Previously published in The Lawyers Weekly, May 30, 2008

Many open source licences are only two or three paragraphs long and read more like a manifesto than a traditional software licence. The simple but unorthodox nature of open source licences, along with the fact that the software is provided "free," has lulled many into a false sense that these licences must surely be unenforceable and that the use and redistribution of open source software will have no consequences.

This attitude belies the fact that despite a superficial and non-legalistic veneer, open source licences rely on traditional copyright principles and contract law – albeit in a non-traditional way – and therefore are prima facie enforceable. However, despite widespread adoption and significant use of open source software over the past 20 years, little jurisprudence has developed to determine exactly to what extent open source licences will be enforced.

In light of the dearth of case law, many have been carefully watching four recent claims brought by the Software Freedom Law Center (SFLC) in the U.S. District Court for the Southern District of New York. These are purportedly the first claims in the U.S. regarding the GNU General Public License (GPL), one of the most common and influential open source licences. The New York-based SFLC provides legal representation to non-profit open source developers and projects to protect and foster the development of open source software.

The SFLC acted on behalf of the developers of the popular BusyBox software utility collection, which is widely used in embedded form in devices. BusyBox is licensed under version 2 of the GPL.

The first claim was against Monsoon Multimedia Inc., a manufacturer of multimedia products, on Sept. 20, 2007. This was followed by similar infringement claims on Nov. 21, 2007, against High-Gain Antennas and Xterasys Corporation, both manufacturers of wireless access points and networking products.

Then, on Dec. 7, 2007, the SFLC filed its fourth claim — against Verizon Communications Inc., the second-largest telecom provider in the U.S., which distributed routers containing BusyBox code manufactured by the co-defendant, Actiontec Electronics Inc. This was the largest target yet for an open source claim.

Each claim alleged that the defendants had distributed products with embedded BusyBox software without providing the modified source code, contrary to the terms of the GPL. A key and distinctive provision of the GPL is that any re-distributor of modified GPL code must provide access to downstream recipients of such code.

The BusyBox developers sought both an injunction and damages arising from the infringement.

Each case was settled in short order. Monsoon Multimedia settled at the end of October 2007; Xterasys in December 2007; High- Gain Antennas on March 6; and Verizon and Actiontec on March 17.

In each case, the announced settlement was that in exchange for the dismissal of the lawsuit and the right to continue to use the GPL software at issue, each vendor agreed to four conditions:

  1. appointing an "Open Source Compliance Officer," whose responsibility is to monitor the use of GPL software compliance of the vendor;

  2. publishing the source code for the BusyBox software at issue;

  3. undertaking "substantial efforts" to notify previous customers of the devices to their rights under the GPL; and

  4. paying a confidential settlement amount to the plaintiffs.

It is likely the possibility of an injunction that led the various defendants to quickly settle the claims. It can also be inferred that in each case, none of the defendants were willing to try their luck that the courts would find the GPL unenforceable.

For those seeking clarity on the enforceability of open source licenses, the settlement of these claims is disappointing because we will have to wait longer for instructive case law.

Although settled, these lawsuits are thought to reveal a growing assertiveness in the open source community to enforce open source rights and licences. The fact that the defendants each settled the claims in short order (despite – in at least Verizon's case – having the deep pockets to defend the claim to a judicial resolution) also suggests that the claims had serious merit.

In light of these developments, companies should redouble their efforts to ensure compliance with open source licences, and be aware that there are real risks to their contravention.

The risks of careless use of open source software have become more acute and uncertain with the advent of version 3 of the GPL, released in June 2007, which adds novel and controversial terms regarding the use of embedded software and deemed patent cross-licences by licensors.

As a preventive measure, companies may want to consider adopting an emerging best practice, as revealed by the BusyBox settlement terms. In much the same way that companies are appointing privacy officers to monitor privacy compliance, companies that use and redistribute open source software may be well-advised to appoint an open source compliance officer to monitor open source usage and licence obligations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.