I have borrowed a headline from an earlier posting by Shane Schick to discuss something I saw this week. McAfee filed a report last month with the Securities and Exchange Commission that made a few statements about risks associated with their use of some Open Source software. These statements received quite a bit of media attention.
According to Information Week, McAfee’s statements included:
“To the extent that we use ‘open source’ software, we face risks,”
“Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software,”
Discussing this SEC filing, reporters continued to talk about software being “infected” by the GPL, as if this was some sort of disease one can accidentally contract. While much of the media attention blew the issue out of proportion by suggesting that McAfee was already aware of license violations, the all too common underlying misunderstanding stands.
There is a lot of FUD (Fear, Uncertainty, and Doubt) spread about Free/Libre and Open Source (FLOSS) licenses. While companies dependant on older competing business models suggest these licenses are complex or “ambiguous”, the reality is quite the opposite.
The first thing to realize about licenses like the GPL is that they are not End User License Agreements (EULA). From the perspective of someone acting as an “end user” the way the Canadian Alliance Against Software Theft (CAAST) categorizes people, you don’t need to read the license at all. All you need to do is know that the software is under a license that has been approved by the Free Software Foundation or the Open Source Initiative. Once you have checked the license, you know certain things are true based on the definitions of Free Software and Open Source Software from those organizations:
- Without additional permission or payment, you may install and use the software on as many computers as you wish. These can be your own computers, or the computers of anyone else that wants to use the software.
- Without additional permission or payment, you may make verbatim copies of the software and share it with anyone
Where the additional terms of the wide variety of FLOSS licenses come into play is when someone is acting as more than an “End User”, and are a software firm or otherwise wanting to do things such as modify the software and distribute modifications. These are activities which are prohibited by most non-FLOSS licenses, and anyone who wants to carry out these activities has to sign contracts with the software copyright holder. These contracts are often unique to a specific relationship between two firms, and can’t be studied once and used many times like a FLOSS license.
I would put the relative simplicity of most FLOSS licenses against most of these developer contracts any day. While FLOSS licenses are often written with the aim of being able to be read by independent software authors without the help of legal council, many contracts between software firms will be written by the legal team at one firm with the intent to be read by the legal team at another firm.
The next question to ask is whether incorporating software is ‘inadvertent’.
No matter how software comes into your firm, your employees need to know that they can’t just cut-and-paste willy-nilly without having someone approving the outside software being incorporated. Any use of third party code must be fully documented, so that you are able to know your legal obligations.
If third party software is being added to your code base without anyone documenting this, then you don’t have a problem with a license or contract, you have a human resources problem. You should be adequately training your employees about this type of activity, clarifying for them that just because software is publicly available on the Internet does not mean that it is in the public domain. In fact, given the excessively long length of Copyright there is extremely little software that is in the public domain (largely stuff from the 1980’s dedicated to the public domain). You should have strict policies in place at your firm such that your employees know that if their willy-nilly undocumented cut-and-pasting is ever caught, that their employment will be terminated. It really should not matter if the source is publicly available FLOSS software or code from a business partner that happens to be visible to your employees.
While I encourage independent developers and software firms to decide to actively participate in FLOSS projects to receive the benefits of intended sharing, I have no sympathy for those who infringe software copyright. Using FLOSS software is the best solution to solve software copyright infringement available to end users, as the things they wish to do (install on many computers and share with friends) are already authorized without additional permission or payment. For software firms there is simply no substitute to running a professional shop and actually reading the contracts and license agreements you are binding yourself to by incorporating third party software, no matter what the source of that software.
I guess there is an irony with a company that is an active member of an organization called The Canadian Alliance Against Software Theft (CAAST) admitting in a US SEC filing that they are not sure whether they run a professional shop, and whether they might themselves be infringing copyright.