- Android is an open source operating system, which forces manufacturers to have certain legal responsibilities.
- Chinese manufacturer Xiaomi has a track record of violating the GNU General Public License by not posting source kernels of their devices.
- Will Google have to step in and force the company to comply?
Most Android smartphone users understand that the operating system which powers their device is “open source.” However, for many, that’s where their understanding ends. The legality of open source technology like Android is a mystery outside the geeky inner circle of coders and hackers who make a hobby out of tinkering with the system.
But we can be forgiven for our ignorance because it’s just not our wheelhouse. There’s no reason for us to care. However, for Android smartphone manufacturers, things are different. For them, a deep understanding of the laws governing open source technology is a necessity.
Why is Chinese smartphone manufacturer Xiaomi, the world’s fifth largest, constantly on the wrong side of the law?
For those readers who don’t know the ins and outs of the laws governing Android, here’s a brief synopsis:
- Android is based on Linux, an open-source operating system. Linux is published under the General Public License (GPL), which regulates how Linux can be used, edited, and distributed.
- As well as the Linux kernel, there are lots of other components to Android, most of which are also licensed under an “open source” license. The preferred license for the Android Open Source Project is the Apache Software License, Version 2.0 (“Apache 2.0”), and the majority of the Android software is licensed with Apache 2.0.
- Anyone can download and share the Linux kernel for free. If they edit the Linux code in any way, they can share that too, as long as they make the altered system available for anyone else to freely download. This is because their Linux derivative is still bound to the GPL.
- Since Android is a Linux derivative, it is thus bound by the GPL. Therefore, the Android source code must be freely available to anyone who would like to see it.
- If anyone changes the Android source code, it is also bound to the respective licenses. If that new code is then amended, it is regulated by the same license, and so on ad infinitum.
The Mi A1 is Xiaomi’s very first Android One device. Android One devices run on a nearly-stock version of the operating system, and companies work closely with Google to integrate the software. Google introduced the Android One program to bring some cohesion to the Android user experience across different types of hardware, and the Mi A1 has the distinction of being the first Android One device to launch globally.
But it’s been three months since the device hit shelves, and Xiaomi has yet to post the source kernel.
That infraction of the GPL might be understandable if there weren’t a disturbing trend: it was six months after the releases of 2016’s Mi 5 and 2017’s Mi 6 when their source codes went live. If this trend continues, it will be April 2018 before we’ll see the source of the Mi A1.
How can a company as large as Xiaomi be at odds with the GPL so regularly and not face any consequences?
It was six months after the releases of 2016’s Mi 5 and 2017’s Mi 6 when their source codes went live.
To be clear, there is no ostensible reason for these delays. The Samsung Galaxy S8 and S8 Plus hit store shelves on April 21, 2017. The source code for the devices appeared on April 26, 2017. Five days is a reasonable amount of time to copy a pre-existing file to a website for the public to consume. Six months is not.
This is especially confusing since the Galaxy S8 runs a heavily modified version of Android known as Samsung Experience. Samsung taking some time to post a kernel that is filled with unique code is understandable, but the Mi A1? The code is not much different from the files publicly available right now at the AOSP site, so why isn’t Xiaomi following the rules?
The most obvious explanation for Xiaomi’s playing fast and loose with the GPL is because, generally speaking, there are no repercussions. There have been numerous cases of companies violating their GPL obligations in the past, but offenders have rarely been taken to court over it. In fact, legal action over GPL is practically unheard of in the Android ecosystem. Even if a stakeholder would decide to sue Xiaomi, they would need to do it in China — which has notoriously lax regulations when it comes to intellectual property infringements — India, or one of the other markets where Xiaomi has significant market share. Suing Xiaomi in the US wouldn’t make sense, simply because Xiaomi doesn’t have an official presence there.
Legal action would have to be filed in multiple jurisdictions in order to have a real effect (similar to how Apple and Samsung fought each other in courts from a dozen countries). It can take close to a decade, and millions of dollars, to bring such cases to their final conclusion. And, in the end, the plaintiff would probably not be awarded any damages, simply because it’s hard to prove that the GPL violation caused any financial loss to the plaintiff.
But if Xiaomi wants to come to America (which reps for the company have mentioned several times as being a goal) it might not be able to ignore GPL statutes for long. Under threat of litigation, the Mi A1 code would have to be posted to the public within a reasonable amount of time.
If Xiaomi wants to come to America it won’t be able to ignore GPL statutes.
While the company is focused on China and India though, Xiaomi doesn’t have to worry about abiding by the standards set by their competitors that operate globally. This is unfortunate because the power of the GPL is set by the companies and individuals who uphold it. It may seem alarmist, but it’s a slippery slope from not posting source code in a reasonable amount of time, to not posting source code at all, to then charging people for accessing the code (which companies have tried to do).
Even if you ignore the ethics of non-compliance with the GPL, the safety and security of devices are put at risk when the source code isn’t freely available. One of the significant benefits of open source code is that anyone can go through it to look for issues. Once a vulnerability appears, it can be examined, patched, and that patch can spread. But if users can’t view the source code, security threats could go unmonitored for weeks or even months, putting smartphone owners in genuine danger.
And where is Google in all of this? As the developers of the Android operating system, Google and its parent company Alphabet have a vested interest in making sure Android derivatives adhere to the GPL. But even though the Mi A1 is the first of its kind and a flagship device of the Android One program, Google has yet to comment on Xiaomi’s track record of source code releases, and hasn’t made any public moves to push Xiaomi to release the code.
Ultimately, Xiaomi is a successful brand and will continue to dominate sales in China, India, and other markets, regardless of whether or not it follows the GPL. But if it ever wants to make its mark worldwide, this glaring issue will have to be addressed.
Editor’s Note: Both Xiaomi and Google were contacted for this article, but comments were not available at press time. We will update the article should either company make a statement.