They say there is no such thing as a free lunch. This axiom certainly applies in the software development world, where you can infringe a copyright by distributing products that were made using free, "open source" software. And if you do, the open source community may find you and sue you.

Open source advocates recently sued fourteen large corporations for such a copyright violation in the Southern District of New York. The plaintiff is Software Freedom Conservancy, Inc., which was established by the Software Freedom Law Center ("SFLC"), an entity known for vigorously asserting its rights in open source software. SFLC has brought and subsequently settled at least six other lawsuits in the past three years, mostly against large companies that allegedly violate the terms of a copyright license, known as the GNU General Public License, version 2 ("GPL").

The GPL has become known as a "copyleft" license, because, in contrast to a traditional copyright, the license ensures that software remains freely available by requiring all modified and extended versions of a program to be free software as well. The GPL allows people to freely use, modify, and share certain free software, but it comes with certain restrictions. For example, if a company distributes a copy of a "free" software program, it must give the recipients all the rights that the company has. The company must also make sure that the recipients receive or can get the source code, and it must show them the GPL as well.

The complaint in the most recent case was filed December 14, 2009; it alleges that each of the defendant companies violated the terms of the GPL. The fourteen defendants include Best Buy, Samsung, and Robert Bosch LLC. The complaint alleges that each of the defendant companies distributed electronic devices employing a program called "BusyBox™," but failed to include the source code for BusyBox with the electronic devices, or at least a written offer to make that source code available to recipients, thereby violating the GPL.

The Software Freedom Law Center and BusyBox

The plaintiff, Software Freedom Conservancy, is an umbrella organization of SFLC, which is a 501(c)(3) tax exempt New York not-for-profit corporation. It is the self-described fiscal sponsor of various free and open source software projects. Mr. Erik Andersen, the other plaintiff, is a software developer, and is listed as the author of BusyBox.

Released as free software under the GPL, BusyBox provides standard UNIX tools for optimizing computers with limited resources, such as cell phones or PDAs, and is intended for use with embedded devices.

Self-titled "The Swiss Army Knife of Embedded Linux," BusyBox combines tiny versions of many common UNIX utilities into a single small executable file. BusyBox is configurable, which allows users to include only the components they need, making it quite useful for all different types of electronic devices.

Because copyrights for contributions are held by the individuals who make them, Mr. Andersen is also listed as a plaintiff in the most recent lawsuit. Mr. Andersen has distributed BusyBox for free since late 1999 in source code form. A file in the BusyBox source code contains a complete copy of the license text.

History of the GPL

The first version of the GPL was written by Richard Stallman at MIT in 1989 for use with programs released as part of the "GNU project," a free, mass software distribution. GNU stands for "GNU's Not Unix." The GNU operating system is a complete free software system, upward-compatible with Unix.

The original GPL was based on a unification of similar licenses used for early versions of GNU programs. These licenses contained similar provisions to the modern GPL, but were specific to each program, rendering them incompatible. Mr. Stallman wanted to produce one license that could be used for any project, making it possible for many projects to share code.

The second version of the license, which is at issue in the latest BusyBox lawsuit, was released in 1991. Version 3 of the GPL, released on June 29, 2007, does not relate to the BusyBox litigation. Version 3 was created to address some perceived loopholes in version 2. For example, one new clause in GPL version 3 is a "patent retaliation clause," which prohibits people who convey licensed software from filing patent suits against other licensees.

Copyright Infringement Allegations

According to the Complaint, in order to comply with the GPL, when a party distributes an object code or executable form of BusyBox, they must include either: (1) the "complete corresponding machine-readable source code," or (2) a written offer to give any third party a complete machine-readable copy of the corresponding source code. If a distributor fails to do this, they fail to fulfill the terms of the copyright license and that distribution is not made with Mr. Andersen's permission.

The plaintiffs accuse each defendant of selling electronic products that contain embedded executable forms of software, called firmware, or of offering electronic versions of firmware for download via their website. The accused products include high definition televisions, digital video recorders, DVD players, video cameras, and wireless routers.

The complaint alleges that any party that redistributes BusyBox in a way that does not comply with the license immediately and automatically loses all rights under the license to copy and modify BusyBox. The complaint alleges each defendant made a distribution that did not comply with the license and, therefore, that defendant lost any and all right to copy, modify, or distribute BusyBox.

The plaintiffs also allege that they notified each defendant in writing prior to filing the complaint. According to plaintiffs, each defendant either completely ignored the letter, or refused to "meaningfully" respond to it. As a result, the plaintiffs also allege willful infringement for distributions after the date of the notice.

The plaintiffs are seeking a permanent injunction for copyright infringement, along with actual damages and any additional profits, or alternatively the statutory damages provided under 17 U.S.C. § 504.

Prior SFLC Lawsuits

SFLC has filed several other lawsuits in the Southern District of New York since 2007, all alleging a violation of the GPL based on the use of BusyBox. All of the lawsuits resulted in settlements requiring the defendants to distribute source code in compliance with the GPL.

The first lawsuit, case 07-CV-8205 in the United States District Court for the Southern District of New York, was filed on September 20, 2007 by SFLC on behalf of Mr. Andersen and another developer, Rob Landley, against Monsoon Multimedia, Inc. In that case, BusyBox code was apparently discovered in a firmware upgrade and attempts to contact the company prior to the lawsuit allegedly failed. The case was settled with release of the Monsoon version of the source code and a payment of an undisclosed amount of money to the developers.

On November 21, 2007, the SFLC brought two similar lawsuits on behalf of the developers against two more companies, Xterasys (case 07-CV-10456) and High-Gain Antennas (case 07-CV-10455). The Xterasys case was settled a few weeks after the complaint was filed, for release of source code used and an undisclosed payment, and the High-Gain Antennas case settled on March 6, 2008, for active license compliance and an undisclosed payment. On December 7, 2007, SFLC brought a case against Verizon Communications over its distribution of firmware for routers provided by Actiontec Electronics, Inc. The Verizon case settled March 17, 2008 on the condition of compliance with the GPL, appointment of an officer to oversee future compliance with the GPL, and payment of an undisclosed sum to the plaintiffs. Further suits were brought on June 9, 2008 against Bell Microproducts (case 08-CV-5270) and Super Micro Computer (case 08-CV-5269). The Super Micro case settled on July 23, 2008, and the Bell Microproducts case settled on October 17, 2008.

No other developers, including the original author of BusyBox, Bruce Perens, were represented in these actions or party to the settlements. On Dec. 15, 2009, Bruce Perens released a statement on his website related to the lawsuits complaining about SFLC. See http://perens.com/blog/2009/12/15/23/. He stated that as the creator of the BusyBox program, he believes he still holds an interest in BusyBox. He alleged that the current BusyBox developers "appear to have removed some of the copyright statements of other Busybox developers, and appear to have altered license statements."

Mr. Perens makes other interesting points about the ease with which companies can comply with the GPL. He argues that all a company needs to do is to "exercise the slightest bit of due diligence" by distributing the BusyBox source code and license statement with its products. Further, he states that any company that wants to maintain the proprietary nature of its own software merely has to place its own software in a separate executable file from BusyBox.

Even if a company fails to comply with the GPL, that company simply needs to respond appropriately to a notice from a copyright holder to avoid litigation. As Mr. Perens noted, it "is only after protracted failure to respond [to a notice from a copyright holder] that non-compliant parties are pursued for damages."

What Companies Should Do To Comply With the GPL

Interestingly, one of the major motivations behind the lawsuit is apparently not monetary damages, although the plaintiffs do seek damages and an injunction. What the developers of BusyBox insist they really want is to promote the open source software movement. Companies that use open source code in their embedded devices, but do not, in turn, freely distribute that code to downstream buyers, will discourage open source developers. In many ways, compliance with the GPL seems a small price to pay for use of free software.

The lawsuit serves as a warning to companies that use BusyBox or other programs covered by the GPL. The GPL merely requires that when a party distributes an object code or executable form of GPL-licensed software, they must include either:

  1. the source code to that GPL-licensed software, or
  2. a written offer to give any third party a complete machine-readable copy of the source code.

This written offer could be in the form of a website that makes the source code available to download. And the terms of the license apply whether or not the party modifies the GPL-licensed software.

It is important to note that the GPL does not require any company to make its own proprietary source code available. Rather, the GPL simply requires that the GPL-licensed code (e.g., BusyBox program code) itself be distributed, and a company can compartmentalize that code from its own proprietary code.

Of course, it may not be as easy as it sounds to educate software developers in a large company about compliance with the GPL. And some developers may believe that they can get away with using GPL-licensed source code without anyone discovering it, especially when it is embedded in electronic products. As a result, some technology companies may, without even realizing it, violate the GPL by including BusyBox or similar programs in their electronic devices. To that end, companies should consider implementing an open source compliance program within their organizations. An open source compliance program needs to identify where open source code is embedded in applications. There are now various tools available to identify where companies may have GPL-licensed code like BusyBox within their products, such as OpenLogic's "OSS Discovery" program. Of course, any compliance program must also ensure compliance with open source licenses (such as the GPL) that apply to the open source code.

Another lesson from the latest BusyBox lawsuit is the importance of responding to pre-suit complaint letters alleging a violation of the GPL. The SFLC alleges that it contacted all fourteen companies prior to filing the latest lawsuit, and all fourteen companies either ignored SFLC's notice or did not respond to the notice in a meaningful way. As the BusyBox website itself states, the authors "don't want monetary awards, injunctions, or to generate bad PR for a company, unless that’s the only way to get somebody that repeatedly ignores us to comply with the license on our code." See http://busybox.net/license.html.

Washington Legal Foundation