An injunction against Fortinet for GPL violations
From: Harald Welte <laforge-AT-gpl-violations.org>
To: Harald Welte <laforge-AT-gpl-violations.org>
Subject: Fortinet Violates GPL - Court grants preliminary injunction
Date: Thu, 14 Apr 2005 10:44:06 +0200

http://gpl-violations.org/news/20050414-fortinet-injuncti...

FOR IMMEDIATE RELEASE
---------------------

FORTINET VIOLATES GENERAL PUBLIC LICENSE IN SECURITY PRODUCTS
Munich court grants preliminary injunction halting sales

BERLIN, Germany - Apr. 14, 2005 -- The gpl-violations.org project has uncovered violations by Fortinet UK Ltd., the UK subsidiary of Fortinet Inc., of the GNU General Public License (GPL). According to gpl-violations.org, Fortinet used GPL software in certain products and then used cryptographic techniques to conceal that usage.

As a result of this violation, the Munich district court has granted a preliminary injunction against Fortinet Ltd., banning them from further distribution of their products until they are in compliance with the GNU GPL conditions.

The GPL licenses software without collecting royalties, but requires any distributor to provide the full corresponding source code and a copy of the full license text.

"This violation by Fortinet is especially egregious since the vendor not only violated the GPL, but actively tried to hide that violation," said Harald Welte, Linux Kernel developer and founder of the gpl-violations.org project. "We are not in any way opposed to the commercial use of Free and Open Source Software and there is no legal risk of using GPL licensed software in commercial products. But vendors have to comply with the license terms, just like they would have to with any other software license agreement."

Fortinet offers a variety of Firewall and Antivirus Products (the FortiGate and FortiWiFi product series), on which Fortinet claims to run the "FortiOS" operating system. However, as the gpl-violations.org project uncovered, "FortiOS" is using the Linux operating system kernel and numerous other free software products that are licensed exclusively under the GNU GPL. This information was not disclosed by Fortinet.

Following a warning notice by the gpl-violations.org project on March 17, 2005, Fortinet did not sign a declaration to cease and desist. Out-of-court negotiations on a settlement failed to conclude in a timely manner. Thus, the gpl-violations.org project was compelled to ask the court for a preliminary injunction, banning Fortinet from distributing its products, unless they are in full compliance with the GNU GPL license conditions.

About the gpl-violations.org project

In the past 15 months, gpl-violations.org has helped uncover and negotiate more than 30 out-of-court settlement agreements. The gpl-violations.org project is a not-for-profit effort to bring commercial users and vendors of Free Software into compliance with the license conditions as set forth by the original authors. The project was founded and is managed by Mr. Harald Welte, a Linux Kernel developer and Free Software enthusiast.

For more information on the project, its mission, milestones and goals, please see http://gpl-violations.org/

Media contact:
gpl-violations.org
Phone: +49-30-24033902
Email: laforge@gpl-violations.org

--
- Harald Welte <laforge@gpl-violations.org> http://gpl-violations.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)

Posted Apr 14, 2005 17:32 UTC (Thu)
by azhrei_fje (guest, #26148)
[Link] (5 responses)
From what I've heard so far, I like the approach being taken in this process: contact the alleged offender and ask them if they knew what the situation was, then send a C&D letter, then ask for an injunction in court.
To me, it shows an interest in working with the manufacturer before just taking them to court. I would like to know what the time frame was between sending the C&D letter and filing for the injunction, though. If the C&D was sent on March 17th, then they must've filed for the injunction about 2 weeks later, given that the courts will take a week or two to review the case and make a decision. I'm not sure two weeks from C&D to injunction is long enough; on the one hand, it should be done right away, but on the other hand, it might take some time for a C&D letter to get to the right people.
Posted Apr 14, 2005 18:48 UTC (Thu)
by euvitudo (guest, #98)
[Link]
Posted Apr 14, 2005 21:20 UTC (Thu)
by ncm (guest, #165)
[Link] (3 responses)
Posted Apr 15, 2005 6:35 UTC (Fri)
by freddyh (guest, #21133)
[Link]
Posted Apr 15, 2005 6:46 UTC (Fri)
by Duncan (guest, #6647)
[Link]
Posted Apr 21, 2005 16:57 UTC (Thu)
by bastiaan (guest, #5170)
[Link]
Posted Apr 14, 2005 20:02 UTC (Thu)
by chbarts (guest, #28896)
[Link] (6 responses)
I'm probably being irrationally paranoid, but this smells like a case where the DMCA could easily be abused. If Fortinet claims that their encryption is an anti-piracy measure, whoever cracked it could be facing some serious shit. Hopefully, Fortinet's own copyright violations will render that path untenable. But in the US court system, you can never rely on the intelligence of judges.
Posted Apr 14, 2005 20:13 UTC (Thu)
by nedrichards (subscriber, #23295)
[Link]
Good thing the action is taking place in the Munich district court then.
Posted Apr 15, 2005 6:47 UTC (Fri)
by freddyh (guest, #21133)
[Link]
> I'm probably being irrationally paranoid, but this smells like a case where the DMCA could easily be abused. If Fortinet claims that their encryption is an anti-piracy measure, whoever cracked it could be facing some serious shit.
Luckily, under German law you *are* allowed to do reverse engineering if the thing you are reverse engineering includes your own work. I would guess this clause is available in other jurisdictions as well, although I am not sure. I would also guess that in the US you're simply not at all allowed to do this.
Posted Apr 15, 2005 13:15 UTC (Fri)
by ernest (guest, #2355)
[Link]
Posted Apr 15, 2005 13:58 UTC (Fri)
by bbigby (guest, #29308)
[Link] (2 responses)
Even if you say, "Ah, but the DMCA protects the part of Fortinet's product that is theirs." Perhaps, but there is something in law, called "unclean hands." You cannot receive compensation for a loss when you have acquired gains from breaking the law. Besides, gpl-violations.org did not circumvent the protections in order to use the software. They did it to reveal GPL violations. I think that matters in the law. If gpl-violations.org had not found any violations, they would have quietly discarded the information that they acquired. None would be the wiser.
Posted Apr 15, 2005 19:30 UTC (Fri)
by khim (subscriber, #9252)
[Link] (1 responses)
> Besides, gpl-violations.org did not circumvent the protections in order to use the software. They did it to reveal GPL violations. I think that matters in the law.
It should. Since reverse engineering not for purpose of using the product is done every single day on millions of computers around the world! How? Why? Easy: anti-virus software. It does automatic reverse engineering of each and every program to catch "virus-like activity". If you'll think about it, this is exactly the same procedure copyright holder must do to catch copyright violation when code is obfuscated. And when automated procedure fails anti-virus companies continue with manual reverse engineering and then add more sophisticated algorithms in automatic version.
Posted Apr 16, 2005 8:16 UTC (Sat)
by xoddam (subscriber, #2322)
[Link]
On the other hand, if you ran a company, wouldn't you take a C&D seriously, or would you consider a C&D threat from a bunch of FOSS people to be insignificant and toothless? Hopefully this will send a message that FOSS licenses should be taken seriously (some companies seem to take, e.g., the GPL, seriously, as there are so many alternative OS licenses to the GPL that have sprung up in recent years--CPL, SISSL, etc.).
Time Limit
In German law, I gather, you are obliged to file suit within a fixed amount of time (30 days? Two weeks?) after you are first informed of the violation, or lose the right to sue. They can't afford to be too accommodating. In U.S. case law it's a lot more fuzzy. After a while they seem to be able to claim squatters' rights, in violation of the written statute.
Time Limit
The time limit under German law is indeed one month. Harald Welte gave a very nice presentation about the GPL-violations project on Fosdem in which he explained much of the procedure (http://www.fosdem.org/2005/index/speakers/speakers_welte), unfortunately the sheets of his presentation are not yet available.
Time Limit
Exactly, only I believe the time limit is four weeks (perhaps your 30
days?). Harald Welte has mentioned this specifically before, as an
important aspect of the situation. He makes the companies aware of the
situation and the ticking clock in his warnings, and has observed that in
most cases it tends to bring companies that otherwise might wish to drag
things out for years, until the product is no longer on the market anyway
and they've moved on, to the table much faster. With the clock
ticking like that, they have little recourse. If for whatever reason they
can't move fast enough, they end up with an injunction. However, AFAIK,
it has only gone that far a couple times, both ending up in our favor,
because most companies have sense enough to see the light, and recognize
they are over a barrel.
In many cases, the company hadn't the foggiest idea it was open source
code, either, because they bought it from some fly-by-nite Chinese company
or the like, and any assurances re source origin they got were entirely
worthless. At that point, they pretty much haven't a choice but to make
public their code, and in the future either resolve to check things more
thoroughly, /not/ always taking the low or fastest available bid, or
decide from the experience that it wasn't so bad after all, and they make
a point after that to check for releasable code and do so if they can.
Unfortunately, I don't know which reaction is more common, but in either
case, they end up with a better respect for GPL code, which in itself is
useful, as it strengthens the guarantees that the GPL offers.
Duncan
Time Limit
IIRC, you don't lose the right to sue after the time limit. However you *do* lose the right to apply for a temporary injunction. The reasoning is that temporary injunctions are for urgent issues, and taking more than a month to file suit demonstrates the matter is not that urgent to you.
According to gpl-violations.org, Fortinet used GPL software in certain products and then used cryptographic techniques to conceal that usage.
> Hopefully, Fortinet's own copyright violations will render that path
> untenable. But in the US court system, you can never rely on the
> intelligence of judges.
As far as I understand it, the DMCA would not even help in this case, even in the Wild West (i.e. the US). Apparently there is something about being a thief that judges dislike.
I don't think that the DMCA will protect Fortinet under these circumstances. The problem for Fortinet is that the DMCA is for protecting copyright material of the rightful owner. In this case, Fortinet is NOT the owner of the GPL'ed software. Clearly, they are violating copyright law AND the DMCA does not apply in this case.
Excellent point.
