The ongoing fight against GPL enforcement
Jan. 30th, 2012 06:10 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
mjg59GPL enforcement is a surprisingly difficult task. It's not just a matter of identifying an infringement - you need to make sure you have a copyright holder on your side, spend some money sending letters asking people to come into compliance, spend more money initiating a suit, spend even more money encouraging people to settle, spend yet more money actually taking them to court and then maybe, at the end, you have some source code. One of the (tiny) number of groups involved in doing this is the Software Freedom Conservancy, a non-profit organisation that offers various services to free software projects. One of their notable activities is enforcing the license of Busybox, a GPLed multi-purpose application that's used in many embedded Linux environments. And this is where things get interesting
GPLv2 (the license covering the relevant code) contains the following as part of section 4:
Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License.
There's some argument over what this means, precisely, but GPLv3 adds the following paragraph:
However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation
which tends to support the assertion that, under V2, once the license is terminated you've lost it forever. That gives the SFC a lever. If a vendor is shipping products using Busybox, and is found to be in violation, this interpretation of GPLv2 means that they have no license to ship Busybox again until the copyright holders (or their agents) grant them another. This is a bit of a problem if your entire stock consists of devices running Busybox. The SFC will grant a new license, but on one condition - not only must you provide the source code to Busybox, you must provide the source code to all other works on the device that require source distribution.
The outcome of this is that we've gained access to large bodies of source code that would otherwise have been kept by companies. The SFC have successfully used Busybox to force the source release of many vendor kernels, ensuring that users have the freedoms that the copyright holders granted to them. Everybody wins, with the exception of the violators. And it seems that they're unenthusiastic about that.
A couple of weeks ago, this page appeared on the elinux.org wiki. It's written by an engineer at Sony, and it's calling for contributions to rewriting Busybox. This would be entirely reasonable if it were for technical reasons, but it's not - it's explicitly stated that companies are afraid that Busybox copyright holders may force them to comply with the licenses of software they ship. If you ship this Busybox replacement instead of the original Busybox you'll be safe from the SFC. You'll be able to violate licenses with impunity.
What can we do? The real problem here is that the SFC's reliance on Busybox means that they're only able to target infringers who use that Busybox code. No significant kernel copyright holders have so far offered to allow the SFC to enforce their copyrights, with the result that enforcement action will grind to a halt as vendors move over to this Busybox replacement. So, if you hold copyright over any part of the Linux kernel, I'd urge you to get in touch with them. The alternative is a strangely ironic world where Sony are simultaneously funding lobbying for copyright enforcement against individuals and tools to help large corporations infringe at will. I'm not enthusiastic about that.
GPLv2 (the license covering the relevant code) contains the following as part of section 4:
Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License.
There's some argument over what this means, precisely, but GPLv3 adds the following paragraph:
However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation
which tends to support the assertion that, under V2, once the license is terminated you've lost it forever. That gives the SFC a lever. If a vendor is shipping products using Busybox, and is found to be in violation, this interpretation of GPLv2 means that they have no license to ship Busybox again until the copyright holders (or their agents) grant them another. This is a bit of a problem if your entire stock consists of devices running Busybox. The SFC will grant a new license, but on one condition - not only must you provide the source code to Busybox, you must provide the source code to all other works on the device that require source distribution.
The outcome of this is that we've gained access to large bodies of source code that would otherwise have been kept by companies. The SFC have successfully used Busybox to force the source release of many vendor kernels, ensuring that users have the freedoms that the copyright holders granted to them. Everybody wins, with the exception of the violators. And it seems that they're unenthusiastic about that.
A couple of weeks ago, this page appeared on the elinux.org wiki. It's written by an engineer at Sony, and it's calling for contributions to rewriting Busybox. This would be entirely reasonable if it were for technical reasons, but it's not - it's explicitly stated that companies are afraid that Busybox copyright holders may force them to comply with the licenses of software they ship. If you ship this Busybox replacement instead of the original Busybox you'll be safe from the SFC. You'll be able to violate licenses with impunity.
What can we do? The real problem here is that the SFC's reliance on Busybox means that they're only able to target infringers who use that Busybox code. No significant kernel copyright holders have so far offered to allow the SFC to enforce their copyrights, with the result that enforcement action will grind to a halt as vendors move over to this Busybox replacement. So, if you hold copyright over any part of the Linux kernel, I'd urge you to get in touch with them. The alternative is a strangely ironic world where Sony are simultaneously funding lobbying for copyright enforcement against individuals and tools to help large corporations infringe at will. I'm not enthusiastic about that.
Re: You?
Date: 2012-01-31 06:35 am (UTC)Reverse engineering is not forbidden by copyright law – in fact it is a legally-protected right in the U.S., denied only by contracts like those that govern the use of proprietary software. Moreover, can you currently freely run a proprietary program without agreeing to its contract? As I said, copyright law does not restrict the running of programs (in fact, 17 U.S.C. § 117(a)(1) clarifies that running a program is not an infringement of copyright), so abolition of copyright law would have no effect on your ability to freely run non-free programs. Without copyright law, you would still be required to agree to contracts to use proprietary software. And those contracts can be written to emulate current copyright laws, forbidding distribution of programs (in fact, this is already being done).
Abolition of copyright law would win you no rights to proprietary software.
Of course, abolition of copyright law would be great for freedom in other types of works (though in the case of opinion works I would like to see legal replacements for the "moral rights"-style protections afforded by Creative Commons and similar public licenses). However, it could be devastating for software freedom.
Re: You?
Date: 2012-01-31 09:16 am (UTC)Also, copyright law (the DMCA in particular) does prohibit some reverse engineering, namely reverse engineering for the purposes of bypassing copyright enforcement mechanisms.
Regarding "moral rights": so copyright should go, except the parts you personally want to use? No, let's throw the whole thing out. "Moral rights" represent an abomination even worse than copyright, because at least you can waive any and all parts of copyright with a Free and Open Source license. Copyright does not derive from some moral imperative; it represents a tradeoff long overdue for re-evaluation.
Re: You?
Date: 2012-01-31 07:00 pm (UTC)By doing so you indicate agreement to the contract and are legally bound by its terms.
Ah, true, I forgot that in my writing (that would be 17 U.S.C. § 1201). But aside from such circumvention of technological measures, reverse engineering (e.g. studying how a program works so as to be able to write a competing program) is legal.
Sorry, more clarity on my part would've helped. I didn't specifically mean moral rights in themselves. I understand that moral rights (defined by 17 U.S.C. § 106A in the U.S., which actually only applies to visual artists) are quite difficult to disclaim and perhaps overbearing in some jurisdictions. Rather, I meant the similar but weaker provisions of the Creative Commons public licenses (e.g. CC BY § 4, though I realize some people feel that those provisions are also imperfect).
Either way, I'd probably agree that for those who write and enjoy works that currently would be distributed with the terms of CC BY-SA 3.0 (for example), abolition of copyright law would be a net win. We'd lose 17 U.S.C. § 1201 ("circumvention of copyright protection systems") and no longer have any great need for the license's anti-DRM provisions; we'd lose the exclusivity of rights to reproduce copies, prepare derivative works, distribute copies, etc. and would no longer need "copyleft" or "share-alike" provisions; and obviously we would no longer need to grant non-exclusive rights in the first place.
Re: You?
Date: 2012-01-31 10:49 pm (UTC)> By doing so you indicate agreement to the contract and are legally bound by its terms.
No, I don't. I never signed a contract, never clicked an "I agree" button or checkbox, never opened a bit of shrinkwrap with a EULA sticker on it, and never provided any other affirmative indication that I agree to any contract. Nor do I need to do so, since without copyright I receive nothing from the contract and thus have no need to agree to it. Contracts require consideration provided by both parties; in that case at least one party (me) would receive nothing they don't already have, making the contract void in any case.
At least in the US, case law about EULAs can go either way, depending greatly on what constitutes "consent" or "agreement". All of those I've seen seem to agree that some explicit agreement must occur; they just disagree on what constitutes agreement. None that I've seen have suggested that use alone constitutes agreement.
Re: You?
Date: 2012-02-05 04:20 am (UTC)You'll have to physically sign a written contract before getting software.
And if you circimvent this too much, then the software industry will go back 30 years. Please tell me how would you grab the software that is not yet written.
You see, not having to sign physical contracts and the ability to receive the software th second you pay (and not having to wait for some years) is a convenience. If you find a way to exploit, circumvent and cheat this convenience and this cannot be fixed, then this convenience would just die.
Think about money: Money is a convenoence. But if you started printing money and nobody could stop you, the money would die. And we'd be back in prehistoric barter times.