Open Source and the Legend of Linksys
People want to know what, exactly, they can get away with. To answer this, it's important to understand how violations of the GPL appear on the enforcement radar screen, so here is how: Somebody rats on you, usually your competitors or disgruntled employees.
Jun 28, 2005 5:00 AM PT
People often ask me how likely it is that an open-source license like the GNU General Public License will ever be enforced. When they ask that, they usually mean: "If I violate it will I get caught?" It's a legitimate question, if one lays aside moral rhetoric, such as the idea that proprietary software companies are merely evil capitalist agents seeking to abuse the rights of free software developers.
It is the natural tendency of the citizens of a nation of laws to know exactly what the law allows them to do. Thus the legal profession, and thus the question: What can we get away with?
Now, even the most starry-eyed of us must acknowledge that with no enforcement there is no law. Anyone who has tried to train a dog to stay off the sofa knows that. So, no one will comply with the terms of a license agreement like the GPL, with which compliance can be challenging if not downright burdensome, unless they believe someone will enforce it.
When open source first became popular, lawyers and businesspeople alike wondered about this. Would free software advocates be willing to police their rights? Would a group that was vocally opposed to intellectual property rights undertake the tedium and expense of intellectual property lawsuits?
After all, enforcement of IP rights has historically been the bailiwick of the media and the technology industry, not starry-eyed dreamers who believe in making the world safe for software. Did these people, who disdained hiring lawyers to write license agreements for them, really want to send lawyers out to sue people?
Eventually, the technology industry discovered that the answer was probably yes. But in the meantime, many people raised many questions and arguments about the GPL and its likely enforcement, most of which were ill-informed. Such as:
- There is no "I accept" button on the GPL, thus no contract. In legal terms, this is known as a formation defense. However, the Free Software Foundation is right when it says that without an express license to distribute, which you probably can't get without accepting the GPL terms, you cannot distribute their code. So, this argument might work for people who are only users and not distributors of the GPL, but users are not the ones who want to challenge the "viral" GPL's requirements, which only attach on distribution. Moreover, formation challenges to online agreements are weak, and as time goes on, they will get weaker. In the 1980s and early 1990s, formation defenses were a hot issue; now they're pretty much dead.
- The GPL "violates the U.S. Constitution." Only SCO would be deranged enough to make this argument (which it made in the lawsuit with IBM). The sputtering explanation of this argument by SCO did make for droll reading, but if you read it, and were worried you were missing something, you weren't. It's wrong.
- The GPL "has never been tested in court." People who make this argument must not realize how fascist it sounds. There are probably regimes where private contracts are not valid until they are approved by a central governmental authority like a court. But none of us actually wants to live there because of that small detail of freedom of contract being an essential political freedom.
There are interesting arguments about enforcement of open-source licenses like the GPL, but no one ever seems to discuss them. Most lawyers, like me, are probably waiting for someone to actually get sued, and hoping to get hired to defend them so they can get paid for their ideas rather than thinking them up for free. But, in brief, there will be many challenges. What is a "reasonable royalty" for using software that is free of charge? Will statutory damages be available? Who has standing to enforce the agreement? Does the "viral" nature of the license constitute copyright misuse? There are others; these are the obvious ones.
The Important Questions
It is important to understand that there are two questions lurking here, not one: "Can the agreement be enforced?" and "Will the agreement be enforced?" The first is a purely legal question, and can be answered by any smart law student who is willing to put in a lot of research and analysis time. The second is the reason people don't hire law students to answer the first question. Every attempt at enforcement of any open-source license generates a lot of buzz, but not because anyone believes it will resolve the first question. People want to know about the second: What, exactly, can we get away with?
To answer this, it's important to understand how violations of the GPL appear on the enforcement radar screen, so here is how: Somebody rats on you, usually your competitors or disgruntled employees. Now, anyone who works in law enforcement knows that this is the way almost all violations of the law are reported. Drug dealers rat out other drug dealers and in doing so use the police as antitrust enforcers. But in the free software world, while people may rat on you because it is in their personal interest, they will also rat on you because it is their moral duty. So you will be reported not only by competitors and employees, but by true believers as well. As you might imagine, this is much more perilous.
So much for the informants. Now for the cops. Here is some advice from the Free Software Foundation's FAQ on the GNU GPL:
"What should I do if I discover a possible violation of the GPL? You should report it. First, check the facts as best you can. Then tell the publisher or copyright holder of the specific GPL-covered program. If that is the Free Software Foundation, write to firstname.lastname@example.org. Otherwise, the program's maintainer may be the copyright holder, or else could tell you how to contact the copyright holder, so report it to the maintainer."
Fair enough: This instructs you to report a violation to the copyright owner. Given that in the U.S., no one can enforce intellectual property rights but their owner, that makes sense. However, the FSF also acts as a de facto enforcer of any violation of the GPL, even when FSF is not the copyright owner: "We encourage others to share with us any technical information about this or any other GPL violation ..." (quoted from an FSF posting signed by David Turner, GPL Compliance Engineer, FSF, and Bradley M. Kuhn, Executive Director, FSF, about the Linksys matter discussed later in this article). In the free software world, the FSF owes this de facto enforcement role in part to practicality -- it has more resources than most free software developers -- but also to thought leadership, because the FSF has thought long and hard about what the license means, and has detailed policies and FAQs on compliance.
The FSF's enforcement resources are significant, though they may not equal the war chests of some of the larger patent enforcers. The FSF, through its "Compliance Lab," conducts, according to Forbes in 2003, 30 to 40 investigations at a time. That is quite a bit of work, which in a private company would take up at least a full-time lawyer or two.
The FSF's actions to enforce the GPL are conducted largely in confidential discussions:
"This isn't the first GPL violation we have dealt with; we've been actively enforcing the GPL for over ten years. Our usual practice is not to publicly announce details of ongoing violation negotiations, because we find that private negotiation yields quicker and better cooperation."
Again, fair enough. This is how all infringement lawsuit threats are handled. Public announcement of an infringement threat takes away a significant bargaining chip of any IP enforcer. In the world of private IP enforcement, where people threaten suits to enforce patents or proprietary software, the threat of public exposure means a falling stock price for public companies, or a bitter pill to investors of private companies. In the free software world, the emphasis is more on public embarrassment, but the mechanism is essentially the same.
So far, on a macro scale, enforcement actions are similar for the FSF and for private IP owners, but now the cases diverge. The FSF seeks different remedies from private IP enforcers. "Our number one goal in any GPL violation case is to get proper and full compliance with the license; everything else is secondary."
Indeed, everything else may be impossible. The FSF's position that the GPL is "a license not a contract" probably means that the FSF cannot successfully seek injunctive relief to force anyone to lay open source code. The fact that it does not charge license fees for its software probably means it cannot seek damages based on the amount of a reasonable royalty -- though it could still rely on statutory damages. So the FSF's position -- comply or stop using our stuff -- is, quite neatly, mostly what they could get under the law. The FSF publicly states they do not seek to force laying open of code, only compliance. And they do not seek damages, though a check written to augment their enforcement funds is understood not to be unwelcome.
The Legend of Linksys
The "Legend of Linksys" is a metonymy for this second question, in the reverse: What have people not gotten away with? The legend has at least two sides to it: the legal and the factual. First, the facts.
I have no personal knowledge of any of the facts I am about to describe; if I did, I would not be writing an article about it. But the facts here may be murky, and I welcome correction; my lack of personal knowledge is further complicated by the legendary nature of the story -- legendary, because the negotiations to resolve it were non-public. The sources I used to put this together were mainly the Forbes article "Linux Hit Men" dated October 14, 2003, an article of the same date in Linuxdevices.com quoting Bruce Perens, and several random bulletin board postings about the Linksys product.
Linksys is a very successful purveyor of WiFi routers, in particular the WRT54G 802.11g wireless home gateway. In March, 2003, Cisco Systems bought Linksys for US$500 million. After the acquisition, in June 2003, complaints appeared on discussion boards such as LKML and Slashdot claiming that Linksys was violating the GPL by not providing source code for certain code used in its WRT54G wireless access point. (See for instance this posting.) The Linksys product included both the Linux kernel and other GPL code.
This is the nightmare scenario for an acquiror worried about open source. In the trade this is known as "buying a lawsuit."
The FSF stepped in, stating publicly that it was spearheading enforcement for multiple copyright holders who had licensed materials under the GPL: "[W]e are leading a coalition of many copyright holders in the WRT54G, as Linux is only one part of a large body of GPL'ed software in the product. We formed this coalition because, having done enforcement cases for a product with a broad range of copyright holders before, we have found that separate enforcement actions and/or law suits from individual copyright holders make attainment of compliance more difficult."
Undoubtedly informal enforcement actions are easier with fewer parties involved. However, this statement as it relates to "law suits" is a bit disingenuous, for two reasons: first, FSF has never actually led a formal defense group to enforce the GPL in court, and second, if it did so, it would likely do so based not on convenience, but necessity, as separate suits might be impossible due to legal due process requirements.
What Can Be Learned
Linksys eventually released the source code at issue. Various Web reports place the release at three to four months after the first demand by the FSF. It is amusing to read the morally outraged postings on this subject that describe this result as glacially slow. It seemed fast to me. The only way to do it faster would have been a scorched earth TRO action or some jackbooted GPL police.
The first take-away from this case is the difficulty of doing enough diligence on software development in an age of vertical dis-integration. Cisco knew nothing about the problem, despite presumably having done intellectual property diligence on Linksys before it bought the company. But to confound matters, Linksys probably knew nothing of the problem either, because Linksys has been buying the culprit chipsets from Broadcom, and Broadcom also presumably did not know, because it in turn outsourced the development of the firmware for the chipset to an overseas developer.
To discover the problem, Cisco would have had to do diligence through three levels of product integration, which anyone in the mergers and acquisitions trade can tell you is just about impossible. This was not sloppiness or carelessness -- it was opaqueness.
There is no way around this problem if one approaches open-source diligence from a provenance angle. Finding the ultimate source of code is too difficult. This argues for "back-end" risk management like insurance and code matching, which are becoming more and more attractive alternatives as the complexity and prevalence of open source assets increases.
The second take-away is that this was a strong case for the FSF, but to understand why takes us into some of the more excruciating details of kernel development. One online complaint said:
"I am unable to build a working Linux kernel based on your tree due to source code missing from arch/mips/brcm-boards/ and other directories. You also seem to have modified the kernel module loading process, as standard kernel modules built from your tree load without warnings on a running WRT54G, but apparently do not function properly. ... I believe it is a violation of the GPL to distribute versions of the Linux kernel that are missing critical, non-modular kernel code."
I quote the above not for the truth of its assertions, but to point out why Linksys got tagged. The writer was unable to build a working kernel. He characterized the undisclosed code as "critical" and "non-modular." Engineers are practical folks, and they don't tend to quibble over adhering to the letter of a license if they can reap its benefits. He could not reap. Consider also this comment (cited above) on the LKML board:
"I know that traditionally, Linux has allowed binary-only modules. However, I was always under the impression that this required that the final customer be allowed to remove them at will. That is to say, you couldn't choose to implement a portion of the kernel critical to the system's operation in a module, and then not release that module under the GPL. In this particular case, I would argue that the wireless drivers are critical to this device's operation ..."
This writer is making a crucial point: There is some controversy in the free software world over whether some kinds of kernel modules escape GPL terms. But Linksys was not in one of these gray areas. Linksys not only included kernel modules in their code, they included statically linked kernel modules that could not be separated from the kernel. For the FSF, this was game, set and match.
Several commentators have noted that GPL compliance issues are particularly problematic in embedded applications, as well as code developed by overseas developers. The Legend of Linksys bears out both these observations.
It's a Small Welte After All
Across the wide ocean, other enforcement of the GPL runs along a different trail. Harald Welte, a self-appointed enforcer of the GPL who operates a GPL Web site, filed two actions with the District Court of Munich to enforce the license. In both cases, Welte was the author of code that had appeared in the defendant's product. The court granted Welte an injunction against Sitecom Deutschland GmbH, prohibiting Sitecom from distributing a wireless networking router until it complied with the GPL. Sitecom appealed the injunction, but lost, and Sitecom later posted the terms of the GPL on its FAQ Web page for the router. Welte also filed for an injunction against Fortinet UK Ltd. based on its firewall products, with similar results.
Though much has been made of these two cases, there are reasons why Welte has already obtained injunctions in Germany while the FSF has not yet sought one in the US. Injunctive enforcement in Germany is so simple and quick that it makes Americans suspicious about piddling legal details like legal due process. In Germany, a preliminary injunction can be obtained ex parte -- in other words, without giving the defendant the chance to defend itself. (This has the appropriately scary sounding name einstweilige Verfuegung.)
Also, in Germany, an author of a component piece of software can enjoin an infringer from distributing the entire program, not just the part he owns. In the US, any injunctive relief requires that the defendant have the ability to present a defense. Moreover, in the U.S., a plaintiff seeking a temporary restraining order must post a bond to compensate the defendant in case the TRO is wrongly issued. In Germany, there are no such niceties. So, before you start flushing your proprietary loadable kernel modules down the commode, remember that the path to an injunction here in the U.S. -- and indeed in most common law countries -- is much more treacherous. This is why injunctions in Germany are likely to happen long before -- or in lieu of -- injunctions in the U.S.
More interesting to U.S. companies are Welte's informal enforcement actions, which have included sending letters to over a dozen large commercial software and appliance products including Motorola, Acer, Micronet, and Buffalo. The problem is that Welte apparently does not hold the copyright to the code that is the subject of these letters. Welte's approach is to send public letters and announcements first, rather than seek confidential action.
The Landscape Evolves
Anyone who decries the enforcement actions of the FSF only need read Welte's blog to appreciate the FSF's restraint. Some of Welte's targets have complied voluntarily, but one suspects that is because they were simply unaware of the problem. Welte apparently has no authority to enforce these copyrights. These actions are not really legal enforcement -- more the equivalent of picketing companies that use cheap overseas labor. It is an attempt to embarrass, not enforce.
It is also impossible to avoid observing that Welte often proceeds without the benefit of legal analysis. For instance, he targeted AOpen, which responded that he "should have directed that letter to their Taiwanese mother company, since the products that I claim are in violation of the GPL are not sold in Germany. They don't get it. Its their problem if they don't comply with the license. Its they who are liable for copyright infringement. I don't care which particular subsidiary of a multinational corportation [sic] is responsible. It is in the best mutual interest of any subsidiary to assure that they comply with license conditions."
Actually, AOpen's point was probably that there was no action under German law because lack of an infringing product in Germany meant it was not within German jurisdiction. But it so happened that AOpen was actually compliant, having offered the source code on a German Web site, as Welte later noted in his blog. Never mind.
This kind of stuff gives lawyers the willies, on the one hand. Lay commentators who post on blogs or bulletin boards about open source legal issues without the benefit of legal reasoning are a dime a dozen, but at least they don't usually sue people. On the other hand, who would you rather be sued by: Welte or the FSF? Given that most of Welte's complaints would fail in the U.S. on procedural grounds that would allow a defendant to jettison the case quickly, he is my plaintiff of choice.
Other enforcement of the GPL has been of less note. The MySQL case, which is the only lawsuit ever filed in the U.S. regarding GPL code, was disposed of on unrelated grounds. The FSF has conducted regular informal enforcement, but none has garnered quite the press of the Linksys matter. In 2002, the FSF engaged in a GPL enforcement action against OpenTV, a San Francisco company that ships a set-top box containing Linux. According to Forbes, OpenTV ended up paying the FSF $65,000. But OpenTV also reportedly complied by making available the requested code, so the purpose of the payment is unclear. The FSF's stated mission is not to demand money damages for GPL violations.
Meanwhile, we are all waiting for the other shoe to drop. And while rumors occasionally circulate that lawsuits will be filed -- as in the case of OpenTV -- there is a big difference between making threats and filing lawsuits. So, get used to standing on one foot, while the legend of Linksys lives on.
Heather Meeker is a shareholder at the international law firm Greenberg Traurig, LLP, and specializes in intellectual property transactions for software and other technology clients. Ms. Meeker is the co-chair of the Open Source Committee of the Science and Technology Section of the American Bar Association. She advises clients regularly on open-source licensing issues and open-source business strategies.