website/conservancy/content/copyleft-compliance/enforcement-strategy.html

{% extends "base_compliance.html" %}
{% block subtitle %}Copyleft Compliance Projects - {% endblock %}
{% block submenuselection %}EnforcementStrategy{% endblock %}
{% block content %}

<h1 id="strategic-gpl-enforcement-initiative">The Strategic GPL Enforcement Initiative</h1>

<p>As existing donors and sustainers know, the Software Freedom Conservancy
  is a 501(c)(3) non-profit charity registered in New York, and Conservancy
  helps people take control of their computing by growing the software
  freedom movement, supporting community-driven alternatives to proprietary
  software, and defending free software with practical initiatives.
  Conservancy accomplishes these goals with various initiatives, including
  defending and upholding the rights of software users and consumers under
  copyleft licenses, such as the <acronym title="General Public License">GPL</acronym>.</p>

<h2 id="brief-history-of-user-focused-gpl-enforcement">Brief History of
  User-Focused GPL Enforcement</h2>

<p>The spring of 2003 was a watershed moment for software freedom on
  electronic devices. 802.11 wireless technology had finally reached the
  mainstream, and wireless routers for home use had flooded the market
  earlier in the year. By June
  2003, <a href="https://hardware.slashdot.org/story/03/06/08/1749217/is-linksys-violating-the-GPL">the
  general public knew that Linksys (a division of Cisco) was violating the
  GPL</a> on their WRT54G model wireless routers. Hobbyists discovered
  (rather easily) that Linux and BusyBox were included in the router, but
  Linksys and Cisco had failed to provide source code or any offer for source
  code to its customers.</p>

<p>A coalition formed made up of organizations and individuals — including
  Erik Andersen (major contributor to and former leader of the BusyBox
  project) and Harald Welte (major contributor to Linux’s netfilter
  subsystem) — to enforce the
  GPL. <a href="https://sfconservancy.org/about/staff/#bkuhn">Bradley
  M. Kuhn</a>, who is now Conservancy’s Policy Fellow and
  Hacker-in-Residence, led and coordinated that coalition (when he was
  Executive Director of the <acronym title="Free Software Foundation">FSF</acronym>). By early 2004, this coalition, through the
  process of GPL enforcement, compelled Linksys to release an
  almost-GPL-compliant source release for the
  WRT54G. A <a href="https://openwrt.org/about/history">group of volunteers
  quickly built a new project, called OpenWrt</a> based on that source
  release. In the years that have followed, OpenWrt has been ported to almost
  every major wireless router product.  Now, more than 15 years later, the
  OpenWrt project routinely utilizes GPL source releases to build, improve
  and port OpenWrt.  The project has also joined coalitions to fight the FCC
  to ensure that consumers have and deserve rights to install modified
  firmwares on their devices and that such hobbyist improvements are no
  threat to spectrum regulation.</p>

<p>Recently, <a href="https://sfconservancy.org/news/2020/sep/10/openwrt-joins/">OpenWrt joined Conservancy as one its member projects</a>,
  and Conservancy has committed to long-term assistance to this project.</p>

<p>OpenWrt has spurred companies to create better routers and other wireless
  devices than such companies would otherwise have designed because they now need to
  either compete with hobbyists, or (better still) cooperate with those hobbyists to
  create hardware that fully supports OpenWrt’s features and improvements
  (such as dealing
  with <a href="https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm">the
  dreaded “bufferbloat” bugs</a>). This interplay between the hobbyist
  community and for-profit ventures promotes innovation in
  technology. Without both permission <em>and</em> the ability to build and
  modify the software on their devices, the hobbyist community
  shrinks. Without intervention to ensure companies respect the hobbyist
  community, hobbyists are limited by the oft-arbitrary manufacturer-imposed
  restraints in the OEM firmware. OpenWrt saved the wireless router market
  from this disaster; we seek to help other embedded electronic subindustries
  avoid that fate. The authors of GPL’d software chose that license so its
  source is usable and readily available to hobbyists. It is our duty, as
  activists for the software freedom of hobbyists, to ensure these legally
  mandated rights are never curtailed.</p>

<p>(More on the OpenWrt project’s history and its connection to GPL
  enforcement can be found
  in <a href="https://www.youtube.com/watch?v=r4lCMx-EI1s">Kuhn’s talk
    at <em>OpenWrt Summit 2016</em></a>.)</p>

<p>Conservancy has had substantial success in leveraging more device freedom
  in other subindustries through GPL compliance. In 2009, Conservancy, with
  co-Plaintiff Erik Andersen, sued fourteen defendants in federal court under
  copyright claims on behalf of its BusyBox member project. Conservancy 
  achieved compliance for the BusyBox project in all fourteen
  cases. Most notably, the GPL-compliant source release obtained in the
  lawsuit for certain Samsung televisions provided the basis for
  the <a href="https://www.samygo.tv/">SamyGo project</a> — an alternative
  firmware that works on that era of Samsung televisions and allows consumers
  to modify and upgrade their firmware using FOSS.</p>

<p>Harald Welte also continued his efforts during the early and mid-2000s,
  after the Linksys enforcement, through
  his <a href="https://gpl-violations.org/">gpl-violations.org
    project</a>. Harald successfully sued many companies (mostly in the
  wireless router industry) in Germany to achieve compliance and yield source
  releases that helped OpenWrt during that period.</p>

<h2 id="importance-of-linux-enforcement-specifically">Importance of Linux Enforcement Specifically</h2>

<p>In recent years, embedded systems technology has expanded beyond wireless
  routers to so-called “Internet of Things” (IoT) devices designed for
  connectivity with other devices in the home and to the “Cloud”. Consumer
  electronics companies now feature and differentiate products based on
  Internet connectivity and related services. Conservancy has seen
  Linux-based firmwares on refrigerators, baby monitors, virtual assistants,
  soundbars, doorbells, home security cameras, police body cameras, cars, AV
  receivers, and televisions.</p>

<p>This wide deployment of general purpose computers into
  mundane household devices raises profound privacy and consumer rights
  implications. <a href="https://www.nytimes.com/2019/12/15/us/Hacked-ring-home-security-cameras.html">Home</a> <a href="https://www.washingtonpost.com/technology/2019/01/23/family-says-hacked-nest-camera-warned-them-north-korean-missile-attack/">security</a> <a href="https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable">cameras</a> <a href="https://www.cnn.com/2019/12/12/tech/ring-security-camera-hacker-harassed-girl-trnd/index.html">are</a> <a href="https://abc7.com/baby-monitor-hack-leads-to-kidnap-scare/4931822/">routinely</a> <a href="https://www.bbc.com/news/av/uk-44117337/security-footage-viewed-by-thousands">compromised</a>
  — invading the privacy and security of individual homes. Even when
  companies succeed in keeping out third parties, consumers
  are <a href="https://www.theguardian.com/technology/2019/aug/29/ring-amazon-police-partnership-social-media-neighbor">pressured
  by camera makers</a> to automatically upload their videos to local
  police. Televisions
  routinely <a href="https://techcrunch.com/2019/01/07/vizio-settlement-moves-forward/">spy
  on consumers for the purposes of marketing and massive data
  collection</a>.</p>

<p>There is one overarching irony to this growing dystopia: nearly all these
  devices are based primarily on GPL'd software: most
  notably, Linux. While Linux-based systems do allow proprietary user-space
  applications (i.e., not licensed under GPL), the kernel and many other system
  utilities routinely used in embedded systems, such as Conservancy’s BusyBox
  project, are under that license (or similar copyleft licenses such as the
  LGPL). These licenses require device makers to provide complete,
  corresponding source code to everyone in possession of their
  devices. Furthermore, Linux’s specific license (GPL, version 2), mandates
  that source code must also include “the scripts used to control compilation
  and installation of the executable”. In short, the consumers must receive
  all the source code and the ability to modify, recompile and reinstall that
  software. Upholding of this core freedom for Linux made OpenWrt
  possible. We work to preserve (or, more often, restore) that software
  freedom for consumers of other types of electronic devices.</p>

<p>When devices are compliant with the GPL’s requirements, customers can
  individually or collectively take action against the surveillance and other
  predatory behavior perpetuated by the manufacturers of these devices by
  modifying and replacing the software. Hobbyists can aid their community by
  providing these alternatives. People with no technical background already
  replace firmware on their wireless routers with OpenWrt to both improve
  network performance and allay privacy concerns. Furthermore, older
  equipment is often saved from planned obsolescence by alternative
  solutions. E-recyclers
  like <a href="https://www.freegeek.org/">Freegeek</a> do this regularly for
  desktop and laptop machines with GNU/Linux distributions like Debian, and
  with OpenWrt for wireless routers. We seek to ensure they can do this for
  other types of electronic products. However, without the complete,
  corresponding source code (CCS), including the scripts to control its compilation and
  installation, the fundamental purpose of copyleft is frustrated. Consumers,
  hobbyists, non-profit e-recyclers and the general public are left without
  the necessary tools they need and deserve, and which the license promises
  them.</p>

<p>Additionally, copyleft compliance relates directly to significant
  generational educational opportunities. There are few easier ways to
  understand technology than to experiment with a device one already
  has. Historically, FOSS has succeeded because young hobbyists could
  examine, modify and experiment with software in their own devices. Those
  hobbyists became the professional embedded device developers of today!
  Theoretically, the advent of the “Internet of Things” — with its many
  devices that run Linux — <em>should</em> give opportunities for young
  hobbyists to quickly explore and improve the devices they depend on in
  their every day lives.  Yet, that’s rarely possible in reality.  To ensure
  that both current and future hobbyists can practically modify their
  Linux-based devices, we must enforce Linux’s license. With public awareness
  that their devices can be improved, the desire for learning will increase,
  and will embolden the curiosity of newcomers of all ages and
  backgrounds. The practical benefits of this virtuous cycle are immediately
  apparent. With technological experimentation, people are encouraged to try
  new things, learn how their devices work, and perhaps create whole new
  types of devices and technologies that no one has even dreamed of
  before.</p>

<p>IoT firmware should never rely on one vendor — even the vendor of the
  hardware itself. This centralized approach is brittle and inevitably leads
  to invasions of the public’s privacy and loss of control of their
  technology. Conservancy’s GPL enforcement work is part of the puzzle that
  ensures users can choose who their devices connect to, and how they
  connect. Everyone deserves control over their own computing — from their
  laptop to their television to their toaster. When the public can modify (or
  help others modify) the software on their devices, they choose the level of
  centralized control they are comfortable with. Currently, users with
  Linux-based devices usually don’t even realize what is possible with
  copyleft; Conservancy aims to show them.</p>

<h2 id="the-gpl-compliance-project-for-linux-developers">The GPL Compliance
  Project for Linux Developers</h2>

<p>In May 2012, Software Freedom Conservancy
  formed <a href="https://sfconservancy.org/copyleft-compliance/#linux">The GPL
    Compliance Project for Linux Developers</a> in response to frustration by
  upstream Linux developers about the prevalence of noncompliance in the
  field, and their desire to stand with Conservancy’s BusyBox, Git and Samba
  projects in demanding widespread GPL compliance. This coalition of Linux
  developers works with Conservancy to enforce the GPL for the rights of
  Linux users everywhere — particularly consumers who own electronic
  devices. We accept violation reports from the general public, and
  prioritize enforcement in those classes of devices where we believe that we
  can do the most good to help achieve GPL compliance that will increase
  software freedom for the maximum number of device users.</p>

<h2 id="the-need-for-litigation">The Need for Litigation</h2>

<p>While we still gain some success, we have found that the landscape of GPL
  compliance has changed in recent years. Historically, the true “bad actors”
  were rare. We found in the early days that mere education and basic
  supply-chain coordination assistance yielded compliance. We sought and
  often achieved goodwill in the industry via education-focused
  compliance.</p>

<p>Those tactics no longer succeed; the industry has taken advantage of that
  goodwill. After the BusyBox lawsuit settled, we observed a slow move toward
  intentional non-compliance throughout the embedded electronics
  industry. Companies use delay and “hardball” pre-litigation tactics to
  drain the limited resources available for enforcement, which we faced (for
  example) in <a href="/copyleft-compliance/vmware-lawsuit-links.html">the
  VMware violation</a>. While VMware ultimately complied with the GPL, they
  did so by reengineering the product and removing Linux from it — and only
  after the product was nearing end-of-life.</p>

<p>Conservancy has recently completed an evaluation of the industry’s use of
  Linux in embedded products. Our findings are disheartening and require
  action.  Across the entire industry, most major manufacturers almost flaunt
  their failure to comply with the GPL.  In our private negotiations,
  pursuant to
  our <a href="/copyleft-compliance/principles.html">Principles
  of Community-Oriented GPL Enforcement</a>, GPL violators stall, avoid,
  delay and generally refuse to comply with the GPL. Their disdain for the
  rights of their customers is often palpable.  Their attitude is almost
  universal: <q>if you think we’re really violating the GPL, then go ahead and
  sue us. Otherwise, you’re our lowest priority</q>.</p>

<h2 id="conservancys-plan-for-action">Conservancy’s Plan For Action</h2>

<p>Conservancy has a three-pronged plan for action: litigation, persistent
  non-litigation enforcement, and alternative firmware development.</p>

<h3 id="litigation">Litigation</h3>

<p>Conservancy has many violation matters that we have pursued during the
  last year where we expect compliance is impossible without litigation.  We
  are poised to select — from among the many violations in the embedded
  electronics space — a representative example and take action in USA courts
  against a violator who has failed to properly provide source code
  sufficient for consumers to rebuild and install Linux, and who still
  refuses to remedy that error after substantial friendly negotiation with
  Conservancy.</p>

<p>Our goal remains the same as in all matters: we want a source release that
  works, and we’ll end any litigation when the company fully complies on its
  products and makes a bona fide commitment to future compliance.</p>

<p>Conservancy, after years of analyzing its successes and failures of
  previous GPL compliance litigation, has developed — in conjunction with
  litigation counsel over the last year — new approaches to litigation
  strategy.  We believe this will bring to fruition the promise of copyleft:
  a license that ensures the rights and software freedoms of hobbyists who
  seek full control and modifiability of devices they own. Conservancy plans
  to accelerate these plans in late 2020 into early 2021 and we'll keep the
  public informed at every stage of the process.</p>

<h3 id="persistent-non-litigation-enforcement">Persistent Non-Litigation Enforcement</h3>

<p>While we will seek damages to cover our reasonable costs of this work, we
  do not expect that any recovery in litigation can fully fund the broad base
  of work necessary to ensure compliance and the software freedom it brings.
  Conservancy is the primary charitable watchdog of GPL compliance for
  Linux-based devices.  We seek to use litigation as a tool in a broader
  course of action to continue our work in this regard.  We expect and
  welcome that the high profile nature of litigation will inspire more device
  owners to report violations to us. We expect we’ll learn about classes of
  devices we previously had no idea contained Linux, and we’ll begin our
  diligent and unrelenting work to achieve software freedom for the owners of
  those devices. We will also build more partnerships across the technology
  sector and consumer rights organizations to highlight the benefit of
  copyleft to not just hobbyists, but the entire general public.</p>

<h3 id="alternative-firmware-project"><a href="/copyleft-compliance/firmware-liberation.html">Alternative Firmware Project</a></h3>

<p>The success of the OpenWrt project, born from GPL enforcement, has an
  important component. While we’ve long hoped that volunteers, as they did
  with OpenWrt and SamyGo, will take up compliant sources obtained in our GPL
  enforcement efforts and build alternative firmware projects, history shows
  us that the creation of such projects is not guaranteed and exceedingly
  rare.</p>

<p>Traditionally, our community has relied exclusively on volunteers to take
  up this task, and financial investment only comes after volunteers have put
  in the unfunded work to make an <acronym title="minimal viable product">MVP</acronym> alternative firmware. While volunteer
  involvement remains essential to the success of alternative firmware
  projects, we know from our fiscal sponsorship work that certain aspects of
  FOSS projects require an experienced charity to initiate and jump-start
  some of the less exciting aspects of FOSS project creation and
  development.</p>

<p>Conservancy plans to select a specific class of device. Upon achieving
  compliant source releases in that subindustry through GPL enforcement,
  Conservancy will <a href="firmware-liberation.html">launch an alternative
  firmware project</a> for that class of device.</p>

{% endblock %}