Bradley M. Kuhn
e80d35a73e
These two new documents are based on grant proposals for this work. We are preparing to announce the work publicly soon. This is a first draft of both documents.
194 lines
11 KiB
HTML
{% extends "base_compliance.html" %}
{% block subtitle %}Copyleft Compliance Projects - {% endblock %}
{% block submenuselection %}EnforcementStrategy{% endblock %}
{% block content %}
<h1 id="software-freedom-conservancy-proposal-for-firmware-liberation-project">Firmware Liberation Project</h1>
<h2 id="brief-history-of-openwrt">Brief History of OpenWRT</h2>
<p>The spring of 2003 was a watershed moment for software freedom on
electronic devices. 802.11 wireless technology had finally reached the
mainstream, and wireless routers for home use had flooded the market
earlier in the year. By June
2003, <a href="https://hardware.slashdot.org/story/03/06/08/1749217/is-linksys-violating-the-GPL">the
general public knew that Linksys (a division of Cisco) was violating the
GPL</a> on their WRT54G model wireless routers. Hobbyists discovered that
Linux, BusyBox and many GNU programs were included in the router, but
Linksys and Cisco had failed to provide source code or any offer for source
code to its customers. Linksys had violated the GPL, the license of these
projects.</p>
<p>A coalition successfully enforced the GPL in this case, and Linksys
released source code. A <a href="https://openwrt.org/about/history">group of
volunteers quickly built a new project, called OpenWRT</a>, based on that
source release. In the years that have followed, OpenWRT has been ported to
almost every major wireless router product. Now, more than 15 years later,
the OpenWRT project routinely utilizes GPL source releases to build,
improve and port OpenWRT. OpenWRT has spurred companies to create better
routers.</p>
<h2 id="gpl-enforcement-needs-follow-through">GPL Enforcement Needs Follow-Through</h2>
<p>Simply enforcing the GPL is an important first step, and Conservancy
<a href="enforcement-strategy.html">continues our efforts in that regard</a>. However,
the success found with OpenWRT can be replicated <em>only if</em> there is
substantial effort <strong>after</strong> enforcement occurs to turn the
compliant source release into a viable alternative firmware for the
platform.</p>
<p>Conservancy has seen non-compliant Linux-based firmwares on refrigerators,
baby monitors, virtual assistants, soundbars, doorbells, home security
cameras, police body cameras, cars, AV receivers, and televisions.</p>
<p>This wide deployment of general purpose computers into mundane household
devices raises profound privacy and consumer rights
implications. <a href="https://www.nytimes.com/2019/12/15/us/Hacked-ring-home-security-cameras.html">Home</a> <a href="https://www.washingtonpost.com/technology/2019/01/23/family-says-hacked-nest-camera-warned-them-north-korean-missile-attack/">security</a> <a href="https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable">cameras</a> <a href="https://www.cnn.com/2019/12/12/tech/ring-security-camera-hacker-harassed-girl-trnd/index.html">are</a> <a href="https://abc7.com/baby-monitor-hack-leads-to-kidnap-scare/4931822/">routinely</a> <a href="https://www.bbc.com/news/av/uk-44117337/security-footage-viewed-by-thousands">compromised</a>
— invading the privacy and security of individual homes. Even when
companies succeed in keeping out third parties, consumers
are <a href="https://www.theguardian.com/technology/2019/aug/29/ring-amazon-police-partnership-social-media-neighbor">pressured
by camera makers</a> to automatically upload their videos to local
police. Televisions
routinely <a href="https://techcrunch.com/2019/01/07/vizio-settlement-moves-forward/">spy
on consumers for the purposes of marketing and massive data
collection</a>.</p>
<p>“Internet of Things” firmware should never rely on one vendor — even the
vendor of the hardware itself. This centralized approach is brittle and
inevitably leads to invasions of the public’s privacy and control of their
technology. Conservancy plans to address this issue in the manner that the
FOSS community knows best: put one foot in front of the other, and work to
create FOSS for every possible task that users want to accomplish. For IoT
devices, this means creating alternative firmware in the same manner that
OpenWRT has done for wireless routers.</p>
<h2 id="limited-success-of-alternative-hardware">Limited Success of
Alternative Hardware</h2>
<p>Alternative hardware projects remain an essential component of small
device freedom. Conservancy supports and engages with communities that seek
to source and build IoT-style devices from the ground up. We’re excited to
see deployable boards that allow Maker efforts to create new devices.</p>
<p>Nevertheless, we remain ever-cognizant that FOSS succeeded on servers,
laptop, desktop, and wireless router computers <em>precisely</em> because
users could buy commodity hardware at any store and install FOSS. There is
no complete, operational base operating system for most IoT devices on the
market.</p>
<h3 id="demonstrating-the-power-of-software-freedom">Demonstrating the power
of software freedom</h3>
<p>To many, the benefits of software freedom are abstract. For less technical
users, the idea of modifying or even reviewing the software on their
devices is wholly theoretical. For technical users, there is a limited time
available to invest in the devices they use for their everyday
lives. Bringing people together to take collective action for the control
of their own technology is a powerful proposition that has rarely been
demonstrated.</p>
<p>When alternative firmware projects like OpenWRT exist for IoT devices,
non-technical users can replace the software on their devices and benefit
from custom, community-controlled software. Technical users are more likely
to contribute knowing their efforts will be meaningful.</p>
<p>However, decades of corporate involvement in copyleft have demonstrated
that without an organized effort, control over one’s own software is purely
theoretical, even when software has a copyleft license, and
sometimes <em>even when</em> compliance with the copyleft license is
achieved. Conservancy recognizes that there is a unique opportunity for
charitable organizations to step in and change the power dynamic of the
tech industry for consumers.</p>
<h2 id="conservancys-plan-for-action">Conservancy’s Plan For Action</h2>
<p>Conservancy seeks to fund work on liberating firmware for a specific
device. This is accomplished with a two-prong approach: first, we will
leverage increased interest and tendency toward GPL compliance throughout
the embedded industry to more quickly achieve compliant source releases in
a particular subindustry.</p>
<p>Second, depending on what subindustry (i.e., specific class of devices)
seems most responsive to increased enforcement activity and willing to
provide compliant source releases quickly, we will launch, coordinate and
fund an alternative firmware project for that class.</p>
<h2 id="leveraging-on-increased-enforcement">Leveraging Increased
Enforcement</h2>
<p><a href="enforcement-strategy.html">Conservancy plans to select a specific
violation and engage in litigation</a>. Based on past experience, we expect
that the press and attention to that ongoing litigation will yield
increased responsiveness by violators throughout the industry. (A similar
outcome occurred after our litigation in 2006.) This expected change in
behavior will open opportunities to replicate the OpenWRT approach in
another embedded electronic subindustry. Fast action will be necessary;
most IoT products have an 18-month lifecycle, so we seek to quickly
identify the right subindustry, gain compliance there, and move on to the
next phase.</p>
<h3 id="funding-firmware-liberation">Funding Firmware Liberation</h3>
<p>While we’ve long hoped that volunteers would take up compliant sources
obtained in our GPL enforcement efforts and build alternative firmware
projects as they did with OpenWRT, history shows us that the creation of
such projects is not guaranteed and is exceedingly rare.</p>
<p>Traditionally, our community has relied exclusively on volunteers to take
up this task, and financial investment only comes after volunteers have put
in the unfunded work to make a Minimum Viable Product (MVP) liberated
firmware. While volunteer involvement remains essential to the success of
alternative firmware projects, we know from our fiscal sponsorship work
that certain aspects of FOSS projects require an experienced charity to
initiate and jump-start some of the less exciting aspects of FOSS project
creation and development. (In our last fiscal year, Conservancy funded 160
contributors to work on FOSS.)</p>
<p>In the initial phase of this grant, Conservancy will select a specific
class of device. Upon achieving compliant source releases in that
subindustry through GPL enforcement, Conservancy will launch an alternative
firmware project for that class of device.</p>
<p>Conservancy will seek to fund the time of project leaders and
infrastructure for the project. The goal is to build a firm base that draws
volunteers to the project. We know that sustaining funding over long
periods for a grassroots hobbyist activity is quite challenging; we seek to
use this grant to bootstrap and catalyze interest and contribution to the
project. Ideally, Conservancy would run the project with a single full-time
staffer for about a year, and achieve a volunteer base sufficient to
reduce funding to one part-time staffer.</p>
<h3 id="criteria-for-device-selection">Criteria for Device Selection</h3>
<p>The IoT device industry moves quickly and we must be prepared to adapt
based on new information. The first stage in this work will be to carefully
evaluate and select the device on which to focus for this
project. Conservancy will evaluate the following criteria in selecting a
class of devices:</p>
<ul>
<li><p>Do most devices in the subindustry already run a known FOSS system
(such as Android/Linux, BusyBox/Linux or GNU/Linux)?</p></li>

<li><p>In response to our increased enforcement activity, how many existing
GPL-compliant source releases are available from how many different
vendors in this subindustry?</p></li>

<li><p>Is there a known userspace application that runs on Maker-built
hardware that does the task the proprietary userspace software from the
vendor did?</p></li>

<li><p>What is the excitement level among volunteers for this
project?</p></li>

<li><p>What value will hobbyists achieve from replacing the software on their
device? For example, would they be able to avoid surveillance or add
accessibility features?</p></li>

</ul>
<p>Finally, Conservancy will be prepared and willing to recognize temporary
failure and setbacks in a particular subindustry and pivot quickly to
choosing a different class of devices. This project is ambitious, and we’ll
be adept in our approach to ensure success.</p>