Free and Open-Source Software Diligence in Mergers, Acquisitions, and Investments
Andrew J. Hall, Fenwick & West LLP
April 16, 2013
Linux Foundation Collaboration Summit

Presentation Topics
- Introduction and background
- FOSS concerns of acquirers and investors
- The FOSS diligence process
- Preparing for transactions involving FOSS diligence

Intellectual Property Licensing

IP: Rights to Exclude Others
- Patent owner has the right to exclude others from making, using, practicing, importing, offering to sell, or selling the patented invention.
- Copyright owner has the exclusive right to reproduce (copy), distribute, display, perform, and prepare derivative works of (adapt) the copyrighted work.
- IP owners can grant permission to practice one or more of their exclusive rights by granting a license to their IP.
- In granting licenses, IP owners may:
  - specifically define the permitted activities; and
  - place conditions (obligations and restrictions) on the license grant, such as requiring royalty payments or IP notices or prohibiting reverse engineering.

IP Infringement
IP infringement refers to practicing the exclusive rights of the IP owner either:
1. without permission or a license; or
2. outside the terms of the license.

Free and Open Source
- Free Software Foundation: Free Software (four freedoms)
- Open Source Initiative: The Open Source Definition (ten requirements)
- Free and Open-Source Software (FOSS)

FOSS (Public Source) Diligence
For commercial diligence purposes:
i. software, made available to the public
ii. in source code form
iii. under a specific, non-negotiable license

Transactions
Transactions involving FOSS Diligence:
- Mergers and acquisitions
- Initial public offerings
- Investments and company funding
- Licensing software and hardware incorporated into licensee's products
For the purpose of this presentation: "Transactions," "Investors," and "Targets"

FOSS Concerns of Acquirers and Investors

Common Investor Concerns
Primary FOSS concerns of Investors:
1. Loss of proprietary rights (copyleft)
2. Aggressive or litigious FOSS licensors
3. Limitations on patent enforcement*
4. Breach of contract claims
5. Infringement and non-compliance claims
6. Atmospheres of non-compliance
7. Security risks*
8. Export control*

1. Loss of Proprietary Rights
- Improperly incorporating copyleft OSS can create obligations for the Target to release its proprietary source code under the terms of the same copyleft license ("tainting").
- Terms of copyleft licenses are often inconsistent with commercial licensing and distribution models.
- Extent of the copyleft effect:
  - Copyleft (viral, hereditary) licenses generally taint derivative works.
  - Weak (file-level) copyleft licenses generally taint modifications.

2. Aggressive/Litigious Licensors
- FOSS that has been the subject of enforcement efforts, litigation, or aggressive licensing campaigns
  - Private enforcement: Java, MySQL
  - Community enforcement: Busybox
- FOSS licensed by a Target's competitors

3. Patent Enforcement Limitations*
Target distribution of FOSS can result in:
- Target granting patent licenses covering the FOSS and/or recipient modifications to the FOSS.
- Target being subject to retaliation clauses which restrict Target's ability to assert patents against the FOSS or the FOSS licensor.
* Of particular importance to Investors that strategically assert their patent portfolios.

4. Breach of Contract Claims
- Increasingly, licenses for the redistribution of software (e.g., OEM, VAR) include representations, warranties, and indemnities relating to the Target's use of FOSS.
- Failure to comply with Target's FOSS obligations can result in significant monetary costs, reputational damage, and strained relationships with Target customers.

5. Infringement/Non-Compliance
- Failure to satisfy FOSS license obligations and restrictions may result in allegations and findings of copyright infringement.
- FOSS licenses universally include broad warranty and infringement disclaimers and no indemnification from FOSS licensors.
- Non-compliance is often the impetus for FOSS enforcement actions.

6. Atmospheres of Non-Compliance
- Investors may investigate Target policies and procedures with respect to FOSS.
- Effectiveness of policies and practices will be apparent if commercial FOSS scanning is used.
- Absence of appropriate policies and practices can invite additional scrutiny.

7. Security Risks*
- Some Investors investigate FOSS use and maintenance for known security risks.
* Of particular importance to Investors and Targets subject to heightened security regulations (e.g., banks, medical services providers) or that handle personal or sensitive information.

8. Export Controls*
- Some Investors review Target's distribution of FOSS for information security, cryptography, and other technology subject to export control restrictions.
* Of particular importance to Investors and Targets that distribute software abroad or to foreign persons or entities in the United States.

The FOSS Diligence Process

The FOSS Diligence Process
1. Assessing Investor and Target risk profiles
2. FOSS disclosures
3. Commercial FOSS scanning services
4. FOSS interviews
5. FOSS remediation

1. Creating Risk Profiles
- What is the value of the Target's software to:
  - the Target?
  - the Investor?
- What is the proprietary value of the Target's software assets?
- How are the Target's software assets used to generate revenue?
- What is the value of the Investor's patent portfolio to the Investor?

2. FOSS Disclosures
FOSS information requested by most Investors:
- FOSS package name and version number;
- FOSS license covering the FOSS packages (e.g., GPL, LGPL, MPL);
- Source of FOSS package (e.g., website from where package was downloaded);
- FOSS interaction with Target's proprietary software (e.g., aggregated, dynamically or statically linked);
- Whether the FOSS package has been modified;
- Whether the FOSS package is distributed; and
- Copies of FOSS policies and other FOSS documentation.
FOSS information requested by some Investors:
- A copy of the FOSS license covering each FOSS package;
- The date the FOSS package was downloaded;
- The name of the FOSS licensor (the entity that publishes or licenses the FOSS package); and
- The function the FOSS package serves within Target's software.

3. Commercial FOSS Scans
- Should be expected where the Target's software represents a primary Target asset.
- Targets will need to identify and provide the commercial FOSS service provider with a copy of the source code included within distributed Target products.
- Some undisclosed FOSS is expected, but a significant amount or the revelation of rampant FOSS misuse can severely impact the Transaction.

4. FOSS Interviews and 5. Remediation
After analyzing the FOSS disclosures and commercial scanning results, Investors typically:
- Interview Target regarding FOSS use and policies;
- Request additional information regarding Target's FOSS use, policies, and practices; and
- Request remediation of any copyleft and noncompliance concerns.
Investors may request broad FOSS indemnifications and/or delay the closing of the Transaction until the requested remediation has been completed.

Preparing for Transactions
- Implement FOSS policies and procedures appropriate to the Target's risk profile
- Seek advice of FOSS experts prior to incorporating copyleft software into core software assets
- Conduct FOSS audits to assess copyleft and compliance risks - remediate as appropriate
  - Remediation often can't be accomplished during the compressed diligence period
- Prepare FOSS disclosures commonly required in Transactions
  - Preparation during the diligence period often leads to errors, omissions, and delay resulting in additional FOSS scrutiny and Target absorbing additional risks and costs

Thank you! Questions? Andrew J. Hall Fenwick & West LLP 650-335-7644 ahall@fenwick.com