
Why companies don't do GPL enforcement

This article brought to you by LWN subscribers


March 8, 2017

This article was contributed by Luis Villa

As LWN's reports on Linux kernel code contribution have shown for years, corporations pay for lots and lots of GPL code. So why isn't there much visible corporate-sponsored GPL-enforcement work? Looking at the questions businesspeople ask when deciding to enforce can help us understand why public GPL enforcement rarely makes sense for businesses, and why quiet threats of enforcement are often effective — and probably a lot more common than you may realize.

What question doesn't get asked?

In his recent talk at FOSDEM, Richard Fontana spoke of using enforcement to encourage "collaboration" by "making a level playing field". While I strongly agree that's a valid reason to do enforcement, I've never seen anyone in a corporate context ask if they should enforce for that reason. That benefit is too abstract, and the costs very specific and real. Businesses typically need much more concrete reasons to make legal threats, especially public ones.

Do they have code I want?

The first question typically asked in community enforcement is "does the license violator have code I want?".

For most individuals who are trying to pursue a GPL violation, the answer is yes — usually because the potential enforcer has other, related code or hardware that would be improved by freeing the defendant's code. This is the intuition that drives the most common type of GPL enforcement — against Linux kernel modules, which can enable many people to use hardware in new and interesting ways.

But for large companies, violators usually don't have interesting code. For a healthy business, a code dump from a hostile party may be actively uninteresting: it will require maintenance, may be poorly written, and probably won't be aligned with its business needs. Imagine if Red Hat had done some of the early WiFi-related enforcement work, for example — what would it have done with that code? It wouldn't have helped Red Hat win its primary target market of enterprise servers, and would have cost engineering time to maintain. So even though it was in a strong position to enforce the GPL there (and presumably in many Internet-of-things infringements since then) it would not have made much sense.

Do they have cash, or customers, I want?

Of course, not everyone wants code. Sometimes they want money, or to shut down a competitor. Again, most GPL-contributing companies don't go this route, for a couple of reasons. First, many GPL violators tend to be small companies that can't afford proper compliance. Suing small, poor companies isn't a great plan to make lots of money. In the hardware space, they are also often in China, making it yet more difficult to sue and collect.

Second, many large GPL-contributing companies these days tend not to be threatened by competitors using their code. As just a few examples from the top contributor list, Red Hat knows that its primary value is in support and partnerships; Google in advertising; Intel and AMD in hardware. These companies don't view code as their actual primary business, so suing to shut down a competitor who relies on the same code rarely makes sense.

One key exception to both of these patterns is Oracle. It is willing to enforce at scale against small companies, and it views licensing as its primary business. So it is no surprise that Oracle enforces its licenses (GPL and otherwise) against Java (and MySQL) users.

Have I tried other routes and failed?

As suggested by the previous two questions, businesspeople will often decide that they simply don't care enough to enforce the GPL. But when they do care, and want code, cash, or to scare competition, they know public threats and lawsuits are expensive and uncertain. So before making public enforcement threats they'll almost always try other private routes to get what they want. Some of those options include the following:

If they want code, they can often offer business partnerships or simply try to buy the code they need. GPL enforcement can come into play here, since private threats of GPL enforcement can be used to improve the terms of the deal. Either borrowing or partnering moves a lot faster — and is more likely to be a "win-win" situation — than a lawsuit.

If they want revenue, they often don't need a lawsuit: mere implied threats of enforcement can often turn a violator into a paying customer when there is an alternate licensing model available. These threats (subtle or not) are the essence of the AGPL "dual license" business model, and other software vendors also use variations on this in the GPL space.

If a business that distributes GPL code wants to defend itself against competitors, even with GPL there are often many options that are quicker and more reliable than litigation. For example, a software author can sometimes make the code more difficult to use while still complying with the GPL. Another, unfortunate, option is to make parts of the code that are most marketable, or susceptible to competition, proprietary.

Because these options are often effective, and don't have the costs of public enforcement, they happen much more regularly than many readers of LWN might suspect, and certainly much more regularly than other forms of enforcement.

What will it cost me? (Hint: not just money.)

If other options aren't right, and a businessperson still wants to enforce the license, they have to start thinking about the costs of enforcement.

The immediate costs are obvious: most of the big GPL copyright holders tend to play to win when they sue other companies, which means eight-digit legal fees for a single trial are common. And even cases against defendants with fewer resources can take years to resolve; years during which your executives and engineers may well be tied up in depositions and other trial-related distractions. (The later BusyBox cases took around three years to resolve, and the VMware case recently entered its sixth year.)

The costs can be non-financial as well: suing licensees will often make customers nervous, and can lead them to start looking for other vendors. Fontana noted in his talk that these fears can crop up even for vendors who have a long-established tradition of being reasonable about licensing, like Red Hat. (With this in mind, it shouldn't be a surprise that companies who already have a bad reputation for customer relationships are often the ones that do enforcement.)

Will I actually win?

Let's say a GPL-owning company has answered the previous questions in the right way: it's comfortable that its target has money or market share that it wants, other options aren't available, and suing won't bother its customers.

That still leaves it with a critical question: if it sues, will it win? Remember that, because the targets likely have market share and money, they're going to fight tenaciously. Their options can include challenging ownership of the copyright in question, attacking the scope of the GPL (where that is an issue), and even challenging the enforceability of the license in general in cases where the authorship is complex. While we generally assume we can rely on these things, they are rarely tested in court, so any high-stakes litigation around GPL will have to deal with them. This is a particularly risky proposition for any business that writes a lot of GPL code: if it enters into litigation and loses, it may lose not just that case, but an entire portion of its business model.

If the odds of winning are not great, this takes us back to square one: is all the money, time, hassle, and customer risk worth it? Are there other options we can try? With all those factors in play, it is no surprise that public corporate enforcement happens rarely.


