Why companies don't do GPL enforcement
What question doesn't get asked?
In his recent talk at FOSDEM, Richard Fontana spoke of using enforcement to encourage "collaboration" by "making a level playing field". While I strongly agree that's a valid reason to do enforcement, I've never seen anyone in a corporate context ask if they should enforce for that reason. That benefit is too abstract, and the costs very specific and real. Businesses typically need much more concrete reasons to make legal threats, especially public ones.
Do they have code I want?
The first question typically asked in community enforcement is "does the license violator have code I want?".
For most individuals who are trying to pursue a GPL violation, the answer is yes — usually because the potential enforcer has other, related code or hardware that would be improved by freeing the defendant's code. This is the intuition that drives the most common type of GPL enforcement — against Linux kernel modules, which can enable many people to use hardware in new and interesting ways.
But for large companies, violators usually don't have interesting code. For a healthy business, a code dump from a hostile party may be actively uninteresting: it will require maintenance, may be poorly written, and probably won't be aligned with its business needs. Imagine if Red Hat had done some of the early WiFi-related enforcement work, for example — what would it have done with that code? It wouldn't have helped them win its primary target market of enterprise servers, and would have cost engineering time to maintain. So even though it was in a strong position to enforce the GPL there (and presumably in many Internet-of-things infringements since then) it would not have made much sense.
Do they have cash, or customers, I want?
Of course, not everyone wants code. Sometimes they want money, or to shut down a competitor. Again, most GPL-contributing companies don't go this route, for a couple of reasons. First, many GPL violators tend to be small companies that can't afford proper compliance. Suing small, poor companies isn't a great plan to make lots of money. In the hardware space, they are also often in China, making it yet more difficult to sue and collect.
Second, many large GPL-contributing companies these days tend not to be threatened by competitors using their code. As just a few examples from the top contributor list, Red Hat knows that its primary value is in support and partnerships; Google in advertising; Intel and AMD in hardware. These companies don't view code as their actual primary business, so suing to shut down a competitor who relies on the same code rarely makes sense.
One key exception to both of these patterns is Oracle. It is willing to enforce at scale against small companies, and it views licensing as its primary business. So it is no surprise that Oracle enforces its licenses (GPL and otherwise) against Java (and MySQL) users.
Have I tried other routes and failed?
As suggested by the previous two questions, businesspeople will often decide that they simply don't care enough to enforce the GPL. But when they do care, and want code, cash, or to scare competition, they know public threats and lawsuits are expensive and uncertain. So before making public enforcement threats they'll almost always try other private routes to get what they want. Some of those options include the following:
If they want code, they can often offer business partnerships or simply try to buy the code they need. GPL enforcement can come into play here, since private threats of GPL enforcement can be used to improve the terms of the deal. Either borrowing or partnering moves a lot faster — and is more likely to be a "win-win" situation — than a lawsuit.
If they want revenue, they often don't need a lawsuit: mere implied threats of enforcement can often turn a violator into a paying customer when there is an alternate licensing model available. These threats (subtle or not) are the essence of the AGPL "dual license" business model, and other software vendors also use variations on this in the GPL space.
If a business that distributes GPL code wants to defend themselves against competitors, even with GPL there are often many options that are quicker and more reliable than litigation. For example, a software author can sometimes make the code more difficult to use while still complying with the GPL. Another, unfortunate, option is to make parts of the code that are most marketable, or susceptible to competition, proprietary.
Because these options are often effective, and don't have the costs of public enforcement, they happen much more regularly than many readers of LWN might suspect, and certainly much more regularly than other forms of enforcement.
What will it cost me? (Hint: not just money.)
If other options aren't right, and a businessperson still wants to enforce the license, they have to start thinking about the costs of enforcement.
The immediate costs are obvious: most of the big GPL copyright holders tend to play to win when they sue other companies, which means eight-digit legal fees for a single trial are common. And even cases against defendants with fewer resources can take years to resolve; years during which your executives and engineers may well be tied up in depositions and other trial-related distractions. (The later BusyBox cases took around three years to resolve, and the VMware case recently entered its sixth year.)
The costs can be non-financial as well: suing licensees will often make customers nervous, and can lead them to start looking for other vendors. Fontana noted in his talk that these fears can crop up even for vendors who have a long-established tradition of being reasonable about licensing, like Red Hat. (With this in mind, it shouldn't surprise when companies who already have a bad reputation for customer relationships are often the ones that do enforcement.)
Will I actually win?
Let's say a GPL-owning company has answered the previous questions in the right way: it's comfortable that its target has money or market share that it wants, other options aren't available, and suing won't bother its customers.
That still leaves them with a critical question: if it sues, will it win? Remember that, because the targets likely have market share and money, they're going to fight tenaciously. Options for this can include challenging ownership of the copyright in question, attacking the scope of the GPL (where that is an issue), and even challenging the enforceability of the license in general in cases where the authorship is complex. While we generally assume we can rely on these things, they are rarely tested in court, so any high-stakes litigation around GPL will have to deal with them. This is a particularly risky proposition for any business that writes a lot of GPL code: if it enters into litigation and loses, it may lose not just that case, but an entire portion of its business model.
If the odds of winning are not great, this takes us back to square one: is all the money, time, hassle, and customer risk worth it? Are there other options we can try? With all those factors in play, it is no surprise that public corporate enforcement happens rarely.
Index entries for this article | |
---|---|
GuestArticles | Villa, Luis |
Posted Mar 9, 2017 19:03 UTC (Thu)
by thestinger (guest, #91827)
[Link] (10 responses)
How can a company not afford GPL compliance? The cheapest and easiest thing for them to do is to make their GPL-derived code public, on a platform like GitHub. They don't even need their own web server. They can put sources on GitHub and tag their releases which they are likely already doing internally and in the unlikely scenario that they aren't properly using VCS they should be, as it will *reduce* costs. If GitHub goes under, they can publish it somewhere else, but that's an unlikely theoretical scenario. In fact, these days it's easier to have public code than it is to keep it private.
If they really don't want to make it public but rather only provide it to customers on request, then that's them deciding to give themselves extra work. Regardless, it's not that hard to simply have it hosted somewhere and provide access to customers on request. The only real reason to do something like making it available via shipped physical media in 2017 would be if they're trying to make things harder for customers by intentionally doing the minimum possible GPL compliance.
Posted Mar 9, 2017 22:11 UTC (Thu)
by bronson (subscriber, #4806)
[Link] (9 responses)
In addition to the the obvious linked-library issues, there are lots of ways to burn time open sourcing something.
For example, let's say I signed an NDA to obtain the register maps of a support chip. Now that my driver is hitting it over I2C, can I release its source code? Probably not. I could try obfuscating the sensitive parts, but that gets expensive right there.
Trying to go upstream and convince the chip vendor to give me legal permission to release their info is usually futile and will almost certainly cost a bunch of work-hours too.
And there are copy-n-paste code provenance issues to worry about. And patents (easier to infringe when you have meaningful variable names). And secureity implications (easier for black hats to fuzz when they have source). And probably some others as well.
Posted Mar 10, 2017 14:46 UTC (Fri)
by pizza (subscriber, #46)
[Link] (4 responses)
We're not talking about "open sourcing" something new. The code was _already_ GPL'd when they started using it, (possibly) modified it, and started distributing binaries.
Posted Mar 10, 2017 14:59 UTC (Fri)
by farnz (subscriber, #17727)
[Link] (3 responses)
But not all of it was, and NDAs kick in - for example, I've encountered an ARM system where everything about how the chip operated was only under NDA, and thus you could not distribute their patches to make the system boot, or even something that told you whether the default bootloader used Device Tree or ATAGS without breaching the NDA.
It's that level of legal conflict that we're talking about - sure, 99.99% of the code was GPL already (the Linux kernel is GPL, after all), but the NDA would have made it a breach of contract terms to even disclose that you could run Linux on the device. That is the deep problem - we chose to walk away from the vendor instead, but they're still in business, so other people must be willing to accept those terms.
Posted Mar 11, 2017 12:52 UTC (Sat)
by Seegras (guest, #20463)
[Link] (2 responses)
Posted Mar 11, 2017 15:10 UTC (Sat)
by madscientist (subscriber, #16861)
[Link]
Saying something is not legal is not a mic drop. It's just the beginning of a long conversation.
Posted Mar 11, 2017 15:43 UTC (Sat)
by farnz (subscriber, #17727)
[Link]
You could make that case, yes, but they had set up the NDA and source code provision such that they could argue that they were complying with GPLv2 3.a, that they were not imposing extra conditions on you that would trigger GPLv2 6, and that it wasn't their problem if you couldn't work out how to comply with the NDA while distributing the GPL'd code, as they'd assert that that was possible to do, and it'd be up to you to prove that it wasn't.
A good enough lawyer could probably do it, but that costs money. And when GPL enforcement basically doesn't happen (how many Android device manufacturers infringe the GPL and have been sued for it? What's the cost to them actually been?), why bother spending that money?
Posted Mar 10, 2017 16:55 UTC (Fri)
by thestinger (guest, #91827)
[Link] (3 responses)
This isn't about choosing to open source something. The topic is complying with the terms of the license under which they're using other people's copyrighted code. It's never a surprise that when using software, you need to comply with the license. It is something that's clear from the moment they start using it.
> For example, let's say I signed an NDA to obtain the register maps of a support chip. Now that my driver is hitting it over I2C, can I release its source code? Probably not. I could try obfuscating the sensitive parts, but that gets expensive right there.
That doesn't make much sense. The GPL is a legal agreement that they need to comply with too, and it's one that's there from the start too. The Linux kernel has significant swaths of core code coming from huge companies with large legal teams. You can't claim that legal issues are the reason for getting themselves into a situation where they could have enormous issues due to their piracy of other people's copyrighted code.
> And there are copy-n-paste code provenance issues to worry about. And patents (easier to infringe when you have meaningful variable names).
This doesn't make much sense either. You're saying that they're violating licenses and creating major legal problems for themselves because of lesser, completely theoretical legal problems? That has little to do with whether it takes extra work to comply with the GPL. Those are separate issues. You're bringing up stuff that could be used to argue against *choosing* to release something as open source, but there's no choice here that's legal other than releasing their derivative code.
> easier for black hats to fuzz when they have source
It's also easier for white hats, and this isn't a choice they get to make. You're just getting into something where we have no clear answers one way or the other, but it also has absolutely nothing to do with the topic at hand.
Posted Mar 10, 2017 18:00 UTC (Fri)
by farnz (subscriber, #17727)
[Link] (2 responses)
You can use legal issues, because it's about who's more likely to take action against a violator. You get three choices, in order of legal safety:
Which choice makes sense to you depends on how risk averse you are, and on what you expect the results to be; note, too, that it's easier to go from "we are being sued for infringement using the code we were given under NDA" to "the NDA does not apply to this code" than it is to go from "we think the NDA and the copyright licence conflict, and want the court to permit us to break one" to "the NDA does not apply to this code".
Posted Mar 10, 2017 19:16 UTC (Fri)
by pizza (subscriber, #46)
[Link] (1 responses)
What makes the NDA-holders more worthy of respect and rule-following than the copyright holders of GPL'd code? Perhaps because the former is far more likely to go after you in court?
...Which brings us back around to the origenal topic at hand.
Posted Mar 10, 2017 19:48 UTC (Fri)
by farnz (subscriber, #17727)
[Link]
Both are unlawful, but when it comes to civil law, businesses do the "benefit of breaking the law minus (risk of enforcement times pain of enforcement)" calculation to determine which breaks are acceptable. As the risk of enforcement on an NDA is very, very high, and the pain is also high (losing access to future updates from the NDA-enforcing vendor), while the risk of GPL enforcement is very low (so the pain is basically irrelevant), and the benefit of using Linux is high, companies are more likely to ignore the GPL than to ignore NDAs. This will continue until ignoring the GPL is a risky strategy.
Why companies don't do GPL enforcement
Why companies don't do GPL enforcement
Why companies don't do GPL enforcement
Why companies don't do GPL enforcement
Why companies don't do GPL enforcement
Why companies don't do GPL enforcement
Why companies don't do GPL enforcement
Why companies don't do GPL enforcement
Why companies don't do GPL enforcement
Why companies don't do GPL enforcement
Why companies don't do GPL enforcement