If the rightsholder could demonstrate that the retailer had performed an act restricted by copyright then, yes, going against the retailer could well be an option.

If, for example, the retailer was the first one to import the work in question into Europe, or copied the software onto the device itself.


Neil

__________

Neil Brown
***@neilzone.co.uk | http://neilzone.co.uk

Hi Ralph
FYI, I've spoken to the division at HM Revenue and Customs which deals with the seizure of infringing items, and they see no reason in principle why they may not use their powers against items containing infringing GPL code. However, the applicant does have to give various undertakings as to costs and damages etc. if the allegation turns out to be incorrect (which means, potentially, that they may be forced to the expense of proving their case in a court of law), so this is a fairly major disincentive to use thi

[ This email is ridiculously long. Much of it is just anecdotal info
about my meta-experiences in the software industry over the years as
they relate to GPL enforcement. I doubt you'll want to read it unless
you're really interested in the complicated politics of community GPL
enforcement, given from a non-profit advocate's perspective. And,
much of this stuff below are things I've already said in my various
public talks on the subject. ]
Oh, no, executives at BigWig are *much* more politically savvy than
that. They send proxies to fight GPL enforcement: if you see people who
have 'street cred' in the Free Software community criticizing my
enforcement efforts (as happens in the media from time to time, like
back in early 2012), you should "follow the money" and see where it
leads you. (I really wish we had true investigative journalists in the
tech industry who would dig this stuff out independently.)
Indeed, they use plenty of private intimidation tactics, of both the
carrot and the stick variety. Below are a few anecdotes. Of course,
since it is "back alley", as you point out, you have to take my word
that these things below happened. I'm sure that the people involved
would deny it and/or avoid the question if asked, which is the main
reason I don't name names.

For example, an executive at a well-known corporation that contributes
to Linux and other Free Software projects once tried to convince me that
his company would give huge amounts of money to Conservancy if
Conservancy stopped stop doing GPL enforcement entirely. Other
mid-level managers followed up later with the same message.

Later, a different executive from a different company, which has
invested millions in Linux and Linux-related products, told me privately
that his company would "just stop its work in Linux, Samba and BusyBox
if you don't stop this GPL enforcement" (which would've been comical if
he hadn't seemed dead serious -- it seemed he really thought I was naïve
enough to believe that might be true). I told him that I found that
impossible to believe, and that he flattered the few GPL enforcers in
the world if he was saying our behavior alone could change his company's
major business plans. That executive ended the conversation by telling
me that if we were "doing any GPL enforcement against [his] competitors,
get in touch, because [he] could help". (There is some hypocrisy in
these positions, as you can see.) This executive also said during the
same conversation that that his "lawyers have researched the question
and found that you cannot ever enforce the GPL without 100% of the
copyright". Of course, we'd already gotten multiple judicial decisions
in BusyBox cases that show he's just wrong about that. :) He was just
trying to see if he could scare me.

I've also been blackballed from attending some conferences and
participating in some industry groups occasionally, where the only
legitimate reason that can be found upon investigation is that some of
the event/group sponsors are against GPL enforcement. (The publicly
stated reasons are usually Kafkaesque, that can clearly be shown as a
double-standard when comparing me to other invited participants.)

There have also been plenty of attacks on my character, both public and
private. Political opponents of GPL enforcement make a lot of hay of
the fact that I'm not a tactful politician and I have no qualms about
frankly speaking truth to power. I'm admittedly kinda the Michael Moore
of Free Software. But, political opponents use this as a way to
discredit me and conflate me personally with the broader work of
non-profit GPL enforcement -- since I'm the most known for it -- yet
it's not me excursively doing it.

Finally, at previous employers, I've actually been told by my managers
that they were under serious pressure from their funders to stop my GPL
enforcement work. I have fewer details on this part because I was only
told that second-hand and thus my repeating it is double-hearsay, but it
was clear to me that the managers in the situation believed it to be
true and they made substantial policy changes based on the information.

Now, I want to be abundantly clear on something I said before: this is
*not* a conspiracy. All the actors involved have their own reasons
(some of which overlap) for opposing GPL enforcement. But, I've
discovered that claims that community-oriented GPL enforcement [0] is
"controversial" -- which is a widely held political belief -- can be
traced back to a relatively few powerful people inside a few large
companies, who convince others -- some of whom are otherwise considered
software freedom heroes -- to spread a FUD message about GPL
enforcement. It's just a long-standing perfect storm scenario. I've
struggled for the last 12 years to fight the FUD, but these powerful
people are frankly better politicians than I am.
Indeed, I can imagine being offered some cushy job *specifically* as a
way of getting me to stop doing GPL enforcement. The reason no one
offers me that is because they know I won't take it. :) (cf: the scene
in *It's a Wonderful Life* where Potter offers George Bailey a job. ;)
It's all about the proprietary kernel modules. There's a lot of
powerful forces that want to keep modules proprietary, even though the
GPL prohibits that. If upstream Linux were LGPL'd (or de-facto treated
as if it were), well, then proprietary modules would be permitted.
Fortunately, Linux is not LGPL'd, but GPL'd -- however, if we don't
enforce, as I've said before, an unenforced GPL is the functional
equivalent of the Apache License.

... which brings me to another example of a dirty political trick a law
firm lawyer (formerly counsel to a Linux-related company) pulled on me
not too long ago: misquoting me on purpose on that statement above,
claiming that I said: "if copyright holders fail to enforce the GPL, the
copyright holders are giving you permissions equivalent of the Apache
license". Obviously, I never said that. The truth doesn't matter to
these people. :)
I mean, after all, I *am* too busy to get to most GPL violations, and
Harald and Armijn for their part have retired from community GPL
enforcement work. There are hundreds of active violations, and I work
on 20-30 a year. I think FSF has similar numbers.
Nah, that's the "old story" of GPL compliance issues -- what I was
saying in talks 3-5 years ago. The real story now is that savvy
violators are testing the boundaries of copyleft and have become brazen.
I get a lot of: "You think that's what the GPL requires? Fine, sue
us."-like responses (even on simply stuff like "you have to respond to
requests for source"). I'm amazed at this, because both Harald and I
*have* coordinated lawsuits before and can do so again. :) It should be
clear to everyone that "you might get sued unless you comply" is not a
bluff. But they still think it's a bluff, and they're starting to call
more often. I used to be a professional poker player, so I know what to
do when you get called too often: show up with a hand in the next really
big pot.
Yes, I think this work is still worth doing. That's why I want to
improve that book I mentioned elsewhere in this thread.
Yes, the low-hanging fruit isn't cutting it. When I focused on low
hanging fruit, I got more "volume" of compliance, sure, but the problem
is the truly bad actors laughed their way to the bank by willfully
violating the GPL in nasty ways. I'm convinced now we have to mix
enforcement between some low-hanging fruit of "the clueless violators"
while also going after some of these companies who just get away with
major violations for very long periods of time because they have the
money to fund big law firm lawyers to fight copyleft.
The general rule of thumb in the USA is that you can contract away any
right or privileged that isn't specifically prohibited from contracting
away by some state/Commonwealth or federal law. The USA is a scary
place, legally speaking. :)

But, I suspect that employers are not asking developers to contract away
their right to enforce their own copyrights on key Free Software
programs. I think what's actually happening is a chilling effect: if
you know your bosses hate GPL enforcement and you generally like your
job, won't you avoid enforcing the GPL?
Indeed, what employers *do* typically take (in part because it's the
default situation in the USA) is Free Software contributions that are
"work for hire", and thus copyrighted by the employer, not the employee.
Employees can and should insist on an explicit exception to this in
their contracts. A few Free Software-friendly employers have been good
about granting such exceptions upon request (at least for major Free
Software contributors who have a history of contribution before their
hire). No company is likely to offer this as an option on a menu;
employees must insist on it.
I agree, we should do that. I certainly try, but as I've explained,
I've got a lot of people working hard to convince developers not to
listen to me. :)
Ideally, this would be a joint campaign from multiple orgs. I've just
asked the folks at OSI, Conservancy and FSF whom I know if they'd be
willing to work on this.
I try to make the case that it's about the users. Most of the time, I
admit fully the CCS releases we get don't have ready-to-upstream code in
them. Some detractors have argued that GPL enforcement is *never*
worthwhile if it doesn't produce ready-to-upstream code. However, I
think we get something much more important: "scripts used to control
compilation and installation of the executable" and all the sources
needed to actually get software for the device in question built and
installed. This type of CCS release gained through enforcement actions
have created communities like OpenWRT and sammyGo. If we had more
leverage to enforce (i.e., more copyright holding developers involved),
we can help create more of these great outcomes.
I hope so. I've heard a few developers say they just don't care about
these communities who build modified firmwares. For example, one Linux
developer who opposes GPL enforcement told me: "I only care about the .c
file". But, I think that's a minority opinion: I suspect most
copyright-holding developers can see that helping out their users to
make modified firmwares for embedded devices is a good thing.

(Heck, if the violating companies weren't so short sighted, they'd see
it's a good thing for them too. A hackable firmware makes a lot better
product because there is diversity of interest from different types of
customers. But, even Linksys never saw that value: the WRT54G,
precisely because of Harald's and my enforcement action, ended up
selling a *lot* more units than it would have if we'd not enforced and
gotten a buildable and installable source release that launched the
OpenWRT project.)

[0] By community-oriented GPL enforcement, I mean the specific type of
enforcement that FSF and Conservancy does: which focuses exclusively
on getting compliance and merely recovering reasonable staff-time
costs for achieving that compliance from the violator. Ironically,
GPL enforcement of other types, such as (a) using GPL as a ploy
counter-claim in patent infringement suits, or (b) Oracle-style
MySQL violation shake-downs, seems to be the darling of the Open
Source industry. Not surprisingly, I have long called that that
type of enforcement "corrupt use of the GPL", mainly because the
enforcers in those cases don't actually seek compliance -- they seek
a deal on some other issue (such as making a patent suit go away, or
selling a proprietary license), and are using enforcement merely as
unrelated leverage. In those cases, compliance is almost never
achieved, and the "other, more important, business outcome" is
reached instead.

By contrast, in the case of community-oriented GPL enforcement,
there is no other goal higher than compliance, and as such nothing
else will be accepted in exchange for failure to comply: financial
or otherwise. This is an important concept, because unless one's
motives are completely pure in this regard to gain compliance, it's
very easy to become corrupt. This is why I try to be as transparent
as possible at how I pick GPL violation matters to work on and what
the demands are (the book I've been talking about covers this part).
It's in fact the primary reason why I've been participating on this
list more in recent months: to increase transparency.

Be very careful what specific view you're implying when you say "is the
minority view, rejected by the author/steward of the license [meaning FSF]".

AFAIK, the only related item that RMS has said specifically isn't covered by
GPLv2 is cryptographic lock-down -- i.e., a system that does not allow the
user to install modified versions of GPLv2'd software due to cryptography.
RMS has said such crypto-lock-down is permitted on GPLv2 but not by GPLv3.
I, Alan Cox, Jeremy Allison, and others do hold the minority view that GPLv2
*does* require disclosure of a method to install modified versions even in
this situation.

However, I realize that RMS made a problem for that minority interpretation
by saying what he's said. I was even deposed on this point in Conservancy
& Andersen v. Best Buy, et al. The violators brought my whole blog into
evidence just to ask me about about this blog post:
http://ebb.org/bkuhn/blog/2010/07/15/motorola-admits.html ). Here's the
relevant porition of the deposition transcript (Q is the violator's attorney,
A is me):
Q. Do you see that the second sentence is: "In
fact, in my reading of GPL Version 2, in comparison to
GPL Version 3, the only affected [sic] difference between the
two on this point relates to cryptographic device
lockdown. I do admit that under GPL Version 2, if you
give all the required installation scripts, you could
still use cryptography to prevent those scripts from
functioning without an authorization key."
Did I read those two sentences correctly?

A. Yes.

Q. Do you have any reason to disagree with those two sentences?

A. I believe that we're stuck in that interpretation of GPL V 2,
much to my chagrin.

I think it's kind of funny that some first year associates had to read my
entire blog going back to the 1990s just to find that quote so their
boss could ask me about it in deposition. :)

Anyway, there is no indication of any other difference in what
must be included with GPLv2's "scripts used to control compilation and
installation of the executable" and what GPLv3 requires in its (more long-winded)
equivalent provision. The only difference in GPLv2-compliant build/install
instructions and GPLv3-compliant build/install instructions would be "the
GPLv2 ones don't tell you how to cryptographically sign the binary as part of
the install process". Nothing FSF has ever said contradicts that
interpretation, and AFAIK it's the interpretation that both FSF and
Conservancy use in their GPL enforcement matters.

I've said frequently on my talks in GPL enforcement: the people that try
to say there's more to the difference between v2's and v3's requirements
in this regard (beyond cryptographic key issue) are likely going to end up
violating GPLv2. And I'll come knocking.

-- bkuhn