GPL Enforcement and the Trans-Pacific Partnership
byon November 9, 2015
Many people have criticized the proposed Trans-Pacific Partnership (TPP) treaty since the text was released. In particular, some of the terms in the agreement are bad for software freedom and other social justice causes. Despite the TPP's stated intention to bring "social benefits" in addition to economic growth, the terms of TPP work against social benefits and awards too much power and control to large multinational corporations, including proprietary software companies.
The agreement text is lengthy and complex, filed with bad provisions. A few days ago, the Free Software community uncovered the following text from the TPP:
1. No Party shall require the transfer of, or access to, source code of software owned by a person of another Party, as a condition for the import, distribution, sale or use of such software, or of products containing such software, in its territory.
2. For the purposes of this Article, software subject to paragraph 1 is limited to mass-market software or products containing such software and does not include software used for critical infrastructure.
3. Nothing in this Article shall preclude:
(a) the inclusion or implementation of terms and conditions related to the provision of source code in commercially negotiated contracts; or
(b) a Party from requiring the modification of source code of software necessary for that software to comply with laws or regulations which are not inconsistent with this Agreement.
4. This Article shall not be construed to affect requirements that relate to patent applications or granted patents, including any orders made by a judicial authority in relation to patent disputes, subject to safeguards against unauthorised disclosure under the law or practice of a Party.
The revelation of this clause has confused our community, as it appears as if this provision, once adopted, might impact or restrict the international operation of copyleft licenses. Below we explain that, while everyone should reject and oppose this provision — and the rest of TPP — this provision has no dramatic impact on copyleft licensing.
First, as others have pointed out, Party is a defined term that refers specifically to government entities that sign the treaty. As such, the provision would only constrain the behavior of governments themselves. There are some obviously bad outcomes of this provision when those governmental entities interfere with public safety and ethical distribution of software, but we believe this provision will not interfere with international enforcement of copyleft.
Copyleft licenses use copyright as a mechanism to keep software free. The central GPL mechanism that copyright holders exercise to ensure software freedom is termination of permission to copy, modify and distribute the software (per GPLv2§4 and GPLv3§8). Under GPL's termination provisions, non-compliance results in an automatic termination of all copyright permissions. In practice, distributors can chose — either they can provide the source code or cease distribution. Once permissions terminate, any distribution of the GPL'd software infringes copyrights. Accordingly, in an enforcement action, there is no need to specifically compel a government to ask for disclosure of source code.
For example, imagine if a non-US entity ships a GPL-violating, Linux-based product into the USA, and after many friendly attempts to achieve compliance, the violating company refuses to comply. Conservancy can sue the company in US federal court, and seek injunction for distribution of the foreign product in the USA, since the product infringes copyright by violating the license. The detailed reasons for that infringement (i.e., failure to disclose source code) is somewhat irrelevant to the central issue; the Court can grant injunction (i.e., an order to prevent the company from distributing the infringing product) based simply on the violator's lost permissions under the existing copyright license. The Court could even order the cease of import of the infringing products.
In our view, the violator would be unaffected under the above TPP provision, since the Court did not specifically compel release of the source code, but rather simply ruled that the product generally infringed copyrights, and their distribution rights had fully terminated upon infringement. In other words, the fact that the violator lost copyright permissions and can seek to restore them via source code disclosure is not dispositive to the underlying infringement claim.
While TPP thus does not impact copyright holders' ability to enforce the GPL, there are nevertheless plenty of reasons to oppose TPP. Conservancy therefore joins the FSF, EFF, and other organizations in encouraging everyone to oppose TPP.
Help support Conservancy and its efforts to defend the GPL by becoming a Supporter today.
Join me for a Supporters Only Dinner in Raleigh, NC on Tuesday, October 20
byon October 14, 2015
Are you attending All Things Open next week? Or, are you local to the Raleigh-Durham area? If so, become a Supporter of Conservancy and email <email@example.com> to RSVP for an exclusive dinner with me at Tír na nÓg at 218 S. Blount St. in Raleigh. This event is only open to Conservancy Supporters, so be sure to sign up as a Supporter first and then RSVP via email.
Once you RSVP, I'll reply by email and give you details.
If you're already a Supporter, I hope you'll not only RSVP, but also ask a friend to sign up too and join us!
Linaro Connect, Volkswagen and Developer Ethics
byon September 30, 2015
Last week I had the privilege of delivering Friday's keynote address at Linaro Connect. I was so excited and pleased that I had been asked to speak about compliance there. As Linaro is a consortium for Linux kernel related initiatives on ARM, I was excited and curious as to what the conference was like and thrilled to be given the chance to talk about why copyleft and GPL compliance are so fundamental to the success of collaborative engineering initiatives like Linaro. The fact that the conference is so developer focused was a huge bonus.
One of the topics I touched on, given its newsworthiness was the situation with Volkswagen. Many people have talked about the implications of so-called dieselgate and its implications for free and open source software. In my talk I focused on another aspect of this - engineer and developer culture.
When I was in engineering school at The Cooper Union we had a mandatory course during our first year where we read the book To Engineer Is Human (which incidentally, if you buy you can sign up to support Conservancy on Amazon Smile first). The book discusses prominent engineering failures (including the dramatic Tacoma Narrows Bridge collapse “Galloping Gertie”), why they failed and how such failure is ultimately a part of successful societal engineering. In the class we talked about the culture of engineering ethics and how engineers ultimately have a special responsibility in society on behalf of the people who are impacted by the work they do.
In the recent case of Volkswagen, the failure of the company to behave ethically not only caused a negative impact on the environment and alienated VW's customer base, but also had a massively negative effect on the company's bottom line and financial outlook. How many engineers at the company felt horribly about what was happening and felt powerless to do anything about it? And in that case, the failure of Volkswagen to do the right thing was bad for the company in a number of levels.
As we see that copyleft and best security are linked (I talked about the Honeymoon Effect during the talk, and you can read my old paper on medical device safety plus many great discussions by folks like Matthew Garrett and even Bruce Schneier) and we embark upon an Internet of Things network, the ethical implications of software freedom become all the more poignant. In addition to the ethical aspects inherent in sharing code and the ethical considerations of following a license under which you received software for your use, there's an additional ethics layer in the safety implications of keeping GPL'd code closed. Because software so often interacts in complex ways (as shown in the car vulnerability demonstrations that go through the wheel maintenance system to exploit the critical ignition and brake systems), it's impossible to predict which software the next failure will be based on.
We need companies to understand that complying with the GPL isn't just good community participation or a safeguard from lawsuits - it is fundamental to their longterm financial success in a myriad of ways. Developers play a key role in that process. It's not always easy to stand up for the right thing in a corporate context. Doing so can cause reprisal in the form of some penalty. Obviously, if an engineer had been able to take action at Volkswagen, they would have saved the company a lot of embarrassment and lost revenue but without the hindsight of seeing how that situation actually played out it's likely that there was a real fear of penalty for speaking up.
Fortunately, where copylefted software is involved there are external mechanisms to help with some of these issues. Because companies must make good on providing source when they distribute, an outsider could determine that a company is not meeting its obligations. This is the main reason why having the option of participating anonymously in our coalition of developers who want to enforce the GPL is so important. In software development, coming out in favor of enforcement may not cause you any negative repercussions with your current employer but many developers rightly worry that other future employers may negatively view their participation in the coalition.
In the same vein as my ethical education in engineering school, developers should include the long term ethical considerations in their core technical analysis of what free and open source software licenses their companies should use and how they comply with it on a long term basis. While failures are terrible to have, they're essential to learn from and work towards better technical and ethical infrastructure.
How Would Software Freedom Have Helped With VW?
byon September 29, 2015
Would software-related scandals, such as Volkswagen's use of proprietary software to lie to emissions inspectors, cease if software freedom were universal? Likely so, as I wrote last week. In a world where regulations mandate distribution of source code for all the software in all devices, and where no one ever cheats on that rule, VW would need means other than software to hide their treachery.
Universal software freedom is my lifelong goal, but I realized years ago that I won't live to see it. I suspect that generations of software users will need to repeatedly rediscover and face the harms of proprietary software before a groundswell of support demands universal software freedom. In the meantime, our community has invented semi-permanent strategies, such as copyleft, to maximize software freedom for users in our current mixed proprietary and Free Software world.
In the world we live in today, software freedom can impact the VW situation only if a few complex conditions are met. Let's consider the necessary hypothetical series of events, in today's real world, that would have been necessary for Open Source and Free Software to have stopped VW immediately.
First, VW would have created a combined or derivative work of software with a copylefted program. While many cars today contain Linux, which is copylefted, I am not aware of any cars that use Linux outside of the on-board entertainment and climate control systems. The VW software was not part of those systems, and VW engineers almost surely wrote the emissions testing mode code from scratch. Even if they included some non-copylefted Open Source or Free Software in it, those licenses don't require disclosure of any source code; VW's ability to conceal its bad actions with non-copylefted code is roughly identical to the situation of proprietary VW code before us. As a thought experiment, though, let's pretend, that VW based the nefarious code on Linux by writing a proprietary Linux module to trick the emissions testing systems.
In that case, VW would have violated the GPL. But that alone is far from enough to ensure anyone would catch VW. Indeed, GPL violations remain very prevalent, and only one organization, Conservancy, enforces the GPL for Linux. Conservancy has such limited enforcement resources (only three full-time people on staff, and enforcement is one of many of our programs), I suspect that years would pass before Conservancy had the resources to pursue the violation; Conservancy currently has hundreds of Linux GPL violations queued for action. Even once opened, most GPL violations take years to resolve. As an example, we are currently enforcing the GPL against one auto manufacturer who has Linux in their car. We've already spent hundreds of hours and the company to date continues to fail in their GPL compliance efforts. Admittedly, it's highly unlikely that particular violator has a GPL-violating Linux module specifically designed to circumvent automotive regulations. However, after enforcing the GPL in that case for more than two years, I still don't have enough data about their use of Linux to even know which proprietary Linux modules are present — let alone whether those modules are nefarious in any way other than as violating Linux's license.
Thus, in today's world, a “software freedom solution” to prevent the VW scandal must meet unbelievable preconditions: (a) VW would have to base all its software on copylefted Open Source and Free Software, and (b) an organization with a mission to enforce copyleft for the public good would require the resources to find the majority of GPL violators and ensure compliance in a timely fashion. This thought experiment quickly shows how much more work remains to advance and defend software freedom. While requirements of source code disclosure, such as those in copyleft licenses, are necessary to assure the benefits of software freedom, they cannot operate unless someone exercises the offers for source and looks at the details.
We live in a world where most of the population accepts proprietary software as legitimate. Even major trade associations in the Open Source community laud companies who make proprietary software, as long as they adopt and occasionally contribute to some Free Software too. Currently, it feels like software freedom is winning, because the overwhelming majority in the software industry believe Open Source and Free Software is useful and superior in some circumstances. Furthermore, while I appreciate the aspirational ideal of voluntary Open Source, I find in my work that so many companies, just as VW did, will cheat against important social good policies unless someone watches and regulates. Mere adoption of Open Source won't work alone; we only yield the valuable results of software freedom if software is copylefted and someone upholds that copyleft.
Indeed, just as it has been since the 1980s, very few people believe that software freedom is of fundamental importance for all software users. Scandals, like VW's use of proprietary software to hide other bad acts, might slowly change opinions, but one scandal is rarely enough to permanently change public opinion. I therefore encourage those who support software freedom to take this incident as inspiration for a stronger stance, and to prepare yourselves for the long haul of software freedom advocacy.