Copyright infringement by "Culture4Life GmbH" / LucaApp #1
Comments
|
Diff: https://twitter.com/zerforschung/status/1377043580498378753 They only removed the License and changed some formatting. |
|
Just to be clear: The Luca app is commercial software. And they already sold it to several german federal states earning approx. 10 million euros. So not just another OpenSource project which "accidentially forgot to copy the license". |
|
Making money with OpenSource Piracy. |
|
To be even clearer: after massive pressure because it was pretty much impossible to vet their app they now "published" the client part of their source code under a "license" that essentially states "you may look at it until we say you may not for no reason whatsoever, all other rights reserved by us"¹:
and, the most cognitive dissonant clause ever given their theft:
¹: technically even me quoting their license here is against their license. fun, right? see also the issue on their gitlab about their weird relation to licenses to which their response effectively was to ignore the issue being raised and babble something about how great they are for showing us the irrelevant part of their sourcecode. btw this might be helpful. |
|
They just changed their license and added the copyright notice for this repository. https://gitlab.com/lucaapp/android/-/commit/4433884f00462baecf6ac51641433e089516f533 |
|
I just came here to say that the developers of the LucaApp are skidkids and that they don't deserve the money. @thesimj should get some money as an apology. This guy should step forward and write an apology because in the end its his project. :) |
|
From Philipp Berger who changed the licence now to GPL v3:
https://twitter.com/BergerPhilipp/status/1377159036546609152 |
|
Does the GPL allow adding BSD-licensed code? |
|
@dertuxmalwieder you can include BSD-licensed code in GPL-licensed software. You can not include GPL-licensed code in BSD-licensed software. There are loopholes though. As a rule of thumb, your software's license needs to be no more permissive than the license of any of its dependencies (where BSD is considered more permissive than GPL, i.e. this is from the POV of the publisher, not the user). |
|
As far as I have seen, the app developers have sublicensed other people’s BSD code under the GPL without noting that. But I could be mistaken. |
|
i mean they're also still in breach of license despite readding the source comments, since their app doesn't (and never did) show any copyright notice in its binary form |
|
Fixing a mistake does not, legally speaking, remove the past violation. |
|
This seems like something the EFF or FSF (if GPL is involved) might need to be notified about. Just a thought. This is what OSS licenses are for, and if there is no recourse for blatant illegal theft like this then our entire culture and hard work is collectively devalued. Building for-profit applications on the backs of our free time is something we're okay with, but at least follow the minimal set of rules we set forth for doing so. Violations need to be made an example of. |
|
Embrace the incoming shitstorm 🍿 |
|
I believe they did a poor attempt at stripping out any and all comments from their codebase which ofc also removes copyright headers of libraries and toolstacks which in turn is against their respective licenses. It would be interesting to see if the App itself lacks the License acknowledgements as well, because if they do not list Open Source Software and licenses used in the final .apk then there's malicious intent. I think the best way forward is to use strict OSS licenses like AGPL & co that simply forces the user (luca in this case) to themselves opensource and publish any and all modifications made to it while still allowing a commercial use. //EDIT: With License Acknowledgements I mean like every other large app (eventho sometimes hidden) has an entry in their Help/Settings/About page with a very large list of which OSS component is used and which license it has, as example I'll just pick Instagram: Profile -> Settings -> About -> Open Source Libraries -> Enjoy the Wall of Text of all Licenses and Libraries used |
Yes. This is what every professional developer would do. So what are the developers of Luca then? 😏 |
|
Startup hipsters, presumably. |
When it comes to the GPL (at least v3), fixing a mistake within 30 days of being notified about it grants you back permission to use the code (if it’s your first violation). |
To quote from the GPLv3 section 5: “If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.” So strictly reading you can publish a GPLv3 program with an interactive user interface which does not display Appropriate Legal Notices, because you are not required to add them, but once there exist Legal Notices, you must not remove them. I don’t know how a court would decide this. |
I don't buy it, because there are/were other comments in those .java files, so removing just the copyright headers at the top looks at least somewhat intentional to me. |
I bet they have some "Copyright Culture4Life GmbH" somewhere in their UI, so… 😅 |
Well … :-) |
I've not vetted many of their files, I just briefly skimmed through the first commit and saw that a very large portion of .java files had no comments whatsoever which is rather odd. So I just assumed human-error over malicious intent by default. But ofc this seems to be less and less the case now. I could also not find any in-app acknowledgements from the code but again, I've not fully vetted it. |
|
Wouldn't this make a report on the Google Play Store page possible? Copyright infringement? |
What are skidkids? |
Regarding Apple store: https://twitter.com/ralf/status/1377127675463004162 (German thread) |
|
While I understand and share the fury of all of you, please remember this is an issue tracker, not a discussion board or IRC.
are only possible by the copyright holder – the author himself. |
|
I know this is not the place to add it, but for those who care ... Through my years in IT, have found several vendors were essentially rewriting open source code in their dev work in such a way as to not to blatantly violate licenses .... I suppose you can call it laziness, being cheap; or flattering the great work people in the open source community do every day... Probably saying things you all know .... |
|
@StewAlexander-com That's just "business as usual" sadly. However, if you find something feel free to report it to https://gpl-violations.org/ |
What do start-ups and hipsters have to do with this? Way to pass judgement on a totally non-related issue. |
|
As they used your code without permission, it's not in conflict with your license, it's just in conflict of copyright in general. You should really write them a bill for the usage, it's that simple. You give permission only to those that obey, for every cent they earned before they published their code and/or complied with your license, they had no right to use it besides paying you for it. So go, please get a lawyer that knows this stuff (e.g. ask fsf.org) and wire that bill over there! good luck! |
|
I might be downvoted for this but I don't agree with some of the outrage that happens here. Though of course there is some constructive content here too, that I do agree with. I want to preceed the following by saying that I am not affiliated with Luca whatsoever, I heard about it for the first time today. The authors might be intentionally abusive or they might not, but I do not believe that it can be judged from this incident alone. My thoughts are these:
Given the smallness and specificity of this algorithm I do not really blame them for taking option 1. I would have found it worse if they went for option 2 since that displays intend for infringement. Options 3 and 4 would have resulted in more overhead for something so miniscule. We've all copied code from projects before, I know I'm not alone on this, it's a normal thing to do, and partially even legal. I agree this crosses a certain arbitrary boundary, but I just want to argue that this is somewhat subjective. That being said I personally like assuming foolishness over maliciousness.
It might just be a big project which "accidentally forgot to copy the license", I don't see why there should be a differentiation here. I haven't used the app but from the few screenshots on their website it doesn't look like it's a huge company with hundreds of employees, for all I know it might be a couple of friends who worked on that app and it ended up really successful. Could even have been just one guy who then copied this code when they started out. Furthermore I would like to post the question: What do they gain from not including the BSD license? BSD is permissive of commercial usage, so all it would save them is including the BSD license in some throwaway part of their client or website (see e.g. discord's licensing page). This is partially a genuine question, perhaps I'm just missing something here. Once more, I am not saying the authors did nothing wrong - they did, this is objectively copyright infringement. But insulting them, calling for a shitstorm, or acting like this proves they definitely did something bad (as opposed to something wrong) is just immature and senseless behaviour, as far as I'm concerned. |
A company that takes millions of public money in Euros is probably not in a good position to say “oops, we’re foolish, hee-hee”. As I’m one of the people who paid with their taxes for this pile of whatever, I am, to say the least, not happy to hear that my taxes are spent for paying fools who don’t know the basics of licensing law and still are allowed to run a software company.
And they don’t, so they violate a license for my money and this is disturbing. |
i may add that the actual binary on google play store is still the violating Software - since it was build with the removed licences - stolen code. Actually its Version 1.4.12 - the presented Code is for 1.6.1 your code is not the only one affected, but the most prominent one - the smoking gun. |
You forgot option 5: 5. Contact the author and offer payment for the right to use it without obeying the license. Some context for the outrage, in case you understand German: https://logbuch-netzpolitik.de/lnp385-fuempf-blockchains Luca has been pestering German IT Folks for months to aid them in their PR, and incidentally and surely without any connection, the German government created rules for gatherings that the existing app created for the government which keeps to highest privacy standards (and was praised throughout German IT communities) cannot fulfill, because they are incompatible with such privacy standards. |
Why would they do that? BSD does not hinder them in their efforts whatsoever. They have absolutely no incentive for option 5, hence I didn't include it in my listing. That's the entire point of open source software, allowing people to use it for whatever they want, so long they mention the usage in case of MIT/BSD/etc. or use the same license for their software in case of GPL/LGPL (assuming the linkage exception wasn't made use of), etc. At best they just forgot to add it, perhaps when the app was still small, or they copied it over from an old project of theirs. Without further context it is very hard to know where on the spectrum between those two options this lands. I could understand the point if this project was licensed under any of the GPL licenses. In that case it would be very obvious to me that they just wanted to avoid having to go open source themselves. But BSD is about as permissive as it gets before being public domain, so they have had such a small incentive to just neglect this that I find it at least worth considering that it might have just been a blunder. |
This is what they did not do, and if they don’t want to acknowledge the authors, then they should ask the author(-s) for an exception (for payment). That they deleted the license notice is an indicator (though no proof) that they did not want to acknowledge the author. Could be an oversight, or some strange notion from a legal department (which backfired badly), but it looks fishy: Someone took the decision to remove the copyright header. Naturally it carries a risk to do the right thing: The author could say no — and then be aware that they wanted to use the code, so if they decide to use it anyway their copyright violation might be noticed more quickly. But they got people from music bands to do their marketing whose labels already sued noncommercial filesharers, so I have no sympathy at all for their commercial copyright violations. This would look less fishy (but more illegal — at least before their move to GPLv3+, with GPLv3+ it is legal), if they had included code snippets from stackoverflow (which are cc by-sa licensed). That’s something where I think that it can happen much more easily unintentionally. Their move to GPLv3+ suggests, however, that they have at least some people (or rather: at least one person) who know their stuff — whom the public outcry helped to sway the opinion of the deciders and do the right thing. |
|
I really want to stress that I don't want to excuse their copyright infringement. What they did is wrong, period. I just don't like how people are insulting them over this, or judging their entire operation based on this fact alone. You can judge them for their privacy model or the legal actions you mentioned among other things, but I don't think it's fair to assess anything significant from what I perceive to be such a minor incident. |
|
It may be off-topic, but since this a general discussion about the topic: @thesimj hired a lawyer to get a fee from the developers besides a trial in court, which he will give back the community at 100 percent. |
|
They are saying that the BSD-license isn’t compatible with the GPL. That would mean that it’s the 4-clause BSD-license instead of the more widely used and more compatible 3-clause BSD-license. But the license in https://gitlab.com/lucaapp/android/-/blob/master/Luca/app/src/main/java/de/culture4life/luca/util/Z85.java#L132-137 is the 3-clause-BSD license: https://en.wikipedia.org/wiki/BSD_licenses#3-clause_license_(%22BSD_License_2.0%22,_%22Revised_BSD_License%22,_%22New_BSD_License%22,_or_%22Modified_BSD_License%22) |
|
@ArneBab You seem to be correct. The original license comment uses the 3-clause BSD license, same as the restored comment in your link, btw: What's even weirder is that a LICENSE file was later added, which contains a 2-clause BSD license, making it unclear which of the two is supposed to apply to the code in question (but presumably it's the 3-clause one as it's still embedded in the code file): https://github.com/thesimj/jBaseZ85/blob/master/LICENSE Coupled with the claim that the license is incompatible with the GPL this sounds like either the details of the legal claim got muddled in a game of telephone or there is some confusion about the difference between the various BSD-style licenses. EDIT: IANAL, TINLA, none of this commentary constitutes a qualified legal opinion or claim. |
|
IANAL but I still seems like the lawyer is wrong. There is nothing wrong with using a BSD licensed project in GPLed or closed source software (as already stated above). Quite disappointed that @thesimj would involve a lawyer over this. The only thing the LucaApp people did wrong was removing the license in the comment, which I would assume is just a rookie mistake. There might also be a requirement to include the license somewhere in the UI, but AFAIK the jury is still out on that. They were certainly not "pirating" anything. If anyone has a problem with their software being used in commercial projects, just use an appropriate license. Keep in mind also, that they were forced to rush releasing their code by an angry mob. If they wouldn't have released it, they wouldn't have done any violation from what I can tell. They tried to push back on releasing everything too early probably precisely to avoid a situation like this. Yeah they were dumb to invent their own license which makes things worse for them. But everyone who works in open source knows tedious it can be to make sure you adhere to all licenses without ever having any bad intent. |
|
There is definitely a requirement to include the license somewhere in the app: If they wouldn't have stripped comments from their source code, the only violation would be not including the notice in the app. |
while this is technically correct (apart from you mixing up MIT/BSD there) and i assume that was confusion about this RMS rant usually cited for claims (despite not actually showing why) that the 4-clause version would be incompatible, or the fact it would've been very much incompatible with their own original "homebrewed just looking no touching license", what is clearly wrong though is making a derivative work of said code (which they did by changing things about it) and then releasing this as part of the first closed and now GPLed software without adhering to the license terms. essentially, the BSD license is very much incompatible to the act of literally changing a work's license after copying it without asking the author.
care to elaborate as to why?
so "the only thing they did wrong" was blatantly ignoring and even deleting all trace of the license terms of a product they made money off? and no, the jury is not out on that, it's literally stated in the license terms they deleted (see comment above).
they took someone's product, broke the license terms, and sold it as their own. where's that "not pirating"? that's arguably worse pirating than most "real" software piracy where people don't often actually sell it
nobody had a problem with the software being used commercially, but with the fact the appropriate license was breached. yknow, the kinda case you'd put a lawyer on :P your logic boils down to "if you don't like your stuff getting stolen after you told people not to, just tell them not to", you are aware of that, right?
you mean apart from the violation there always was from the second they released their binary to the users? (again, see above)
given a) they have been in breach of license even before releasing the source, and b) they're now hiding the fact they doctored the license comment back in by messing with git history, the only thing they seem to try is covering their asses, already knowing they messed up (which they must have known, given the allegedly bribes, nepotism and fraud fueled way they got the govt contracts to begin with). we're talking about a company literally going "we don't have competitors so don't bother asking our competitors and just hand over the money" and "what do you mean you found multiple glaringly obvious giant vulnerabilities and you're showing screenshots of the proof? here's a half page marketing blurb saying it's secure because we'd like it to be, so you must be wrong" after all, so how exactly do you think they'd reacted if @thesimj would have contacted them without lawyering up (especially after multiple other people have alerted them of their illegalities and they chose to literally ignore all of that)? |
|
Yeah maybe they'd need to show the license somewhere in the app as well. Maybe webapp need to. Maybe only if they render client side. My point is @thesimj could have just told them about the mistake instead of now trying to monetize the situation, which I believe was simply an honest mistake and not "blatantly ignoring", "pirating" or "selling as their own". Anyway, users of my software don't need to worry about me sending a lawyer after them without warning for a mistake like this. |
not just maybe, they would have needed to do that, it's literally in the license.
lots of people did using various channels and were ignored
that's how lawyers work though, they cost money. and without a lawyer they would have just kept ignoring it (they still don't adhere to the license to this day, and haven't even done so little as apologizing unless you count a tweet literally saying "the BSD project stole our code, but we love the community" because they couldn't be bothered to let someone else than google translate type that, and in which they claim to have "contacted the author and apologized" after he lawyered up). and, after all, breach of contract usually also costs money. and it's not like they're lacking any they swindled out of our pockets.
if you make a honest mistake, and lots of people complain about it, you apologize and fix it. they didn't. they even go out of their way to actively try to hide evidence after they have been made aware this is a legal matter now.
those are things they literally did though, no matter the intent.
it is about proper reproduction of a license (that's why @thesimj lawyered up after all), it's just made worse by the fact it's a shitty company making a shitty product and selling it to millions of people without their consent and with allegedly fraudulent means. and the fact their main mouthpiece is on record how important intellectual property is (when it comes to his making money off it, i guess; tl;dr for the non-german speakers: "we should teach the populace a) how evil piracy is and b) that music should not be allowed to be copyleft even by the authors").
good, because neither do users of this software, they had ample warning after all. care to get off your high horse and stop protecting the poor poor government backed fraudsters from the evil open source developer now? because that "i'm so much better than @thesimj" comment was really uncalled for, especially in this context. |
|
and even if this all was "just a simple mistake", we're talking about a company a) owned by people suing file hosting companies out of existance because it's possible to use them for piracy, and b) going out of their not necessarily legal way to get an exclusive deal with a government that recently had to fameously recall guns from the battlefield because they were concerned the manufacturer used patented technology without license. you'd kinda expect them to look out for mistakes like that. and people telling them they made mistakes like that over and over. and not just tweet a claim about having apologized after they've been presented the lawyer's bill. |
And c) they are paid millions by us taxpayers for "their" software. Not only was the intellectual property of the original author stolen, they also committed fraud to millions of victims (= us) because that was not what we wanted. |
I would understand this shit storm if thats the case. Who contacted Luca when and how long did it take them to fix the license header? All your remarks on how evil this company is just proves my point. You're trying to weaponize open source for your campaign against a company you don't like. On the note of squashing the commits: Of course, otherwise they would still host the code without the license and therefor violating it |
Why is it bad that @thesimj wants to get money when they did not adhere to the license? If it’s wrong that @thesimj wants money, then it is also wrong, that the company behind LucaApp wants money. People who sued children for copyright violation do not get lenience when they violate copyright themselves — at least not before they offer excuses and make amends for the wrong they did (if you think that @thesimj does wrong, then people behind LucaApp already did wrong thousands of times and should first repay those they hurt). |
I'm with @ArneBab, opensource does not mean you aren't required to adhere to licenses and copyright. Since thesimj is the copyright holder of a used code portion, he has every right to do legal actions about non-complying projects. |
|
There should still be a separation between what the company does in general and what they did here. It seems large parts of this are the general discontent against the company, rather than a clearminded judgement of what has happened here. Having done even more research on the company and their product I despise them just as much as the rest here, but that doesn't mean that what they did here is intentional, and it is my belief that you should treat everyone equal regardless of unrelated things they have done. So whilst you bring up very good points @nonchip and the actions taken so far are righteous as far as I'm concerned, I believe that @discordianfish has a point in saying that you're just using this incident to stick it to a company you dislike. |
|
@Folling thousands of Germans are out of work right now and a company we all pay taxes toward is using the OSS community's work without attribution. This is 100% their screwup. You are not exempt from consequence because you make a mistake or don't understand the law. You are required to understand how software licenses work and their requirements if you are to use licensed software. Period.
They would be subject to copyright infringement, just like everyone else. They wouldn't allow this to happen, though, because they have a good group of reviewers that would never let it happen.
Where was the company insulted? Where is the "shitstorm"? As for legal action, perhaps you should research a bit on GPL vs BSD and Apple. There is a long standing precedent about how these sorts of licenses work in the wild. This is no different.
I don't think anyone has any strong opinions about the company either way, except for their illegal use of code and the fact they're building a commercial operation using OSS software and taking taxpayer money.
There can be lots of reasons why there would be (naive and unacceptable) incentive. Optics within the company, plagiarism, toe-stepping requirements or other regulations, patent-related reasons, or even something as simple as altruism ("we built this all on our own"). Of course, there is always the chance it's neglect. However, that doesn't excuse you from adhering to a legal contract.
I don't really understand the "kumbaya" mentality here. A commerical endeavor funded either in part/in whole by taxpayers using open source, freely available software failed to adhere to the most basic clauses and requirements of the contract they implicitly agreed to when deriving a work based off of the protected work. It's a cut and dry case. Nobody is excused.
This is speculative and an argument that is 1) made in bad faith (you're assuming something about one's character or motives as leverage in support of legal wrongdoing), and 2) completely ignores the point that they broke a very clear, cut and dry contract. |
I never argued with this.
I never argued with this.
I never argued with this. I only said that they wouldn't be judged as harshly and people would presume it to be an honest mistake before anything else, unlike here.
They were called "hipster startups" and "skidkids" in this thread alone, there was worse on twitter. I never said there is a shitstorm, I said that people called for a shitstorm.
I never argued with this. In fact I went out of my way to call the legal pursuit "righteous".
And I still highly doubt that any of those apply. But I am aware that I could be very wrong here. Maybe I'm just underestimating the incompetence or maliciousness of the company. I don't see why any firm with millions of public backing would go through the legal risk of deleting a copyright notice on purpose when all they would have to do in order to comply with it is not do that, and mention the usage on some obscure part of their app/website which takes minutes to setup.
I never argued with this.
And if they did that on purpose I find it despicable, I still believe it was an honest mistake though.
I never argued with this.
Funny how that works :P And I am not supporting legal wrongdoing, the only thing I have ever argued against was the judgemental attitude. I think it's fine and proper to involve a lawyer here, to be paid reparations, and to have the company do right on their wrong. I don't think it's fine and proper to go out of your way to insult the people working on the product because of the mistake they made, I've argued this plenty of times and have stressed this point before, you even reacted to the message I sent before that so I know you read it. I don't know why you still believe that I want to excuse their misbehaviour. They made a mistake, they should pay for the consequences, but this could have been a neutral From my perspective there shouldn't even have been a mention of the dubious privacy policy, the anti-filesharing attitude, or any of the other issues people have with the company in this thread. The rest I completely and whole-heartedly agree with.
Which I still never argued with. |
|
@Folling Part of the point here is hypocrisy: They make PR with people who sued kids for copyright infringement. That is very much related to the issue at hand. This does not mean that every copyright infringement in for-profit software development is as bad. But still @thesimj should get part of the profits: He allowed gratis use of his library under specific conditions. They did not follow those conditions, so they should be required to buy a license for the time in which they violated his copyright. That should be basic decency and @thesimj shouldn’t have to sue over that. They should directly offer it. That’s for the general case. But there is a bigger issue, which is why I’m pretty angry about this: Back in the days they claimed that every copied song was a lost sale. LimeWire was sued for 75 trillion dollar in damages — yes you read that right — and had to pay 100 Million Dollar after a very fishy court case. The media industry never dropped that claim. They can either drop the claim of imaginary damages, or they can adhere to it themselves. I would actually prefer if they’d drop their claim (or stop working with people who sued children). But until they do that, I’ll hold them to their own standards. … taking a deep breath … EDIT (after taking a few more deep breaths): Also the statement by Smudo linked in a previous post is much more open to change than those of many other people at that time. As I said before: that they license under GPL now is an indication that there are people at the company who actually want to do the right thing. I wouldn’t judge the devs on the ground for what their marketing does. This can be an honest mistake, or a misunderstanding of the license. Just get management to buy a temporary license for the time they were (and will be) in infringement of the gratis license, then move forward. |
multiple people on twitter right after the release, and me myself on gitlab on March 31st (the same day this issue was opened), it took them about a day to fix the header, which was only one clause of the license they broke, and they're still not in full compliance to this date (about 2 weeks after they've been contacted by multiple people), which they're fully aware of but taking their sweet time to fix, since "mirroring from their internal repository" apparently takes upwards of a week (no idea how that's even possible tbh, like by now their code is open, how can they be generating so much to be doctored on each push that fast).
no it just proves i didn't get my point across. which is they did a bad thing and thesimj is well within his rights to enforce said rights, and them being "such an evil company" (especially one owned by people regularly suing over infractions such as this) just means they should've not made this mistake and shouldn't be defended when someone is simply enforcing his own rights against them for a change. i'm not trying to weaponize anything. i might be liking the fact they get a taste of their own medicine because i dislike their business practices sure. but that doesn't mean that thesimj shouldn't give them said taste when well within his rights to do so.
that's the thing though, i'm mentioning those things not (only) to say i dislike the company for its practices, but (also) to make clear why a company that does those things should expect the same level of scrutiny when they're suddenly themselves breaking a law they otherwise use to sue little kids over a downloaded song. if you're quite literally making a living off the copyright law you should be expected to adhere to it yourself. |
|
Relevant reading from the Chaos Computer Club (CCC) here in Germany. |
and others
Hey,
just wanted to let you know that portions of your code seem to be used in the so called "LucaApp" by Culture4Life GmbH without respecting your License. See:
https://gitlab.com/lucaapp/android/-/blob/master/Luca/app/src/main/java/de/culture4life/luca/util/Z85.java
The text was updated successfully, but these errors were encountered: