27 September 2006

GPL v3: The Missing Piece

There has been a lot of GPLv3 discussion on tech sites. Perhaps predictably, a lot of it has missed the point or miscategorized the changes.

If you read the history of the Free Software Foundation and the GNU Public License, you discover that it all came about because Richard Stallman found himself having to use broken software that he wasn’t allowed to fix. The entire purpose of the GPL is to ensure that everyone who uses a piece of GPL-licensed software can change that software, use the changed version, and distribute it to other people.

The GPLv3 changes are not some radical new direction; there’s no bait-and-switch going on. The problem is simply that a number of organizations have found ways to use GPL-licensed software, but still break the spirit of the license by preventing users from being able to change the software, use the changed version, and distribute it.

One loophole is the TiVo approach: you use GPL software, but you lock down the hardware so that if the user changes the software, they can’t use the changed version. If you don’t think that’s a big deal, consider that many new PCs already contain so-called Trusted Computing functionality, designed to allow exactly this kind of lockdown—it just hasn’t been turned on yet.

Microsoft plan to use the lockdown hardware in Windows Vista, to control who can make changes at the system kernel level. As their FAQ states, there is literally no way for you to get around it, even if you want to. You may own the machine, but if you want to run Vista you can only run what Microsoft says you can run.

Of course, the list of code Microsoft wants you to run includes “Digital Rights Management”. So Microsoft will have a way to guarantee that only their DVD driver code can be executed inside Vista, and hence guarantee that region coding continues to annoy people who want to watch their legally purchased DVDs. They should be able to lock things down so that nothing short of replacing the CPU and BIOS of the machine will be able to break the protection.

In other words, “Trusted Computing” is about who Microsoft trusts; and you are conspicuously absent from the list, even if you own the computer. This is a controversial attitude, and as a result the lockdown feature keeps going through rebranding exercises. As well as “Trusted Computing” you’ll also see it referred to as Palladium, NGSCB, and LaGrande Technology.

It’s not much of a stretch to imagine that someone might want to see PCs on the market that can only run the Windows Vista OS kernel—or more importantly, can’t run Linux. Or how about a cheap PC that runs Linux, but plays you annoying ads? It could be locked down so that you couldn’t turn off the ads, and couldn’t even change and run any of the GPL code used on the machine. And that’s just the start of what’s possible; security expert Ross Anderson has a TCPA FAQ which outlines some other possibilities.

The second loophole is the software patent approach: you use GPL software, but you hold patents on algorithms you incorporate into it. Users can copy and change the software, but they are legally prohibited from running it without a license to the patent. This kind of thing has already happened; the ISO MPEG group released MPEG-1 layer III (MP3) encoder and decoder source code, but using it was prohibited unless you licensed patents from Fraunhofer Institute. They could have released the source under the GPL (version 2) and it wouldn’t have made any difference; you still wouldn’t be allowed to use it without paying Fraunhofer. That’s why many Linux distributions don’t support MP3 playback out of the box, and none of the big distributions provide binaries of the LAME MP3 encoder.

That the loopholes are breaches of the spirit of the GPL ought to be blatantly obvious to anyone. Unfortunately, there are lots of entrenched interests keen on being able to continue to exploit the loopholes, so a lot of misleading information is being spread.

However, with all the sound and fury about software patents and Trusted Computing, there are other big loopholes going unpatched.

I’d like to see GPLv3 close what I think of as the “Firefox loophole”. It’s a bit like the patent loophole, but you use trademark law instead. Basically, you make the GPL-licensed code implement a distinctive visual look—which you obtain a trademark on. You then prohibit anyone else from distributing software with that trademarked visual look.

Trademarks can be extremely broad. Pepsi trademarked the shade of blue they used on cans of the short-lived Pepsi Blue; UPS have trademarked the color of brown used on their vans. Apple have trademarked the visual appearance of many of their distinctive designs; for example, the visual appearance of the front of an iPod is a trademarked design.

So, consider a software iPod. It could be built entirely using GPL-licensed code, and Apple could ship it as part of OS X. They could release the source code, too. Yet nobody would legally be able to port the GPL-licensed code and run it on Linux and distribute the result, because that would be ‘diluting’ Apple’s trademark in the marketplace.

I call this the Firefox loophole because the Mozilla Foundation already used the loophole against the Debian Linux distribution (and hence Ubuntu). While Firefox is open source software, the logos and the name “Firefox” are trademarked. The Debian project could ship a web browser that was functionally identical to Firefox, but they couldn’t call it Firefox or give it a logo that people would recognize. Eventually a compromise was reached (call it Firefox but don’t use the logo), but still, the loophole had been demonstrated.

The Firefox loophole is potentially severe, because unlike copyrights and patents, trademarks never expire, and a law has been passed removing all fair use rights—it just needs to be tidied up by committee and passed on to the President for signing. (It’s H.R.683, the Trademark Dilution Revision Act of 2005.) Soon all the necessary legal framework will be in place to prevent even non-profit use of the distinctive trademarked appearance of GPL-licensed code.

© mathew 2017