Posted by Mark Radcliffe on January 2, 2019
2018 saw developments in many free and open source software legal issues, including copyright, license compliance, patent nonaggression, and antitrust law.
By Mark Radcliffe, Victoria Lee and Chris Stevenson
The year 2018 was a year in which the FOSS business model demonstrated its success: IBM purchased Red Hat, Inc. for $34 billion. The FOSS ecosystem also celebrated its durability: OSI celebrated the 20th anniversary of the open source movement and Linux celebrated its 25th anniversary.
Meanwhile, however, old legal problems returned. The year 2018 has also seen another significant increase in decisions in litigation involving FOSS issues, and several of these cases are very important. This increase in litigation is a reminder of the importance of an active compliance program for all corporations that use FOSS (which now means virtually all corporations). Continuing the tradition of looking back over the top ten legal developments in FOSS, my selection of the top ten issues for 2018 is as follows:
Patrick McHardy, an early contributor to Linux, has been using the threat of litigation in Germany to obtain monetary settlements, essentially acting like a copyright troll. He has been active for five years and is believed to have approached over 80 companies. This number is difficult to estimate because many companies have settled without a court action, and, in any cases, German court proceedings are confidential. McHardy’s litigation activities were first identified publicly in 2016; for a time in 2017, he was not active. However, he has returned, and in early 2018, we saw an important decision in his enforcement action against Geniatech: initially, McHardy won an injunction against Geniatech prohibiting further distribution of its product due to its alleged violation of the GPLv2 for the Linux software. However, in March, 2018, the appellate court in Cologne reversed the decision, ruling that:
McHardy avoided further proceedings by withdrawing his petition for injunctive relief. The finding on “joint ownership” is quite important because if contributors were found to be joint owners of the copyright in the relevant program, it would be very confusing since the effects of joint ownership vary dramatically by country. This case was unusual because McHardy has rarely been in court: his strategy is to threaten copyright enforcement against the company for violation of the GPLv2 through the use of an expedited copyright enforcement procedure available under German law. He then obtains a “settlement” with the company that he alleged had violated the GPLv2. The settlement agreement includes a provision that the company will comply with the terms of the GPLv2, a common term in these types of settlements in Germany. McHardy then returns to the company several months later with another demand based on the settlement agreement; these demands can be for hundreds of thousands of euros. The enforcement of a settlement agreement is considerably simpler than enforcement of the GPLv2 because the enforcement of the GPLv2 raises many novel issues (see the summary of the VMware case below). Although he will sometimes characterize his actions as focused on “compliance,” he is clearly more focused on making money.
RELATED: Who owns Linux?
The EC fined Google €4.34 billion for breaching EU antitrust rules. According to the EC, since 2011 Google has imposed illegal restrictions on Android device manufacturers and mobile network operators to cement its dominant position in general Internet search. In addition, the EC demanded that Google bring the conduct effectively to an end within 90 days of its July 18, 2018 decision or face penalty payments of up to 5 percent of the average daily worldwide turnover of Alphabet, Google’s parent company. According to the EC, Google uses anti-fragmentation agreements to keep manufacturers on Google’s version of Android; currently most Android handsets (in all countries except the PRC) now ship with Google’s software and services bundled on them. Commissioner Margrethe Vestager, in charge of competition policy, identified three restrictions that violated EU antitrust law:
Google has appealed the decision.
Red Hat continued to expand the companies who have agreed to the GPL Cooperation Commitment, which is a statement, signed by GPLv2 and LGPLv2.x copyright holders, that gives licensees a “cure” period for projects licensed under GPLv2 and LGPLv2.x licenses to correct unintentional violations before their licenses are automatically terminated. This approach is based on the cure provisions included in the GPLv3. Red Hat has expanded the number of signatories significantly in 2018, from four companies in 2017 (Red Hat, Facebook, Google and IBM) to a total at the end of 2018 of 40. Red Hat is also seeking to convince individual contributors to sign the Commitment. Red Hat has shown significant thought leadership in finding a solution to a significant problem for the community.
RELATED: GPLv2 and the right to cure
OIN has been critical in minimizing the potential for patent litigation in the Linux ecosystem. According to OIN, it is the largest patent nonaggression community in history, with more than 2,750 community members. This year has seen significant new members join OIN, such as Microsoft Corporation, Tencent, Ant Financial and Alibaba. Microsoft was a particularly interesting recruit because as recently as 2014, Microsoft made about $3.4 billion from licensing its patents to manufacturers of products using the Android operating system. OIN also expanded the scope of patent nonaggression agreement to include 151 new packages, bringing the total number of protected packages to 2,873.
The OpenSSL project announced that it had completed its shift from the OpenSSL/SSLeay license to the Apache Software License version 2 (ASLv2). The project announced the proposed change in 2015. The original license, the OpenSSL/SSLeay license, was a nonstandard permissive license and included a number of clauses, particularly relating to attribution, which were common in early FOSS licenses but which had been dropped from more recent FOSS licenses. The process took three years and emphasizes the difficulty of completing such transitions and, thus, the importance of selecting the most appropriate license at the beginning of the FOSS project. The ASLv2 is becoming the favorite license for FOSS projects targeted at the enterprise.
Many blockchain projects are licensed under FOSS licenses. However, the blockchain community has not engaged with the FOSS community and many of their choices seem unusual for infrastructure technologies. For example, the traditional clients of the Ethereum blockchain were licensed under the GPLv3 and LGPLv3.0. However, the blockchain community appears to be becoming more sensitive to these issues and the release of a new client, PegaSys, under the Apache Software License version 2 represents a new sophistication on these issues. The team that developed PegaSys noted: “To get Ethereum to production, we also need to lower the barrier to entry for enterprises. Many companies’ legal or compliance departments restrict them from using software under the Gnu Public License (GPL), which the mainstream Ethereum clients currently use. We have heard stories of enterprises that completed a successful pilot on Ethereum, only to be stopped from going to production because of company policies around OSS licenses. We hope to solve that pain point by releasing Pantheon Core under an Apache 2.0 license and smooth the path for adoption.”
The Court of Appeals for the Federal Circuit (CAFC) published its second decision in the ongoing case of Oracle against Google, ruling that Google’s unauthorized use of 37 packages of Oracle’s Java application programming interface (API) in its Android operating system infringed Oracle’s copyrights. The CAFC overturned the first district court decision to find that the APIs were copyrightable and returned the case to the district court for a decision upon the fair use defense. Once again the district court found against Oracle on the basis that Google’s use of the APIs was fair use. Oracle appealed. The CAFC, once again, overturned the district court decision, finding that Google’s use of the APIs was not fair use as a matter of law. The case has been remanded to the district court to rule on damages. Given the increasing use of APIs in FOSS, this case has important implications for FOSS license compliance in the future.
The sale of Red Hat to IBM for $34 billion is a conclusive demonstration of the ability of open source business models to produce value. Moreover, press reports stated that other Internet giants, such as Amazon, Google and Microsoft, also considered acquiring Red Hat.
Many FOSS companies express concern about the use of their programs by cloud service providers without providing any payments to the FOSS company. Last year, Redis Labs changed the license for Redis modules developed by Redis Labs from AGPL to ASLv2 modified with Commons Clause (these Redis modules are add-ons on top of Redis core like RediSearch, Redis Graph, ReJSON, ReBloom and Redis-ML). It introduced the Common Clause (which it added to its Apache Software License version 2) to limit use of its product by cloud service providers. The introduction of this hybrid license was quite controversial, and very few companies adopted it. Redis Labs, to date, has not sought OSI approval for this license. In October 2018 a group called GoodFORM announced that they were forking the code prior to the addition of the Common Clause and would provide it under the AGPLv3. More recently, MongoDB took a different approach to this issue by revising the AGPLv3 to create the Server Side Public License (SSPL). This license has broader obligations to make Complete Corresponding Source Code available to users of the software. However, MongoDB has announced that it has submitted the SSPL to OSI for approval.
As FOSS has become widely prevalent as a development methodology, SSOs have been working to integrate FOSS approaches into their own processes. However, the methodologies of FOSS projects and SSOs are quite different: FOSS projects run on a more decentralized basis with very different assumptions. One particular source of friction is the common approach in SSOs which provides for members to license their patents on a royalty-bearing basis (under FRAND terms). However, most FOSS communities assume that patents in FOSS projects will be licensed on a royalty-free basis. Although some FOSS licenses have express patent license provisions (such as the ASLv2), the existence and scope of patent licenses in other FOSS licenses are more ambiguous. This difference in approach to royalty payments for patents is creating tension between the FOSS and SSO communities. This issue is unlikely to be resolved in the near term.
Gain insights into important legal developments from two of the leading open source legal experts: Mark Radcliffe, partner at DLA Piper and general counsel for the Open Source Initiative, and Tony Decicco, shareholder at GTC Law Group & Affiliates. Register now to watch live online Feb. 6 at 12 p.m. EST or after on demand.
Get the latest AppSec news and trends sent directly to you.