Introduction

Do you know what open source software is? Does your company run open source software on its servers? Do your proprietary software products incorporate open source code? Are you distributing open source code in accordance with open source licensing agreements? Do you know what the terms and obligations of those agreements are? These questions and more must be answered before prudent companies can feel secure in their technology infrastructures or software development, distribution, and licensing strategies.

In recent years, open source software has become a force in the software industry. Once considered to be fringe software with little use except in academia, open source software programs are now being implemented in a multitude of institutions ranging from startup companies to Fortune 500 firms. Open source software manages the smallest file servers and the largest, most complex databases. Today, a significant number of web sites are hosted by Apache, an open source web server, and thousands of companies run Linux, an open source operating system.

Using open source software can be a cost-effective way to develop and distribute software. However, every technology officer, director, manager, and general counsel must consider the legal ramifications associated with incorporating open source software into their company's software development strategy. Software vendors must consider the potentially viral effect of incorporating open source software into proprietary code that is protected as a trade secret. All companies must understand how the open source software model differs from the traditional proprietary software model as well as the risks and benefits associated with open source implementations.

Proprietary Model vs. Open Source Model

The proprietary and open source software models differ in their treatment of software source code. Source code is the human readable form of software and is distinguishable from object code, which is the machine readable form.

Traditionally, companies have treated source code as a trade secret to gain a strategic advantage over competitors by not allowing competitors to see how the software code was written. Companies routinely licensed only the right to use object code. By protecting the secrecy of source code, those companies reaped profits from software licensing fees and fees from ancillary products and services, such as software support, bug/fix requests, documentation, and custom modification development. This industry practice has been followed by an overwhelming majority of companies for decades and continues to remain a profitable and widely used model today.

In contrast, the open source model refers to distribution of source code under a license that requires source code to be revealed and typically permits anyone to use and modify that code. The open source model takes traditional software development thinking and flips it on its head, sometimes referred to as "copyleft" in lieu of "copyright." Under the open source model, software is "freely" distributed in source code as well as object code. The term "freely" in the open source model does not, however, refer to price; rather it refers to a licensee's freedom to view, modify, distribute, incorporate, copy, and create derivative works from the source code. Companies profit in this model from ancillary services and support agreements, not from the value of a trade secret.

Companies use open source software because it can drastically reduce the cost of software development, allowing them to incorporate and modify functionalities found in previously developed systems and eliminating the need to develop software "from scratch." Additionally, companies benefit from having programmers around the world collaborate with their own programmers to solve problems and develop more efficient programs. Before companies ever decide to take advantage of these benefits, though, they must first fully understand the potential pitfalls.

Open Source Risks

Understanding open source risks usually starts with analysis of the license that governs the particular software code. There are many forms of such licenses, but a widely used form is the GNU General Public License (GNU GPL), which is published by the Free Software Foundation. The Free Software Foundation holds copyright in the GNU GPL and prohibits modification of the document. Open source licenses vary in terms from harmless to devastating, and companies must understand the different obligations associated with them. The most notorious and restrictive open source licenses impose radical contractual obligations on licensees. For example, if a company programmer incorporates a single line of open source code retrieved from the internet into the company's proprietary software program, that programmer may have "infected" the proprietary software with open source code. According to the terms of one open source license, that company is now obligated to freely distribute all of the company's proprietary code as a result of inclusion of just one line of open source code. This can take place without management even knowing it has occurred. Such a result could be devastating and could compel a company essentially to give away trade secrets to competitors, thereby diminishing the value of the company's assets and the value of the company in the acquisition marketplace.

Although no U.S. court has determined the validity or enforceability of open source licenses, on December 7, 2007, the Software Freedom Law Center ("SFLC") filed a complaint in the Southern District of New York on behalf of developers of the open source program "BusyBox" against Verizon Communications, Inc. for copyright infringement and breach of the open source license agreement. BusyBox is a Unix-based software program licensed under the GPL. The SFLC claims that Verizon violated the terms of the GPL when it embedded a version of the BusyBox source code into its "Actiontec MI424WR" wireless router and distributed the router without also distributing the BusyBox source code. The SFLC is seeking not only an injunction to prohibit Verizon from distributing its router without including a copy of the router's source code, but also monetary damages including costs, attorneys' fees, and actual and consequential damages. This is the fourth lawsuit filed by the SFLC on behalf of the BusyBox developers against companies for violating the terms of the GPL open source license.[1] Any ruling in favor of the BusyBox developers and the SFLC would be an unprecedented win for the open source community and the enforceability of the GPL and other open source licenses in general. Conversely, this kind of precedential support for the open source licensing model could result in unpredictable changes in the proliferation and use of open source software. The threat of an injunction and monetary damages presents a quantifiable risk to companies evaluating not only future open source development, but current open source usage.

Another risk for public companies is a Sarbanes-Oxley violation for inaccurately reporting the value of the company's intellectual property assets. Because Sarbanes-Oxley states that intellectual property ownership is "material information," the Act requires strict controls and reporting mechanisms regarding the ownership of such assets. If a public company fails to institute audit and reporting systems regarding a company's open source software usage, the company may not be able to truthfully report material information regarding ownership of its intellectual property assets. Commentators continue to debate the impact that Sarbanes-Oxley's reporting requirements have on companies using or implementing open source software.

Action Steps

As the foregoing examples demonstrate, implementing open source code creates risks that management should not ignore. No company should wait for a court ruling or an SEC investigation before determining whether open source code already is, or will be, a part of its technology infrastructure or software development strategy. Companies should audit their software portfolios to determine current open source usage and to evaluate the costs and benefits of future open source development. To the extent companies have implemented or choose to implement open source code, they must obtain and analyze the licenses associated with that code.

Conclusion

Open source software can be a flexible, affordable, and widely collaborative tool that companies can profitably use, even within a traditional proprietary software model. However, a full understanding of the legal and business ramifications associated with open source development is essential to avoid open source pitfalls and maximize return on investment.

Footnotes

[1] SFLC has also filed similar complaints against Monsoon Multimedia, Inc., Xterasys Corporation, and High-Gain Antennas, LLC for failing to distribute the BusyBox source code in accordance with the GPL open source license. Monsoon Multimedia and Xterasys have since settled their disputes with the SFLC and agreed to pay undisclosed sums of financial consideration to the plaintiffs, appoint Open Source Compliance Officers to monitor and ensure GPL compliance, and distribute the open source code per the terms of the GPL. Further details and copies of these complaints can be found on the SFLC website at http://www.softwarefreedom.org.
