License Violations and Compliance
We receive reports about free software license violations from the public every month, and we investigate them all. Since the FSF holds the copyrights for a number of popular programs, such as GNU bash and wget, we can usually take immediate action against the violator — and either way, we work with other interested copyright holders to help ensure everyone's licenses are protected.
Many copyright holders seek monetary damages when their license is violated. We do not — we only want violators to come back into compliance, and help repair any harm done to the free software community by their past actions. Because of that, we contact violators directly, and negotiate a strategy with them that best accomplishes those goals. Oftentimes the violation is unintentional, and people are happy to have help getting their work straightened out. When a violator is less cooperative, we call on the resources of the Software Freedom Law Center to help come to an agreement.
The Life of a Compliance Case
A compliance case has a sort of life cycle. It starts with a report which we receive. We investigate that report and work to confirm the violation. Once we've done that, we use a number of methods to establish contact with the violator. When we start talking, we begin the work of bringing the violator into compliance, and the process ends once that's done.
We provide instructions for reporting license violations. All of our cases start this way — we don't go looking for them on our own. We need to know at least three things:
- Who: The company, organization, or individual who has violated the license.
- What: The software involved in the violation. For us to take direct action, we'll need to hold the copyright on at least one of them. If that's not the case, we can usually pass on the information to another interested copyright holder.
- How: Which requirement in the license has been violated, and through what means.
Of course, more information is almost always better. When it's not immediately obvious where the free software is, some people tell us how they found it, and that's a big help. Contact information for the company and details about previous correspondence are nice as well. These three things are the necessities, though. If a report doesn't tell us enough to figure them out, we'll ask the person who sent it for the missing details.
We use the information above to gather any evidence we need to prove beyond a reasonable doubt that the violator has breached one of the license requirements for FSF-copyrighted software. What we save will depend on the type of violation that has occurred. For instance, many violations take place when a company distributes free software over the web without providing a copy of the source, or appropriate written offer. In that case, we'll check out the software they're distributing (to know that it's ours and doesn't include source) and the surrounding web pages (to make sure that the source isn't distributed elsewhere on the site, and there's no written offer).
We often have to be certain that a distributor is not providing something, such as a copy of the license or source, and it can occasionally be hard to do that. For example, suppose you're using a computer at a library, and find out that it's using some GPLed code. You can't find a copy of the GPL anywhere, so is it violating? To answer that question, we'd have to ask the library's sysadmins how they received the software: did it come in a box? Did the box include a printed copy of the GPL? Was a copy included on the installation media? And so on.
Once we're certain a violation has occurred, we try to contact the violator. This can be harder than it sounds, as I'm sure you know if you've ever tried to get in touch with a company that only gives you a web contact form to use. First we send an e-mail that explains our concerns, asks for clarification, and explains how the compliance process works if there is a problem. If that doesn't work, we'll send follow-up e-mails, phone calls, and faxes. If push comes to shove, we ask our lawyers to bear down on them.
Once we get a response from someone who can handle the case, we can begin bringing them into compliance.
Once we have established that a violation has occurred, we explain to the violator what they must do to come into compliance. They'll make some appropriate changes — to their software, their product, their web site, or whatever's affected — and let us know. We check those changes, tell them about any new or outstanding issues we find, and ask them to make more changes. This back and forth goes on as long as necessary.
This can be a fairly intensive process, because we cannot simply rubber-stamp any token effort the violator makes. We examine everything carefully: we try to build the source they provide, scrutinize written offers to make sure everyone can use them, and so on. When the violator is cooperative and responsive, things move quickly. Otherwise, this work can span a number of months.
We also ask violators to do what they can to amend their errors. For example, if they failed to provide source to their previous customers, they may be able to contact those people to offer it now, or at least make the information public so anyone who's interested can find it. They can usually manage to do something that helps give users back the rights they were always supposed to have under the license.
When this work is finally finished, we formally restore the violator's rights under the license — contingent upon their continued compliance, of course — and the process is complete.
If you'd like to learn more about our compliance work, please contact us.