{% extends "base_compliance.html" %}
{% block subtitle %}Copyleft Compliance Projects - {% endblock %}
{% block submenuselection %}EnforcementStrategy{% endblock %}
{% block content %}
<h1 id="software-freedom-conservancy-proposal-for-gpl-enforcement-grant">History and Future Strategy</h1>
<p>The Software Freedom Conservancy is a 501(c)(3) non-profit charity
registered in New York. Founded in 2006, Conservancy helps people take control
of their computing by growing the software freedom movement, supporting
community-driven alternatives to proprietary software, and defending free
software with practical initiatives. Conservancy accomplishes these goals
with various initiatives including fiscal sponsorship, licensing and project
governance policy, and public advocacy. Some of Conservancy's most important
licensing policy work involves defending and upholding the rights of
software users and consumers under copyleft licenses, such as the GPL.</p>
<p>As existing donors and supporters know, the Software Freedom Conservancy
is a 501(c)(3) non-profit charity registered in New York, and Conservancy
helps people take control of their computing by growing the software
freedom movement, supporting community-driven alternatives to proprietary
software, and defending free software with practical initiatives.
Conservancy accomplishes these goals with various initiatives, including
defending and upholding the rights of software users and consumers under
copyleft licenses, such as the GPL.</p>
<h2 id="brief-history-of-user-focused-gpl-enforcement">Brief History of
User-Focused GPL Enforcement</h2>
<p>The spring of 2003 was a watershed moment for software freedom on
electronic devices. 802.11 wireless technology had finally reached the
mainstream, and wireless routers for home use had flooded the market
earlier in the year. By June
2003, <a href="https://hardware.slashdot.org/story/03/06/08/1749217/is-linksys-violating-the-GPL">the
general public knew that Linksys (a division of Cisco) was violating the
GPL</a> on their WRT54G model wireless routers. Hobbyists discovered
(rather easily) that Linux, BusyBox and many GNU programs were included in
the router, but Linksys and Cisco had failed to provide source code or any
offer for source code to its customers.</p>
(rather easily) that Linux and BusyBox were included in the router, but
Linksys and Cisco had failed to provide source code or any offer for source
code to its customers.</p>
<p>A coalition formed made up of organizations and individuals — including
Erik Andersen (major contributor to and former leader of the BusyBox
project) and Harald Welte (major contributor to Linux’s netfilter
subsystem) — to enforce the
GPL. <a href="https://sfconservancy.org/about/staff/#bkuhn">Bradley
M. Kuhn</a>, who is now Conservancy’s Policy Analyst and
Hacker-in-Residence, led and coordinated that coalition when he was
Executive Director of the FSF. By early 2004, this coalition, through the
Hacker-in-Residence, led and coordinated that coalition (when he was
Executive Director of the FSF). By early 2004, this coalition, through the
process of GPL enforcement, compelled Linksys to release an
almost-GPL-compliant source release for the
WRT54G. A <a href="https://openwrt.org/about/history">group of volunteers
quickly built a new project, called OpenWRT</a> based on that source
release. In the years that have followed, OpenWRT has been ported to almost
every major wireless router product. Now, more than 15 years later, the
OpenWRT project routinely utilizes GPL source releases to build, improve
and port OpenWRT. The project has also joined coalitions to fight the FCC
to ensure that consumers have and deserve rights to install modified
firmwares on their devices and that such hobbyist improvements are no
threat to spectrum regulation.</p>
<p>Recently, OpenWRT decided to join Conservancy as one its member projects,
and Conservancy has committed to long-term assistance to this project.</p>
<p>OpenWRT has spurred companies to create better routers and other wireless
devices than they would otherwise have designed because they now need to
either compete with hobbyists, or (better still) cooperate with them to
create hardware that fully supports OpenWRT’s features and improvements
(such as dealing
with <a href="https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm">the
dreaded “bufferbloat” bugs</a>). This interplay between the hobbyist
community and for-profit ventures promotes innovation in
technology. Without both permission <em>and</em> the ability to build and
modify the software on their devices, the hobbyist community
shrinks. Eventually, instead of encouraging people to experiment with their
devices, hobbyists are limited by the oft-arbitrary manufacturer-imposed
shrinks. Without intervention to assure companies respect the hobbyist
community, hobbyists are limited by the oft-arbitrary manufacturer-imposed
restraints in the OEM firmware. OpenWRT saved the wireless router market
from this disaster; we seek to help other embedded electronic subindustries
avoid that fate. The authors of GPL’d software chose that license so its
source is usable and readily available to hobbyists. It is our duty, as
activists for the software freedom of hobbyists, to ensure these legally
mandated rights are never curtailed.</p>
<p>(More on the OpenWRT project’s history and its connection to GPL
enforcement can be found
in <a href="https://www.youtube.com/watch?v=r4lCMx-EI1s">Kuhn’s talk
at <em>OpenWRT Summit 2016</em></a>.)</p>
<p>Conservancy has had substantial success in leveraging more device freedom
in other subindustries through GPL compliance. In 2009, Conservancy, with
co-Plaintiff Erik Andersen, sued fourteen defendants in federal court under
copyright claims on behalf of its BusyBox member project. Conservancy was
able to achieve compliance for the BusyBox project in all fourteen
cases. Most notably, the GPL-compliant source release obtained in the
lawsuit for certain Samsung televisions provided the basis for
the <a href="https://www.samygo.tv/">SamyGo project</a> — an alternative
firmware that works on that era of Samsung televisions and allows consumers
to modify and upgrade their firmware using FOSS.</p>
<p>Harald Welte also continued his efforts during the early and mid-2000s
after the Linksys enforcement through
<p>Harald Welte also continued his efforts during the early and mid-2000s,
after the Linksys enforcement, through
his <a href="https://gpl-violations.org/">gpl-violations.org
project</a>. Harald successfully sued many companies (mostly in the
wireless router industry) in Germany to achieve compliance and yield source
releases that helped OpenWRT during that period.</p>
<h2 id="importance-of-linux-enforcement-specifically">Importance of Linux Enforcement Specifically</h2>
<p>In recent years, embedded systems technology has expanded beyond wireless
routers to so-called “Internet of Things” devices designed for connectivity
with other devices in the home and to the “Cloud”. Consumer electronics
companies now feature and differentiate products based on Internet
connectivity, and related services. Conservancy has seen Linux-based
firmwares on refrigerators, baby monitors, virtual assistants, soundbars,
doorbells, home security cameras, police body cameras, cars, AV receivers,
and televisions.</p>
<p>This wide deployment of general purpose computers into mundane household
devices raises profound privacy and consumer rights
routers to so-called “Internet of Things” (IoT) devices designed for
connectivity with other devices in the home and to the “Cloud”. Consumer
electronics companies now feature and differentiate products based on
Internet connectivity and related services. Conservancy has seen
Linux-based firmwares on refrigerators, baby monitors, virtual assistants,
soundbars, doorbells, home security cameras, police body cameras, cars, AV
receivers, and televisions.</p>
<p>This wide deployment of general purpose computers into
mundane household devices raises profound privacy and consumer rights
implications. <a href="https://www.nytimes.com/2019/12/15/us/Hacked-ring-home-security-cameras.html">Home</a> <a href="https://www.washingtonpost.com/technology/2019/01/23/family-says-hacked-nest-camera-warned-them-north-korean-missile-attack/">security</a> <a href="https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable">cameras</a> <a href="https://www.cnn.com/2019/12/12/tech/ring-security-camera-hacker-harassed-girl-trnd/index.html">are</a> <a href="https://abc7.com/baby-monitor-hack-leads-to-kidnap-scare/4931822/">routinely</a> <a href="https://www.bbc.com/news/av/uk-44117337/security-footage-viewed-by-thousands">compromised</a>
— invading the privacy and security of individual homes. Even when
companies succeed in keeping out third parties, consumers
are <a href="https://www.theguardian.com/technology/2019/aug/29/ring-amazon-police-partnership-social-media-neighbor">pressured
by camera makers</a> to automatically upload their videos to local
police. Televisions
routinely <a href="https://techcrunch.com/2019/01/07/vizio-settlement-moves-forward/">spy
on consumers for the purposes of marketing and massive data
collection</a>.</p>
<p>There is one overarching irony to this growing dystopia: nearly all these
devices are based primarily on software licensed under the GPL: most
notably, Linux. While Linux-based systems do allow proprietary user-space
applications not licensed under GPL, the kernel and many other system
utilities routinely used in embedded systems, such as Conservancy’s BusyBox
project, are under that license (or similar copyleft licenses such as the
LGPL). These licenses require device makers to provide complete,
corresponding source code to everyone in possession of their
devices. Furthermore, Linux’s specific license (GPL, version 2), mandates
that source code must also include “the scripts used to control compilation
and installation of the executable”. In short, the consumers must receive
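Review bot: the two opening paragraphs under the "History and Future Strategy" heading repeat each other almost word for word, and the one beginning "As existing donors and supporters know" loses "Founded in 2006" and the mention of fiscal sponsorship, licensing and project governance policy, and public advocacy. The page should end up with only one of them; if the shorter one is meant to stay, consider keeping the founding year. Likewise the WRT54G paragraph appears in two wordings, one listing "Linux, BusyBox and many GNU programs" and the other only "Linux and BusyBox"; the change description should say why the GNU programs are dropped. While this text is being touched, "as one its member projects" in the OpenWRT paragraph is missing "of".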
@@ -150,39 +149,40 @@
installation, the fundamental purpose of copyleft is frustrated. Consumers,
hobbyists, non-profit e-recyclers and the general public are left without
the necessary tools they need and deserve, and which the license promises
them.</p>
<p>Additionally, copyleft compliance relates directly to significant
generational educational opportunities. There are few easier ways to
understand technology than to experiment with a device one already
has. Historically, FOSS has succeeded because young hobbyists could
examine, modify and experiment with software in their own devices. Those
hobbyists became the professional embedded device developers of today!
Theoretically, the advent of the “Internet of Things” — with its many
devices that run Linux — should give opportunities for young hobbyists to
quickly explore and improve the devices they depend on in their every day
lives. Yet, that’s rarely possible in reality. To ensure that both current
and future hobbyists can practically modify their Linux-based devices, we
must enforce Linux’s license. With public awareness that their devices can
be improved, the desire for learning will increase, and will embolden the
curiosity of newcomers of all ages and backgrounds. The practical benefits
of this virtuous cycle are immediately apparent. With technological
experimentation, people are encouraged to try new things, learn how their
devices work, and perhaps create whole new types of devices and
technologies that no one has even dreamed of before.</p>
<p>“Internet of Things” firmware should never rely on one vendor — even the
vendor of the hardware itself. This centralized approach is brittle and
inevitably leads to invasions of the public’s privacy and loss of control of their
devices that run Linux — <em>should</em> give opportunities for young
hobbyists to quickly explore and improve the devices they depend on in
their every day lives. Yet, that’s rarely possible in reality. To ensure
that both current and future hobbyists can practically modify their
Linux-based devices, we must enforce Linux’s license. With public awareness
that their devices can be improved, the desire for learning will increase,
and will embolden the curiosity of newcomers of all ages and
backgrounds. The practical benefits of this virtuous cycle are immediately
apparent. With technological experimentation, people are encouraged to try
new things, learn how their devices work, and perhaps create whole new
types of devices and technologies that no one has even dreamed of
before.</p>
<p>IoT firmware should never rely on one vendor — even the vendor of the
hardware itself. This centralized approach is brittle and inevitably leads
to invasions of the public’s privacy and loss of control of their
technology. Conservancy’s GPL enforcement work is part of the puzzle that
ensures users can choose who their devices connect to, and how they
connect. Everyone deserves control over their own computing — from their
laptop to their television to their toaster. When the public can modify (or
help others modify) the software on their devices, they choose the level of
centralized control they are comfortable with. Currently, users with
Linux-based devices usually don’t even realize what is possible with
copyleft; Conservancy aims to show them.</p>
<h2 id="the-gpl-compliance-project-for-linux-developers">The GPL Compliance
Project for Linux Developers</h2>
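Review bot: "every day lives" should be "everyday lives", and the re-wrapped paragraph in this hunk carries the error over unchanged ("their every day lives. Yet, that’s rarely possible in reality."). Also, the final paragraph switches to the bare abbreviation "IoT" while the paragraph before it still writes “Internet of Things” in quotes. Nothing visible in this hunk defines the abbreviation, so either spell it out here or make sure the "(IoT)" definition earlier in the file always precedes it.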
@@ -203,88 +203,86 @@
<p>While we still gain some success, we have found that the landscape of GPL
compliance has changed in recent years. Historically, the true “bad actors”
were rare. We found in the early days that mere education and basic
supply-chain coordination assistance yielded compliance. We sought and
often achieved goodwill in the industry via education-focused
compliance.</p>
<p>Those tactics no longer succeed; the industry has taken advantage of that
goodwill. After the BusyBox lawsuit settled, we observed a slow move toward
intentional non-compliance throughout the embedded electronics
industry. Companies use delay and “hardball” pre-litigation tactics to
drain the limited resources available for enforcement, which we faced for
example
in <a href="https://sfconservancy.org/copyleft-compliance/vmware-lawsuit-links.html">the
VMware violation</a>. While VMware ultimately complied with the GPL, they
drain the limited resources available for enforcement, which we faced (for
example) in <a href="/copyleft-compliance/vmware-lawsuit-links.html">the
did so by reengineering the product and removing Linux from it — and only
after the product was nearing end-of-life.</p>
<p>Conservancy has recently completed an evaluation of the industry’s use of
Linux in embedded products. Our findings are disheartening and require
action. Across the entire industry, most major manufacturers almost flaunt
their failure to comply with the GPL. In our private negotiations, pursuant
to
our <a href="https://sfconservancy.org/copyleft-compliance/principles.html">Principles
of Community-Oriented GPL Enforcement</a>, GPL violators stall, avoid,
their failure to comply with the GPL. In our private negotiations,
pursuant to
our <a href="/copyleft-compliance/principles.html">Principles
delay and generally refuse to comply with the GPL. Their disdain for the
rights of their customers is often palpable. Their attitude is almost
universal: “if you think we’re really violating the GPL, then go ahead and
sue us. Otherwise, you’re our lowest priority.”</p>
universal: <q>if you think we’re really violating the GPL, then go ahead and
sue us. Otherwise, you’re our lowest priority</q>.</p>
<h2 id="conservancys-plan-for-action">Conservancy’s Plan For Action</h2>
<p>Conservancy has a three-pronged plan for action: litigation, persistent
non-litigation enforcement, and alternative firmware development.</p>
<h3 id="litigation">Litigation</h3>
<p>Conservancy has many violation matters that we have pursued during the
last year where we expect compliance is impossible without litigation. We
are poised to select — from among the many violations in the embedded
electronics space — a representative example and take action in USA courts
against a violator who has failed to properly provide source code
sufficient for consumers to rebuild and install Linux, and who still
refuses to remedy that error after substantial friendly negotiation with
Conservancy.</p>
<p>Our goal remains the same as in all matters: we want a source release that
works, and we’ll end any litigation when the company fully complies on its
products and makes a bona fide commitment to future compliance.</p>
<p>Conservancy, after years of analyzing its successes and failures of
previous GPL compliance litigation, has developed — in conjunction with
litigation counsel over the last year — new approaches to litigation
strategy. We believe this will bring to fruition the promise of copyleft: a
license that assures the rights and software freedoms of hobbyists who seek
full control and modifiability of devices they own. With the benefit of
this grant, Conservancy plans to accelerate these plans in 2020 and to keep
the public informed at every stage of the process.</p>
strategy. We believe this will bring to fruition the promise of copyleft:
a license that assures the rights and software freedoms of hobbyists who
seek full control and modifiability of devices they own. With the benefit
of this grant, Conservancy plans to accelerate these plans in 2020 and to
keep the public informed at every stage of the process.</p>
<h3 id="persistent-non-litigation-enforcement">Persistent Non-Litigation Enforcement</h3>
<p>While we will seek damages to cover our reasonable costs of this work, we
do not expect that any recovery in litigation can fully fund the broad base
of work necessary to ensure compliance and the software freedom it
brings. Conservancy is the primary charitable watchdog of
GPL compliance for Linux-based devices. We seek to use litigation as a tool
in a broader course of action to continue our work in this regard. We
expect and welcome that the high profile nature of litigation will inspire
more device owners to report violations to us. We expect we’ll learn about
classes of devices we previously had no idea contained Linux, and we’ll
begin our diligent and unrelenting work to achieve software freedom for the
owners of those devices. We will also build more partnerships across the
technology sector and consumer rights organizations to highlight the
benefit of copyleft to not just hobbyists, but the entire general
public.</p>
of work necessary to ensure compliance and the software freedom it brings.
Conservancy is the primary charitable watchdog of GPL compliance for
Linux-based devices. We seek to use litigation as a tool in a broader
course of action to continue our work in this regard. We expect and
welcome that the high profile nature of litigation will inspire more device
owners to report violations to us. We expect we’ll learn about classes of
devices we previously had no idea contained Linux, and we’ll begin our
diligent and unrelenting work to achieve software freedom for the owners of
those devices. We will also build more partnerships across the technology
sector and consumer rights organizations to highlight the benefit of
copyleft to not just hobbyists, but the entire general public.</p>
<h3 id="alternative-firmware-project">Alternative Firmware Project</h3>
<p>The success of the OpenWRT project, born from GPL enforcement, has an
important component. While we’ve long hoped that volunteers, as they did
with OpenWRT and SamyGo, will take up compliant sources obtained in our GPL
enforcement efforts and build alternative firmware projects, history shows
us that the creation of such projects is not guaranteed and exceedingly
rare.</p>
<p>Traditionally, our community has relied exclusively on volunteers to take
up this task, and financial investment only comes after volunteers have put
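Review bot: the two rewritten links look like they lose their closing tags. The line ending in "<a href="/copyleft-compliance/vmware-lawsuit-links.html">the" is followed directly by "did so by reengineering the product", while "VMware violation</a>. While VMware ultimately complied with the GPL, they" appears only above it. In the same way, "our <a href="/copyleft-compliance/principles.html">Principles" is followed by "delay and generally refuse" rather than by "of Community-Oriented GPL Enforcement</a>, GPL violators stall, avoid,". Please confirm both continuation lines still follow the new anchors; otherwise the <a> elements stay open and the sentences lose words. Separately, the switch from absolute https://sfconservancy.org/ URLs to root-relative paths works on the site itself but breaks if this text is reused elsewhere, and the <q> form moves the full stop outside the quotation, which should match the quoting style used in the rest of the page.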