Did Boxee Violate the GPL?

An open source advocate has alleged that Boxee and D-Link are violating the General Public License (GPL) with its Boxee Box, but Boxee has responded, saying that the code at the heart of the controversy was never used and has since been removed.

Allegations that Boxee is violating the open source license surfaced on Monday, with a website called Infityoverzero.com detailing a test that seems to indicate the inclusion of code licensed under GLP v3 on the device.

Boxee is based on the open source XBMC project, and the company has been making some of its source code available online. However, the software used on the Boxee Box also contains DRM protection to secure video services from companies like Netflix (s NFLX) and prevent users from tinkering with the installed software. “Boxee has included cryptographic controls to block you from using your software on the Boxee Box. Both D-Link and Boxee refuse to release the key files required to pass these checks,” writes the author of Infitiyoverzero.com.

This wouldn’t necessarily be a problem if Boxee had used open source software licensed under the GPL’s version 2, or an even more liberal license. However, GPL v3 contains specific language that is meant to deter companies from locking down devices — a practice that the Free Software Foundation has dubbed Tivotization. The FSF explains it this way:

“Tivoization is a dangerous attempt to curtail users’ freedom: the right to modify your software will become meaningless if none of your computers let you do it. GPLv3 stops tivoization by requiring the distributor to provide you with whatever information or data is necessary to install modified software on the device.”

Infinityoverzero.com tested for GPLv3 code by establishing a telnet connection to the device and then looking at the version of GPG, a cryptography tool. Turns out the version included with the Boxee software that shipped with the device is licensed under GPL v3. However, Boxee now says that the tool “was erroneously included — but never used, and we subsequently removed it from the Boxee Box software.” Boxee co-founder Tom Sella added in a blog post that the company has put a new process in place to avoid future mistakes like these and audit all of its existing open source software components.

This isn’t the first time Boxee’s CE hardware ambitions have faced a backlash. Some users took issue with the new UI as soon as the Boxee Box was released, and others have complained that not all of the promises made about the device have been met. Sella said that the controversy had a lot more to do with the some of the compromises the company has had to make.

“We had always hoped that the Boxee Box would be able to run XBMC, enable old-school emulators, and make breakfast in the morning”, he wrote, adding: “But it quickly became clear that to release a device with premium content, we’d need to put strict security measures in place. Lose the security requirements and lose access to some of the Boxee Box’s most popular content.”