Non-compliance with the terms of an Open Source license is, in our experience, usually inadvertent. Many companies that use Open Source software in their development process do not fully understand their obligations and/or do not have sufficient procedures in place to ensure that each of their obligations are fulfilled. However, for many companies, the lack of attention to license compliance is also guided by the idea that the risks of non-compliance are minimal. While the risk of facing a lawsuit related to one’s non-compliance with the terms of an Open Source license was once remote, there has recently been a flurry of lawsuits focused on alleged violations of the GNU General Public License (the "GPL"), the most commonly used form of Open Source, or Free, software license.
The principal player in these lawsuits is the Software Freedom Law Center ("SFLC"). Founded in 2005, the Software Freedom Law Center provides support to Free and Open Source software projects that are in need of legal, financial and administrative support. In September 2007, the SFLC filed the first ever U.S. copyright infringement lawsuit based on a violation of the GPL on behalf of two developers of BusyBox, a program that provides Unix system utilities for use in embedded systems. The suit, "Erik Anderson and Rob Landley v. Monsoon Multimedia Inc." claimed that Monsoon Multimedia Inc., a distributor of a wireless video streaming device, infringed the copyright of the developers of BusyBox by distributing the BusyBox program in its device and, in violation of the GPL, the license under which BusyBox is distributed, failing to make the source code available to recipients of the Monsoon device.
Approximately one month after the lawsuit was filed, the parties agreed to dismiss the lawsuit and reinstate Monsoon Multimedia’s license to distribute BusyBox. Monsoon Multimedia also agreed to appoint an Open Source Compliance Officer within its company, publish the source code for the version of BusyBox it previously distributed on its Web site, and to notify previous recipients of BusyBox from Monsoon Multimedia of their rights with respect to the BusyBox program under the GPL. The settlement also provided for an undisclosed amount of financial consideration to be paid by Monsoon Multimedia to the plaintiffs.
On November 19th, 2007, a second round of GPL-based lawsuits was filed by the SFLC on behalf of the developers of BusyBox. As in the Monsoon case, the defendants in the two suits, Xterasys Corporation and High-Gain Antennas, LLC, were accused of distributing the BusyBox program without making the source code to such program available to its recipients. On December 17th, 2007, the SFLC announced that its clients had agreed to settle the lawsuit with Xterasys Corporation on substantially similar terms as the settlement with Monsoon. As at the time of writing this article, there had been no further announcement regarding the lawsuit against High-Gain Antennas, however, it is noted that its Web site includes the following statement: "High-Gain Antennas is committed to meeting the requirements of the open source licenses including the GNU General Public License (GPL) and will make all required source code available".
On December 6th, 2007, the SFLC filed its fourth lawsuit on behalf of the developers of BusyBox. The defendant in this lawsuit is Verizon Communications, one of the largest broadband and telecommunications providers in the United States. As in the previous lawsuits filed on behalf of BusyBox, the suit alleges that Verizon Communications infringed the copyright of the plaintiffs by distributing BusyBox as part of its wireless routers without providing the source code to the BusyBox program to the recipients of the device. The plaintiffs request that an injunction be issued against Verizon and that damages and litigation costs be awarded to the plaintiffs. At the time of writing this article, no further developments regarding this lawsuit have been announced.
While it is too soon to know the lasting effect of this recent spate of lawsuits, no longer can companies that distribute products that include Free and Open Source software dismiss the possibility that they may be sued if they fail to comply with the terms of the license that govern their use and distribution of such software. The successful settlement of the BusyBox lawsuits may encourage the authors of other Free and Open Source programs to take legal action to enforce their rights. The threat of litigation may also result in the settlement of more private enforcement actions.
Faced with the increased risk of legal action, companies that distribute Open Source and Free software as part of their products should ensure that they have implemented sound policies and procedures regarding the use and distribution of third-party software. In addition, companies that are considering the acquisition of other businesses or technology should ensure that they are fully aware of open source software usage by such businesses and in such technology. In many cases, an audit of third-party software usage is the best protection against future surprises. 1
Free Software Foundation Publishes Clarification of GPLv3 2
In June, 2007, the Free Software Foundation ("FSF") published the much anticipated Version 3 of the General Public License ("GPLv3"). Despite the wide-spread use of Version 2 of the General Public License ("GPLv2") for the licensing of Free and Open Source Software, the FSF concluded that GPLv2 had some shortcomings. In particular, the FSF thought that the issues of software patents and digital rights management, which the FSF regards as threats to the freedoms that it seeks to protect, were not adequately addressed in GPLv2.
With respect to the issue of patents, the FSF included in GPLv3, amongst other patent-related provisions, a limited patent retaliation clause which provides that the license to use the GPLv3-licensed program is terminated if a licensee brings a claim for patent infringements against the licensor of the program. Since the publication of GPLv3, some commentators have expressed concern regarding the meaning of the word "Program" as defined in the GPLv3 and its effect on the scope of the patent retaliation clause.
GPLv3 defines the term "the Program" as follows: "…any copyrightable work licensed under this License." Some have suggested that the use of the word "any" means that the term "the Program" refers to "all works ever licensed under the GPLv3" and not the singular work that is received by the licensee.
Those who suggest that "the Program" has the broader meaning, argue that the patent retaliation clause prevents a licensee of a GPLv3 program from bringing a claim for patent infringement against the licensor of any GPLv3-covered program, and not just the program that is being used by the licensee. Such commentators have also expressed concern regarding the impact of the broader interpretation of the term "the Program" on the express patent license grant under the third paragraph of Section 11 of the GPL.
To address these, concerns, the FSF has recently published a clarification of the meaning of the term "the Program". It has expressly stated that the term "the Program" means:
one particular work that is licensed under GPLv3 and is received by a particular licensee from an upstream licensor or distributor. The Program is the particular work of software that you received in a given instance of GPLv3 licensing, as you received it.
To read the FSF’s discussion and analysis of the meaning of the term "the Program", visit http://www.gnu.org/licenses/gplv3-the-program.html.
The GNU Affero General Public License: SaaS Providers Beware!
While much attention has been paid to the publication by the Free Software Foundation ("FSF") of the GNU General Public License version 3 ("GPLv3"), considerably less attention has been given to the recent publication by the FSF of the GNU Affero General Public License Version 3 ("AGPLv3").
Published in November, 2007, AGPLv3 is based on GPLv3, but includes an added provision that allows users who interact with the licensed software over a network to receive the source code for that program. This additional term could have a significant impact on companies who use open source software as part of their Software-as-a-Service ("SaaS") model.
Under a SaaS model, rather than providing customers with copies of software to install on their own computers, the SaaS provider hosts the software on its own servers and delivers the functionality of the software to its customers over the Internet. As copies of the software are not distributed to its customers, SaaS providers have generally not had to concern themselves with the distribution provisions of open source licenses such as the GNU General Public License ("GPL"). For example, the source code to modifications made to GPL-covered software could be retained internally and did not have to be shared with users of the SaaS service. This will no longer always be the case.3 SaaS providers will have to disclose the source code to modifications it makes to the AGPLv3-covered software. A failure to have appropriate policies and procedures in place regarding the use of AGPLv3 covered software could result in a SaaS provider having to reveal some of its key innovations to its competitors.