An injunction against Fortinet for GPL violations [LWN.net]

From:		Harald Welte <laforge-AT-gpl-violations.org>
To:		Harald Welte <laforge-AT-gpl-violations.org>
Subject:		Fortinet Violates GPL - Court grants preliminary injunction
Date:		Thu, 14 Apr 2005 10:44:06 +0200

http://gpl-violations.org/news/20050414-fortinet-injuncti...

FOR IMMEDIATE RELEASE
---------------------

FORTINET VIOLATES GENERAL PUBLIC LICENSE IN SECURITY PRODUCTS

 

Munich court grants preliminary injunction halting sales 

 

BERLIN, Germany - Apr. 14, 2005 -- The  gpl-violations.org project has
uncovered violations by Fortinet UK Ltd., the UK subsidiary of Fortinet Inc.,
of the GNU General Public License (GPL).  According to gpl-violations.org,
Fortinet used GPL software in certain products and then used cryptographic
techniques to conceal that usage. 

 

As a result of this violation, the Munich district court has granted a
preliminary injunction against Fortinet Ltd., banning them from further
distribution of their products until they are in compliance with the GNU GPL
conditions.

 

The GPL licenses software without collecting royalties, but requires any
distributor to provide the full corresponding source code and a copy of the
full license text.

 

"This violation by Fortinet is especially egregious since the vendor not
only violated the GPL, but actively tried to hide that violation," said
Harald Welte, Linux Kernel developer and founder of the gpl-violations.org
project. "We are not in any way opposed to the commercial use of Free and
Open Source Software and there is no legal risk of using GPL licensed
software in commercial products.  But vendors have to comply with the
license terms, just like they would have to with any other software license
agreement."

 

Fortinet offers a variety of Firewall and Antivirus Products (the FortiGate
and FortiWiFi product series), on which Fortinet claims to run the "FortiOS"
operating system. However, as the gpl-violations.org project uncovered,
"FortiOS" is using the Linux operating system kernel and numerous other free
software products that are licensed exclusively under the GNU GPL. This
information was not disclosed by Fortinet.

 

Following a warning notice by the gpl-violations.org project on March 17,
2005, Fortinet did not sign a declaration to cease and desist.  Out-of-court
negotiations on a settlement failed to conclude in a timely manner.

 

Thus, the gpl-violations.org project was compelled to ask the court for a
preliminary injunction, banning Fortinet from distributing its products,
unless they are in full compliance with the GNU GPL license conditions.

 

About the gpl-violations.org project

 

In the past 15 months, gpl-violations.org has helped uncover and negotiate
more than 30 out-of-court settlement agreements. The gpl-violations.org
project is a not-for-profit effort to bring commercial users and vendors of
Free Software into compliance with the license conditions as set forth by
the original authors.  The project was founded and is managed by Mr. Harald
Welte, a Linux Kernel developer and Free Software enthusiast.

 

For more information on the project, it's mission, milestones and goals,
please

see http://gpl-violations.org/

 

 

Media contact:

gpl-violations.org

Phone: +49-30-24033902

Email: laforge@gpl-violations.org

-- 
- Harald Welte <laforge@gpl-violations.org>       http://gpl-violations.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)

(Log in to post comments)

An injunction against Fortinet for GPL violations

Posted Apr 14, 2005 17:32 UTC (Thu) by azhrei_fje (guest, #26148) [Link]

From what I've heard so far, I like the approach being taken in this process: contact the alleged offender and ask them if they knew what the situation was, then send a C&D letter, then ask for an injunction in court.

To me, it shows an interest in working with the manufacturer before just taking them to court. I would like to know what the time frame was between sending the C&D letter and filing for the injunction, though. If the C&D was sent on March 17th, then they must've filed for the injunction about 2 weeks later, given that the courts will take a week or two to review the case and make a decision. I'm not sure two weeks from C&D to injunction is long enough; on the one hand, it should be done right away, but on the other hand, it might take some time for a C&D letter to get to the right people.

An injunction against Fortinet for GPL violations

Posted Apr 14, 2005 18:48 UTC (Thu) by euvitudo (guest, #98) [Link]

On the other hand, if you ran a company, wouldn't you take a C&D seriously, or would you consider a C&D threat from a bunch of FOSS people to be insignificant and toothless? Hopefully this will send a message that FOSS licenses should be taken seriously (some companies seem to take, e.g., the GPL, seriously, as there are so many alternative OS licenses to the GPL that have sprung up in recent years--CPL, SISSL, etc.).

Time Limit

Posted Apr 14, 2005 21:20 UTC (Thu) by ncm (subscriber, #165) [Link]

In German law, I gather, you are obliged to file suit within a fixed amount of time (30 days? Two weeks?) after you are first informed of the violation, or lose the right to sue. They can't afford to be too accommodating. In U.S. case law it's a lot more fuzzy. After a while they seem to be able to claim squatters' rights, in violation of the written statute.

Time Limit

Posted Apr 15, 2005 6:35 UTC (Fri) by freddyh (subscriber, #21133) [Link]

The time limit under German law is indeed one month. Herald Welte gave a very nice presentation about the GPL-violations project on Fosdem in which he explained much of the procedure (http://www.fosdem.org/2005/index/speakers/speakers_welte), unfortunately the sheets of his presentation are not yet available.

Time Limit

Posted Apr 15, 2005 6:46 UTC (Fri) by Duncan (guest, #6647) [Link]

Exactly, only I believe the time limit is four weeks (perhaps your 30
days?). Harald Welte has mentioned this specifically before, as an
important aspect of the situation. He makes the companies aware of the
situation and the ticking clock in his warnings, and has observed that in
most cases it tends to bring companies that otherwise might wish to drag
things out for years, until the product is no longer on the market anyway
and they've moved on, to the the table much faster. With the clock
ticking like that, they have little recourse. If for whatever reason they
can't move fast enough, they end up with an injunction. However, AFAIK,
it has only gone that far a couple times, both ending up in our favor,
because most companies have sense enough to see the light, and recognize
they are over a barrel.

In many cases, the company hadn't the foggiest idea it was open source
code, either, because they bought it from some fly-by-nite Chinese company
or the like, and any assurances re source origin they got were entirely
worthless. At that point, they pretty much haven't a choice but to make
public their code, and in the future either resolve to check things more
thoroughly, /not/ always taking the low or fastest available bid, or
decide from the experience that it wasn't so bad after all, and they make
a point after that to check for releasable code and do so if they can.

Unfortunately, I don't know which reaction is more common, but in either
case, they end up with a better respect for GPL code, which in itself is
useful, as it strenthens the guarantees that the GPL offer.

Duncan

Time Limit

Posted Apr 21, 2005 16:57 UTC (Thu) by bastiaan (guest, #5170) [Link]

IIRC, you don't lose the right to sue after the time limit. However you *do* lose the right to apply for a temporary injunction. The reasoning is that temporary injunctions are for urgent issues, and taking more than a month to file suit demonstrates the matter is not that urgent to you.

An injunction against Fortinet for GPL violations

Posted Apr 14, 2005 20:13 UTC (Thu) by nedrichards (guest, #23295) [Link]

>Hopefully, Fortinet's own copyright violations will render that path >untenable. But in the US court system, you can never rely on the >intelligence of judges.

Good thing the action is taking place in the Munich district court then.

An injunction against Fortinet for GPL violations

Posted Apr 15, 2005 6:47 UTC (Fri) by freddyh (subscriber, #21133) [Link]

I'm probably being irrationally paranoid, but this smells like a case where the DMCA could easily be abused. If Fortinet claims that their encryption is an anti-piracy measure, whoever cracked it could be facing some serious shit.

Luckily, under German law you *are* allowed to do reverse engineering if the thing you are reverse engineering includes your own work. I would guess this clause is available in other jurisdictions as well, although I am not sure. I would also guess that in the US you're simply not at all allowed to do this.

Obviously this is still a problem because you don't know yet if it's your work until you've reverse engineered it... So, if you finally conclude that the product doesn't include your work then there is no law-suit, and the company doesn't have to know you've reverse engineered in the first place ;)

An injunction against Fortinet for GPL violations

Posted Apr 15, 2005 13:15 UTC (Fri) by ernest (subscriber, #2355) [Link]

As far as I understand it, the DMCA would not even help in this case, even in the Wild West (ie the US). Apparently there is something about being a thief that juges dislike.

An injunction against Fortinet for GPL violations

Posted Apr 15, 2005 13:58 UTC (Fri) by bbigby (guest, #29308) [Link]

I don't think that the DMCA will protect Fortinet under these circumstances. The problem for Fortinet is that the DMCA is for protecting copyright material of the rightful owner. In this case, Fortinet is NOT the owner of the GPL'ed software. Clearly, they are violating copyright law AND the DMCA does not apply in this case.

Even if you say, "Ah, but the DMCA protects the part of Fortinet's product that is theirs." Perhaps, but there is something in law, called "unclean hands." You cannot receive compensation for a loss when you have acquired gains from breaking the law. Besides, gpl-violations.org did not circumvent the protections in order to use the software. They did it to reveal GPL violations. I think that matters in the law. If gpl-violations.org had not found any violations, they would have quietly discarded the information that they acquired. None would be the wiser.

An injunction against Fortinet for GPL violations

Posted Apr 15, 2005 19:30 UTC (Fri) by khim (subscriber, #9252) [Link]

Besides, gpl-violations.org did not circumvent the protections in order to use the software. They did it to reveal GPL violations. I think that matters in the law.

It should. Since reverse engineering not for purpose of using the product is done every single day on millions of computers around the world!

How ? Why ? Easy: anti-virus software. It does automatic reverse engineering of each and every program to catch "virus-like activity". If you'll think about it this exactly the same procedure copyright holder must do to catch copyright violation when code is obfuscated. And when automated procedure fails anti-virus companies continue with manual reverse engineering and then add more sophisticated algorythms in automatic version.

An injunction against Fortinet for GPL violations

Posted Apr 16, 2005 8:16 UTC (Sat) by xoddam (subscriber, #2322) [Link]

Excellent point.