UPDATE 01/30/2018, 9:55 A.M. EST: Today, Xiaomi posted the kernel source code for the Mi A1. It looks like this article, others like it, and most importantly the passionate comments and discussion by the Xiaomi user community have forced Xiaomi’s hand. This is a consumer win, and hopefully future Xiaomi kernel releases will come at a faster pace.

Most Android smartphone users understand the operating system which powers their device is “open source.” For many, that’s where their understanding ends. The legality of open source technology like Android is a mystery outside the geeky inner circle of coders and hackers who make a hobby out of tinkering with the system.

There’s often no reason for most of us to care. Things are different for Android smartphone manufacturers. For them, a deep understanding of the laws governing open source technology is a necessity.

So why is Chinese smartphone manufacturer Xiaomi, the world’s fifth largest, constantly on the wrong side of the law when it comes to open source rules and regulations?

Why is Chinese smartphone manufacturer Xiaomi, the world’s fifth largest, constantly on the wrong side of the law?

Here’s a brief synopsis of the ins and outs of the laws governing Android:

The Mi A1 is Xiaomi’s very first Android One device. Android One devices run on a nearly-stock version of the operating system, and companies work closely with Google to integrate the software. Google introduced the Android One program to bring some cohesion to the Android user experience across different types of hardware, and the Mi A1 has the distinction of being the first Android One device to launch globally.

But it’s been three months since the device hit shelves, and Xiaomi has yet to post the source kernel.

That infraction of the GPL might be understandable if there weren’t a disturbing trend: it was six months after the releases of 2016’s Mi 5 and 2017’s Mi 6 when their source codes went live. If this trend continues, it will be April 2018 before we’ll see the source of the Mi A1.

How can a company as large as Xiaomi be at odds with the GPL so regularly and not face any consequences?

It was six months after the releases of 2016’s Mi 5 and 2017’s Mi 6 when their source codes went live.

To be clear, there is no ostensible reason for these delays. The Samsung Galaxy S8 and S8 Plus hit store shelves on April 21, 2017. The source code for the devices appeared on April 26, 2017. Five days is a reasonable amount of time to copy a pre-existing file to a website. Six months is not.

This is especially confusing since the Galaxy S8 runs a heavily modified version of Android known as Samsung Experience. Taking some time to post a kernel filled with unique code is understandable, but the Mi A1’s code is not much different from the files publicly available right now at the AOSP site. So why isn’t Xiaomi following the rules?

See also Xiaomi Mi A1 review: the perfect budget phone? Introduced in 2014, Google’s Android One program never quite took off the way the company had envisioned. The program focused on developing markets like India and aimed to deliver budget smartphones with a stock Android …

The most obvious explanation for Xiaomi playing fast and loose with the GPL is because there are no real repercussions. There have been numerous cases of companies violating their GPL obligations in the past, but offenders have rarely been taken to court over it. In fact, legal action over GPL is practically unheard of in the Android ecosystem. Even if a stakeholder would decide to sue Xiaomi, they would need to do it in China — which has notoriously lax regulations when it comes to intellectual property infringements — India, or one of the other markets where Xiaomi has significant market share. Suing Xiaomi in the US wouldn’t make sense, simply because Xiaomi doesn’t have an official presence there.

Legal action would have to be filed in multiple jurisdictions to have a real effect (similar to how Apple and Samsung fought each other in courts from a dozen countries). It can take close to a decade, and millions of dollars, to bring such cases to their final conclusion. And, in the end, the plaintiff would probably not be awarded any damages, simply because it’s hard to prove that the GPL violation caused any financial loss to the plaintiff.

If Xiaomi wants to come to America (which company reps have mentioned several times as being a goal) it might not be able to ignore GPL statutes for long. Under threat of litigation, the Mi A1 code would have to be posted to the public within a reasonable amount of time.

If Xiaomi wants to come to America it won’t be able to ignore GPL statutes.

As long as it’s just focused on China and India, Xiaomi doesn’t have to worry about abiding by the standards set by competitors who operate globally. This is unfortunate because the power of the GPL is set by the companies and individuals who uphold it. It may seem alarmist, but it’s a slippery slope from not posting source code in a reasonable amount of time, to not posting source code at all, to then charging people for accessing the code (which companies have tried to do).

Even if you ignore the ethics of non-compliance with the GPL, the safety and security of devices are put at risk when the source code isn’t freely available. One of the significant benefits of open source code is that anyone can go through it to look for issues. Once a vulnerability appears, it can be examined, patched, and that patch can spread. But if users can’t view the source code, security threats could go unmonitored for weeks or even months, putting smartphone owners in genuine danger.

Where is Google in all of this? As the developers of the Android operating system, Google and its parent company Alphabet have a vested interest in making sure Android derivatives adhere to the GPL. Even though the Mi A1 is the first of its kind and a flagship device of the Android One program, Google has yet to comment on Xiaomi’s track record of source code releases, and hasn’t made any public moves to push Xiaomi to release the code.

Ultimately, Xiaomi is a successful brand and will continue to dominate sales in China, India, and other markets, regardless of whether or not it follows the GPL. If it ever wants to make its mark worldwide, this glaring issue will have to be addressed.

We’ve reached out to Google and will update the article should the company make a statement.

UPDATE 01/25/18, 9:55 A.M. EST: Xiaomi issued an official response to Android Authority regarding the kernel source timeline: