Setting the Record Straight on OSS v. Perens - Background

February 7, 2020

Company Background

Open Source Security, Inc. was formed in 2008 initially to handle donations related to the grsecurity project, an open source project started in 2001 and freely (in all senses) available to the world until at least 2015. In 2015 we made our stable patches available to paid customers only via our website, a right granted by the GPL. At the time, we still had a test patch freely (in all senses) available. In April of 2017 we stopped providing the test patches to the general public.

A Troll's Revenge

Only a few months after this, a notorious Internet troll who had used grsecurity in the past and been banned from our forums for misogynistic comments was apparently upset at having his access cut off completely (after previously being denied access to the stable patches in 2015), and came out of hibernation to extend a private and public campaign to get revenge. This campaign continues even today, with posts to LKML, various distribution mailing lists, and posts and comments on Slashdot, Reddit, and other news aggregators. This person poses under various names, usernames, and email addresses, but most recently poses as a legitimate lawyer claiming the GPL can be rescinded. The emails come from @redchan.it, @airmail.cc, @firemail.cc and other anonymous mailing services with usernames like "aconcernedfossdev", "visionsofalice", "gameonlinux", "nisus", "agentoranger", "whywontyousue", "nipponmail", and "unconditionedwitness". Most commonly, the email subject regarding us includes: "Why will no-one sue GrSecurity for their blatant GPL violation?" or "Yes you have standing to sue GRSecurity." In many instances, due to the changing names and email addresses, readers are unaware this is the same "MikeeUSA" troll, a self-professed misogynist and pedophile, that had been harassing and issuing death threats to women in Open Source for years.

But the anonymous troll wasn't able to inflict the kind of damage he wanted to achieve alone. People saw an unstable individual mixing misogynistic comments with nonsensical legal theories, making it clear he was not an expert and his comments had no basis in reality. To inflict the damage he wanted, he'd need to enlist the help of someone the public trusts and views as an expert on license compliance matters, so that it'd be accepted as fact by the public. So in private, he contacted various influential people (including Richard Stallman, Eben Moglen, Bradley Kuhn, and Bruce Perens) involved in Free Software/Open Source in an attempt to bait them into accepting and repeating his claims and wild legal theories as true. The troll did this because some of the same people had apparently indulged him when he contacted them previously in relation to his harassment of women in Open Source. This time, none of them took the bait, except for Bruce Perens.

Perens' Collaboration

Perens rushed to create a blog post, as he believed he has "publicity as a tool" and felt that his post would have "the desired effect" of preventing companies from doing business with us. At no time did Perens ever contact us. By his own admission, he had not even seen our subscription agreement. All he had was the claims of this Internet troll, despite claims of "reliable witnesses" (witnesses he never provided any proof of in court and which we have asserted do not exist). Perens himself even removed mention of the "reliable witnesses" in a revised version of his blog.

Perens' blog post was submitted to Slashdot with the title "Bruce Perens Warns Grsecurity Breaches the Linux Kernel's GPL License" by an 8chan user whose only other submission was the claims of the Internet troll (it is possible the user is the troll himself), only that previous post didn't get any traction. With Perens lending credibility to the troll by effectively parroting his claims (something the troll gleefully later bragged about), the story quickly hit the Slashdot front page and was spread worldwide nearly instantly onto other major "news" sites and even translated into other languages.

Below is a full reproduction of three of MikeeUSA's 8chan posts from 7/15/17 (roughly a week after the Slashdot article), where he credits himself for causing Perens to create his blog post. He mentions his strategy of mailing people directly in addition to the mailing lists (which generally quickly ban him), as it causes his messages to appear in quoted replies whenever anyone he baited replies to the mailing list. He also mentions he was talking to Perens for over a week, that he "see[s] some of the language from [his] emails in Bruce's post", but that Perens suddenly stopped talking to him (presumably after he realized the identity of the "lawyer" he had been talking with and that he had been duped):

Do you think someone tipped him off that I feel that Hans Reiser did nothing wrong, and that I support the book of Deuteronomy, especially Deuteronomy chapter 22 verse 28-29 (as written in Hebrew) and am in favor of men taking young girls as brides (as allowed by the God of the Old Testament) am not a fan of women's rights, etc?

He was listening to me (for over a week), posted this: https://perens.com/blog/2017/06/28/warning-grsecurity-potential-contributory-infringement-risk-for-customers/

after my explanation of the law

which became this slashdot story (in which he comments):

https://linux.slashdot.org/story/17/07/09/188246/bruce-perens-warns-grsecurity-breaches-the-linux-kernels-gpl-license


And then suddenly an hour or two ago, poof,

These are the people that were cc'd Cc rms@gnu.org, debian-user@lists.debian.org, Eric Raymond, moglen@columbia.edu


Which one do you think caused this?

I suspect ESR myself... Your thoughts?

Do you think he'll now issue a retraction of his article, even though my understanding of the law is correct?

This was in a conversation directly with Bruce Perens with the debian list, RMS, etc Carbon Copy'd.

(I always do that because even though my emails are blocked within a day, my messages still get through in the > 'd replies and thus the conversation is backed up even if I lose access to the mail.)

He was talking to me for over a week and listening to my legal advice.

This induced him to write this: https://perens.com/blog/2017/06/28/warning-grsecurity-potential-contributory-infringement-risk-for-customers/

Which was then posted to slashdot as: https://linux.slashdot.org/story/17/07/09/188246/bruce-perens-warns-grsecurity-breaches-the-linux-kernels-gpl-license

I see some of the language from my emails in Bruce's post (maybe we should archive.is it in case whatever caused him to stop talking to me suddenly...)

(Also I was also talking to the free software conservancy, RMS was talking to Bruce also due to my efforts, etc.)

https://archive.fo/g9n3g

I also sent him the Stable Patch Access Agreement from GRSecurity as a PDF, which he didn't have before, where they put it in writing:

>"Notwithstanding these rights and obligations, the User acknowledges that redistribution of the provided stable patches or changelogs outside of the explicit obligations under the GPL to User's customers will result in termination of access to future updates of grsecurity stable patches and changelogs."


Which he then used to argue against grsecurity's position in the slashdot comments.

So: I explained the law to everyone that I could.
I explained how GRSecurity is violating the terms of the license grant from Linus and the rest.
I explained surrounding areas of law (verbal agreements, course of business dealing, adding terms that way)... and then it was discovered that GRSecurity put their additional restrictions in writing so I:
Supplied Bruce with that material too.

MikeeUSA further bragged (in the third person) in an anonymous post on another site that Perens parroted his claims and caused people to believe them as facts, essentially praising Perens for enabling him:

Before Bruce Perens published his article, everyone was saying MikeeUSA's analysis was wrong.
You might notice that Bruce Perens' article has the same rhyme and meter, in places, as MikeeUSA's emails to Bruce Perens (which can be seen on the public debian mailing lists) on the issue from a week prior to the publication.

Only after Bruce Perens published the points MikeeUSA made did anyone* in the opensource community acknowledge its correctness. Most laughed at MikeeUSA claiming he was neither a programmer nor a lawyer, and then repeated their own argument about since the additional term is not penned into the very text of the GPL file all is kosher.
They also said that no one who likes cute young girls and accepts (Devarim chapter 22, verse 28, hebrew) child marriage of girls as fine, could ever have the mental capacity to be a programmer or attorney.

*Other than other lawyers.

The claims in MikeeUSA's post are remarkably similar to Perens' first blog. In it, he cites as evidence supposed "witnesses" that have dealt with us. The first was not a customer, but someone who was unhappy about receiving a quote for their Russian hosting company that was beyond their means. The second "witness" was someone simply mentioning that they worked for a human rights organization that was getting its grsecurity patches from a customer of ours, and that they had made some agreement with that customer. We don't know who this individual is, but it's clear both that we did not prevent this third party from being able to receive the patches and that we have no involvement in any kind of agreement they created among themselves. MikeeUSA's posts also refer to "no-redistribution agreement[s]", and similar to Perens' post, say that "[i]f the customer redistributes the derivative works they are punished." In fact, MikeeUSA, in his campaign that continues today, continues to cite Perens' post to add additional credibility to himself, and references threads he created under different aliases to create the impression that there's a large controversy being discussed. One such example is presented below:

On 07/29/2017 07:53 AM, nisus at redchan.it wrote:
> ( NOTE: If you would like to read on how your copyright is being violated by
> GRSecurity, Bruce Perens posted a good write-up on his web-page )
> (
> perens.com/blog/2017/06/28/warning-grsecurity-potential-contributory-infringement-risk-for-customers/
>   )
> ( There was also a discussion on the linux section of slashdot, and on the
> debian user mailing list, and on the dng devuan mailing list and on the
> openwall mailing list and the fedora legal mailing list )

Since MikeeUSA's post is what was distributed to Richard Stallman, Eben Moglen, Bruce Perens, and others, we strongly believe the above non-witnesses are in fact Perens' "reliable witnesses" -- random, anonymous comments on the Internet relayed through an anonymous troll. Given that Perens removed all mention of "reliable witnesses" in his updated post, it's likely he too recognized it was false. We also know that after the initial blog post was published by Perens, MikeeUSA continued to collaborate with Bruce Perens by providing him with a copy of a subscription agreement of ours that was available online at the time.

Regarding the sole source of his claims, Perens later in 2018 stated the following, based off continued email conversations with the troll:

The fellow spreading this story that you can "rescind" code is more commonly known as MikeeUSA, a misogynist and general nutcase. In one email, he complains that because of people like me, the law doesn't allow him to marry very young girls. I mean single-digit young. He claims to be an attorney but nothing he has written makes me think he is.

Perens also later said about the same troll that duped him:

He's a really skilled and effective troll. He's entirely roped in a whole bunch of people who should have known better (I didn't recognize him at first either)

Our Perspective on the False Statements

From our perspective, we had been publicly accused of a crime, citing witnesses that did not exist, from someone who had not even seen our subscription agreement, who while not a lawyer or even a college graduate, charges high rates for his supposed license compliance expertise. Our goal, regardless of what's been claimed, was not to stifle free speech, nor to engage in any kind of conduct anti-SLAPP statutes were ideally designed to prevent. On the contrary, we believed that having been effectively accused of a crime (willful copyright infringement in this case for financial benefit), we had the right to defend ourselves in court against the false allegations. Indeed, if we felt Perens' statements weren't 1) made recklessly or knowing they're false, 2) causing tangible financial and reputational damage, and 3) explicitly or impliedly asserting a false fact about us, we would have never brought suit, just as we've never brought suit against any other individual with a misinformed opinion about us.

Perens justified the fact that he didn't bother contacting us before making his post, because "others in the community had already made contact and been rebuffed." What Perens left out was that neither the SFC, FSF, nor any other remotely credible source had ever contacted us about our subscription policies, nor have they ever contacted us since Perens' posts. The only individual who had been rebuffed by us was an anonymous troll (presumably MikeeUSA), who after removal of the test patches from our website, had sent repeated emails to us demanding copies of them, contrary to the rights granted by the GPL and plainly referenced on the GPL FAQ.

In Perens' posts, there was no mention that such legally uncontested subscription policies are commonplace in the industry and in use for at least two decades. We were made out to be an outlier, a thug. The post didn't deal with the spirit of the GPL, but rather the letter of it, and asserted it explicitly contained terms that it did not. His post didn't discuss subscription policies in general, but was directed specifically to our customers, whom he additionally accused of being liable for contributory copyright infringement by virtue of being customers of ours, going as far as inviting their legal counsel to discuss the matter with him under NDA. In previous instances where it was our own code that had its GPL license violated by larger companies, we were advised by legal counsel at the time to not mention their names in public lest we potentially be subjected to a defamation suit (regardless of validity).

Important too for us was that Perens claimed we had a "redistribution prohibition". This is completely false, and is what we believed helped produce a false impression of our subscription agreements in the reader. An actual prohibition would both be a violation of the GPL and would obviously also rule out customers using grsecurity in products. The false statement also made it appear that we force our customers using grsecurity in a product to violate the GPL themselves. This is in contrast to our clear statements to customers in email, in the subscription agreement, and on our website. On our website, we mention that grsecurity is GPLv2 and that anyone using grsecurity in a product they purchased must be provided with the complete corresponding source for the Linux kernel binary used in the product. In email, one of the first things we mention is that we require GPL compliance as a condition for becoming a customer. In our subscription agreement, it states explicitly: "The User has all the rights and obligations granted by grsecurity's software license, version 2 of the GNU GPL." There is no prohibition present whatsoever.

Conflict of Interest and a Profit Motive

We were also very concerned about the conflict of interest and potential for abuse of Perens' position in a for-profit business related to license compliance. One of the first pieces of advice we were given, in fact, was to pay Perens to not talk about us, and that this was commonly done in business. That didn't sit right with us at all. It was also clear to us from Perens' post and his public comments and emails that he saw his post as a way to achieve the same results as an actual court case, without the presence of an actual court case where the accused could defend himself, because he had "lost patience" in the failure of other organizations to bring GPL lawsuits and that it was "more effective than writing to the company."

We wondered what kind of message his post sent to other people, since it effectively advertised his license compliance services. To the best of my knowledge, he hasn't made any similar accusatory posts about current or former customers of his, making it seem like the message was to pay him money or else have your reputation ruined as he did ours in a few hours. We thus felt that the attack on us was seen as an opportunity by Perens for self-promotion and to drum up more business for his compliance services. In Part 2 of our blog, we demonstrate why we had good reason to believe this, based on Perens' documented past behavior.

As Bradley Kuhn noted elsewhere in a mail to Perens in 2017:

Bruce, you've admitted publicly on this thread something that I've known for some time: at least part, if not all, of the revenue to your business comes from corporate clients that violate the GPL. You've even been the violator's representative party that I've negotiated with in past violations. I can't very well reach out to you about third-party GPL violations, given your business.
While I'm glad that you take your job seriously and seek to get your clients into compliance when they violate, it also means you'll face difficulty because you simultaneously seek to be a violator-paid fixer *and* an advocate for the software freedom of copyleft software users.

Lawsuit Background

Based on our knowledge of the actions leading up to Perens' reckless and false post, the damage it caused to the business, and the clear evidence we saw of the public accepting Perens' words as facts, we prepared our evidence and brought suit for Defamation and Intentional Interference with Prospective Relations against Bruce Perens and anyone he collaborated with in creating the post (including the Internet troll, here a John Doe as his identity is not known and he uses anonymous mailers and Tor for his trolling activities). The magistrate judge (and later the Appellate Court) declared Perens' post pure layperson opinion, even though Perens asserts himself as an expert in GPL compliance, educates lawyers on the topic, has a business around license compliance, and reportedly charges high rates for his supposed expertise. If Perens lived in a different state, or wasn't defended by the same law firm that successfully defended Enron, it is likely the outcome would have been entirely different.

The validity of Perens' claims is easy to refute with common sense. A user has no more of a right to future work than they do to support or warranty. If discontinuing business relations is an "additional term" on the GPL, then so is a company's policy to not provide support for modified Linux kernels (modification is a right provided by the GPL) or to not honor a warranty on a phone if it has been rooted or otherwise modified. Since the first case alone describes virtually all distributions and the Linux kernel developers themselves, either everyone in the world is violating Perens' version of the GPL, or Perens is obviously incorrect and the developer exercising their own rights related to additional or future services isn't adding an "additional term" or violating the GPL. A user who modifies their kernel and then fails to receive support for that modified kernel was clearly not prohibited or prevented in any way from making the modification. If every developer were on the hook for supporting any modification a user made to GPL'd code, simply because the GPL'd code was provided to them, there would be no software developed under the GPL at all today.

Let's look at another example from the opposite direction, which also demonstrates how little the general public understands of the GPL — even those regarded as leaders. Linus Torvalds has been consistent over many years that the GPL to him says that "If you make changes, you have to send the changes back to me." These statements of his have been publicized widely, and he's repeated them many times at conferences. But this is adding demands to the GPL — there exists no requirement in the GPL that someone making changes contribute those changes back, something the current Vice President of the FSF pointed out to Torvalds directly back in 2007: "I'm afraid that's not what the GPLv2 says. There's no provision whatsoever about giving anything back. Not in the spirit, not in the legal terms."

Under Perens' interpretation, since Torvalds has made his demands public, this too would be considered an added term to the GPL, causing Torvalds himself to be a GPL violator. Indeed, there have even been punishments for those who haven't met Torvalds' interpretation of the GPL — public shaming for not making effort to split up outside work and contribute it upstream. Perhaps in large part due to people like Torvalds, this misinterpretation of the GPL is common among many today and created a sense of obligation that isn't required by the license. But expressing what one would like (changes back) or notifying others how one will exercise their own rights (cutting business ties) is clearly not a modification of the license itself. If it is, then Torvalds himself would lose the ability to redistribute work containing our registered copyright in the Linux kernel as well.

It is important to make clear: we lost the case purely due to California's specific (and in our opinion, overly-broad and unfair) anti-SLAPP statute. Our case involved defamation alone. The findings of the court were simply that, as Perens solely argued, his statements were only a matter of opinion, that his statements could not be proven either true or false. The court did not therefore even broach the topic of the validity of Perens' claims, as would have happened during a jury trial. In the Court's view, they did not amount to a false defamatory implication under a totality of circumstances test. The Court claimed, contrary to the evidence on record, that the readers of Perens' posts wouldn't have relied on his expertise in forming their own opinion on the matter. They claimed all the facts had been fully disclosed, even though Perens' first post (the one most people actually saw), did not link to the GPL itself, and cited unnamed but "reliable witnesses". We had requested a jury trial to present all of our evidence, including evidence we discovered after our initial briefs were submitted, but a loss via the anti-SLAPP statute prevents any such trial from occurring, including any form of discovery, and no new evidence can be introduced during appeal.

The district court made its decision despite the fact that we see all the examples of people claiming as fact we're violating the GPL continuing to this day, having it listed on our Wikipedia page, having the license of grsecurity stated as "GPLv2 with restrictions" as if it were a fact, with the sole evidence being "because Perens said so". We appealed the decision, and lost again in appeals court, despite our case having strong case law behind it. The only thing that mattered to the court was that the GPL says "You may not impose further restrictions on the recipients' exercise of their rights granted herein" and that we have a subscription agreement. These are the only "true facts" that are now being referenced regarding the case, misleading people into believing that there were other aspects of what Perens claimed that were actual true facts. Because, according to the court, any outrageous claim can be made to connect those two separate facts, no other details mattered.

The Appellate Court was clear in its ruling that when it comes to any legal issue, unless you have already been brought to court on the issue and ruled unequivocally innocent, anyone, regardless of their position of authority, can assert you are violating the law. Regardless of how that is perceived by the public, it will be declared mere layperson opinion. The Catch-22 here is that actual lawyers know our subscription policies are not in violation of the GPL and will never bring suit, giving FUD-spreaders like Perens perpetual license to abuse the public's trust and their position of authority to make false claims about small companies that dare to exert the same fundamental rights that billion dollar corporations have exercised with impunity for decades when it comes to the GPL.

For more information about Bruce Perens' history of FUD and profiting off it, see Part 2 of our blog post here: https://grsecurity.net/setting_the_record_straight_on_oss_v_perens_part2.
For more information on what we think the implications of our experience are on the stewards of the GPL and the community at large, see Part 3 of our blog here: https://grsecurity.net/setting_the_record_straight_on_oss_v_perens_part3.

For those who believed the opinions of a layperson reflected facts, please see this article from an actual lawyer regarding the GPL and subscription policies with conditions on providing future services or support: https://www.clfip.com/ip/blog/the-gpl-and-a-condition-on-providing-future-versions-or-services/