May 11, 2006

Enforcing the GPL

Author: Joe 'Zonker' Brockmeier

As the Free Software Foundation (FSF) works toward finalizing the next version of the GNU General Public License (GPL), free software developers are still trying to make sure companies are complying with the current version of the GPL.

Violations of free software licenses are usually handled differently than violations of proprietary software licenses. Developers aren't looking for money or to punish competitors, but simply to enforce compliance with a license that requires reciprocity. Though a few violations have been widely reported, many more are settled quietly.

Dan Ravicher, legal director of the Software Freedom Law Center (SFLC), says that most companies violating the GPL are "not doing so because they're evil, but because they don't know. The managers and businesspeople don't know that's in there."

Part of the problem may stem from a faulty understanding of the GPL and other free software licenses, rather than a deliberate attempt to rip off free software developers. Corporate types understand licensing code for money, but the reciprocity requirements of the GPL and other free software licenses seem to confuse many corporate and proprietary software types.

Sloppiness and laziness can also be a factor -- developers pushing deadlines may cut corners by reusing GPL code in projects without the knowledge or blessing of management. But Ravicher says outright maliciousness is rare, though not unheard of.

According to former BusyBox maintainer Erik Andersen, violations are fairly common. "I get roughly three reports every week of some device or other that is shipping with BusyBox in violation of the license; i.e., the vendor fails to support source, fails to offer source, and in many cases, claims the software is completely proprietary, when in fact it is obviously running Linux and using BusyBox."

Pursuing legal matters

Andersen says that his father, an attorney, has tried to follow up on violations, but Andersen calls it an "overwhelming burden" because his father still needs to pay paralegals, secretaries, and so forth. Andersen says GPL enforcement "has earned nothing to help pay the salaries at my dad's law office. Quite understandably, therefore, GPL enforcement tended to, [out] of necessity, get pushed to the bottom of the priority list."

Current BusyBox maintainer Rob Landley says that GPL violations not only cost BusyBox time and effort, but they've caused at least one developer to abandon the project.

"This problem's been festering for a while, and it's cost us. A year ago, we lost a prominent developer, Glenn McGrath, who tried his own license enforcement effort -- prying the source code to the router he bought out of the company that made it -- and was so burned out by what turned into a nasty legal battle that he completely lost faith in the GPL. Others have had similar experiences and stopped contributing code they thought would just be decommoditized and sucked into proprietary projects regardless of the license they put it out under."

On the other hand, Ravicher says that GPL violations "are not increasing at any alarming rate, if at all." He points out that copyright violations have "almost no statute of limitations" due to copyrights' longevity, and that companies have little incentive to "violate and keep it hush-hush" because violations can always be addressed at a later date. He also says that "no rational business thinks it's a wise thing to rip off GPLed software."

While Ravicher doesn't observe an increase in violations, Andersen, Landley, and founder Harald Welte believe the rate is increasing. The reality may be that violations are not increasing overall, but the number being reported in the embedded market is increasing. As Welte states on his blog, "The current rate at which new GPL violations get reported and/or discovered, especially from the appliance/embedded market, is really alarming. For example, I haven't yet seen a single Linux-based NAS product that was even remotely license-compliant when first analyzing it. And I'm not only talking about the SoHo NAS boxes with one or two hard disk drives, but even about enterprise storage systems."

Welte also expresses frustration with the amount of time needed to pursue GPL compliance. "I'm a die-hard technical guy who loves kernel development," he says. "While I have excellent legal contacts who are skilled in both [the] technical and legal worlds, it's still a neverending amount of hours spent in work that doesn't really seem 'productive' to me. I'm constantly spending between 50% and 60% of my time with this."

Part of the problem is that developers are taking on a task that they're not well suited for. Ravicher says that enforcement "without legal representation is difficult; with legal representation, it's not that hard." For one thing, Ravicher says that letters coming from nonlawyers may not be taken as seriously by a company. "Companies get so many letters all the time ... it's hard to distinguish [legitimate claims] from people who don't have meritorious claims."

Ravicher also points out that if he were following up on claims, he might simply contact a company's in-house lawyer directly to start talking about bringing the company into compliance with the GPL -- something that might be difficult for a developer to do.

Finding violations

It can be difficult to even find and confirm violations. It takes a fair amount of work to confirm that a device or program is in violation, since (by definition) violators usually don't ship source code. This means that, to prove violations in embedded devices or proprietary software, the investigating party needs to obtain -- usually at a fair expense -- a copy of the software or device, then engage in a great deal of work to confirm that it contains GPLed code. Welte describes some of the efforts in this entry on his blog:

"So apart from talking to lawyers, proofreading legal paperwork, negotiating with allegedly infringing companies, and the like, I now also start having trouble doing test purchases. [I] not only refuse some retailers to take orders from me, but also if I actually place an order, it raises new problems.

"The last web store I ordered a test purchase from now asked me for a complete, readable copy of both sides of my ID card.... This is totally against any data protection laws. There is absolutely no requirement for them to know my passport photograph, ID card number, size, or eye colour. So as a follow-up, I had to write an official complaint with the Berlin data protection agency -- as if I didn't have any other work to do.

"Also, for the last months, I find myself giving about EUR 10k in 0% interest loans to GPL infringing companies. That's the amount of money spent for test purchases that I had to do to confirm GPL violations, but which hasn't yet been reimbursed."

One way to make it easier to spot violations is to be proactive about identifying use of GPLed code. For example, Ravicher says that one of his clients developed an interface that, if the user typed in a specific question, would respond with his client's name -- providing pretty strong evidence if a company copied his code into their program. He suggests that other free software developers put "fingerprints" in their software to help identify illicit use of their code.

However, Ravicher points out that the "vast community" of free software users and contributors are fairly effective at spotting and reporting possible violations of the GPL. Free software supporters are working in all sorts of companies and organizations, and it's not unlikely that an engineer could spot a violation and report it anonymously.

How to handle violations

If you discover a violation, it's important that the initial reaction is constructive rather than confrontational, according to the GPL Violations FAQ. The violation may or may not be intentional, but it's probably best to give a company or project the benefit of the doubt when making initial contact -- and it's probably best to contact the company quietly and privately the first time.

As the GPL Violations FAQ states, "Be polite but firm when dealing with companies and remember that the goal is to ensure a company stops violating the GPL and does not violate it again, rather than to leave a smoking crater at the location of their HQ... at least not on the first offense."

According to Landley, it depends on the company whether a light touch will work. "Some companies simply make an oversight and respond to a polite email. Some companies are too busy to deal with you until they get a cease and desist letter. And some companies laugh at you until an actual lawsuit is filed."

Looking to GPLv3

When talking about enforcing the GPL, it's worthwhile to consider the GPLv3 draft and provisions that would change the termination procedure for violations. Under the current version of the GPL, a violation automatically terminates the licensee's rights to copy, modify, distribute, or sublicense GPLed code from the program. (Note that this doesn't extend to other GPLed applications, so if a party violates the GPL by distributing an application such as Gaim in violation of the terms of the GPL applied to Gaim, the party doesn't lose the right to distribute all GPLed code -- just Gaim.)

The GPLv3 draft changes the termination clause to say that the copyright holder may terminate rights under the GPL "after having notified you of the violation by any reasonable means within 60 days of any occurrence." This puts an additional burden on the copyright holder to notify the violator and wait 60 days.

Welte says that the new draft "would make enforcement in the way of virtually impossible. There is a ridiculous change where the rights are only revoked after the copyright holders explicitly notify the infringing party of the revocation, and then the copyright holders have to wait ... before they could take any legal action."

If the provision remains as is, Welte says he doubts that the provision would help compliance. "Where is the advantage of bringing out a product [that's] GPL-compliant, if the only 'penalty' of noncompliance is that I have to prepare a source code offer within 60 days after being notified by the copyright holders?"

However, Welte says that he expects the wording regarding revocation will be updated in the next draft of the GPLv3.

Eben Moglen, pro bono general counsel for the FSF and chairman of the SFLC, says that the FSF considers it "harmful" to the GPLv3 process to reply "to individual comments or commentators in an informal way." He says that the FSF "has taken a number of steps to clarify the license in ways that FSF believes will reduce the frequency of unintentional violations, and to ease the problems of remedying violations when they do occur. FSF does not believe that the current license draft contains any elements that would impede enforcement of copyright against either willful or inadvertent infringers, but we continue to accept and to study all comments in order to learn from others' experiences and views."

Success rate

Is all this effort actually worthwhile? Though it takes a lot of time and effort, it does seem that enforcement efforts are paying off.

Welte says that the success rate of is at about 99%. "There was only one case where we could not obtain source code. And that one was about a product that already has been end-of-life, and the European distributor had no contacts with the real manufacturer anymore. In all other cases, we could obtain source code."

"I very much believe the project is making a difference," says Welte. "I get lots of feedback from both the corporate world and the community, and the awareness within the corporate world definitely increases."

Even if violations of the GPL are increasing, it may not be a negative sign in the long run. Landley says an increase in violations highlights the increased adoption of free software overall. "In a way, this whole thing is a sign of success. The problem isn't that a larger percentage of people are ignoring the license, it's approximately the same percentage of a much larger pool."

