Ongoing legal considerations associated with open source use include license enforcement, dual licensing, and deciding whether to license out your own code.
Modern software development involves putting together software puzzle pieces from a variety of sources, and open source represents an ever-growing and important part of that puzzle. Lawyers need to be aware of all the potential risks that come with using open source components in a commercial codebase if they are to advise their clients and protect them from those risks. This article is the third in a three-part blog series that discusses the costs, challenges, and ongoing implications of open source use from a legal perspective.
Many lawyers act strictly as open source license compliance gatekeepers; after evaluating any potential licensing challenges, they remove themselves from the ongoing management of open source reuse. Given the implications of a security breach or a license enforcement action, for instance, this is a mistake. Lawyers must stay involved and keep driving the continuing management of open source if they are to act in their clients’ or company’s best interests.
One area where ongoing legal participation is particularly important is in license enforcement. The nature of license enforcement/compliance actions in open source has morphed from enforcement for ideological reasons to enforcement driven by companies against other companies for commercial reasons. This company-versus-company enforcement is potentially more concerning for open source users, since it isn’t just about “doing the right thing” but rather motivated by commercial drivers, such as lost revenue or competitive advantage.
The classic example of commercially driven license enforcement is dual licensing. A company, as the copyright holder with the rights to license their software in almost any way they deem fit, may decide to license essentially the same code under two separate licenses. They may license their code under a traditional OEM-style license (typically for a fee) to anyone who wants to take that code and reuse it or embed it in a distributed commercial product without any GPL copyleft concerns. That same licensor may simultaneously license the same, or essentially the same, code under the GPL for those who want to use that code internally or who have no concern for the possible GPL copyleft implications, for whatever reason.
It happens with some frequency that a licensee, either out of lack of good open source management or negligence or as a product of willful misconduct, uses the code licensed under the GPL in their commercial applications where they should have paid for and used an OEM license that reflects their intended or actual use. In this scenario, it’s also likely that the licensee is not adhering to the other requirements of the license and is in breach.
This is straight-up copyright infringement. The GPLv2, under which many of these cases arise, has no cure provision. Accordingly, any breach of the GPLv2 results in an immediate termination of all rights granted thereunder, and thus any continuing use of that software is unlicensed. The dual-licensing scenario presents an easy case for calculating damages because the licensor can look at the OEM side of its business and calculate what the infringing licensee should have paid in royalties had that licensee assumed the correct license in the first place. Dual licensing is not the only scenario in which company-versus-company enforcement arises, but it is frequent and illustrative.
Another area where ongoing legal management is important concerns the licensing out of open source, which many companies consider to be an important part of their business strategy. Companies adopting this strategy may include those who:
The decision to license out one’s own code, especially under one of the permissive-style licenses, should not be taken lightly. Once done, it is very hard, if not impossible, to reverse the implications of that decision. Recently, companies such as Redis Labs and MongoDB have expressed misgivings about building their businesses around permissive open source-licensed platforms in a manner that has allowed others, including competitors, to leverage those platforms without giving any commercial advantage back to the licensors (Redis Labs or MongoDB) or contributing any improvements or developments to the open source community generally.
Differences of opinion exist with respect to how a licensee who takes advantage of open source code exclusively for their own commercial advantage should be perceived, but the fact is that the permissive open source licensing model fully allows for this.
Our new white paper, What Lawyers Need to Know About Open Source Licensing and Management, provides more information on the history and risk of open source software, the challenges related to open source use, and the security implications of open source vulnerabilities. It also offers practical advice for helping your organization or clients.
Matthew Jacobs was Vice President and General Counsel at Black Duck Software, Inc., recently acquired by Synopsys, Inc. He is now a director with the legal group at Synopsys. Organizations worldwide use Synopsys’ industry-leading products to secure and manage open source software, eliminating the pain related to security vulnerabilities, compliance, and operational risk. Matt’s work at Synopsys includes managing licensing and contract negotiation and advising senior management on day-to-day legal affairs. In addition to being a frequent speaker on open source–related topics, Matt routinely advises Synopsys’ customers with respect to leading-edge open source adoption, use, and compliance matters. Prior to joining Black Duck in 2009, Matt was with Bernstein Shur, where he counseled companies on a variety of intellectual property matters, including open source compliance. Before that, he held in-house positions with Cabletron Systems and Standex International. Matt earned his law degree from the University of New Hampshire School of Law and holds a master’s degree in business from Plymouth State University.