Celebrating the FSF’s 35th anniversary: Stories from the Licensing and Compliance Lab
Since 2001, the Free Software Foundation (FSF) Licensing and Compliance Lab has provided the legal muscle to defend free software, and has supported software users, programmers, legal professionals, and activists who want their software to remain free. FSF representatives had done copyleft enforcement before this, but the founding of the Lab was a big step toward formalizing and organizing this work. You may have already read licensing and compliance manager Donald Robertson’s comprehensive accounting of the current functions of the team, but today, following our thirty-fifth anniversary celebration, we’re taking a look back at the role this team has played over the course of the FSF’s thirty-five year-long history, and some milestones along the way.
Like the other accounts written for this series, which focused on the campaigns team and the tech team's histories, this is far from a complete story of the FSF’s licensing work: there are important milestones that we were barely able to touch upon, and important people involved whose stories and voices aren’t represented here. It’s also possible that some details may have been missed or lost to time.
However, a few facts are very clear throughout: defending the GNU General Public License (GPL) has long been a massive task, and it was with the establishment of the Licensing and Compliance Lab that this effort was systematized. As with the rest of our work, licensing depends on the financial support and volunteer power of our supporters, and FSF associate members are the most passionate supporters of all. This is why our current fundraiser period is focused on a membership goal -- and we're so close! As of this writing, it's down to fewer than fifty new members to reach the total of five hundred, and we hope you'll help us get all the way there. Please continue spreading the word about why all software must be free, and if you’re not already an associate member of the FSF, I urge you to join today so we can do this work.
Also, please note: in this piece, any quotes and information gleaned from a publication is linked to the original source. Any quotes that do not have links originate from conversations with the individuals who are being quoted.
In the beginning, there was copyleft
In 1985, in the GNU Manifesto, FSF founder Richard Stallman (RMS) wrote:
"GNU is not in the public domain. Everyone will be permitted to modify and redistribute GNU, but no distributor will be allowed to restrict its further redistribution. That is to say, proprietary modifications will not be allowed. I want to make sure that all versions of GNU remain free."
Merely putting a program in the public domain wouldn’t have been adequate, since that would make it possible that developers would redistribute the program as proprietary, or incorporate it in other proprietary programs. It would be one step forward and two steps back, not helping to build a lasting body of free software. Accordingly, while RMS was not the first software developer to use the term "copyleft," he was the first to elaborate on the concept and hammer it into a legal framework, the GPL.
The early FSF was far less structured than it is today, and while developing the GNU operating system was its central intended task, it became quickly obvious that the legal side of things would need some attention, and so the first GNU General Public License was born. RMS writes:
"When I started the FSF, in October, 1985, the plan was to obtain funds and computers to use for developing the GNU operating system. However, people were already offering code contributions, and the FSF made it possible to ask for copyright assignments for contributed code and thus enable the FSF someday to enforce copyleft on the code. The first copyright assignment was signed in November, 1985, by William Schelter for telnet.el, a contribution to GNU Emacs."
The original GPL is dated 1989; it was quickly replaced by the GPLv2 in 1991. However, you can find references to the GNU General Public License as early as the June 1988 issue of the GNU Bulletin, and see more of the early discussions in other issues in the GNU Bulletin archive. The January 1991 issue mentions the upcoming GPLv2 in passing: "There are no real changes in its policies, but we hope to clarify points that have led to misunderstanding and sometimes unnecessary worry." In the June 1991 issue, RMS writes, "The changes are mostly clarifications, but there are new provisions to deal with the effect of software patents."
There’s very little discussion in early documents of any actual legal wranglings. The earliest mention I was able to find of any court cases was in the June 1995 issue, with some news on legal battles from Dean Anderson, the president of the League for Programming Freedom, and a legal defense fund appeal for Phil Zimmermann, original author of the public-key encryption program known as "Pretty Good Privacy," which enabled an OpenPGP standard, implemented by free programs like GnuPG, used at the FSF. In terms of overall enforcement, there was also a situation wherein the GNU Emacs Public License was enforced in 1989, leading to a successful result of the company sharing their improvements under the same license as Emacs. However, the centrality of the GPL to free software was already clear, and in January 1994, the FSF began selling T-shirts with the GPL on the back (why not use that space for some good propaganda?).
The GPL Compliance Lab, or: Licensing & Compliance team 1.0
RMS himself doesn’t remember many details about early GPL enforcement; Wikipedia states that from 1991 through 2001, RMS mostly managed enforcement informally on his own via short email exchanges, with help from the FSF’s lawyer at the time, Eben Moglen. (We welcome any corrections from any readers who were involved at the time -- this is your story and these are your achievements!)
By 2001, it was clear that a more systematic and formal approach was needed to defend the GPL, and it’s also at this point that documentation becomes easier to find. Bradley Kuhn, who started at the FSF as RMS’s assistant and later became executive director, spearheaded the formation of what was then known as the GPL Compliance Lab.
Peter Brown, who was the executive director of the FSF from 2005 through 2011, wrote:
"When I started working at the Free Software Foundation in September 2001, it was to join a team that then-executive director Bradley Kuhn was putting together. It was a period of transition for the FSF. Most of our activity at that time involved publishing and distributing free software and free software documentation as part of our GNU Press operation. Building the FSF GPL Compliance Lab and expanding the infrastructure and support for the GNU Project were early priorities in those days, along with finding new sources of funding for our work. When Bradley left the FSF in 2005 much of that agenda had been achieved."
LWN.net reported in 2002 that the early GPL Compliance Lab included Bradley, GPL compliance engineer David "Novalis" Turner, a part-time copyright assignment clerk, and two pro bono lawyers. They wrote, "According to Mr. Kuhn, the demand for the Lab's services could easily employ twice as many people; in particular, more lawyer time is needed. But, since the FSF lacks the funds to actually hire a lawyer, it is entirely dependent on pro bono work." This article emphasized repeatedly the need for more financial support, and for more hands on deck: they wrote, "the FSF is not exactly overflowing with funds, and has never been able to find the time to set up its own Web site."
David Turner joined the team via Bradley Kuhn, whom he met at a Perl conference, and initially he applied as a sysadmin, but was beaten out by Paul Fisher, who wrote the first version of Red Hat's installer. David started his tenure at the FSF working from his home in Pennsylvania, but when he began work in the Boston office, he discovered exactly how explicit the do-it-yourself ethic of free software is: "I was pointed to a pile of donated computer parts and told, ‘build yourself a computer.’ I did."
Early high-profile enforcement cases included a "beef" with the now long-defunct OpenTV, who were not giving proper access to source code to software tools created under the GPL to programmers who asked for it. Bradley and David also wrangled with Linksys/Cisco about GPL violations (more on Cisco later). This snippet from a letter to GNU/Linux developers early on in the Cisco battle illustrates a bit about what compliance work was like at the time:
"GPL violations sometimes take time to resolve. We wish that we could force resolution quicker, but we haven't found a way to do that. We have, however, discovered a variant of Brooks's Law: adding more lawyers to a GPL violation usually makes it take longer. Lawyers are reluctant to admit to mistakes, because they fear it could be used against them. Engineers and product managers are typically interested in fixing mistakes, so we try our best to work with them first before escalating to legal teams on both sides. Such escalation has happened on this violation, so it will take additional time to resolve the matter."
The GNU General Public License version 3 (GPLv3)
By 2005, a third version of the GPL was underway, and according to Richard Fontana, a key member of the team that created the GPLv3, it was a much more involved and intense process, with many, many cooks in the kitchen. Fontana told me:
"From late 2005 to the end of June 2007 the FSF was actively engaged in the drafting of the new version of the GNU GPL, GPLv3, including managing an unprecedented public license drafting process that included several committees of invited experts and a number of international events, all done under the scrutiny of the free software community and the technology press. At the time I was a lawyer at the Software Freedom Law Center (SFLC), which was then outside counsel for the FSF on GPLv3 and other matters. I was hired by SFLC primarily to work on the GPLv3, and had only joined a month before the FSF’s GPLv3 launch event in Cambridge in January 2006. It’s a little difficult to sum up my role in this effort, but it was a combination of drafting, research, strategy, outreach, advocacy, showmanship and cat herding."
One favorite memory Fontana shared from this process:
"Around September 2006 many were voicing the opposition to the GPLv3 draft as it existed at the time, including above all some of the most prominent Linux kernel developers. Much of that opposition was focused on the anti-lockdown provisions of the license (now located at the end of GPLv3 section 6). The conventional wisdom was that the FSF was seeking to advance policies that were legally and commercially impractical. Yet at a pivotal meeting of the lawyer-dominated vendor committee in a small conference room at a dreary airport hotel in Chicago, the FSF’s lawyers asked a simple question: as I recall it, it was ‘who here believes you should have the right to replace the GPL-licensed software running on a device that you own.’ Nearly every vendor lawyer in the room raised their hand."
Fontana also notes that back then, as today, the work of the FSF was highly collaborative, with staff at all levels making important contributions, and he gives David Turner and his successor, Brett Smith, much credit: "My conversations with Novalis and Brett on GPL interpretation, GPL enforcement, and free software legal policy led to significant changes and improvements in the text of the whole suite of GPLv3-family licenses."
David exited in 2006, to move closer to his then-girlfriend (who is now his wife), but is proud to say that "At one point, I actually convinced RMS of something. Yep, it's because of me that we have GPLv3 section 6(b)(2)." He elaborated:
"That is the section that allows Internet distribution of source code. Since RMS is not always aware of trends in modern technology, he thought that distribution on physical media was a good idea. I didn't. I think Richard said to me that I was always nitpicking over little details but that I could have 100 lines to explain my position. I used 40 and reserved the rest for rebuttals, but I didn't end up needing them."
One important improvement addressed by the GPLv3 was "tivoization." RMS writes:
"Tivoization means certain "appliances" (which have computers inside) contain GPL-covered software that you can't effectively change, because the appliance shuts down if it detects modified software. The usual motive for tivoization is that the software has features the manufacturer knows people will want to change, and aims to stop people from changing them. The manufacturers of these computers take advantage of the freedom that free software provides, but they don't let you do likewise."
While TiVo is no longer a household name, this unethical power dynamic -- locking down devices, especially devices that contain software under free licenses -- has only grown more prominent and more important.
Around the same time as the GPLv3 was released to the world, the GNU Affero General Public License, version 3 (AGPLv3) was also created: designed as the "spiritual successor" to the Affero General Public License, it had the same terms as the GPLv3 plus a term requiring license users to offer a modified program's source to users who interact with it over a network. Brett Smith, who was the licensing compliance engineer at the time of the release of the GPLv3, wrote in the Fall 2007 Free Software Foundation Bulletin:
"AGPLv3 advances a vision of how freedom works in the computing environment of today and tomorrow. Before this, GPLed Web applications provided a lot of good for the community despite their limitations… AGPLv3 takes that one step further by putting developers on a more level playing field..."
"A big conversation about freedom on the network is beginning. We think that AGPLv3 and the code that uses it will add a lot to the discussion, but that’s not going to be the end of it. We’re looking forward to new technology that can provide the benefits of Web services but keep control in users’ hands. We also want to see what community norms take shape around this kind of software – what you all think deployers ought to do, and what it would be nice of them to do."
I asked Donald Robertson, III, our current licensing and compliance manager, how this has played out in the thirteen years since the GPLv3 was newly minted. He answered:
"I think this was the big outcome https://wiki.p2pfoundation.net/Franklin_Street_Statement_on_Freedom_and_Network_Services, which was a statement on what should be considered a free network service. As for the technology, there's been some cool stuff like GNU FM, GNU social, and MediaGoblin, that lets users still control their computing in a network environment by enabling federation. So users can get updates from the FSF's instance of GNU social https://status.fsf.org while maintaining their instance, keeping complete control over their own data."
Just how do you become the licensing and compliance manager, anyway?
While I personally might prefer to claim that our publications are the main vector bringing people into the free software world, a large number of the people who are most devoted to our cause are introduced by a friend or colleague. In Donald Robertson’s case, nineteen years ago, when he began college, his computer at the time had "a particularly terrible version of Windows installed, which had constant problems." A friend in the computer science department offered a unique solution: GNU/Linux. Donald writes:
"Wanting to learn all about the new system I was using, I learned about the GPL and copyleft. When I went to law school I was still really into free software and software licensing in general, and put a fair amount of focus into that practice area, including writing my law review note about derivative works of software and the free software movement. When I graduated law school, I saw an ad on Craigslist for a position working on the licensing team, and the rest was history."
When Donald began as a copyright administrator (also sometimes referred to as copyright clerk) in 2008, copyright assignments were still being handled by snail mail. He writes, "Over the next few years we worked out getting scanned copies and GPG signed assignments for various countries, until just a few years ago, when we made the move to everyone being able to avoid the post."
One of the biggest events of Donald’s early years here was the FSF’s first and only filed compliance lawsuit, against Cisco Systems, Inc.. The FSF had been attempting to bring Cisco into compliance since 2003, in what Brett Smith described as a game of Whack-A-Mole: first, the FSF discovered that the popular Linksys WRT54G wireless router was using a GNU/Linux system in its firmware, but wasn’t providing the necessary source code to customers. When our team tried to address this, more reports of Cisco products that were not in compliance started rolling in. Brett writes,
"New issues were regularly discovered before we could finish addressing the old ones… Despite our best efforts, Cisco seems unwilling to take the steps that are necessary to come into compliance and stay in compliance. We asked them to notify customers about previous violations and inform them about how they can now obtain complete source code; they have refused to do this, along with the other reasonable demands we have made to consider this case settled. The FSF has put in too many hours helping the company fix the numerous mistakes it's made over the years. Cisco needs to take responsibility for its own license compliance."
Prior to this, every compliance case had been hammered out without needing to resort to the court system; as it says in The Principles of Community-Oriented GPL Enforcement,
"Legal action is a last resort. Compliance actions are primarily education and assistance processes to aid those who are not following the license. Most GPL violations occur by mistake, without ill will. Copyleft enforcement should assist these distributors to become helpful participants in the free software projects on which they rely. Occasionally, violations are intentional or the result of severe negligence, and there is no duty to be empathetic in those cases. Even then, a lawsuit is a last resort; mutually agreed terms that fix (or at least cease) further distribution and address damage already done are much better than a battle in court."
However, in this case, Donald writes, "with Cisco, years of trying to work through their predecessor's compliance problems didn't generate the progress we were hoping for, so we had filed a lawsuit. It was quickly settled, and compliance was achieved."
There’s an even brighter silver lining to this story: Cisco later became a contributor to the GNU Project. "It really is a success story in bringing a violator into the free software community," Donald wrote.
The birth of the Respects Your Freedom (RYF) certification
Another important milestone in the recent years of the Licensing and Compliance Lab was the introduction of the Respects Your Freedom (RYF) hardware certification program. Obviously, free software isn’t very useful if you don’t have a device to run it on, so there had always been running lists of devices that will run with a fully free operating system; you can currently find and contribute to an excellent resource on this topic at h-node.org.
However, the shortest route to software freedom is to purchase devices with freedom already included, so in 2010, discussion began in earnest about a hardware certification program. Donald writes,
"All the previous resources could let users know what hardware would work with free software, but you still had to buy that hardware, and when you did, it generally came with tons of proprietary software included. What RYF did was for the first time give you a listing of retailers who would sell you hardware that not only worked with free software, but that would come with freedom inside. Knowing that you can install free software on a device is nice, but knowing that you don't have to because the retailer respects your rights is even better, and that's why we created RYF."
RMS had requested this program while Brett Smith was the FSF’s licensing and compliance engineer, but Donald says that the idea "wasn’t fully formed" until Joshua Gay, who started at the FSF when the campaigns team was formalized in 2007, took over the licensing team in 2012. Prior to this, you could find short lists of recommended complete systems, like this one from 2008, but the team wanted to more formally systematize how devices were vetted, and help companies use an FSF endorsement to promote their products.
The first formal certification was issued to the LulzBot AO-100 3D printer in October, 2012. Josh wrote, "In order to award our first RYF certification to a hardware product, we had to accomplish a lot of other firsts, including: creating a logo/certification mark, certification lab and (re)certification process and negotiating a contract."
The RYF program started out slow, with a handful of certifications in 2013 and 2014, six products in 2015, and ramped up fast over the course of the 2010s, with fifteen devices just from Technoethical alone certified in June 2017, just before I started at the FSF. By the time I joined the campaigns team in July 2017, it was clear that the long list of devices that you had to scroll down on a single page wasn’t doing justice to the sheer number of excellent choices that RYF offered users, so in 2019, we unveiled a user-friendly stand-alone RYF Web site. Now, you can browse by vendor and device type, and when you discover which device meets your needs, an individual product page will direct you to the vendor’s Web site. How high are our standards, you ask? We even examine the vendor’s Web site to make sure you can browse and purchase their products without violating your software freedom!
Today and the future
Right now, Donald leads the licensing team in a plethora of activities that helps users and programmers navigate the world of free software. The part-time copyright clerk position is now a full-time copyright and licensing associate position, held by Craig Topham, who joined us in 2018 -- and it's thanks to our associate members and generous donors that we were able to sustain another full-time employee. We're also immensely grateful for the help of the pro bono lawyers who continue to generously give their time and expertise to support this important work.
This story is far from over, but every article needs to end somewhere, so I’ll let Craig have the final word, with some wise words about the importance of free software from his introductory blog:
*"I find it rewarding to be a part of something larger than myself, and this role puts me on the front lines of an important movement which spans the whole globe. The free software movement is invaluable because humanity is faced with a critical binary choice that will determine the quality of our collective future: when it comes to computers, we either control these machines or we don't. It is that simple, especially since we now live in a world that is inseparably intertwined with this technology. If we don’t control these machines, the challenges of keeping personal privacy, retaining freedom of speech, and having transparency in governments will be nearly impossible to overcome. Free software does not guarantee success to these challenges, but free software is understandably a prerequisite. If the free software movement fails, our prospects would be very dim, and a nightmarish dystopia awaits. Fortunately, from a widely held point of view, the movement has been very successful, but there is obviously still far more work to be done. I am here to do that work."
Illustration Copyright © 2020, Free Software Foundation, Inc., by Raghavendra Kamath, Licensed under Creative Commons Attribution 4.0 International license.
Screenshot Copyright © 2020, Free Software Foundation, Inc., Licensed under Creative Commons Attribution 4.0 International license.