THE IMPLICIT BAN ON FREE AND OPEN SOURCE SOFTWARE AND STATUTORY OVERREACH IN THE FCC'S REVISED RF DEVICE AUTHORIZATION RULES.

• Author: Kobryn, Brent

I INTRODUCTION 212 II FCC ISSUES NPRM 215 A The Basis for Public Opposition and Importance of Free and Open Source Software in Wireless Communication 218 B The Revised Rules Defined 221 C Proposed Rules Become Effective: Manufacturers' Responses 229 III PREVENTING OPEN INSPECTION AND MODIFICATION OF CODE DOES NOT ENSURE COMPLIANCE 232 A Software Regulation is Far Outside the Bounds of FCC Authority 236 B An Alternative, Less Restrictive Means of Compliance: Mandating Public Disclosure of Source Code 240 IV CONCLUSION 744 I. INTRODUCTION

The Federal Communications Commission's ("FCC" or the "Commission") rules governing radiofrequency ("RF") device approval and certification are in need of revision. RF devices encompass nearly all major forms of wireless communication today, from smart phones to laptop computers. (1) As radios evolve from analog machines to software defined radios ("SDRs"), the RF ecosystem is in a constant state of expansion. (2) The challenge for the FCC in regulating such a landscape is poised to escalate with the advent of the "Internet of Things," which pulls an increasing number of commonplace objects under RF device classification and FCC jurisdiction. (3)

In 2015, the FCC announced proposals to change the rules covering the process of RF device authorization, fifteen years after their last revision. The Notice of Proposed Rulemaking ("NPRM") contained a slew of revisions to the process, including electronic labeling, modular transmitter certification, and the introduction of a streamlined device self-approval program. (4) Following the NPRM, thousands of comments were filed by individuals and organizations in opposition. The proposals covered the authorization procedures for all RF devices, but public opposition was largely focused on the possible severe curtailment of research and development in Wi-Fi router stability and security - areas significantly led by free and open source software developers, made possible by third-party firmware. While the FCC has expressed that it did not intend to ban free software with its revised authorization procedures, (5) the rules now implicitly impose requirements on manufacturers to employ restrictive measures which can only be achieved through proprietary software--where source code is kept private and in the hands of manufacturers. Undoubtedly, the revised rules will hinder research and development from the free and open source software communities, whose developers have been key in cultivating a field where consumer feedback is virtually non-existent and hardware manufacturers lack economic incentives to provide free and timely upgrades to older models.

As highly analogous to the effects of the proposed rules, the Environmental Protection Agency ("EPA") learned from the Volkswagen emissions scandal that prohibiting third party inspection or modification of code does not ensure compliance with regulatory law. (6) In late 2015, the automaker admitted to utilizing proprietary software, shielded from peer review by "anti-circumvention" provisions of copyright law, in order to cheat EPA emissions testing. (7) The scandal revealed free and open source academics as "prophets" who warned for years that compliance through obscurity is not a practical model. (8)

The FCC's endeavor to regulate in the RF ecosystem is necessary. The revised RF device authorization rules, however, will not ensure compliance, but rather will hinder the research and innovation that has shaped the wireless industry for decades. The Commission is also at risk of overstepping its statutory authority, as its proposed rules creep outside the bounds of regulating the RF spectrum and attempt to impose requirements directly on software and hardware components plainly outside the Commission's reach. Alternatively, the most effective way for the FCC to uphold both its statutory duty in providing "rapid, efficient" wireless communication (9) and ensure RF compliance is to mandate public disclosure of RF device source code, which will enable public inspection and scrutiny.

Part II of this Note explores the background of the revised rules, their stated purpose, the basis for public opposition, and details how the rules encourage manufacturers to prohibit free and open source software. Part III draws an analogy to the Volkswagen emissions scandal in which the EPA learned that inability to inspect software's source code does not ensure regulatory compliance, questions the FCC's authority in imposing technology design requirements, and argues for an alternative regulatory scheme based on public disclosure.

2. FCC ISSUES NPRM

   On July 21, 2015, the FCC released an NPRM to update the rules governing the evaluation and approval of RF devices. (10) In order to "meet the challenges of an RF equipment ecosystem that has significantly expanded," the proposed rules would be the first significant change to the FCC's RF equipment authorization procedures in fifteen years." RF devices are defined as "any device which in its operation is capable of emitting radiofrequency energy by radiation, conduction, or other means." (12) Virtually all forms of wireless communication, including cellular phones, personal computers, and wireless routers use RF energy to send and receive signal. (13) The range of equipment falling under the classification of RF devices is expanding yet even further under the Internet of Things, where ubiquitous objects from household appliances to traffic lights are communicating wirelessly. (14) As FCC Commissioner Jessica Rosenworcel acknowledged in the NPRM, "[w]ith the Internet of Things around the bend, we are on the brink of a whole new world of connected wireless devices." (15)

   Through its proposals, the Commission aimed to "enable innovation" in RF device usage and development "by providing a clear path for products to demonstrate compliance with the FCC rules so that they may be brought to the market expeditiously." (16) Specifically, the FCC explained that the rule changes would:

   Combine two separate product approval programs--Declaration of Conformity and verification--into one product self-approval program; Codify and clarify the provisions for certification of modular transmitters--including those in products used for [FCC] licensed radio services--and for radios where the RF parameters are controlled by software; Clarify responsibilities for compliance when a final product may be comprised of one or more certified modular transmitters; Codify existing practices that protect the confidentiality of market-sensitive information; Codify and expand existing guidance for electronic labeling; Eliminate unnecessary or duplicative rules and consolidate rules from various specific rule parts into the equipment authorizations rules in Part 2; and Discontinue the requirement that importers file FCC Form 740 with Customs and Border Protection for RF devices that are imported into the United States. (17) Following the NPRM, interested parties were asked to submit comments on proposed rules. (18) The proposals, by and large, were welcomed by manufacturers and developers. Companies such as Cisco, for example, lauded the FCC's "efforts to streamline its equipment authorization process." (19) Sony "strongly supported]" the proposed supplier's declaration of conformity procedure and allowance of electronic labeling. (20) Still, thousands of comments were fded in opposition to the proposed changes to the certification process covering devices with software-based capabilities. (21)

   The most prominent criticism of the NPRM came from Vint Cerf, co-inventor of the Internet. (22) Writing alongside the Free and Open Source Software Community ("FOSS") and the Internet Engineering Task Force ("IETF"), the comment posed a straightforward request: "If the Commission does not intend to prohibit the upgrade or replacement of firmware in Wi-Fi devices, the undersigned would welcome a clear statement of that intent." (23) OET Chief Engineer Julius Knapp responded in an official blog post that that the FCC "would like to make it clear that the proposal [was] not intended to encourage manufacturers to prevent all modifications or updates to device software." (24) He further stated that the FCC was not "mandating wholesale blocking of Open Source firmware modifications," but instead was seeking to require manufacturers to ensure that wireless routers or other RF devices could not operate outside of their authorized frequencies. (25) His post, as will be discussed below, was not advocating for any official rewording of the proposals.

   1. The Basis for Public Opposition and Importance of Free and Open Source Software in Wireless Communication

      The RF device authorization rules cover all RF devices, but much of the public criticism was directed toward their effect on wireless, or Wi-Fi, routers. Free and open source (26) software developers and researchers were concerned that the Commission's rules would "prevent the installation of traditional free and open source wireless firmware (27) such as OpenWrt." (28) The FOSS and IETF comment undersigned by Cerf cited studies that found numerous popular consumer routers shipped with vulnerable firmware at the time of FCC certification. (29) Due to limited consumer feedback in the router market, however, vendors and manufacturers have little to no information or incentive to remedy these issues. Organizations like FOSS and IETF have picked up the slack "by releasing standards-conformant router software to the public." (30)

      The most significant projects impacting Wi-Fi router security and efficiency run on free and open source software. The CeroWrt project, (31) for example, was key in combating the "endemic" problem of "bufferbloat," or the undesirable decrease in performance from home routers transmitting large amounts of data. (32) One of CeroWrt's greatest achievements has been the implementation of the CoDel algorithm (33)--which delays data packets in...