OPEN SOURCE ISSUES IN BUSINESS

OPEN SOURCE ISSUES IN BUSINESS
By
Cestjon McFarland
Holly Towle1
I.
INTRODUCTION
Open source software presents issues of increasing significance for businesses. If you are not
already familiar with these issues and your business is using or considering the use of open source
software, it’s time to take note. This article analyzes considerations that businesses should keep in
mind when deciding whether to use this type of software. As with any licensed technology, open
source is governed by the terms of the open source license. Actively copying, modifying, developing
products with, or distributing open source software without understanding those terms can jeopardize a
company’s business endeavors. On the other hand, businesses that take the time to research and
investigate open source licensing models and that are familiar with the issues described in this article
are more likely to be successful in deciding whether and when to use open source.
II.
TWO HYPOTHETICAL SCENARIOS
It’s helpful to ground this discussion in a specific context. Consider the following scenarios:
SCENARIO #1, CODE DEVELOPMENT FOR DISTRIBUTION: Your business is developing a proprietary
software program with high hopes of profitable distribution. Your market edge resides in the
features and functionality that your skilled developers have included in this program, and you
protect your source code from disclosure to unauthorized third parties. But one of your
employees (or an independent contractor working with your development team) included a
small piece of open source code in your product. Or perhaps the code was introduced when
your company merged with another business, and an acquired product was merged into the
original product code base; open source issues weren’t flagged in the acquisition due
diligence process.
SCENARIO #2, INTERNAL USE: You have based your company’s internal operations on open
source software. Your company is not in the software business, you don’t plan to distribute
software, and therefore you don’t care that your open source license requires you to share with
others any adaptations and improvements you make to the source code. You just like the
program. Then you get a notice of infringement – the letter says you must stop using the open
source software because your use violates the rights of one of perhaps several hundred
Cestjon McFarland and Holly Towle are partners in the Technology and Intellectual Property practice group of
Preston Gates & Ellis, LLP, a national law firm (http://www.PrestonGates.com). They are located in the firm’s Seattle
office. Holly is the author of The Law of Electronic Commercial Transactions (2003, A.S. Pratt & Sons). This article
was prepared with assistance from Shankar Narayan, an associate at Preston Gates & Ellis, LLP, and Eric Keppler, an
attorney at Lee & Hayes, pllc.
1
1
developers who contributed to the program. You have to defend the suit and stop using the
software.
As you read through the following sections, you will find that the terms of your open source license
would affect your fate in both scenarios.
III.
BACKGROUND ON OPEN SOURCE
A.
WHAT IS OPEN SOURCE SOFTWARE AND WHERE DID IT COME FROM?
The open source software movement had its origins at the MIT Artificial Intelligence
Laboratory. In the early 1970s, when the source code for most computer software was readily
available, the lab’s programmers were free to refine it for their own purposes. As software increasingly
came to be distributed on a proprietary basis in the early 1980s, a programmer named Richard
Stallman became frustrated with his inability to collaborate with his colleagues on refining proprietary
operating system code. This frustration was the genesis of the “GNU Project” (GNU rhymes with “new,”
but is preceded by a hard “g”). The GNU Project’s mission was to create a non-proprietary UNIX-like
operating system, GNU being a recursive acronym for “GNU’s Not Unix.”i Stallman implemented this
project under the auspices of the Free Software Foundation, which he formed in 1985.ii
Somewhat fortuitously, while Stallman and others at the GNU Project focused on the
development of high-level operating system functions for GNU, a young Finnish programmer named
Linus Torvalds decided to create his own alternative to the Unix operating system.iii Torvalds started
with the low-level functions performed by an operating system. These are known as the “kernel.” He
released his original “Linux” program code in 1991 over the Internet, and encouraged other
programmers to modify and enhance it. Torvalds and the GNU Project team then discovered each
other, and by the mid-1990s had combined the high-level functions produced by GNU and Torvald’s
kernel to form a single operating system known as Linux.iv
Linux was released under an open source license crafted by Stallman called the General
Public License or “GPL.” The GPL was designed so that any enhancements or improvements to
software licensed under the GPL would also be made openly available in source code format, thereby
allowing for development of an ever-expanding common code base that, via the GPL terms, could be
improved-upon by programmers around the world. Ironically, while Stallman abhorred the protectionist
rights imbued upon copyright and other intellectual property right owners, the GPL relies on those very
rights to “free” the software; that is, to require anyone who modifies and distributes GPL software to
grant others the same rights in those modifications as the user received to the original code under the
GPL.v The Free Software Foundation characterizes this as a form of liberation for programmers, as
follows:
[Open source restrictions help] programmers who want to contribute improvements to free
software get permission to do that. These programmers often work for companies or
universities that would do almost anything to get more money. A programmer may want to
contribute her changes to the community, but her employer may want to turn the changes into
a proprietary software product.
2
When we explain to the employer that it is illegal to distribute the improved version except as
free software, the employer usually decides to release it as free software rather than throw it
away.vi
The other common terminology used in reference to open source software is that it is “copyleft” rather
than “copyright.” This term was inspired by a message scribbled on the outside of an envelope sent to
Stallman in the mid-1980’s: “Copyleft—all rights reversed.”vii
B.
OPEN SOURCE SOFTWARE IS OFTEN CALLED FREE SOFTWARE – IS IT REALLY?
In this context, “free” doesn’t necessarily mean at no charge. It does mean that the source
code must be “open” for viewing. Many companies offering open source software derive revenue either
by charging for the copy or related services:
The intention was that nobody would have to pay for *permission* to use the GNU system .
. . I have learned to distinguish carefully between “free” in the sense of freedom and “free”
in the sense of price. Free software is software that users have the freedom to distribute
and change. Some users may obtain copies at no charge, while others pay to obtain
copies--and if the funds help support improving the software, so much the better. The
important thing is that everyone who has a copy has the freedom to cooperate with others
in using it.viii
The GNU web site offers this clarification: “think free as in ‘free speech,’ not as in ‘free beer.’”ix Thus,
the GPL permits charging a fee “for the physical act of transferring a copy” of the open source software,
or for offering warranty protection.x But any work that contains or is derived from the open source
software must be “licensed . . . at no charge.”xi In short, under the GPL some fees may be imposed
subject to restrictions which need to be parsed.
C. HOW MANY TYPES OF OPEN SOURCE SOFTWARE ARE THERE?
The growth of the Internet in the 1990s made “free software” an increasingly attractive model
for developing and distributing software. One challenge posed by this model, however, was enticing
proprietary software vendors to use open source products. To fill the needs of developers interested in
providing open source software for the commercial market, variations of the open source model started
to appear. This ultimately exposed some tensions within the free software community. Inspired by
Netscape’s announcement in early 1998 that it planned to release the source code for its flagship
Netscape Navigator internet browser, a group of Linux developers and other free software enthusiasts
formed the “Open Source Initiative” (OSI) with the goal of making “free software” more commercially
viable. As described on the OSI Web site:
[w]e realized it was time to dump the confrontational attitude that has been associated with
‘free software’ in the past and sell the idea strictly on the same pragmatic, business-case
grounds that motivated Netscape. We brainstormed about tactics and a new label. ”Open
source,” contributed by Chris Peterson, was the best thing we came up with.xii
Though they share a number of goals, the missions of the “free software” camp represented by
Richard Stallman and the Free Software Foundation, and the “open source” camp represented by OSI,
Linus Torvalds, and the various commercial heavyweights who have thrown their support behind Linux,
are different. The Free Software Foundation remains antagonistic toward all forms of proprietary or
“restricted source” software, while the OSI accommodates certain combined open source and
proprietary software development through less restrictive open source license terms. Specifically, OSI
3
developed a certification scheme under which software licenses satisfying the OSI criteria would be
entitled to use the label “OSI Certified Open Source Software.”xiii
There are now many different software programs distributed under the GPL, as well as other
forms of open source licenses.xiv Over fifty licenses currently qualify for OSI certification.xv Even NASA
has developed its own open source license, the NASA Open Source Agreement or “NASA NOSA” (also
recently qualifying for OSI certification), raising interesting issues given that NASA, as a part of the
federal government, does not have a copyright in software developed by its own employees.xvi
In summary, motivations for open source licensing vary, as do the licenses themselves. It is
simplistic and incorrect to assume that all “open source” software licenses are the same. The
differences can have significant consequences for developers and users of the software.
IV.
ANALYZING OPEN SOURCE LICENSES
A.
NOT?
WHY SHOULD A BUSINESS CARE IF THE SOFTWARE IT LICENSES IS OPEN SOURCE OR
As with all software, the license is the key for businesses seeking to use open source software.
Software is protected by copyright and other intellectual property laws which, among other things, allow
the owner to limit a user’s ability to copy, modify or distribute the software. The details regarding what
is or is not permitted are specified in the license. Some open source licenses require users who
combine open source code with their otherwise proprietary software, to make the source code for the
whole product entirely open. That is why some speak of open source software as infecting other code,
or as being “viral.” If a company’s business plan depends upon keeping its code confidential, such a
result would clearly pose a problem. Whether open source software is “better” or “worse” than other
software depends on many factors, both technical and legal, and the user’s ultimate goals. It’s
important to understand these license terms, however, to avoid potentially unpleasant surprises.
B.
WHAT ARE SOME OF THE DIFFERENT TYPES OF OPEN SOURCE LICENSES?
As noted above, there are numerous variations on the open source license theme, making it
impossible to discuss each one in this article. Some of the particularly prominent licenses include, in
addition to the GPL, the Lesser General Public License or “LGPL,” the Berkeley Software Distribution
License or “BSD,” and the Mozilla Public License or “MPL.” This section describes the OSI criteria
mentioned above and some of the salient license terms in the GPL, LGPL, BSD, and MPL, to give the
reader a flavor for some of the variations that one might expect among open source licenses. While by
no means exhaustive, the discussion will help outline the types of issues businesses should consider
when assessing whether to enter into such a license.
1.
THE OSI DEFINITION.
OSI’s definition of an “open source” software license includes a series of ten minimum
requirements that must be satisfied to qualify for the “OSI Certified” label. These requirements are
intended to be flexible enough to embrace a variety of open source licensing models. The OSI
requirements are as follows:
4
(a) Free redistribution. The license can’t prohibit anyone from selling or giving the licensed
software away as part of an aggregated software program containing code from other sources,
nor can the license require a royalty or fee for such a sale.
(b) Source code. The licensed software has to include source code, and the license must
allow distribution in source and binary format. If a version of a product is distributed only in
binary format, then there must be a well-publicized means for obtaining the source code for no
more than a reasonable reproduction cost (preferably, downloading via the Internet without
charge). The source code must be in the preferred form for modification by a programmer.
(c) Derived works. The license must allow the creation of modifications and derivative works,
and must allow any such modifications or derivative works to be distributed under the same
terms as the license for the original software.
(d) Integrity of the Author’s Source Code. A license may require that the base source code
be distributed unmodified, and that any modifications be provided in the form of "patch files"
with the base source code, for the purpose of modifying the program at build time. The license
must explicitly permit distribution of software built from modified source code. The license may
require derived works to carry a different name or version number from the original software.
(e) No discrimination against person or groups. Nothing in the license should discriminate
against any person or group of persons.
(f) No discrimination against fields of endeavor. The license must not restrict anyone from
making use of the program in a specific field of endeavor (such as in a business or for genetic
research).
(g) Distribution of license. The rights attached to the program must apply to all to whom the
program is redistributed without the need for execution of an additional license by those parties
(such as a non-disclosure agreement).
(h) License must not be specific to a product. The rights attached to the program must not
depend on the program's being part of a particular software distribution. All parties to whom
the program is redistributed should have the same rights as those that are granted in
conjunction with the original software distribution.
(i) License must not restrict other software. The license must not place restrictions on
other software that is distributed along with the licensed software. For example, the license
must not insist that all other programs distributed on the same medium be open-source
software.
(j) License must be technology-neutral. Nothing in the license may be conditioned or based
on any individual technology or style of interface. xvii
The first three criteria articulate the open source fundamentals:
•
there can be no prohibitions on distribution, and no fee should be charged for distribution
(though a fee could be charged for support);xviii
•
the source code must be made available; and
•
modification of the source must be permitted (along with distribution of those modifications).
5
The remaining OSI criteria primarily emphasize another fundamental, which is that open source
licenses should otherwise be as unrestrictive as possible as to certain items—no limitation by user, type
of use, type of software distribution, or technology. There is also an express requirement that open
source and proprietary software must be able to co-exist on the same medium, without having the open
source infect the companion proprietary code. Each of the licenses discussed below qualifies as an
OSI Certified license.
2.
THE GPL
The GPL, reflecting its heritage in the free software camp, is the most extreme of the major
open source licenses in its rejection of some typical proprietary software license terms. For example,
simple use of GPL software is outside the scope of the GPL license: “[t]he act of running the Program
is not restricted…..”xix The acts of copying, distributing and/or modifying the Program, however, do fall
within the scope of the GPL provisions and can have significant consequences.
Unlike many other open source licenses, the GPL requires that, when proprietary code is
combined with GPL code, the entire combined work must be distributed under the GPL: “You must
cause any work that you distribute or publish, that in whole or in part contains or is derived from the
Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms
of this license.”xx
The term “Program” is defined to include the GPL program itself and any “work based on the
Program,” with the latter being “the Program or any derivative work under copyright law: that is to say, a
work containing the Program or a portion of it….”xxi The GPL further provides that the distribution
requirement applies to the modified work “as a whole:”
If identifiable sections of that work are not derived from the Program, and can be reasonably
considered independent and separate works in themselves, then this License, and its terms,
do not apply to those sections when you distribute them as separate works. But when you
distribute those same sections as part of a whole which is a work based on the Program, the
distribution of the whole must be on the terms of this License, whose permissions for other
licensees extend to the entire whole, and thus to each and every part regardless of who wrote
it.xxii
Although the GPL clarifies that merely shipping proprietary source code and GPL code on the same
storage medium would not bring the proprietary source code within the scope of the GPL’s terms,xxiii the
precise amount of integration or combination which would make the proprietary source code part of a
“work based on the Program” is not expressly outlined under the GPL.
If, therefore, a proprietary software company wishes to combine GPL code with its proprietary
source code, the company may only distribute the combined work under the terms of the GPL. Since
this would normally be an unacceptable result for a proprietary software company, the practical effect of
these GPL provisions is to preclude a proprietary software company from intentionally combining GPL
code and proprietary source code into one software product.
Proprietary software companies that are aware of the GPL terms are likely to be cautious
about avoiding such combinations. It’s possible, however, for this to happen inadvertently.
A
proprietary software company faces potential GPL “taint” whenever there is an opportunity to introduce
GPL code into its proprietary source code distribution line. Significantly, the GPL contains provisions to
address cases where GPL code is distributed without notice that the GPL is applicable to the open
6
source code (as required by Section 1),xxiv which would be the case where GPL code is inadvertently
incorporated into or combined with proprietary source code. The GPL provides: “[e]ach time you
redistribute the Program (or any work based on the Program), the recipient automatically receives a
license from the original licensor to copy, distribute or modify the Program subject to these terms and
conditions. You may not impose any further restrictions on the recipients’ exercise of the rights granted
herein.”xxv
In a situation, therefore, where an independent contractor or value-added reseller combines
some GPL code with a proprietary software company’s code, and that combined code is distributed
without the proprietary software company’s knowledge that GPL code has been introduced into its
product, the creators of the GPL would likely claim that the company has lost the right to impose its
proprietary restrictions on its code base. There are obvious issues under contract formation, agency
and other legal doctrines that would be raised by any such assertion, but this illustrates the kinds of
tensions that can arise under the GPL.
The increasing use of open source development tools can heighten the risk of inadvertent
inclusion of GPL code into proprietary source code. Can a development tool available pursuant to a
GPL license be used to create untainted proprietary source code? The GPL provides that “[t]he act of
running the Program is not restricted, and the output from the Program is [subject to the terms of the
GPL] only if its contents constitute a work based on the Program (independent of having been made by
running the Program). Whether that is true depends on what the Program does.”xxvi This suggests that
GPL development tools may be used to generate proprietary source code, but companies must
carefully assess the functionality of the tool and whether the output is likely to qualify as a “work based
on the Program.”
3.
THE LGPL
The GNU Lesser General Public License or “LGPL” (and its predecessor, the GNU Library
Public License) was an early concession by the Free Software Foundation to the need for flexibility in
bridging the gap between the open source and the proprietary software models, but in the limited
context of software libraries. This license was designed to permit developers to link such libraries into
non-open source programs. The reason for creating this “lesser” GPL is explained in the license itself:
[O]n rare occasions, there may be a special need to encourage the widest possible use of a
certain library, so that it becomes a de-facto standard. To achieve this, non-free programs
must be allowed to use the library. A more frequent case is that a free library does the same
job as widely used non-free libraries. In this case there is little to gain by limiting the free
library to free software only. . . In other cases, permission to use a particular library in non-free
programs enables a greater number of people to use a large body of free software.xxvii
The LGPL provides that any licensee can distribute the relevant software library, as received, in source
code format (and object code, though the source must accompany any binary codexxviii), as long as
proper copyright notices and warranty disclaimers, as well as a copy of the LGPL license, are provided
with the code.xxix Distribution requirements governing modifications to the software library depend upon
how the library is linked to the non-open source program.
(a) Works Based on the Library. The LGPL distinguishes between “works based on the
library,” which it describes as work containing code derived from the library, and “works that use the
library,” which it describes as works that do not include any derivative of the LGPL library but are
7
designed to work with the LGPL library by being compiled or linked with it.xxx The LGPL licensee may
distribute the former category of works (i.e., works containing code derived from the library) only if (i)
the modified work is also a software library, (ii) the modified files contain prominent notices of such
modification and the dates thereof, (iii) the whole work is licensed under the LGPL at no charge, and
(iv) the licensee makes a good faith effort to ensure that the library, as modified, is able to
independently perform functions that are to be supplied by an application program, should the
application fail to do so.xxxi The modified work may be distributed in object code only if it is also
accompanied by the source code.xxxii
(b) Works That Use the Library. Works that use an LGPL library fall outside the scope of the
LGPL, when distributed in isolation.xxxiii If, however, such a work links to the library in a manner that,
when compiled, the executable contains a portion of the library, then the LGPL licensee can distribute
that work under license terms of the licensee’s choice provided that the license must allow “modification
of the work for the customer’s own use and reverse engineering for debugging such modification.”xxxiv
Further, the licensee in that case must (i) satisfy specific notice requirements designed to inform
downstream licensees that the LGPL library is covered by the LGPL, and (ii) take certain steps to
ensure that downstream licensees have access to source code for the library (and any modifications
thereto) or to a suitable shared library mechanism for linking to the library.xxxv
Tracking the requirements of the LGPL to ascertain when the licensee must distribute source code for
its own work under the LGPL terms, requires precise knowledge of the manner in which the LGPL
libraries will be used and careful navigation of the LGPL terms.
4.
A MORE PERMISSIVE APPROACH: BSD-STYLE LICENSES.
The Berkeley Software Distribution or “BSD” style license is a more permissive alternative to
the GPL, and represents one of the less restrictive licenses to obtain OSI certification. It is quite brief,
with the license terms reading as follows:
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
•
Redistributions of source code must retain the above copyright notice, this list of conditions
and the following disclaimer.
•
Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
•
Neither the name of the <ORGANIZATION> nor the names of its contributors may be used to
endorse or promote products derived from this software without specific prior written
permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
8
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. xxxvi
Unlike the GPL, the BSD License does not expressly require that the entire work into which BSD code
is combined be distributed in source code form. At the www.mozilla.org Web site, the BSD is described
as follows:
It is very non-restrictive in its terms, basically allowing anyone to do anything with code
covered by the license, but requiring a reference to the copyright holder in accompanying
documentation -- essentially requiring only credit where credit is due. This makes the license
acceptable to commercial developers, but opens others to the possibility that their work may
be incorporated into products that may be proprietary to someone else.xxxvii
5.
MIDDLE GROUND: THE MOZILLA PUBLIC LICENSE
The MPL is notably different from its apparent namesake, the GPL. Most significantly, the
MPL outlines mechanisms for combining proprietary software with open source code without “tainting”
the proprietary software. The MPL also specifically parses copyright and patent rights granted under
the license, and contains a defensive suspension mechanism for terminating MPL license rights as to a
given licensee should that licensee bring patent infringement claims against upstream MPL developers.
(a) Segregation by File. Similar in concept to the GPL, the MPL requires each person or
entity that seeks to modify the MPL code to grant others a “world-wide, royalty-free, non-exclusive
license . . . to use, reproduce, modify, display, perform, sublicense and distribute the Modifications
created by” that person or entity.xxxviii “Modifications” include any additions or deletions from the original
MPL code received by the contributor, but the MPL goes on to clarify that:
When Covered Code is released as a series of files, a Modification is:
A. Any addition to or deletion from the contents of a file containing Original Code or previous
Modifications.
B. Any new file that contains any part of the Original Code or previous Modifications.xxxix
“Covered Code” is the original MPL code and any “Modification,” and “Original Code” is the original
source code first put out under a given MPL license. Unlike the GPL, therefore, the MPL allows
proprietary software companies to protect their proprietary code from being subjected to open source
license terms by putting it in files separate from any MPL or modified MPL code. To the extent,
however, that MPL code (modified or unmodified) is included in the same file as proprietary software,
then the MPL provisions have a similar viral effect on the proprietary software as the GPL.
(b) Patent License and Defensive Suspension. The MPL also expressly delineates the
copyright and patent licenses, providing that “Contributors” to the MPL code base (i.e., each entity that
develops Modifications) grant a world-wide, royalty-free, non-exclusive license under their patents to
make use, sell, offer for sale, have made and/or otherwise dispose of not only the “Modifications” made
by that Contributor, but also the combination of Modifications made by that Contributor with “its
Contributor Version.”xl The “Contributor Version” is defined as the combination of the original code
placed under the MPL license, “prior Modifications used by a Contributor, and the Modifications made
by that particular Contributor.”xli Each Contributor, therefore, grants a combination license for
9
combinations of the original MPL code with any Modifications that Contributor has used (previously) or
developed.
The MPL also includes a section on termination, providing that the license can be terminated
automatically for a breach of the license terms and failure to cure within 30 days of becoming aware of
such breach. The license may also terminate if the licensee commences patent infringement litigation
against the initial MPL code developer or any subsequent Contributor, asserting that either (a) the initial
MPL code developer’s or any Contributor’s contribution directly or indirectly infringes a licensee patent,
or (b) any other software, hardware or other device of the MPL code developer or Contributor (as the
case may be) directly or indirectly infringes a licensee patent.xlii Such a provision seeks to avoid the
scenario where a licensee of the “free” open source software would continue to get the benefit of the
license while asserting patent claims against those who have contributed to the MPL code base. The
reach of this defensive suspension clause, however, is quite broad, covering patent infringement claims
that are related as well as unrelated to the MPL code. Potential MPL licensees, therefore, must
consider the implications that would arise should they find themselves facing patent infringement by
other MPL contributors after the licensee has developed products using MPL code.
C.
HOW CAN OPEN SOURCE SOFTWARE AFFECT A COMPANY THAT ONLY USES IT
INTERNALLY, TO RUN THE BUSINESS?
Companies that modify or distribute open source software, even if only for their internal
business operations (e.g., customization of code for their particular systems or distribution to their
subsidiaries) may be exposed to a copyright infringement action by a party claiming that their software
was introduced into the open source code base without proper authorization. Patent infringement
claims are a similar risk, especially given that the scope of patent rights obtained under a given open
source license can be more limited than a user might expect. For example, the MPL does not require
developers of the initial MPL code to grant a patent license for the combination of their original code
with other software—rather, the combination patent license applies only to subsequent licensees who
modify the original code.xliii
Of course, claims of infringement can happen with any software. One difference with open
source, however, is that the license and development scheme embodies an informal permission and
submission structure that arguably enhances the risk of such claims. One commentator, in fact, has
characterized the Linux kernel code base as “legally radioactive” given the loose manner in which
Torvalds allowed contributors to add to the code base without tracking whether the contributors had
appropriate rights in their submittals.xliv
Perhaps not surprisingly, Linux code is the subject of a prominent lawsuit filed in March 2003
by the SCO Group against IBM Corporation. The SCO Group alleges that IBM violated SCO’s rights by
incorporating pieces of SCO’s proprietary UNIX operating system into the Linux operating system, and
by inducing and encouraging third parties to misappropriate SCO’s proprietary software.xlv IBM, for its
part, contends that SCO has not only failed to allege with specificity the manner in which IBM has
misappropriated the UNIX software, but flatly denies any misappropriation or violation of any
agreement.xlvi IBM has also struck back with counterclaims alleging that it is, in fact, SCO that is
infringing on IBM’s contributions to the Linux platform, as well as violating several of IBM’s UNIXrelated patents.xlvii The case is scheduled to go to trial in November, 2005. In a parallel development,
SCO has become increasingly vocal about its intent to pursue litigation against Linux end users. In
January of 2004, SCO announced on its website its intent to “expand its relationship” with a law firm for
10
the purpose of suing end users of Linux,xlviii and in March of 2004, SCO sued Autozone, Inc., and
DaimlerChrysler Corporation, both Linux end users.xlix The SCO lawsuits reinforce the notion that open
source users should be aware of litigation risks that may be associated with use of a given open source
program.
D.
ARE OPEN SOURCE LICENSES ENFORCEABLE?
Whether a given open source license is enforceable depends on whether contract law
requirements are satisfied, e.g., has each licensee developer ensured that the next transferee agreed
to be bound by the open source license? Where open source code is casually distributed from one
user to the next, scenarios may arise where a user may not know about the license or fails to
intentionally engage in conduct sufficient to pass muster as legal assent. There are many ways to
consent to a contract in modern commerce and there’s nothing about open source that alters those
choices – the problem is in tracking whether they have been used. Failure to obtain proper consent to
the license terms at any point along the open source development chain creates problems everywhere
below the weak link. Contracts can also be formed by trade usage – but this raises issues regarding
whether a licensee was aware of that usage, what the terms of the usage are, and whether the licensee
can be bound by a contract it did not realize it had made.
According to a recent article,l a German court enforced the GPL against a developer who had
incorporated certain code subject to the GPL into the developer’s own program, without abiding by the
GPL terms.li The court noted, according to the article, that rights flow from licenses and deficiencies in
complying with the license requirements can result in a lack of rights:
The right to use the software is lost if the user violates the license requirements, the court held,
and in such case the rights revert entirely to the author of the license. Even if it had found the
GPL invalid, the court added, [the licensee] would still have no privilege of use because if the
license is invalid, then [the licensee] has not received any rights to make use.lii
To complicate the enforceability issue, some open source “licensors” adopt the legal position
that their “licenses” are not contracts at all and that, therefore, contract law can be ignored. Under this
view, open source terms are merely a notice given by the copyright owner of what can or cannot be
done – a user who ignores the notice will not breach a contract, but will be subject to an infringement
action.liii
E.
WHY NOT JUST GET PERMISSION FROM SOMEONE IN AUTHORITY?
That’s easier said than done. Take a children’s story: many people have intellectual property
rights in it, including the illustrator, the author and the publisher. Now make the story a software
product and add music, sound effects, code allowing different endings, film clips and much more. All of
those creators have intellectual property rights too. In a proprietary product, the publisher would
typically obtain appropriate rights from the owners or authorized licensors of each of those components.
Open source software is similarly comprised of contributions from many different sources, and there
may be hundreds of creators, rather than dozens. Further, in many cases these various contributions
will have been submitted over a significant span of time. Identifying all the relevant parties may be
difficult, and even where they can be identified, tracking them down could be quite costly.
11
F.
HOW DO I GET MY DEVELOPERS OR IT STAFF TO THINK ABOUT THESE ISSUES?
What a company communicates to its developers or information technology staff regarding
open source software depends on the nature of that company’s business, the purpose the software is
to fulfill, and the license governing the software. For example, if development is purely for internal
systems and not for software that goes into commercial products, then the issues raised by open
source software may focus on infringement risk and costs of support. These concerns would be
balanced against the uniqueness of the software in fulfilling the identified operational need. If, on the
other hand, the company distributes proprietary software, then the company must take steps to ensure
that its developers do not jeopardize their proprietary distribution by inadvertently introducing open
source software into their products.
With respect to development, ideally the legal department and company programmers will
work together in formulating a company open source policy. Such a policy should be based on the
particular needs and business model of that company, and should include a practical methodology for
promptly addressing open source issues as they arise, whether that be through a single contact
person, intranet guidelines and other documentation, or more detailed authorization procedures. For
example, companies that distribute proprietary software products should have a streamlined process by
which their programmers can quickly assess the legal ramifications associated with using a particular
open source development tool or other open source software. The more knowledgeable the
programmers are about the legal issues, the better equipped they will be to assist in providing
information relevant to the legal analysis. In particular, they should understand that the legal analysis
depends on:
•
What the software is being used for and how (e.g., is it provided in source or object code form?
Will it be copied, modified or distributed, or merely “used”? If the programmer is linking to the
open source code, is it a static or dynamic link)?
•
Will the software be integrated in any way with company proprietary code?
•
What license(s) govern the software?
Another way in which open source can be introduced into a company is through an acquisition.
It is important for the acquiring entity to investigate during the due diligence phase whether the target
company uses any open source software. The acquiring entity should make sure that this inquiry is
posed directly to the target company’s programmers, because their response may be quite different
from that of the target company’s legal department (no big surprise, but it is not uncommon for the legal
department to be unaware of the use of open source code). Ultimately, the company should assess
open source issues revealed during due diligence in the context of the business goals for the
acquisition. For example, if the target company’s software product will be moth-balled following the
acquisition, then the incorporation of open source into that product may be less of an issue, though
there could be some liability exposure associated with pre-acquisition distribution of the product (e.g., in
a merger versus asset purchase scenario).
CONCLUSION
Circling back to the two hypothetical scenarios posited at the beginning of this article of a
company desiring to protect is proprietary software code and hoping to make a profitable distribution,
and a company that simply wants to use open source software for its internal operations: in each case,
12
the software may be “free” but free lunches usually come at some price and so does “free” or open
source software. Both companies need to learn more before consuming their free meal, and to
consider that various issues that we have discussed here.
http://www.gnu.org/gnu/gnu-history.html, “Overview of the GNU Project.”
See http://www.gnu.org/fsf/fsf.html, “Free Software Foundation.”
iii Parloff, Gunning for Linux, FORTUNE, May 17, 2004, at 94.
iv Id.
v See id.; see also http://www.gnu.org/copyleft/copyleft.html#WhatIsCopyleft.
vi See http://www.gnu.org/licenses/licenses.html#Intro, “What is CopyLeft?”
vii http://www.gnu.org/gnu/thegnuproject.html, “Copyleft and the GNU GPL.”
viii http://www.gnu.org/gnu/manifesto.html#f1 at Note 1.
ix http://www.gnu.org/philosophy/free-sw.html, “The Free Software Definition.”
x http://www.opensource.org/licenses/gpl-license.php, Section 1.
xi Id., Section 2(b).
xii http://www.opensource.org/docs/history.php.
xiii http://www.opensource.org/licenses/index.html, “The Approved Licenses.” OSI uses the certification mark “OSI
Certified” to signal that the underlying software license meets OSI’s fundamental requirements. Id. The term “open
source” alone is not necessarily determinative as to the true nature of a given license.
xiv See, http://opensource.org/licenses/index.html, “License Index,” for a list of over 50 open source licenses. See also
Mitre Corporation, Use of Free and Open-Source Software (FOSS) in the U.S. Department of Defense, Version 1.2,
October, 28, 2002, Appendix A for a list of approximately 115 different free and open source software applications
used by the U.S. Department of Defense, and Appendix B for a list of 40 different licenses associated with those
applications.
xv Id., “License Index.”
xvi Warnecke, NASA Will Become First Agency to Get OSI Certification of Open Source Agreement, ELECTRONIC
COMMERCE & LAW REPORT, March 31, 2004, at 304. The NASA NOSA is based in part on portions of the Mozilla Public
License, the GNU General Public License, and the IBM Public License. Because software created by the federal
government is not protected under U.S. Copyright law, NASA looks to contract rights to enforce the terms of the
license for such code. Id.
xvii http://www.opensource.org/docs/definition.php.
xviii See http://www.opensource.org/advocacy/faq.php, “How do I make money on software if I can’t sell my code?”
xix http://www.opensource.org/licenses/gpl-license.php, Section 0.
xx Id., Section 2(b), emphasis added.
xxi Id., Section 0.
xxii Id., Section 2, emphasis added.
xxiii See Id., Section 2: “mere aggregation of another work not based on the [open source program] with the [open
source program] . . . on a volume of a storage or distribution medium does not bring the other work under the scope of
this License.”
xxiv Id., Section 1.
xxv Id., Section 6.
xxvi Id., Section 0.
xxvii http://www.opensource.org/licenses/lgpl-license.php, Preamble.
xxviii Id., Section 4.
xxix Id., Section 1.
xxx Id., Preamble and Section 5.
xxxi Id., Section 2.
xxxii Id., Section 4.
xxxiii Id., Section 5.
xxxiv Id., Section 6.
xxxv Id.
xxxvi http://www.opensource.org/licenses/bsd-license.php.
xxxvii See http://www.mozilla.org/MPL/FAQ.html#5.
i
ii
13
Id, Section 2.2(a).
Id., Section 1.9.
xl Id., Section 2.2(b).
xli Id., Section 1.2.
xlii Id., Section 8.2.
xliii Id., Section 2.1(d). See also, Section 2.2(b).
xliv Parloff, Gunning for Linux, FORTUNE, May 17, 2004, at 94.
xlvhttp://www.caldera.com/ibmlawsuit/second_amended_complaint.pdf.
xlvi http://www.caldera.com/ibmlawsuit/20040329_ibm_2nd_amended_counterclaims.pdf.
xlvii Id.
xlviii http://ir.sco.com/ReleaseDetail.cfm?ReleaseID=126359, http://ir.sco.com/ReleaseDetail.cfm?ReleaseID=129996.
xlix http://ir.sco.com/ReleaseDetail.cfm?ReleaseID=129978.
l “German Court Recognizes Enforceability of GPL License Under German Copyright Law”, 9 Electronic Commerce &
Law, BNA Inc. 678 (8/4/04) (“BNA Article).
li Citing Welte v. Sitecom Deutschland GmbH, LG Muenchen, 21 O 6123/03 (5/19/04).
lii Id. BNA Article.
liii For a brief discussion of the tension this view creates regarding the legal difference between a “notice” and a
“contract,” see Holly Towle and Raymond Nimmer, The Law of Electronic Commercial Transactions at ¶ 8.03[2] (2003,
A.S. Pratt & Sons)
xxxviii
xxxix
14