No, the FCC didn't help free software

Eric Schultz // Aug 2, 2016

This post is solely my opinion and doesn't represent the position of anyone but myself.

Today, the FCC announced a settlement with TP-Link over violation of FCC regulations on Wifi radio security. As part of this, the FCC required TP-Link to allow open source software to be installed on the router. This addresses a complaint in the OpenWrt community that TP-Link had restricted modification of their routers in order to comply with FCC regulations on Wifi security. But did the FCC actually help the free and open source software community? Sadly, the answer is "no."

The agreement

To understand why, let's look at what the FCC actually did. To do that we need to read the settlement agreement with TP-Link. On page 5, the FCC orders TP-Link to engage in a set of actions within 60 days. In item iv, TP-Link must:

... investigate for certain of its router models the development of U-NII security solutions that would allow for the use of third-party firmware with its devices while meeting the Commission’s U-NII security requirements and maintaining the integrity of critical radio parameters.

Remember, the U-NII security requirements are the problem for open source.

Item iv continues:

As part of this effort, TP-Link, working with TP-Link Technologies CO., Ltd., will cooperate and share information with interested developers of third-party software and chipset manufacturers.

This sounds really good at first. TP-Link will work with open source developers to make software work on TP-Link routers... Except...

Nothing in the foregoing is intended to limit or affect the ability of TP-Link or TP-Link Technologies CO., Ltd.: (a) to assess, including by requiring demonstration by any such third-party software developer, whether the developer’s proposed designs will prevent access to the frequency or power level protocols in TP-Link devices and otherwise comply with the U-NII security requirements, and (b) to select, in its sole discretion, particular chipsets, that it will use in the manufacture of its devices. (emphasis mine)

TP-Link is empowered to guarantee that anyone it provides information to will uphold the U-NII security requirements. There's a problem: Third-party software isn't legally required to comply with U-NII security requirements; that's only a requirement on manufacturers. In effect, the FCC is trying to do something through a settlement agreement that they can't do through law: regulate what ALL software can do if it interacts with radio devices.

The results

So why is the FCC announcing this? I think they wanted to show off that they really care about open source software because they've looked bad over the past year. TP-Link locking access to the router software to comply with the U-NII requirements confirmed what the free software community was concerned about all along. The FCC couldn't politically allow devices to continue to get totally locked down so they found a "fix": Instead of punishing TP-Link to the fullest extent of the law, they decided to use the leverage of greater financial penalties to deputize them into what can only be a DRM-like radio software regime.

Ultimately, the FCC did what they've been doing multiple times in this process: say they care about free software while ignoring the problem of their policies. The FCC's policies require companies to, at worst, lock up all of the router's software or, at best, parts of router software. This will inherently ban legal use cases of the software and require all of us to run untrusted and dangerous software on our devices. If we can't run software that we can control, then the FCC is allowing someone to make a decision for us. If this software is compromised at the radio level, then the FCC gives us little choice to fix the problem. Considering that almost all electronics are made in China, a country notorious for industrial espionage, this endangers the privacy of individual Americans and puts American companies at financial risk. Individuals and companies must have the power to protect ourselves from cyber-criminals; the FCC's policies prevent us from doing so.

The FCC has failed to provide examples of users installing free software on their devices and being a danger to others by causing interference. Ironically, the FCC's settlement with TP-Link shows there's a much greater danger to users and the radio spectrum: low-quality, manufacturer-provided software.

This settlement gave me an idea about a policy compromise that might meet the community's and FCC's interest.


If you'd like to share your opinion, please email or tweet me.