Do you know what open source software is? Does your company run open source software on its servers? Do your proprietary software products incorporate open source code? Are you distributing open source code in accordance with open source licensing agreements? Do you know what the terms and obligations of those agreements are? These questions and more must be answered before prudent companies can feel secure in their technology infrastructures or software development, distribution, and licensing strategies.
In recent years, open source software has become a force in the software industry. Once considered to be fringe software with little use except in academia, open source software programs are now being implemented in a multitude of institutions ranging from startup companies to the Fortune 500 firms. Open source software manages the smallest file servers and the largest, most complex databases. Today, a significant number of web sites are hosted by Apache, an open source web server, and thousands of companies run Linux, an open source operating system.
Using open source software can be a cost effective way to develop and distribute software. However, every technology officer, director, manager, and general counsel must consider the legal ramifications associated with incorporating open source software into their company’s software development strategy. Software vendors must consider the potentially viral effect of incorporating open source software into proprietary code that is protected as a trade secret. All companies must understand how the open source software model differs from the traditional proprietary software model as well as the risks and benefits associated with open source implementations.
Proprietary Model vs. Open Source Model
The proprietary and open source software models differ in their treatment of software source code. Source code is the human readable form of software and is distinguishable from object code, which is the machine readable form.
Traditionally, compares have treated source code as a trade secret to gain a strategic advantage over competitors by not allowing competitors to see how the software code was written. Companies routinely licensed only the right to use object code. By protecting the secrecy of source code, those companies reaped profits from software licensing fees and fees from ancillary products and services, such as software support, bug/fix requests, documentation, and custom modification development. This industry practice has been followed by an overwhelming majority of companies for decades and continues to remain a profitable and widely used model today.
In contrast, the open source model refers to distribution of source code under a license that requires source code to be revealed and typically permits anyone to use and modify that code. The open source model takes traditional software development thinking and flips it on its head, sometimes referred to as “copyleft” in lieu of “copyright.” Under the open source model, software is “freely” distributed in source code as well as object code. The term “freely” in the open source model does not, however, refer to price; rather it refers to a licensee’s freedom to view, modify, distribute, incorporate, copy, and create derivative works from the source code. Companies profit in this model from ancillary services and support agreements, not from the value of a trade secret.
Companies use open source software because it can drastically reduce the cost of software development, allowing them to incorporate and modify functionalities found in previously developed systems and eliminating the need to develop software “from scratch.” Additionally, companies benefit from having programmers around the world collaborate with their own programmers to solve problems and develop more efficient programs. Before companies ever decide to take advantage of these benefits, though, they must first fully understand the potential pitfalls.
Open Source Risks
Understanding open source risks usually starts with analysis of the license that governs the particular software code. There are many forms of such licenses, but a widely used form is the GNU General Public License (GNU GPL), which is published by the Free Software Foundation. The Free Software Foundation holds copyright in the GNU GPL and prohibits modification of the document. Open source licenses vary in terms from harmless to devastating, and companies must understand the different obligations associated with them. The most notorious and restrictive open source licenses impose radical contractual obligations on licensees. For example, if a company programmer incorporates a single line of open source code retrieved from the internet into the company’s proprietary software program, that programmer may have “infected” the proprietary software with open source code. According to the terms of one open source license, that company is now obligated to freely distribute all of the company’s proprietary code as a result of inclusion of just one line of open source code. This can take place without management even knowing it has occurred. Such a result could be devastating and could compel a company essentially to give away trade secrets to competitors, thereby diminishing the value of the company’s assets and the value of the company in the acquisition marketplace.
At the time of this publication, no U.S. court has determined the validity or enforceability of open source licenses. In what is publicized as the first lawsuit to enforce the terms of the GNU GPL, the developers of an open source software program brought an action in September 2007 alleging copyright infringement by a company for not distributing source code to its customers, according to the terms of the GNU GPL.1 The defendant subsequently issued a press release announcing that it is in settlement negotiations with the plaintiffs to resolve the matter and that it intends to fully comply with all open source software license requirements. The parties announced on October 30, 2007 that they have reached an agreement and that the lawsuit will be dismissed. The plaintiffs have agreed to reinstate Monsoon Multimedia’s rights to distribute BusyBox software under the GPL, and Monsoon Multimedia has agreed to publish the BusyBox source code, to undertake substantial efforts to notify previous recipients of their rights, and to appoint an Open Source Compliance Officer to ensure GPL compliance. Monsoon Multimedia has also agreed to pay an undisclosed amount of financial consideration to the plaintiffs. Another risk for public companies is a Sarbanes-Oxley violation for inaccurately reporting the value of the company’s intellectual property assets. Because Sarbanes-Oxley states that intellectual property ownership is “material information,” the Act requires strict controls and reporting mechanisms regarding the ownership of such assets. If a public company fails to institute audit and reporting systems regarding a company’s open source software usage, the company may not be able to truthfully report material information regarding ownership of its intellectual property assets. Commentators continue to debate the impact that Sarbanes-Oxley’s reporting requirements have on companies using or implementing open source software.
As the foregoing examples demonstrate, implementing open source code creates risks that management should not ignore. No company should wait for a court ruling or an SEC investigation before determining whether open source code already is, or will be, a part of its technology infrastructure or software development strategy. Companies should audit their software portfolios to determine current open source usage and to evaluate the costs and benefits of future open source development. To the extent companies have implemented or choose to implement open source code, they must obtain and analyze the licenses associated with that code.
Open source software can be a flexible, affordable, and widely collaborative tool that companies can profitably use, even within a traditional proprietary software model. However, a full understanding of the legal and business ramifications associated with open source development is essential to avoid open source pitfalls and maximize return on investment.