Conservancy Blog
Displaying posts tagged law
Helping each other: the right to repair win and software freedom
by
on November 6, 2020We were very excited to hear that Massachusetts voters approved a new right to repair law earlier this week. Laws like these are important tools in allowing us to control the devices that we use. In particular, we believe it is important that people be able to fix their own devices, and to be provided with all the information they might need to make the best repair decisions. This principle has applied to cars for over a century and, now that cars are increasingly made up of computers, the implications for both repairing vehicles and software freedom are hard to ignore.
The proposed law is an excellent start for providing telematics information to vehicle owners. As the full text of the law (pages 5 and 6) describes, there are still implementation aspects to be decided by the Massachusetts Attorney General. These include a notice that describes "the mechanical data collected, stored and transmitted by a telematics system" and "the prospective owner's ability to access the vehicle's mechanical data through a mobile device", which dealers will be required to provide to prospective vehicle buyers and lessees.
The law also states the vehicle manufacturers must implement "an inter-operable, standardized and open access platform across all of the manufacturer's makes and models [that] shall be capable of securely communicating all mechanical data emanating directly from the motor vehicle via direct data connection to the platform". While the law mentions that this data needs to at least "be directly accessible by the owner of the vehicle through a mobile-based application", we would like to see the Massachusetts Attorney General clarify in their notice that the data should be accessible through an API available to the owner as part of this, one that is "inter-operable" and "standardized" per above.
We find often that people can read "a mobile-based application" to mean apps that are available via the Google Play Store or Apple App Store, but nowhere else. Both of these stores are proprietary software and lock users into single-company controlled infrastructure, so it is important to have other options for those who don't want to use such apps, including using an app available in some other store, for some other operating system, or that they wrote themselves if they like (using the API described earlier).
Initiatives like this Massachusetts Right to Repair measure are important for our freedom - our freedom to repair our devices (which includes vehicles) ourselves or by the repair shop of our choice, and our freedom to use whichever tools we wish in order to complete the repair. The right to repair movement is crucial in this world of increasingly locked-down devices, and we hope to build even more bridges to support the shared principles with software freedom going forward. We applaud and stand with the voters who made this initiative happen and look forward to many more such initiatives in the future.
Here is the email we sent to the Massachusetts Attorney General earlier today:
Dear Ms. Healey:
We at Software Freedom Conservancy, a 501(c)(3) charity dedicated in part to helping people take control of their computing experience through the freedom to choose which software they use, are very supportive of the "Right to Repair Law" Vehicle Data Access Requirement Initiative that Massachusetts voters approved this past week (organizationally and also as it relates to employees of ours based in Massachusetts). We see that as Attorney General you have been tasked with writing the telematics notice that manufacturers will provide to vehicle buyers and lessees, and we'd like to provide some suggestions given our experience with the different apps and software that users may wish to use to receive this telematics data.
In particular, we see that the notice will describe "the mechanical data collected, stored and transmitted by a telematics system" and "the prospective owner's ability to access the vehicle's mechanical data through a mobile device", which dealers will be required to provide to prospective vehicle buyers and lessees. The law also states the vehicle manufacturers must implement "an inter-operable, standardized and open access platform across all of the manufacturer's makes and models [that] shall be capable of securely communicating all mechanical data emanating directly from the motor vehicle via direct data connection to the platform".
While the law mentions that this data needs to at least "be directly accessible by the owner of the vehicle through a mobile-based application", we would like to see the Attorney General clarify in their notice that the data should be accessible through an API available to the owner as part of this, one that is "inter-operable" and "standardized" per above.
We find often that people can read "a mobile-based application" to mean apps that are available via the Google Play Store or Apple App Store, but nowhere else. Both of these stores are proprietary software and lock users into single-company controlled infrastructure, so it is important to have other options for those who don't want to use such apps, including using an app available in some other store, for some other operating system, or that they wrote themselves if they like (using the API described earlier).
Please let us know if you have any questions about our suggestions above. For reference, Conservancy's Execute Director, Karen Sandler, has been CCed. We are available to help draft specific text or join whatever process you establish for comments related to the implementation of this measure.
Thanks for your consideration!
Conservancy Requests Three DMCA Exemptions to Let People Control Their Devices
by
on September 16, 2020Every three years, the US Copyright Office conducts a rulemaking process to consider exemptions to the anticircumvention provisions of the Digital Millennium Copyright Act (DMCA). These are the provisions of the law that make it a criminal offense to circumvent digital rights management technology (DRM). These provisions give technology companies far too much control over the technology people use, prohibiting all kinds of modification and tinkering in the name of “copyright protection.” We would love to see the anticircumvention provisions of the DMCA repealed in their entirety.
Until that happens, the rulemaking process gives us an opportunity to request exemptions that are strategically important for software freedom and essential for us to be able to control our own devices. This year we requested three new exemptions:
- To allow people to investigate whether software on a device violates free and open source software (FOSS) licenses, and to exercise rights that would ordinarily be granted by those licenses were it not for the technological restrictions
- To allow people to conduct good-faith testing, investigation, and correction of privacy issues—for example, think Internet of Things devices that phone home with more information than they disclose
- To allow people to install alternative firmware on routers and other network hardware they buy, to add or remove functionality as they see fit
All of these exemptions recognize the growing prevalence of small, dedicated devices in many people’s lives. We’re always horrified to learn when gadgets that should be innocuous like doorbells, thermostats, and baby monitors are spying on us, whether by design or careless programming. It should not be a crime for people to investigate these issues and take steps to defend themselves with devices they’ve bought and own—especially when the device is running FOSS that promises the user those very rights. Our requests call on the US Copyright Office to codify that common sense into law.
We also requested renewal of the exemption that allows people to install alternative software on smart TVs that we previously won in 2015.
These requests kick off the beginning of the process, where all new exemptions are requested. We can expect the Copyright Office to announce what exemptions are granted around this time next year. We’ll be sure to keep you updated on the process.
Toward Copyleft Equality for All
by
on January 6, 2020I would not have imagined even two years ago that expansion of copyleft would become such an issue of interest in software freedom licensing. Historically and for good reason, addition of new forms of copyleft clauses has moved at a steady pace. The early 2000s brought network services clauses (such as that in the Affero GPL), which hinged primarily on requiring provision of source to network-remote users. Affero GPL implemented this via copyright-controlled permission of modification. These licenses began as experiments, and were not approved by some license certification authorities until many years later.
Even with the copyleft community's careful and considered growth, there have been surprising unintended consequences of copyleft licenses. The specific outcome of proprietary relicensing has spread widely and — for stronger copyleft licenses like Affero GPL — has become the more common usage of the license.
As the popularity of Open Source has grown, companies have searched for methods to combine traditional proprietary licensing business models with FOSS offerings. Proprietary relicensing, originally pioneered by MySQL AB (now part of Oracle by way of Sun), uses software freedom licenses to compel purchase of proprietary licenses for the same codebase. Companies accomplish this by ensuring they collect all copyright control of a particular codebase, thus being its sole licensor, and offer the FOSS licenses as a loss-leader (often zero-cost) product. Non-commercial users generally are ignored, and commercial users often operate in fear of captious interpretations of the copyleft license. The remedy for their fear is a purchase of a separate proprietary license for the same codebase from the provider. Proprietary relicensing seems to have been the first mixed FOSS/proprietary business model in history.
The toxicity of this business model has only become apparent in hindsight. Initially, companies engaging in this business model did so somewhat benignly — often offering proprietary licenses only to customers who sought to combine the product with other proprietary software, or as supplemental income along with other consulting businesses. This business model (for some codebases), however, became so lucrative that some companies eventually focused exclusively on it. As a result, aggressive copyleft license overreading and inappropriate, unprincipled enforcement typically came from such companies. For most, the business model likely reached its crescendo when MongoDB began using the Affero GPL for this purpose. I was personally told by large companies at the time (late 2000s into early 2010s) that they'd listed Affero GPL as “Never Allowed Here” specifically because of shake-downs from MongoDB.
Copyleft itself is not a moral philosophy; rather, copyleft is a strategy that software freedom activists constructed to advance a particular set of policy goals. Specifically, software copyleft was designed to ensure that all users received complete, corresponding source for all binaries, and that any modifications or improvements made anywhere in the chain of custody of the software were available in source form to downstream users. As orginially postulated, copyleft was a simple strategy to disarm proprietarization as an anti-software-freedom tactic.
The Corruption of Copyleft
Copyleft is a tool to achieve software freedom. Any tool can be fashioned into a weapon when wielded the wrong way. That's precisely what occurred with copyleft — and it happened early in copyleft's history, too. Before even the release of GPLv2, Aladdin Ghostscript used a copyleft via a proprietary relicensing model (which is sometimes confusingly called the “dual licensing” model). This business model initially presented as benign to software freedom activists; leaders declared the business model “barely legitimate”, when it rose to popularity through MySQL AB (later Sun, and later Oracle)'s proprietary relicensing of the MySQL codebase.
In theory, proprietary relicensors would only offer the proprietary license by popular demand to those who had some specific reason for wanting to proprietarize the codebase — a process that has been called “selling exceptions”. In practice, however, every company I'm aware of that sought to engage in “selling exceptions” eventually found a more aggressive and lucrative tack.
This problem became clear to me in mid-2003 when MySQL AB attempted to hire me as a consultant. I was financially in need of supplementary income so I seriously considered taking the work, but the initial conference call felt surreal and convinced me that MySQL AB was engaging in problematic behavior . Specifically, their goal was to develop scare tactics regarding the GPLv2. I never followed up, and I am glad I never made the error of accepting any job or consulting gig when companies (not just MySQL AB, but also Black Duck and others) attempted to recruit me to serve as part of their fear-tactics marketing departments.
Most proprietary relicensing businesses work as follows: a single codebase is produced by a for-profit company, which retains 100% control over all copyright in the software (either via an ©AA or a CLA). That codebase is offered as a gratis product to the marketplace, and the company invests substantial resources in marketing the software to users looking for FOSS solutions. The marketing department then engages in captious and unprincipled copyleft enforcement actions in an effort to “convert” those FOSS users into paying customers for proprietary licensing for the same codebase. (Occasionally, the company also offers additional proprietary add-ons, improvements, or security updates that are not available under the FOSS license — when used this way, the model is often specifically called “Open Core”.)
Why We Must End The Proprietary Relicensing Exploitation of Copyleft
This business model has a toxic effect on copyleft at every level. Users don't enjoy their software freedom under an assurance that a large community of contributors and users have all been bound to each other under the same, strong, and freedom-ensuring license. Instead, they dread the vendor finding a minor copyleft violation and blowing it out of proportion. The vendor offers no remedy (such as repairing the violation and promise of ongoing compliance) other than purchase of a proprietary license. Industry-wide. I have observed to my chagrin that the copyleft license that I helped create and once loved, the Affero GPL, was seen for a decade as inherently toxic because its most common use was by companies who engaged in these seedy practices. You've probably seen me and other software freedom activists speak out on this issue, in our ongoing efforts to clarify that the intent of the Affero GPL was not to create these sorts of corporate code silos that vendors constructed as copyleft-fueled traps for the unwary. Meanwhile, proprietary relicensing discourages contributions from a broad community, since any contributor must sign a CLA giving special powers to the vendor to continue the business model. Neither users nor co-developers benefit from copyleft protection.
The Onslaught of Unreasonable Copyleft
Meanwhile, and somewhat ironically, the success of Conservancy's and the FSF's efforts to counter this messaging about the Affero GPL has created an unintended consequence: efforts to draft even more restrictive software copyleft licenses that can more easily implement the proprietary relicensing business models. We have partially succeeded in convincing users that compliance with Affero GPL is straightforward, and in the backchannels we've aided users who were under attack from these proprietary relicensors like MongoDB. In response, these vendors have responded with a forceful political blow: their own efforts to redefine the future of copyleft, under the guise of advancing software freedom. MongoDB even cast itself as a “victim” against Amazon, because Amazon decided to reimplement their codebase from scratch (as proprietary software!) rather than use the AGPL'd version of MongoDB.
These efforts began in earnest late last year when (against the advice of the license steward) MongoDB forked the Affero GPL to create the SS Public License. I, with the support of Conservancy, rose in opposition of MongoDB's approach, pointing out that MongoDB would not itself agree to its own license (since MongoDB's CLA would free it from the SS Public License terms). If an entity does not gladly bind itself by its own copyleft license (for example, by accepting third-party contributions to its codebases under that license), we should not treat that entity as a legitimate license steward, nor treat that license as a legitimate FOSS license. We should not and cannot focus single-mindedly on interpretation of the formalistic definitions when we recommend FOSS licensing policy. The message of “technically it's a FOSS license, but don't use” is too complicated to be meaningful.
A Copyleft Clause To Restore Equality
My friend and colleague, Richard Fontana, and I are known for our very public and sometimes heated debates on all manner of software freedom policy. We don't always agree on key issues, but I greatly respect Fontana for his careful thought and his inventive solutions. Indeed, Fontana first formulated “inbound=outbound” into that simple phrasing to more easily explain how the lopsided rights and permissions exchanges through CLAs actually create bad FOSS policy like proprietary relicensing. In the copyleft-next project that Fontana began, he further proposed this innovative copyleft clause that could, when Incorporated in a copyleft license, prevent proprietary licensing before it even starts! The clause still needs work, but Fontana's basic idea is revolutionary for copyleft drafting. The essence in non-legalese is this: If you offer a license that isn't a copyleft license, the copyleft provisions collapse and the software is now available to all under a non-copyleft, hyper-permissive FOSS license.
This solution is ingenious in the way that copyleft itself was an ingenious way to use copyright to “reverse” the rights and ensure software freedom. This provision doesn't prohibit proprietary relicensing per se, but instead simply deflates the power of copyleft control when a copyright holder engages in proprietary relicensing activities.
Given the near ubiquity of proprietary relicensing and the promulgation of stricter copylefts by companies who seek to engage (or help their clients engage) in such business models, I've come to a stark policy conclusion: the community should reject any new copyleft license without a clause that deflates the power of proprietary relicensing. Not only can we incorporate such a clause into new licenses (such as copyleft-next), but Conservancy's Executive Director, Karen Sandler, came up with a basic approach to incorporating similar copyleft equality clauses into written exceptions for existing copyleft licenses, such as the Affero GPL. I have received authorization to spend some of my Conservancy time and the time of our lawyers on this endeavor, and we hope to publish more about it in the coming months.
We've finished the experiment. After thirty years of proprietary relicensing, beginning with Aladdin and culminating with MongoDB and their SS Public License, we now know that proprietary relicensing does not serve or extend software freedom, and in most cases has the opposite effect. We must now categorically reject it, and outright reject any new licenses that can be used for it.
Microsoft & exFAT: One Step on a Long Journey
by
on August 30, 2019In 2013, Conservancy helped resolve a GPL violation by Samsung which arose primarily due to complications around Microsoft's patent holdings related to the exFAT filesystem. At the time, Microsoft was known for demanding patent fees from Linux users and redistributors.
Late last year, Microsoft joined Open Invention Network. As we wrote at the time, this action had limited impact, as key patents like exFAT were not implemented in any packages that were part of OIN's “Linux System Definition”. We asked Microsoft at the time to upstream the exFAT code under GPLv2-or-later to confirm its intention to end patent aggression.
This week, in response to recent follow-up requests from upstream Linux developers, Microsoft announced that they would sign off on inclusion of exFAT in upstream Linux. This is the first step toward real patent peace related to exFAT.
This process for exFAT will only complete once all of the following happen: the exFAT patch appears in an official Linux release, that official Linux release becomes part of OIN's Linux System Definition (this generally happens automatically, as future versions of Linux are included by default), and Microsoft distributes a copy of Linux themselves that contains this technology. This last step is critical, as the OIN patent license is not as comprehensive as a full patent license from Microsoft. Any participating company can withdraw at any time from OIN1 (and there have been several withdrawals in the past, including Oracle, Facebook, HP and Symantec). After a transition period, the safety of OIN's non-aggression pact weakens. In contrast, when a company distributes software under the GPL, there is an irrevocable implicit patent license with the distribution, and GPLv2§7 further assures patent licensing safety.
Eventually, Microsoft will likely distribute a version of Linux containing exFAT to its Azure users and in its Windows Subsystem for Linux. However, until that occurs, the issue is not really resolved. An expedient solution is as we previously requested: that Microsoft bring definitive patent safety to free and open source software by publicly granting a permanent patent license for all patents Microsoft holds that read on Linux. Additionally, we invite Microsoft to keep pace with its peers such as Google and Red Hat, who years ago made very public patent promises to FOSS users. While the actions taken thus far are intermediary steps, I applaud Microsoft's journey from being a company that long attacked FOSS to becoming a contributor.
1 The legal mechanism for withdrawal is exercise of a “Limitation Election” in the OIN patent license agreement.