website/www/conservancy/static/copyleft-compliance/firmware-liberation.html
Bradley M. Kuhn e80d35a73e Copyleft Compliance: enforcement strategy & firmware liberation
These two new documents are based on grant proposals for this work.
We are preparing to announce the work publicly soon.  This is a first
draft of both documents.
2020-10-01 10:52:25 -07:00


{% extends "base_compliance.html" %}
{% block subtitle %}Copyleft Compliance Projects - {% endblock %}
{% block submenuselection %}EnforcementStrategy{% endblock %}
{% block content %}
<h1 id="software-freedom-conservancy-proposal-for-firmware-liberation-project">Firmware Liberation Project</h1>
<h2 id="brief-history-of-openwrt">Brief History of OpenWRT</h2>
<p>The spring of 2003 was a watershed moment for software freedom on
electronic devices. 802.11 wireless technology had finally reached the
mainstream, and wireless routers for home use had flooded the market
earlier in the year. By June
2003, <a href="https://hardware.slashdot.org/story/03/06/08/1749217/is-linksys-violating-the-GPL">the
general public knew that Linksys (a division of Cisco) was violating the
GPL</a> on their WRT54G model wireless routers. Hobbyists discovered that
Linux, BusyBox and many GNU programs were included in the router, but
Linksys and Cisco had failed to provide source code or any offer for source
code to its customers. Linksys had violated the GPL, the license of these
projects.</p>
<p>A coalition successfully enforced the GPL in this case, and Linksys
released source code. A <a href="https://openwrt.org/about/history">group of
volunteers quickly built a new project, called OpenWRT</a> based on that
source release. In the years that have followed, OpenWRT has been ported to
almost every major wireless router product. Now, more than 15 years later,
the OpenWRT project routinely utilizes GPL source releases to build,
improve and port OpenWRT. OpenWRT has spurred companies to create better
routers.</p>
<h2 id="gpl-enforcement-needs-follow-through">GPL Enforcement Needs Follow-Through</h2>
<p>Simply enforcing the GPL is an important first step, and Conservancy
<a href="enforcement-strategy.html">continues our efforts in that regard</a>. However,
the success found with OpenWRT can be replicated <em>only if</em> there is
substantial effort <strong>after</strong> enforcement occurs to turn the
compliant source release into a viable alternative firmware for the
platform.</p>
<p>Conservancy has seen non-compliant Linux-based firmwares on refrigerators,
baby monitors, virtual assistants, soundbars, doorbells, home security
cameras, police body cameras, cars, AV receivers, and televisions.</p>
<p>This wide deployment of general purpose computers into mundane household
devices raises profound privacy and consumer rights
implications. <a href="https://www.nytimes.com/2019/12/15/us/Hacked-ring-home-security-cameras.html">Home</a> <a href="https://www.washingtonpost.com/technology/2019/01/23/family-says-hacked-nest-camera-warned-them-north-korean-missile-attack/">security</a> <a href="https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable">cameras</a> <a href="https://www.cnn.com/2019/12/12/tech/ring-security-camera-hacker-harassed-girl-trnd/index.html">are</a> <a href="https://abc7.com/baby-monitor-hack-leads-to-kidnap-scare/4931822/">routinely</a> <a href="https://www.bbc.com/news/av/uk-44117337/security-footage-viewed-by-thousands">compromised</a>
— invading the privacy and security of individual homes. Even when
companies succeed in keeping out third parties, consumers
are <a href="https://www.theguardian.com/technology/2019/aug/29/ring-amazon-police-partnership-social-media-neighbor">pressured
by camera makers</a> to automatically upload their videos to local
police. Televisions
routinely <a href="https://techcrunch.com/2019/01/07/vizio-settlement-moves-forward/">spy
on consumers for the purposes of marketing and massive data
collection</a>.</p>
<p>“Internet of Things” firmware should never rely on one vendor — even the
vendor of the hardware itself. This centralized approach is brittle and
inevitably leads to invasions of the public's privacy and control of their
technology. Conservancy plans to address this issue in the manner that the
FOSS community knows best: put one foot in front of the other, and work to
create FOSS for every possible task that users want to accomplish. For IoT
devices, this means creating alternative firmware in the same manner that
OpenWRT has done for wireless routers.</p>
<h2 id="limited-success-of-alternative-hardware">Limited Success of
Alternative Hardware</h2>
<p>Alternative hardware projects remain an essential component of small
device freedom. Conservancy supports and engages with communities that seek
to source and build IoT-style devices from the ground up. We're excited to
see deployable boards that allow Maker efforts to create new devices.</p>
<p>Nevertheless, we remain ever-cognizant that FOSS succeeded on servers,
laptop, desktop, and wireless router computers <em>precisely</em> because
users could buy commodity hardware at any store and install FOSS. There is
no complete, operational base operating system for most IoT devices on the
market.</p>
<h3 id="demonstrating-the-power-of-software-freedom">Demonstrating the power
of software freedom</h3>
<p>To many, the benefits of software freedom are abstract. For less technical
users, the idea of modifying or even reviewing the software on their
devices is wholly theoretical. For technical users, there is a limited time
available to invest in the devices they use for their everyday
lives. Bringing people together to take collective action for the control
of their own technology is a powerful proposition that has rarely been
demonstrated.</p>
<p>When alternative firmware projects like OpenWRT exist for IoT devices,
non-technical users can replace the software on their devices and benefit
from custom, community-controlled software. Technical users are more likely
to contribute knowing their efforts will be meaningful.</p>
<p>However, decades of corporate involvement in copyleft have demonstrated
that without an organized effort, control over one's own software is purely
theoretical, even when software has a copyleft license, and
sometimes <em>even when</em> compliance with the copyleft license is
achieved. Conservancy recognizes that there is a unique opportunity for
charitable organizations to step in and change the power dynamic of the
tech industry for consumers.</p>
<h2 id="conservancys-plan-for-action">Conservancy's Plan For Action</h2>
<p>Conservancy seeks to fund work on liberating firmware for a specific
device. This is accomplished with a two-prong approach: first, we will
leverage increased interest and tendency toward GPL compliance throughout
the embedded industry to more quickly achieve compliant source releases in
a particular subindustry.</p>
<p>Second, depending on what subindustry (i.e., specific class of devices)
seems most responsive to increased enforcement activity and willing to
provide compliant source releases quickly, we will launch, coordinate and
fund an alternative firmware project for that class.</p>
<h2 id="leveraging-on-increased-enforcement">Leveraging Increased
Enforcement</h2>
<p><a href="enforcement-strategy.html">Conservancy plans to select a specific
violation and engage in litigation</a>. Based on past experience, we expect
that the press and attention to that ongoing litigation will yield
increased responsiveness by violators throughout the industry. (A similar
outcome occurred after our litigation in 2006.) This expected change in
behavior will open opportunities to replicate the OpenWRT approach in
another embedded electronic subindustry. Fast action will be necessary;
most IoT products have an 18 month lifecycle, so we seek to quickly
identify the right subindustry, gain compliance there, and move on to the
next phase.</p>
<h3 id="funding-firmware-liberation">Funding Firmware Liberation</h3>
<p>While we've long hoped that volunteers would take up compliant sources
obtained in our GPL enforcement efforts and build alternative firmware
projects as they did with OpenWRT, history shows us that the creation of
such projects is not guaranteed and is exceedingly rare.</p>
<p>Traditionally, our community has relied exclusively on volunteers to take
up this task, and financial investment only comes after volunteers have put
in the unfunded work to make a Minimum Viable Product (MVP) liberated
firmware. While volunteer involvement remains essential to the success of
alternative firmware projects, we know from our fiscal sponsorship work
that certain aspects of FOSS projects require an experienced charity to
initiate and jump-start some of the less exciting aspects of FOSS project
creation and development. (In our last fiscal year, Conservancy funded 160
contributors to work on FOSS.)</p>
<p>In the initial phase of this grant, Conservancy will select a specific
class of device. Upon achieving compliant source releases in that
subindustry through GPL enforcement, Conservancy will launch an alternative
firmware project for that class of device.</p>
<p>Conservancy will seek to fund the time of project leaders and
infrastructure for the project. The goal is to build a firm base that draws
volunteers to the project. We know that sustaining funding over long
periods for a grassroots hobbyist activity is quite challenging; we seek to
use this grant to bootstrap and catalyze interest and contribution to the
project. Ideally, Conservancy would run the project with a single full-time
staffer for about a year, and achieve a volunteer base sufficient to
reduce funding to one part-time staffer.</p>
<h3 id="criteria-for-device-selection">Criteria for Device Selection</h3>
<p>The IoT device industry moves quickly and we must be prepared to adapt
based on new information. The first stage in this work will be to carefully
evaluate and select the device on which to focus for this
project. Conservancy will evaluate the following criteria in selecting a
class of devices:</p>
<ul>
<li><p>Do most devices in the subindustry already run a known FOSS system
(such as Android/Linux, BusyBox/Linux or GNU/Linux)?</p></li>
<li><p>In response to our increased enforcement activity, how many existing
GPL-compliant source releases are available from how many different
vendors in this subindustry?</p></li>
<li><p>Is there a known userspace application that runs on Maker-built
hardware that does the task the proprietary userspace software from the
vendor did?</p></li>
<li><p>What is the excitement level among volunteers for this
project?</p></li>
<li><p>What value will hobbyists achieve from replacing the software on their
device? For example, would they be able to avoid surveillance or add
accessibility features?</p></li>
</ul>
<p>Finally, Conservancy will be prepared and willing to recognize temporary
failure and setbacks in a particular subindustry and pivot quickly to
choosing a different class of devices. This project is ambitious, and we'll
be adept in our approach to ensure success.</p>