The legal ‘perils’ of open source software

Whatever the technological and economic advantages of open source software, there is a potential legal risk from software that doesn’t offer the warranty protection of commercial products. Open source software might violate third-party intellectual property rights if a programmer has added infringing code to your open source application or operating system without your knowledge, exposing your business to potential injunctions and damages claims.

New Zealand law firm Simpson Grierson advises that, because open source code is written by many programmers with no single vendor standing behind it, open source software is usually provided on an “as is” basis, without warranties. And, as has been reported in the Economist magazine and elsewhere, the open source movement’s General Public Licence (GPL) has never been tested to judgment in court.

Genevieve Gill is the principal of a New Zealand commercial law practice specializing in information technology law and commercial contract negotiation. Most of the risks surrounding open source relate to licensing, and Gill’s open source-related work largely revolves around examining those licences and explaining the risks.

“Generally speaking, the clients I’ve spoken with use open source in a fairly application-specific way. They’re not running their entire business on open source software. They tend to use open source in particular areas, and not in mission-critical parts of their business operations.”

The variety of licences is bewildering to those new to open source. There are currently 54 different licences approved by the Open Source Initiative (OSI) for example. Each incorporates different degrees of restrictions regarding copyright notices and the like, but they all grant end-users certain rights. Licences for proprietary software rarely grant the end-user anything other than the right to use the software.

Shiny geek toys

Just because you’re working in the open source world doesn’t mean you should skimp on contracts with contractors and developers, Gill cautions. “Unfortunately, people often have relationships and bring developers in to do development work without properly documenting it. In any decent development contract, you should specify the deliverables, and the specifications and functionality required.

“I have come across cases where the customer has just given the outline of what they want in broad terms, and then it’s very difficult if they don’t get what they like and there’s no specification to tie it back to. But you get good and bad developers everywhere — this isn’t a problem unique to open source software.”

As if to underscore this, Mark Shuttleworth, founder of Thawte (a company that specializes in digital certificates and internet privacy), as well as the Ubuntu project, which promises “a free, high-quality desktop OS for everybody”, has blogged about his bad experiences with open source development.

Shuttleworth found that paying geeks to write code without assigning them managers resulted in “shiny geek toys”, rather than the product he thought he was paying for.

But if your developer leaves you in the lurch for a better paying project, moves overseas or simply goes bust, none of this should be as problematic as it would be with a closed source software house, because you already hold the source code. Under a proprietary software arrangement you normally would not hold the source unless you had an escrow agreement with the vendor.

Under a source code escrow agreement, an independent escrow agent holds a copy of the source code and releases it to the customer if the vendor refuses (or is unable) to support the software, for example because the vendor has gone out of business or the software no longer functions, or under other triggering conditions written into the agreement.

“With open source software, it should be more straightforward to find somebody to step in and fix it up,” says Gill. “Although there are many more people who are used to working on Linux systems than some esoteric piece of software. But again, you have that greater community of potential support.”

Software hoarding

In software coding, the idea of so-called “copyleft” relates mainly to the right to modify and improve code and to freely distribute it. The concept apparently arose when the founder of the free software movement, Richard Stallman, was working on a piece of software that another company asked to use.

Stallman agreed to supply it with a public domain version of his work, the company improved the program, but when Stallman asked to access these improvements, the company refused to show them to him. In order to prevent such “software hoarding”, many open source licences specify that the author of a derived and modified work can only distribute such works under the same or an equivalent licence.

It’s this “business unfriendly” licence, the GPL, that Microsoft Corp. dislikes so fervently. Richard Waid, technical director of IOPEN Technologies Ltd., part of the Effusion Group, says Microsoft doesn’t like the fact that the GPL requires people who modify code to release their modifications to the code. “What’s preferable to them, and you can see why, is to be able to modify my code then sell it without having to offer me the modifications in return.”

But there are open source software licences that don’t have copyleft provisions in them, Gill points out. The risk for organizations using open source code under a licence such as the GPL is that at some point a test case might be heard in the New Zealand courts.

“Right now, it’s largely untested, and that’s both part of the risk and, for some people, part of the fun; certainly for the anti-Microsoft contingent, who are big fans of open source.”

US company The SCO Group is engaged in a “corporate war” with the open source community. SCO claims that many of the most popular Linux distributions violate its intellectual property, and it has sued a number of large companies, including IBM Corp. and car maker DaimlerChrysler AG, in an effort to secure licence fees.

SCO’s litigation also claims IBM “devalued” its version of the Unix operating system by embedding SCO’s intellectual property in the Linux code-base. And while the worst of the action appears to be over, there is still legal action pending.

The indignation in the open source community continues also to run high. “How could they possibly dare to try something like that?” asks Nick Wallingford of Internet NZ, who expresses admiration for the OS software groups that immediately moved to redesign and rewrite sections of the code from scratch to remove any ambiguity about origin and IP rights.

Nevertheless, Donald Christie of Catalyst IT Ltd. in Wellington says SCO is now largely ignored by the free software community. “This has been a watershed case, as it’s forced some of the world’s largest IT companies to take a stand in favor of open source. SCO’s beef turns out to be a contractual issue with IBM, and not an intellectual property issue at all.”

Gill says she isn’t sure how relevant the SCO action is to New Zealand businesses and how much notice they’re taking of it. “It’s complicated, it’s very political and it’s on a completely different scale from what most businesses experience in New Zealand … [which] has a culture where people look at the risks, are mindful of them, and then make a decision about whether they’re prepared to accept those risks.”

Some lawyers, such as US law firm Thelen Reid & Priest, recommend that Linux users not buy the licences SCO has offered as protection against its own legal action. Not only has the response to the licence offer in the US Linux user community been very soft, but New Zealand users are also cynical about SCO’s opportunism.

“I feel it’s part of a general problem. Generally, there are far too many attempts to stifle developments through spurious claims to ‘own’ particular ideas when those ideas are clearly in the common domain,” says Neil James, information technology strategy and policy consultant, and executive officer of the New Zealand vice-chancellors’ standing committee on information technology at the University of Otago.
