An Open Source Software Primer for Lawyers
July 17, 2014
Presentation to the ABA Open Source Committee, Section of Science & Technology Law
Joanne Montague
Davis Wright Tremaine LLP
When legal issues arise
Developing and releasing products containing OSS
Embedding/bundling third party supplied software into products
Running a web-based service using OSS
Using OSS for business operations
Overview
Legal risks
Open Source Software (OSS) landscape
OSS licenses
Key risks to avoid
The open source landscape
Primary Definition of Open Source Software
• Software that is licensed under a license that conforms to the Open Source Definition (OSD)
Community Development Projects
• May be used to produce OSS but not always
• Save in development costs particularly for operations and web-based services
• Promote commercial sales of other software, hardware, and/or support services
OSS licenses
Important requirements of the OSD
Must be royalty free
Must permit modifications and redistribution
Must not require license execution
Must permit code extraction and separate redistribution
Just because you do not need to sign a license does not mean that there are not significant terms and conditions. Nor does it mean that the IP is in the “public domain.”
Permissive and reciprocal licenses
Permissive Licenses
• BSD, MIT, Apache
• Reproduce notices and license
• No requirement to make source code available
Reciprocal: Copyleft
• Reproduce notices and license
• Requirement to make source code available
• Strong Copyleft licenses (GPL, LGPL)
• Do you need to understand inner workings of Copyleft code or is there a standard interface?
• Weaker Copyleft licenses (MPL, EPL, CPL)
• Usually limited to modifications to the Copyleft code
Key risks to avoid
Loss of Trade Secrets
• Copyright infringement – Injunction, statutory damages
• Breach of agreement – Damages, specific performance
• Community outrage
Noncompliance with OSS Licenses
• Damages
• Injunction
OSS Integrity/Pedigree
Is OSS enforcement different?
• No “physical” acceptance
• Use may avoid internal legal review
• May slip through internal procurement process
May be unaware of infringement
Copyright ownership and standing to sue may be unclear
Violations may be easier to detect
Why it matters
Remedies for breach of contract
• Damages most common
• Specific performance
• Injunction
Remedies for Copyright Infringement
• Damages
• Copyright owner’s actual damages plus infringer’s profits; OR
• Statutory Damages (# of infringing copies multiplied by statutory amount)
• Injunction
Enforcement Objectives
Follow rules
Raise “social” awareness
Ensure intended value is recognized
Attribution
Marketing
Sales of other products/services
Improve software
Compliance and Enforcement
Jacobsen v. Katzer (Fed. Cir. 2008)
Jacobsen manages OSS group called Java Model RR Interface (JMRI).
JMRI, with many participants, created DecoderPro.
Jacobsen holds copyright in the code, which he makes available for download under the Artistic License.
Katzer develops commercial software for model train enthusiasts.
Katzer failed to comply with the notice provisions of the Artistic License.
Court held Katzer was a copyright infringer.
Even though Katzer agreed to comply going forward, the D. Ct. could still impose an injunction on the basis that Katzer might fail to comply again.
Settlement Feb. 18, 2010
Compliance and Enforcement
BusyBox Cases
BusyBox – Set of GPLv2 Unix utilities used in limited resource devices (e.g. cell phones, DVD players)
Widely used in products sold by many manufacturers
Spawned several lawsuits alleging:
No inclusion of or offer for source code
No copyright notice
Enforcement and Compliance
BusyBox Settlement Terms
Retain Open Source Compliance Officer
Disclose source code for the version of BusyBox distributed
Take substantial efforts to inform previous recipients of their rights under the GPL
Pay an undisclosed amount to the
Compliance and Enforcement
Issues Surrounding Android
2013-2014
52%: U.S. smartphones running Android
81%: Worldwide smartphones running Android
Compliance and Enforcement
Issues Surrounding Android
Dozens of cases filed alleging patent infringement by devices using Android OS
Oracle v. Google: Allegations of copyright and patent infringement
Jury found:
No patent infringement
Infringed Oracle’s copyrights of 37 Java packages
Infringed “rangeCheck” routine
No copyright infringement by 8 decompiled security files
Deadlocked on Google’s fair use defense
District Court found replicated elements of the 37 Java packages, including the declaring code and the structure, sequence, and organization, not copyrightable.
Compliance and Enforcement
Issues Surrounding Android (cont.)
Oracle v. Google (Fed. Cir. May 9, 2014)
Declaring code copyrightable
“The question is not whether a short phrase or series of short phrases can be extracted from the work, but whether the manner in which they are used or strung together exhibits creativity”
Structure, sequence, and organization of the API packages copyrightable
Reinstated jury’s infringement finding as to 37 Java packages
Remanded Google’s fair use defense in light of this decision
Affirmed district court’s decisions:
Granting Oracle’s motion for JMOL as to the eight decompiled Java files
Denying Google’s motion for JMOL with respect to rangeCheck function
Recent GPLv2 Cases
Continuent, Inc. v. Tekelec, Inc.
Complaint filed July 2, 2013, S.D. Cal.
Continuent, provider of database clustering and replication management software, released Tungsten Replicator under GPLv2
Continuent alleged Tekelec copied, modified, and distributed Continuent’s code in Tekelec’s Subscriber Data Management product
Recent GPLv2 Cases (cont.)
XimpleWare Corp. v. Versata Software, Inc.
Complaint dated November 5, 2013, N.D. Cal.
During a different lawsuit, Ameriprise informed XimpleWare that it had discovered portions of XimpleWare’s GPLv2 code in Versata’s DCM product
Claims of:
copyright infringement
Lanham Act violations
breach of contract
breach of implied covenant of good faith and fair dealing
unjust enrichment
Practice Tips
Comply with the licenses for OSS you use
Institute an OSS Corporate Policy and Procedures
Identify an internal point of contact for OSS questions
Scan code prior to transition points
Take corrective action when necessary
Respond immediately to any notification
Thank You!
Joanne Montague