SFLC Blog
August 20, 2008 by Bradley M. Kuhn
Compliance Advice Core-Dumped
For ten years, I've been building up a bunch of standard advice on GPL compliance. Usually, I've found myself repeating this advice on the phone, again and again, to another new GPL violator who screwed it all up, just like the last one did. In the hopes that we will not have to keep giving this advice one-at-a-time to each violator, my colleagues and I have finally gotten an opportunity to write out in detail our best advice on the subject.
Somewhere around 2004 or so, I thought that all of the GPL enforcement was going to get easier. After Peter Brown, Eben Moglen, David Turner and I had formalized FSF's GPL Compliance Lab, and Dan Ravicher and I had taught a few CLE classes to lawyers in the field, we believed that the world was getting a clue about GPL compliance. Many people did, of course, and we constantly welcome new groups of well-educated people in the commercial space who comply with the GPL correctly and who interact positively with our community.
However, the interest in FLOSS keeps growing, rapidly. So, for every new citizen who does the research ahead of time and learns the rules, there are dozens who don't. The education effort is therefore forever ongoing because the newbies always seem to outnumber the old hands. It's our own copyleft version of Eternal September. The whole space is now big enough that one-by-one education in our traditional way can no longer scale.
Hopefully, publishing some guidelines for GPL compliance will help the education effort scale. If you redistribute GPL'd software commercially in any way, or you are a lawyer who represents people that do, please spend the time to familiarize yourself with this information. If you have ideas on how we can expand this document, we would of course love to hear from you.
Update (on 2008-08-26): Thanks for all the feedback we've gotten from the community. We've been glad to update the document to incorporate your suggestions.
Posted by Bradley M. Kuhn on August 20, 2008
August 16, 2008 by Bradley M. Kuhn
If The Worst of Us Wins, The Best of Us Surely Will
There has been much chatter and coverage about the court decision related to the Artistic License decision last week. Having spent a decade worrying about the Artistic License, I was surprised and relieved to see this decision.
One of the first tasks I undertook in the late 1990s in the world of Software Freedom licenses were issues surrounding the Artistic License. My first Software Freedom community was the Perl one, but my second was the licensing wonks. Therefore, I walked the line for many years, as I considered the poor drafting of the Original Artistic License. As the Perl6 process started in 2000, I chaired the Licensing Committee, and wrote all of the licensing RFCs in the Perl6 process, including RFC 211, which collected all the historical arguments about bad drafting of the Artistic License and argued that we change the Artistic License.
Last year, I was silent about the lower court decision, because I'd known for years that the Original Artistic License was a poorly drafted and confusing license. I frankly was not surprised that a court had considered it problematic. Of course, I was glad for the appeal, and that there was a widely supported amicus brief arguing that the Artistic License should be treated appropriately as a copyright license. (SFLC signed on with and contributed to it.) However, I had already prepared myself to live with the fact that my greatest licensing fears had come true: the most poorly drafted FLOSS license had been the first for a USA court to consider, and that court had seen what we all saw — a license that was confusing and could not be upheld due to lack of clarity.
I was overjoyed last week to see that the Federal Circuit ruled that even a poorly drafted copyright license like that must be taken seriously and that the copyright holder could seek remedies under copyright law. Now that I have seen this decision, I feel confident that the rest of our licenses will breeze through the courts, should the need arise. We've been arguing for a decade that the Artistic license is problematic, and even Larry Wall (its author) admitted that his intent wasn't necessarily to draft a good license but to inspire people to contact him for additional permissions outside the GPL. Nevertheless, he drafted a license that the USA courts clearly see as a valid copyright license. The bottom bar has been set, and since all our other licenses are much clearer, it will be smooth sailing here on out.
(Please note, if you are a fan of the Artistic License, the Artistic License 2.0 is a much better option and is recommended. Despite the decision, we should still cease using the Original Artistic License now that we have 2.0.)
Posted by Bradley M. Kuhn on August 16, 2008
July 23, 2008 by Bradley M. Kuhn
When Will Hosting Sites Allow AGPLv3 Code?
At the OSCON Google Open Source Update, Chris Dibona reiterated his requirement to see significant adoption before code.google.com will host AGPLv3 projects (his words). I asked him to tell us how tall we in the AGPLv3 community need to be to ride this ride, but unfortunately he reiterated only the bar of “significant adoption”. I therefore am redoubling my efforts to encourage projects to switch to the AGPLv3, and for our community to build a list of AGPLv3'd projects, so that we can convince them.
Chris argues that including AGPLv3 would encourage license proliferation. On their surface, his arguments seem to be valid. I don't like license proliferation, either. Indeed, I have been a proponent of reducing license proliferation since around 2000 — long before it was fashionable, and when the OSI itself was the primary purveyor of license proliferation. I'm very glad that everyone has gotten on the same page about this, and would certainly not want to change my position now that we've reached consensus.
However, AGPLv3 is not an example of license proliferation for three reasons. First, AGPLv3 is a license published by an organization (my old employers, the FSF) that has a 24 year history of publishing — indeed, inventing — the most popular and major licenses available in the FLOSS world. To compare them to (as some have) Nokia, who published merely a vanity license with an OSI rubber stamp is simply not a valid comparison.
Second, the history of AGPL itself shows that proliferation is not at work here. AGPL was first drafted and published in early 2002, and has been in constant use since then. It filled a niche for users who were clamoring for a specific license to address a clear concern related to software freedom. I grant that the license is adopted by a small community, but GPL itself started with minimal interest (i.e., only in the GNU project). Also, licenses that are “GPL plus various special exceptions” that deal with tightly confined areas are, similar to AGPLv3, of interest to only small groups currently. There is no reason to reject a license that has a strong level of interest in a small community, particularly if it is — as GPL+exceptions and AGPLv3 are — compatible with existing licenses like GPLv3. In these cases, we should understand the reasons its user community picks it. In the AGPLv3 case, the license addresses important FLOSS principles under serious study by our community. Any license that is actually redundant couldn't pass this test; AGPLv3 can.
Finally, the AGPLv3 is the outcome of a public process in which Google itself (as well as many others) participated. Indeed, it was the original intent of the GPLv3 drafters to include the Affero clause in the GPLv3 itself. The committees (on which Google served) convinced RMS and other drafters to not include the clause, and that is why it was put into a separate license. We must consider the fairness issue: some members of the community asked us to not include the Affero clause in GPLv3; others wanted it. The parts of the community who didn't want the clause should be accepting of the idea that another publicly-audited license to address this concern should be published for the slighted community.
Therefore, in this post, I am asking for help: will someone maintain a website that specifically tracks AGPLv3 adoption (as opposed to other sites that try to track everything)? I was going to do it myself, but since I'm the author of the Affero clause and a primary advocate in AGPLv3 adoption, I think it would be better if someone else did it. Please email me if you are interested in this volunteer task. I'll update this post once we have a team of folks willing to work on this.
Posted by Bradley M. Kuhn on July 23, 2008
July 22, 2008 by Bradley M. Kuhn
Welte Receives Open Source Award for GPL Enforcement
About two hours ago, Harald Welte received the 2008 Open Source Award entitled the Defender of Rights. (Open Source awards are renamed for each individual who receives them.) This award comes on the heels of the FSF Award for the Advancement of Free Software in March. I am glad that GPL enforcement work is now receiving the recognition it deserves.
When I started doing GPL enforcement work in 1999, and even when, two years later, it became a major center of my work (as it remains today), the violations space was a very lonely place to work. During that early period, I and my team at FSF were the only people actively enforcing the GPL on behalf of the Software Freedom Movement. When Harald started gpl-violations.org in 2004, it was a relief to finally see someone else taking GPL violations as seriously as I and my colleagues at the FSF had been for so many years.
Of course, it was no surprise when Harald received the FSF award earlier this year. This Open Source Award now shows a broader recognition. In fact, I hope that this award is a harbinger to indicate that the larger FLOSS world has realized the tremendous value in consistent and serious GPL enforcement that some of us have done for so long. The copyleft is meaningless if it is not defended against those who ignore it, and I am glad that more of the FLOSS world has begun to see that.
Posted by Bradley M. Kuhn on July 22, 2008
July 14, 2008 by Bradley M. Kuhn
Autonomo.us Computing
The Network Services committee that I alluded to recently in various interviews is now officially public and named: Autonomo.us. (Thanks to one of the committee members, Evan Prodromou, who donated the domain name.) Autonomo.us is officially endorsed by the FSF.
I've written before about how discussions began at FSF in January 2002 to address the “ASP loophole of the GPL”. In those months that followed, when I came up with the idea for what would (later be named) the Affero clause, I naïvely thought that a license term for the software would “solve” the Software as a Service (SaaS) problem. Indeed, I considered the problem fully addressed upon publication of the original AGPL, and it was much later before I realized the problem was more complex.
The AGPLv3 is only one (albeit essential) part of what must be a multi-pronged strategy to address the freedom implications and concerns of SaaS. At Autonomo.us, we have published The Franklin Street Statement on Freedom and Network Services (named for the place it was declared — the location of post-Temple-Place FSF offices). The Statement is a manifesto (of sorts) outlining the concerns that must be addressed and the beginnings of some ideas for solutions. I hope you will read it and begin considering this issue if you haven't already, and that you will endorse the statement if you already understand the issue. We hope to be publishing more on that site as the year goes on!
Posted by Bradley M. Kuhn on July 14, 2008
July 3, 2008 by Bradley M. Kuhn
Like Twitter, but with Freedom Inside
A company called Control Yourself, led by Evan Prodromou (who serves with me and many others on the FSF-endorsed Freedom for Network Services Committee) yesterday launched a site called identi.ca. It's a microblogging service similar to Twitter, but it is designed to respect the rights and freedoms of its users.
I'm personally excited because the software for the system, Laconica, is under the license that I originally drafted back in 2002, the Affero GPL (which was updated as part of the GPLv3 process, and is now available as AGPLv3). This marks the first time I've seen a company release its product under a network service freedom-defending license from the start.
His launch comes at an interesting time. Twitter has had no Jabber-based updates for more than a month, and Identica allows updates via Jabber. Thus, in a way, it's more fully featured than Twitter is right now!
Posted by Bradley M. Kuhn on July 3, 2008
June 28, 2008 by Bradley M. Kuhn
Does This Mean We've “Made It” as a Social Cause?
I got a phone call yesterday from someone involved with one of the many socially responsible investment houses. It appears that in some (thus far, small) corners of the socially responsible investment community, they've begun the nascent stages of adding “willingness to contribute to FLOSS” to the consideration map of social responsibility. This is an issue that has plagued me personally for many years, and I was excited to receive the call.
When I graduated high school and read my first book on personal financial management, I learned how to invest for retirement in mutual funds. The book mentioned the (then) somewhat new practice of “socially responsible investing”, which immediately intrigued me. The author argued, however, that it was silly to make investment decisions based on personal beliefs. I immediately disagreed with that, but I discovered that his secondary point was actually accurate: beyond the Big Issues (weapons manufacturing, tobacco, etc.), it was tough to find a fund that actually shared your personal beliefs.
Once I did some research, I discovered that it wasn't actually as bad as that, because there actually is a pretty good consensus on what is and is not socially responsible (or, at least, the general consensus in this regard seems to match my personal beliefs, anyway). However, I did discover a gaping hole in the social responsible investment agenda. The biggest social issue in my personal life — the issue of software freedom — was never on others' radar screens as a “socially responsible issue”.
For example, in 1996, when I had my first opportunity to roll a 401(k) into an investment of my own choosing, I discovered a troubling fact. Every single socially responsible fund, when I looked at their stocks held (sorted by percentage), Microsoft was always in the top ten, and Oracle in the top twenty. Indeed, on most socially responsible axes, Microsoft and Oracle look good: they treat their employees reasonably well, they don't generally build products that actively kill people (although many of us die inside a little bit every time we use proprietary software), and, heck, if they use more DRM, they can ship their software and documentation via the network and won't even ship as many CDs to fill up landfills. This kind of thinking about “socially responsible” ignores how the proprietariness of the company's technology negatively impacts people outside of the company. Nevertheless, for years, I've held my nose and put my retirement money in these funds, content on the compromised idea that at least I don't have my retirement savings in oil companies.
I tell this backstory to communicate how glad I was to get the call from an employee of a socially responsible investment house. This fellow was actually investigating the FLOSS credentials of various companies and trying to bring it forward as a criterion when considering how socially responsible their practices are. He seemed genuinely interested in bringing this forward as part of a social agenda for his company. I told him: every great idea starts as a conversation between two people, and enthusiastically answered his queries.
It was clear FLOSS considerations are new and not widely adopted as a factor in the socially responsible investing world, but I am glad that at least someone in that world is thinking about these questions. Of course, I agree that in grand scheme, FLOSS issues should not be ranked too highly — certainly issues of environmental sustainability and human rights have a higher and more immediate social impact[0]. However, given that Microsoft so often ends up in the top ten of “good socially responsible investments”, FLOSS issues are clearly ranked far too low in the calculation.
Hopefully, this phone call I took yesterday shows we're entering an era where FLOSS issues are on the socially responsible criteria list for investors. I further hope this blog entry doesn't stop socially responsible investors and fund managers from contacting me in the future to get advice on how socially responsible various companies are. I debated whether to write about this call publicly, but ultimately went for it, since it's an issue I think deserves some net.attention. So many of us, FLOSS fans included, must now manage our own retirement accounts, since pension funds have generally given way to self-directed retirement savings options. If you have a fund with a socially responsible investment company, take this opportunity to give them a call or send them a letter to tell them you'd like to see FLOSS issues on the criteria list. If you don't yet invest with a socially responsible company, consider switching to one, as they clearly will be the first to add FLOSS-related criteria to their investing agenda.
[0] I have never believed myself that FLOSS is the most important social justice issue in the grand scheme. I struggled for years with the question of whether to devote my career to a social cause that wasn't top priority; things like human rights and environmental sustainability certainly deserve more immediate attention. However, it turned out that my skills, knowledge, background and talent are clearly uniquely tuned to Computer Science in general and FLOSS in particular, and therefore I can have the greatest positive impact focusing on this rather than would-be higher priority causes. If only we could get people in these other movements to at least see that they are better off not using Microsoft for their own operations (in my experience, NGOs and NPOs are more likely to stick with proprietary software than for-profit companies), but that's an agenda for another blog entry.
Posted by Bradley M. Kuhn on June 28, 2008
June 20, 2008 by Bradley M. Kuhn
Stop Obsessing and Just Do It: VoIP Encryption Is Easier than You Think
Ian Sullivan showed me an article that he read about eavesdropping on Internet telephony calls. I'm baffled at the obsession about this issue on two fronts. First, I am amazed that people want to hand their phone calls over to yet another proprietary vendor (aka Skype) using unpublished, undocumented non-standard protocols and who respects your privacy even less than the traditional PSTN vendors. Second, I don't understand why cryptography experts believe we need to develop complicated new technology to solve this problem in the medium term.
At the SFLC, all our telephony is VoIP and every leg that can be encrypted is. We don't use Skype, of course, because it is (a) proprietary software, (b) based on an undocumented protocol, and (c) controlled by a company that has less respect for users' privacy than the PSTN companies themselves. Indeed, security was actually last on our list for reasons to reject Skype, because we already had a simple solution for encrypting our telephony traffic: All calls are made through a VPN.
Specifically, all SFLC users have an OpenVPN connection back to the home office. From there, they have access to register a SIP client to an internal Asterisk server living inside the VPN network. Using that SIP phone, they can call any SFLC employee. That call continues either on the internal secured network, or back out over the same VPN to the other SIP client. Users can also dial out from there to any PSTN DID.
Of course, when calling the PSTN, the encryption ends at SFLC's home office, but that's the PSTN's fault, not ours. No technological solution — save using a modem to turn that traffic digital — can easily solve that. However, with minimal effort, and using existing encryption subsystems, we have end-to-end encryption for all employee-to-employee calls.
And it could go even further with a day's effort of work! I have a pretty simple idea on how to have an encrypted call to anyone who happens to have a SIP client and an OpenVPN client. My plan is to make a public OpenVPN server that accepts connection from any host at all, that would then allow encrypted “phone the office” calls to any SFLC phone with any SIP client anywhere on the Internet. In this way, anyone wishing end-to-end phone encryption to the SFLC need only connect to that publicly accessible OpenVPN and dial our extensions with their SIP client over that line. This solution even has the added bonus that it avoids the common firewall and NAT related SIP problems, since all traffic gets tunneled through the OpenVPN: if OpenVPN (which is, unlike SIP, a single-port UDP/IP protocol) works, SIP automatically does!
The main criticism of this technique regards the silliness of two employees at a conference in San Francisco bouncing all the way through our NYC offices just to make a call to each other. While the Bandwidth Wasting Police might show up at my door someday, I don't actually find this to be a serious problem. The last mile is always the problem in Internet telephony, so a call that goes mostly across a single set of last mile infrastructure in a particular municipality is no worse nor better than one that takes a long haul round trip. Very occasionally, there is a half second of delay when you have a few VPN-based users on a conference call together, but that has a nice social side effect of stopping people from trying to interrupt each other.
Finally, the article linked above talks about the issue of variable bit rate compression changing packet size such that even encrypted packets yield possible speech information, since some sounds need larger packets than others. This problem is solved simply for us with two systems: (a) we use µ-law, a very old, constant bit rate codec, and (b) a tiny bit of entropy is added to our packets by default, because the encryption is occurring for all traffic across the VPN connection, not just the phone call itself. Remember: all the traffic is going together across the one OpenVPN UDP port, so an eavesdropper would need to detangle the VoIP traffic from everything else. Indeed, I could easily make (b) even stronger by simply having the SIP client open another connection back to the Asterisk host and exchange payloads generated from /dev/random back and forth while the phone call is going on.
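To make point (a) concrete, here is an added example of my own (not code from the post or from SFLC's setup): a real G.711 µ-law encoder next to a constructed toy variable-bit-rate codec, run over three 20 ms frames of differing loudness. The µ-law packets are always 160 bytes, so a tunnel observer sees one size; the toy VBR packets shrink for quiet audio, and the constant per-packet tunnel overhead (57 bytes is an assumed placeholder, not an OpenVPN figure) does nothing to hide that difference.

```python
import math

SAMPLE_RATE = 8000                          # G.711 runs at 8 kHz
FRAME_SAMPLES = SAMPLE_RATE * 20 // 1000    # 20 ms of audio per RTP packet = 160 samples


def make_frame(amplitude, freq_hz=1000):
    """Constructed test input: one 20 ms frame of a sine tone as signed 16-bit PCM."""
    return [int(amplitude * math.sin(2 * math.pi * freq_hz * n / SAMPLE_RATE))
            for n in range(FRAME_SAMPLES)]


def linear_to_ulaw(sample):
    """G.711 mu-law: compress one signed 16-bit sample into exactly one byte."""
    bias, clip = 0x84, 32635
    sign = (sample >> 8) & 0x80             # 0x80 when the sample is negative
    if sign:
        sample = -sample
    sample = min(sample, clip) + bias       # clip, then add the standard bias
    exponent = ((sample >> 7) & 0xFF).bit_length() - 1   # position of the leading 1 bit
    mantissa = (sample >> (exponent + 3)) & 0x0F
    return ~(sign | (exponent << 4) | mantissa) & 0xFF   # mu-law stores the complement


def ulaw_packet(frame):
    """CBR: the payload size depends only on the frame length, never on the audio."""
    return bytes(linear_to_ulaw(s) for s in frame)


def vbr_packet(frame):
    """Constructed toy VBR codec (not a real standard): spend only as many bits per
    sample as the loudest sample in the frame needs, so quiet frames shrink."""
    peak = max(abs(s) for s in frame)
    bits = peak.bit_length() + 1            # +1 for the sign bit
    acc = 0
    for s in frame:
        acc = (acc << bits) | (s & ((1 << bits) - 1))   # pack as a two's-complement field
    nbytes = (len(frame) * bits + 7) // 8
    return bytes([bits]) + acc.to_bytes(nbytes, "big")  # one header byte carries the depth


def observed_sizes(codec, frames, tunnel_overhead=57):
    """Distinct on-the-wire packet sizes a passive observer of the tunnel would see.
    Encryption and tunnel framing add a roughly constant overhead per packet; the
    assumed placeholder of 57 bytes shifts every size equally and hides nothing."""
    return sorted({len(codec(f)) + tunnel_overhead for f in frames})


if __name__ == "__main__":
    frames = [make_frame(20000), make_frame(50), make_frame(0)]   # loud, quiet, silent
    print("mu-law sizes on the wire:", observed_sizes(ulaw_packet, frames))   # one size
    print("toy VBR sizes on the wire:", observed_sizes(vbr_packet, frames))   # one per loudness
```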
This is really one of those cases where the simpler the solution, the more secure it is. Trying to focus on “encryption of VoIP and VoIP only” is what leads us to the kinds of vulnerabilities described in that article. VoIP isn't like email, where you always need an encryption-unaware delivery mechanism between Alice and Bob. I believe I've described a simple mechanism that can allow anyone with an Asterisk box, an OpenVPN server, and an Internet connection to publish to the world easy instructions for phoning them securely with merely a SIP client plus an OpenVPN client. Why don't we just take the easy and more secure route and do our VoIP this way?
Posted by Bradley M. Kuhn on June 20, 2008
June 5, 2008 by Aaron Williamson
Law.com article spins old confusions into new "danger"
Law.com recently ran a sensationalist piece by Edmund J. Walsh warning of the impending “dangerous real world business dispute” in store for any for-profit company that uses free software. Walsh points to lawsuits filed by SFLC on behalf of BusyBox as a source of this danger, and having worked on those lawsuits, I hope I can provide a helpful counterpoint.
Copyright law has always been a key tool of free and open source software
The article claims that until the first BusyBox lawsuit, the free and open source software (FOSS) movement has presented nothing more than “a philosophical debate about the proper place for software in society.” But copyright licenses have been used to give freedom to users for almost as long as the concept of “free software” has existed.
There are a few reasons why these long-standing legal claims have not developed into lawsuits until recently. One is that FOSS developers have preferred inclusiveness, welcoming new members into the community and offering gentle guidance to those who got it wrong. This has been the approach of the FSF, which has been enforcing its copyrights privately for many years. Another reason is that very few FOSS projects have the resources to enforce the terms of their licenses, and as a result even the most blatant violations have historically carried minimal consequences. Some companies have—whether through ignorance, laziness, or malice—taken full advantage of this disparity of resources. Without the benefit of legal assistance, projects' enforcement attempts have typically been met with excuse and delay, and almost never with full compliance.
Recent enforcement does not reveal any new risks or pitfalls
The issue is hardly that FOSS licenses present hidden risks. By and large, they are clearer and less onerous than proprietary software licenses. Nor is it the case that “the freedom belongs to the software, not to users.” All users, including for-profit companies, are afforded the same substantial freedoms by FOSS licenses. But as has always been the case, the GPL does not give any user the right to deny those freedoms to others. This could only be a “new lesson” to someone who has never read the license.
Walsh's perception of an “irreconcilable conflict between open source software and its widespread use by for-profit companies” is unsupportable, as is his assertion that “any activity that leverages software for business advantage is likely to restrict the software's freedom.” These statements stem from a misunderstanding of the facts involved in the BusyBox lawsuits. Walsh takes the confidential nature of the settlement terms as license to assume that the defendants were forced to release proprietary code which they distributed with GPL'd software. Never mind that software derived (within the meaning of copyright law) from GPL'd code can never be “proprietary,” you don't need access to the settlement terms to see that no such thing happened in any of these cases. This is because a not-so-secret condition of settlement is compliance with the license, and a survey of the sources released in these cases reveals that no one was compelled to spill even a drop of secret sauce.
FOSS is a windfall for embedded device manufacturers
Manufacturers of embedded devices built on Linux, BusyBox, and other common embedded FOSS derive enormous benefit from these tools that in no way abrogates their “business advantage.” Most make their money by selling hardware, and many don't write any software to speak of. Even so, it is trivially easy to build devices that run proprietary applications in conjunction with embedded FOSS without any need to release the code to the former.
So why do they keep the code to themselves? We can speculate on the reasons—ignorance of their legal obligations, indifference owing to a history of non-enforcement, etc.—but it seems that in the overwhelming majority of cases, the decision has nothing to do with protecting a proprietary business model. Whether they license proprietary software or FOSS, for-profit companies should of course pay attention to their legal obligations. But so long as they do so, they need not fear any “irreconcilable conflict” between making money and using FOSS.
Posted by Aaron Williamson on June 5, 2008
June 2, 2008 by Bradley M. Kuhn
Linux Outlaws Interview
I am delighted to be this week's guest on one of the best Free Software podcasts, Linux Outlaws. Despite the name, the hosts Dan and Fab are two of the friendliest and kindest podcast presenters in our community, and (besides the occasional cursing) they aren't “outlaws” in the least. I think they picked the name merely because they liked the look of Tux in a cowboy hat and gun holster (which is their logo).
It turns out I was the first-ever guest on their show, and was happy to receive the honor. Dan and Fab have a great way of presenting that keeps experts interested and newbies engaged. My interview discusses the general background of the SFLC and the Software Freedom Conservancy, as well as important discussion about the Affero GPL and the issue of network services and software freedom. They also got me talking a bit about poker (just to have something that wasn't Free Software to ask me about); however, I did also mention Pokersource, the only Free Software online poker system, which I contribute to on weekends.
I hope everyone enjoys the podcast.
Posted by Bradley M. Kuhn on June 2, 2008