[Discuss] Govt Source Code Policy

[smallm at sdf.org (Mike Small)]

Rich Pieri <richard.pieri at gmail.com> writes:

> On 4/4/2016 4:05 PM, Mike Small wrote:
>> That's a bit weak. You would only be liable if you in fact did not erase
>> your backups and had some. So their definition would stand on a
>> hypothetical present fact (that backups exist) and a hypothetical future
>> action (that the victim doesn't destroy them) for the hypothetical "you"
>> the license references.
>
> We know that backups do exist because we know the device had previously
> been synched with iCloud and those backups were not erased.

We'd need a lawyer here but I don't think you get to go specific when
interpreting the definitions of the license in general. i.e. I can't see
a legal interpretation of the GPL that makes the meaning of convey
conditional on the particular licensee's circumstances. You'd have a
kind of Schrodinger's license in that case.

>> But for the sake of argument let me concede the point. Let's say Syed
>> Farook's phone had had GPLed Apple system software on it. It would have
>> been Farook who would be breaking the GPL by not passing on the
>> "authorization info" as he "conveyed" this GPLv3ed iPhone software to
>> the FBI. This possibility wouldn't have prevented or disincentivized
>> Apple from using the GPLv3 + autodestruct.
>
> There are two possibilities here.
>
> One is that this information is generic to all of that device model. In
> this case all the FBI would need to do is have an agent buy an iPhone
> and request the information. In this case the FBI would not need Apple
> to sign their custom GovtOS in order to avoid wiping the device.

Generally people argue that in the long run, not depending on security
by obscurity forces people to make systems that work as intended even
when attackers have the benefit of source code. The FBI can buy versions
and be free to mess with them and see how they work, but so could
academic and industry security researches with the results being made
available so Apple could try again better next time.

>
> The other is that the DRM is uniquely keyed to the device. In this case
> the FBI might actually need Apple's intervention if said information
> were not in the employer's possession and not in Farook's effects, right?

>
> Wrong.
>
> Every or nearly every version of iOS, including the version on Farook's
> employer's iPhone, has vulnerabilities that can be exploited in order to
> run unsigned versions of the operating system. GPL Part 3 prohibits
> using laws like WIPO as protection which means the dissemination of
> exploits cannot be prevented or suppressed by those laws. In this case
> the FBI would legally have the information necessary to circumvent the
> DRM and thus still would not need Apple to sign their custom GovtOS in
> order to avoid wiping the device.
>

Not sure I'm understanding you. First off, the FBI as a criminal
enforcement agency is themself excempt from the DMCA:
https://www.law.cornell.edu/uscode/text/17/1201
Remember also again that Apple would not need to fear being out of
compliance with the GPL on software they're the sole copyright owner
of. You'd need some other copyright holder up the chain of what they're
distributing for that to matter when they violated that clause with a
DMCA suit. Then how much effect are DMCA civil suits really going to
have on dissemination of exploits?  About as much as copyright law has
had on the availability of movies with the copy protections stripped off
I should think. And besides, as was puzzling all along in this case, the
FBI is no doubt perfectly capable of coming up with their own exploits
or hiring someone to quietly do so.

> I have to admit: it's been entertaining watching you GPL adherents try
> to punch holes in your own favorite software license in order to prevent
> the FBI from hypothetically doing what it was carefully crafted to
> explicitly permit.

There's no irony here. I like the idea of a GPL with provisions not
granting equal rights to scumbags who spy on environmental orgs and
black lives matter activists or to people who manufacture weapons. But
it's easy to see the mess that would result if everyone had their pet
restriction added in. They struck the right balance, as usual IMO. So to
the degree the FBI exercises their right to mess with software they come
into possession of it's cool they're granted such rights.

And obviously the GPL wasn't "carefully crafted" to permit someone to
take your device and get at your data. I mean, maybe in the 80s rms had
said something that seems funny now about passwords, but today the FSF
is promoting use of encryption.

-- 
Mike Small
smallm at sdf.org