Wiretapping also known as wire tapping or telephone tapping, is the monitoring of telephone and Internet-based
conversations by a third party, often by covert means. The wire tap
received its name because, historically, the monitoring connection was
an actual electrical tap on an analog telephone or telegraph line. Legal
wiretapping by a government agency is also called lawful interception. Passive wiretapping monitors or records the traffic, while active wiretapping alters or otherwise affects it.
Lawful interception is officially strictly controlled in many countries to safeguard privacy; this is the case in all liberal democracies. In theory, telephone tapping often needs to be authorized by a court, and is again in theory, normally only approved when evidence shows it is not possible to detect criminal or subversive
activity in less intrusive ways. Oftentimes, the law and regulations
require that the crime investigated must be at least of a certain
severity. Illegal or unauthorized telephone tapping is often a criminal offense. In certain jurisdictions, such as Germany and France, courts will accept illegally recorded phone calls without the other party's consent as evidence, but the unauthorized telephone tapping will still be prosecuted.
The telephone call recording laws in most U.S. states require only one party to be aware of the recording, while twelve states require both parties to be aware.
In Nevada, the state legislature enacted a law making it legal for a
party to record a conversation if one party to the conversation
consented, but the Nevada Supreme Court issued two judicial opinions
changing the law and requiring all parties to consent to the recording
of a private conversation for it to be legal. It is considered better practice to announce at the beginning of a call that the conversation is being recorded.
The Fourth Amendment to the United States Constitution protects privacy rights by requiring a warrant
to search an individual. However, telephone tapping is the subject of
controversy surrounding violations of this right. There are arguments
that wiretapping invades an individual's personal privacy and therefore
violates their Fourth Amendment rights. On the other hand, there are
certain rules and regulations, which permit wiretapping. A notable
example of this is the Patriot Act. The Patriot act does, in certain circumstances, give the government permission to wiretap citizens. In addition, wiretapping laws vary per state which makes it even more difficult to determine whether the Fourth Amendment is being violated.
Canada
In
Canadian law, police are allowed to wiretap without the authorization
from a court when there is the risk for imminent harm, such as kidnapping or a bomb threat.
They must believe that the interception is immediately necessary to
prevent an unlawful act that could cause serious harm to any person or
to property. This was introduced by Rob Nicholson on February 11, 2013, and is also known as Bill C-55. The Supreme Court gave Parliament twelve months to rewrite a new law. Bill C-51
(also known as the Anti-Terrorism Act) was then released in 2015, which
transformed the Canadian Security Intelligence Service from an
intelligence-gathering agency to an agency actively engaged in
countering national security threats.
Legal protection extends to 'private communications' where the
participants would not expect unintended persons to learn the content of
the communication. A single participant can legally, and covertly
record a conversation. Otherwise police normally need a judicial warrant
based upon probable grounds to record a conversation they are not a
part of. In order to be valid wiretap authorization must state: 1) the
offense being investigated by the wiretap, 2) the type of communication,
3) the identity of the people or places targeted, 4) the period of
validity (60 days from issue).
India
In India,
the lawful interception of communication by authorized law enforcement
agencies (LEAs) is carried out in accordance with Section 5(2) of the
Indian Telegraph Act, 1885 read with Rule 419A of Indian Telegraph
(Amendment) Rules, 2007. Directions for interception of any message or
class of messages under sub-section (2) of Section 5 of the Indian
Telegraph Act, 1885 shall not be issued except by an order made by the
Secretary to the Government of India in the Ministry of Home Affairs in
the case of Government of India and by the Secretary to the State
Government in-charge of the Home Department in the case of a state
government. The government has set up the Centralized Monitoring System
(CMS) to automate the process of lawful interception and monitoring of
telecommunications technology. The government of India on 2015 December 2
in a reply to parliament question no. 595 on scope, objectives and
framework of the CMS has struck a balance between national security,
online privacy and free speech informed that to take care of the privacy
of citizens, lawful interception and monitoring is governed by the
Section 5(2) of Indian Telegraph Act, 1885 read with Rule 419A of Indian
Telegraph (Amendment) Rules, 2007 wherein oversight mechanism exists in
form of review committee under chairmanship of the Cabinet Secretary at
Central Government level and Chief Secretary of the State at the state
government level.Section 5(2) also allows the government to intercept messages that are public emergencies or for public safety.
The contracts or licenses by which the state controls telephone companies
often require that the companies must provide access to tapping lines
to law enforcement. In the U.S., telecommunications carriers are
required by law to cooperate in the interception of communications for
law enforcement purposes under the terms of Communications Assistance for Law Enforcement Act (CALEA).
When telephone exchanges
were mechanical, a tap had to be installed by technicians, linking
circuits together to route the audio signal from the call. Now that many
exchanges have been converted to digital technology, tapping is far
simpler and can be ordered remotely by computer. This central office
switch wiretapping technology using the Advanced Intelligent Network
(AIN) was invented by Wayne Howe and Dale Malik at BellSouth's Advanced
Technology R&D group in 1995 and was issued as US Patent #5,590,171. Telephone services provided by cable TV companies also use digital switching technology. If the tap is implemented at a digital switch,
the switching computer simply copies the digitized bits that represent
the phone conversation to a second line and it is impossible to tell
whether a line is being tapped. A well-designed tap installed on a phone
wire can be difficult to detect. In some places, some law enforcement
may be able to even access a mobile phone's internal microphone even
while it isn't actively being used on a phone call (unless the battery
is removed or drained). The noises that some people believe to be telephone taps are simply crosstalk created by the coupling of signals from other phone lines.
Data on the calling and called number, time of call and duration,
will generally be collected automatically on all calls and stored for
later use by the billing
department of the phone company. These data can be accessed by
security services, often with fewer legal restrictions than for a tap.
This information used to be collected using special equipment known as pen registers and trap and trace devices
and U.S. law still refers to it under those names. Today, a list of
all calls to a specific number can be obtained by sorting billing
records. A telephone tap during which only the call information is
recorded but not the contents of the phone calls themselves, is called a
pen register tap.
For telephone services via digital exchanges, the information
collected may additionally include a log of the type of communications
media being used (some services treat data and voice communications
differently, in order to conserve bandwidth).
Conversations can be recorded or monitored unofficially, either by
tapping by a third party without the knowledge of the parties to the
conversation or recorded by one of the parties. This may or may not be
illegal, according to the circumstances and the jurisdiction.
There are a number of ways to monitor telephone conversations.
One of the parties may record the conversation, either on a tape or
solid-state recording device, or they may use a computer running call recording software. The recording, whether overt or covert, may be started manually, automatically when it detects sound on the line (VOX), or automatically whenever the phone is off the hook.
using an inductive coil tap (telephone pickup coil) attached to the handset or near the base of the telephone, picking up the stray field of the telephone's hybrid;
fitting an in-line tap, as discussed below, with a recording output;
using an in-ear microphone while holding the telephone to the ear
normally; this picks up both ends of the conversation without too much
disparity between the volumes;
more crudely and with lower quality, simply using a speakerphone and recording with a normal microphone.
The conversation may be monitored (listened to or recorded) covertly by a third party by using an induction coil or a direct electrical connection to the line using a beige box.
An induction coil is usually placed underneath the base of a telephone
or on the back of a telephone handset to pick up the signal inductively.
An electrical connection can be made anywhere in the telephone system,
and need not be in the same premises as the telephone. Some apparatus
may require occasional access to replace batteries or tapes. Poorly
designed tapping or transmitting equipment can cause interference
audible to users of the telephone.
The tapped signal may either be recorded at the site of the tap or transmitted by radio or over the telephone wires. As of 2007
state-of-the-art equipment operates in the 30–300 GHz range to keep up
with telephone technology compared to the 772 kHz systems used in the
past. The transmitter may be powered from the line to be maintenance-free,
and only transmits when a call is in progress. These devices are
low-powered as not much power can be drawn from the line, but a
state-of-the-art receiver could be located as far away as ten kilometers
under ideal conditions, though usually located much closer. Research
has shown that a satellite can be used to receive terrestrial transmissions with a power of a few milliwatts. Any sort of radio transmitter whose presence is suspected is detectable with suitable equipment.
Conversation on many early cordless telephones could be picked up with a simple radio scanner or sometimes even a domestic radio. Widespread digital spread spectrum technology and encryption has made eavesdropping increasingly difficult.
A problem with recording a telephone conversation is that the
recorded volume of the two speakers may be very different. A simple tap
will have this problem. An in-ear microphone, while involving an
additional distorting step by converting the electrical signal to sound
and back again, in practice gives better-matched volume. Dedicated, and
relatively expensive, telephone recording equipment equalizes the sound
at both ends from a direct tap much better.
Location data
Mobile phones are, in surveillance terms, a major liability.
For mobile phones the major threat is the collection of communications data.
This data does not only include information about the time, duration,
originator and recipient of the call, but also the identification of the
base station where the call was made from, which equals its approximate
geographical location. This data is stored with the details of the call
and has utmost importance for traffic analysis.
It is also possible to get greater resolution of a phone's
location by combining information from a number of cells surrounding the
location, which cells routinely communicate (to agree on the next
handoff—for a moving phone) and measuring the timing advance, a correction for the speed of light in the GSM
standard. This additional precision must be specifically enabled by the
telephone company—it is not part of the network's ordinary operation.
Internet
In 1995, Peter Garza, a Special Agent with the Naval Criminal Investigative Service, conducted the first court-ordered Internet wiretap in the United States while investigating Julio Cesar "Griton" Ardita.
As technologies emerge, including VoIP, new questions are raised about law enforcement access to communications (see VoIP recording). In 2004, the Federal Communications Commission was asked to clarify how the Communications Assistance for Law Enforcement Act
(CALEA) related to Internet service providers. The FCC stated that
“providers of broadband Internet access and voice over Internet protocol
(“VoIP”) services are regulable as “telecommunications carriers” under
the Act.”
Those affected by the Act will have to provide access to law
enforcement officers who need to monitor or intercept communications
transmitted through their networks. As of 2009, warrantless
surveillance of internet activity has consistently been upheld in FISA court.
The Internet Engineering Task Force has decided not to consider requirements for wiretapping as part of the process for creating and maintaining IETF standards.
Typically, illegal Internet wiretapping will be conducted via Wi-Fi connection to someone's internet by cracking the WEP or WPA key, using a tool such as Aircrack-ng or Kismet. Once in, the intruder will rely on a number of potential tactics, for example an ARP spoofing attack which will allow the intruder to view packets in a tool such as Wireshark or Ettercap.
Mobile phone
The second generation mobile phones (c. 1978 through 1990) could be easily monitored by anyone with a 'scanning all-band receiver'
because the system used an analog transmission system-like an ordinary
radio transmitter. The third generation digital phones are harder to
monitor because they use digitally encoded and compressed transmission.
However the government can tap mobile phones with the cooperation of the
phone company.
It is also possible for organizations with the correct technical
equipment to monitor mobile phone communications and decrypt the audio.
To the mobile phones in its vicinity, a device called an "IMSI-catcher"
pretends to be a legitimate base station of the mobile phone network,
thus subjecting the communication between the phone and the network to a
man-in-the-middle attack.
This is possible because, while the mobile phone has to authenticate
itself to the mobile telephone network, the network does not
authenticate itself to the phone.There is no defense against IMSI-catcher based eavesdropping, except
using end-to-end call encryption; products offering this feature, secure telephones,
are already beginning to appear on the market, though they tend to be
expensive and incompatible with each other, which limits their
proliferation.
Webtapping
Logging the IP addresses of users that access certain websites is commonly called "webtapping".
Webtapping is used to monitor websites that presumably contain
dangerous or sensitive materials, and the people that access them.
Though it is allowed by the USA PATRIOT Act, it is considered a questionable practice by many citizens.
Telephones recording
In
Canada, anyone is legally allowed to record a conversation as long as
they are involved in the conversation. The police must apply for a
warrant beforehand to legally eavesdrop on the conversation. It must be
expected that it will reveal evidence to a crime. State agents are
lawfully allowed to record conversations, but to reveal the evidence in
court, they must obtain a warrant.
History
Many
state legislatures in the United States enacted statutes that prohibited
anyone from listening in on telegraph communication. Telephone
wiretapping began in the 1890s, following the invention of the telephone
recorder, and its constitutionality was established in the Prohibition-Era conviction of bootleggerRoy Olmstead. Wiretapping has also been carried out under most Presidents, sometimes with a lawful warrant since the Supreme Court ruled it constitutional in 1928. On October 19, 1963, U.S. Attorney General Robert F. Kennedy, who served under John F. Kennedy and Lyndon B. Johnson, authorized the FBI to begin wiretapping the communications of Rev. Martin Luther King Jr. The wiretaps remained in place until April 1965 at his home and June 1966 at his office.
The history of voice communication technology began in 1876 with the invention of Alexander Graham Bell’s telephone. In the 1890s, “law enforcement agencies begin tapping wires on early telephone networks”.
Remote voice communications “were carried almost exclusively by
circuit-switched systems,” where telephone switches would connect wires
to form a continuous circuit and disconnect the wires when the call
ended). All other telephone services, such as call forwarding and
message taking, were handled by human operators.
However, the first computerized telephone switch was developed by Bell
Labs in 1965. This got rid of standard wiretapping techniques.
In late 1940, the Nazis tried to secure some telephone lines between their forward headquarters in Paris and a variety of Fuhrerbunkers
in Germany. They did this by constantly monitoring the voltage on the
lines, looking for any sudden drops or increases in voltage indicating
that other wiring had been attached. However, the French telephone
engineer Robert Keller succeeded in attaching taps without alerting the
Nazis. This was done through an isolated rental property just outside of
Paris. Keller's group became known to SOE
(and later Allied military intelligence generally) as "Source K". They
were later betrayed by a mole within the French resistance, and Keller
was murdered in Bergen-Belsen in April 1945.
In the 1970s, optical fibers
become a medium for telecommunications. These fiber lines, “long, thin
strands of glass that carry signals via laser light,” are more secure
than radio and have become very cheap. From the 1990s to the present,
the majority of communications between fixed locations has been achieved
by fiber. Because these fiber communications are wired, they're given
greater protection under U.S. law.
The earliest wiretaps were extra wires—physically inserted to the
line between the switchboard and the subscriber—that carried the signal
to a pair of earphones and a recorder. Later on, wiretaps were
installed at the central office on the frames that held the incoming
wires.”
Before the attack on Pearl Harbor and the subsequent entry of the United States into World War II,
the U.S. House of Representatives held hearings on the legality of
wiretapping for national defense. Significant legislation and judicial
decisions on the legality and constitutionality of wiretapping had taken
place years before World War II.
However, it took on new urgency at that time of national crisis. The
actions of the government regarding wiretapping for the purpose of
national defense in the current war on terror have drawn considerable
attention and criticism. In the World War II era, the public was also
aware of the controversy over the question of the constitutionality and
legality of wiretapping. Furthermore, the public was concerned with the
decisions that the legislative and judicial branches of the government
were making regarding wiretapping.
In 1967 the U.S. Supreme Court ruled that wiretapping (or “intercepting communications”) requires a warrant in Katz v. United States. In 1968 Congress passed a law that provided warrants for wiretapping in criminal investigations.
In 1978 the Foreign Intelligence Surveillance Act (FISA) created a
"secret federal court" for issuing wiretap warrants in national security
cases. This was in response to findings from the Watergate break-in,
which allegedly uncovered a history of presidential operations that had
used surveillance on domestic and foreign political organizations.
The Federal Communications Commission (FCC) ruled in August 2005 that “broadband-service providers and interconnected VoIP
providers fall within CALEA’s scope. Currently, instant messaging, web
boards and site visits are not included in CALEA’s jurisdiction. In 2007 Congress amended FISA to “allow the government to monitor more communications without a warrant”. In 2008 President George W. Bush expanded the surveillance of internet traffic to and from the U.S. government by signing a national security directive.
In the Greek telephone tapping case 2004–2005 more than 100 mobile phone numbers belonging mostly to members of the Greek government, including the Prime Minister of Greece,
and top-ranking civil servants were found to have been illegally tapped
for a period of at least one year. The Greek government concluded this
had been done by a foreign intelligence agency, for security reasons
related to the 2004 Olympic Games, by unlawfully activating the lawful interception subsystem of the Vodafone Greece
mobile network. An Italian tapping case which surfaced in November 2007
revealed significant manipulation of the news at the national
television company RAI.
In 2008, Wired and other media reported a lamplighter
disclosed a "Quantico Circuit", a 45-megabit/second DS-3 line linking a
carrier's most sensitive network in an affidavit that was the basis for
a lawsuit against Verizon Wireless. The circuit provides direct access
to all content and all information concerning the origin and
termination of telephone calls placed on the Verizon Wireless network as
well as the actual content of calls, according to the filing.
The most recent case of U.S. wiretapping was the NSA warrantless surveillance controversy discovered in December 2005. It aroused much controversy after then President George W. Bush admitted to violating a specific federal statute (FISA) and the warrant requirement of the Fourth Amendment to the United States Constitution. The President claimed his authorization was consistent with other federal statutes (AUMF) and other provisions of the Constitution, also stating that it was necessary to keep America safe from terrorism and could lead to the capture of notorious terrorists responsible for the September 11 attacks in 2001.
One difference between foreign wiretapping and domestic
wiretapping is that, when operating in other countries, “American
intelligence services could not place wiretaps on phone lines as easily
as they could in the U.S.” Also, domestically, wiretapping is regarded
as an extreme investigative technique, whereas outside of the country,
the interception of communications is huge. The National Security
Agency (NSA) “spends billions of dollars every year intercepting foreign
communications from ground bases, ships, airplanes and satellites”.
FISA distinguishes between U.S. persons and foreigners, between
communications inside and outside the U.S., and between wired and
wireless communications. Wired communications within the United States
are protected, since intercepting them requires a warrant.
Historically, the GPL license family has been one of the most popular software licenses in the free and open-source software domain. Prominent free software programs licensed under the GPL include the Linux kernel and the GNU Compiler Collection (GCC). David A. Wheeler argues that the copyleft provided by the GPL was crucial to the success of Linux-based
systems, giving the programmers who contributed to the kernel the
assurance that their work would benefit the whole world and remain free,
rather than being exploited by software companies that would not have
to give anything back to the community.
In 2007, the third version of the license (GPLv3) was released to
address some perceived problems with the second version (GPLv2) which
were discovered during the latter's long-time usage.
To keep the license up to date, the GPL license includes an
optional "any later version" clause, allowing users to choose between
the original terms or the terms in new versions as updated by the FSF.
Software projects licensed with the optional "or later" clause include
the GNU Project, while the Linux kernel, for instance, is licensed under
GPLv2 only.
The "or any later version" clause is sometimes known as a
lifeboat clause since it allows combinations between different versions
of GPL licensed software to maintain compatibility.
History
The GPL was written by Richard Stallman
in 1989, for use with programs released as part of the GNU project. The
original GPL was based on a unification of similar licenses used for
early versions of GNU Emacs (1985), the GNU Debugger, and the GNU C Compiler.
These licenses contained similar provisions to the modern GPL, but were
specific to each program, rendering them incompatible, despite being
the same license.
Stallman's goal was to produce one license that could be used for any
project, thus making it possible for many projects to share code.
The second version of the license, version 2, was released in 1991. Over the following 15 years, members of the free software community
became concerned over problems in the GPLv2 license that could let
someone exploit GPL-licensed software in ways contrary to the license's
intent. These problems included tivoization
(the inclusion of GPL-licensed software in hardware that refuses to run
modified versions of its software), compatibility issues similar to
those of the Affero General Public License, and patent deals between Microsoft
and distributors of free and open-source software, which some viewed as
an attempt to use patents as a weapon against the free software
community.
Version 3 was developed to attempt to address these concerns and was officially released on 29 June 2007.
Version 1 of the GNU GPL, released on 25 February 1989,
prevented what were then the two main ways that software distributors
restricted the freedoms that define free software. The first problem was
that distributors may publish only binary files
that are executable, but not readable or modifiable by humans. To
prevent this, GPLv1 stated that copying and distributing copies of any
portion of the program must also make the human-readable source code
available under the same licensing terms.
The second problem was that distributors might add restrictions,
either to the license or by combining the software with other software
that had other restrictions on distribution. The union of two sets of
restrictions would apply to the combined work, thus adding unacceptable
restrictions. To prevent this, GPLv1 stated that modified versions, as a
whole, had to be distributed under the terms of GPLv1.
Therefore, software distributed under the terms of GPLv1 could be
combined with software under more permissive terms, as this would not
change the terms under which the whole could be distributed. However,
software distributed under GPLv1 could not be combined with software
distributed under a more restrictive license, as this would conflict
with the requirement that the whole be distributable under the terms of
GPLv1.
According to Richard Stallman, the major change in GPLv2 was the "Liberty or Death" clause, as he calls it – Section 7. The section says that licensees may distribute a GPL-covered work only
if they can satisfy all of the license's obligations, despite any other
legal obligations they might have. In other words, the obligations of
the license may not be severed due to conflicting obligations. This provision is intended to discourage any party from using a patent infringement claim or other litigation to impair users' freedom under the license.
By 1990, it was becoming apparent that a less restrictive license would be strategically useful for the C library and for software libraries that essentially did the job of existing proprietary ones;
when version 2 of the GPL (GPLv2) was released in June 1991, therefore,
a second license – the GNU Library General Public License – was
introduced at the same time and numbered with version 2 to show that
both were complementary. The version numbers diverged in 1999 when version 2.1 of the LGPL was released, which renamed it the GNU Lesser General Public License
to reflect its place in the philosophy. The GPLv2 was also modified to
refer to the new name of the LGPL, but its version number remained the
same, resulting in the original GPLv2 not being recognised by the
Software Package Data Exchange (SPDX).
The license includes instructions to specify "version 2 of the
License, or (at your option) any later version" to allow the flexible
optional use of either version 2 or 3, but some developers change this
to specify "version 2" only.
In late 2005, the Free Software Foundation
(FSF) announced work on version 3 of the GPL (GPLv3). On 16 January
2006, the first "discussion draft" of GPLv3 was published, and the
public consultation began. The public consultation was originally
planned for nine to fifteen months, but finally stretched to eighteen
months with four drafts being published. The official GPLv3 was released
by the FSF on 29 June 2007. GPLv3 was written by Richard Stallman, with
legal counsel from Eben Moglen and Richard Fontana from the Software Freedom Law Center.
According to Stallman, the most important changes were in relation to software patents, free software license compatibility, the definition of "source code", and hardware restrictions on software modifications, such as tivoization.
Other changes related to internationalization, how license violations
are handled, and how additional permissions could be granted by the
copyright holder. The concept of "software propagation", as a term for
the copying and duplication of software, was explicitly defined.
The public consultation process was coordinated by the Free
Software Foundation with assistance from Software Freedom Law Center, Free Software Foundation Europe, and other free software groups. Comments were collected from the public via the gplv3.fsf.org web portal, using purpose-written software called stet.
During the public consultation process, 962 comments were submitted for the first draft. By the end of the comment period, a total of 2,636 comments had been submitted.
The third draft was released on 28 March 2007. This draft included language intended to prevent patent-related agreements such as the controversial Microsoft-Novell patent agreement,
and restricted the anti-tivoization clauses to a legal definition of a
"user" and a "consumer product". It also explicitly removed the section
on "Geographical Limitations", whose probable removal had been announced
at the launch of the public consultation.
The fourth discussion draft, which was the last, was released on 31 May 2007. It introduced Apache License
version 2.0 compatibility (prior versions are incompatible), clarified
the role of outside contractors and made an exception to avoid the
perceived problems of a Microsoft–Novell style agreement, saying in
Section 11 paragraph 6 that:
You may not convey
a covered work if you are a party to an arrangement with a third party
that is in the business of distributing software, under which you make
payment to the third party based on the extent of your activity of
conveying the work, and under which the third party grants, to any of
the parties who would receive the covered work from you, a
discriminatory patent license...
This aimed to make future such deals ineffective. The license was
also meant to cause Microsoft to extend the patent licenses it granted
to Novell customers for the use of GPLv3 software to all users of that GPLv3 software; this was possible only if Microsoft was legally a "conveyor" of the GPLv3 software.
Early drafts of GPLv3 also let licensors add an Affero-like requirement that would have plugged the ASP loophole in the GPL. As there were concerns expressed about the administrative costs of
checking code for this additional requirement, it was decided to keep
the GPL and the Affero license separated.
Others, notably some high-profile Linux kernel developers such as Linus Torvalds, Greg Kroah-Hartman, and Andrew Morton, commented to the mass media and made public statements about their objections to parts of discussion drafts 1 and 2. The kernel developers referred to GPLv3 draft clauses regarding DRM/Tivoization, patents, and "additional restrictions", and warned of a Balkanisation of the "Open Source Universe". Linus Torvalds, who decided not to adopt the GPLv3 for the Linux kernel, reiterated his criticism several years later.
GPLv3 improved compatibility with several free software licenses
such as the Apache License, version 2.0, and the GNU Affero General
Public License, which GPLv2 could not be combined with.
However, GPLv3 software could only be combined and share code with
GPLv2 software if the GPLv2 license used had the optional "or later"
clause and the software was upgraded to GPLv3. While the "GPLv2 or any
later version" clause is considered by FSF as the most common form of
licensing GPLv2 software, Toybox developer Rob Landley described it as a lifeboat clause. Software projects licensed with the optional "or later" clause include the GNU Project, while a prominent example without the clause is the Linux kernel.
The final version of the license text was published on 29 June 2007.
Terms and conditions
The
terms and conditions of the GPL must be made available to anybody
receiving a copy of the work that has a GPL applied to it ("the
licensee"). Any licensee who adheres to the terms and conditions is
given permission to modify the work, as well as to copy and redistribute
the work or any derivative version. The licensee is allowed to charge a
fee for this service or do this free of charge. This latter point
distinguishes the GPL from software licenses that prohibit commercial
redistribution. The FSF argues that free software should not place
restrictions on commercial use, and the GPL explicitly states that GPL works may be sold at any price.
The GPL additionally states that a distributor may not impose
"further restrictions on the rights granted by the GPL". This forbids
activities such as distributing the software under a non-disclosure
agreement or contract.
The fourth section for version 2 of the license and the seventh
section of version 3 require that programs distributed as pre-compiled
binaries be accompanied by a copy of the source code, a written offer to
distribute the source code via the same mechanism as the pre-compiled
binary, or the written offer to obtain the source code that the user got
when they received the pre-compiled binary under the GPL. The second
section of version 2 and the fifth section of version 3 also require
giving "all recipients a copy of this License along with the Program".
Version 3 of the license allows making the source code available in
additional ways in fulfillment of the seventh section. These include
downloading source code from an adjacent network server or by
peer-to-peer transmission, provided that is how the compiled code was
available and there are "clear directions" on where to find the source
code.
The FSF does not hold the copyright for a work released under the GPL unless an author explicitly assigns copyrights
to the FSF (which seldom happens except for programs that are part of
the GNU project). Only the individual copyright holders have the
authority to sue when a license violation is suspected.
Use of licensed software
Software under the GPL may be run for all purposes, including commercial purposes and even as a tool for creating proprietary software, such as when using GPL-licensed compilers.
Users or companies who distribute GPL-licensed works (e.g. software),
may charge a fee for copies or give them free of charge. This
distinguishes the GPL from shareware
software licenses that allow copying for personal use but prohibit the
commercial distribution or proprietary licenses where copying is
prohibited by copyright law.
The FSF argues that freedom-respecting free software should also not
restrict commercial use and distribution (including redistribution).
In purely private (or internal) use—with no sales and no
distribution—the software code may be modified and parts reused without
requiring the source code to be released. For sales or distribution, the
entire source code needs to be made available to end users, including
any code changes and additions—in that case, copyleft is applied to
ensure that end users retain the freedoms defined above.
However, software running as an application program under a
GPL-licensed operating system such as Linux is not required to be
licensed under GPL or to be distributed with source-code
availability—the licensing depends only on the used libraries and
software components and not on the underlying platform. For example, if a program consists only of original source code, or is combined with source code from other software components,
then the custom software components need not be licensed under GPL and
need not make their source code available; even if the underlying
operating system used is licensed under the GPL, applications running on
it are not considered derivative works.
Only if GPLed parts are used in a program (and the program is
distributed), then all other source code of the program needs to be made
available under the same license terms. The GNU Lesser General Public License
(LGPL) was created to have a weaker copyleft than the GPL, in that it
does not require custom-developed source code (distinct from the LGPL'ed
parts) to be made available under the same license terms.
The fifth section of version 3 states that no GPL-licensed code
shall be considered an effective "technical protection measure" as
defined by Article 11 of the WIPO Copyright Treaty, and that those who convey the work waive all legal power to prohibit circumvention
of the technical protection measure "to the extent such circumvention
is effected by exercising rights under this License with respect to the
covered work". This means that users cannot be held liable for
circumventing DRM implemented using GPLv3-licensed code under laws such
as the U.S. Digital Millennium Copyright Act (DMCA).
The distribution rights granted by the GPL for modified versions of
the work are not unconditional. When someone distributes a GPL'ed work
plus their own modifications, the requirements for distributing the
whole work cannot be any greater than the requirements that are in the
GPL.
This requirement is known as copyleft. It earns its legal power from the use of copyright
on software programs. Because a GPL work is copyrighted, a licensee has
no right to redistribute it, not even in modified form (barring fair use),
except under the terms of the license. One is only required to adhere
to the terms of the GPL if one wishes to exercise rights normally
restricted by copyright law, such as redistribution. Conversely, if one
distributes copies of the work without abiding by the terms of the GPL
(for instance, by keeping the source code secret), they can be sued by the original author under copyright law.
Copyright law has historically been used to prevent distribution
of work by parties not authorized by the creator. Copyleft uses the same
copyright laws to accomplish a very different goal. It grants rights to
distribution to all parties insofar as they provide the same rights to
subsequent ones, and they to the next, etc. In this way the GPL and
other copyleft licenses attempt to enforce libre access to the work and all derivatives.
Many distributors of GPL'ed programs bundle the source code with the executables.
An alternative method of satisfying the copyleft is to provide a
written offer to provide the source code on a physical medium (such as a
CD) upon request. In practice, many GPL'ed programs are distributed
over the Internet, and the source code is made available over FTP or HTTP. For Internet distribution, this complies with the license.
Copyleft applies only when a person seeks to redistribute the
program. Developers may make private modified versions with no
obligation to divulge the modifications, as long as they do not
distribute the modified software to anyone else. Copyleft applies only
to the software, and not to its output (unless that output is itself a
derivative work of the program). For example, a public web portal running a modified derivative of a GPL'ed content management system
is not required to distribute its changes to the underlying software,
because the modified web portal is not being redistributed but rather
hosted, and also because the web portal output is also not a derivative
work of the GPL'ed content management system.
There has been debate on whether it is a violation of the GPL to release the source code in obfuscated
form, such as in cases in which the author is less willing to make the
source code available. The consensus was that while unethical, it was
not considered a violation. The issue was clarified when the license was
altered with v2 to require that the "preferred" version of the source
code be made available.
License versus contract
The GPL was designed as a license, rather than a contract. In some Common Law jurisdictions, the legal distinction between a license and a contract is an important one: contracts are enforceable by contract law, whereas licenses are enforced under copyright law.
However, this distinction is not useful in the many jurisdictions where
there are no differences between contracts and licenses, such as Civil Law systems.
Those who do not accept the GPL's terms and conditions do not
have permission, under copyright law, to copy or distribute GPL-licensed
software or derivative works. However, if they do not redistribute the
GPL'ed program, they may still use the software within their
organization however they like, and works (including programs)
constructed by the use of the program are not required to be covered by
this license.
Software developer Allison Randal
argued that the GPLv3 as a license is unnecessarily confusing for lay
readers, and could be simplified while retaining the same conditions and
legal force.
In April 2017, a US federal court ruled that an open-source license is an enforceable contract.
In October 2021 SFC sued Vizio over breach of contract as an end
user to request source code to Vizio's TVs, a federal judge has ruled in
the interim that the GPL is an enforceable contract by end users as
well as a license for copyright holders.
Derivations
The text of the GPL is itself copyrighted, and the copyright is held by the Free Software Foundation.
The FSF permits people to create new licenses based on the GPL,
as long as the derived licenses do not use the GPL preamble without
permission. This is discouraged, however, since such a license might be
incompatible with the GPL and causes a perceived license proliferation.
The text of the GPL is not itself under the GPL. The license's
copyright disallows modification of the license. Copying and
distributing the license is allowed since the GPL requires recipients to
get "a copy of this License along with the Program".
According to the GPL FAQ, anyone can make a new license using a
modified version of the GPL as long as they use a different name for the
license, do not mention "GNU", and remove the preamble, though the
preamble can be used in a modified license if permission to use it is
obtained from the Free Software Foundation (FSF).
Linking and derived works
Libraries
According
to the FSF, "The GPL does not require you to release your modified
version or any part of it. You are free to make modifications and use
them privately, without ever releasing them."
However, if one releases a GPL-licensed entity to the public, there is
an issue regarding linking: namely, whether a proprietary program that
uses a GPL library is in violation of the GPL.
This key dispute is whether non-GPL software can legally statically link or dynamically link to GPL libraries. Different opinions exist on this issue. The GPL is clear in requiring that all derivative works
of code under the GPL must themselves be under the GPL. Ambiguity
arises with regards to using GPL libraries, and bundling GPL software
into a larger package (perhaps mixed into a binary via static linking).
This is ultimately a question not of the GPL per se, but of how copyright law defines derivative works. The following points of view exist:
Point of view: dynamic and static linking violate GPL
The
Free Software Foundation (which holds the copyright of several notable
GPL-licensed software products and of the license text itself) asserts
that an executable that uses a dynamically linked library is indeed a
derivative work. This does not, however, apply to separate programs
communicating with one another.
The Free Software Foundation also created the LGPL,
which is nearly identical to the GPL, but with additional permissions
to allow linking for the purposes of "using the library".
Richard Stallman and the FSF specifically encourage library
writers to license under the GPL so that proprietary programs cannot use
the libraries, in an effort to protect the free-software world by
giving it more tools than the proprietary world.
Point of view: static linking violates GPL but unclear as of dynamic linking
Some people believe that while static linking
produces derivative works, it is not clear whether an executable that
dynamically links to a GPL code should be considered a derivative work
(see weak copyleft). Linux author Linus Torvalds agrees that dynamic linking can create derived works but disagrees over the circumstances.
A Novell
lawyer has written that dynamic linking not being derivative "makes
sense" but is not "clear-cut", and that evidence for good-intentioned
dynamic linking can be seen by the existence of proprietary Linux kernel
drivers.
In Galoob v. Nintendo, the United States Ninth Circuit Court of Appeals defined a derivative work as having "'form' or permanence" and noted that "the infringing work must incorporate a portion of the copyrighted work in some form", but there have been no clear court decisions to resolve this particular conflict.
Point of view: linking is irrelevant
According to an article in the Linux Journal, Lawrence Rosen (a one-time Open Source Initiative general counsel) argues that the method of linking is mostly irrelevant to the question about whether a piece of software is a derivative work; more important is the question about whether the software was intended to interface with client software and/or libraries.
He states, "The primary indication of whether a new program is a
derivative work is whether the source code of the original program was
used [in a copy-paste sense], modified, translated or otherwise changed
in any way to create the new program. If not, then I would argue that it
is not a derivative work," and lists numerous other points regarding intent, bundling, and linkage mechanism.
He further argues on his firm's website that such "market-based" factors are more important than the linking technique.
There is also the specific issue of whether a plugin or module (such as the NVidia or ATIgraphics cardkernel modules)
must also be GPL, if it could reasonably be considered its own work.
This point of view suggests that reasonably separate plugins, or plugins
for software designed to use plugins, could be licensed under an
arbitrary license if the work is GPLv2. Of particular interest is the
GPLv2 paragraph:
You may modify your copy or copies of the Program or any portion of
it, thus forming a work based on the Program, and copy and distribute
such modifications or work under the terms of Section 1 above, provided
that you also meet all of these conditions:...
b) You must cause any work that you distribute or publish, that
in whole or in part contains or is derived from the Program or any part
thereof, to be licensed as a whole at no charge to all third parties
under the terms of this License.... These
requirements apply to the modified work as a whole. If identifiable
sections of that work are not derived from the Program and can be
reasonably considered independent and separate works in themselves, then
this License, and its terms, do not apply to those sections when you
distribute them as separate works. But when you distribute the same
sections as part of a whole which is a work based on the Program, the
distribution of the whole must be on the terms of this License, whose
permissions for other licensees extend to the entire whole, and thus to
each and every part regardless of who wrote it.
The GPLv3 has a different clause:
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the terms
of Section 4, provided that you also meet all of these conditions:...
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This License will
therefore apply, along with any applicable Section 7 additional terms,
to the whole of the work, and all its parts, regardless of how they are
packaged. This License gives no permission to license the work in any
other way, but it does not invalidate such permission if you have
separately received it.... A compilation of
a covered work with other separate and independent works, which are not
by their nature extensions of the covered work, and which are not
combined with it such as to form a larger program, in or on a volume of a
storage or distribution medium, is called an "aggregate" if the
compilation and its resulting copyright are not used to limit the access
or legal rights of the compilation's users beyond what the individual
works permit. Inclusion of a covered work in an aggregate does not cause
this License to apply to the other parts of the aggregate.
As a case study, some supposedly proprietary plugins and themes/skins for GPLv2 CMS software such as Drupal and WordPress have come under fire, with both sides of the argument taken.
The FSF differentiates on how the plugin is being invoked. If the
plugin is invoked through dynamic linkage and it performs function
calls to the GPL program then it is most likely a derivative work.
Communicating and bundling with non-GPL programs
The
mere act of communicating with other programs does not, by itself,
require all software to be GPL; nor does distributing GPL software with
non-GPL software. However, minor conditions must be followed that
ensures the rights of GPL software are not restricted. The following is a
quote from the gnu.org GPL FAQ, which describes to what extent software is allowed to communicate with and be bundled with GPL programs:
What is the difference between an "aggregate" and other kinds of "modified versions"?
An "aggregate" consists of a number of separate programs,
distributed together on the same CD-ROM or other media. The GPL permits
you to create and distribute an aggregate, even when the licenses of the
other software are non-free or GPL-incompatible. The only condition is
that you cannot release the aggregate under a license that prohibits
users from exercising rights that each program's individual license
would grant them.
Where's the line between two separate programs, and one program
with two parts? This is a legal question, which ultimately judges will
decide. We believe that a proper criterion depends both on the mechanism
of communication (exec, pipes, rpc, function calls within a shared
address space, etc.) and the semantics of the communication (what kinds
of information are interchanged).
If the modules are included in the same executable file, they are
definitely combined in one program. If modules are designed to run
linked together in a shared address space, that almost surely means
combining them into one program.
By contrast, pipes, sockets, and command-line arguments are
communication mechanisms normally used between two separate programs. So
when they are used for communication, the modules normally are separate
programs. But if the semantics of the communication are intimate
enough, exchanging complex internal data structures, that too could be a
basis to consider the two parts as combined into a larger program.
The FSF thus draws the line between "library" and "other program" via
1) "complexity" and "intimacy" of information exchange and 2) mechanism
(rather than semantics), but resigns that the question is not clear-cut
and that in complex situations, case law will decide.
The first known violation of the GPL was in 1989, when NeXT extended the GCC compiler to support Objective-C, but did not publicly release the changes. After an inquiry they created a public patch. There was no lawsuit filed for this violation.
In 2002, MySQL AB sued Progress NuSphere for copyright and trademark infringement in United States district court.
NuSphere had allegedly violated MySQL's copyright by linking MySQL's
GPL'ed code with NuSphere Gemini table without complying with the
license. After a preliminary hearing before Judge Patti Saris on 27
February 2002, the parties entered settlement talks and eventually
settled.
After the hearing, FSF commented that "Judge Saris made clear that she
sees the GNU GPL to be an enforceable and binding license."
In August 2003, the SCO Group
stated that they believed the GPL to have no legal validity and that
they intended to pursue lawsuits over sections of code supposedly copied
from SCO Unix into the Linux kernel. This was a problematic stand for them, as they had distributed Linux and other GPL'ed code in their Caldera OpenLinux distribution, and there is little evidence that they had any legal right to do so except under the terms of the GPL.
In February 2018, after federal circuit court judgement, appeal, and
the case being (partially) remanded to the circuit court, the parties
restated their remaining claims and provided a plan to move toward final
judgement. The remaining claims revolved around Project Monterey, and were finally settled in November 2021 by IBM paying $14.25 million to the TSG (previously SCO) bankruptcy trustee.
In April 2004, the netfilter/iptables project was granted a preliminary injunction against Sitecom Germany by Munich
District Court after Sitecom refused to desist from distributing
Netfilter's GPL'ed software in violation of the terms of the GPL. Harald Welte, of Netfilter, was represented by ifrOSS co-founder Till Jaeger. In July 2004, the German court confirmed this injunction as a final ruling against Sitecom. The court's justification was that:
Defendant has infringed on the copyright of plaintiff by
offering the software 'netfilter/iptables' for download and by
advertising its distribution, without adhering to the license conditions
of the GPL. Said actions would only be permissible if the defendant had
a license grant.... This is independent of
the questions whether the licensing conditions of the GPL have been
effectively agreed upon between plaintiff and defendant or not. If the
GPL were not agreed upon by the parties, defendant would notwithstanding
lack the necessary rights to copy, distribute, and make the software
'netfilter/iptables' publicly available.
This exactly mirrored the predictions given previously by the FSF's
Eben Moglen. This ruling was important because it was the first time
that a court had confirmed that violating terms of the GPL could be a
copyright violation and established jurisprudence as to the
enforceability of the GPLv2 under German law.
In May 2005, Daniel Wallace filed suit against the Free Software Foundation in the Southern District of Indiana,
contending that the GPL is an illegal attempt to fix prices (at zero).
The suit was dismissed in March 2006, on the grounds that Wallace had
failed to state a valid antitrust claim; the court noted that "the GPL
encourages, rather than discourages, free competition and the
distribution of computer operating systems, the benefits of which
directly pass to consumers". Wallace was denied the possibility of further amending his complaint, and was ordered to pay the FSF's legal expenses.
On 8 September 2005, the Seoul Central District Court ruled that the GPL was not material to a case dealing with trade secrets derived from GPL-licensed work.
Defendants argued that since it is impossible to maintain trade secrets
while being compliant with GPL and distributing the work, they are not
in breach of trade secrets. This argument was considered without ground.
On 6 September 2006, the gpl-violations.org project prevailed in court litigation against D-Link Germany GmbH regarding D-Link's copyright-infringing use of parts of the Linux kernel in storage devices they distributed. The judgment stated that the GPL is valid, legally binding, and stands in German court.
In late 2007, the BusyBox developers and the Software Freedom Law Center embarked upon a program to gain GPL compliance from distributors of BusyBox in embedded systems,
suing those who would not comply. These were claimed to be the first US
uses of courts for enforcement of GPL obligations. (See BusyBox GPL lawsuits.)
After six years of repeated complaints to Cisco
by the FSF, claims by Cisco that they would correct, or were
correcting, their compliance problems (not providing complete copies of
all source code and their modifications), of repeated new violations
being discovered and reported with more products, and lack of action by
Linksys (a process described on the FSF blog as a "five-years-running
game of Whack-a-Mole") the FSF took them to court.
Cisco settled the case six months later by agreeing "to appoint a
Free Software Director for Linksys" to ensure compliance, "to notify
previous recipients of Linksys products containing FSF programs of their
rights under the GPL," to make source code of FSF programs freely
available on its website, and to make a monetary contribution to the
FSF.
In 2011, it was noticed that GNU Emacs had been accidentally
releasing some binaries without corresponding source code for two years,
in opposition to the intended spirit of the GPL, resulting in a copyright violation. Richard Stallman described this incident as a "very bad mistake",
which was promptly fixed. The FSF did not sue any downstream
redistributors who also unknowingly violated the GPL by distributing
these binaries.
In 2017 Artifex, the maker of Ghostscript, sued Hancom,
the maker of an office suite which included Ghostscript. Artifex offers
two licenses for Ghostscript; one is the Affero GPL License and the
other is a commercial license. Hancom did not acquire a commercial
license from Artifex nor did it release its office suite as free
software. Artifex sued Hancom in US District Court and made two claims.
First, Hancom's use of Ghostscript was a violation of copyright; and
second, Hancom's use of Ghostscript was a license violation. Judge Jacqueline Scott Corley found the GPL license was an enforceable contract and Hancom was in breach of contract.
On 20 July 2021, the developers of the open-source Stockfish chess engine sued ChessBase, the creator of chess software, for violating the GPLv3 license.
It was claimed that Chessbase had made only slight modifications to the
Stockfish code and sold the new engines (Fat Fritz 2 and Houdini 6) to
their customers.
Additionally, Fat Fritz 2 was marketed as if it was an innovative
engine. ChessBase had infringed on the license by not distributing these
products as Free Software in accordance with the GPL.
A year later on 7 November 2022, both parties reached an
agreement and ended the dispute. In the near future ChessBase will no
longer sell products containing Stockfish code, while informing their
customers of this fact with an appropriate notice on their web pages.
However, one year later, Chessbase's license would be reinstated.
Stockfish did not seek damages or financial compensation.
Compatibility and multi-licensing
Code licensed under several other licenses can be combined with a
program under the GPL without conflict, as long as the combination of
restrictions on the work as a whole does not put any additional
restrictions beyond what GPL allows. In addition to the regular terms of the GPL, there are additional restrictions and permissions one can apply:
If a user wants to combine code licensed under different
versions of GPL, then this is only allowed if the code with the earlier
GPL version includes an "or any later version" statement. For instance, the GPLv3-licensed GNU LibreDWG library cannot be used anymore by LibreCAD and FreeCAD who have GPLv2-only dependencies.
Code licensed under LGPL is permitted to be linked with any other code no matter what license that code has,
though the LGPL does add additional requirements for the combined work.
LGPLv3 and GPLv2-only can thus commonly not be linked, as the combined
Code work would add additional LGPLv3 requirements on top of the
GPLv2-only licensed software. Code licensed under LGPLv2.x without the
"any later version" statement can be relicensed if the whole combined work is licensed to GPLv2 or GPLv3.
FSF maintains a list of GPL-compatible free software licenses containing many of the most common free software licenses, such as the original MIT/X license, the BSD license (in its current 3-clause form), and the Artistic License 2.0.
Starting from GPLv3, it is unilaterally compatible for materials (like text and other media) under Creative Commons Attribution-ShareAlike 4.0 International License
to be remixed into the GPL-licensed materials (prominently software),
not vice versa, for niche use cases like game engine (GPL) with game
scripts (CC BY-SA).
David A. Wheeler has advocated that free/open source software
developers use only GPL-compatible licenses, because doing otherwise
makes it difficult for others to participate and contribute code. As a specific example of license incompatibility, Sun Microsystems' ZFS cannot be included in the GPL-licensed Linux kernel, because it is licensed under the GPL-incompatible Common Development and Distribution License.
Furthermore, ZFS is protected by patents, so distributing an
independently developed GPL-ed implementation would still require
Oracle's permission.
It
is possible to use the GPL for text documents instead of computer
programs, or more generally for all kinds of media, if it is clear what
constitutes the source code (defined as "the preferred form of the work
for making changes in it"). For manuals and textbooks, though, the FSF recommends the GNU Free Documentation License (GFDL) instead, which it created for this purpose. Nevertheless, the Debian
developers recommended (in a resolution adopted in 2006) to license
documentation for their project under the GPL, because of the
incompatibility of the GFDL with the GPL (text licensed under the GFDL
cannot be incorporated into GPL software). Also, the FLOSS Manuals
foundation, an organization devoted to creating manuals for free
software, decided to eschew the GFDL in favor of the GPL for its texts
in 2007.
If the GPL is used for computer fonts,
any documents or images made with such fonts might also have to be
distributed under the terms of the GPL. This is not the case in
countries that recognize typefaces (the appearance of fonts) as being a useful article and thus not eligible for copyright, but font files as copyrighted computer software
(which can complicate font embedding, since the document could be
considered 'linked' to the font; in other words, embedding a vector font
in a document could force it to be released under the GPL, but a
rasterized rendering of the font would not be subject to the GPL). The
FSF provides an exception for cases where this is not desired.
Adoption
Historically, the GPL license family has been one of the most popular software licenses in the FOSS domain.
A 1997 survey of MetaLab, then the largest free software archive, showed that the GPL accounted for about half of the software licensed therein. Similarly, a 2000 survey of Red Hat Linux 7.1 found that 53% of the source code was licensed under the GPL. As of 2003, about 68% of all projects and 82.1% of the open source industry certified licensed projects listed on SourceForge.net were from the GPL license family. As of August 2008, the GPL family accounted for 70.9% of the 44,927 free software projects listed on Freecode.
After the release of the GPLv3 in June 2007, adoption of this new GPL version was much discussed and some projects decided against upgrading. For instance the Linux kernel, MySQL, BusyBox, AdvFS, Blender, VLC media player, and MediaWiki decided against adopting GPLv3.
On the other hand, in 2009, two years after the release of GPLv3, Google
open-source programs office manager Chris DiBona reported that the
number of open-source project licensed software that had moved from
GPLv2 to GPLv3 was 50%, counting the projects hosted at Google Code.
In 2011, four years after the release of the GPLv3, 6.5% of all
open-source license projects are GPLv3 while 42.5% are GPLv2 according
to Black Duck Software data. Following in 2011 451 Group
analyst Matthew Aslett argued in a blog post that copyleft licenses
went into decline and permissive licenses increased, based on statistics
from Black Duck Software. Similarly, in February 2012 Jon Buys reported that among the top 50 projects on GitHub five projects were under a GPL license, including dual licensed and AGPL projects.
GPL usage statistics from 2009 to 2013 was extracted from Freecode data by Walter van Holst while analyzing license proliferation.
In August 2013, according to Black Duck Software, the website's data
shows that the GPL license family is used by 54% of open-source
projects, with a breakdown of the individual licenses shown in the
following table.
However, a later study in 2013 showed that software licensed under the
GPL license family has increased, and that even the data from Black Duck
Software has shown a total increase of software projects licensed under
GPL. The study used public information gathered from repositories of
the Debian Project, and the study criticized Black Duck Software for not publishing their methodology used in collecting statistics. Daniel German, Professor in the Department of Computer Science at the University of Victoria
in Canada, presented a talk in 2013 about the methodological challenges
in determining which are the most widely used free software licenses,
and showed how he could not replicate the result from Black Duck
Software.
In 2015, according to Black Duck, GPLv2 lost its first position to the MIT license and is now second, the GPLv3 dropped to fourth place while the Apache license kept its third position.
Usage of GPL family licenses in the FOSS domain in % according to Black Duck Software
License
2008-05-08
2009-03-11
2011-11-22
2013-08-12
2015-11-19
2016-06-06
2017-01-02
2018-06-04
GPLv2
58.69%
52.2%
42.5%
33%
23%
21%
19%
14%
GPLv3
1.64%
4.15%
6.5%
12%
9%
9%
8%
6%
LGPLv2.1
11.39%
9.84%
?
6%
5%
4%
4%
3%
LGPLv3
? (<0.64%)
0.37%
?
3%
2%
2%
2%
1%
GPL family together
71.72% (+ <0.64%)
66.56%
?
54%
39%
36%
33%
24%
A March 2015 analysis of the GitHub repositories revealed, for the GPL license family, a usage percentage of approximately 25% among licensed projects. In June 2016, an analysis of Fedora Project's
packages revealed the GNU GPLv2 or later as the most popular license,
and the GNU GPL family as the most popular license family (followed by
the MIT, BSD, and GNU LGPL families).
An analysis of whitesourcesoftware.com in April 2018 of the FOSS
ecosystem saw the GPLv3 on third place (18%) and the GPLv2 on fourth
place (11%), after MIT license (26%) and Apache 2.0 license (21%).
Reception
Legal barrier to application stores
The GPL is incompatible with many application digital distribution systems, like the Mac App Store,
and certain other software distribution platforms (on smartphones as
well as PCs). The problem lies in the right "to make a copy for your
neighbour", as this right is violated by digital rights management
systems embedded within the platform to prevent copying of paid
software. Even if the application is free in the application store in
question, it might result in a violation of that application store's
terms.
There is a distinction between an app store, which sells DRM-restricted software under proprietary licenses, and the more general concept of digital distribution via some form of online software repository. Virtually all modern Unix systems and Linux distributions have application repositories, including NetBSD, FreeBSD, Ubuntu, Fedora, and Debian. These specific application repositories
all contain GPL-licensed software apps, in some cases even when the
core project does not permit GPL-licensed code in the base system (for
instance OpenBSD). In other cases, such as the Ubuntu App Store, proprietary commercial software applications and
GPL-licensed applications are both available via the same system; the
reason that the Mac App Store (and similar projects) is incompatible
with GPL-licensed apps is not inherent in the concept of an app store,
but is rather specifically due to Apple's terms-of-use requirement
that all apps in the store utilize Apple DRM restrictions. Ubuntu's app
store does not demand any such requirement: "These terms do not limit
or restrict your rights under any applicable open source software
licenses."
In 2001, Microsoft CEO Steve Ballmer referred to Linux as "a cancer that attaches itself in an intellectual property sense to everything it touches".
In response to Microsoft's attacks on the GPL, several prominent Free
Software developers and advocates released a joint statement supporting
the license. Microsoft has released Microsoft Windows Services for UNIX,
which contains GPL-licensed code. In July 2009, Microsoft itself
released a body of around 20,000 lines of Linux driver code under the
GPL. The Hyper-V
code that is part of the submitted code used open-source components
licensed under the GPL and was originally statically linked to
proprietary binary parts, the latter being inadmissible in GPL-licensed
software.
"Viral" nature
The description of the GPL as "viral", when called 'General Public Virus' or 'GNU Public Virus' (GPV), dates back to a year after the GPLv1 was released.
In 2001, the term received broader public attention when Craig Mundie, Microsoft Senior Vice President, described the GPL as being "viral".
Mundie argues that the GPL has a "viral" effect in that it only allows
the conveyance of whole programs, which means programs that link to GPL libraries must themselves be under a GPL-compatible license, else they cannot be combined and distributed.
In 2006, Richard Stallman responded in an interview that Mundie's
metaphor of a "virus" is wrong as software under the GPL does not
"attack" or "infect" other software. Accordingly, Stallman believes that
comparing the GPL to a virus is inappropriate, and that a better
metaphor for software under the GPL would be a spider plant: if one takes a piece of it and puts it somewhere else, it grows there too.
On the other hand, the concept of a viral nature of the GPL was taken up by others later too.For instance, a 2008 article stated: "The GPL license is 'viral,'
meaning any derivative work you create containing even the smallest
portion of the previously GPL licensed software must also be licensed
under the GPL license."
The FreeBSD project has stated that "a less publicized and unintended
use of the GPL is that it is very favorable to large companies that
want to undercut software companies. In other words, the GPL is well
suited for use as a marketing weapon, potentially reducing overall
economic benefit and contributing to monopolistic behavior" and that the
GPL can "present a real problem for those wishing to commercialize and
profit from software."
Richard Stallman wrote about the practice of selling license
exceptions to free software licenses as an example of ethically
acceptable commercialization practice. Selling exceptions here means
that the copyright holder of a given software releases it (along with
the corresponding source code) to the public under a free software
license, "then lets customers pay for permission to use the same code
under different terms, for instance allowing its inclusion in
proprietary applications". Stallman considered selling exceptions
"acceptable since the 1990s, and on occasion I've suggested it to
companies. Sometimes this approach has made it possible for important
programs to become free software". Although the FSF does not practice
selling exceptions, a comparison with the X11 license (which is a
non-copyleft free software license) is proposed for suggesting that this
commercialization technique should be regarded as ethically acceptable.
Releasing a given program under a non-copyleft free software license
would permit embedding the code in proprietary software. Stallman
comments that "either we have to conclude that it's wrong to release
anything under the X11 license—a conclusion I find unacceptably
extreme—or reject this implication. Using a non-copyleft license is
weak, and usually an inferior choice, but it's not wrong. In other
words, selling exceptions permits some embedding in proprietary
software, and the X11 license permits even more embedding. If this
doesn't make the X11 license unacceptable, it doesn't make selling
exceptions unacceptable".
Open-source criticism
In 2000, developer and author Nikolai Bezroukov
published an analysis and comprehensive critique of GPL's foundations
and Stallman's software development model, called "Labyrinth of Software
Freedom".
Version 2 of the WTFPL (Do What The Fuck You Want To Public License) was created by Debian project leader Sam Hocevar in 2004 as a parody of the GPL.
In 2005, open source software advocate Eric S. Raymond
questioned the relevance of GPL then for the FOSS ecosystem, stating:
"We don't need the GPL anymore. It's based on the belief that open
source software is weak and needs to be protected. Open source would be
succeeding faster if the GPL didn't make lots of people nervous about
adopting it."
Richard Stallman replied: "GPL is designed to ... ensure that every
user of a program gets the essential freedoms—to run it, to study and
change the source code, to redistribute copies, and to publish modified
versions... [Raymond] addresses the issue
in terms of different goals and values—those of 'open source,' which do
not include defending software users' freedom to share and change
software."
In 2007, Allison Randal, who took part in the GPL draft committee, criticized the GPLv3 for being incompatible with the GPLv2 and for missing clarity in the formulation. Similarly, Whurley
prophesied in 2007 the downfall of the GPL due to the lack of focus for
the developers with GPLv3 which would drive them towards permissive
licenses.
In 2009, David Chisnall described in an InformIT article, "The Failure of the GPL", the problems with the GPL, among them incompatibility and complexity of the license text.
Already
in September 2006, in the draft process of the GPLv3, several
high-profile developers of the Linux kernel, for instance Linus
Torvalds, Greg Kroah-Hartman, and Andrew Morton, warned on a splitting of the FOSS community: "the release of GPLv3 portends the Balkanisation of the entire Open Source Universe upon which we rely."
Similarly Benjamin Mako Hill argued in 2006 on the GPLv3 draft, noting that a united, collaborating community is more important than a single license.
Following the GPLv3 release in 2007, some journalists and Toybox developer Rob Landley criticized that with the introduction of the GPLv3 the split between
the open source and free software community became wider than ever. As
the significantly extended GPLv3 is essentially incompatible with the
GPLv2,
compatibility between both is only given under the optional "or later"
clause of the GPL, which was not taken for instance by the Linux kernel.
Bruce Byfield noted that before the release of the GPLv3, the GPLv2 was
a unifying element between the open-source and the free software
community.
For the LGPLv3, GNU TLS
maintainer Nikos Mavrogiannopoulos similarly argued, "If we assume that
its [the LGPLv3] primary goal is to be used by free software, then it
blatantly fails that", after he re-licensed GNU TLS from LGPLv3 back to LGPLv2.1 due to license compatibility issues.
Lawrence Rosen,
attorney and computer specialist, praised in 2007 how the community
using the Apache license was now able to work together with the GPL
community in a compatible manner, as the problems of GPLv2 compatibility
with Apache licensed software were resolved with the GPLv3. He said, "I
predict that one of the biggest success stories of GPLv3 will be the
realization that the entire universe of free and open-source software
can thus be combined into comprehensive open source solutions for
customers worldwide."
In July 2013, Flask developer Armin Ronacher
draws a less optimistic conclusion on the GPL compatibility in the FOSS
ecosystem: "When the GPL is involved the complexities of licensing
becomes a non fun version of a riddle", also noting that the conflict
between Apache License 2.0 and GPLv2 still has impact on the ecosystem.