox, you must provide the source code to all other works on the device that require source distribution.

The outcome of this is that we've gained access to large bodies of source code that would otherwise have been kept by companies. The SFC have successfully used Busybox to force the source release of many vendor kernels, ensuring that users have the freedoms that the copyright holders granted to them. Everybody wins, with the exception of the violators. And it seems that they're unenthusiastic about that.

A couple of weeks ago, this page appeared on the elinux.org wiki. It's written by an engineer at Sony, and it's calling for contributions to rewriting Busybox. This would be entirely reasonable if it were for technical reasons, but it's not - it's explicitly stated that companies are afraid that Busybox copyright holders may force them to comply with the licenses of software they ship. If you ship this Busybox replacement instead of the original Busybox you'll be safe from the SFC. You'll be able to violate licenses with impunity.

What can we do? The real problem here is that the SFC's reliance on Busybox means that they're only able to target infringers who use that Busybox code. No significant kernel copyright holders have so far offered to allow the SFC to enforce their copyrights, with the result that enforcement action will grind to a halt as vendors move over to this Busybox replacement. So, if you hold copyright over any part of the Linux kernel, I'd urge you to get in touch with them. The alternative is a strangely ironic world where Sony are simultaneously funding lobbying for copyright enforcement against individuals and tools to help large corporations infringe at will. I'm not enthusiastic about that.

Comments

You?

[(Anonymous)]

Aren't you a copyright holder of various bits of the kernel ?

Re: You?

[(Anonymous)]

When copyright and patents die the world will be a better place.

Re: You?

[(Anonymous)]

Not entirely. Without copyright, you still don't have any way of forcing companies to release their source code, and you've lost the legal protection that allows open-source licenses to be enforced.

The only benefit is that *if* you can get hold of their proprietary source code, the company can't do anything about it either.

Re: You?

[(Anonymous)]

Overall, I'll take a world without either copyright or copyleft over a world that has copyright and thus supports copyleft. Net win, even if we can't enforce source code access as easily. Among other things, a lack of copyright completely dismantles the proprietary software model, and if you can't sell licenses to proprietary software then you don't have as strong of an incentive to keep the source code proprietary.

Re: You?

[(Anonymous)]

On the contrary. Lack of copyright law would just make proprietary vendors push DRM and other lock-down of general purpose computing.

Re: You?

[(Anonymous)]

And how, precisely, would they enforce that? Without copyright, we can trivially work around DRM as we always have, without the legal threats such work usually faces.

Re: You?

[pehjota]

Among other things, a lack of copyright completely dismantles the proprietary software model, and if you can't sell licenses to proprietary software then you don't have as strong of an incentive to keep the source code proprietary.

No it doesn't. What you're calling licenses (what are often called "End User License Agreements") are not licenses – they are contracts. Licenses give rights that the law otherwise denies (e.g. the right to distribute copies of a copyrighted work or the right to drive on public roadways). The GNU GPL is a license – specifically, it is a copyright license that gives the licensee rights (reproduction of copies, preparation of derivative works, distribution of copies, etc.) that otherwise are exclusively owned by the copyright holder. Contracts on the other hand are agreements between parties in which one or both parties might give up some otherwise legally-granted rights (e.g. the right to pay an employee very small wages). "End User License Agreements" are contracts in which the user agrees to give up rights such as the right to reverse engineer a program or the right to use more than five Microsoft Windows XP systems on one's home network.

I know of no law that forbids the use of software without authorization. It is not an infringement of copyright law to run a program, period. No license is necessary to use any software, free or proprietary (which is why copyright licenses like the GNU GPL come into play only when modifying or distributing so-licensed programs, not when running them). "End User License Agreements" (or "End User Contracts" as I prefer to call them) have little to nothing to do with copyright law and give the agreeing party (the user) no rights to copyrighted software.

Even if copyright law were abolished, these contracts would still apply (unless contract law were also abolished, which would be a bad thing). Users would still be forbidden from studying, modifying, and sharing proprietary programs. Abolition of copyright law would have absolutely no effect on proprietary software, except that non-free programs could swallow up many previously free programs due to the absence of copyleft licenses. Without the advent of either "copyleft contracts" or a law that requires distribution of software in source form, abolition of copyright law would instead be a strong and dangerous blow to free software.

Re: You?

[(Anonymous)]

I think you've missed something important here. Without copyright, those contracts have nothing to offer you, so why should you agree to them? Without copyright, you could freely use, copy, reverse-engineer, modify, and distribute any bits you had. That leaves you with no incentive to agree to a EULA, and numerous reasons not to.

Now, that said, a proprietary software vendor could force you to agree to various terms in exchange for a warranty or support, which would potentially allow proprietary software to survive for a little while in the enterprise world. But for all of us who don't mind voiding software warranties...

(Also, I think you've missed the huge impact of copyright on fields other than software, where the issue of "source code" doesn't matter as much. I'd count that as part of the "net win".)

Re: You?

[(Anonymous)]

I know of no law that forbids the use of software without authorization. It is not an infringement of copyright law to run a program, period.

This is flat out wrong, sad to say. When you run a program, your computer makes copies--from disk to RAM, for instance. Without a copyright license, that's considered infringement. See MAI v. Peak Computer (http://scholar.google.com/scholar_case?case=5882317517996842407).

Is that a stupid rule? Sure it is. But that's the state of the law.

Re: You?

[(Anonymous)]

> I know of no law that forbids the use of software without authorization. It is not an infringement of copyright law to run a program, period. No license is necessary to use any software.

That really depends on the country. In Poland, software is specifically exempt from most 'allowed personal use' provisions (roughly equivalent to fair use), making it unlawful to use a program without a license.

Re: You?

[(Anonymous)]

"No it doesn't. What you're calling licenses (what are often called "End User License Agreements") are not licenses – they are contracts."

They are contracts that grant a license as the primary consideration. Without the law against copying copyrighted works they would never stick or hold up in any court. A contract without consideration is void.

Your analysis is simply flawed.

"I know of no law that forbids the use of software without authorization. It is not an infringement of copyright law to run a program, period."

To Run a program you need to copy it into memory, which arguably requires a licence. Most of the time you must copy from the installation media or download from the net certain copyrighted files to install a program. Hence requiring a license.

Re: You?

[(Anonymous)]

By the way, I should point out that various people involved with the FSF and the SFC have explicitly said the same thing: they'd much rather have a world without copyright, even though that dismantles the GPL as well.

Re: You?

[(Anonymous)]

I would not give up copyright before the software patents are thrown out first in all major countries. There are countries, like Sweden, that actually follow internationall copyright agreements and has no patents on pure buissiness and software solutions).

As long as there exist countries with software patents, we need to protect with copyrights.

Re: You?

[(Anonymous)]

Are you not a fan of the GPL then?

Re: You?

[mjg59]

Most of the past work I've done is in bits of the kernel that are rarely present in infringing devices, and most of my recent work is owned by my employer rather than me.

Re: You?

[(Anonymous)]

And why doesn't your employer allow the use of their copyrights in GPL enforcement? If they think doing so would not align with their best interests, that sounds a lot like what you decried Google for doing.

Re: You?

[mjg59]

Google make money off GPL infringements. To the best of my knowledge, we don't.

Re: You?

[(Anonymous)]

Google does not directly make any money off of GPL infringement. They make money from Android, however it gets used. Some companies who use Android violate the GPL. If Google did anything about that, they'd potentially scare off users of Android, and add to the general irrational fear of "you can't use Linux without getting sued" (which mostly comes from the various litigious patent holders, such as the current patent extortion against Android vendors). That doesn't align with Google's best interests, so they have no good reason to do it.

Red Hat, similarly, does not directly make any money off of GPL infringement. They make money from Red Hat's Linux distributions, however they get used. Companies who use Red Hat's Linux distributions, and more to the point Red Hat's extensive contributions to numerous parts of the Linux stack, do violate the GPL. If Red Hat did anything about that, they'd potentially scare off users of Red Hat's Linux distributions and of Linux in general, which would not align with Red Hat's best interests, so they have no good reason to do it.

Have I missed something here? I don't mean to suggest that either Google or Red Hat has done anything wrong here; they've both acted in their own best interests. I just don't see a meaningful difference here.

[ajaxxx.livejournal.com]

(not speaking for my employer, etc)

When you buy a RHEL machine, you actually buy an RHN subscription that includes a full copy of the source corresponding to the binaries you installed. Okay technically there's copies up on ftp too, which is why there's a CentOS.

When you buy an Android machine, you don't buy a promise from Google to give you the source. In fact if you're Google you go out of your way to delay public source releases of Android. Your recourse is to the vendor who sold you the device, because the odds are good that stock Android isn't going to run on your phone. And we see how that's gone.

I'm not saying your argument is invalid. In both cases, you don't want to sue your customers. But one of these companies has made a good-faith effort to make GPL compliance trivial, and one has actively shirked that duty. Red Hat probably would pursue GPL infringement if it were losing them RHEL sales (you'll note CentOS and Scientific are squeaky clean here). Google probably would not pursue GPL infringement because the per-seat cost of Android is not where they make money.

Now if you're saying Red Hat should allow the use of its copyright on the kernel as leverage in all GPL enforcement cases, well, yes, probably it should, morally speaking. It's a little difficult to justify that to the shareholders, I expect, since that's a lot of lawyer time for no increase in revenue. But if you can come up with a way to do it I bet there's some counsel that would love to talk to you.

Re: You?

[mjg59]

GPL-violating Android vendors are better able to undercut non-Android vendors, increasing the number of Android devices and thus Google's market share and advertising sales. I don't know of any cases where Red Hat gains financial benefit from customers engaging in GPL violations.

Re: You?

[pehjota]

Pursuant to 17 U.S.C. § 501(b), only the owner of a copyright may institute action for infringement of the copyright.

Red Hat, Inc. would therefore have to either bring enforcement action itself (which is probably not in Red Hat's best interests, as doing so is expensive and suing users doesn't always reflect well on a company) or transfer ownership of its copyrights to another person or entity (such as the Software Freedom Conservancy, Free Software Foundation, or Software Freedom Law Center).

Re: You?

[(Anonymous)]

You can delegate enforcement to someone else on your behalf. Nothing stops the Software Freedom Conservancy from acting as legal representation pro-bono, and enforcing the GPL with the copyright holders' permission.

Re: You?

[(Anonymous)]

No, you really can't "delegate" copyright enforcement. Look at Righthaven:

http://www.vegasinc.com/news/2011/jun/14/judge-rules-righthaven-lacks-standing-sue-threaten/

Some Righthaven suits have been dismissed due to "lack of standing". They don't *own* the copyrights, they just have the right to sue. And you can't transfer the right to sue to someone else while retaining ownership of the copyright.

Re: You?

[pehjota]

No, only the owner of rights can institute legal action for infringement of those rights (see 17 U.S.C. § 501(b)). Other parties may be involved in the action, but only the owner of infringed rights is allowed to file the complaint.

The DMCA, however, does allow authorized agents (and under penalty of law they must indeed be authorized) to issue takedown notices for specific cases of infringement on a network service. Beyond that though, such agents are just about powerless.

Re: You?

[pehjota]

By the way, I think you're confusing the Software Freedom Conservancy (an umbrella organization for projects, similar to Software in the Public Interest, the Free Software Foundation, and the Apache Software Foundation) with the Software Freedom Law Center (an organization that provides legal services to developers and projects).

In some court cases (e.g. those involving BusyBox and some GNU software), the Software Freedom Law Center led the litigation without having ownership of relevant copyrights. However, that was only possible because the owners of those rights filed the complaints and sought the SFLC's legal representation.