Harald Welte laforge@gpl-violations.org 2004 Harald Welte <laforge@gpl-violations.org> Dec 01, 2004 1 netfilter core team $Revision: 1.4 $ More and more vendors of various computing devices, especially network-related appliances such as Routers, NAT-Gateways and 802.11 Access Points are using Linux and other GPL licensed free software in their products. While the Linux community can look at this as a big success, there is a back side of that coin: A large number of those vendors have no idea about the GPL license terms, and as a result do not fulfill their obligations under the GPL. The netfilter/iptables project has started legal proceedngs against a number of companies in violation of the GPL since December 2003. Those legal proceedings were quite successful so far, resulting in twelve amicable agreements and one granted preliminary injunction. The list of companies includes large corporations such as Siemens, Asus and Belkin. This paper and the corresponding presentation will give an overview about the author's recent successful enforcement of the GNU GPL within German jurisdiction. The paper will go on describing what exactly is neccessarry to fully comply with the GPL, including the author's legal position on corner cases such as cryptographic signing. In the end, it seems like the idea of the founding fathers of the GNU GPL works: Guaranteeing Copyleft by using Copyright.

The author of this paper is a software developer, not a lawyer. The content of this paper represents his knowledge after dealing with the legal issues of about 20 gpl violation cases. All information in this paper is presented on a nas-is basis. There is no warranty for correctness. The paper does not comprise legal advise, and any details might be coupled to German copyright law (UrhG)

Though Free Software (sometimes referred to as Open Source Software) according to our definition exists since the early 1980's, it didn't became popular until the advent of the internet. The concept of cooperative development between otherwise unrelated parties was an ideal match with the new possibilities of worldwide communication. Free Software finds its way into almost any market within the industry. While FOSS deployment traditionally being strong in the server market, it recently gains in the desktop workstation market, too (e.g. Open Office, Mozilla). However, the largest number of FOSS deployments is in the embedded computing market. You can easily find Linux and other FOSS embeddeed into devices such as DSL routers, WLAN access points, network attached storage, digital TV receivers, home multimedia centres and recently even wireless phones.

Since the GNU GPL is a copyright license, it can only cover copyrightable works. The exact definition of what is copyrightable and what not might vary from legislation to legislation. Software is considered the immaterial result of a creative act, and is treated very much like literary works. It might therefore be applicable to look at the analogy of a printed book. In order for a work to be copyrightable, it has to be non-trivial (German: Schöpfungshöhe). Much like a lector of a book, anybody who just corrects spelling mistakes, compiler warnings, or even functional fixes such as fixing a signedness bug or a typecast are unlikely to be seen as a copyrightable contribution to an existing work. An indication for copyrightability can be the question: Did the author have a choice (i.e. between different algorithms)? As soon as there are multiple ways of getting a particular job done, and the author has to make decisions on which way to go, this is an indication for copyrightability.

As a copyright license, the GNU GPL mainly regulates distribution of a copyrighted work, not usage. To the opposite, the GNU GPL does not allow an author to make any additional restrictions like must not be used for military purpose. As a summary, the license allows distribution of the source code (including modifications, if any) if The GPL license itself is mentioned A copy of the full license text accompanies every copy The GPL allows distribution of the object code (including modifications) if The GPL license itself is mentioned A copy of the full license text accompanies every copy The complete corresponding source code or a written offer to ship it to any third party is included with every copy

The GPL contains a very specific definition of what the term full source code actually means in practise: ... complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. The interpretation of the paper's author of this (for C programs) is: source code Header Files Makefiles Tools for installation of a modified binary, even if they are not technically implemented as scripts The general rule in case of any question is the intent of the license: To enable the user to modify the source code and run modified versions. This brings us to the conclusion that in case of a bundle of hardware and software, the hardware can not be implemented in a way to only accept cryptographically signed software, without providing either the original key, or the option of setting a new key in the hardware.

The question of derivative works is probably the hardest question with regard to the GPL. According to the license text, any derivative work can only be distributed under the GPL, too. However, the definition of a derivative work is left to the legal framework of copyright. The paper's author is convinced that any court decision would not look at the particular technology used to integrate multiple software parts. It is much more a question of how much dependency there is between the two pieces. If a program is written against a specific non-standard API, this can be considered as an indication for a derivative work. If a program is written against standard APIs, and the GPL licensed parts that provide those APIs can be easily exchanged with other [existing] implementations, then it can be considered as indication for no derivative work. Unfortunately there is no precedent on this issue, so it's up to the first court decisions on the issue of derivative works to determine.

... it is not the intent ... to claim rights or contest your rights to work written entirely by you; rather, the intent is to excercise the right to control the distribution of derivative or collective works ... ... mere aggregation of another work ... with the program on a volume of a storage or distribution medium does not bring the other work under the scope of this license So the GPL allows mere aggregation, which is what e.g. the GNU/Linux distributors like RedHat or SuSE do, when they ship GPL-licensed programs together with a proprietary Macromedia Flash player on one CD- or DVD-Medium. Further research is required to determine what exactly would be a collective work, and how far this is backed by copyright law.

Since the GPL regulates distribution and not use, any modifications that are not distributed in any form do not require offering the source code. Special emphasis has to be given on when distribution happens within the legal context. Undoubtedly, as soon as you distribute modifications to a third party, such as a contractor or another company, you are bound by the GPL to either include the full source code, or a written offer. Please note that if you don't include the source code at any given time, the written offer must be available to any third party! Interestingly, at least in German copyright law, distribution can also happen within an organization. Apparently, as soon as a copy is distributed to a group larger than a small number of close colleagues whom you know personally, distribution happens - and thus the obligations of the GPL apply.

The GPL is violated as soon as one or more of the obligations are not fulfilled. For this case, the GPL automatically revokes any right, even the usage right on the original unmodified code. So not only the distribution is infringing, also the mere use is no longer permitted. This very strong provision is quite common in copyright licenses, especially in the world of proprietary software - so businesses involved in the software businesses are already used to that concept.

In fact, GPL enforcement is not something completely new. The Free Software Foundation (FSF) has been handling a number of GPL enforcement cases throughout it's history since 1984. However, their approach is quiet negotiations with the respective parties. While this being productive in the respective cases, it obviously cannot serve as example to raise public awareness about GPL compliance. Also, anyone who uses GPL licensed software doesn't really have an economic incentive to behave license compliant, if he cannot loose something. While the Free Software movement being very ideological, we cannot neglect the fact that businesses are only driven by economy. Thus, it is the idea of the author to raise the economic price of license infringement by making infringement public (and thus imposing a negative marketing effect) raising legal charges which force them to comply or otherwise loose the chance to use GPL covered code claiming damages as a direct economic price

In 2003, the Linksys Case was drawing a lot of attention from the FOSS community. Linksys Corporation (a subsidiary of Cisco, the worldwide leader in network equipment such as enterprise switches and routers) was selling 802.11 (aka WiFi, WLAN) Access Points and Routers containing GPL licensed software. The devices were sold virtually worldwide, and Linksys is one of the largest players in the 802.11 consumer market. Software embedded into the device contains the Linux OS Kernel, uClibc, busybox, netfilter/iptables. An alliance of copyright holders (including the author of this paper) was lead by the Free Software Foundation to bring Linksys into compliance with the GPL license terms. While in the end successfully bringing Linksys into compliance, it took that alliance about four months to achieve the full sourcecode release by Linksys. The strategy of Linksys was to overly delay the negotiations, making one incoomplete source code release after the other. Especially considering that the product lifecycle in the 802.11 being usually somewhere between three and six months, this kind of delay was not acceptable to a number of involved copyright holders. Looking back from now, it is important to note that the Linksys GPL case has actually helped Linksys a lot with regard to the popularity of their products. A lot of users buy their product exactly because they know they receive the sourcecode and the right to modify it. There's now a vivid community around their products, offering community-based alternative software (aka firmware) for them. Also, a number of small and medium-sized businesses have alternative commercial free software offers. Due to that success, almost any new Linksys product was based on Free Software, too!

The author of this paper started the gpl-violations.org project in order to help with new cases coming up after the Linksys case. The usual timeline of an enforcemnt case looks like this: Customer/User of the product sends information about the product to copyright holders Copyright holders confirm violation by re-engineering the product and making a test purchase Copyright holder sends a warning notice to the product vendor Copyright holder waits for some two weeks if vendor is willing to sing a declaration to cease and decist If no declaration to cease and decist was signed Contract technical expert recognized to court to do a study Apply for a preliminary injunction at court If declaration to cease and decist was signed Try to find amicable agreement about damages and information claims Probably grant a grace period for products already produced and in stock

Since the launch of gpl-violations.org, it has been a huge success for the FOSS community. Up to now, there have been about 25 cases where the GPL has been enforced out-of-court. In addition, there two preliminary injunctions have been granted. An appeals case against one injunction was turned down by the court. Thus, precedent has been set forth for likely further cases to follow. Especially the first preliminary injunction received big interest throughout the computing industry and the legal community. It received significant media coverage and thus resulted in exactly what the copyright holders wanted to achive: Raising public awareness about the GPL license conditions.

The Free Software Foundation: The gpl-violations.org project: The GNU project project: The law firm JBB (has court orders as PDF on their site): The gpl-violations.org section in the weblog of the author: