If you attend a conference concerning Open Source Software, inevitably, the speaker will ask if anyone in the audience is using Open Source. Either everyone in the audience will raise their hands or nobody in the audience will raise their hands. Guess which group is right?
Open Source governance continues to heat up as the intellectual property issue du jour for precisely this reason. These two groups of hands divide into four types of recognition regarding the legal risks attending Open Source. Group 1 has instituted a governance program, as well as an audit of existing software, to control their exposure to risk. Group 2 recognizes that the issue exists but is stymied by the prospect of dismantling the virtual mountain of code that has been incorporated into the company over, perhaps, decades. Group 3 recognizes the issue exists but thinks they don't have to worry about it as all their code is used internally so they won't trigger any of the more notorious provisions of Open Source licenses. Finally, Group 4 hopes the recent case law on Open Source licensing is simply a bad dream that they'll wake up from someday.
If you are in Group 1, good for you, I'm preaching to the choir! Otherwise, each group needs to take more proactive steps to mitigate the risks attendant on Open Source. Why? The Software Freedom Conservancy (http://conservancy.softwarefreedom.org/) just won an Open Source copyright victory, over a set of Unix utilities called BusyBox, against Westinghouse Digital Electronics (7/27/2010) in the Southern District of New York. Judge Scheindlin granted an injunction and awarded enhanced statutory damages to the tune of $90,000 along with attorney's fees. While this was a default judgment, it is the first judgment on record involving the more notorious GPL Open Source license. This builds on the decision from a federal appeals court in 2008 (Jacobsen v. Katzer), which endorsed the enforceability of Open Source licenses in the context of the relatively benign Artistic License. Remember, until two years ago, while many lawsuits were filed regarding Open Source licenses, all of these cases eventually settled, so there was no actual rule of law in the United States regarding the enforceability of Open Source licenses. These two cases, however, are harbingers of further threats of litigation in this area.
This is particularly true in an economy in which companies are merged, acquired, or spun off, or change long-standing practices regarding internal use of code to launch a new product to a previously unidentified market of customers. Increasingly, in these scenarios, downstream buyers are requesting warranties and indemnifications against the pitfalls of Open Source licensing. The inability to provide them can drastically affect the money involved in such deals or open a company to indemnification risks that may not fall under caps established in such agreements.
The good news is that an ounce of prevention is worth a pound of cure. By instituting a governance program and training programmers and managers as to the obligations and risks associated with Open Source usage, companies can immediately begin to contain the costs associated with a more comprehensive audit. For the virtual mountain of code, prioritization is key – determine which projects/products are most important to the company's future initiatives and assign internal levels of trust regarding such source code. This won't solve the issue overnight but it will provide essential education … from there a remediation plan can be implemented without the deadlines of an impending sale or release. Used correctly, Open Source provides a wonderful strategic option for companies to gain access to cost-efficient, cutting-edge software.