On reimbursement of costs for enforcement actions & related issues

Posted Dec 4, 2015 2:32 UTC (Fri) by bkuhn (subscriber, #58642)
In reply to: On reimbursement of costs for enforcement actions by Felix
Parent article: A referendum on GPL enforcement

Replying to Felix, who noted:

> Otherwise you just provide them with free legal/tech consulting.

Frankly, that's often what we do, from our point of view. Ironically, from the violator's point of view, they are paying a lot for the whole process already, because the first thing they do (these days) is hire high-priced outside attorneys who advise them to fight us. After a GPL enforcement matter gets a year or two into the usual clock, the other side has probably paid many tens of thousands to their counsel advising them to introduce delay and refuse to even acknowledge that they were out of compliance; sunk cost fallacy likely kicks in at that point. By then, the company has paid so much money to their lawyers that they are fed up with the whole process and we're lucky to get them into compliance without a lawsuit, let alone recover our costs.

Felix noted further:

> it should be cheaper to ship a compliant product in the first place than to violate the GPL and fix things up later.

I agree that it should be true, but sadly, it's not; violators play the odds. I often point out that Conservancy is aware of hundreds and possibly thousands of GPL violations ongoing, just on Linux, at any given moment. Most products with Linux have a life cycle of 18 months or less. Violators realize that the odds are forever in their favor: for any given product, the odds that we can get to them before the product hits end of life are very low. Plus, when companies have outside vendors who are ultimately responsible for the firmware (and are the primary violator) it's more valuable to the OEM to preserve those relationships than to insist on compliance. Factor that into the (small but nontrivial) cost of complying up front, and you have a corporate decision-making recipe that always says to violate first and comply later (if we ever even have to). Few companies are committed to doing the right thing and not playing those odds. I'm glad some do, but they're rare.

You might reasonably ask why we don't go after the upstream firmware/board manufacturers directly. We rarely have enough evidence of a board-maker's violation that is sufficient for enforcement action. From the point of view of us and everyone who bought the product, the OEM is the violator, not their firmware vendor. If the OEM protects their upstream vendor at all costs (which they do, since the vendors have a lot of power in the relationship once it's in place), the OEM refuses to even say the vendor was the primary violator. We thus don't have any evidence to pursue the original violator. Not until there is a strong set of Court cases that show such violations won't be tolerated will this behavior change, IMO.

Felix finally noted, quite reasonably:
> While I'm happy to donate for [Conservancy] in general I'm not sure I want to keep paying for GPL enforcement forever if this can be a self-funding endeavor.

Conservancy chose to fund the VMware suit (and set its money aside separately — the funding for VMware is already collected and not at issue in Conservancy's current fundraiser —) as part of a careful strategic plan to maximize the value of the enforcement we can afford to do. We cannot guarantee our donors that GPL enforcement will become self-funding, but we constantly consider ways to make it so, provided that we not compromise the moral principles of GPL enforcement. Personally, I've seen too many cases where well-intentioned people got involved in enforcement and then began to value revenue over compliance — Jon Corbet made reference to one such situation in his main article. For my part, I'm constantly vigilant to ensure any time funds are involved in an enforcement settlement that we are not even close to trading failures in compliance for money. Even doing that a little bit begins the path to corruption.

This fundraising campaign is the culmination of many years of thinking and seeking a formula that generates sustainable self-funding revenue for ethical GPL enforcement. During those years, I have personally been offered high paying jobs if I'd just stop doing GPL enforcement, and some companies have offered funding to Conservancy if we'd just “remove enforcement work from [our] roster”. I suspect that many who care about the GPL but don't work regularly in the enforcement/compliance community will be flabbergasted to learn that powerful for-profit interests seek to curtail enforcement of copyleft. Given this political climate, Karen and I both feel that Conservancy needs a mandate from the public to continue this work. Jon Corbet's phrase for this, a referendum on GPL enforcement, is thus apt.

Meanwhile, I know that Karen and I sometimes may sound dismissive when people come forward with suggestions on better ways to do enforcement. It's because we've tried as many suggestions as we can that don't compromise our enforcement principles — in fact, we've tried most of them at least twice in different time periods; we've done a lot of “well, that didn't work before, but maybe things have changed and it'll work now”. Yet, the situation doesn't get any better. In fact, violation counts increase. In particular, over the last two years, we've seen a rise in companies who are what I call “savvy” violators: companies that knew about the GPL and its requirements but sought specific methods to avoid compliance. GPL violations stopped being just a series of innocent mistakes by n00bs a long time ago.

I realize that's a long-winded answer to your point, Felix, but I hope it illuminates that we did not come to this decision to launch this fundraiser lightly. I realize it's frustrating to be asked for an annual donation to do the seemingly simple job of asking other people to follow the rules, and I don't blame you for feeling some donor fatigue, particularly when the wheels of justice move so slowly. (We'd hoped for a decision in the VMware case by now, but it may be a long way away!) The best I can promise you is we're always committed to looking for creative solutions to the problem, and that we operate as transparently as we possibly can (which is why Karen and I are spending time late into the night answering queries on LWN ;)

Finally, I'm glad LWN readers had the opportunity to read about this and ask these questions.

— Bradley M. Kuhn, Distinguished Technologist, Software Freedom Conservancy


Posted Dec 4, 2015 8:06 UTC (Fri) by kleptog (subscriber, #1183)

FWIW, you've convinced me. Also, thank you for allowing me to choose the commitment level.

Posted Dec 4, 2015 16:57 UTC (Fri) by rghetta (subscriber, #39444)

+1 Having to fund for gpl compliance makes me sad, however

Posted Dec 4, 2015 20:09 UTC (Fri) by HenrikH (subscriber, #31152)

Would it be possible to extract money the BSA way? I.e., to keep the whole affair a secret, but if they don't pay the BSA-appointed fee then their violation is made public. Or are these companies not afraid to be publicly known as GPL violators?

Posted Dec 4, 2015 22:13 UTC (Fri) by bkuhn (subscriber, #58642)

HenrikH asks:
> Would it be possible to extract money the BSA way?

Well, first of all, the BSA tactics, behaviors, and overall strategy have always been abysmal, specifically because they target users. The BSA strategy of GPL enforcement would be to find everyone who bought a GPL infringing product and somehow go after them aggressively. No one should ever do that, IMO. Ethical GPL enforcement, by contrast, fights for rights of users who got that product — to make sure they can recompile and reinstall the GPL'd software they got, and that all the source code for that software is present. Blaming a user who bought an infringing product is akin to blaming the victim of a crime.

> Or are these companies not afraid to be publicly known as GPL violators?

Regarding your more general question about public shaming, Erik Andersen of the BusyBox project was a fan of this strategy for a while. It has some benefits, but it ceased working for him, which is why he asked me personally (and later Conservancy as a whole) to help him enforce the GPL on his copyrights.

Certainly, Karen and I talk regularly with our enforcement coalitions of copyright holders about using public shaming as a tactic. It certainly is cheaper, and if it was sure to work, we'd use it more often. But, when I see perennial GPL violators constantly mentioned in threads like this, whom Conservancy knows about but whom we've been unable to convince to comply, I conclude that public shaming is not going to work, even though it might have in the past.

Posted Dec 5, 2015 23:51 UTC (Sat) by HenrikH (subscriber, #31152)

Thanks for your reply!

Regarding the public shaming, I wasn't talking about that being a tactic but as a tool for money just like the BSA does. I.e., if the case is settled out of court then the #1 priority of the settlement would of course be to make the violator GPL compliant, but then they could also get asked to pay a sum of money or else they will be put on your public list of GPL violators and also be part of a press release.

I.e., it's not hush money per se and never ever an alternative to being GPL compliant. However, I'm sure that you and the Conservancy that works with these issues all day already have thought long and hard on issues like these; it's easy for someone like me to play armchair lawyer :-) so once again thanks for your insightful replies!

Btw, please note that I'm in no way promoting BSA tactics. I once worked for a company that was hit hard by them (we had an employee who was responsible for licensing and when he got mad at the management he simply stopped buying licenses and reported the company to BSA and thus not only brought harm to the company but also got a finder's fee from the BSA. What I however got out of that whole affair was the notion that the BSA gives you a costly option of avoiding being named in their press release and apparently a lot of companies pay that money [and that sum was bigger than the "license penalty"]).

Posted Dec 6, 2015 3:18 UTC (Sun) by bkuhn (subscriber, #58642)

> make the violator GPL compliant but then they could also get asked to pay a sum of money or else they will be put on your public list of GPL violators and also be part of a press release.

It's an interesting idea, and I don't find it morally wrong on its face, but I also don't see how it's particularly helpful. If the public shaming comes after they've come into compliance, what shame is there? Everyone makes mistakes, and coming into compliance is the way you correct it. I don't think there is actually anything shameful in making a mistake and then correcting it.

Posted Dec 8, 2015 6:08 UTC (Tue) by pabs (subscriber, #43278)

How about the opposite? If they contribute funds to future enforcement actions you could celebrate their new-found compliance and contributions.

Posted Dec 11, 2015 8:50 UTC (Fri) by jospoortvliet (guest, #33164)

Both, I'd say. Celebrate those who come in compliance and pay (if they wish) and condemn those who don't pay.

Posted Dec 5, 2015 2:45 UTC (Sat) by lukeshu (guest, #105612)

> Most products with Linux have a life cycle of 18 months or less. Violators realize that the odds are forever in their favor: for any given product, the odds that we can get to them before the product hits end of life are very low.

Doesn't the GPLv2 terminate upon violation; if product A violates, and they therefore lose the license, shouldn't that also terminate their license for product B? That is, even if you can't get them before the product hits EOL, aren't they still affected?

As a side question from that: If you, representing a stakeholder in the kernel, show that an organization committed a GPLv2 violation, bring them in to compliance, and (on behalf of the single stakeholder) reinstate the license, isn't the license from every other stakeholder still implicitly revoked (per §4)?

Posted Dec 6, 2015 3:10 UTC (Sun) by bkuhn (subscriber, #58642)

lukeshu asked:
> Doesn't the GPLv2 terminate upon violation; That is, even if you can't get them before the product hits EOL, aren't they still affected?

I find myself inspired to quote Futurama: You are technically correct! The best kind of correct! Yes, indeed, under GPLv2§4, the violator will lose their distribution rights (read more in Copyleft Guide), and that termination relates to any copyrights infringed in the original product. Thus, indeed, if those copyrights are redistributed in a later product, their rights have already been terminated.

But, this is where I again have to say that the GPL isn't magic pixie dust that just works. If the violator doesn't wish to comply, we have to compel them somehow. Termination of rights works the same way as it did in the first product, and has the same tools available. Namely, we can go into court, and seek an injunction; just like we'd have needed to for the first product. The fact that the rights terminated long ago in a past product might help us convince the judge to grant an injunction more quickly, and/or show the judge the company acted in bad faith. But, the enforcement process is the same, and note that one way to come into compliance is to stop distributing. Therefore, with regard to the old violation, the company is now in compliance. We're unlikely to therefore get a judge to compel a source release for the old product, since distribution has ceased.

> If you, representing a stakeholder in the kernel, show that an organization committed a GPLv2 violation, bring them in to compliance, and (on behalf of the single stakeholder) reinstate the license, isn't the license from every other stakeholder still implicitly revoked?

First, it's worth noting that Conservancy doesn't just represent a coalition of stakeholders (although we do that too), but Conservancy is also a copyright holder in Linux as well, as some stakeholders have outright assigned Linux copyrights to Conservancy. But, that wasn't your question. To answer your question: Yes, you're quite correct about how rights restoration works (at least in the USA and most other jurisdictions I'm familiar with). The negotiation point that both FSF and Conservancy use in that enforcement scenario is simply to tell violators that once compliance is achieved, we're on their side and prepared to be an expert witness or otherwise help the former violator oppose any copyright holders knocking at the door for huge settlements. Such copyright holders who came to demand pay-outs after compliance was achieved of course wouldn't be acting under the principles of ethical GPL enforcement anyway.

Posted Dec 6, 2015 4:10 UTC (Sun) by lukeshu (guest, #105612)

Thanks for the reply!

It's been my experience that corporate lawyers tend to be very afraid of "technically correct", which is why I asked.

Posted Dec 6, 2015 6:45 UTC (Sun) by ncm (guest, #165)

The evidence is by now super-abundant that SFC's "enforcement principles", as formulated, are a failure. This is not to say no morally defensible principles are possible. Rather, out of the universe of possible morally defensible principles, this choice has been amply demonstrated to be poor enough to merit reformulating. There is no shame in admitting the truth. It is not as if the results of all the failed attempts were predictable. They had to be tried, but having been tried, now we know, and can act on what we now know.

The solution may be to start another organization, e.g. The Coding Liberty Cooperative, with more effective principles, sign up authors, and go into competition, maybe pursuing repeat offenders who have been let off too easily by SFC.

Posted Dec 8, 2015 2:58 UTC (Tue) by lutchann (subscriber, #8872)

Yeah. If SFC is casually tossing around the term "savvy violators", it's clear that whatever they're doing is ineffective. Maybe "our primary goal in GPL enforcement is to bring about GPL compliance" should be replaced with "our primary goal in GPL enforcement is to seek large monetary damages as a punitive measure to make violators think twice about doing it again in the future." I'd donate money to get that kind of thing going.

Posted Dec 8, 2015 21:22 UTC (Tue) by bkuhn (subscriber, #58642)

There are practical reasons to follow our principles, not just moral ones. I think people here are a bit confused about what types of damages are even possible in copyright infringement cases. The damages are decided by a judge and/or a jury, and are unpredictable, and you don't find out what they are until you're at the end of the case. And, if you lose the case, you often have to pay the other side's attorney's fees in many jurisdictions.

Even if avarice was maximized in these enforcement cases, the proceeds wouldn't be seen for a very long time.

Anyway, the only logistical way to get large amounts of money quickly and easily is to take pay-offs to look the other way when compliance isn't achieved. There are people making money doing that, which Jon made reference to in the original article. I denounce that as immoral, even if it would be a way to get money easily.

You can see on Conservancy's Form 990s that we did receive money in the BusyBox enforcement, which funded more enforcement. But enforcement where compliance is the paramount goal is only partially self-funding. I hope people will donate to bridge the gap.

Posted Dec 10, 2015 10:46 UTC (Thu) by linuxrocks123 (subscriber, #34648)

US statutory damages are $750 per work, minimum. On a judgment of infringement, the court has to grant at least that, and may grant more. If the violator distributed 100,000 products, that's $75 million.

Oh, but, if the violator proves (burden on the violator) that they really didn't know, and shouldn't have known, the court can reduce damages to $200 per work. So then you only get $20 million.

That's still $20 million, in the absolute worst case, for what I would imagine to be a fairly low-volume product. What am I missing here?

Posted Jul 20, 2016 21:14 UTC (Wed) by paulj (subscriber, #341)

The moral and practical imperative must be to ensure that GPL compliance is more attractive than not, by taking stern action against at least some violators. The best way to make sure action can be taken is for that action to be self-sustaining - paying for the action taken at least, ideally also punitive costs that can then be used to pre-pay for the next action. Anything less would surely be doing a _disservice_ to the viability of the GPL?

See also: https://paul.jakma.org/2009/12/21/killing-free-software-w...

The one cautionary bit is that such actions mustn't put off more people from going with GPL software than are attracted to it.

