III.  Legal and Technological Changes and the Response:  GPLv3

The Free Software Foundation released a proposed Version 3 of the GPL (GPLv3) for public comment on January 16, 2006.65  GNU states that the key motivation behind the revised license is not a philosophical shift, but a perceived need for additional measures to uphold GNU's existing free software philosophy.66  It is noteworthy that GPLv3 devotes an entire new section to Digital Rights Management (“DRM”).67  DRM refers broadly to technological measures which control access to digital information.68  Digital information, of course, now includes movies on DVD, music on CD, electronic books, or practically anything else that can be transmitted over the Internet.  Given that many such items are works protected by copyright-and that copyright holders are generally interested in controlling the circulation of their works-the number of potential applications for DRM is virtually unlimited.  DRM is patently unacceptable to GNU, which has relabeled the concept “Digital Restrictions Management”69 and rejected DRM outright as incompatible with free software, stating that “DRM is fundamentally in conflict with the freedoms of users that the GPL is designed to safeguard . . . .”70  GNU further notes that their “ability to oppose DRM by means of free software licenses is limited.”71 In making an attempt to combat DRM via GPLv3, however, the added provisions are unacceptably vague and will undermine the GPL's legitimacy.  The next two sections address GPLv3's DRM provisions in turn.  

A.  Privacy

The subject of privacy does not appear in Version 2, the current official version of the GPL.72  In contrast, GPLv3 explicitly addresses the issue, providing that “[r]egardless of any other provision of this License, no permission is given to distribute covered works that illegally invade users' privacy . . . .”73  Taking this language at its plain meaning, it marks a sharp doctrinal departure from GNU's traditional ethos of permitting any and all uses of free software, as long as the GPL's redistribution requirements are observed.  While making clear that it views some uses of software as unethical, the FSF has in the past explicitly declined to enforce any ethical regime among users of the GPL.74  In fact, in criticizing another license which attempts to invoke such restrictions, the GNU Project has stated that such restrictions in a software license would be both “unnecessary” and “ineffective.”75  It goes on to claim that “[t]he GNU GPL is sufficient protection against privacy-violating features, because it ensures that someone can get the source code, find the [privacy-violating] feature, and publish an improved version of the software which does not have the feature.”76  In early 2005, FSF went so far as to foreclose the idea that GPLv3 would contain any such software-purpose restrictions, declaring its intention to “reject restrictions on who can use free software, or what it can be used for.”77  That such a broad and explicit anti-privacy-invasion provision has suddenly found itself in GPLv3 is incongruous with its prior declarations and unexplained by FSF.

Even if GNU indeed intends to begin restricting GPL-covered software to what it considers to be “ethical uses,” this is not likely to be accomplished by the anti-privacy-invasion provision as written.  The most fundamental flaw with the provision is that the terms illegal and invasion make the statement somewhat circular.  A legal invasion of privacy is arguably not an invasion at all.  Black's Law Dictionary defines an “invasion of privacy” as “[a]n unjustified exploitation of one's personality or intrusion into one's personal activity . . . .”78  Black's definition suggests that if an invasion is an unjustified intrusion, then some intrusions are justified, removing justified intrusions from the category of invasion.  

Furthermore, the provision as written is not particularly compatible with the stated purposes of GPL.  The FSF states that opposition to certain legal changes in the past fifteen years is part of FSF's rationale behind the revised license.79  But in providing only for the prohibition of illegal invasions of privacy, GPLv3 appears to hypothetically permit the use of GPL-covered software for any invasions of privacy that an oppressive government wishes to impose on its citizens, so long as those invasions are legally within that government's power.  In other words, GPLv3 ironically begins as a response to unfavorable changes in the law, but then uses simple legality as its standard for acceptable behavior.

On closer inspection, this provision's flaws extend beyond confusing wording.  Privacy is a context-dependent concept.  In the United States, warrantless governmental monitoring of a citizen's Internet usage would risk running afoul of the Fourth Amendment, while the same activity is widely permitted when performed by an employer.80  However, what if a warrant has been properly issued for a legal wiretap on a citizen?  What if a citizen has consented to being monitored, or if the party with whom the citizen is communicating has so consented?  Whether the monitoring in any of these cases is legal is highly fact-dependent.  Unfortunately, any software being used to monitor an individual's Internet usage will be unable to even ascertain the specific facts of any given instance, much less adequately take them into consideration.  

In addition to being a context-dependent concept, privacy lacks a consistent meaning across jurisdictional boundaries.  For example, while the Charter of Fundamental Rights of the European Union recognizes an individual's right “to respect for his or her private and family life, home, and communications”81 and “to the protection of [his] personal data,”82 there is no such explicit privacy right in the United States Constitution.  Privacy guarantees in the United States are instead based on “certain areas or zones of privacy.”83  Because “privacy” has no universal legal meaning, the concept is too nebulous to be effectively protected by a software license.

An additional problem is that this provision does not adequately explain who constitutes a “user.”  Is the provision meant to protect only the privacy of the person running the program, for example, by prohibiting GPL-covered “spyware?”84  Or does the provision also cover the privacy of users other than the person running the program?  Consider that several GPL-covered programs are designed for activities that can be either legitimate or privacy-invasive, depending on how they are used.  For example, some “network scanners” are covered by the GPL.85  These programs can be used to determine how many and what kinds of computers are present on a network, typically without the knowledge of other users.86  This activity is neither ethical nor unethical in the abstract.  It can be carried out by a network administrator who needs to know what has attached itself to the network, or it can be carried out by a criminal as a first step in a break-in.  Another dual-use tool is a “password cracker,”87 which can be used for either recovering a lost password for a user (ethical) or for guessing another's password without permission (unethical).  Another example is a “packet sniffer,”88 which can be used for either analyzing raw network traffic between two machines to find communication problems (ethical) or for silently intercepting network traffic to look for passwords or other private information (unethical).  Some of these programs are also GPL-covered, yet GPLv3's privacy provision does not make a distinction between dual-use tools and the uses to which such tools are put.  A broad reading of GPLv3's anti-privacy-invasion provision arguably will prohibit the distribution of any program that may be used as a tool for privacy invasion.

In attempting to prohibit privacy-invading programs, the FSF has failed to recognize that it is people, not programs, who invade privacy.  A piece of software cannot be held liable for an act.  GPLv3 ignores the distinction between tools that can be used to carry out digital privacy invasion and the act of invasion itself.  Thus, a number of software tools with legitimate uses, presently distributed under the GPL, would risk running afoul of GPLv3.

Apart from present-day programs, there are also potential conflicts with programs that work in conjunction with emerging technologies.  For example, the use of biometric technology89 in security and surveillance activities has raised a number of privacy issues.90  If some aspect of an emerging technology is judged by the FSF to be “privacy-invasive,” a strict reading of GPLv3 implies that no GPLv3-covered software may be used for that purpose.  Declaring entire fields of endeavor to be off limits for GPLv3-covered software in turn raises another problem-determining when a connection to such a field is attenuated enough to fall within GPLv3's permissions.  For example, how should the use of a GPLv3-covered word processor by a government surveillance agency be evaluated?  Does the agency violate GPLv3's privacy provisions when it uses the word processor to maintain lists of surveillance subjects?  Or is any use of the software in a “privacy-invasive” field in turn a “privacy-invasive” use?  GPLv3 provides no guidance in this area.

B.  “Effective Technological Protection Measure[s]”

A comparison of the key words in the second part of the “Digital Restrictions Management” provision of GPLv3 suggests that it is intended as a frontal attack on the Digital Millennium Copyright Act (DMCA).91  The DMCA is designed to provide additional protections to copyright holders who protect their works using technological measures,92 and provides that “[n]o person shall circumvent a technologicalmeasure that effectively controls access to a work protected under [copyright].”93  GPLv3 provides that:

“[n]o [GPL-]covered work constitutes part of an effective technological protection measure:  that is to say, distribution of a covered work as part of a system to generate or access certain data constitutes general permission at least for development, distribution and use, under this License, of other software capable of accessing the same data.” 94

The intent, evidently, is that GPL-covered software may never be used as a tool for furthering the purposes of the DMCA.  The “Rationale Document” for GPLv3 lends some support to this reading, noting that “[t]he second paragraph of section 3 declares that no GPL-covered program is part of an effective technological protection measure, regardless of what the program does.”95  However, this provision suffers from at least two deficiencies:  (1) it is ambiguous about exactly what a GPLv3 licensee is required to make available; and (2) under a practical interpretation of that requirement, it raises problems for those wishing to distribute GPL-covered works alongside non-GPL-covered works-a right which the license claims to grant.

1.  Ambiguity of the “General Permission” Requirement

As an example of the first deficiency, consider a hypothetical medical information management system for small offices, which employees use via their web browser on the office network.  The system is developed and sold as a unit by a system supplier.  It consists of:  (1) a personal computer running the Linux operating system, which is covered by the GPL; (2) additional open-source software packages, including a web server and database server, which are either covered by the GPL or a free software license compatible with the GPL;96 and (3) additional, proprietary software developed by the system supplier, custom written for managing medical records.97  Office employees use the system to maintain information about new and existing patients, including names, addresses, and medical histories.  As GPLv3 leaves most of the terms in the provision undefined, one can reasonably construe the product as constituting “a system” under the provision, with Linux (and any other GPL-covered software present) constituting “covered works” that are part of that system, and the medical information it manages to constitute “certain data” which is “generated” and “accessed” by the system.98  However, what the system supplier must actually permit or make available, in order to grant this “general permission” for development of software capable of “accessing the same data,” is not specified.

A literal interpretation suggests that other developers should have access to the medical data itself.  This is undoubtedly not the intent, particularly given GPLv3's preoccupation with privacy, as discussed above.  A more realistic reading is that the system supplier must give permission to utilize the same data format; that is, that the internal structure of the data cannot be kept proprietary, but must be made open to anyone interested in learning the structure.  This reading is consistent with the FSF philosophy that free software must include “the freedom to study how the program works, and adapt it to your needs . . . [for which] [a]ccess to the source code is a precondition . . . .”99  However, this result is inconsistent with another key GPL provision:  that non-GPL-covered works, even proprietary works, may be distributed along with GPL-covered works as long as the GPL-covered and the non-GPL-covered portions are kept sufficiently separate from one another.

2.  Conflict with the “Mere Aggregation” Provisions

Under the more realistic reading of the “general permission” requirement, requiring that details about the internal workings of non-GPL-covered works be made available when they are distributed together with GPL-covered works, it is dubious whether a proprietary product such as the specialized medical information management program as described above can be distributed and remain proprietary.100  Section 2 of GPL Version 2 specifies that source code must be supplied when modified versions of GPL software are distributed.101  However, this requirement is limited to works either: (1) derived from the GPL-covered program itself; or (2) separate from the GPL-covered program, but distributed as part of another program which is based on the GPL-covered program.102

Other works that are not based on, or an extension of a GPL-covered program, but instead are separate, independently-created works may be distributed with GPL-covered programs without falling within this requirement.103  GNU has further clarified this “mere aggregation” provision, going so far as to state that simply because two programs-for instance, a GPL-covered database server and a proprietary program to retrieve data from that database-may interoperate by communicating with each other, they are not combined into one program for the purposes of the GPL.104  This provision appears with different wording in Section 5 of GPLv3,105 but the “Rationale Document” declares that “the underlying meaning is unchanged.”106  If that is the case, it is unclear how one is still free to distribute proprietary works together with GPL-covered works, while simultaneously granting permission to “access” anything that the proprietary program would access.  GPLv3 gives no further guidance as to what constitutes this general permission or how it is to be granted, leaving much room for misinterpretation.