What is Tivoisation?

Tivoisation is the creation of a computer system that incorporates open source software but uses technical methods to prevent users from running modified versions of the software on that hardware. The term arose as a result of TiVo’s use of open source software that had been licensed under the terms of the Free Software Foundation’s GPL licensing arrangements on the TiVo brand digital video recorders. In general terms, if a product is “TiVo’d” then:

  • the manufacturer puts a chip in the computer which checks any software before it is run and which will only allow authorised software to be run;
  • the chip can recognise authorised software by, for example, comparing a checksum (like a fingerprint) to a list of authorised checksums, or by checking for a cryptographic signature; and
  • the manufacturer withholds the information which the user would need in order to make software authorised.

By doing this, the manufacturer can still publish new versions of the software for download to the device. The manufacturer embeds the cryptographic signature in the new version of the software, or sends a remote command which adds the checksum of the new version to the list of authorised checksums.

However, if a user tries to use a modified version of the software, or tries to run some third-party software, the device will refuse to function fully, or will simply not run the software at all.
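The check described above, sketched as an added example (not TiVo's or any manufacturer's code): a verifier that runs only images whose checksum is on its list, and extends the list only on an authenticated remote command. Assumptions: an HMAC with a shared key stands in for the manufacturer's signature so that the block needs only the standard library (a real device would verify an asymmetric signature against an embedded public key), a monotonic counter is added to reject replayed commands, and every name, key and firmware string is constructed.

```python
import hashlib
import hmac
import json

def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def vendor_authorise(vendor_key: bytes, image: bytes, counter: int):
    """Manufacturer side: build the remote command that allowlists a new image."""
    command = json.dumps({"counter": counter, "sha256": sha256_hex(image)}).encode()
    tag = hmac.new(vendor_key, command, hashlib.sha256).digest()
    return command, tag

class BootVerifier:
    """Device side: stands in for the chip that checks software before it runs."""

    def __init__(self, vendor_key: bytes, allowlist):
        self._key = vendor_key        # assumption: HMAC key in place of a public key
        self._allow = set(allowlist)  # the list of authorised checksums
        self._counter = 0             # assumption: counter blocks replayed commands

    def may_run(self, image: bytes) -> bool:
        return sha256_hex(image) in self._allow

    def apply_update(self, command: bytes, tag: bytes) -> bool:
        expected = hmac.new(self._key, command, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False              # not produced with the manufacturer's key
        msg = json.loads(command)
        if msg["counter"] <= self._counter:
            return False              # old command replayed
        self._counter = msg["counter"]
        self._allow.add(msg["sha256"])
        return True

def demo():
    key = b"constructed-vendor-key"
    chip = BootVerifier(key, [sha256_hex(b"firmware v1")])
    results = {"stock": chip.may_run(b"firmware v1"),
               "modified": chip.may_run(b"firmware v1 + user patch")}
    cmd, tag = vendor_authorise(key, b"firmware v2", 1)
    results["vendor_update"] = chip.apply_update(cmd, tag) and chip.may_run(b"firmware v2")
    # A user without the withheld key cannot authorise their own build.
    cmd_u, tag_u = vendor_authorise(b"user-guess", b"firmware v1 + user patch", 2)
    results["user_update"] = chip.apply_update(cmd_u, tag_u)
    return results

if __name__ == "__main__":
    print(demo())
```

The withheld key is the only thing separating the manufacturer's update from the user's: both follow the same code path, and only the tag check differs.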

Conflict with elements of the Open Source Movement

Some of the proponents of open source software, and in particular the Free Software Foundation (with Richard Stallman leading the debate), believe that Tivoisation is inconsistent with open source principles by denying users key elements of the freedoms that the GNU General Public Licence (GPL) was designed to promote.

TiVo’s software incorporates the Linux kernel, licensed under version 2 of the GPL at the time that the issue came to prominence. The GPLv2 requires distributors of software licensed under the GPL to make the corresponding source code available to each person who receives the software and authorises users to amend the source code of the distributed software. The objective is to allow any users of GPL’d software the freedom to modify and enhance the GPL’d software.

The Free Software Foundation (“FSF”) regards TiVo’s approach as circumventing this objective by making their products run software only if the program’s digital signature matches the software authorised by the manufacturer of the TiVo. Although TiVo complied with the GPLv2 requirement to release the source code for others to modify, any modified software would not run on TiVo’s hardware. The anti-Tivoisation elements of the open source movement take the view that when open source software is distributed, more people become involved in the development of the software (individuals plus companies) as some of the users will know how to program, and they will make changes and enhancements to the software. Many of the people who make changes will publish their improvements so that everyone, including the non-programmers, can benefit from the general ability of the community to modify the software. They see that there is a risk that “by making computers nonprogrammable, Tivoisation makes free software users non-programmers”.

Not all of the open source movement accept this argument. Linus Torvalds (one of the key proponents of open source, who originally authored the Linux kernel and remains a key figure in the development of Linux) has argued that it is appropriate for companies to use digital signatures to limit the software that runs on the systems that they sell. He believes that the use of private digital signatures on software can be a beneficial security tool. Torvalds also believes that software licences should attempt to control only software, not the hardware on which it runs. So long as a user has access to the software, and can modify it to run on some hardware, Torvalds believes there is nothing unethical about using digital signatures to prevent devices running modified copies of Linux.

The debate within the GPLv3 development process

The debate over Tivoisation was a key element in the process leading to the development of a new version of the GPL. In late 2005, the FSF announced work on version 3 of the GPL (GPLv3). On January 16, 2006, the first “discussion draft” of GPLv3 was published, and the public consultation began. The public consultation was originally planned for nine to fifteen months but finally stretched to eighteen months, with four drafts being published. The official GPLv3 was released by the FSF on June 29, 2007.

The most important changes in GPLv3 are in relation to software patents, free software licence compatibility, the definition of “source code”, and Tivoisation. In relation to Tivoisation, Richard Stallman commented: “the purpose of the GNU GPL is to defend for all users the freedoms that define free software… Now, what we didn’t have 15 years ago was the threat of making the program effectively non free by technical restrictions placed around it. That’s what Tivoisation is. Tivoisation means taking a free program and distributing a binary of it, and also providing the source, because the GPL requires that. But when the user changes the source code and compiles it and then tries to install the changed program he discovers that that’s impossible because the machine is designed not to let him.

The result of this is that freedom number 1, the freedom to study the source code and change it so the program does what you want, has become a sham. Tivoisation is essentially a way to formally comply with the requirement, but not in substance.”

As a result, the GPLv3 produced by the FSF contains provisions that attempt to prevent the Tivoisation of open source software, despite the concerns of other open source practitioners such as Linus Torvalds. The FSF took these concerns into account during the evolution of GPLv3 and made modifications to the anti-Tivoisation provisions in the draft GPL during the consultation process.

The GPLv3 anti-Tivoisation provisions

GPLv3 contains some new terms under Section 6 (Conveying Non-Source Forms) relating to anti-Tivoisation. The first new term is for “User Product” which is defined as:

“A ‘User Product’ is either (1) a consumer product, which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling.”

In other words, a “User Product” can be an item of consumer digital equipment, such as DVD recorders, mobile phones, CD players, televisions, etc., but the definition also encompasses fixtures and fittings, furniture and alarm systems which may be incorporated into a house.

The second new term is “Installation Information” which is defined as:

“Installation Information for a User Product means any methods, procedures, authorisation keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.”

This is a new requirement that was not in GPLv2 and is intended to ensure that entities using GPLv3 licenced software also provide any and all additional information necessary to ensure installation and running of the open source software.

These new terms are then used in the anti-Tivoisation requirement as follows:

“If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterised), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).”

In other words, where GPL’d software is conveyed in a consumer or domestic item the distributor must provide the source code and the installation details for the User Product, unless the user or any other 3rd party cannot install modified object code on the User Product (e.g. the software is distributed on a ROM).

This approach has “brokered” a somewhat uneasy compromise between the FSF stalwarts, such as Stallman, and the Linux “camp” headed by Linus Torvalds. Torvalds appears satisfied by this compromise as conveyances of Linux within the open source community will not generally be made through User Products. This gives Torvalds the freedom to apply digital signatures to the Linux kernel as a security measure. The compromise also means that medical equipment is outside the scope of the anti-Tivoisation measures. There had been debate that medical devices should not be covered by the anti-Tivoisation requirements as there is a need to be able to ensure that software in medical devices is not tampered with.

The anti-Tivoisation legal cases

Harald Welte, an open source activist in Germany, has brought a series of legal actions to draw attention to non-compliance with the GPL terms. A number of these actions have involved the distribution of open source in consumer products. Although the legal actions were brought under the GPLv2 and did not involve the use of technical measures to prevent the running of modified open source software on consumer products, they are indicative of the open source community’s concerns over the proliferation of the use of open source in domestic products without compliance with the terms of the GPL.

Welte’s legal actions have included cases against Sitecom and Skype as follows:

Welte v Sitecom Germany GmbH

The Munich court required Sitecom to comply with the terms of the GPLv2. The case involves netfilter/iptables, open source networking software for tasks such as firewalls for protecting a network from unwanted traffic.

Welte, one of the main netfilter authors, sued a Dutch company, Sitecom, alleging it used the software in a wireless network product without abiding by the terms of the GPL. In April 2004, a three-judge panel in a Munich court granted Welte’s request for a preliminary injunction to stop distribution of the product without complying with the GPL. Specifically, the court forbade Sitecom’s German subsidiary from distributing the netfilter software without attaching the GPL text and the netfilter source code free of royalties.

Welte v Skype

In another case the German courts have ruled that Skype violated the GPLv2 by selling a Linux-based phone without access to the source code. The action related to the Skype WSKP100 phone, made by SMC, in various countries, including the UK and Germany. Welte’s complaint was that Skype did not give every user access to the source code, as required by the GPLv2.

In response to legal action from the gpl-violations.org project, a website run by Welte, Skype included a flyer in the package giving a web link to the source code, but the court in Munich ruled that it was still not strictly in compliance with GPLv2, because it did not include the GPL licence itself.

As a result Skype changed the way that it sells the phone so that it now complies strictly with the terms of the GPL.

Erik Andersen and Rob Landley v Monsoon Multimedia Inc., case number 07-CV-8205

In the US, the GPL has been policed for many years with great effect by the Free Software Foundation’s Compliance Lab and, more recently, by the Software Freedom Law Center (“SFLC”). In September 2007, the SFLC filed the first ever US copyright infringement lawsuit based on a violation of the GPL on behalf of the principal developers of BusyBox, against Monsoon Multimedia, Inc. BusyBox is a lightweight set of standard Unix utilities commonly used in embedded systems and is open source software licenced under GPLv2.

Monsoon Multimedia publicly acknowledged that its products and firmware contained BusyBox but it did not provide recipients with access to the underlying source code, as required by the GPL. The complaint filed by SFLC on behalf of the BusyBox developers requested that an injunction be issued against Monsoon Multimedia, together with damages and litigation costs.

The legal action was settled very quickly. In October 2007, Monsoon Multimedia agreed to appoint an Open Source Compliance Officer to monitor and ensure GPL compliance, to publish the source code for the version of BusyBox it previously distributed on its website, and to undertake substantial efforts to notify previous recipients of BusyBox from Monsoon Multimedia of their rights to the software under the GPL. The settlement also includes an undisclosed financial settlement to the plaintiffs.

Conclusions

As the spread of open source litigation from the US to Europe indicates, companies cannot afford to sign up to the GPL without taking the obligations it imposes completely seriously. The stricter regime introduced under GPLv3 means that companies now need to pay close attention, not only to whether open source material is included, but also which version of the GPL applies, since version 2 continues to be used in parallel with the new version.