Monday, August 15, 2011

Most Android vendors lost their Linux distribution rights, could face shakedown or shutdown

Last week I read about an Android licensing issue that I wasn't previously aware of. It's a pretty serious one, and it's not that hard to understand. The short version is that

  • rampant non-compliance with the source code disclosure requirement of the GPLv2 (the license under which Linux is published) -- especially but not only in connection with Honeycomb -- has technically resulted in a loss of most vendors' right to distribute Linux;

  • this loss of the distribution license is irremediable except through a new license from each and every contributor to the Linux kernel, without which Android can't run; and

  • as a result, there are thousands of people out there who could legally shake down Android device makers, threatening to obtain Apple-style injunctions unless their demands for a new license grant are met.

At first sight it may appear unthinkable that things could go so wrong with the distribution license for the very foundation Android was built upon. But I did my research and the above conclusions are just consistent with legal positions taken recently by two of the most renowned Free Software organizations -- the Software Freedom Conservancy (SFC) and the Software Freedom Law Center (SFLC) -- in another context involving GPLv2 (and software embedded in devices), the so-called BusyBox lawsuit (U.S. District Court for the Southern District of New York, case no. 1:09-cv-10155).

Just like those organizations forced a number of companies (most recently Best Buy, previously some others including Cisco and Verizon) to pay up, the situation surrounding most Android OEMs could become quite uncomfortable if any Linux copyright holders driven by greed or other motives team up with copyright lawyers (such as on a contingency basis) and enforce their rights. There are thousands of Linux kernel contributors besides Linus Torvalds. In some cases, it would probably be easy to just replace the code they contributed if they seek to enforce their rights, but in other cases, it would certainly take longer than someone's ability to obtain a preliminary injunction somewhere on this planet.

Now let's look at the legal issue more closely.

Two interesting posts on the official blog of the Brown Rudnick law firm

The law firm of Brown Rudnick has an Emerging Technologies group, and last week one of its members, Brown Rudnick partner and IP litigator Edward Naughton, published two blog posts on this issue. Here's a link to that blog. Unfortunately, I couldn't figure out how to link to a particular post on that blog, but as I write this, those two posts are the topmost ones.

Some will remember his Huffington Post article on another Android GPL issue earlier this year. I, too, blogged about it. Back then he raised interesting points, and contrary to popular misbelief, his concerns weren't dispelled by the likes of Linus Torvalds, whose emotional outburst indicated that Naughton had touched on a sensitive area for the Linux community. None of those who contradicted Naughton stood up and said that there was no reason for concern. Ultimately, the interpretation of the GPL and of copyright law at large is in the hands of the courts, not of luminaries like Torvalds. But that's the history, and the new story is -- while also related to Android and the GPL -- a different one.

I've been following Naughton on Twitter since then. He told me that one his clients also got a letter from Lodsys.

Concerning today's topic (the loss-of-license issue), I really recommend reading his posts, which explain the legal theory behind this and put them into the context of open source practice. But I'll also provide some more detail from my end in the remainder of this post.

Section 4 of GPLv2: the loss-of-license paragraph

This is what Section 4 of GPL version 2 says:

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

This is pretty easy to understand. The first sentence references all of the obligations that licensees have under the GPL. One of them is the source code disclosure obligation in Section 3. I won't quote that one here because it's much longer than Section 4 and you can read it on the Internet. With respect to what this discussion is all about, it says that if you distribute software (such as Linux) under the GPLv2 for commercial purposes, you must make its "complete corresponding machine-readable source code" available (as Naughton points out on his blog, even those willing to comply can easily run afoul of that requirement) or provide a written offer to that effect.

The second sentence of that Section 4 then imposes a drastic sanction if you do "otherwise" (meaning if you don't comply with all requirements, including but not limited to Section 3). That sanction is that non-compliance "will automatically terminate your rights under [the GPLv2]". That's the situation in which virtually every Android OEM is now: almost everyone was out of compliance at some point, and it doesn't matter whether someone did the right thing 99% of the time -- non-compliance at just one point in time "will automatically terminate" the license. Matthew Garrett, a well-known GPL activist, checked on the compliance of Android tablet manufacturers with the source disclosure requirement -- you can find the results here. There are various well-known device makers who've been criticized over alleged non-compliance. And as Naughton observed in a different article, the compliance record is probably even worse in connection with Honeycomb, an Android version for tablet computers that Google made available to only a few select OEMs without publishing its source code.

In other words, it's hard to find an OEM who has always complied.

Unfortunately, those OEMs can't argue with any source code publications by Google itself in the past. As Naughton points out on his blog, every company distributing GPLv2-licensed code has that obligation and can't use compliance by someone else upstream as an excuse for its own non-compliance:

"Google's recent posting of some source code on the Android Open Source Project (AOSP) site doesn’t protect OEMs: it’s quite clear that the obligation to provide source code is personal to each and every person in the supply chain, and a commercial entity cannot rely on others to provide the relevant source code. In addition, because the source that Google has posted is a blind dump without any manifest, it is very difficult to determine whether it meets the 'corresponding source' requirement of the GPLv2."

To finish this explanation of GPLv2 Section 4, its third (and last) sentence just protects those who receive a program from a non-compliant party that lost its license, as long as the recipients then act in compliance.

SFC/SFLC position on license termination and remediability

Naughton published several filings from the aforementioned BusyBox litigation, and those relate to a preliminary injunction that the SFLC sought on the SFC's behalf against Best Buy. That motion was never decided on by the court because the parties settled, and it's a safe assumption that Best Buy had to cough up a significant amount of money to resolve this matter.

This is what they tried to do: the SFC and SFLC teamed up with just one contributor to the BusyBox projects. The developers of that one also include Bruce Perens, who probably wrote most of the Busybox code but did not participate in the SFC's and SFLC's enforcement actions.

BusyBox calls itself, according to Wikipedia, "the Swiss Army Knife of Embedded Linux". Indeed, it appears to run on a lot of Linux-powered devices. Best Buy got sued because it distributes one or more of those devices. I personally believe that intellectual property rights should usually be enforced against infringing publishers/manufacturers rather than mere resellers, but that's a separate issue.

In the original complaint filed in late 2009, the legal allies of that BusyBox contributor asked the court for "injunctive relief", more specifically, that Best Buy (and all the other defendants) "be enjoined and restrained from copying, modifying, distributing or making any other infringing use of Plaintiffs' software". In January 2011, they asked for a preliminary injunction against Best Buy and another company (Phoebe Micro).

Obviously, Best Buy opposed that motion. In its opposition, Best Buy pointed to the fact that it had addressed any potential compliance issues. But in their reply brief to that one, SFC/SFLC asserted the following:

"Further, once Best Buy made a distribution of BusyBox that did not comply with the license terms, the license terminated, and therefore any further act of copying or distributing BusyBox by Best Buy (even if in compliance with the license) is without [a particular author's] permission. [...] Thus, Best Buy's failure to comply with the license has terminated any right it may have to make any copies or distributions of BusyBox and its ongoing distribution of BusyBox therefore infringes Andersen's copyrights regardless of whether the distributions today are in compliance with the open source license."

That may sound tough, but that's the position of the Free Software movement, and it's actually reasonable given that the language of GPLv2 Section 4 ("automatically terminates") is indeed very strict. The reply brief I mentioned also stresses something that would apply to smartphones and tablet computers:

"Compliance after the fact will not remedy that loss [of the license], because consumer electronics like Blu-ray disc players fall into disuse quickly, whether from malfunction or obsolescence."

Also, it's not sufficient to just comply with any future release of the same open source software. If there's just one author whose contribution hasn't even changed, he'll argue that by losing the original GPL-based license grant, you're unlicensed and need to strike a new deal with him.

So what could remedy the loss of the license? According to the SFC/SFLC, the only option is to secure a new license from each and every original right holder (contributor). In the specific case of Linux, that means (literally) thousands of people. And any one (or more than one) of them could team up with lawyers like that litigious BusyBox contributor (who isn't even the principal author of that particular program) and bring the same kinds of claims against the vast majority of Android device makers. Who knows, some of them might even pull an Apple.

[Update on August 19, 2011] The Free Software Foundation (FSF) has issued an official statement on this issue, confirming the substance of the concerns and highlighting that this problem would not exist if Linux switched to GPLv3. [/Update]

If you'd like to be updated on the smartphone patent disputes and other intellectual property matters I cover, please subscribe to my RSS feed (in the right-hand column) and/or follow me on Twitter @FOSSpatents and Google+.

Share with other professionals via LinkedIn: