Enrico Schaefer - May 10, 2019 - Internet Law, Open Source Software
[Detroit, MI] In this episode of Tech Law Radio, Open Source Licensing Attorney Russel Gelvin talks about the importance of doing a software source code audit. If your proprietary code contains open source code, you may be violating a copyleft license if you do not allow distribution for free
Interview Highlights:
Some software has source code that only the person, team, or organization who created it—and maintains exclusive control over it—can modify. People call this kind of software “proprietary” or “closed source” software.
Open source software is different.Some open source licenses—what some people call “copyleft” licenses—stipulate that anyone who releases a modified open source program must also release the source code for that program alongside it. Moreover, some open source licenses stipulate that anyone who alters and shares a program with others must also share that program’s source code without charging a licensing fee for it.
“So what this means for proprietary software developers is that you need to know what other licenses may exist in your code. If there is copyleft code in your proprietary code, you may have a big problem says litigation attorney Enrico Schaefer.”
[rough transcript of this show]
Welcome to Traverse Legal Radio, the Tech Lawyer podcast, a show dedicated to helping entrepreneurs, CEOs, and founders navigate legal issues, grow revenue, and increase valuation. This podcast is sponsored by the, Corporate, IP and litigation attorneys at Traverse Legal, PLC. Visit traverselegal.com to learn how Traverse Legal’s attorneys are changing the way law is practiced. Now, here’s your host, trial attorney, Enrico Schaefer.
Enrico Schaefer: Welcome to Traverse Legal Radio. My name is Licensing Attorney, Enrico Schaefer. I do a lot of software licensing and software litigation for the law firm Traverse Legal, www.traverselegal.com. Today on the show, we have Russell Gelvin. Russell is also an attorney with Traverse Legal, and he specializes in-in software licensing, but he also has a lot of expertise in open-source software licensing. We’re going to learn a little bit about open source today and start talking about the various issues that face open-source developers, licensors, and licensees in the open-source space. Welcome to the show, Russell.
Russell Gelvin: Hi, Enrico. Thank you for having me.
Enrico Schaefer: Russell, why don’t you give us a little bit about your background and your, your special interest in open-source software.
Russell Gelvin: I’m coming from Ford Motor Company where I spent two years on their open-source team, helping the entire global enterprise with all of their inbound and outbound open-source licenses for any software they were using or any software they were distributing to the public.
Enrico Schaefer: As Ford takes in different software from vendors and internally develops software, and, obviously, one of the issues that every single company that’s dealing in the technology space where the software and hardware needs we think about is what kind of licenses are in the software that I’m using? Either because I’m bringing in third-party software, I’m using libraries, or what have you, and to make sure that you’re not violating someone else’s copyright license when you license your software, and part of that is just really understanding what’s in your code because there’s a lot of cut and paste out there. There’s a lot of use and reuse of code. There’s a lot of, um, companies that are using outsource software developers in bringing them into your projects.
You really have to have a full understanding of whose code is it? Making sure you have rights in that code and understanding what licenses might be coming into your project. Russell, let’s just start with some-some basics here. What is open-source software?
Russell Gelvin: Open-source software very generally refers to any software that is licensed under a software license that allows the recipient to access and use the source code that underlies the software itself. Now, this is important because the source code is where you’re able to modify the software, make changes adapt it to new uses and really add all kinds of functionality and do pretty much anything you want with the software. There are a number of different open-source licenses that all have their own requirements and obligations. Open source really just refers generally to a large class of different software licenses.
Enrico Schaefer: The open-source movement, obviously, has been incredibly important to the — both the birth and growth of the Internet really and whereas it was relatively new and novel at the beginning, it’s now a real important piece of the puzzle for virtually any company in the technology space, at least to be aware of if not to leverage and-and use and make sure that you’re compliant within all your own different IP, risk mitigation techniques. But they also comply with all open-source software, which means if there’s open-source software in your licensed software, you need to be aware of that because it may be causing you some-some liability problems and adding to your risk. What is kind of the history of open-source, and how did we get to this point today? If you can, give us kind of an overview of the open-source legacy issues and how we ended up at this point.
[From Wikipedia, the free encyclopedia] The open-source-software movement is a movement that supports the use of open-source licenses for some or all software, a part of the broader notion of open collaboration. The open-source movement was started to spread the concept/idea of open-source software. Programmers who support the open-source-movement philosophy contribute to the open-source community by voluntarily writing and exchanging programming code for software development. The term “open source” requires that no one can discriminate against a group in not sharing the edited code or hinder others from editing their already-edited work. This approach to software development allows anyone to obtain and modify open-source code. These modifications are distributed back to the developers within the open-source community of people who are working with the software. In this way, the identities of all individuals participating in code modification are disclosed and the transformation of the code is documented over time.
Russell Gelvin: Now open-source is becoming such a major issue for so many large enterprises because at the beginning of sort of software development and the Internet, most software was-was actually considered open-source just because developers and programmers weren’t taking too much interest in their copyrights and intellectual property rights in the software they were writing. It really wasn’t until a little bit later that individuals started to realize, “Hey, I can make a lot of money if I protect my software with copyright and make sure I enforce those copyright rights that I have.” The most of the software that folks are familiar with today is really proprietary software. It’s software that’s owned by some commercial entity that’s selling that software to make a profit. Most software wasn’t considered proprietary in that sense, and that’s why it’s kind of strange that software began in an open-source environment, and now it’s sort of coming full circle all the way back to open-source licensing where developers are really sharing their code and working together collaborating because they see value in that. I can try and strictly maintain my own code and not allow anybody to use it, but if I share it with others, maybe they can help me fix bugs. Maybe they can help me learn things that I didn’t know about it, and the-there’s really a mutual benefit there.
Enrico Schaefer: Open Source projects have been able to scale and grow because they bring an army of developers to the project, and those army of developers could be anywhere, could be anyone. They’re simply contributing to the code because they’ve got a particular problem they’re trying to solve, and then they’re adding that potentially to the platform, and the licensor, the person in control of the open source is making a decision as to whether or not to bring that into the source code making it available for download for everyone. But you end up being able to kind of crowd source your project in a way that is very hard to replicate DNA, especially in early stage or growth stage company because you’ve got limited resources, and, therefore, you’ve got limited developers. Why does open source really matter in today’s tech space?
Russell Gelvin: Quite frankly, at this point, it’s unavoidable. Every single piece of software out there is going to contain some open-source. It’s very rare for something to be completely written from scratch. Just because why re-invent the wheel? If you need a certain functionality, and there’s already something freely available for you to reuse out there you’re going to be wasting time if you try to rewrite it yourself. It’s really become ubiquitous. It’s everywhere in every product you’re using, everything from the cell phone in your pocket right now to the car you drive to your computer. Everything has some open source in it. It’s going to touch every aspect of our lives. We might not realize it. We might not see it because it’s hidden, but it’s certainly there, and the legal implications that surround the licensing aspects and the intellectual property aspects are going to be there as well.
Enrico Schaefer: Give us some examples of what are the most familiar devices or hardware or software platforms that if people use that implicate open source.
Russell Gelvin: Everything uses open source – there are platforms that are purely open source, though. We have to make the distinction between proprietary software that uses open source and then actual open-source software. On the proprietary side, just thinking of Windows or Mac operating system, and these things are certainly going to contain some open-source code, but on the open-source side, you do have open-source operating systems. The Linux-based system is probably the most popular being the Ubuntu system, and you can install that on any computer you want. You just have a computer. You might have to make sure that you remove Windows fully, but you can install Ubuntu, which is completely open source, and you’re free to modify that source code yourself, and it gives you a lot of freedom to create and innovate, and you’re not restricted by technical features built in to say Windows or Mac operating system.
Enrico Schaefer: I can’t go and modify Windows operating system to solve some problem or craft some solution that is unique to me, but in an open-source environment, all that’s available. You can either hire a developer. If you hire a developer, you can actually make those modifications on the fly and-and then make them available to other people as well.
Russell Gelvin: Absolutely. It gives you all the freedom to customize and make solutions that fit your particular needs. In enterprise settings, this can be instrumental to finding an efficient resolution to some complex problems.
Enrico Schaefer: Why does open-source software matter, let’s narrow that question down a little bit. Let’s say I’m a proprietary software company. Right? I’ve got $10 million in revenue licensing my software, charging a licensing fee for the use, for the download and use of my software. Why do I care about open source?
Russell Gelvin: In the context of proprietary software like that, the biggest issue that most companies are going to face is something called copyleft licensing, which is a play on the term copyright. A copyright is basically your right under the laws of whatever country you’re in to protect works that you create. If you’re — you write a book, or you write a piece of code, that’s your — that’s your property, or that’s your — that’s your material that you can protect, and you can say, “Hey, nobody else can copy this without my permission.” Copyleft is the opposite in the sense that it says anybody can copy this and reuse it with with my permission, and furthermore, anybody that they give it to, they have to make sure they also have the right to modify or redistribute it in all these things, and that can become a problem in the context of your own proprietary software because if you put some copyleft code in your own software, you’ve run the risk of your own software becoming a derivative of that copyleft open-source software.
And if your software is deemed a derivative of that software, then it has to be relicensed under the same terms as the open-source license, which can dramatically reduce your ability to control your own software and makes you lose a lot of rights that you would otherwise have under intellectual property laws.
Enrico Schaefer: For instance, the right to charge money for a license for your software or the right to control distribution of your software. Give us some examples of the types of things that might happen if you end up with a piece of open-source software in your code that you are trying to charge people money for.
Russell Gelvin: The-the biggest issue under these copyleft licenses is going to be that you’re forced to release your own source code for your software, and you’re forced to allow others to use it. For example, if you write an application that does certain things, and you don’t want other competitors to know how you make those things happen or how you did it you-you don’t want them to be able to see your source code.
You don’t want them to be able to copy and use your source code. If you were forced to comply with an open-source license, and you’re forced to release the source code for your own proprietary code, your competitors could go and take that code and completely replicate your product and start distributing their own product that does the same thing, or they could use it to understand your product and enhance their own products.
It’s really risking a lot of your own sort of trade secrets and intellectual property that you would otherwise want to keep secret from competitors.
Enrico Schaefer: Now, let’s talk a little bit about why this matters in a minute. Let’s say I’m the CEO of a software company. I’ve got four years into the project. I started out using outsourced developers, and I took an assignment of the rights from them to make sure that I own the code and added some employees and had developers coming and going, and now I’m making $50 million gross revenue for a year, and how would I even know if there’s any open-source software in my code? How do I understand what my risk is on this particular issue?
Russell Gelvin: Really, what it comes down to is the licensed terms that are provided with the software when you download it or receive it. You need to be mindful of any terms you’re agreeing to or accepting. We all see terms of use on websites and software and things we use, and it’s pretty typical to just click through, not read those terms and things like that, and that’s kind of the case with open-source is first of all, from the very beginning, you should be mindful of any terms you’re accepting.
Every piece of software you’re downloading and using to develop your own software or just as like a tool, you know, an application you install on your computer, you should be mindful of any terms that come along with that software, and the — really the tricky part with open-source software is that it’s extremely common for those licenses to sort of be hidden in the code itself because, you know, they’re providing you the code. If you want, you can go read the code, and you’ll see the licenses there.
And that’s where it could get tricky for smaller pieces of open-source software, you can go inside the-the files, go inside the directories, the folders, and things like that. Look for files that have names like license.text, license file, or copyright file, and you can look at those and try to see what terms came with it, but if it’s a larger software package, that might not be practical.
You might not be able to go through and click all of the — click through all of the files, click through all of the folders and everything to see what all the license terms are, and every single file could technically be under different terms like you could have 10 different files in a folder, and each file at the top of the file could say, “the-these are the terms that you agree to by using this file,” and you could have different terms in every one.
You need to check it all, and for larger things where it’s not practical to go and check by hand for each file, there are tools available you can download and use to scan the-the source code, the files, the text files for any software that you’re developing yourself or any open-source software that you’ve downloaded, and some of these tools are really effective and really powerful and will do a good job of identifying every single legal term or license that’s in there. And you can use that to determine what licenses you’re being bound by.
Enrico Schaefer: We do a lot of business with software companies. Part of the legal work we do as copyright licensing attorneys is develop approaches in business models around licensing for these companies, for their proprietary software, and we — every day we’re negotiating and drafting upstream and downstream licensing agreements for these companies. Rarely do you hear \ these companies actually having done a due diligence on their code. Right?
A copyright licensing attorney who is an open-source specialists can run that kind of search on someone’s code. It-it’s not something that you would typically see lawyers doing, but by default, there’s not a lot of vendors in the space who are — who are doing this kind of due diligence.
Tell us a little bit about the-the types of things you would do as a licensing attorney for a client that needed to understand their risk on open source with their proprietary software or with their open-source software, quite frankly.
Russell Gelvin: I will always start with interviewing the client to just understand their needs. What is their business model? What are they trying to do? Do they want to distribute their software? What are they using? And really, it’s all driven by the needs of the client and what the client is trying to do, and that’s going to be the starting point. And then once you understand that, um, I want to know what they’re using.
If it’s a piece of software that the client intends to distribute to third parties, to the public, or to their own customers, I would ask to get the source code of their software, and I would give it a scan under one of the tools we use, and that will allow me to identify any license or copyright language or any legal language that we need to be mindful of, and then from there I will generate a risk assessment where I look at every single license.
I determine which licenses apply because sometimes we can rule out these licenses. There are different reasons why an open-source license might not be valid or might not apply in a particular situation, and once I’ve sorted through which licenses apply and which ones don’t, I would generate a risk assessment for the client telling them what their requirements and obligations under all of the identified licenses are.
Making sure that what they want to do, what would comply with these licenses, and if I see any red flags or if I think that there’s anything that they’re trying to do that’s probably not going to comply with one of these licenses, I’ll let them know, and I’ll work with them to either ch-change the code, go find different tools, different code that they can use, rewrite it.
Anything we can do to either eliminate those licenses or get them in compliance with the licenses, and there’s a whole host of things that you’re going to have to do. All of these licenses have different terms.
As a base level for most open-source licenses, you are going to need to provide some sort of acknowledgement to the author of that open-source software, and that can be a big issue for larger software applications that have, you know, thousands of different open-source authors that you need to acknowledge every single one of them, and you’re going to have to identify the licenses, and that can be a lot of work.
It’s better to start it early in projects, but even for projects that are far along, I advise giving it a scan and doing what we can to identify all the licenses, all the copyrights and making sure we’re in full compliance because there is case law that failure to comply with an open-source license can be both a breach of contract and might in certain jurisdictions result in damages for copyright infringement, which can be significant.
Enrico Schaefer: You’ve got this risk of-of potentially getting sued or receiving a threat letter on, um, a particular problem with your code because it includes open-source software, and you’re violating the license of that open-source software, but as a copyright licensing attorney, you also have to be aware of the fact that there are funding rounds that usually go along with capitalizing these companies that there’s this kind of — there’s this asset value, the intangible assets, the tangible assets.
Certainly, your software code, this could be a primary asset. At any valuation stage, a really sophisticated venture capital group in the software space is going to want to understand the IP value, and part of that is understanding the risks. You know, we represent venture capital groups that are investing in technology companies. We do these sorts of due diligence projects running an application on the code in order to do this due diligence is critical.
Explain to us a little bit more about why this should not only be important for the-the-the software company but for any venture capital group or investor that’s looking to place money into a tech company.
Russell Gelvin: From the perspective of an investigator, they’re ultimately looking for a return on their investment. They want to make money, and if you pour a large investment into a company under the assumption that they’re going to be able to go out and sell licenses for copies of their software, and then it turns out that they can’t do that because they’re — they’ve virally infected their software with one of these copyleft licenses we’ve discussed.
They could get hit with a lawsuit, which could completely destroy, wipe out all of their profits, or their entire business model could just be undermined altogether, and as an investor, you really don’t want to take those kinds of risks. You don’t want to have sort of like a ticking time bomb waiting for you.
It’s really important, at the very least, you should ask the-the companies that you’re investing in, “Hey, do you — do you have a strong understanding of any third-party license obligations that you might be bound by? Have you done a license audit? Have you scanned your source code? Have you spoken to an attorney?”
Because companies that are, you know, aware of these things and sort of taking care of them early on, they’re not going to have as much risk, and, quite frankly, it sort of shows a sense of responsibility, a sense of just having it together for that small start-up. That, oh, they’ve been looking at these things from the beginning, and they’re taking every legal risk seriously. They’re not just clicking through license terms and things like that.
Enrico Schaefer: We’re used to-to talking the language of infringement and asset value, but I suppose at-at an investor level, if you’re investing in a piece of proprietary software, and it turns out that the source code is not protectable because of embedded copyleft software. Your entire premise for investing in this company that you have got a protectable proprietary asset could be turned upside down pretty quick. When should, when should someone, a stakeholder, in one of these issues really talk to an attorney?
Russell Gelvin: I wouldn’t say that everyone is going to need to talk to an attorney. Really, you’re going to have to look at your situation and determine the value of what you’re trying to do and the risk associated with that. If you think you’ve got a piece of software that you’re developing that’s got a lot of value to it. I mean you think it’s worth, you know, millions or something like that, but you’re not sure whether you have the right to redistribute it say as closed-source application that you control.
That’s a good situation to talk to an attorney. Generally, a lot of these high-risk open-source licenses are only going to be triggered on distribution to a third party. If you’re planning on just downloading a piece of open-source software and using it internally, you know, as like a tool, as a developer tool or something like that for your internal business usage, and you’re a small company, you might not need to talk to an attorney right away.
It’s really when you’re talking about distributing your own software applications and things like that that you’re going to be more in need of an attorney, and then if you’re a growing enterprise, if you’re looking for seed funding, if you’re growing — if you’re just looking to grow, if you are becoming larger, you might want to talk to an attorney just for an initial consultation on anything you should be looking out for. Maybe they can help you set up your own compliance program.
Because if you — if you start looking at these things early on, it’s much less of a headache in the long term. The worst-case scenario is when you get hit by an open-source issue that you didn’t even know existed, something that you didn’t know your developers were downloading, that you didn’t know that one of your developers put in the software those can really blindside you.
If all of a sudden you have somebody that’s demanding payment for license fees or worse yet, demanding that you release your source code, um, those are things that you want to look out for. Really, it’s just if you think that you run the risk of losing a lot of money.
Enrico Schaefer: Sometimes there’s a little money involved, and sometimes there’s a lot of money at stake. You need to calculate that all and in your risk assessment. May name is Attorney Enrico Schaefer. This is Traverse Legal Radio. Today we’ve been talking to Russell Gelvin, open-source licensing attorney. Russ, thanks for being on the show today.
Russell Gelvin: Thanks for having me today, Enrico.
You’ve been listening to the Tech Lawyer podcast sponsored by Traverse Legal, PLC, a law firm representing clients like you on matters just like yours. You can find the Tech Lawyer podcast on most podcast listening platforms including your home devices. Until next time, remember, that good attorneys win for their clients. Great attorneys tell you up front how they’re going to do it and how much it will cost.
