Open Source Legal and License Trends Takeaways from 2017
The open source community prefers to keep disputes and enforcement out of the courts. Is 2018 likely to take us in a new direction?
The freedom to code, contribute, and collaborate is a core ideal of the open source community. As such, there is a strong preference to keep disputes out of the courts whenever possible in favor of internally enforcing strong principles of how to respect the licensing structure.
Looking back at 2017, we can see a number of examples of how the community and commercial actors have generally made good strides in keeping open source from falling into the pit of legal tangles that the proprietary software industry often finds itself in, seemingly perpetually with one foot in the courtroom.
There are of course a number of notable exceptions to this trend, but as in most cases, their particulars do more to prove the rule of how rare it is that open source license violations will actually make it before a judge.
In hopes of getting a sense of whether or not the OS community was moving towards a more litigious posture, we spoke with Haim Ravia, a Senior Partner at the Tel Aviv-based firm of Pearl Cohen Zedek Latzer Baratz.
From his vantage point, he notes that, “Considering the widespread use of open source code, cases where enforcement actions are taken are relatively rare, and the proceedings are very interesting when compared to regular software copyright cases, where enforcement is conducted through traditional legal processes, with a damages suit.”
Ravia points to the fact that when disputes are brought to court, they often result in a backlash from the open source community, explaining that these cases “are more likely to come from commercial organizations, that release their products under a double license: both an open source license like GPL and a commercial license, because their business model is based on selling commercial licenses,” and therefore are more likely to require turning to the traditional legal system to resolve.
Keeping Enforcement In-House
Instead of calling the lawyers, the community appears to rely more strongly on setting out the principles of how they want to see licenses used, minimizing the need for naming and shaming to get results.
In a reaction to the wave of patent suits that were filed by Linux kernel contributor Patrick McHardy — who is considered to have been in bad form with his many lawsuits over copyrights and one of the rare cases where the community aired — the Software Freedom Conservancy issued a set of guidelines for how to encourage community enforcement of standards for working with licenses.
“The principles of community enforcement are very interesting,” says Ravia, explaining that they, “mainly favor enforcement over compensation.”
“The goal is achieving GPL compliance — and other FOSS licenses — fixing the violation rather than requesting compensation. This doesn’t mean financial compensation won’t be requested as violators will be asked to cover legal costs, but they won’t demand the maximum fine according to copyright law.”
Referring to the second principle that says that “Legal action is always a last resort,” Ravia says that the community always prefers quiet action.
“The FOSS community are willing to conduct compliance negotiations confidentiality because they understand companies are more willing to solve things quietly, to avoid public outcry or shaming for license violations,” he says, pointing to their position that, “compliance actions are primarily education and assistance processes to aid those who are not abiding by the license.”
From the SFC’s statement, they believe that the vast majority of violations come from honest mistakes and should therefore not result in throwing the books at the naively negligent offender. At the same time, they note that for instances where the misuse truly crosses all lines of good taste, “there is no duty to be empathetic in those cases.”
Corporate Fear of Community Backlash
While the community leaders make an effort to enforce license policies, even the big players appear to be using a lighter touch in hopes of avoiding anger against them. These companies are less fearful of being penalized in legal courts than they are of being roasted in the court of public opinion.
For those out there wondering why companies have an interest in whether or not they are accepted by the community, the answer is that they want their code be seen as setting standards within the industry, being used by developers and, as a by-product, receiving improvements as it is reviewed by the public.
Last month, Facebook, Red Hat, IBM, and Google committed themselves to “providing a fair cure period to correct open source GPLv2” compliance issues,” in an attempt to bring companies that are developing incorrectly with the more restrictive code in from the cold without penalty.
Facebook learned first hand this year how vicious the response can be when the community decides that a corporate is not playing fair. Ravia notes the outcry over the social network’s addition of a patent clause to the BSD license, stating that anyone involved in a patent lawsuit against Facebook loses the right to use their React code. The move was explained as way for the company to defend themselves from lawsuits, but was widely perceived as giving them an upper hand in going after smaller developers.
As a lawyer, he says that his firm was approached by numerous companies that questioned whether or not they could still use Facebook’s software without giving up on their own rights, and were deterred from using it in their development.
Facebook issued an apology stating that it failed in convincing the open source community of the patent clause’s advantages, and that it was sorry that many members of the community avoided using their software and started looking for alternative projects as a result. The company then announced that version 16 of React would be released under a simple MIT license.
“Facebook is still deciding what to do with other open OS projects that are still under the very restrictive patent clause,” says Ravia.
Reinforcing his perspective that the community’s voice is able to have a great effect on how companies, which have a strong interest in having developers throughout the ecosystem using their software, brought about the desired change “without any legal paperwork written or a lawsuit.”
What Happens When Suits Are Brought to Trial
Sometimes, a lawsuit is inevitable. More often than not — excluding the McHardy example — these occur when companies sue each other, and not individual developers.
One case that Ravia brings attention to is the suit between California-based Artifex and the Korean Hancom, where the latter is accused of having violated the former’s GNU GPL license. The dispute arose from Hancom’s incorporation of Artifex’s Ghostscript code into one of their products, wherein the Korean company would have had to either make their product compliant with the GNU GPL license, thereby open source as well, or pay them for a commercial license. However Hancom refused to do either and they went to court over it.
For their part, Hancom appears to have violated the principles of good behavior in working with GPL, which we can consider to be more of a set of norms than actual laws. The case brought into question whether a license could be considered a contract. According to Ravia, the California federal court ruled that GPL isn’t just a copyright license but also a legally binding document.
“Among other things, the court also dismissed the claim that the GPL stipulations/ instructions that require users share source code are against US copyright laws,” explains Ravia, adding that the court found “that the GPL license is also a binding legal contract.”
“The fact that this ruling comes from a relatively low federal court, and still got a lot of air-time globally, shows how rare it is in the world of open source licensing enforcement that these types of cases even get to court,” he says, noting that the ruling which could come out next year will be one of the interesting cases to watch. How the court decides on the case could set a significant precedent, and potentially cause a fair amount of outrage in the community.
Playing Safely with GPL
Despite the disputes that can come up when using GPL code, Ravia is firm in his position that GPL software for commercial products can be used without putting your company at risk.
“The open source community is happy when organizations use GPL,” he says, adding that, “However when they do, they have to play by the rules. It’s as simple as that.”
He says that he is seeing a push by developers at companies to get a better handle on their open source component usage.
“More and more companies that either didn’t monitor open source or relied on manual reports, are trending towards monitoring and management tools,” he says, citing that among other reasons for the increased use of the tools is because the price is lower, and also because “they are meant to be tools for developers, not just for compliance. So the incentive to use these tools isn’t only coming from legal, but also from the development teams themselves.”