Anti-tivoization is one of the notable differences between GPL-3.0 and GPL-2.0. Briefly, Tivoization means that part of the source code of a product is provided to users, yet because of Digital Rights Management (DRM) restrictions, modified software based on that source code cannot be installed or executed on the very device it came from. In other words, although the corresponding source code of the product may already have been delivered to users, the DRM mechanism leaves the FOSS community with very limited ability to redistribute modified versions. For that reason, “Installation Information” in the GPL-3.0, as part of the “Corresponding Source”, has been clearly redefined to include “authorization keys”. This ends Tivoization for GPL-3.0 related products, but it also raises information security concerns about the security maintenance of embedded devices with encryption and decryption functions. In this session, the correct interpretation of the “User Product” terms in the GPL-3.0 will be explained further; based on that, several real-world solutions for dealing with this issue will be introduced, though not all of them are 100% out of the grey area of FOSS license compliance risk.
Anti-tivoization is one of the differences between GPL-3.0 and GPL-2.0 that should be noted. As a matter of fact, the Anti-tivoization “feature” introduced in the GPL-3.0 is treated cautiously by many large IT enterprises all over the world; quite a number of those companies have adopted policies that software licensed under GPL-3.0 or AGPL-3.0 shall not be adopted into their commercial products without prior evaluation. Briefly, Tivoization means that part of the source code of a product might be provided to users, yet because of Digital Rights Management (DRM) restrictions, modified software based on that source code cannot be installed or executed on the very device. That is, the device is prevented from installing or executing the modified software, even though the corresponding source code of that device has been delivered to customers under GPL-2.0 or LGPL-2.1. To a certain extent, the Tivoization DRM mechanism leaves the source code of very limited use for redistributing modified versions within the FOSS community.
Before the publication of GPL-3.0, the Free Software Foundation and Richard Stallman had already made several public statements commenting on Tivoization, and the conclusion was drawn that a “patching” solution would be “submitted” into the new version of the GPL license terms. That is, “Installation Information” in the GPL-3.0, as part of the “Corresponding Source”, has been clearly redefined to include “authorization keys”. This ends the Tivoization debate for GPL-3.0 related products. At the same time, however, this new Anti-tivoization mechanism raises information security concerns for embedded devices with encryption and decryption functions, because of the uncertainty it brings to security maintenance. In other words, manufacturers might be required to help “hack” their own products by providing the authentication keys so that modified software can be installed back onto the device and run. Because of this, many router manufacturers, chip manufacturers, and smart vehicle device manufacturers, such as the GENIVI Alliance, tend to exclude GPL-3.0/AGPL-3.0 licensed components from their approved lists. In light of these disputes, this session will further explain the interpretation of the “User Product” terms of the GPL-3.0; based on the correct understanding, several real-world solutions for dealing with this issue will be introduced, though not all of them are 100% out of the grey area of FOSS license compliance risk. In general, however, understanding the issue and trying to manage it better should be a progressive way to achieve open source compliance in embedded fields.
About Lucien C.H. Lin
Lucien Cheng-hsia Lin, legal adviser to both the Open Culture Foundation and Gemly Int’l Intellectual Property Right Office, has been participating in the interpretation and clarification of Open Source, Open Data, and Creative Commons licenses among local communities, official agencies, and companies in Taiwan for more than 10 years. He is best known for being the main proposer and drafter of the “Open Government Data License Taiwan 1.0” (https://data.gov.tw/license), which implements a one-way CC BY 4.0 switching mechanism that can make most of the materials on the Taiwan Open Data portal available under the CC BY 4.0 license.