The ongoing fight against GPL enforcement
Jan. 30th, 2012 06:10 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
mjg59GPL enforcement is a surprisingly difficult task. It's not just a matter of identifying an infringement - you need to make sure you have a copyright holder on your side, spend some money sending letters asking people to come into compliance, spend more money initiating a suit, spend even more money encouraging people to settle, spend yet more money actually taking them to court and then maybe, at the end, you have some source code. One of the (tiny) number of groups involved in doing this is the Software Freedom Conservancy, a non-profit organisation that offers various services to free software projects. One of their notable activities is enforcing the license of Busybox, a GPLed multi-purpose application that's used in many embedded Linux environments. And this is where things get interesting
GPLv2 (the license covering the relevant code) contains the following as part of section 4:
Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License.
There's some argument over what this means, precisely, but GPLv3 adds the following paragraph:
However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation
which tends to support the assertion that, under V2, once the license is terminated you've lost it forever. That gives the SFC a lever. If a vendor is shipping products using Busybox, and is found to be in violation, this interpretation of GPLv2 means that they have no license to ship Busybox again until the copyright holders (or their agents) grant them another. This is a bit of a problem if your entire stock consists of devices running Busybox. The SFC will grant a new license, but on one condition - not only must you provide the source code to Busybox, you must provide the source code to all other works on the device that require source distribution.
The outcome of this is that we've gained access to large bodies of source code that would otherwise have been kept by companies. The SFC have successfully used Busybox to force the source release of many vendor kernels, ensuring that users have the freedoms that the copyright holders granted to them. Everybody wins, with the exception of the violators. And it seems that they're unenthusiastic about that.
A couple of weeks ago, this page appeared on the elinux.org wiki. It's written by an engineer at Sony, and it's calling for contributions to rewriting Busybox. This would be entirely reasonable if it were for technical reasons, but it's not - it's explicitly stated that companies are afraid that Busybox copyright holders may force them to comply with the licenses of software they ship. If you ship this Busybox replacement instead of the original Busybox you'll be safe from the SFC. You'll be able to violate licenses with impunity.
What can we do? The real problem here is that the SFC's reliance on Busybox means that they're only able to target infringers who use that Busybox code. No significant kernel copyright holders have so far offered to allow the SFC to enforce their copyrights, with the result that enforcement action will grind to a halt as vendors move over to this Busybox replacement. So, if you hold copyright over any part of the Linux kernel, I'd urge you to get in touch with them. The alternative is a strangely ironic world where Sony are simultaneously funding lobbying for copyright enforcement against individuals and tools to help large corporations infringe at will. I'm not enthusiastic about that.
GPLv2 (the license covering the relevant code) contains the following as part of section 4:
Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License.
There's some argument over what this means, precisely, but GPLv3 adds the following paragraph:
However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation
which tends to support the assertion that, under V2, once the license is terminated you've lost it forever. That gives the SFC a lever. If a vendor is shipping products using Busybox, and is found to be in violation, this interpretation of GPLv2 means that they have no license to ship Busybox again until the copyright holders (or their agents) grant them another. This is a bit of a problem if your entire stock consists of devices running Busybox. The SFC will grant a new license, but on one condition - not only must you provide the source code to Busybox, you must provide the source code to all other works on the device that require source distribution.
The outcome of this is that we've gained access to large bodies of source code that would otherwise have been kept by companies. The SFC have successfully used Busybox to force the source release of many vendor kernels, ensuring that users have the freedoms that the copyright holders granted to them. Everybody wins, with the exception of the violators. And it seems that they're unenthusiastic about that.
A couple of weeks ago, this page appeared on the elinux.org wiki. It's written by an engineer at Sony, and it's calling for contributions to rewriting Busybox. This would be entirely reasonable if it were for technical reasons, but it's not - it's explicitly stated that companies are afraid that Busybox copyright holders may force them to comply with the licenses of software they ship. If you ship this Busybox replacement instead of the original Busybox you'll be safe from the SFC. You'll be able to violate licenses with impunity.
What can we do? The real problem here is that the SFC's reliance on Busybox means that they're only able to target infringers who use that Busybox code. No significant kernel copyright holders have so far offered to allow the SFC to enforce their copyrights, with the result that enforcement action will grind to a halt as vendors move over to this Busybox replacement. So, if you hold copyright over any part of the Linux kernel, I'd urge you to get in touch with them. The alternative is a strangely ironic world where Sony are simultaneously funding lobbying for copyright enforcement against individuals and tools to help large corporations infringe at will. I'm not enthusiastic about that.
Re: You?
Date: 2012-01-31 12:09 am (UTC)Re: You?
Date: 2012-01-31 12:51 am (UTC)The only benefit is that *if* you can get hold of their proprietary source code, the company can't do anything about it either.
Re: You?
Date: 2012-01-31 03:56 am (UTC)Re: You?
Date: 2012-01-31 04:01 am (UTC)Re: You?
Date: 2012-01-31 05:51 am (UTC)Re: You?
Date: 2012-01-31 09:53 am (UTC)Re: You?
Date: 2012-01-31 10:08 am (UTC)"Working around" protected software gets harder every day. It is not trivial.
Re: You?
Date: 2012-01-31 12:09 pm (UTC)Re: You?
Date: 2012-01-31 04:58 am (UTC)No it doesn't. What you're calling licenses (what are often called "End User License Agreements") are not licenses – they are contracts. Licenses give rights that the law otherwise denies (e.g. the right to distribute copies of a copyrighted work or the right to drive on public roadways). The GNU GPL is a license – specifically, it is a copyright license that gives the licensee rights (reproduction of copies, preparation of derivative works, distribution of copies, etc.) that otherwise are exclusively owned by the copyright holder. Contracts on the other hand are agreements between parties in which one or both parties might give up some otherwise legally-granted rights (e.g. the right to pay an employee very small wages). "End User License Agreements" are contracts in which the user agrees to give up rights such as the right to reverse engineer a program or the right to use more than five Microsoft Windows XP systems on one's home network.
I know of no law that forbids the use of software without authorization. It is not an infringement of copyright law to run a program, period. No license is necessary to use any software, free or proprietary (which is why copyright licenses like the GNU GPL come into play only when modifying or distributing so-licensed programs, not when running them). "End User License Agreements" (or "End User Contracts" as I prefer to call them) have little to nothing to do with copyright law and give the agreeing party (the user) no rights to copyrighted software.
Even if copyright law were abolished, these contracts would still apply (unless contract law were also abolished, which would be a bad thing). Users would still be forbidden from studying, modifying, and sharing proprietary programs. Abolition of copyright law would have absolutely no effect on proprietary software, except that non-free programs could swallow up many previously free programs due to the absence of copyleft licenses. Without the advent of either "copyleft contracts" or a law that requires distribution of software in source form, abolition of copyright law would instead be a strong and dangerous blow to free software.
Re: You?
Date: 2012-01-31 05:59 am (UTC)Now, that said, a proprietary software vendor could force you to agree to various terms in exchange for a warranty or support, which would potentially allow proprietary software to survive for a little while in the enterprise world. But for all of us who don't mind voiding software warranties...
(Also, I think you've missed the huge impact of copyright on fields other than software, where the issue of "source code" doesn't matter as much. I'd count that as part of the "net win".)
Re: You?
Date: 2012-01-31 06:35 am (UTC)Reverse engineering is not forbidden by copyright law – in fact it is a legally-protected right in the U.S., denied only by contracts like those that govern the use of proprietary software. Moreover, can you currently freely run a proprietary program without agreeing to its contract? As I said, copyright law does not restrict the running of programs (in fact, 17 U.S.C. § 117(a)(1) clarifies that running a program is not an infringement of copyright), so abolition of copyright law would have no effect on your ability to freely run non-free programs. Without copyright law, you would still be required to agree to contracts to use proprietary software. And those contracts can be written to emulate current copyright laws, forbidding distribution of programs (in fact, this is already being done).
Abolition of copyright law would win you no rights to proprietary software.
Of course, abolition of copyright law would be great for freedom in other types of works (though in the case of opinion works I would like to see legal replacements for the "moral rights"-style protections afforded by Creative Commons and similar public licenses). However, it could be devastating for software freedom.
Re: You?
Date: 2012-01-31 09:16 am (UTC)Also, copyright law (the DMCA in particular) does prohibit some reverse engineering, namely reverse engineering for the purposes of bypassing copyright enforcement mechanisms.
Regarding "moral rights": so copyright should go, except the parts you personally want to use? No, let's throw the whole thing out. "Moral rights" represent an abomination even worse than copyright, because at least you can waive any and all parts of copyright with a Free and Open Source license. Copyright does not derive from some moral imperative; it represents a tradeoff long overdue for re-evaluation.
Re: You?
From:Re: You?
From: (Anonymous) - Date: 2012-01-31 10:49 pm (UTC) - ExpandRe: You?
From:Re: You?
Date: 2012-01-31 10:30 am (UTC)The big thing about End User License Agreements is that you implicitly agree with them by buying the product. That is, you might *think* that merely opening a paper package which has been sealed with a sticker cannot force you to assent to the legal statement written on that sticker, but if you do, you are wrong: courts have upheld that this is a valid contract regardless of how you open that paper package -- or presumably even if you find some way to avoid doing so.
-- Drostie
Re: You?
Date: 2012-01-31 11:19 am (UTC)The problem isn't that we have problem getting propretory software, the problem is that propretory software are pirating open GPL (and like license) software.
So we should fight those corporate pirates.
Re: You?
Date: 2012-01-31 01:25 pm (UTC)So if a purchaser chose to flout the EULA and give a copy to a friend *only* he could be sued - not his friend or anyone who obtained the software from his friend even if they distributed it further. In addition contract law, I think, doesn't have the same sort of statutory damages provisions that copyright law does - so when suing the initial purchaser the company could only get damages for the direct action of him giving a single copy to his friend - at most the purchase price of the software.
That is, of course, assuming that the original purchaser can be identified in the first place - requiring waging a war on crackers (whose activities might even be legal provided they don't buy their own copies) using ever more sophisticated watermarking and online registration schemes.
tl;dr you can drive a truck through the loopholes in a EULA based business model, so although it might be attempted it is unlikely to be viable.
Re: You?
Date: 2012-01-31 11:19 am (UTC)This is flat out wrong, sad to say. When you run a program, your computer makes copies--from disk to RAM, for instance. Without a copyright license, that's considered infringement. See MAI v. Peak Computer (http://scholar.google.com/scholar_case?case=5882317517996842407).
Is that a stupid rule? Sure it is. But that's the state of the law.
Re: You?
Date: 2012-01-31 03:39 pm (UTC)Re: You?
Date: 2012-01-31 08:48 pm (UTC)I refer you to 17 U.S.C. § 117, which states that "it is not an infringement for the owner of a copy of a computer program to make or authorize the making of another copy or adaptation of that computer program" for the purposes of running or archiving the program.
This actually looks like the issue of contracts ("EULAs"). The court seems to have determined that § 117 doesn't apply because the ability to run the software in question is regulated by a contract. As many such contracts say, the software is "licensed, not sold" (though as I said, I contend that this use of the word "licensed" is incorrect). However, I can't explain the ruling of copyright infringement.
In any case, it's worth noting that as a result of this case, Congress amended 17 U.S.C. to add § 117(c), which explicitly allows the reproduction of copies of a program for the purposes of computer system maintenance.
Re: You?
Date: 2012-02-01 12:23 pm (UTC)Okay, a less cynical take: the legal contortion here is that 117 only applies to the owner (and that's why 117(c) was added) and, as you hinted at, companies nowadays seem to be allowed to claim that all software is merely rented, simply by stating it, even in the absence of an agreed EULA, and even though there is no legal ground to make such a claim.
RIP doctrine of first sale.
Re: You?
Date: 2012-01-31 08:16 pm (UTC)That really depends on the country. In Poland, software is specifically exempt from most 'allowed personal use' provisions (roughly equivalent to fair use), making it unlawful to use a program without a license.
Re: You?
Date: 2012-02-03 03:48 am (UTC)They are contracts that grant a license as the primary consideration. Without the law against copying copyrighted works they would never stick or hold up in any court. A contract without consideration is void.
Your analysis is simply flawed.
"I know of no law that forbids the use of software without authorization. It is not an infringement of copyright law to run a program, period."
To Run a program you need to copy it into memory, which arguably requires a licence. Most of the time you must copy from the installation media or download from the net certain copyrighted files to install a program. Hence requiring a license.
Re: You?
Date: 2012-02-03 04:45 am (UTC)Yes, copyright laws would forbid this, except...
...copyright law (in the U.S. and probably other jurisdictions) explicitly allows the owner of a copy of a copyrighted program to run it. Such running of a program, even though it involves copying the program into memory, is not an infringement of copyright and does not require any authorization by the copyright holder. This is the way things have been since 1980, when Congress passed the Computer Software Copyright Act with the recommendations of the National Commission on New Technological Uses of Copyrighted Works (CONTU).
Any license granted by an End User Contract is not one necessitated by copyright law. Rather, the contract itself makes it unlawful to run a program without authorization.
Re: You?
Date: 2012-01-31 06:00 am (UTC)Re: You?
Date: 2012-01-31 11:23 am (UTC)As long as there exist countries with software patents, we need to protect with copyrights.
Re: You?
Date: 2012-01-31 02:34 pm (UTC)