First Update on the Vizio lawsuit
November 30, 2021
Yesterday, we received from Vizio their first official response in our pending litigation against Vizio for their copyleft license violations. So, what was their response?
Did Vizio release the source code — as the GPL and LGPL require — for the modified versions of Linux, alsa-utils, GNU bash, GNU awk, BusyBox, dmesg, findutils, dmsetup, GNU tar, mount and selinux found in their TV’s firmwares? No.
Did Vizio propose a CCS candidate for us to review and provide them with additional feedback on, so that we could help them get consumers who bought their TVs the source code they deserve? Nope.
Did Vizio argue that we had erred, and in fact, none of those programs we list above appear in their firmware? Not that either. (Unlikely though — after all, they surely know those programs are in their firmware!)
Instead, Vizio filed a request to “remove” the case from California State Court (into US federal court), which indicates Vizio's belief that consumers have no third-party beneficiary rights under copyleft! In other words, Vizio’s answer to this complaint is not to comply with the copyleft licenses, but instead imply that Software Freedom Conservancy — and all other purchasers of the devices who might want to assert their right under GPL and LGPL to complete, corresponding source — have no right to even ask for that source code.
That’s right: Vizio’s filing implies that only copyright holders, and no one else, have a right to ask for source code under the GPL and LGPL. While we expected Vizio held this position (since they ultimately ignored us during our discussions with them in years past), Vizio has gone a disturbing step further and asked the federal United States District Court for the Central District of California to agree to the idea that not only do you as a consumer have no right to ask for source code, but that Californians have no right to even ask their state courts to consider the question!
Vizio’s strategy is to deny consumers their rights under copyleft licenses, and we intend to fight back.
We believe in complete transparency of the copyleft compliance process, and so encourage everyone to read the filings. We’ve even paid the PACER fees and used the RECAP browser plugin, so that all the documents in the case are freely available via the RECAP project archives.
Trump's Social Media Platform and the Affero General Public License (of Mastodon)
October 21, 2021
An analysis: Trump's Group has 30 days to remedy the violation, or their rights in the software are permanently terminated
In 2002, we used phrases like “Web 2.0” and “AJAX” to describe the revolution that was happening in web technology for average consumers. This was just before names like Twitter and Facebook became famous worldwide. Web 2.0 was the groundwork infrastructure of the “social media” to come.
As software policy folks, my colleagues and I knew that these technologies were catalysts for change. Software applications, traditionally purchased on media and installed explicitly, were now implicitly installed through web browsers — delivered automatically, or even sometimes run on the user's behalf on someone else's computer. As copyleft activists specifically, we knew that copyleft licensing would have to adjust, too.
In late 2001, I sat and read and reread section 2(c) of the GPLv2. After much thought, I saw how it could be adapted, using the geeky computer science concept called a quine — a program that has a feature to print its own source code for the user. A similar section to GPLv2§2(c) could be written that would assure that every user of a copylefted program on the Internet would be guaranteed the rights and freedoms to copy, modify, redistribute and/or reinstall their software — which was done by offering a source-code provision feature to every user on the network. The key concept behind the Affero GPL (AGPL) version 1 was born. Others drafted and released AGPLv1 based on my idea. Five years later, I was proudly in the “room where it happened” when Affero GPL version 3 was drafted. Some of the words in that section are ones I suggested.
We were imagining a lot about the future in those days; the task of copyleft licensing drafting requires trying to foresee how others might attempt to curtail the software rights and freedoms of others. Predicting the future is difficult and error-prone. Today, a piece of Affero GPLv3's future came to pass that I would not have predicted back in November 2007 at its release.
I invented that network source code disclosure provision of the AGPL — the copyleft license later applied to the Mastodon software — in 2002 in light of that very problem: parties who don't share our values might use (or even contribute to) software written by the FOSS community. The license purposefully treats everyone equally (even people we don't like or agree with), but they must operate under the same rules of the copyleft licenses that apply to everyone else.
Today, we saw the Trump Media and Technology Group ignoring those important rules — which were designed for the social good. Once caught in the act, Trump's Group scrambled and took the site down.
Early evidence strongly supports that Trump's Group publicly launched a so-called “test site” of their “Truth Social” product, based on the AGPLv3'd Mastodon software platform. Many users were able to create accounts and use it — briefly. However, when you put any site on the Internet licensed under AGPLv3, the AGPLv3 requires that you provide (to every user) an opportunity to receive the entire Corresponding Source for the website based on that code. These early users did not receive that source code, and Trump's Group is currently ignoring their very public requests for it. To comply with this important FOSS license, Trump's Group needs to immediately make that Corresponding Source available to all who used the site today while it was live. If they fail to do this within 30 days, their rights and permissions in the software are automatically and permanently terminated. That's how AGPLv3's cure provision works — no exceptions — even if you're a real estate mogul, reality television star, or even a former POTUS.
I and my colleagues at Software Freedom Conservancy are experts at investigating non-compliance with copyleft licenses and enforcing those licenses once we confirm the violations. We will be following this issue very closely and insisting that Trump's Group give the Corresponding Source to all who use the site.
Finally, it's worth noting that we could find no evidence that someone illegally broke into the website. All the evidence available on the Internet (as of 2021-10-22) indicates that the site was simply deployed live early as a test, and without proper configuration (such as pre-reserving some account names). Once discovered, people merely used the site legitimately to register accounts and use its features.
Update (2021-10-22): Some have asked us how this situation relates to our Principles of Community-Oriented GPL Enforcement, since we are publicly analyzing a copyleft violation. Historically, we did similarly with the Canonical, Ltd., Cambium, Ubiquiti, and Tesla (twice!) violations. We do believe that “confidentiality can increase receptiveness and responsiveness”, but once a story is already made widely known to the public by a third-party, confidentiality is no longer possible, since the public already knows the details. At that moment, the need to educate the public supersedes any value in non-disclosure.
How We Hired Our Last Employee: Equitable Hiring Processes for Small (and Large) Organizations
October 15, 2021
Like many small organizations that are overloaded with work, it's hard to make the time to conduct a proper hiring process, and no one on staff is dedicated to making sure the process goes smoothly. Because it is very important to our organizational values to make sure that our hiring is fair and also that we wind up with the best person for the job, we were very careful in how we designed our search.
We finished our last hiring a few months ago. I'm proud of the way we handled the process, and I think it resulted in the best hire possible for the position. As I describe the process below, you can see how we worked to respect our applicants, interview while minimizing bias, and select for skills that were essential for the actual work to be covered by the open position. (There's a TL;DR summary at the end! Perhaps the most interesting part is that we paid people who made it to the final round to respect their time and to defray their costs of participating.)
A neutral and realistic job posting
We thought hard about our job posting, including a detailed description of the role. We were clear that we were open to hiring from a variety of backgrounds and were willing to train less experienced candidates. We worked to eliminate any gendered language or anything that we thought would create heightened requirements for the job, which can reinforce bias in the process. Finally, we were open to feedback, and when folks suggested that we include a narrow salary range to bring transparency and lower stress for our applicants, we added that too.
You can see the job posting we just put up for an Outreachy-related position where we once again are following these principles.
Happily, for the position that we already hired for, we received around 40 really solid applications for the position - a really high number for an organization like ours, especially since we only advertised the position in limited ways.
Initial screen by volunteer directors
After a very quick review of resumes to weed out the few applications that were spammers or otherwise not really targeted to our organization, we scheduled 15 minute screening interviews with two of our volunteer directors. We wanted to make sure that we added a layer of independent review that would otherwise be impossible in a small org like ours.
In order to make sure that we were comparing apples to apples, and giving everyone the same chance at success, the directors were given a set list of questions to ask. Because the role was about advocacy and communications, most of the questions were connected to explaining what software freedom is, and how the applicant became interested in it. The directors were also given a rubric to grade the interviews, both question by question and overall. The directors put their grades and thoughts about each candidate (along with any red flags) in spreadsheets so that we'd be able to access the information easily later. Spelling out what questions will be asked and how the responses will be graded helps to eliminate bias that can come from an interviewer and interviewee that "click" in ways that might be related to their background or shared experiences.
After the screening interviews, the bulk of the applicants were asked to participate in an anonymous exercise. The goal of having an anonymous exercise is to overcome any biases we might have for or against particular candidates. Each applicant was assigned a random string, and they were instructed not to put any personal identifying information in their answers.
We designed the exercise to reflect actual tasks we'd expect the new employee to take on, while providing some opportunities to brainstorm some big picture topics that could come up in the position. Writing emails to our organization's Supporters and member projects are key components of the job, so we created short hypothetical situations (that encompassed typical problems we need to address) and asked the applicants to write mock email responses. Because the role also has a public press and event organizing component, we asked applicants to write the beginning of a website news item and tell us a few things they thought were essential to run a successful in person event.
To respect our applicants' time, we kept the exercise bounded. We expected it to take an hour or less, and asked the applicants to send us their responses after an hour and a half, explicitly adding a little bit of extra time in case they were interrupted during the process. We also scheduled the exercises at the convenience of the applicant at any time during normal east coast business hours, since being able to coordinate with staff in the US was an important part of the role. We offered flexibility for applicants who could not make time during the workday during their existing role or had other obligations they needed to schedule around.
Conservancy staffers graded the responses on an anonymous basis, scoring each exercise. When this was completed, the graders met to compare their results. At this point, there were five applicants whose exercises stood out from the group. We de-anonymized them and cross referenced them to make sure that their screening interview scores were also strong and all of them moved to the next round.
At this point, I should note that I was surprised by the results. Long-time software freedom activists, whose work we know and respect, wound up not making it to our final group, whereas our final applicants included people who were new to software freedom, had never been in a communications role or who we simply hadn't met before. This final group consisted of people who showed the skill sets most likely to succeed in the position, not people who were already part of our network.
Because the exercise was anonymous, it was also easier to explain to the other applicants why we weren't advancing them to the next round, and I think (hope!) that it made it easier to preserve our relationships with the applicants who are truly excellent advocates for software freedom in a variety of other contexts.
Paying the finalists
Because we are a small organization, adding another employee is a big deal. We knew that to do this job right we were going to need to take some time talking to them to figure out if they were the right fit for the role. We also know that not everybody does their best when put on the spot in an interview, and wanted to make sure that we allowed people the chance to know what we'd be asking and to prepare if they wanted to. We didn't want to take our applicants' time for granted, even though we are a small publicly supported organization.
Because of this, we decided to pay each of our five finalists $500 to proceed with the rest of the interview. While $500 is not a huge amount, we thought it was a nice amount for a charitable organization to give to an applicant who would dedicate some time and thought to our hiring process, which would cover strategic thinking about our organization's mission and operations in our communications and other related areas.
Again, we used the same questions with all candidates, and we provided them in advance of the interview, offering the applicants the option of providing written answers or just discussing them on the spot, whichever they were most comfortable with. We were trying to avoid a gamification of the interview process, while still getting insight into the thought process of the applicants. These questions included difficult ones about the software freedom community and also about Software Freedom Conservancy. Now that we knew these candidates were very strong in their ability to write quick emails and website copy, the idea was to bring some of the most strategic problems that we'd be looking to include the new employee in tackling.
Conducting final interviews
This step looked like a more traditional interview. Bradley and I scheduled video chats with the remaining candidates. We first had the applicants tell us their answers to the questions we had sent in advance and used those as a jumping off point for relevant conversation.
While all five candidates were strong in these interviews, three candidates had a mix of skill sets that seemed like the best fit for the role. For these three candidates, we scheduled an interview with Conservancy's staff in its entirety. Again, with a small organization, the addition of another person is a huge change in organizational dynamics. Feedback from all employees was essential to making this decision.
Choosing the final candidate
In the end, going through the interview process and learning more about the job convinced one of the final three candidates that they were not really interested in the role we were hiring for, which they understood much better through our hiring process. It was a tough choice between the two remaining candidates, but we were able to have confidence in Pono as our choice due to feedback from staff, the comparisons made possible by asking the candidates the same questions and the grading from the previous two rounds. If we'd had the budget, we would have hired all three of these final candidates.
Feedback on the process
Each of the finalists was surprised that we were willing to pay them for their time. For some of the applicants, being paid to participate gave them the flexibility to devote more time to their interview preparation. We were happy we were able to show our appreciation for the impressive applicants who were willing to give us so much of their time.
We also got positive feedback on the anonymized exercise. Because the exercise gave insight into how some of the every-day work in the position would look, it made it easier for some of the candidates to decide if they wanted to actually work in that role. In addition to the benefit I mentioned above about the anonymization making it easier to explain who would advance to the next round, some applicants indicated that making it to the final round via an anonymous exercise gave them confidence that they were qualified for the position.
For future hiring, we'll be looking to bring the same concepts to the process. Namely:
- bring in an independent review of the candidates
- ask all of the candidates the same questions
- design an exercise that connects to the actual work the employee will be doing in the role
- judge the exercise responses on an anonymous basis
- keep the time required for applicants to invest in the interviewing process as minimal as possible
- pay applicants who are required to invest more substantial time in the process
Many thanks to all of Conservancy's staff who helped us with this process (Rosanne Dimesio, Bradley Kuhn, Sage Sharp, Brett Smith), and to Deb Nicholson who helped bring some of these concepts to our previous hiring process.
Outreachy is hiring for a community manager position and using some of the strategies listed above. If you or someone you know is interested in applying for the community manager position, check out the post here.
August 24, 2021
We often talk about how frustrating it is to obtain source code that is supposed to be available under copyleft licenses. We not only try to get source code for our own devices, but we also are inundated with requests from developers all over the world who seek source code to modify their technology in ways they should have a right to do. By the time someone sends a complaint to us, asking for our help, they've already tried and failed to ask the company to do the right thing. Usually they are simply ignored by the company but sometimes companies introduce all kinds of weird procedures in the hopes that if they make it just difficult enough that the requestors will go away.
We've seen these obstacles include all kinds of unreasonable forms, beyond a simple email address to make the request. A common requirement is that the request be sent to a particular paper address, by registered mail, and we've even seen the company specify a particular kind of storage device to be included in the mailing. Companies erroneously try to require that requestors include personal information, including detailed information on the device and its purchase. It's hard work, but we're proud that we continue to apply pressure to these companies and never give up our quest to make sure everyone follows the rules so that developers can have access to the software on their devices that the GPL ensures. It also often feels like lonely work. But not today.
DevOps Engineer, ptrcnull (Patrycja), tweeted last week about a frustrating email she received from Umidigi, a Chinese smartphone manufacturer, which told her that if she wanted access to the source code she was rightfully requesting under GPLv2, she needed to come in person to Umidigi's offices in Shenzhen. And that (by the way) the office was only Chinese speaking.
Luckily, one of ptrcnull's followers looped in Naomi Wu, a well-known Chinese maker and hacker, who decided to go down to Umidigi's offices and take them up on the offer.
As a Cyborg Lawyer who spends a good portion of her time trying to compel GPL compliance, I nearly flipped watching Wu (who calls herself Sexy Cyborg) marching into Umidigi trying to find anyone who could help her get the source code. It's the physical manifestation of the Kafkaesque experience that companies set up for those exercising their rights under GPL. I couldn't believe it when I clicked on it from a link in a Mastodon toot from Harald Welte, who has also done quite a bit of GPL enforcement over the years.
Here's the video:
While Wu managed to get to Umidigi's offices in mere days from when the email was sent to push off ptrcnull, she's told that the person who wrote the email, Ben, is no longer with the company.
I look forward to seeing the full video, and have offered our assistance. I'm grateful to ptrcnull and Wu for doing this work and I'm happy to work on GPL enforcement myself, but it makes me wonder: How much could we accomplish if companies did what they were supposed to do? What would it look like if companies were true partners in compliance and encouraged their customers to tinker with their devices? How many people try to make source requests and give up when it's difficult? If we've been able to accomplish so much with copyleft, even in the face of corporate stonewalling, imagine what we could do if we could skip all of these tedious steps and get straight to collaborating.