What Every VC Needs to Know About Open Source Software To Avoid Losing (Or Spending) Big Money

Enrico Schaefer - December 2, 2019 - Copyright Infringement on the Internet


Anyone familiar with software development knows that some of the most important software development tools are based on open source licenses that, generally speaking, allow anyone to copy and reuse the software for their own purposes. These include everything from fundamental programming languages like Python and PHP, all Linux-based operating systems, and even software development tools for integration with major platforms like Facebook and Google. Indeed, in most cases it would be foolhardy and counterproductive to attempt any meaningful software development without using at least some open source software in some capacity. Thus, it would be wise to begin with the presumption that open source software is involved in any given software application, at least until proven otherwise.

So what does this mean and why does it matter from a legal perspective? The issue is that every piece of software, every line of source code, is potentially protected by copyright law as a literary work. And with each unique copyrighted work comes the potential for infringement under the Copyright Act.

But how can this be? Isn’t open source software free? First, we need to remember that software freedom means the right to access the underlying source code, modify it, run it, and distribute copies. The oft-recited maxim is that software freedom means “free” as in “free speech,” not “free beer.” Second, even in the case of open source licenses that are also free of monetary cost as in “free beer,” this is inconsequential from a legal perspective. Unless a work is forfeited to the public domain, an author still retains copyright protection regardless of how many times they license their software. That’s how Bill Gates got so rich.

Further, the lack of monetary compensation doesn’t mean an open source license fails to create a legally binding contract. As every first-year law student has hammered into their delicate mind, the essence of a binding contract is consideration or “bargained for exchange.” There is no question that you can have a binding contract regardless of whether money changes hands. Indeed, in Jacobsen v. Katzer, the Federal Court of Appeals for the Federal Circuit found adequate consideration in the case of the Artistic License, a seemingly innocuous open source license which the defendant violated by simply removing copyright notices and failing to note modifications to the source code. And there are far more complex and onerous open source licenses, such as the GPL and AGPL, that pose significantly heightened risks beyond mere monetary damages for copyright infringement (not that damages for copyright infringement are any small matter).

So, with each use of open source software there exists a risk of both breach of contract and copyright infringement. Considering the sheer volume and prevalence of open source software, and the ease with which a license can be violated (e.g., by deleting a copyright notice), there can be no doubt that anyone investing significant sums of money in software IP should be wary of open source software.

But what should be done about this significant risk? Open source software cannot be avoided, or at least, attempting to do so is likely to be even more costly than the risks associated with open source licenses. The only solution is to remain vigilant and establish policies for auditing every line of code for any transaction involving acquisition of significant software IP.

While reviewing millions of lines of code may sound like a daunting task, it’s actually something that can be done with minimal cost and inconvenience using open source scanning tools like FOSSology. A skilled attorney should be able to scan the source code and review the licensing for most software applications in just a few hours. Even large software projects should not take a skilled attorney more than a few days to sort through. Most issues can be resolved fairly easily, by removing problematic code or finding alternatives, if identified early on. In the context of a multi-million dollar IP transaction, a few thousand dollars on legal due diligence is a bargain.

Of course, for someone unfamiliar with open source software licensing, it’s easy to be convinced by snake oil salesmen that a source code audit is a momentous task requiring teams of technicians and tens of thousands, or even hundreds of thousands, of dollars just to provide a list of licenses and copyrights. While it would be rude to name names, this is exactly what the leading open source auditing companies are doing. Worse, since they’re not law firms, they’re unable to provide any meaningful legal guidance based on the license report they provide. They just say, “here’s a list of all the licenses and copyrights we found, enjoy” and slap you with a bill for $20,000 (on the low end). Others sell expensive, complex software systems that are difficult to integrate with your own development processes and do little more than FOSSology (or in some cases, much less).

Having performed thousands of open source license audits, I can confirm that the vast majority of software projects can be scanned and fully reviewed in a matter of hours. For example, with distributed software applications (mobile apps and such), the main concern is making sure there are no copyleft licenses and compiling a list of all copyright and license acknowledgments. For software with frequent updates and new releases, scanning each new version to check for new licenses would likely take just a few minutes. Even for companies with large volumes of open source software, processes can be established to automate much of the process and reduce auditing overhead.
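The three checks named above (copyleft licenses, an acknowledgments list, and licenses that are new in a release) can be sketched as follows. This is an added example, not FOSSology and not the author's process: it assumes source files carry `SPDX-License-Identifier` tags, and every function name and sample file in it is hypothetical and constructed for illustration.

```python
import re

# Assumption: illustrative copyleft prefixes only, not a complete or legal list.
COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-")
SPDX_LINE = re.compile(r"SPDX-License-Identifier:\s*([^\n]*)")
SPDX_TOKEN = re.compile(r"[A-Za-z0-9.+-]+")
COPYRIGHT = re.compile(r"Copyright\s+(?:\(c\)\s*)?(\d{4}[^\n*]*)", re.IGNORECASE)

def scan(files):
    """files maps path -> text; returns licenses and copyright notices per file."""
    report = {}
    for path, text in files.items():
        ids = {tok for expr in SPDX_LINE.findall(text)
               for tok in SPDX_TOKEN.findall(expr)
               if tok not in ("AND", "OR", "WITH")}  # drop SPDX operators
        notices = [c.strip() for c in COPYRIGHT.findall(text)]
        report[path] = {"licenses": sorted(ids), "copyrights": notices}
    return report

def copyleft_files(report):
    """Files declaring a license whose identifier has a copyleft prefix."""
    return sorted(p for p, r in report.items()
                  if any(l.startswith(COPYLEFT_PREFIXES) for l in r["licenses"]))

def untagged(report):
    """Files with no declared license: these need manual review."""
    return sorted(p for p, r in report.items() if not r["licenses"])

def acknowledgments(report):
    """De-duplicated license and copyright lines for a notices file."""
    return sorted({f"{lic}: Copyright {c}" for r in report.values()
                   for lic in r["licenses"] for c in r["copyrights"]})

def new_licenses(old_report, new_report):
    """Licenses present in the new release but absent from the old one."""
    seen = {l for r in old_report.values() for l in r["licenses"]}
    return sorted({l for r in new_report.values() for l in r["licenses"]} - seen)

# Constructed sample input: two releases of a hypothetical product.
RELEASE_1 = {
    "src/app.py": "# SPDX-License-Identifier: MIT\n# Copyright (c) 2018 Example Corp\n",
    "vendor/fmt.c": "/* SPDX-License-Identifier: BSD-3-Clause */\n/* Copyright 2016 Jane Doe */\n",
}
RELEASE_2 = dict(RELEASE_1, **{
    "vendor/netlib.c": "// SPDX-License-Identifier: GPL-3.0-or-later\n// Copyright (C) 2017 Some Author\n",
    "src/util.py": "def helper():\n    return 1\n",
})

if __name__ == "__main__":
    old, new = scan(RELEASE_1), scan(RELEASE_2)
    print(copyleft_files(new), untagged(new), new_licenses(old, new))
```

Files that carry no tag at all are reported separately because an absent declaration is not evidence of a permissive license; those are the files a reviewer still has to read.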

So, if you don’t want to risk an expensive lawsuit, but also don’t want to spend a fortune on traditional open source auditing services, your best option is to find an attorney that understands open source software, is honest and doesn’t quote unreasonable prices, and has their own private FOSSology server setup.
