GPLv3

Comment 1125: internationally dangerous

By making a reference to local law about privacy, you are making the application of the GPLv3 internationally uncertain. Indeed, making a reference to privacy law makes the GPLv3 step outside of the frame of the Berne Convention on author rights.

Therefore the "illegally invade users'privacy" wording should be avoided.

I think a clear definition of DRM is: - a mode of distribution - that grants some of the rights present in the license while deliberately forbidding others

This is more or less what the second part of your sentence says.

Comment 236: Privacy is outside the scope of the 4 freedoms

Frankly, this clause seems off-topic. Why not, for instance, deny distribution to covered works that are components of weapons of mass destruction? The whole issue of what constitutes privacy is something of an open issue these days, when everybody submits their corporate shopping ID at the grocery store checkout counter and thinks nothing of having their most everyday habits and activities tracked, profiled, and distributed to anyone willing to pay for them.

Comment 251: Open Source Definition - 6 6. No Discrimination Against Fields of Endeavor

I admit I'm somewhat clueless about the specifics of privacy laws (both in the UK or elseware). This seems to imply that you may not distrabute spyware or DRM monitoring systems under the GPL, or by inference modify existing GPL code to become spyware / DRM monitoring apps and then distrabute that. I'm not pro-spyware, would this clause make GPLv3 incompatable with the 6th clause of the open source definition: 6. No Discrimination Against Fields of Endeavor The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research. In the Sony DRM case, one of the features of their CD player software is that it would look to see which CD was playing then make a HTTP request to a Sony server to lookup extra album information, the HTTP requests are then logged by the webserver along with IP address and the privacy implications there (How much consent and/or knowledge is needed from the end user of the feature before its becomes legal/illegal).

Now Assume that I add a feature (maybe it already exists) to GPLv3 XMMS to do a lookup on www.freedb.org based on the currently playing MP3 or OGG. Does this raise privacy implications, I guess not as many. So where is the source of the problem here, is it that the media player software performs automattic HTTP requests based on its other activities, is it at the webserver end because it performs logging, is it because one company controls both the end user software and the webserver performing the logging, or is it simply a matter of trust, we trust the people running www.freedb.org far more than we trust the people at Sony. Assuming everything is running GPLv3 code, and that with everything combined it is considered illegal, on which piece of software would this clause kick in on and prevent redistrabution. The term user is not defined specifically, it could mean the person running the code, or making use of the code (as in a remote user accessing a webserver) - or potentually mean other computer users affected in some way by the code. Take a program like nmap, which does port scanning, is this an illegal invasion of privacy, what if you are running it against military or sensitive computers? Who is the user in this case, is it me because I'm running the code on my computer, or my target who is being scanned (what if the RIAA where to run nmap on every IP to visit www.grokster.com).

Now some tools can be used in many different ways, a combination of an ssh client, a bash loop, a dictionary file and rsync could be used in ways that are very easily invade privacy (and all other data files) on a users machine, though individually and in combination are also very ligitimate tools.

Then you have an intresting possible (though rather insignificant) perversion of the GPLv3. One day Gator Corp (of spyware fame) decides to release all its products under the GPLv3. As copyright holder it can give as many copies as it likes away, but when anybody starts copying the code themselves, they are sued by Gator for violation of section 3 of the GPLv3, "thou shall use use GPLed spyware". I'm pretty sure such a case would be dismissed on the basis of unclean hands, but it only takes one SCO to tie up the court for years. Another potentual issue is with privacy related bugs. I create a app v0.1 which I later find has a fairly serious privacy flaw. I correct this in v0.2, but does this now mean that others can no longer distrabute v0.1 of my code.

Everybody is asying that this clkause is stupid. If it is illegal, then the licence does not need to say it.

RMS: This better not be in draft 2!

Comment 257: Redundant statement

The draft already clearly indicates in other places that this license does not allow for illegal activities.

Maybe I'm missing something, but, in general (not just regarding this section), what possible business does the GNU GPL have in restricting people's ability to break laws or punishing people for doing so?

If the law in question is in force in their jurisdiction, the courts (not us) should metre out the appropriate punishment, and, if it isn't in force in their jurisdiction, it is usually unfair for them to be punished for breaking it.

Comment 614: Purpose of this text?

Can anyone involved in the drafting process shed some light on the intention of this language?

Was it about moderating the effect of the following paragraph? In that case, does my suggestion of limiting that following paragraph to "legally published" data or works help?

Or was it about trying to stop rootkits, spyware and other creepy crawlies included as part of DRM systems? If that was the case, as others have noted, it shouldn't be limited to "illegal" invasion of privacy. Perhaps some expanded and clarified language (a whole paragraph?) could better achieve such an objective?

1) GPL is about distribution. It should not rule what programs can do.

2) Privacy is a term that depends on the law. In some countries privacy may not be a right at all. This makes the clause almost useless.

The subject text is totally redundant and will only cause confusions. What the SONY rootkit did was almost certainly illegal, but there's no point in having a license forbidding something which is illegal by law. And there is no way you can decide from the source code alone whether is it going to be used illegaly. This text is probably the most obvious candidate for deletion from the draft.

Comment 697: A hammer with a notice stating "you cannot use me to break people's heads"

Does this mean that I cannot modify a "licensed program" in order to implement some illegal privacy-invading feature and distribute the resulting work? This is an unacceptable restriction on the functionality of modified versions and discriminates against possible uses of the work. I'm definitely *against* privacy invasions, but this should not belong in a copyright license. If the privacy invasion is indeed illegal, there are already laws to forbid that behavior. The license should *not* say that you cannot distribute a modified program that performs illegal operations. I suggest dropping this restrictions, especially in light of http://www.gnu.org/licenses/hessla.html

I agree. GPL is hurting secirity research and freedom of speech here. If I want to demonstrate how software could be used to invade privacy, I should be allowed to create an exploit and possibly distribute it via mailing lists. I don't want to be prosecuted for copyright violation when reporting privacy-related security holes.

Comment 234: No permission for illegal acts?

Why would a license declare that no permission is given to commit illegal acts?

No it declares that DISTRIBUTION of works that commit illegal acts is disallowed. As such it is this part of the license-text that makes distribution of such works illegal as well.

Anyway, many invasions of privacy are LEGAL. BUT, what is the legal definition of "invasion of privacy"? -- this is a more serious issue.

Comment 251: Open Source Definition - 6 6. No Discrimination Against Fields of Endeavor

I admit I'm somewhat clueless about the specifics of privacy laws (both in the UK or elseware). This seems to imply that you may not distrabute spyware or DRM monitoring systems under the GPL, or by inference modify existing GPL code to become spyware / DRM monitoring apps and then distrabute that. I'm not pro-spyware, would this clause make GPLv3 incompatable with the 6th clause of the open source definition: 6. No Discrimination Against Fields of Endeavor The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research. In the Sony DRM case, one of the features of their CD player software is that it would look to see which CD was playing then make a HTTP request to a Sony server to lookup extra album information, the HTTP requests are then logged by the webserver along with IP address and the privacy implications there (How much consent and/or knowledge is needed from the end user of the feature before its becomes legal/illegal).

Now Assume that I add a feature (maybe it already exists) to GPLv3 XMMS to do a lookup on www.freedb.org based on the currently playing MP3 or OGG. Does this raise privacy implications, I guess not as many. So where is the source of the problem here, is it that the media player software performs automattic HTTP requests based on its other activities, is it at the webserver end because it performs logging, is it because one company controls both the end user software and the webserver performing the logging, or is it simply a matter of trust, we trust the people running www.freedb.org far more than we trust the people at Sony. Assuming everything is running GPLv3 code, and that with everything combined it is considered illegal, on which piece of software would this clause kick in on and prevent redistrabution. The term user is not defined specifically, it could mean the person running the code, or making use of the code (as in a remote user accessing a webserver) - or potentually mean other computer users affected in some way by the code. Take a program like nmap, which does port scanning, is this an illegal invasion of privacy, what if you are running it against military or sensitive computers? Who is the user in this case, is it me because I'm running the code on my computer, or my target who is being scanned (what if the RIAA where to run nmap on every IP to visit www.grokster.com).

Now some tools can be used in many different ways, a combination of an ssh client, a bash loop, a dictionary file and rsync could be used in ways that are very easily invade privacy (and all other data files) on a users machine, though individually and in combination are also very ligitimate tools.

Then you have an intresting possible (though rather insignificant) perversion of the GPLv3. One day Gator Corp (of spyware fame) decides to release all its products under the GPLv3. As copyright holder it can give as many copies as it likes away, but when anybody starts copying the code themselves, they are sued by Gator for violation of section 3 of the GPLv3, "thou shall use use GPLed spyware". I'm pretty sure such a case would be dismissed on the basis of unclean hands, but it only takes one SCO to tie up the court for years. Another potentual issue is with privacy related bugs. I create a app v0.1 which I later find has a fairly serious privacy flaw. I correct this in v0.2, but does this now mean that others can no longer distrabute v0.1 of my code.

Everybody is asying that this clkause is stupid. If it is illegal, then the licence does not need to say it.

RMS: This better not be in draft 2!

Comment 257: Redundant statement

The draft already clearly indicates in other places that this license does not allow for illegal activities.

Maybe I'm missing something, but, in general (not just regarding this section), what possible business does the GNU GPL have in restricting people's ability to break laws or punishing people for doing so?

If the law in question is in force in their jurisdiction, the courts (not us) should metre out the appropriate punishment, and, if it isn't in force in their jurisdiction, it is usually unfair for them to be punished for breaking it.

Comment 485: redundant (& hence harmful)

I see no point for a license to withold permission to do what is already illegal.

I object to the many legal documents (conditions of use etc.) that forbid doing illegal things, and do not want the GNU GPL to lend weight to such clauses. Such clauses make the document harder to read, and hence fewer people read the document, and hence it is easier to get people to agree to objectionable terms.

I believe the reasoning is "we don't want any licensee claiming 'but the GPL made me do it!'"

I agree that lawyers and judges realize that legal documents can't force you to break the law. But many non-lawyers don't recognize this.

To bring up a politically-charged issue, remember the number of reporters claiming that they had to protect their sources in the Plame issue because they had enforceable contracts to do so. Any lawyer would say "that contract may have been legal when it was made, but now 'protecting your sources' is illegal in your case so the contract is no longer valid, just as if you had a long-standing contract to supply a product that was later banned your contract would no longer be binding."

pjrm: I think your concern is a valid one. The only case I can think of in which it is helpful to add a second layer of privacy protection is where it allows a different party to file a lawsuit over that privacy violation.

There are deeper problems with this sentence:

1. it is about privacy, but it is buried inside the DRM section, that is related to the subject of privacy, but not _about_ it.

2. nor the license nor the body of law in many jurisdictions define exactly what is privacy, nor which are the privacy rights and expectations of the individuals, nor which are the exceptions to those rights.

2a. maybe those definitions are out of the scope of the GPLv3.

3. there are privacy-invasion acts that are illegal -- and there are those that are legal (like a wiretap authorized by a judge, or a surveillance camera on a street). which acts are being banned by this sentence?

4. last but not least, even if a program _can_ be used to invade the privacy of others, exist the possibility that such program is not _intended_ to be used in such a fashion, and that its primary function is not simply invading the privacy of others, or that to fulfill its primary function, as a collateral, the program _can_ be used to invade the privacy of others (example: nmap and other security scanners). Are those programs banned?

Comment 614: Purpose of this text?

Can anyone involved in the drafting process shed some light on the intention of this language?

Was it about moderating the effect of the following paragraph? In that case, does my suggestion of limiting that following paragraph to "legally published" data or works help?

Or was it about trying to stop rootkits, spyware and other creepy crawlies included as part of DRM systems? If that was the case, as others have noted, it shouldn't be limited to "illegal" invasion of privacy. Perhaps some expanded and clarified language (a whole paragraph?) could better achieve such an objective?

1) GPL is about distribution. It should not rule what programs can do.

2) Privacy is a term that depends on the law. In some countries privacy may not be a right at all. This makes the clause almost useless.

The subject text is totally redundant and will only cause confusions. What the SONY rootkit did was almost certainly illegal, but there's no point in having a license forbidding something which is illegal by law. And there is no way you can decide from the source code alone whether is it going to be used illegaly. This text is probably the most obvious candidate for deletion from the draft.

Comment 236: Privacy is outside the scope of the 4 freedoms

Frankly, this clause seems off-topic. Why not, for instance, deny distribution to covered works that are components of weapons of mass destruction? The whole issue of what constitutes privacy is something of an open issue these days, when everybody submits their corporate shopping ID at the grocery store checkout counter and thinks nothing of having their most everyday habits and activities tracked, profiled, and distributed to anyone willing to pay for them.

Comment 251: Open Source Definition - 6 6. No Discrimination Against Fields of Endeavor

I admit I'm somewhat clueless about the specifics of privacy laws (both in the UK or elseware). This seems to imply that you may not distrabute spyware or DRM monitoring systems under the GPL, or by inference modify existing GPL code to become spyware / DRM monitoring apps and then distrabute that. I'm not pro-spyware, would this clause make GPLv3 incompatable with the 6th clause of the open source definition: 6. No Discrimination Against Fields of Endeavor The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research. In the Sony DRM case, one of the features of their CD player software is that it would look to see which CD was playing then make a HTTP request to a Sony server to lookup extra album information, the HTTP requests are then logged by the webserver along with IP address and the privacy implications there (How much consent and/or knowledge is needed from the end user of the feature before its becomes legal/illegal).

Now Assume that I add a feature (maybe it already exists) to GPLv3 XMMS to do a lookup on www.freedb.org based on the currently playing MP3 or OGG. Does this raise privacy implications, I guess not as many. So where is the source of the problem here, is it that the media player software performs automattic HTTP requests based on its other activities, is it at the webserver end because it performs logging, is it because one company controls both the end user software and the webserver performing the logging, or is it simply a matter of trust, we trust the people running www.freedb.org far more than we trust the people at Sony. Assuming everything is running GPLv3 code, and that with everything combined it is considered illegal, on which piece of software would this clause kick in on and prevent redistrabution. The term user is not defined specifically, it could mean the person running the code, or making use of the code (as in a remote user accessing a webserver) - or potentually mean other computer users affected in some way by the code. Take a program like nmap, which does port scanning, is this an illegal invasion of privacy, what if you are running it against military or sensitive computers? Who is the user in this case, is it me because I'm running the code on my computer, or my target who is being scanned (what if the RIAA where to run nmap on every IP to visit www.grokster.com).

Now some tools can be used in many different ways, a combination of an ssh client, a bash loop, a dictionary file and rsync could be used in ways that are very easily invade privacy (and all other data files) on a users machine, though individually and in combination are also very ligitimate tools.

Then you have an intresting possible (though rather insignificant) perversion of the GPLv3. One day Gator Corp (of spyware fame) decides to release all its products under the GPLv3. As copyright holder it can give as many copies as it likes away, but when anybody starts copying the code themselves, they are sued by Gator for violation of section 3 of the GPLv3, "thou shall use use GPLed spyware". I'm pretty sure such a case would be dismissed on the basis of unclean hands, but it only takes one SCO to tie up the court for years. Another potentual issue is with privacy related bugs. I create a app v0.1 which I later find has a fairly serious privacy flaw. I correct this in v0.2, but does this now mean that others can no longer distrabute v0.1 of my code.

Everybody is asying that this clkause is stupid. If it is illegal, then the licence does not need to say it.

RMS: This better not be in draft 2!

Comment 614: Purpose of this text?

Can anyone involved in the drafting process shed some light on the intention of this language?

Was it about moderating the effect of the following paragraph? In that case, does my suggestion of limiting that following paragraph to "legally published" data or works help?

Or was it about trying to stop rootkits, spyware and other creepy crawlies included as part of DRM systems? If that was the case, as others have noted, it shouldn't be limited to "illegal" invasion of privacy. Perhaps some expanded and clarified language (a whole paragraph?) could better achieve such an objective?

1) GPL is about distribution. It should not rule what programs can do.

2) Privacy is a term that depends on the law. In some countries privacy may not be a right at all. This makes the clause almost useless.

The subject text is totally redundant and will only cause confusions. What the SONY rootkit did was almost certainly illegal, but there's no point in having a license forbidding something which is illegal by law. And there is no way you can decide from the source code alone whether is it going to be used illegaly. This text is probably the most obvious candidate for deletion from the draft.

Comment 1125: internationally dangerous

By making a reference to local law about privacy, you are making the application of the GPLv3 internationally uncertain. Indeed, making a reference to privacy law makes the GPLv3 step outside of the frame of the Berne Convention on author rights.

Therefore the "illegally invade users'privacy" wording should be avoided.

I think a clear definition of DRM is: - a mode of distribution - that grants some of the rights present in the license while deliberately forbidding others

This is more or less what the second part of your sentence says.

Comment 235: Invasion of privacy clause allows outsiders to mess with distribution rights

What if, for instance, some silly legislative body decides that, for instance, revealing an IP number is an invasion of privacy. This clause seems to offer way too much scope for 3rd parties to interfere with distribution rights.

Comment 1095: proof of concept (viruses,spywares...)

it is unclear if someone can or can't distribute a gpl3 proof of concept

an example: someone discover a new kind of security flaw and make a gpl code that exploit it in order to demonstrate that this is a real security flaw what is unclear is the "illegaly" term this term depends a lot on the law of the country where the code is relased: *if the country prohibit spywares,drm,viruses... the person can't distribute his code *if the country does not prohibit spywares,drm,viruses but only prohibit things such as cracking/hacking it will only be illegal when: **the program is included or hidden inside another program in the purpose of cracking/hacking **the program is used in order to crack/hack

The clause isn't bulletproof (and was never intended to be) and does, as you mention, depend on regional laws (which is taken up in other comments).

You've given an example of either a "fair use" of the software--using the GPL software to comment on a flaw--or a use of the software that is not an example of "distribution".

Comment 251: Open Source Definition - 6 6. No Discrimination Against Fields of Endeavor

I admit I'm somewhat clueless about the specifics of privacy laws (both in the UK or elseware). This seems to imply that you may not distrabute spyware or DRM monitoring systems under the GPL, or by inference modify existing GPL code to become spyware / DRM monitoring apps and then distrabute that. I'm not pro-spyware, would this clause make GPLv3 incompatable with the 6th clause of the open source definition: 6. No Discrimination Against Fields of Endeavor The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research. In the Sony DRM case, one of the features of their CD player software is that it would look to see which CD was playing then make a HTTP request to a Sony server to lookup extra album information, the HTTP requests are then logged by the webserver along with IP address and the privacy implications there (How much consent and/or knowledge is needed from the end user of the feature before its becomes legal/illegal).

Now Assume that I add a feature (maybe it already exists) to GPLv3 XMMS to do a lookup on www.freedb.org based on the currently playing MP3 or OGG. Does this raise privacy implications, I guess not as many. So where is the source of the problem here, is it that the media player software performs automattic HTTP requests based on its other activities, is it at the webserver end because it performs logging, is it because one company controls both the end user software and the webserver performing the logging, or is it simply a matter of trust, we trust the people running www.freedb.org far more than we trust the people at Sony. Assuming everything is running GPLv3 code, and that with everything combined it is considered illegal, on which piece of software would this clause kick in on and prevent redistrabution. The term user is not defined specifically, it could mean the person running the code, or making use of the code (as in a remote user accessing a webserver) - or potentually mean other computer users affected in some way by the code. Take a program like nmap, which does port scanning, is this an illegal invasion of privacy, what if you are running it against military or sensitive computers? Who is the user in this case, is it me because I'm running the code on my computer, or my target who is being scanned (what if the RIAA where to run nmap on every IP to visit www.grokster.com).

Now some tools can be used in many different ways, a combination of an ssh client, a bash loop, a dictionary file and rsync could be used in ways that are very easily invade privacy (and all other data files) on a users machine, though individually and in combination are also very ligitimate tools.

Then you have an intresting possible (though rather insignificant) perversion of the GPLv3. One day Gator Corp (of spyware fame) decides to release all its products under the GPLv3. As copyright holder it can give as many copies as it likes away, but when anybody starts copying the code themselves, they are sued by Gator for violation of section 3 of the GPLv3, "thou shall use use GPLed spyware". I'm pretty sure such a case would be dismissed on the basis of unclean hands, but it only takes one SCO to tie up the court for years. Another potentual issue is with privacy related bugs. I create a app v0.1 which I later find has a fairly serious privacy flaw. I correct this in v0.2, but does this now mean that others can no longer distrabute v0.1 of my code.

Everybody is asying that this clkause is stupid. If it is illegal, then the licence does not need to say it.

RMS: This better not be in draft 2!

Comment 697: A hammer with a notice stating "you cannot use me to break people's heads"

Does this mean that I cannot modify a "licensed program" in order to implement some illegal privacy-invading feature and distribute the resulting work? This is an unacceptable restriction on the functionality of modified versions and discriminates against possible uses of the work. I'm definitely *against* privacy invasions, but this should not belong in a copyright license. If the privacy invasion is indeed illegal, there are already laws to forbid that behavior. The license should *not* say that you cannot distribute a modified program that performs illegal operations. I suggest dropping this restrictions, especially in light of http://www.gnu.org/licenses/hessla.html

I agree. GPL is hurting secirity research and freedom of speech here. If I want to demonstrate how software could be used to invade privacy, I should be allowed to create an exploit and possibly distribute it via mailing lists. I don't want to be prosecuted for copyright violation when reporting privacy-related security holes.

Comment 251: Open Source Definition - 6 6. No Discrimination Against Fields of Endeavor

I admit I'm somewhat clueless about the specifics of privacy laws (both in the UK or elseware). This seems to imply that you may not distrabute spyware or DRM monitoring systems under the GPL, or by inference modify existing GPL code to become spyware / DRM monitoring apps and then distrabute that. I'm not pro-spyware, would this clause make GPLv3 incompatable with the 6th clause of the open source definition: 6. No Discrimination Against Fields of Endeavor The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research. In the Sony DRM case, one of the features of their CD player software is that it would look to see which CD was playing then make a HTTP request to a Sony server to lookup extra album information, the HTTP requests are then logged by the webserver along with IP address and the privacy implications there (How much consent and/or knowledge is needed from the end user of the feature before its becomes legal/illegal).

Now Assume that I add a feature (maybe it already exists) to GPLv3 XMMS to do a lookup on www.freedb.org based on the currently playing MP3 or OGG. Does this raise privacy implications, I guess not as many. So where is the source of the problem here, is it that the media player software performs automattic HTTP requests based on its other activities, is it at the webserver end because it performs logging, is it because one company controls both the end user software and the webserver performing the logging, or is it simply a matter of trust, we trust the people running www.freedb.org far more than we trust the people at Sony. Assuming everything is running GPLv3 code, and that with everything combined it is considered illegal, on which piece of software would this clause kick in on and prevent redistrabution. The term user is not defined specifically, it could mean the person running the code, or making use of the code (as in a remote user accessing a webserver) - or potentually mean other computer users affected in some way by the code. Take a program like nmap, which does port scanning, is this an illegal invasion of privacy, what if you are running it against military or sensitive computers? Who is the user in this case, is it me because I'm running the code on my computer, or my target who is being scanned (what if the RIAA where to run nmap on every IP to visit www.grokster.com).

Now some tools can be used in many different ways, a combination of an ssh client, a bash loop, a dictionary file and rsync could be used in ways that are very easily invade privacy (and all other data files) on a users machine, though individually and in combination are also very ligitimate tools.

Then you have an intresting possible (though rather insignificant) perversion of the GPLv3. One day Gator Corp (of spyware fame) decides to release all its products under the GPLv3. As copyright holder it can give as many copies as it likes away, but when anybody starts copying the code themselves, they are sued by Gator for violation of section 3 of the GPLv3, "thou shall use use GPLed spyware". I'm pretty sure such a case would be dismissed on the basis of unclean hands, but it only takes one SCO to tie up the court for years. Another potentual issue is with privacy related bugs. I create a app v0.1 which I later find has a fairly serious privacy flaw. I correct this in v0.2, but does this now mean that others can no longer distrabute v0.1 of my code.

Everybody is asying that this clkause is stupid. If it is illegal, then the licence does not need to say it.

RMS: This better not be in draft 2!