Fwd: GPL-incompatibility of Spotify's libspotify API ToU (was Re: Getting a Spotify Premium account for Amarok)

Bart Cerneels bart.cerneels at kde.org
Mon Nov 12 20:38:52 UTC 2012 

I'm forwarding this to all GPL project that I know are offering
spotify integration.
AFAIKT Tomahawk and Clementine need not worry, Amarok is a member
project of the SFC and hence subject to it's rules. It's not a given
that the spotify-resolver way of complying with the Spotify Terms of
Use is incorrect.
If you have any comments let me know here. I'll make sure they are
forwarded to Bradley and Tony.

I'll make some comments in a followup mail.

---------- Forwarded message ----------
From: Bradley M. Kuhn <bkuhn at sfconservancy.org>
Date: Mon, Nov 12, 2012 at 9:02 PM
Subject: GPL-incompatibility of  Spotify's libspotify API ToU (was Re:
Getting a Spotify Premium account for Amarok)
To: Bart Cerneels <bart.cerneels at kde.org>, amarok at sfconservancy.org
Cc: Tony Sebro <tony at sfconservancy.org>


Amarok Committee,

Bart, Tony, and I discussed the issue with spotify on IRC today.  I
hadn't realized (until today when Bart told me) that a GSoC student had
added support for spotify to Amarok.  Conservancy only became aware of
the issue on 26 October when Bart asked for a spotify account to get set
up for Conservancy.

As it stands, Conservancy is very worried about Amarok offering spotify
support.  Spotify's terms of use for the libspotify API, at
https://developer.spotify.com/technologies/libspotify/terms-of-use-us/ ,
require the following:

     By using any part of the API (as defined below), you (including any
     organization on whose behalf you are agreeing to these Terms of
     Use) (collectively sometimes referred to as "you" and "your") are
     deemed to have accepted these Terms of Use...

     "Application" means an authorized end user downloadable application
     utilizing the API developed by you solely for use by Users to
     access the Service.
     "User" means a registered subscriber to the Service ...
     ...
     3.10 When distributing the Application, you shall require end users
     to agree to an enforceable end user license agreement containing at
     least the following specific minimum terms:

      1. a provision stating that you, and not Spotify, are responsible for
         your Application;
      2. a provision indicating that the API is provided "as-is," without any
         warranties, and that expressly disclaims all implied warranties,
         including the implied warranties of merchantability, fitness for a
         particular purpose and non-infringement;
      3. a prohibition against modifying or creating derivative works based
         on any part of the API;
      4. a prohibition against decompiling, reverse-engineering,
         disassembling, and otherwise reducing the API to source code or
         other human-perceivable form, to the full extent allowed by law...

The "Application" is Amarok (as defined in the agreement, "end user
downloadable application utilizing the API developed by you").  You, in
the agreement, is the Amarok Developers.  "End users" and "the Users"
are the folks that you distribute Amarok to.  3.10.3 and 3.10.4 above
contradict the requirements of the GPL, so the Amarok Project can't
simultaneously meet its requirements under GPL and the ToU.

Now, Conservancy doesn't believe that distribution of source code in
your current spotify branch violates this agreement: it's always been
Conservancy position that the publication of source code for reading is
Free Speech in the USA and publishing source code for people to read is
akin to publishing a poem on your website.

But, definitively distributing a final Application under GPL intending
that the Amarok user will have a seamless experience with spotify/Amarok
integration *would*, in Conservancy's opinion, violate the ToU, or GPL,
or both, depending on one's perspective.  It furthermore can create
similar risk for downstream distributions that package Amarok.

Whether an agreement regarding using an online API would hold up in
court is another question, but Conservancy's risk is nonetheless great,
because the issue of intention matters in Court.  Thus, if Amarok
intends for its end users to use the spotify API, and makes effort
(which you have) for Amarok to support spotify via the API, it's going
to be difficult for Conservancy to argue it was not bound by the ToU
(even *if* Conservancy doesn't create a spotify account).

We'll need to figure out the right solution here.  Conservancy's General
Counsel, Tony Sebro (cc'ed) is going to make an effort to reach out to
lawyers at Spotify, since there some chance this issue is an unintended
consequence of overzealous drafting on their part.  I can't say for sure
if we'll be successful in reaching out to them, but we're trying.  We'll
keep you posted.

In the meantime, I have to ask Amarok not to make Spotify support
official in your distribution.  I realize that might harm your release
schedule and I apologize for that.  Conservancy just didn't have the
lead time necessary to investigate this issue in time for the next
release.  In future, please do send us any ToU and licensing information
for any service/library you want to support as early as possible.
--
Bradley M. Kuhn, Executive Director, Software Freedom Conservancy

More information about the Amarok-devel mailing list