Those who are following Open Source Security, Inc, Bradley Spengler v. Bruce Perens may have noticed that there have been several sealed and redacted filings in the case. What’s being hidden? No information of mine. Just fee amounts and customer terms that the law firm would rather keep private. We already know that lawyers are expensive, and we have already publicized the total of my expenses in defending myself, over $670,000, which we have asked to be awarded from the plaintiff’s funds. The redacted versions of documents are online and tell you everything interesting.
In the United States, some technologies are considered “munitions”. Space satellites, rocketry, digital voice encoding, and encryption are among them. Depending on the technology, they are regulated by the Department of State under ITAR, or the Department of Commerce under EAR.
The Open Source cryptography community worked out how to operate in compliance with ITAR and EAR a decade or more ago, filing several lawsuits against the U.S. Government on the way. Unfortunately, the Amateur Satellite and Space community hasn’t been as up-to-speed. It’s time for that to change.
In January, Michelle Thompson W5NYV and I decided to form a new non-profit corporation specifically structured for the purpose of operating international Open Source development of projects that might otherwise be considered to be munitions under ITAR and EAR. To do this, we make use of carve-outs in ITAR and EAR for published information.
Ben Hilburn (of GNU Radio fame) joined Michelle and I on the board of directors.
Michelle is leading the Phase 4 Ground Station project, an Open Source project to create a digital space communications system. Phase 4 Ground and my Open Cars research will be the first projects under our new organization, Open Research Institute, Inc.
We are now incorporated in California and are filing our registration with the State as a charitable organization today. We have contracted a firm to prepare our 501(c)3 tax-exempt non-profit application with the Internal Revenue Service.
In August, Open Source Security, Inc. brought a lawsuit against me in federal court, seeking over $3 million, and later added Bradley Spengler as a plaintiff. Open Source Security and Mr. Spengler sued me because they disagreed with my blog posts and Slashdot comments which expressed my opinions that their policies regarding distribution of their Grsecurity product could violate the GPL and lead to liability for breach of contract and copyright infringement.
This lawsuit should never have been brought. My blog post and Slashdot comments are first amendment speech protected by the California anti-SLAPP law. While Open Source Security and Mr. Spengler were free to disagree with my opinions, they were not free to sue me to try to stop me from expressing them. The anti-SLAPP law requires recovery of attorneys’ fees and costs–precisely to deter actions like this one that chill the exercise of first amendment rights. Fee recovery also encourages private representation in anti-SLAPP cases so that defendants may obtain quality representation without being bankrupted. Thus, the law provides for successful defendants to recover fees and costs from plaintiffs who bring meritless suits.
The court has now ruled in my favor that Open Source Security and Mr. Spengler’s claims are not meritorious. Today, I am asking the court to award my legal fees and costs so far, which will go to O’Melveny, the law firm I retained.
The cost of my defense well exceeded half a Million dollars.
When I got sued, I called upon the best attorney I know in the Open Source world, Heather Meeker, who I have known for 20 years and worked with professionally. Heather is the author of Open (Source) for Business: A Practical Guide to Open Source Software Licensing — Second Edition and three other books. Heather formed a team including Melody Drummond Hansen, a Silicon Valley partner with experience in Open Source and defamation matters, Cara Gagliano, an associate focused on copyright and speech issues, and two bright first-year associates, Marissa Rhoades and Eric Ormsby .
I sought this high-quality team because the stakes were high. Open Source Security and Mr. Spengler sought at least $3 Million and also attacked my professional reputation and integrity. While the fees incurred in this case are significant, they are based on the standard rates charged for attorneys of similar experience and caliber. In my experience, this team is well worth it. Also, the amount of fees reflect Open Source Security’s and Mr. Spengler’s litigation tactics, which unnecessarily increased the time spent defending this case by forcing responses to the many filings and shifting theories they pursued.
Had Open Source Security and Mr. Spengler not filed their suit, they would not be facing this expense at all. For example, had they engaged in the spirit of reasoned debate rather than filing a lawsuit, the fees could have been avoided entirely. And had they not greatly complicated the suit, the fees would be much smaller. Plaintiffs now also are appealing the case, which will further increase my legal costs.
Fee awards under anti-SLAPP are mandatory and they are meant to deter unnecessary suits like this one–to protect everyone’s freedoms to engage in public debate without fear of being sued.
Generally, I would prefer not to talk about a lawsuit in progress. My desire to keep the Open Source community informed is my reason for making this statement. Unfortunately, I will not be able to make any further statements about the case for now.
At its January 18 meeting, ARRL suspended some of the controversial director confidentiality requirements. These requirements first made news when ARRL publicly censured director Richard Norton N6AA, apparently for publicly discussing at an ARRL conference the requirements themselves and the board’s handling of the matter.
The board moved to delete one section of the existing code of conduct and suspend another:
Today’s Sescom launch by SpaceX failed spectacularly when the expendable first stage failed to be expended, surviving after soft-landing in the ocean. An embarrassed SpaceX had no choice but to attempt to tow the rocket to shore, lest it reveal ITAR-restricted secrets and other proprietary information of SpaceX to anyone who cared to salvage it.
I wrote a while back that the Zuma satellite mission might not have been real. Well, SpaceX launched it yesterday, Sunday January 8, and there is still no indication that a real satellite was launched. While the Zuma mission is secret, rumors today are that the mission failed. See 1 2 3 4 and the best article so far. SpaceX claims that nothing went wrong on their side. My surmise is that this mission was for the purpose of evaluating SpaceX readiness to perform launches for government intelligence, and like the Falcon Heavy demo (which is carrying Elon’s Tesla Roadster) might not have been carrying a functional payload.
On November 27, Red Hat, IBM, Google, and Facebook announced that they would give infringers of their GPL software up to a 30-day hold-off period during which an accused infringer could cure a GPL violation after one was brought to their attention by the copyright holder, and a 60 day “statute of limitations” on an already-cured infringement when the copyright holder has never notified the infringer of the violation. In both cases, there would be no penalty: no damages, no fees, probably no lawsuit; for the infringer who promptly cures their infringement. I’ll discuss this in a question-and-answer style:
Q: Does this change any court case involving the GPL that is presently in progress? A: No. Red Hat, IBM, Google, and Facebook are not known to be involved in any recent cases of enforcing their copyrights on any software under the GPL license. Red Hat once suggested that it could enforce the GPL against patent aggressors, but I am not aware of any cases in which they have done so.
Q: Does this change the way that GPL license on Linux or any Open Source program will be enforced? A: That’s unlikely. It is not in the interest of those four companies to become involved in enforcement of the GPL license in the future. Thus, their promise to allow an infringer to cure their infringement within certain time limits is irrelevant. Red Hat and IBM would rather sell Linux systems than make their customers afraid by bringing lawsuits. Google and Facebook have bigger fish to fry.
Q: Does anyone else have to provide the same time limits? A: No. The companies involved in the announcement are not the entities that bring GPL enforcement lawsuits. There are thousands of copyright holders in the Linux kernel who could theoretically bring a lawsuit, and perhaps one hundred thousand authors of GPL-licensed software other than Linux (but which might be included as part of a typical Linux system). None of those parties are compelled by today’s announcement. But in general those parties have been voluntarily waiting much longer for infringements to be cured without penalties.
Q: Does their announcement comply with the Principles of Community-Oriented GPL Enforcement drafted by the Software Freedom Conservancy? A: Sort of. It’s obviously inspired by them and by a previous announcement by the kernel team which is also inspired by SFC’s principles but doesn’t mention them. The Open Source developer community in general doesn’t just wait 30 days for an infringer to cure their infringement without any penalties. Historically, they’ve waited much longer and the community principles do not specify any particular duration. The infringements of some of my compliance customers would have been impossible to resolve in just 30 days. Some cases have been settled quietly after more than a year in progress, without any cost, or perhaps only a reasonable compliance auditing fee. One of my customers, a Fortune 100 company, was asked to pay $5000 in auditing fees in resolution of a GPL infringement in a Billion dollar product line. Current infringers may be asked for more simply because these cases are expensive to pursue, but in general the community prioritizes compliance over income and does not ask for huge damages as a company in the proprietary software industry would.
Q: Why was today’s announcement made? A: The companies are concerned by one person, Patrick McHardy. I have no personal knowledge of this, but attorney Heather Meeker has documented it. It is said that he has brought about 50 copyright infringement claims regarding the Linux kernel, with intent to collect income rather than simply obtain compliance with the GPL license. Pretty much everyone in the Open Source community and the companies involved all object to this behavior. Me too. But as far as I can tell, it’s McHardy’s legal right to bring such claims regarding the copyrights which he owns, even if it doesn’t fit Community Principles which nobody is actually compelled to follow. The big companies and community members (and I) wish to discourage McHardy and other parties who might wish to become “copyright trolls” in a similar style and exact damages out of unintentional infringers of GPL-liccensed and other software.
Q: Did the Linux Kernel Team make a similar announcement to that of the four companies? A: Yes. Here’s what they had to say. It is probable that in the future the kernel team will stop accepting contributions from people who don’t sign on to the policies at that link. They have presently excluded Mr. McHardy from the kernel team. But it’s important to note that there is lots of existing work in the kernel by copyright holders who are not required to comply with those principles, and the copyright holders all of the GPL software other than the kernel (a larger body of software than the kernel by far) are not required to comply with those principles.
Q: Is it true that the principles the four companies announced today are taken from the GPL 3 license, but they are applying them to GPL 2? A: Yes. If your software is under GPL 3, the same waiting periods that the four companies have promised are required. Thus, it is ironic that when originally presented with the opportunity to apply the GPL 3 to Linux, Linus Torvalds and the Kernel team were quite hostile about it, while the kernel team’s recent announcement attributes the principles they have adopted to the text in GPL 3. Perhaps they’ve learned something since those hostile moments.
Q: I have more questions. A: Send them to bruce at perens dot com.
The Zuma mission was always mysterious. Now, there’s reason to wonder if it was ever even real.
SpaceX announced on October 16 its mission to launch a secret government satellite built by Northrop-Grumman. It was scheduled to launch within 30 days of the announcement. Keeping a mission secret until the last month before launch was unprecedented for SpaceX, even for previous secret government satellite launches, which had been listed on its launch manifest for years.
Just before Zuma was ready to launch, SpaceX announced that the launch was cancelled via twitter: Standing down on Zuma mission to take a closer look at data from recent fairing testing for another customer.
Subsequently, the Zuma mission was removed from the famous NASA Pad 39a, and returned to the SpaceX garage. SpaceX resumed construction work on Pad 39a to remove the huge rotating Space Shuttle enclosure and to ready the pad for the three-booster Falcon 9 Heavy demonstration launch. This indicated that there would be no Zuma launch soon. No new launch date has been announced.
So, if we are to take SpaceX’s tweet at face value, SpaceX has suffered a serious failure during testing of its fairing, the “nose cone” of the rocket used to shield a satellite from the atmosphere during launch, which has delayed the Zuma mission until the failure can be understood and corrected.
The next expected SpaceX launch, a cargo launch to ISS expected to fly from Pad 39a on December 4, won’t use the fairing, which is only for satellite launches. Cargo launches to ISS use the Dragon space vehicle. So, this mission would not be delayed.
Since there’s an Iridium satellite launch using the fairing scheduled for December 22 at Vandenberg, we’ll see in a month or so if the fairing problem is so large that it delays further launches. Changes in the fairing could be visible in the launch video, expect space aficionados to pour over that video frame-by-frame.
But there’s another possibility: That the Zuma mission was never real.
Why would SpaceX bring a rocket to the pad on a short schedule only to never launch it? Perhaps the actual mission was to see if SpaceX could put together a launch on a short-enough schedule to satisfy strategic requirements of the government. In tense times a satellite might have to be launched on a short schedule in order to view a country we want a really good look at with special instruments: say, North Korea. Or a failed military satellite might have to be replaced with a standby unit in a big hurry.
If the Zuma mission actually was a test of SpaceX’s ability to launch on a short schedule, they probably passed the test. They put a rocket with what might have been a mock-up satellite on the pad on a short public schedule and test-fired it. We have no idea, of course, of how long SpaceX actually knew about this mission.
And of course the government could have other reasons to delay a spy satellite launch, which we’d never hear of.
SpaceX still has the functioning rocket to satisfy another mission, so if Zuma was never meant to happen, the government might not have had to pay as much as they would for an actual launch. Government launches and launch simulations are still significantly more expensive than civilian ones, due to the vastly increased administrative requirements when working for the government: tests, paperwork, accounting, etc. that a civilian launch customer would not require.
SpaceX fans obsessively track the serial numbers of boosters (seen near the tail fin on the first stage) from the SpaceX factory in California to its test site in Texas to launch in Florida or California. They might catch on if the Zuma booster is eventually used for another mission. Or SpaceX could repaint the serial number to confuse them.
We should know more soon. Perhaps Zuma will launch.