Open Source Software
Hidden liability risk in your company?
18 July 2019
A major consequence of digitalisation is the drastic increase in the types of software used in every field of business. This is not limited to the Tech sector and its big players like Google, Facebook or SAP & Co. Any large company nowadays uses software beyond the absolute basics of operating systems, text processing programs or web browsers. Companies employ software and computer programs for a vast variety of processes, and maintain huge databases. Software supports – or even replaces – production processes, boosts communication and increasingly becomes the main asset of start-ups.
This fundamental importance of software for the contemporary economy is reason enough to direct our attention to specific legal problems in this field. Of course, software issues are a modern, classic aspect of Intellectual Property Law. Software and computer programs make for a fair amount of Copyright Law and, sometimes, Patent Law work. One rather unfamiliar aspect of software-related matters is Open Source Software (OSS). This is astonishing since nearly every complex piece of software employs OSS code.
This article is meant to provide you with an overview of the factual and legal implications of OSS. Based on these principles, we focus on liability risks that come along with the use of OSS in a company. Is your company also affected? Find out!
What is Open Source Software?
OSS is software, or more precisely, a group of computer programs, which is distributed under publication of its source code. The source code is the text written in a computer language which contains the control commands to be processed by a computer. The opposite of OSS is proprietary software, where the owners keep the source code confidential and only distribute the software in binary code (also called "object code"). The object code is the machine-readable compilation of the source code. Computers can only process data in binary form, i.e. zeros (0) and ones (1).
Thus, OSS gives software developers the opportunity to analyze the structure of the computer program and identify weaknesses or develop improvements. Further, OSS is normally free to use, copy, modify and combine with other works. However, free in this context does not mean that there are no license conditions. Actually, OSS is licensed under standardized license texts with certain standard license obligations for the user.
Such standardized license models are, among others, the MIT license, the Berkeley Software Distribution (BSD) license, the Apache 2.0 license or the important GNU General Public License (GPL) in its versions two and three. Each text varies in its obligations, and the licenses range from permissive ones with nearly no restrictions (see MIT and BSD licenses) to strict license conditions imposing harsh restrictions on users and developers (see GPL).
Many popular standard software tools are OSS. There are OSS operating systems such as Linux or Android for mobile phones that are alternatives to the proprietary systems like Windows or Apple iOS. In the field of application software, there are Mozilla Firefox and Thunderbird which are OSS alternatives to Microsoft products like Internet Explorer or Outlook. Another example is GIMP (GNU Image Manipulating Program) which is an alternative to Adobe Photoshop. This list could go on and on.
OSS is also very important in modular software development. There are reams of OSS libraries and frameworks, i.e. programs that form templates for known problems in software development. Programmers can download these libraries and frameworks from internet sources such as GitHub and implement them into their software projects in no time. And since there are so many great OSS projects, many software modules of individual software consist of OSS code to a lesser or greater extent.
OSS tools will become more and more important because many Big Data applications such as Apache's Hadoop, Spark or Storm are used by Tech giants like Amazon, Facebook, IBM or Twitter. It also plays a crucial role in embedded systems in the Internet of Things ("IoT") where the operating software may be OSS. It is also expected that autonomous driving software might contain a significant amount of OSS code.
What are the risks of using or implementing Open Source Software?
As already indicated above, OSS comes with more or less strict license conditions. One obvious risk is the lack of awareness of the license conditions. It is important to note that many OSS license models, in particular the widespread GPL version 2, provide for an automatic termination of the granted license in case of breach of license conditions.
Since Intellectual Property Law foresees liability for cease-and-desists regardless of negligence or fault, a breach of license conditions may lead to the automatic termination of the right to use the OSS and, consequently, to warning letters and/or preliminary injunctions against OSS owners. Such cease-and-desist consequences might range from simple workarounds that only require a few hours of work to major obstruction of a business if the OSS is a major component which may not be easily replaced by other code. In the latter case, the economic risk could be tremendous.
Besides cease-and-desist claims, users of OSS in breach of OSS license conditions could be subject to damages claims. Two aspects mainly arise in this context: on the one hand there must be fault or negligence by the user, and on the other hand the amount of damages is not easily determinable. Regarding negligence, users may not effectively defend themselves by proving that they did not know the OSS license conditions and/or their breach thereof. The lack of an OSS license management or compliance system could be sufficient to establish negligence. With regard to the amount of damages, breaching users may not refer to the software being available free of charge. At least in German law, damages could also be determined by the investment time and cost saved by using OSS libraries or frameworks. In other jurisdictions, there could also be punitive damages. In particular, international businesses should be very aware of OSS legal implications.
One of the most prominent problems in the context of OSS is the "Copyleft" effect. What is the Copyleft effect? According to the Free Software Foundation’s definition:
“Copyleft is the general method for making a program free software and requiring all modified and extended versions of the program to be free software as well.”
This means Copyleft is a means to keep the program and all modifications of it Open Source. It is in contrast to the traditional goal of Copyright Law to award exclusive rights to the creator of a work. This is also the reason for the peculiar term "Copyleft" – whereas Copyright means exclusivity, the "Copyleft" effect goes in another direction.
The Copyleft effect is not a characteristic of every OSS. It depends on the applicable OSS license. As the Copyleft effect is probably the most restrictive obligation in an OSS license, the Free Software Foundation – which is responsible for standardizing OSS license texts – distinguishes three main groups of OSS licenses:
- Strong Copyleft Licenses,
- Weak Copyleft Licenses and
- Permissive Licenses.
Strong Copyleft Licenses require any modification of an OSS to be licensed under exactly the same OSS license as the original OSS. Prominent examples of these licenses are the different versions of the GPL.
The Copyleft effect is triggered when the modified software is distributed (as is the wording in the GPL Version 2) or conveyed (as is the wording in the GPL Version 3). These broad terms trigger the Copyleft effect without a doubt if the modifications are made publicly available over the internet.
The strong Copyleft effect is sometimes also referred to as the "viral effect". This is because combining proprietary source code with OSS code, and thereby modifying the OSS, potentially triggers the Copyleft effect on the entire code assembly. The proprietary code will be "infected" with the Copyleft license. If the new modification is distributed or conveyed, it legally must be under the strong Copyleft license. If such publication under the OSS license is omitted, it leads to the aforementioned liability risks.
You might ask: "How shall anybody take notice of this?" Do not feel too secure. If your company's work based on strong Copyleft OSS is publicly available, OSS right owners may detect the implementation of their OSS code with specific tools. Even if such software work is only conveyed intra-group, whistleblowers pose a risk to your software development investment.
Weak Copyleft Licenses also contain the described obligation to publish modified works under the same license texts, though not generally and only in specified cases. Examples of Weak Copyleft Licenses are the GNU Lesser General Public Licenses ("LGPL") or the Mozilla Public License ("MPL"). Both employ specific delimitations between Copyleft-affected use and unrestricted use of the affected OSS code. In case of doubt, a technical expert in collaboration with a legal expert should assess the risk of Copyleft effects if you detect Weak Copyleft Licenses in your software stack or seemingly proprietary code.
Permissive Licenses generally are admissible without greater concerns. This is especially true for the very popular MIT and BSD Licenses. However, there are still license terms to respect. While the MIT and BSD Licenses are very short, another popular Permissive License is Apache 2.0, which indeed contains several obligations that might interfere with other OSS and even in-licensed proprietary software.
Finally, you might also encounter OSS license texts with an option to choose if a Strong Copyleft effect or a similar effect will be triggered (e.g. the Artistic License 2.0 which is not overly popular).
Summing up, the Copyleft effect poses immediate risks to your investment in software development. The inclusion of Strong Copyleft licensed code and the "wrong" inclusion of Weak Copyleft licensed code might lead to a vulnerable situation for your software-dependent business. Developing or in-licensing a workaround comes with huge effort and costs, especially if the OSS is included deep down in your software's code. Sometimes a workaround might not even be possible – the absolute worst-case scenario.
Another relatively unknown risk among software developers is OSS license compatibility. Because the Copyleft obligations urge you to put modifications under exactly the same strong Copyleft License as the implemented OSS, they might interfere with other license texts demanding the same. This is the scenario where Copyleft Licenses may cause issues.
A conflict might also arise between a Copyleft and a Permissive License. For example, the GPL Version 2 is considered incompatible with the permissive Apache 2.0. This is due to the fact that the GPL Version 2 prohibits imposition of further restrictions on the recipients' exercise of granted rights. The Apache 2.0 provides for such a further restriction by automatically terminating the license in case a licensee brings a patent infringement lawsuit against the patent owner of the licensed subject matter.
Prominent incompatibilities are the abovementioned GPL Version 2 & Apache 2.0, GPL Version 2 & GPL Version 3 or Apache 2.0 and MPL.
What makes matters even worse is that many widespread software libraries include loads of OSS – but not necessarily all compatible with each other. Therefore, your software development department might have included a library in your software solution that contains inextricable incompatibilities. And the mere fact that many people and companies use those libraries does not justify the potential infringement of OSS owners' legal rights.
Compliance and criminal liability
In most jurisdictions, patent and copyright infringements are criminal or administrative offenses. Further, most jurisdictions do not require knowledge of the infringement and negligence is sufficient. This poses another risk to your company and even the personal interests of CEOs and managers. OSS management is a compliance issue like Data Protection, Bribery and Money Laundering, albeit relatively unknown.
However, this might change with digitalization altogether. With the increased importance of software in all parts of business and everyday life, it is just a matter of time until the first "blockbuster" OSS cases will be discussed on a larger scale. Not having implemented a viable process for verifying OSS compatibility and compliance with Copyleft licenses might easily result in a claim for negligence.
Is your business affected?
To answer this question, you might ask yourself the following questions: Does my business develop software or has the business instructed external software developers to develop custom software solutions? Have I ever heard about the Copyleft effect or OSS license compatibility? Have we ever screened our proprietary code for OSS code? Do we have a code clearing system? (How) do we counter these risks in collaboration with third parties?
If the answer is "yes" for the first question and "no" for the others, there is a realistic chance your business might be affected by OSS-induced risks. It might be a good idea to put OSS on the agenda and right the ship, if and as necessary.
Summing up, software is becoming unavoidable in the age of digitalisation. Being aware of OSS means knowing one of the riskiest and most under-the-radar pitfalls of our time. Good news: the risk may be mitigated by instituting good processes, raising awareness and training employees. Avoid liability, loss of investment and compliance issues and update your business management processes for the future.