Android and Users' Freedom
by Richard Stallman
First published in The Guardian
Support the Free Your Android campaign.
To what extent does Android respect the freedom of its users? For a computer user that values freedom, that is the most important question to ask about any software system.
In the free/libre software movement, we develop software that respects users' freedom, so we and you can escape from software that doesn't. By contrast, the idea of “open source” focuses on how to develop code; it is a different current of thought whose principal value is code quality rather than freedom. Thus, the concern here is not whether Android is “open”, but whether it allows users to be free.
Android is an operating system primarily for mobile phones, which consists of Linux (Torvalds' kernel), some libraries, a Java platform and some applications. Linux aside, the software of Android versions 1 and 2 was mostly developed by Google; Google released it under the Apache 2.0 license, which is a lax free software license without copyleft.
The version of Linux included in Android is not entirely free software, since it contains nonfree “binary blobs” (just like Torvalds' version of Linux), some of which are really used in some Android devices. Android platforms use other nonfree firmware, too, and nonfree libraries. Aside from those, the source code of Android versions 1 and 2, as released by Google, is free software—but this code is insufficient to run the device. Some of the applications that generally come with Android are nonfree, too.
Android is very different from the GNU/Linux operating system because it contains very little of GNU. Indeed, just about the only component in common between Android and GNU/Linux is Linux, the kernel. People who erroneously think “Linux” refers to the entire GNU/Linux combination get tied in knots by these facts, and make paradoxical statements such as “Android contains Linux, but it isn't Linux.” If we avoid starting from the confusion, the situation is simple: Android contains Linux, but not GNU; thus, Android and GNU/Linux are mostly different.
Within Android, Linux the kernel remains a separate program, with its source code under GNU GPL version 2. To combine Linux with code under the Apache 2.0 license would be copyright infringement, since GPL version 2 and Apache 2.0 are incompatible. Rumors that Google has somehow converted Linux to the Apache license are erroneous; Google has no power to change the license on the code of Linux, and did not try. If the authors of Linux allowed its use under GPL version 3, then that code could be combined with Apache-licensed code, with the combination could be released under GPL version 3. But Linux has not been released that way.
Google has complied with the requirements of the GNU General Public License for Linux, but the Apache license on the rest of Android does not require source release. Google said it would never publish the source code of Android 3.0 (aside from Linux). Android 3.1 source code was also withheld, making Android 3, apart from Linux, nonfree software pure and simple.
Google said it withheld the 3.0 source code because it was buggy, and that people should wait for the next release. That may be good advice for people who simply want to run the Android system, but the users should be the ones to decide this. Anyway, developers and tinkerers who want to include some of the changes in their own versions could use that code just fine.
Fortunately, Google later released the source code for Android 3.* when it released version 4 (also with source code). The problem above turned out to be a temporary aberration rather than a policy shift. However, what happens once may happen again.
In any case, most of the source code of various versions of Android has been released as free software. Does that mean that products using those Android versions respect users' freedom? No, for several reasons.
First of all, most of them contain nonfree Google applications for talking to services such as YouTube and Google Maps. These are officially not part of Android, but that doesn't make the product ok.
Most Android devices come with the nonfree Google Play software (formerly “Android Market”). This software invites users with a Google account to install nonfree apps. It also has a back door with which Google can forcibly install or deinstall apps. This is officially not part of Android, but that doesn't make it any less bad.
You don't want the nonfree apps that Google Play offers, if you value freedom. To install free Android apps, you don't need Google Play, because you can get them from f-droid.org.
Android products also come with nonfree libraries. These are officially not part of Android, but that since various Android functionalities depend on them, they are part of any real Android installation.
Even the programs that are officially part of Android may not correspond to the source code Google releases. Manufacturers may change this code, and often they don't release the source code for their versions. The GNU GPL requires them to distribute the code for their versions of Linux, assuming they comply. The rest of the code, under the lax Apache license, does not require them to release the source version that they really use.
One user discovered that many of the programs in the Android system that came with his phone were modified to send personal data to Motorola. Some manufacturers add a hidden general surveillance package such as Carrier IQ.
Replicant is the free version of Android. The Replicant developers have replaced many nonfree libraries, for certain phone models, and you can do without the nonfree apps. By contrast, Cyanogen Mod (another modified version of Android) is not free.
Some Android devices are “tyrants”: they are designed so users cannot install and run their own modified software, only the versions approved by some company. In that situation, the executables are not free even if they were made from sources that are free and available to you. However, some Android devices can be “rooted” so users can install different software.
Important firmware or drivers are generally proprietary also. These handle the phone network radio, WiFi, bluetooth, GPS, 3D graphics, the camera, the speaker, and in some cases the microphone too. On some models, a few of these drivers are free, and there are some that you can do without—but you can't do without the microphone or the phone network radio.
The phone network firmware comes preinstalled. If all it did was sit there and talk to the phone network when you wish, we could regard it as equivalent to a circuit. When we insist that the software in a computing device must be free, we can overlook preinstalled firmware that will never be upgraded, because it makes no difference to the user that it's a program rather than a circuit.
Unfortunately, in this case it would be a malicious circuit. Malicious features are unacceptable no matter how they are implemented.
On most Android phones, this firmware has so much control that it could turn the product into a listening device. On some, it controls the microphone. On some, it can take full control of the main computer, through shared memory, and can thus override or replace whatever free software you have installed. With some, perhaps all, models it is possible to exercise remote control of this firmware to overwrite the rest of the software in the phone. The point of free software is that we have control of our software and our computing; a system with a back door doesn't qualify. While any computing system might have bugs, these devices can be bugs. (Craig Murray, in Murder in Samarkand, relates his involvement in an intelligence operation that remotely converted an unsuspecting target's non-Android portable phone into a listening device.)
In any case, the phone network firmware in an Android device is not equivalent to a circuit, because the hardware allows installation of new versions and this is actually done. Since it is proprietary firmware, in practice only the manufacturer can make new versions—users can't.
Putting these points together, we can tolerate nonfree phone network firmware provided new versions of it won't be loaded, it can't take control of the main computer, and it can only communicate when and as the free operating system chooses to let it communicate. In other words, it has to be equivalent to circuitry, and that circuitry must not be malicious. There is no technical obstacle to building an Android phone which has these characteristics, but we don't know of any.
Android is not a self-hosting system; development for Android needs to be done on some other system. The tools in Google's “software development kit” (SDK) are appear to be free, but it is hard work to check this. The definition files for certain Google APIs are nonfree. Installing the SDK requires signing a proprietary software license, which you should refuse to sign. Replicant's SDK is a free replacement.
Recent press coverage of Android focuses on the patent wars. During 20 years of campaigning for the abolition of software patents, we have warned such wars could happen. Software patents could force elimination of features from Android, or even make it unavailable. See endsoftpatents.org for more information about why software patents must be abolished.
However, the patent attacks and Google's responses are not directly relevant to the topic of this article: how Android products partly approach an ethically system of distribution, and how they fall short. This issue merits the attention of the press too.
Android is a major step towards an ethical, user-controlled, free software portable phone, but there is a long way to go. Hackers are working on Replicant, but it's a big job to support a new phone model, and there remains the problem of the firmware. Even though the Android phones of today are considerably less bad than Apple or Windows smartphones, they cannot be said to respect your freedom.