An EU regulation may make it impossible to install a custom piece of software on most radio devices like WiFi routers, smartphones, and embedded devices. It requires hardware manufacturers to implement a barrier that disallows users to install any software which has not been certified by them. This has negative implications on user rights and Free Software, security, fair competition, the environment, and charitable community initiatives.
The origin of these issues lies in one article of the Radio Equipment Directive (2014/53/EU) which was passed in 2014. Although the directive is already implemented in the member states' national legislations, the problematic Article 3(3)(i) is still on hold and subject to exact definition.
[R]adio equipment [shall support] certain features in order to ensure that software can only be loaded into the radio equipment where the compliance of the combination of the radio equipment and software has been demonstrated.
– Radio Equipment Directive, Article 3(3)(i)
The article requires that device manufacturers check all software which can be loaded onto the device regarding its compliance with applicable radio regulations (e.g. signal frequency and strength). Until now, the responsibility for compliance lay with users if they modified something, no matter if it was related to hardware or software. This shift of responsibility sounds convenient for users but in fact takes away the ability to control this important technology. It gives the device manfacturers the control over the choice of software which can run on their devices.
Since 2015, the FSFE has been working on raising awareness among the public, industry, and political decision-makers, and contributing expertise to limit the negative outcomes of this article. Many organisations and companies signed our Joint Statement against Radio Lockdown in which we formulated several proposals to EU institutions and EU member states with concrete steps to solve these issues.
By default, almost all devices which can send and receive radio signals fall under this directive. For instance, WiFi routers, mobile phones, bluetooth chips in computers, GPS receivers, and so-called "smart devices" in households. But the European Parliament asked the European Commission to adopt a so-called Delegated Act in which they define the classes of devices which shall fall under this regulation.
In turn, the European Commission has installed an Expert Group, mostly consisting of member states' public agencies, to come up with recommendations. Unfortunately, as of June 2019, the majority of the group intends to make broad and diffuse device categories like "Software Defined Radio" and "Internet of Things" a subject of radio lockdown.
First of all, the scope is immense. Radio devices are everywhere and increasingly many devices connect using wireless and mobile networks. The influence of this technology in our daily lives continously grows. Therefore, it is more important than ever to ensure that users are not restricted. But Article 3(3)(i) does not enforce only a certain security measurement, but drastically limits the control that customers have over the technology they own.
For each of the following areas, we see a number of issues caused by Radio Lockdown, as we explain in the following.
To control technology, we have to be able to control the software running it. This only is possible with Free Software. So if we want to have transparent and trustworthy devices, we need to make the software running on them Free Software. But any device affected by Article 3(3)(i) will only allow the installation of software which has been authorised by the device manufacturer. It is unlikely that a manufacturer will certify all the available, perfectly legal software for its device. This turns manufacturers into gatekeepers, and with their particular interests they may make it more difficult to use Free Software on radio devices.
A large number of radio devices uses Free Software such as GNU/Linux, the GNU C Library or Samba which are licenced under the popular GNU GPL, LGPL or AGPL licences. The Legal Study on the Radio Equipment Directive's Potential Ramifications for FOSS by the renowed lawyer Dr. Till Jaeger found that Article 3(3)(i) is incompatible with the licence conditions of GPL-3.0, LGPL-3.0 and AGPL-3.0 and probably more Free Software licences like GPL-2.0 and LGPL-2.1:
It can be stated that widely used Free and Open Source Software programs as GNU/Linux, GNU C Library and Samba will not be able to be used in products which fall into the scope of Art. 3(3)(i) RED if the delegated acts of the European Commission do not provide for a limitation. Otherwise, the manufacturer would risk a copyright infringement since any violation of the license conditions of the GPL and LGPL results in an automatic termination of the rights granted.
This would put manufacturers using components under these licenses into a dangerous position. On the one hand, they have to set up a software lockdown on their devices, on the other hand they illegally breach the licence terms.
Radio equipment like smartphones, routers, or smart home devices are highly sensitive parts of everyday life today. Unfortunately, many manufacturers sacrifice security for lower costs. For many devices there is better software which protects data and still offers equal or even better functionality. Users have to be able to protect themselves by installing safer and well-maintained software. But if certain manufacturers do not even care for security, it is unlikely that they will run a costly certification of third-party software.
If customers don't like a certain product, they can use another from a different manufacturer. New competitors can access the market to convince customers with better features. But Article 3(3)(i) favours huge enterprises as it forces companies to install software barriers and do certification of additional software. For example, a small and medium-sized manufacturer of WiFI routers cannot certify all available Free Software operating systems and their different versions. Also, companies bundling their own software with third-party hardware will run into problems. On the other hand, large companies which don't want users to use any other software than their own will profit from this threshold.
The life cycles of radio devices like mobile phones and routers continuously decrease. From a security perspective, there are only two options for a device which does not receive any vendor updates any more: install another firmware which still receives updates, or throw the whole device away. From an environmental perspective, the first solution is much better. But manufacturers do not have an incentive to certify alternative firmware for devices they want to get rid of.
Charitable initiatives like Freifunk, Funkfeuer, Ninux, or Guifi depend on third-party hardware which they can use with their own software for their charity causes. They create innovative solutions for the public with limited resources. At the same time, they are dependent on devices which they can use with their own, individually adapted software.
Although organisations like the FSFE are continously fighting to limit the negative consequences of Radio Lockdown, we need your help! Here are a few proposals for contributing to our common efforts: