Enforcement of the GNU GPL in Germany and Europe
~ by Till Jaeger
[Dr. iur., Partner at JBB Rechtsanwälte, Berlin; Co-founder of the Institute for Legal Questions on Free and Open Source Software (ifrOSS); Representative of gpl-violations.org project in its enforcement activities. A PDF of this article is available here.]
Abstract
GPL enforcement is successful in Europe. In several court decisions and out of court settlements the license conditions of the GPL have been successfully enforced. In particular, embedded systems are the main focus of such compliance activities. The article describes the practice of enforcement activities and the legal prerequisites under the application of German law.
A. Rationale for enforcement of the GPL
At present, the enforcement of the GPL license conditions is driven by single developers and organizations supporting Free Software. Most famous is Mr. Harald Welte, former maintainer of the Netfilter/Iptables project, who is running the enforcement project gpl-violations.org. Some years ago, Mr. Welte became aware of the fact that many manufacturers use the Linux kernel in their products without complying with the GPL conditions, and give the necessary credit to the Free Software community. His letters to the companies remained mostly unanswered or negotiations were so protracted that by the time the source code was eventually published, the relevant product was no longer available for sale. Therefore, he decided to take legal action in a more formal way.
After the first enforcement cases became public, more and more interested parties informed Mr. Welte about other violations. He then decided to establish ‘www.gpl-violations.org’ to provide a platform for enforcement activities and public documentation of his and others’ efforts to bring commercial GPL users into GPL compliance.[1] Having access to modified source codes of technical devices is a strong motivation to participate in the enforcement of the GPL, and thus many people support gpl-violations.org.
In 2006, the FSF Europe launched a Freedom Task Force (FTF) to collect and share knowledge about Free Software law and safeguard the interests of Free Software projects. FTF cooperates with gpl-violations.org with regard to GPL compliance issues and facilitates the European Legal Network (ELN), where lawyers and representatives of companies from the software industry maintain a lively exchange of ideas.[2] This strategic approach has been enhanced and refined, and has had impact on the general behaviour of IT industries with regard to GPL compliance.
GPL is popular not just among developers but also among companies because it helps secure a proper competition with regard to a particular software product and prevents unfair withholding of improvements of the software released in the Free Software world. Moreover, as the dual licensing model – i.e. offering a software product under the GPL and a proprietary license – is widely used, it can be expected that companies will also start to enforce their rights in the near future. Even companies that distribute GPL products without holding copyrights may soon begin to enforce the GPL by relying on unfair competition law (instead of copyright law) in order to obtain the complete corresponding source codes of improved software solutions from their competitors.[3]
B. Information about GPL violations
One might think that the detection of GPL violations in proprietary products is difficult or almost impossible, when no source code is at hand or the software is even hidden in an embedded system. In reality, however, there are many different ways to get the necessary information to prove the use of GPL-licensed software.[4] To quote an easy example: On a recent flight, when the entertainment system in the seat in front of me booted, I was surprised to see the typical boot information of the Linux kernel, including a copyright notice of one of my clients.
But GPL violations are not restricted to the Linux kernel. Once, another client of mine was contacted by a customer of a proprietary product asking for support. Thus, my client learned that a header file written by him was made available on the vendor’s website, and that the latter shipped his proprietary product without any information about the fact that the software was licensed under the GPL.
Many violations concern embedded systems. Typically, violations become obvious when manufacturers provide firmware updates on their websites. Violations can often be shown by a simple analysis of strings showing typical debug information or even copyright notices. Strings are sequences of characters, and sometimes text strings from the source code remain intact after the compilation process. String searches with an editor can be sufficient to receive strong indication for the use of a certain program.[5] Specialised research providers are currently developing a software tool for easy detection of GPL violations.[6]
More complex efforts are necessary to provide evidence for the use of the Linux kernel in an embedded system, if no firmware access is given. With the necessary expert knowledge, a serial port can be detected on the printed circuit board (PCB). The typical structure of a booting Linux kernel can be found with the help of an oscillograph and, if the suspicion is confirmed, a hardware interface can be soldered on the PCB to extract the firmware from the serial port for further analysis.
In our current practice, we frequently see cases of firmware being encrypted in order to hide the use of GPL software, but where the violation can be shown with the help of the advanced reengineering skills of the Free Software community.
C. Modes of violations
The typical GPL infringing product does not contain any notice about the fact that GPL software is contained. Consequently, no license text and no source code are provided. Such products are the main focus of enforcement activities. Sometimes a GPL notice is provided, but the license text of the GPL and the source code are not available, or the notice points to a webpage that might contain this material or nothing at all. Although a situation where the necessary information is provided on a webpage is in general no reason for enforcement activities, one should keep in mind that the District Court of Munich has decided that the mere referral to a webpage does not comply with section 3 of the terms and conditions of the GPL (version 2).[7] This example demonstrates that careful in depth consideration of all obligations of the GPL is required for compliant use of GPL software.
Far more common is the situation that firmware updates are offered on the website of the manufacturer but no “complete corresponding source code” is made available.[8] In particular, it is not sufficient to provide the most current version of the source code, if several older versions of the firmware are still offered on the website – the “correspondent” source code for all software versions would be missing. Furthermore, gpl-violations.org often faces the problem that the available source code is not complete, because only parts of the source code are offered or only the modified files, but not the complete source code allowing compilation and installation of the software on the very same device are available. It is a common violation that the scripts used to control compilation and installation are missing for embedded systems.[9]
Derived works of a GPL licensed software have to be licensed under the GPL according to section 2 b) GPLv2 (so called “Copyleft”[10]), and the source code of the modified version has to be provided. Although we have not seen any court cases regarding the scope of the “Copyleft” so far, it is most likely that such cases will come to court in the future. At present, there is uncertainty about what has to be considered as a derivative work and how it can be distinguished from an independent piece of software.[11] This might discourage parties to institute court proceedings with an uncertain outcome. Nevertheless, developers and competitors are highly interested in using modifications of successful programs, and therefore, companies unwilling to release the source code of derivative works will sooner or later become targets of GPL enforcement.
D. Out of court proceedings
Enforcement proceedings usually start with a cease and desist letter explaining the GPL violation and demanding a declaration to cease and desist from distributing the product, unless according to the requirements of the GPL, each product contains a copy of the license text and the complete corresponding source code is made available. Therefore the violator is allowed to continue the use of the GPL software if he shifts the distribution of his product in a GPL compliant way. In addition, the violator is demanded to accept the reimbursement of the costs of the enforcement (expenses for a test purchase, reengineering and lawyer’s fees[12]) and to provide information about the supplier of the software (if any) and commercial consumers. This information is needed to safeguard and ensure that the distribution chain is also compliant.
Depending on the concrete case, damages may be claimed.[13] Some infringers defend themselves with the argument that no damage was incurred, as the software is available without any license fee. But this line of argument is without any merit: under German law the copyright holder may claim the vendor’s profit that is based on the use of the GPL software. Copyright holders who offer their software under a dual licensing model are easily able to prove their actual damage when demanding the equivalent of license fees not earned.
The vast majority of infringers accept to declare to cease and desist from GPL incompliant distribution of their products and to reimburse the costs of the enforcement. In some cases a settlement can entered into, which addresses particular issues, e.g. a grace period.
German procedural law allows to file for a preliminary injunction in urgent matters. It is generally accepted that a permanent copyright infringement constitutes an urgent matter.[14] However, this assumption is not upheld where the infringed party fails to act in an urgent matter by waiting a inappropriate time (measured from the moment the rights holder becomes aware of the infringement) before filing for a preliminary injunction. What is considered an appropriate time in this context depends on the competent court.[15] Therefore out of court proceedings have to be conducted within a short period to keep the option alive to apply for a preliminary injunction.
Out of court settlements are not restricted to violations in Germany. The gpl-violations.org project enforced the GPL in other European countries like Slovenia, the Netherlands, Sweden, France, Austria and the UK, as well as outside Europe, e.g. in Taiwan, Korea, the US and China. This has led to a growing awareness about GPL compliance issues, in particular in software producing countries as Korea and Taiwan.[16]
E. Enforcement in court proceedings
The first lawsuit to enforce the GPL in Europe was filed in 2004.[17] The infringer, a manufacturer of a WLAN router that deployed GPLed software in its firmware, refused to provide a declaration to cease and desist from GPL incompliant distribution. The copyright holder applied for a preliminary injunction on April 1, 2004. The District Court of Munich granted a preliminary injunction on April 2, 2004, thus only one day later. After an objection of the manufacturer against the preliminary injunction and a court hearing the District Court of Munich confirmed the preliminary injunction and provided a written reasoning. The infringer had to bear the complete costs of the proceedings including the lawyer’s fees of the copyright holder.
The most important aspect of this judgment is the court’s conclusion that a violation of the GPL results in a copyright infringement with regard to the automatic termination clause of section 4 GPLv2.[18] The GPL is considered a license agreement with a resolutory condition that provides for an automatic reversal of rights in case a licensee does not abide by his contractual obligations.[19] Therefore, GPL incompliant distribution is a copyright infringement and not only a breach of contract.[20] Consequently, licensors of GPL software may rely on all the enforcement means established by the European “Directive on the enforcement of intellectual property rights”[21], when enforcing the GPL obligations.
If this reasoning will prevail in other countries of the European Union, has still to be proven in court cases. Currently, a lawsuit aiming at the enforcement of the GPL is pending in France.[22] Independently from this case, the Paris Court of Appeals held in a recent decision that it is a breach of an IT contract, if GPL software is delivered in fulfilment of the contractual obligations, but the conditions of the GPL are not observed.[23] This case was not an enforcement case, but examined the GPL as a preliminary question.
However, enforcement lawsuits with effect on other European countries are existent. In the case Welte ./. Skype Technologies S.A., the GPL has been enforced against a Luxembourgian company acting in Germany.[24] This is the single case in Germany, in which a GPL infringer appealed a District Court decision, mainly for alleged violation of antitrust law. However, the defendant withdrew the appeal, after the Munich Court of Appeal expressed in the hearing its clear intention to uphold the decision of the District Court, arguing that even in the unlikely case that the GPL would violate antitrust provisions, such violation would not result in releasing a licensee of GPL software from observing the conditions of the GPL. Another case with international perspective concerned a UK company with a branch office in Germany, which allowed to serve a preliminary injunction in German language.
F. Conclusion
The well-established practice of GPL enforcement in Germany and some parts of Europe leads to a growing number of GPL compliant products. Since embedded systems often contain third party software, enforcement cannot stop with legal actions against manufacturers or importers of infringing products, but must aim for compliance of the complete distribution chain and needs to have a more general strategy of information policy for such software developing companies and countries.[25]. Plenty of documentation exists that can be used for providing the software industries all over the world with the necessary know-how to avoid GPL violations.[26] Considering the increasing use of GPL software in the software market, license enforcement will continue being an essential issue in the OSS world.
[1] See www.gpl-violations.org.
[2] See K. Kopenhaver, Collaboration Among Counsel Celebrating the Formation of a Community of Lawyers for the Advancement of Understanding of Free and Open Source Licensing and Business Models, 1 IFOSS L. Rev. 53 et seq. (2009), http://www.ifosslr.org/ifosslr/article/view/7/18.
[3] See G. Spindler, Rechtsfragen bei open source, p. 128 and T. Jaeger/A. Metzger, Open Source Software, 2. ed, para. 336 et seq.
[4] For detailed information see A. Hemel, The GPL Compliance Engineering Guide (v.3.00), http://www.loohuis-consulting.nl/downloads/compliance-manual.pdf.
[5] Before a string research, it might be necessary to extract data from an image file by decompressing and extracting the kernel image and file systems hidden in such file.
[6] Development by OpenDawn and Loohuis Consulting funded by NLnet Foundation. The detection tool is expected to be launched in the near future.
[7] District Court of Munich, 12 July 2007, case 7 O 5245/07 (Welte v. Skype Technologies S.A.), available at http://www.ifross.de/Fremdartikel/LGMuenchenUrteil.pdf.
[8] Section 3 GPLv2: “…complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.”
[9] More detailed information is provided at http://www.gpl-violations.org/faq/sourcecode-faq.html.
[10] Definition of the FSF, see http://www.gnu.org/copyleft/.
[11] On the concept of „derivative work“ under European copyright law, especially with regard to the Council Directive 91/250/EEC of 14 May 1991 on the legal protection of computer programs (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31991L0250:EN:HTML), see T. Jaeger, Kommerzielle Applikationen für Open Source Software und deutsches Urheberrecht, in Hoffmann/Leible (eds.), Vernetztes Rechnen, Softwarepatente, Web 2.0 (2008), 61, 70 et seq. (available at
http://www.ifross.org/ifross_html/HoffmannLeible_Beitrag%20Jaeger.pdf). See also ifrOSS, Die GPL kommentiert und erklärt, Ziffer 2, http://www.ifross.org/Druckfassung/Die_GPL_kommentiert_und_erklaert.pdf (licensed under the CC license Attribution-Noncommercial-No Derivative Works 1.0).
[12] According to German law, the violator has to compensate for the actual costs for the test purchase and the reengineering efforts and the costs for the services of a lawyer under a statutory scale according to the German Lawyers’ Fees Act, http://www.gesetze-im-internet.de/rvg/index.html.
[13] German civil law does not stipulate claims for punitive damages, but is designed to compensate the claimant for its economic loss. In the case of an infringement of copyright three methods of calculation are accepted: 1. equivalent to license fees, 2. concrete actual damage and 3. profits of the violator, BGH GRUR 1995, 349, 351 –Objektive Schadensberechnung.
[14] See Fromm/Nordemann-J.B. Nordemann, Urheberrecht, 10th ed. (2008), § 97 UrhG, para 202.
[15] The courts of Munich apply a strict deadline of one month, OLG München, GRUR 1992, 328.
[16] F. Ko, The Introduction of Viral Effect of the GPL and German Case Studies,
in: Y-C. Wang, Exploring the Unknown of Science and Technology Law, Taipei
2006, p. 93-117.
[17] District Court of Munich, 19 May 2004, case 21 O 6123/04 (Welte v. Sitecom Deutschland GmbH), available in German language at http://www.jbb.de/fileadmin/download/urteil_lg_muenchen_gpl.pdf, and in English translation at http://www.jbb.de/fileadmin/download/judgment_dc_munich_gpl.pdf
[18] „You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License.”
[19] A. Metzger/T. Jaeger, Open Source Software and German Copyright Law, IIC Vol. 32, 2001, p. 52.
[20] Similar to the conclusions of the United States Court of Appeals for the Federal Circuit in Jacobsen v. Katzer, 535 F.3d 1373, 1379 (Fed. Cir. 2008), http://www.cafc.uscourts.gov/opinions/08-1001.pdf. For an analysis see T. Jaeger/J. Gebert, USA/CAFC - Open Source Licensing – Comment on “ Jacobsen v. Katzer”, IIC 2009, pp. 345 et seq; L. Rosen, Bad Facts Make Good Law: The Jacobsen Case and Open Source, 1 IFOSS L. Rev. 27 et seq. (2009), http://www.ifosslr.org/ifosslr/article/view/5/9; M. Henley, Jacobsen v Katzer and Kamind Associates – an English legal perspective, 1 IFOSS L. Rev. 41 et seq. (2009), http://www.ifosslr.org/ifosslr/article/view/4/13.
[21] Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32004L0048R%2801%29:EN:HTML.
[22] http://gpl-violations.org/news/20071120-freebox.html, http://www.fsf.org/blogs/licensing/2007-11-29-lawsuits.
[23] EDU 4 v. AFPA, Cour d’Appel de Paris, Pôle 5, Chambre 10, no: 294, http://fsffrance.org/news/arret-ca-paris-16.09.2009.pdf. For a report see M. von Willebrand, Case law report: A look at EDU 4 v. AFPA, also known as the “Paris GPL case”, 1 IFOSS L. Rev. 123 et seq. (2009), http://www.ifosslr.org/ifosslr/article/view/17/41.
[24]District Court of Munich, 12 July 2007, case 7 O 5245/07 (Welte v. Skype Technologies S.A.), available at http://www.ifross.de/Fremdartikel/LGMuenchenUrteil.pdf.
[25] See R. Kemp, Towards Free/Libre Open Source Software (“FLOSS”) Governance in the Organisation, 1 IFOSS L. Rev. 61 et seq. (2009).
[26] See e.g. A. Hemel, The GPL Compliance Engineering Guide (v.3.00), http://www.loohuis-consulting.nl/downloads/compliance-manual.pdf, the FAQ of the FSF, http://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html, the FAQ of gpl-violations.org, http://gpl-violations.org/faq/index.html, and the information provided by ifrOSS, http://www.ifross.org/en/node/3.
© 2010 Till Jaeger
Any party may modify and pass on this article as physical copies and by electronic means and make it available for download under the terms and conditions of the Free Digital Peer Publishing Licence (f-DPPL). The text of the licence may be accessed and retrieved via Internet at http://nbn-resolving.de/urn:nbn:de:0009-fdppl-v3-en3.
As an alternative, this article may also be used under the Creative Commons Attribution-Share Alike 3.0 Unported License, available at http://creativecommons.org/licenses/by-sa/3.0.
Cite as: Jaeger T (2010). Enforcement of the GNU GPL in Germany and Europe. jipitec, Vol. 1
|