Bradley M. Kuhn
46c50ec0b1
This rewrite should improve the stand-alone nature of these documents and allow for better integration with other summary text and announcements on the website. Note that they have now drifted heavily from the original formulation of the items as grant proposals.
301 lines
18 KiB
HTML
{% extends "base_compliance.html" %}
{% block subtitle %}Copyleft Compliance Projects - {% endblock %}
{% block submenuselection %}EnforcementStrategy{% endblock %}
{% block content %}

<h1 id="software-freedom-conservancy-proposal-for-gpl-enforcement-grant">History and Future Strategy</h1>

<p>As existing donors and supporters know, the Software Freedom Conservancy
is a 501(c)(3) non-profit charity registered in New York, and Conservancy
helps people take control of their computing by growing the software
freedom movement, supporting community-driven alternatives to proprietary
software, and defending free software with practical initiatives.
Conservancy accomplishes these goals with various initiatives, including
defending and upholding the rights of software users and consumers under
copyleft licenses, such as the GPL.</p>

<h2 id="brief-history-of-user-focused-gpl-enforcement">Brief History of
User-Focused GPL Enforcement</h2>

<p>The spring of 2003 was a watershed moment for software freedom on
electronic devices. 802.11 wireless technology had finally reached the
mainstream, and wireless routers for home use had flooded the market
earlier in the year. By June
2003, <a href="https://hardware.slashdot.org/story/03/06/08/1749217/is-linksys-violating-the-GPL">the
general public knew that Linksys (a division of Cisco) was violating the
GPL</a> on their WRT54G model wireless routers. Hobbyists discovered
(rather easily) that Linux and BusyBox were included in the router, but
Linksys and Cisco had failed to provide source code or any offer for source
code to its customers.</p>

<p>A coalition formed made up of organizations and individuals — including
Erik Andersen (major contributor to and former leader of the BusyBox
project) and Harald Welte (major contributor to Linux’s netfilter
subsystem) — to enforce the
GPL. <a href="https://sfconservancy.org/about/staff/#bkuhn">Bradley
M. Kuhn</a>, who is now Conservancy’s Policy Analyst and
Hacker-in-Residence, led and coordinated that coalition (when he was
Executive Director of the FSF). By early 2004, this coalition, through the
process of GPL enforcement, compelled Linksys to release an
almost-GPL-compliant source release for the
WRT54G. A <a href="https://openwrt.org/about/history">group of volunteers
quickly built a new project, called OpenWRT</a> based on that source
release. In the years that have followed, OpenWRT has been ported to almost
every major wireless router product. Now, more than 15 years later, the
OpenWRT project routinely utilizes GPL source releases to build, improve
and port OpenWRT. The project has also joined coalitions to fight the FCC
to ensure that consumers have and deserve rights to install modified
firmwares on their devices and that such hobbyist improvements are no
threat to spectrum regulation.</p>

<p>Recently, OpenWRT decided to join Conservancy as one of its member projects,
and Conservancy has committed to long-term assistance to this project.</p>

<p>OpenWRT has spurred companies to create better routers and other wireless
devices than they would otherwise have designed because they now need to
either compete with hobbyists, or (better still) cooperate with them to
create hardware that fully supports OpenWRT’s features and improvements
(such as dealing
with <a href="https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm">the
dreaded “bufferbloat” bugs</a>). This interplay between the hobbyist
community and for-profit ventures promotes innovation in
technology. Without both permission <em>and</em> the ability to build and
modify the software on their devices, the hobbyist community
shrinks. Without intervention to assure companies respect the hobbyist
community, hobbyists are limited by the oft-arbitrary manufacturer-imposed
restraints in the OEM firmware. OpenWRT saved the wireless router market
from this disaster; we seek to help other embedded electronic subindustries
avoid that fate. The authors of GPL’d software chose that license so its
source is usable and readily available to hobbyists. It is our duty, as
activists for the software freedom of hobbyists, to ensure these legally
mandated rights are never curtailed.</p>

<p>(More on the OpenWRT project’s history and its connection to GPL
enforcement can be found
in <a href="https://www.youtube.com/watch?v=r4lCMx-EI1s">Kuhn’s talk
at <em>OpenWRT Summit 2016</em></a>.)</p>

<p>Conservancy has had substantial success in leveraging more device freedom
in other subindustries through GPL compliance. In 2009, Conservancy, with
co-Plaintiff Erik Andersen, sued fourteen defendants in federal court under
copyright claims on behalf of its BusyBox member project. Conservancy was
able to achieve compliance for the BusyBox project in all fourteen
cases. Most notably, the GPL-compliant source release obtained in the
lawsuit for certain Samsung televisions provided the basis for
the <a href="https://www.samygo.tv/">SamyGo project</a> — an alternative
firmware that works on that era of Samsung televisions and allows consumers
to modify and upgrade their firmware using FOSS.</p>

<p>Harald Welte also continued his efforts during the early and mid-2000s,
after the Linksys enforcement, through
his <a href="https://gpl-violations.org/">gpl-violations.org
project</a>. Harald successfully sued many companies (mostly in the
wireless router industry) in Germany to achieve compliance and yield source
releases that helped OpenWRT during that period.</p>

<h2 id="importance-of-linux-enforcement-specifically">Importance of Linux Enforcement Specifically</h2>

<p>In recent years, embedded systems technology has expanded beyond wireless
routers to so-called “Internet of Things” (IoT) devices designed for
connectivity with other devices in the home and to the “Cloud”. Consumer
electronics companies now feature and differentiate products based on
Internet connectivity and related services. Conservancy has seen
Linux-based firmwares on refrigerators, baby monitors, virtual assistants,
soundbars, doorbells, home security cameras, police body cameras, cars, AV
receivers, and televisions.</p>

<p>This wide deployment of general purpose computers into
mundane household devices raises profound privacy and consumer rights
implications. <a href="https://www.nytimes.com/2019/12/15/us/Hacked-ring-home-security-cameras.html">Home</a> <a href="https://www.washingtonpost.com/technology/2019/01/23/family-says-hacked-nest-camera-warned-them-north-korean-missile-attack/">security</a> <a href="https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable">cameras</a> <a href="https://www.cnn.com/2019/12/12/tech/ring-security-camera-hacker-harassed-girl-trnd/index.html">are</a> <a href="https://abc7.com/baby-monitor-hack-leads-to-kidnap-scare/4931822/">routinely</a> <a href="https://www.bbc.com/news/av/uk-44117337/security-footage-viewed-by-thousands">compromised</a>
— invading the privacy and security of individual homes. Even when
companies succeed in keeping out third parties, consumers
are <a href="https://www.theguardian.com/technology/2019/aug/29/ring-amazon-police-partnership-social-media-neighbor">pressured
by camera makers</a> to automatically upload their videos to local
police. Televisions
routinely <a href="https://techcrunch.com/2019/01/07/vizio-settlement-moves-forward/">spy
on consumers for the purposes of marketing and massive data
collection</a>.</p>

<p>There is one overarching irony to this growing dystopia: nearly all these
devices are based primarily on software licensed under the GPL: most
notably, Linux. While Linux-based systems do allow proprietary user-space
applications not licensed under GPL, the kernel and many other system
utilities routinely used in embedded systems, such as Conservancy’s BusyBox
project, are under that license (or similar copyleft licenses such as the
LGPL). These licenses require device makers to provide complete,
corresponding source code to everyone in possession of their
devices. Furthermore, Linux’s specific license (GPL, version 2) mandates
that source code must also include “the scripts used to control compilation
and installation of the executable”. In short, the consumers must receive
all the source code and the ability to modify, recompile and reinstall that
software. Upholding of this core freedom for Linux made OpenWRT
possible. We work to preserve (or, more often, restore) that software
freedom for consumers of other types of electronic devices.</p>

<p>When devices are compliant with the GPL’s requirements, customers can
individually or collectively take action against the surveillance and other
predatory behavior perpetuated by the manufacturers of these devices by
modifying and replacing the software. Hobbyists can aid their community by
providing these alternatives. People with no technical background already
replace firmware on their wireless routers with OpenWRT to both improve
network performance and allay privacy concerns. Furthermore, older
equipment is often saved from planned obsolescence by alternative
solutions. E-recyclers
like <a href="https://www.freegeek.org/">Freegeek</a> do this regularly for
desktop and laptop machines with GNU/Linux distributions like Debian, and
with OpenWRT for wireless routers. We seek to ensure they can do this for
other types of electronic products. However, without the complete,
corresponding source code, including the scripts to control its compilation and
installation, the fundamental purpose of copyleft is frustrated. Consumers,
hobbyists, non-profit e-recyclers and the general public are left without
the necessary tools they need and deserve, and which the license promises
them.</p>

<p>Additionally, copyleft compliance relates directly to significant
generational educational opportunities. There are few easier ways to
understand technology than to experiment with a device one already
has. Historically, FOSS has succeeded because young hobbyists could
examine, modify and experiment with software in their own devices. Those
hobbyists became the professional embedded device developers of today!
Theoretically, the advent of the “Internet of Things” — with its many
devices that run Linux — <em>should</em> give opportunities for young
hobbyists to quickly explore and improve the devices they depend on in
their everyday lives. Yet, that’s rarely possible in reality. To ensure
that both current and future hobbyists can practically modify their
Linux-based devices, we must enforce Linux’s license. With public awareness
that their devices can be improved, the desire for learning will increase,
and will embolden the curiosity of newcomers of all ages and
backgrounds. The practical benefits of this virtuous cycle are immediately
apparent. With technological experimentation, people are encouraged to try
new things, learn how their devices work, and perhaps create whole new
types of devices and technologies that no one has even dreamed of
before.</p>

<p>IoT firmware should never rely on one vendor — even the vendor of the
hardware itself. This centralized approach is brittle and inevitably leads
to invasions of the public’s privacy and loss of control of their
technology. Conservancy’s GPL enforcement work is part of the puzzle that
ensures users can choose who their devices connect to, and how they
connect. Everyone deserves control over their own computing — from their
laptop to their television to their toaster. When the public can modify (or
help others modify) the software on their devices, they choose the level of
centralized control they are comfortable with. Currently, users with
Linux-based devices usually don’t even realize what is possible with
copyleft; Conservancy aims to show them.</p>

<h2 id="the-gpl-compliance-project-for-linux-developers">The GPL Compliance
Project for Linux Developers</h2>

<p>In May 2012, Software Freedom Conservancy
formed <a href="https://sfconservancy.org/copyleft-compliance/#linux">The GPL
Compliance Project for Linux Developers</a> in response to frustration by
upstream Linux developers about the prevalence of noncompliance in the
field, and their desire to stand with Conservancy’s BusyBox, Git and Samba
projects in demanding widespread GPL compliance. This coalition of Linux
developers works with Conservancy to enforce the GPL for the rights of
Linux users everywhere — particularly consumers who own electronic
devices. We accept violation reports from the general public, and
prioritize enforcement in those classes of devices where we believe that we
can do the most good to help achieve GPL compliance that will increase
software freedom for the maximum number of device users.</p>

<h2 id="the-need-for-litigation">The Need for Litigation</h2>

<p>While we still gain some success, we have found that the landscape of GPL
compliance has changed in recent years. Historically, the true “bad actors”
were rare. We found in the early days that mere education and basic
supply-chain coordination assistance yielded compliance. We sought and
often achieved goodwill in the industry via education-focused
compliance.</p>

<p>Those tactics no longer succeed; the industry has taken advantage of that
goodwill. After the BusyBox lawsuit settled, we observed a slow move toward
intentional non-compliance throughout the embedded electronics
industry. Companies use delay and “hardball” pre-litigation tactics to
drain the limited resources available for enforcement, which we faced (for
example) in <a href="/copyleft-compliance/vmware-lawsuit-links.html">the
VMware violation</a>. While VMware ultimately complied with the GPL, they
did so by reengineering the product and removing Linux from it — and only
after the product was nearing end-of-life.</p>

<p>Conservancy has recently completed an evaluation of the industry’s use of
Linux in embedded products. Our findings are disheartening and require
action. Across the entire industry, most major manufacturers almost flaunt
their failure to comply with the GPL. In our private negotiations,
pursuant to
our <a href="/copyleft-compliance/principles.html">Principles
of Community-Oriented GPL Enforcement</a>, GPL violators stall, avoid,
delay and generally refuse to comply with the GPL. Their disdain for the
rights of their customers is often palpable. Their attitude is almost
universal: <q>if you think we’re really violating the GPL, then go ahead and
sue us. Otherwise, you’re our lowest priority</q>.</p>

<h2 id="conservancys-plan-for-action">Conservancy’s Plan For Action</h2>

<p>Conservancy has a three-pronged plan for action: litigation, persistent
non-litigation enforcement, and alternative firmware development.</p>

<h3 id="litigation">Litigation</h3>

<p>Conservancy has many violation matters that we have pursued during the
last year where we expect compliance is impossible without litigation. We
are poised to select — from among the many violations in the embedded
electronics space — a representative example and take action in USA courts
against a violator who has failed to properly provide source code
sufficient for consumers to rebuild and install Linux, and who still
refuses to remedy that error after substantial friendly negotiation with
Conservancy.</p>

<p>Our goal remains the same as in all matters: we want a source release that
works, and we’ll end any litigation when the company fully complies on its
products and makes a bona fide commitment to future compliance.</p>

<p>Conservancy, after years of analyzing the successes and failures of its
previous GPL compliance litigation, has developed — in conjunction with
litigation counsel over the last year — new approaches to litigation
strategy. We believe this will bring to fruition the promise of copyleft:
a license that assures the rights and software freedoms of hobbyists who
seek full control and modifiability of devices they own. With the benefit
of this grant, Conservancy plans to accelerate these plans in 2020 and to
keep the public informed at every stage of the process.</p>

<h3 id="persistent-non-litigation-enforcement">Persistent Non-Litigation Enforcement</h3>

<p>While we will seek damages to cover our reasonable costs of this work, we
do not expect that any recovery in litigation can fully fund the broad base
of work necessary to ensure compliance and the software freedom it brings.
Conservancy is the primary charitable watchdog of GPL compliance for
Linux-based devices. We seek to use litigation as a tool in a broader
course of action to continue our work in this regard. We expect and
welcome that the high profile nature of litigation will inspire more device
owners to report violations to us. We expect we’ll learn about classes of
devices we previously had no idea contained Linux, and we’ll begin our
diligent and unrelenting work to achieve software freedom for the owners of
those devices. We will also build more partnerships across the technology
sector and consumer rights organizations to highlight the benefit of
copyleft to not just hobbyists, but the entire general public.</p>

<h3 id="alternative-firmware-project">Alternative Firmware Project</h3>

<p>The success of the OpenWRT project, born from GPL enforcement, has an
important component. While we’ve long hoped that volunteers, as they did
with OpenWRT and SamyGo, will take up compliant sources obtained in our GPL
enforcement efforts and build alternative firmware projects, history shows
us that the creation of such projects is not guaranteed and is exceedingly
rare.</p>

<p>Traditionally, our community has relied exclusively on volunteers to take
up this task, and financial investment only comes after volunteers have put
in the unfunded work to make an MVP alternative firmware. While volunteer
involvement remains essential to the success of alternative firmware
projects, we know from our fiscal sponsorship work that certain aspects of
FOSS projects require an experienced charity to initiate and jump-start
some of the less exciting aspects of FOSS project creation and
development.</p>

<p>Conservancy plans to select a specific class of device. Upon achieving
compliant source releases in that subindustry through GPL enforcement,
Conservancy will <a href="firmware-liberation.html">launch an alternative
firmware project</a> for that class of device.</p>

{% endblock %}