{% extends "base_compliance.html" %}
{% block subtitle %}Copyleft Compliance Projects - {% endblock %}
{% block submenuselection %}EnforcementStrategy{% endblock %}
{% block content %}

<h1 id="software-freedom-conservancy-proposal-for-gpl-enforcement-grant">History and Future Strategy</h1>

<p>The Software Freedom Conservancy is a 501(c)(3) non-profit charity
registered in New York that continues its work in the area of licensing
policy. This important work involves defending and upholding the rights of
software users and consumers under copyleft licenses, such as the GPL.</p>

<h2 id="brief-history-of-user-focused-gpl-enforcement">Brief History of
User-Focused GPL Enforcement</h2>

<p>The spring of 2003 was a watershed moment for software freedom on
electronic devices. 802.11 wireless technology had finally reached the
mainstream, and wireless routers for home use had flooded the market
earlier in the year. By June
2003, <a href="https://hardware.slashdot.org/story/03/06/08/1749217/is-linksys-violating-the-GPL">the
general public knew that Linksys (a division of Cisco) was violating the
GPL</a> on their WRT54G model wireless routers. Hobbyists discovered
(rather easily) that Linux, BusyBox and many GNU programs were included in
the router, but Linksys and Cisco had failed to provide source code or any
offer for source code to its customers.</p>

<p>A coalition of organizations and individuals — including
Erik Andersen (major contributor to and former leader of the BusyBox
project) and Harald Welte (major contributor to Linux’s netfilter
subsystem) — formed to enforce the
GPL. <a href="https://sfconservancy.org/about/staff/#bkuhn">Bradley
M. Kuhn</a>, who is now Conservancy’s Policy Analyst and
Hacker-in-Residence, led and coordinated that coalition when he was
Executive Director of the FSF. By early 2004, this coalition, through the
process of GPL enforcement, compelled Linksys to release an
almost-GPL-compliant source release for the
WRT54G. A <a href="https://openwrt.org/about/history">group of volunteers
quickly built a new project, called OpenWRT</a> based on that source
release. In the years that have followed, OpenWRT has been ported to almost
every major wireless router product. Now, more than 15 years later, the
OpenWRT project routinely utilizes GPL source releases to build, improve
and port OpenWRT. The project has also joined coalitions to fight the FCC
to ensure that consumers have and deserve rights to install modified
firmwares on their devices and that such hobbyist improvements are no
threat to spectrum regulation.</p>

<p>Recently, OpenWRT decided to join Conservancy as one of its member projects,
and Conservancy has committed to long-term assistance to this project.</p>

<p>OpenWRT has spurred companies to create better routers and other wireless
devices than they would otherwise have designed because they now need to
either compete with hobbyists, or (better still) cooperate with them to
create hardware that fully supports OpenWRT’s features and improvements
(such as dealing
with <a href="https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm">the
dreaded “bufferbloat” bugs</a>). This interplay between the hobbyist
community and for-profit ventures promotes innovation in
technology. Without both permission <em>and</em> the ability to build and
modify the software on their devices, the hobbyist community
shrinks. Eventually, instead of encouraging people to experiment with their
devices, hobbyists are limited by the oft-arbitrary manufacturer-imposed
restraints in the OEM firmware. OpenWRT saved the wireless router market
from this disaster; we seek to help other embedded electronic subindustries
avoid that fate. The authors of GPL’d software chose that license so its
source is usable and readily available to hobbyists. It is our duty, as
activists for the software freedom of hobbyists, to ensure these legally
mandated rights are never curtailed.</p>

<p>(More on the OpenWRT project’s history and its connection to GPL
enforcement can be found
in <a href="https://www.youtube.com/watch?v=r4lCMx-EI1s">Kuhn’s talk
at <em>OpenWRT Summit 2016</em></a>.)</p>

<p>Conservancy has had substantial success in leveraging more device freedom
in other subindustries through GPL compliance. In 2009, Conservancy, with
co-Plaintiff Erik Andersen, sued fourteen defendants in federal court under
copyright claims on behalf of its BusyBox member project. Conservancy was
able to achieve compliance for the BusyBox project in all fourteen
cases. Most notably, the GPL-compliant source release obtained in the
lawsuit for certain Samsung televisions provided the basis for
the <a href="https://www.samygo.tv/">SamyGo project</a> — an alternative
firmware that works on that era of Samsung televisions and allows consumers
to modify and upgrade their firmware using FOSS.</p>

<p>Harald Welte also continued his efforts during the early and mid-2000s
after the Linksys enforcement through
his <a href="https://gpl-violations.org/">gpl-violations.org
project</a>. Harald successfully sued many companies (mostly in the
wireless router industry) in Germany to achieve compliance and yield source
releases that helped OpenWRT during that period.</p>

<h2 id="importance-of-linux-enforcement-specifically">Importance of Linux Enforcement Specifically</h2>

<p>In recent years, embedded systems technology has expanded beyond wireless
routers to so-called “Internet of Things” devices designed for connectivity
with other devices in the home and to the “Cloud”. Consumer electronics
companies now feature and differentiate products based on Internet
connectivity and related services. Conservancy has seen Linux-based
firmwares on refrigerators, baby monitors, virtual assistants, soundbars,
doorbells, home security cameras, police body cameras, cars, AV receivers,
and televisions.</p>

<p>This wide deployment of general purpose computers into mundane household
devices raises profound privacy and consumer rights
implications. <a href="https://www.nytimes.com/2019/12/15/us/Hacked-ring-home-security-cameras.html">Home</a> <a href="https://www.washingtonpost.com/technology/2019/01/23/family-says-hacked-nest-camera-warned-them-north-korean-missile-attack/">security</a> <a href="https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable">cameras</a> <a href="https://www.cnn.com/2019/12/12/tech/ring-security-camera-hacker-harassed-girl-trnd/index.html">are</a> <a href="https://abc7.com/baby-monitor-hack-leads-to-kidnap-scare/4931822/">routinely</a> <a href="https://www.bbc.com/news/av/uk-44117337/security-footage-viewed-by-thousands">compromised</a>
— invading the privacy and security of individual homes. Even when
companies succeed in keeping out third parties, consumers
are <a href="https://www.theguardian.com/technology/2019/aug/29/ring-amazon-police-partnership-social-media-neighbor">pressured
by camera makers</a> to automatically upload their videos to local
police. Televisions
routinely <a href="https://techcrunch.com/2019/01/07/vizio-settlement-moves-forward/">spy
on consumers for the purposes of marketing and massive data
collection</a>.</p>

<p>There is one overarching irony to this growing dystopia: nearly all these
devices are based primarily on software licensed under the GPL: most
notably, Linux. While Linux-based systems do allow proprietary user-space
applications not licensed under GPL, the kernel (and many other system
utilities routinely used in embedded systems, such as Conservancy’s BusyBox
project) are under that license (or similar copyleft licenses such as the
LGPL). These licenses require device makers to provide complete,
corresponding source code to everyone in possession of their
devices. Furthermore, Linux’s specific license (GPL, version 2) mandates
that source code must also include “the scripts used to control compilation
and installation of the executable”. In short, the consumers must receive
all the source code and the ability to modify, recompile and reinstall that
software. Upholding of this core freedom for Linux made OpenWRT
possible. We work to preserve (or, more often, restore) that software
freedom for consumers of other types of electronic devices.</p>

<p>When devices are compliant with the GPL’s requirements, customers can
individually or collectively take action against the surveillance and other
predatory behavior perpetuated by the manufacturers of these devices by
modifying and replacing the software. Hobbyists can aid their community by
providing these alternatives. People with no technical background already
replace firmware on their wireless routers with OpenWRT to both improve
network performance and allay privacy concerns. Furthermore, older
equipment is often saved from planned obsolescence by alternative
solutions. E-recyclers
like <a href="https://www.freegeek.org/">Freegeek</a> do this regularly for
desktop and laptop machines with GNU/Linux distributions like Debian, and
with OpenWRT for wireless routers. We seek to assure they can do this for
other types of electronic products. However, without the complete,
corresponding source code and the scripts to control its compilation and
installation, the fundamental purpose of copyleft is frustrated. Consumers,
hobbyists, non-profit e-recyclers and the general public are left without
the necessary tools they need and deserve, and which the license promises
them.</p>

<p>Additionally, copyleft compliance relates directly to significant
generational educational opportunities. There are few easier ways to
understand technology than to experiment with a device one already
has. Historically, FOSS has succeeded because young hobbyists could
examine, modify and experiment with software in their own devices. Those
hobbyists became the professional embedded device developers of today!
Theoretically, the advent of the “Internet of Things” — with its many
devices that run Linux — should give opportunities for young hobbyists to
quickly explore and improve the devices they depend on in their everyday
lives. Yet, that’s rarely possible in reality. To ensure that both current
and future hobbyists can practically modify their Linux-based devices, we
must enforce Linux’s license. With public awareness that their devices can
be improved, the desire for learning will increase, and will embolden the
curiosity of newcomers of all ages and backgrounds. The practical benefits
of this virtuous cycle are immediately apparent. With technological
experimentation, people are encouraged to try new things, learn how their
devices work, and perhaps create whole new types of devices and
technologies that no one has even dreamed of before.</p>

<p>“Internet of Things” firmware should never rely on one vendor — even the
vendor of the hardware itself. This centralized approach is brittle and
inevitably leads to invasions of the public’s privacy and control of their
technology. Conservancy’s GPL enforcement work is part of the puzzle that
ensures users can choose who their devices connect to, and how they
connect. Everyone deserves control over their own computing — from their
laptop to their television to their toaster. When the public can modify (or
help others modify) the software on their devices, they choose the level of
centralized control they are comfortable with. Currently, users with
Linux-based devices usually don’t even realize what is possible with
copyleft; Conservancy aims to show them.</p>

<h2 id="the-gpl-compliance-project-for-linux-developers">The GPL Compliance
Project for Linux Developers</h2>

<p>In May 2012, Software Freedom Conservancy
formed <a href="https://sfconservancy.org/copyleft-compliance/">The GPL
Compliance Project for Linux Developers</a> in response to frustration by
upstream Linux developers about the prevalence of noncompliance in the
field, and their desire to stand with Conservancy’s BusyBox, Git and Samba
projects in demanding widespread GPL compliance. This coalition of Linux
developers works with Conservancy to enforce the GPL for the rights of
Linux users everywhere — particularly consumers who own electronic
devices. We accept violation reports from the general public, and
prioritize enforcement in those classes of devices where we believe that we
can do the most good to help achieve GPL compliance that will increase
software freedom for the maximum number of device users.</p>

<h2 id="the-need-for-litigation">The Need for Litigation</h2>

<p>While we still gain some success, we have found that the landscape of GPL
compliance has changed in recent years. Historically, the true “bad actors”
were rare. We found in the early days that mere education and basic
supply-chain coordination assistance yielded compliance. We sought and
often achieved goodwill in the industry via education-focused
compliance.</p>

<p>Those tactics no longer succeed; the industry has taken advantage of that
goodwill. After the BusyBox lawsuit settled, we observed a slow move toward
intentional non-compliance throughout the embedded electronics
industry. Companies use delay and “hardball” pre-litigation tactics to
drain the limited resources available for enforcement, which we faced for
example
in <a href="https://sfconservancy.org/copyleft-compliance/vmware-lawsuit-links.html">the
VMware violation</a>. While VMware ultimately complied with the GPL, they
did so by reengineering the product and removing Linux from it — and only
after the product was nearing end-of-life.</p>

<p>Conservancy has recently completed an evaluation of the industry’s use of
Linux in embedded products. Our findings are disheartening and require
action. Across the entire industry, most major manufacturers almost flaunt
their failure to comply with the GPL. In our private negotiations, pursuant
to
our <a href="https://sfconservancy.org/copyleft-compliance/principles.html">Principles
of Community-Oriented GPL Enforcement</a>, GPL violators stall, avoid,
delay and generally refuse to comply with the GPL. Their disdain for the
rights of their customers is often palpable. Their attitude is almost
universal: “if you think we’re really violating the GPL, then go ahead and
sue us. Otherwise, you’re our lowest priority.”</p>

<h2 id="conservancys-plan-for-action">Conservancy’s Plan For Action</h2>

<p>Conservancy has a three-pronged plan for action: litigation, persistent
non-litigation enforcement, and alternative firmware development.</p>

<h3 id="litigation">Litigation</h3>

<p>Conservancy has many violation matters that we have pursued during the
last year where we expect compliance is impossible without litigation. We
are poised to select — from among the many violations in the embedded
electronics space — a representative example and take action in USA courts
against a violator who has failed to properly provide source code
sufficient for consumers to rebuild and install Linux, and who still
refuses to remedy that error after substantial friendly negotiation with
Conservancy.</p>

<p>Our goal remains the same as in all matters: we want a source release that
works, and we’ll end any litigation when the company fully complies on its
products and makes a bona fide commitment to future compliance.</p>

<p>Conservancy, after years of analyzing the successes and failures of its
previous GPL compliance litigation, has developed — in conjunction with
litigation counsel over the last year — new approaches to litigation
strategy. We believe this will bring to fruition the promise of copyleft: a
license that assures the rights and software freedoms of hobbyists who seek
full control and modifiability of devices they own. With the benefit of
this grant, Conservancy plans to accelerate these plans in 2020 and to keep
the public informed at every stage of the process.</p>

<h3 id="persistent-non-litigation-enforcement">Persistent Non-Litigation Enforcement</h3>

<p>While we will seek damages to cover our reasonable costs of this work, we
do not expect that any recovery in litigation can fully fund the broad base
of work necessary to ensure compliance and the software freedom it
brings. Conservancy is the primary charitable watchdog of
GPL compliance for Linux-based devices. We seek to use litigation as a tool
in a broader course of action to continue our work in this regard. We
expect and welcome that the high-profile nature of litigation will inspire
more device owners to report violations to us. We expect we’ll learn about
classes of devices we previously had no idea contained Linux, and we’ll
begin our diligent and unrelenting work to achieve software freedom for the
owners of those devices. We will also build more partnerships across the
technology sector and consumer rights organizations to highlight the
benefit of copyleft to not just hobbyists, but the entire general
public.</p>

<h3 id="alternative-firmware-project">Alternative Firmware Project</h3>

<p>The success of the OpenWRT project, born from GPL enforcement, has an
important component. While we’ve long hoped that volunteers, as they did
with OpenWRT and SamyGo, will take up compliant sources obtained in our GPL
enforcement efforts and build alternative firmware projects, history shows
us that the creation of such projects is not guaranteed and is exceedingly
rare.</p>

<p>Traditionally, our community has relied exclusively on volunteers to take
up this task, and financial investment only comes after volunteers have put
in the unfunded work to make an MVP alternative firmware. While volunteer
involvement remains essential to the success of alternative firmware
projects, we know from our fiscal sponsorship work that certain aspects of
FOSS projects require an experienced charity to initiate and jump-start
some of the less exciting aspects of FOSS project creation and
development.</p>

<p>Conservancy plans to select a specific class of device. Upon achieving
compliant source releases in that subindustry through GPL enforcement,
Conservancy will <a href="firmware-liberation">launch an alternative
firmware project</a> for that class of device.</p>

{% endblock %}