Files @ a8ec562e1ad3

Location: website/www/conservancy/static/copyleft-compliance/firmware-liberation.html

Bradley M. Kuhn
Copyleft Compliance: enforcement strategy & firmware liberation

These two new documents are based on grant proposals for this work.
We are preparing to announce the work publicly soon. This is a first
draft of both documents.
{% extends "base_compliance.html" %}
{% block subtitle %}Copyleft Compliance Projects - {% endblock %}
{% block submenuselection %}EnforcementStrategy{% endblock %}
{% block content %}

<h1 id="software-freedom-conservancy-proposal-for-firmware-liberation-project">Firmware Liberation Project</h1>

<h2 id="brief-history-of-openwrt">Brief History of OpenWRT</h2>

<p>The spring of 2003 was a watershed moment for software freedom on
  electronic devices. 802.11 wireless technology had finally reached the
  mainstream, and wireless routers for home use had flooded the market
  earlier in the year. By June
  2003, <a href="https://hardware.slashdot.org/story/03/06/08/1749217/is-linksys-violating-the-GPL">the
    general public knew that Linksys (a division of Cisco) was violating the
    GPL</a> on their WRT54G model wireless routers. Hobbyists discovered that
  Linux, BusyBox and many GNU programs were included in the router, but
  Linksys and Cisco had failed to provide source code or any offer for source
  code to its customers. Linksys had violated the GPL, the license of these
  projects.</p>

<p>A coalition successfully enforced the GPL in this case, and Linksys
  released source code. A <a href="https://openwrt.org/about/history">group of
    volunteers quickly built a new project, called OpenWRT</a>, based on that
  source release. In the years that have followed, OpenWRT has been ported to
  almost every major wireless router product. Now, more than 15 years later,
  the OpenWRT project routinely utilizes GPL source releases to build,
  improve and port OpenWRT. OpenWRT has spurred companies to create better
  routers.</p>

<h2 id="gpl-enforcement-needs-follow-through">GPL Enforcement Needs Follow-Through</h2>

<p>Simply enforcing the GPL is an important first step, and Conservancy
  <a href="enforcement-strategy.html">continues our efforts in that regard</a>. However,
  the success found with OpenWRT can be replicated <em>only if</em> there is
  substantial effort <strong>after</strong> enforcement occurs to turn the
  compliant source release into a viable alternative firmware for the
  platform.</p>

<p>Conservancy has seen non-compliant Linux-based firmwares on refrigerators,
  baby monitors, virtual assistants, soundbars, doorbells, home security
  cameras, police body cameras, cars, AV receivers, and televisions.</p>

<p>This wide deployment of general purpose computers into mundane household
  devices raises profound privacy and consumer rights
  implications. <a href="https://www.nytimes.com/2019/12/15/us/Hacked-ring-home-security-cameras.html">Home</a> <a href="https://www.washingtonpost.com/technology/2019/01/23/family-says-hacked-nest-camera-warned-them-north-korean-missile-attack/">security</a> <a href="https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable">cameras</a> <a href="https://www.cnn.com/2019/12/12/tech/ring-security-camera-hacker-harassed-girl-trnd/index.html">are</a> <a href="https://abc7.com/baby-monitor-hack-leads-to-kidnap-scare/4931822/">routinely</a> <a href="https://www.bbc.com/news/av/uk-44117337/security-footage-viewed-by-thousands">compromised</a>
  — invading the privacy and security of individual homes. Even when
  companies succeed in keeping out third parties, consumers
  are <a href="https://www.theguardian.com/technology/2019/aug/29/ring-amazon-police-partnership-social-media-neighbor">pressured
    by camera makers</a> to automatically upload their videos to local
  police. Televisions
  routinely <a href="https://techcrunch.com/2019/01/07/vizio-settlement-moves-forward/">spy
    on consumers for the purposes of marketing and massive data
    collection</a>.</p>

<p>“Internet of Things” firmware should never rely on one vendor — even the
  vendor of the hardware itself. This centralized approach is brittle and
  inevitably leads to invasions of the public’s privacy and control of their
  technology. Conservancy plans to address this issue in the manner that the
  FOSS community knows best: put one foot in front of the other, and work to
  create FOSS for every possible task that users want to accomplish. For IoT
  devices, this means creating alternative firmware in the same manner that
  OpenWRT has done for wireless routers.</p>

<h2 id="limited-success-of-alternative-hardware">Limited Success of
  Alternative Hardware</h2>

<p>Alternative hardware projects remain an essential component of small
  device freedom. Conservancy supports and engages with communities that seek
  to source and build IoT-style devices from the ground up. We’re excited to
  see deployable boards that allow Maker efforts to create new devices.</p>

<p>Nevertheless, we remain ever-cognizant that FOSS succeeded on server,
  laptop, desktop, and wireless router computers <em>precisely</em> because
  users could buy commodity hardware at any store and install FOSS. There is
  no complete, operational base operating system for most IoT devices on the
  market.</p>

<h3 id="demonstrating-the-power-of-software-freedom">Demonstrating the Power
  of Software Freedom</h3>

<p>To many, the benefits of software freedom are abstract. For less technical
  users, the idea of modifying or even reviewing the software on their
  devices is wholly theoretical. For technical users, there is limited time
  available to invest in the devices they use for their everyday
  lives. Bringing people together to take collective action for the control
  of their own technology is a powerful proposition that has rarely been
  demonstrated.</p>

<p>When alternative firmware projects like OpenWRT exist for IoT devices,
  non-technical users can replace the software on their devices and benefit
  from custom, community-controlled software. Technical users are more likely
  to contribute knowing their efforts will be meaningful.</p>

<p>However, decades of corporate involvement in copyleft have demonstrated
  that without an organized effort, control over one’s own software is purely
  theoretical, even when software has a copyleft license, and
  sometimes <em>even when</em> compliance with the copyleft license is
  achieved. Conservancy recognizes that there is a unique opportunity for
  charitable organizations to step in and change the power dynamic of the
  tech industry for consumers.</p>

<h2 id="conservancys-plan-for-action">Conservancy’s Plan For Action</h2>

<p>Conservancy seeks to fund work on liberating firmware for a specific
  device. This is accomplished with a two-prong approach: first, we will
  leverage increased interest and tendency toward GPL compliance throughout
  the embedded industry to more quickly achieve compliant source releases in
  a particular subindustry.</p>

<p>Second, depending on what subindustry (i.e., specific class of devices)
  seems most responsive to increased enforcement activity and willing to
  provide compliant source releases quickly, we will launch, coordinate and
  fund an alternative firmware project for that class.</p>

<h2 id="leveraging-on-increased-enforcement">Leveraging Increased
  Enforcement</h2>

<p><a href="enforcement-strategy.html">Conservancy plans to select a specific
  violation and engage in litigation</a>. Based on past experience, we expect
  that the press and attention to that ongoing litigation will yield
  increased responsiveness by violators throughout the industry. (A similar
  outcome occurred after our litigation in 2006.) This expected change in
  behavior will open opportunities to replicate the OpenWRT approach in
  another embedded electronic subindustry. Fast action will be necessary;
  most IoT products have an 18-month lifecycle, so we seek to quickly
  identify the right subindustry, gain compliance there, and move on to the
  next phase.</p>

<h3 id="funding-firmware-liberation">Funding Firmware Liberation</h3>

<p>While we’ve long hoped that volunteers would take up compliant sources
  obtained in our GPL enforcement efforts and build alternative firmware
  projects as they did with OpenWRT, history shows us that the creation of
  such projects is not guaranteed and is exceedingly rare.</p>

<p>Traditionally, our community has relied exclusively on volunteers to take
  up this task, and financial investment only comes after volunteers have put
  in the unfunded work to make a Minimum Viable Product (MVP) liberated
  firmware. While volunteer involvement remains essential to the success of
  alternative firmware projects, we know from our fiscal sponsorship work
  that certain aspects of FOSS projects require an experienced charity to
  initiate and jump-start some of the less exciting aspects of FOSS project
  creation and development. (In our last fiscal year, Conservancy funded 160
  contributors to work on FOSS.)</p>

<p>In the initial phase of this grant, Conservancy will select a specific
  class of device. Upon achieving compliant source releases in that
  subindustry through GPL enforcement, Conservancy will launch an alternative
  firmware project for that class of device.</p>

<p>Conservancy will seek to fund the time of project leaders and
  infrastructure for the project. The goal is to build a firm base that draws
  volunteers to the project. We know that sustaining funding over long
  periods for a grassroots hobbyist activity is quite challenging; we seek to
  use this grant to bootstrap and catalyze interest and contribution to the
  project. Ideally, Conservancy would run the project with a single full-time
  staffer for about a year, and achieve a volunteer base sufficient to
  reduce funding to one part-time staffer.</p>

<h3 id="criteria-for-device-selection">Criteria for Device Selection</h3>

<p>The IoT device industry moves quickly and we must be prepared to adapt
  based on new information. The first stage in this work will be to carefully
  evaluate and select the device on which to focus for this
  project. Conservancy will evaluate the following criteria in selecting a
  class of devices:</p>

<ul>
<li><p>Do most devices in the subindustry already run a known FOSS system
    (such as Android/Linux, BusyBox/Linux or GNU/Linux)?</p></li>

<li><p>In response to our increased enforcement activity, how many existing
    GPL-compliant source releases are available from how many different
    vendors in this subindustry?</p></li>

<li><p>Is there a known userspace application that runs on Maker-built
    hardware that does the task the proprietary userspace software from the
    vendor did?</p></li>

<li><p>What is the excitement level among volunteers for this
    project?</p></li>

<li><p>What value will hobbyists achieve from replacing the software on their
    device? For example, would they be able to avoid surveillance or add
    accessibility features?</p></li>

</ul>

<p>Finally, Conservancy will be prepared and willing to recognize temporary
  failure and setbacks in a particular subindustry and pivot quickly to
  choosing a different class of devices. This project is ambitious, and we’ll
  be adept in our approach to ensure success.</p>