RISK MANAGEMENT FOR OPEN SOURCE
Ria Farrell Schalnat

Open Source Should Not Work (but it does anyway)

The Birth Pangs of Open Source
- January 24, 1956: Antitrust settlement.
- 1964: Bell Labs and MIT collaborate on Multics (forerunner to UNIX).
- Summer 1982: AT&T breaks up. The Baby Bells fly the nest.
- AT&T starts charging A LOT for its version of UNIX. A schism results.
- AT&T promotes its more stable commercial development.
- Berkeley continues along the academic, avant-garde and CHEAP deployment.
AT&T versus Berkeley: The Honeymoon is Over
- And a little thing called the Internet didn't hurt either.

Open Source's Painful Adolescence
- Late 1980s to early 1990s: BSD was mired in a legal quagmire that made its future uncertain for several critical years.
- The Open Source Movement cried out for a new hero. Who can save us?
But even Linux has had its growing pains

The Legal Birth of Open Source
- 1979: Stallman tried to fix a Xerox printer at MIT. When Xerox wouldn't give him the source code, he got mad. Really mad.
- 1984: Stallman founded the Free Software Foundation and developed the GPL, which gave birth to the concept of copyleft.
Walk Softly But Carry a Big Stick

Copyright
- 17 USC 504. Infringer liability: (1) the copyright owner's actual damages and any additional profits of the infringer; or (2) statutory damages (not less than $750 or more than $30,000; willful infringement can increase the award to $150,000).
- 17 USC 505. Remedies include costs and attorney's fees.
- 17 USC 506. Criminal penalties.

Patent Stick
- 35 USC 271: Exclude others from making, using, and selling.
- 35 USC 284: Increased damages available for willful infringement, but not statutory damages like

Philosophies of Open Source
FSF-Style Open Source Definition
- Source code must be distributed with the software or otherwise made available for no more than the cost of distribution.
- Anyone may redistribute the software for free, without royalties or licensing fees to the author.
- Anyone may modify the software or derive other software from it and then distribute the modified software under the same terms.

GPL License Philosophy
- Cannot use GPL code to build proprietary products.
- Static versus dynamic linking: why does this make a difference? Which program is doing the primary work, the proprietary program or the GPL'ed one?
- LGPL explicitly permits proprietary software to make calls to GNU libraries.
GPL versus BSD
- The viral clause of the GPL clashed with the pragmatic views of many programmers.
- The BSD license was less restrictive than the GPL, in the fundamental sense that it did not require derivatives to remain free but instead allowed the creation of proprietary products from open code.

Sun's Community Source License Philosophy
- Sun Microsystems has argued that its community source license (SCSL) would take the advantages from each of the proprietary and open source models and eliminate the disadvantages.
- The core SCSL idea is to create an open-source-like community among individuals and organizations who want to extend and build applications on top of a common infrastructure (e.g., JAVA).
- JUST LOOKING / INTERNAL DEPLOYMENT / COMMERCIAL

Business Models
So How Do You Make Money On Open Source?
- Technical support
- Loss leader
- Sell it, then free it
- Accessorize
- Service enablers
- Branding

Examples of the Ancillary Business Model
- Yggdrasil charged for providing a neat distribution. Then he went one step further and combined a proprietary GUI toolkit for use with open source code.
- Red Hat: packaged Linux installations.
- Caldera: married his open source and proprietary code a bit too close for the community's comfort.

The New Business Model
- The world is moving more toward services and away from software-in-a-box models.
- The source code is free through open source, and your clients will pay you to warrant it, maintain it, document it, etc.
How do you differentiate yourself?
- Trademark and branding are becoming more important in the world of open source.

Positioning your Open Source Project for Purchase
- Make sure you get contributor agreements and copyright assignments from any contributors to your open source codebase.
- Scrub the code. Don't just take the contributor's word for it.

The Licenses
The Price of Knowledge
- Newspaper: $5
- Neiman Marcus cookie recipe: $250
- Microsoft Office Suite: $400
- There are some things money can't buy. Open Source Code: Priceless (except for all those fine-print conditions that might get you, depending on the license agreement).

The Cold Stone Creamery Model
- On the surface, open source seems like Baskin-Robbins with 31 flavors. OSI (Open Source Initiative) has actually approved over 60 licenses.
- And sometimes you get dual licenses, so make sure you know which one you have: http://www.oracle.com/technology/software/products/berkeley-db/htdocs/licensing.html

Are They Enforceable? Yes, they are!
Managing the Risk

Types of Risk
- Security risks
- Quality risks
- Infringement risks

Managing Security Risk
Security: Whose Eyes Are on the Code?
- Question posed by ADTI: What if the Federal Aviation Agency were to develop an application to control 747 flight patterns from widely distributed GPL open source code?

Just How Secure Is It?
- Any major project today has millions of lines of code!
- Sensitive government programs do not have to be distributed and therefore don't have to trigger publication requirements.
- Government can add proprietary security mechanisms as needed.

Managing Quality Risk
Managing Quality Risk
- Who has control? Forking.
- How strong is the community around it?
- Warranties
- Support

Who is in control?
- Hierarchical control (BSD)
- Leadership baton (Perl)
- Committee vote (Apache)

Fun with Forks
- The right to fork per se is not at issue. What causes contention is the issue of legitimacy. It is a question of who can credibly and defensibly choose to fork the code, and under what conditions.
Meritocracy
- "Here's my standing on keeping control: I won't. The only control I've effectively been keeping on Linux is that I know it better than anybody else." - Linus Torvalds (Linux creator)

Strategies
- Look for an active community: if it is active, then you have more eyeballs and a more active meritocracy.
- No warranties: how much risk/liability are you comfortable with?
- Use CAPS on your level of liability with downstream clients if you can get them.
- For big projects, you can outsource the warranties.
- Remember, you get what you pay for in open source!

Managing IP Risk
We Have a Problem, Houston
- Code/product is about to ship. You discover that open source code has contaminated your proprietary codebase.
- If you release, you are #$#@$@. If you don't release, you are #$#@$@.

Changing the License
- Generally difficult, and may be prohibited if the new license will break the philosophy or goals of the original license.
- There are some sanctioned exceptions: Affero GPL, LGPL, GPL.
- Otherwise, you must ask the permission of not just your licensor but the entire chain back to the original distributor.
- Clean-room development and re-release.

Making an Open Source Plan, a.k.a. Managing Your IP Risks
Managing IP Risk 1
- How are you going to use the open source code?
- Which license applies?
- What requirements does the license impose? (attribution, etc.)
- Who owns the code?

Managing IP Risk 2
- Contributors
- Mergers & acquisitions

Managing IP Risk 3
- Remember that if you are acquiring a foreign target, you should determine whose laws are going to rule in the event of a dispute.
- USE LOCAL COUNSEL IN OTHER COUNTRIES.
Managing IP Risk 4
- Do you specify projects via specific websites, or do you let people Google for open source projects?
- How do you know that the license is the legitimate license?
- Once a project is in, how do you monitor it and maintain it?
- Where are you going to use it (servers, CDs for distribution as a product in stores, etc.)?
- How do you deal with new versions of the software?

Managing IP Risk 5
- How do you make sure that internal downstream use is aware of open source restrictions so that you don't accidentally run into an external distribution?
- Approval process
- Audit

Third Party Tools to Scrub Code
- Free: www.olex.openlogic.com. Might be a good starting point but, generally, in life you get what you pay for. The scrubber is only as good as its database of open source code, which is constantly growing and changing.
- Expensive (used by Sun Microsystems and Cisco): Black Duck, Palomino.
- Build your own scrubber: IBM doesn't trust anyone but itself to vet its code.
- YOU CANNOT SCRUB FOR PATENTS THOUGH!
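As an added illustration of the "build your own scrubber" idea (this is not code from the presentation, and not any vendor's tool), the script below walks a source tree, inspects each file header for an SPDX tag or a few well-known license-notice phrases, and sorts files into three buckets for the approval process: blocked (copyleft licenses a proprietary, externally distributed product must not ship), detected (a known license that needs the notice and license text carried along per the ground rules later in the deck), and unknown (no recognizable notice, so someone has to check rather than take the contributor's word for it). The signature table, the policy sets, and the sample files are assumptions constructed for the example. As the slide says, a scrubber only finds what is in its pattern database, and nothing here can detect patent exposure.

```python
"""Minimal license-header scrubber (added illustration; assumed signatures and policy)."""
import os
import re
import tempfile

# Assumed signature phrases: each maps a distinctive notice fragment to a label.
# A real scrubber also matches full license texts and code fingerprints.
LICENSE_SIGNATURES = {
    "GPL-3.0":    re.compile(r"GNU General Public License.*?version 3", re.I | re.S),
    "GPL-2.0":    re.compile(r"GNU General Public License.*?version 2", re.I | re.S),
    "LGPL-2.1":   re.compile(r"GNU Lesser General Public License.*?version 2\.1", re.I | re.S),
    "AGPL":       re.compile(r"Affero General Public License", re.I),
    "BSD":        re.compile(r"Redistribution and use in source and binary forms", re.I),
    "MPL-1.1":    re.compile(r"Mozilla Public License Version 1\.1", re.I),
    "Apache-2.0": re.compile(r"Apache License,? Version 2\.0", re.I),
}
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")

# Only the top of each file is inspected, because license headers live there.
HEADER_BYTES = 4096

# Assumed policy for a proprietary product that will be distributed externally:
# strong-copyleft licenses are blocked outright; anything else that is detected
# still needs its notice and license text shipped with the product.
BLOCKED = {"GPL-2.0", "GPL-3.0", "AGPL"}


def classify(text):
    """Return the set of license labels found in a file header (empty if none)."""
    found = set()
    tag = SPDX_TAG.search(text)
    if tag:
        found.add(tag.group(1))
    for label, pattern in LICENSE_SIGNATURES.items():
        if pattern.search(text):
            found.add(label)
    return found


def scrub(root):
    """Walk a tree and bucket every file by its detected license."""
    report = {"blocked": {}, "detected": {}, "unknown": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(HEADER_BYTES).decode("utf-8", errors="replace")
            rel = os.path.relpath(path, root)
            labels = classify(head)
            if labels & BLOCKED:
                report["blocked"][rel] = sorted(labels & BLOCKED)
            elif labels:
                report["detected"][rel] = sorted(labels)
            else:
                report["unknown"].append(rel)
    report["unknown"].sort()
    return report


# Constructed sample sources (not real project files) covering each bucket.
SAMPLE_FILES = {
    "lib/hash.c": ("/* Copyright (c) 2008 Example Corp.\n"
                   " * Redistribution and use in source and binary forms, with or without\n"
                   " * modification, are permitted provided that ... */\nint h(void) { return 0; }\n"),
    "lib/net.c":  ("// SPDX-License-Identifier: GPL-2.0\n"
                   "/* This program is free software; you can redistribute it and/or modify\n"
                   " * it under the terms of the GNU General Public License as published by\n"
                   " * the Free Software Foundation; either version 2 of the License. */\n"),
    "lib/ui.c":   ("/* This library is free software; you can redistribute it and/or\n"
                   " * modify it under the terms of the GNU Lesser General Public License\n"
                   " * as published by the Free Software Foundation; either version 2.1 */\n"),
    "app/main.c": "/* internal code, no notice */\nint main(void) { return 0; }\n",
}


def build_sample_tree():
    """Write the constructed sample files into a temporary directory; return its path."""
    root = tempfile.mkdtemp(prefix="scrub-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


def demo():
    """Scrub the sample tree and print one line per finding; returns the report."""
    report = scrub(build_sample_tree())
    for rel, labels in report["blocked"].items():
        print(f"BLOCKED  {rel}: {labels}")
    for rel, labels in report["detected"].items():
        print(f"NOTICE   {rel}: {labels}")
    for rel in report["unknown"]:
        print(f"REVIEW   {rel}: no recognizable license header")
    return report


if __name__ == "__main__":
    demo()
```

Run it as-is to see the three buckets on the sample tree, or call `scrub("/path/to/checkout")` on a real one. The "unknown" bucket is the important one in practice: a file with no header is exactly the case where the contributor's assurance has to be verified rather than assumed, and the policy sets should be tuned to how the product is actually distributed (internal use only, servers, shipped media), since that is what decides which obligations trigger.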
The Red Hat Case
- Firestar, which owned a patent on an "Object Model Mapping and Runtime Engine for Employing Relational Database with Object Oriented Software", sued Red Hat and alleged that the Hibernate program infringed the patent.
- On June 11, 2008, the parties announced their unorthodox settlement: the covered products include all software distributed under Red Hat's brands, as well as upstream predecessor versions. The settlement also protects derivative works of, or combination products using, the covered products from any patent claim based in any respect on the covered products.

Jumping Into the Pool
- What are patent pools? Fairy godmothers or future trolls?
- Motivation to join may range from altruism, to access to the patents in the pool, to a share of the overall royalty stream.
- http://www.uspto.gov/web/offices/pac/dapp/opla/patentpool.pdf
Wuxi Multimedia
- 3C Patent Pool for DVD technical standards (Philips, Sony, Pioneer).
- Pool members must grant licenses to essential patents for DVD-Video or DVD-ROM on a non-exclusive basis.
- Requires licensees to grant back to the licensors any essential patents they own.
- Wuxi sued 3C members in 2004 for antitrust violations because 3C allegedly charged a higher licensing rate to Chinese manufacturers. The suit was dismissed for failure to state a claim.

Antitrust
- U.S. DEP'T OF JUSTICE & FED. TRADE COMM'N, ANTITRUST GUIDELINES FOR THE LICENSING OF INTELLECTUAL PROPERTY (1995) ("IP Guidelines"), reprinted at http://www.usdoj.gov/atr/public/guidelines/ipguide.htm.

Open Source Licenses in Plain English (or at least as plain as a lawyer can make them!)
- CAVEAT: These are just some highlights; you need to read the whole thing to fully interpret your obligations.
Some Ground Rules
- Many licenses require that any redistributions include the source, modified source, provide the appropriate notices (some are quite specific regarding the language and the publication method), a change file, and provide a copy of the applicable license.
- Many licenses impose an obligation on the distributor/licensor to also license any IPR they have in the modified code (patent, copyright, trade secret).

Berkeley (BSD-Style) Licenses
- Redistribution (original or modified, source or binary) and use are permitted provided:
  - Include notice, license conditions and disclaimer.
  - The name of the author may not be used to endorse or promote products derived from this software without specific written permission.
- Traditional disclaimer of warranty: software provided AS IS.

Mozilla 1.1
- "Commercial Use" means distribution or otherwise making the Covered Code available to a third party.
- "Covered Code" means the Original Code or Modifications or combinations or portions.
- "Larger Work" means a work which combines Covered Code or portions thereof with code not governed by the terms of this License (see Sections 3.7 & 5).
- Include a LEGAL file describing any third-party IP rights to code or implementation of APIs. Ongoing duty.
- Contributor represents that code is original and that they have sufficient rights to grant (Section 3.4).
- If you sue a Participant (Initial Developer or Contributor) for patent infringement, this License shall terminate upon 60 days' notice unless you (see Section 8.2):
  - agree in writing to pay a royalty for past and future use, or
  - withdraw your litigation claim.
Netscape 1.1
- Incorporates Mozilla 1.1 plus extra.
- Licensor's Branded Code is excepted from this License even if it intersects with Covered Code.
- Licensor may be contractually limited from providing third-party code in the Covered Code. Third-party code may be integrated into the Covered Code without triggering this License.
- Licensor can include Covered Code in other Licensor products for 2 years before the provisions of this License are triggered.

GNU General Public License - Version 2, June 1991
- Preamble: Freedom means libre, not gratis. Think free speech, not free beer. (Picture of beer.)
- 0. License applies to any program with the GPL notice. Activities other than copying, distribution, and modification are not covered by this License. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
- 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For FSF software, write to the FSF, which may make an exception for this. The decision will be guided by preserving the free status of all derivatives and the sharing and reuse of software generally.

Affero (AGPLv1)
- The GNU GPL does an excellent job of protecting freedoms for users and developers, but there are questions about the applicability of the license for software that is run over a network.
- This is based on the GNU GPL except for section 2(d).
GNU Lesser General Public License - Version 2.1, February 1999
- Preamble: Applies to specially designated software packages, typically FSF libraries and those who use this license.
- Any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.
- This license permits linking certain libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two (according to FSF) is a derivative work of the original library. The ordinary GPL therefore permits such linking only if the entire combination fits its criteria of freedom.
- 5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the Library". The executable is therefore covered by this License.

GNU General Public License - Version 3
- Section 3: No covered work shall be part of a technological measure fulfilling [legal copyright] obligations.
- Section 8: Allows cure prior to termination and reinstatement; kinder and gentler than GPLv2.
- Section 11: Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential claims to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. No discriminatory license deals.

Questions
Ria Farrell Schalnat
Patent Attorney & Counsel
President of CincyIP
2200 PNC Center
201 East Fifth Street
Cincinnati, OH 45202-4182
(513) 651-6426
(513) 651-6981
rschalnat@fbtlaw.com
www.frostbrowntodd.com
Sources
- The Success of Open Source, Steven Weber
- Law Seminars International, Open Source Software, June 9, 2008
- Computer Software Agreements by Quitmeyer, Ridley, and Matuszeski
- Computer Contracts, Roditti
- Various websites associated with open source licenses