Using GPL code in your software

I’ve written an article on using GPL code in your software, covering “the essentials” on:

  • The GPL (GNU General Public License) and LGPL (Lesser GPL)   *US spelling…
  • Challenges of interpreting the GPL
  • Key legal issues when incorporating GPL-licensed code in proprietary programs
  • Issues and consequences arising from GPL violations.

The article doesn’t cover other open source licences. While GPL is the most well-known open source licence, an interesting issue is the apparent (let’s say alleged) trend away from copyleft open source licences (such as the GPL) towards permissive open source licences such as the Apache, MIT and BSD licences.

Whatever licence is used on the third-party components of your software, it is important from a legal and commercial perspective to ensure that you understand the implications. As outlined in my article, consequences of a GPL (or other) licence breach can include:

  • Liability to the licensor or an injunction;
  • Problems arising from IP audits or due diligence projects, which could have significant implications for a proposed business/asset sale, valuation, joint-venture or merger;
  • Breaches of IP warranties or other contractual obligations to end-users; and
  • Potential conflicts with end-user procurement policies (i.e. policies stating that all suppliers must fully comply with licensing requirements).

Technology law update 6 October 2010

Virtualised software licensing

Licensing virtualised software isn’t getting any easier:

Big picture: Software licensing for virtual desktops is incredibly complex, confusing and, in some cases, prohibitively expensive. “It’s like the tax code,” says Dave Buchholz, principal engineer at Intel’s IT unit

Like the tax code – ouch. This is not new, yet from a contractual point of view, licensing virtual software is relatively straight-forward. The complexity is not an inherent licensing problem, but simply a commercial consequence – partly due to the well-worn idea that complexity is good for business (think mobile phone plans), and partly due to vendors trying to have their cake and eat it too.

Besides piracy, studies show that even users who actively try to be fully compliant often cannot understand the licensing rules (and as the article says, even vendors can struggle to understand their own licensing). The reality is that in most cases, if there is money on the table that a licensing tweak could recover, those tweaks would have already been made. But while the practice of overly-complex licensing has perhaps lasted longer than expected, disruptive technologies such as usage-based cloud computing, open source software and the increasing use of virtualisation itself mean the trend will be toward simplified licensing and subscription models.

Name suppression laws to be tightened

The Government has announced changes to name suppression laws, following a number of high profile incidents, a prosecution, and a Law Commission report into the matter. Among the announced changes:

Introducing a new offence to capture New Zealand-based Internet service providers or content hosts who do not remove locally hosted suppressed information which they know is in breach of a suppression order, and who fail to block access or remove it as soon as reasonably practicable. [emphasis added]

This is an improvement on the Law Commission’s recommendation that ISPs and hosts “carrying” suppressed information should “block access” to it, which would have caused practical problems for ISPs (see my comments here). Having a requirement simply to remove locally hosted content is a simpler and more realistic approach. But it still remains an iffy matter – IT lawyer Rick Shera raises some pertinent questions here.

Coincidentally, on the same day as the Government’s announcement, a name suppression order forced a number of bloggers to remove posts that had previously revealed the identity of certain individuals. By which time the information was already available in caches, syndicated posts, Twitter, etc – just another reminder of the difficulty of name suppression in the present day.

Who’s suing who(m)?

Another day, another US patent infringement claim. There are so many flying around, it’s hard to keep up. Fortunately the Guardian gives us this diagram. Expect to see a few more arrows added in the near future.

If you can’t beat ’em?

Minorly ironical: Ars Technica reports on antipiracy lawyers apparently pirating the legal forms of other antipiracy lawyers.

Open source in government tenders

Computerworld reports:

A requirement that a component of a government IT tender be open-source has sparked debate on whether such a specification is appropriate.

The relevant part of the RFP (for the State Services Commission) puts the requirement as follows:

We are looking for an Open Source solution. By Open Source we mean:

  • Produce standards-compliant output;
  • Be documented and maintainable into the future by suitable developers;
  • Be vendor-independent, able to be migrated if needed;
  • Contain full source code. The right to review and modify this as needed shall be available to the SSC and its appointed contractors.

The controversy is whether this is a mandate of open source licensing (which it isn’t). The government should not mandate open source licensing or proprietary licensing on commercial-line tenders. More precisely, it should not rule solutions in or out based on whether they are offered (to others) under an open source licence. The best options should be on the table.

The four stated requirements are quite sensible. As the SSC spokesman said, there is nothing particularly unusual about them in government procurement. These requirements (or variations on them) are similarly common in private-sector procurement and development contracts. In the public sector in particular though, vendor independence and standards-compliance help avoid farcical situations like the renegotiation of the Ministry of Health’s bulk licensing deal.

Open standards and interoperability in public sector procurement is gaining traction around the world. Recently, the European Union called for “the introduction of open standards and interoperability in government procurement of IT”. And in the recent UK election, all three of the main parties included open source procurement in their manifestos.

So why the controversy in this case? Most likely it’s the perhaps inapt use of the term “open source” in the RFP (even though the intended meaning is clarified immediately afterwards). The term “open source” is a hot-button word that means many things to many people, but today it generally means having code licensed under a recognised open source licence, many of which are copyleft. Many vendors simply could not (or would never want to) license their code under such a licence, and it would be uncommercial and somewhat capricious for a Government tender to rule out some (or even the majority of) candidates based on such criteria.

However, it is clear that the SSC did not use the term in that context, and does not intend to impose such a requirement. An appropriate source-available licence is as capable of meeting the requirements as an open source licence (see my post on source available vs open source). The requirement for disclosure of code to contractors and future modification can be simply dealt with on standard commercial IP licensing terms.

A level playing field for open and proprietary solutions is the essential starting point, with evaluation – which in most cases should include open standards and interoperability – proceeding from there.

Tech Law news 25 March 2010

Not a never ending licence

A UK court has ruled, and a customer found out the hard way, that what was described as a “perpetual” software licence was not a “never ending” licence. In BMS Computer Solutions v AB Agri Ltd (UK High Court, 10 March 2010) the customer was granted a “UK-wide perpetual licence” for a program. However, the contract granting the licence also required the customer to keep buying support from the developer:

In the event that the software technical support agreement is terminated for any reason whatsoever this agreement shall terminate.

The customer wanted to terminate the support agreement, but keep using the software. Terminating the support agreement would terminate the contract which had granted the licence. It is quite common for specific terms of a contract (including software licences) to survive termination (assuming that is what the parties intended). The question in this case was whether the grant of the “UK-wide perpetual licence” intended to create a never-ending licence that would survive termination of the main contract. The judge said:

The word “perpetual” can carry different shades of meaning. It can, for example, mean “never ending” (in the sense of incapable of being brought to an end) or it can mean “operating without limit of time”.

The judge found that in this instance, the “perpetual licence” meant a licence “operating without limit of time”, i.e. it continued until either party terminated it for some valid reason (such as ending the support agreement).

The ruling does not mean that every “perpetual licence” is perpetual until terminated. A contract (such as a licence) is always interpreted according to its terms and intentions of the parties. In some cases, “perpetual” will clearly mean “never ending” (in which case it may be a good idea to record it as “perpetual, irrevocable licence”). In this case, the “perpetuality” was trumped by the tied support requirement, and could not have been intended as never-ending – either a case of poor drafting by the customer, or good (or fortuitous) drafting by the developer.

Smoking gun emails

The major court battle over copyright infringement between YouTube and Viacom currently underway in the US has turned up some pretty damaging internal emails between the founders. E.g. this from YouTube co-founder Steve Chen to Jawed Karim:

“jawed, please stop putting stolen videos on the site. We’re going to have a tough time defending the fact that we’re not liable for the copyrighted material on the site because we didn’t put it up when one of the co-founders is blatantly stealing content from other sites and trying to get everyone to see it.”

While the founders probably aren’t too concerned (having long since cashed out), the evidence may yet cause YouTube’s owner Google a headache. Another reminder not to put damaging comments in writing – in litigation, almost everything is potentially discoverable.

More audio/visual technology in NZ courts

“A bill that will allow greater use of audio visual links in courtrooms passed its first reading in Parliament yesterday.”

Nestlé trade marks Kit Kat shape

Nestlé has won an appeal allowing it to trade mark (in Australia) the shape of a Kit Kat bar (or as the application prosaically calls it, “Chocolate confectionary being chocolate-coated confectionary blocks or bars and chocolate-coated wafer biscuits”). Trade marking shapes is permitted in New Zealand and other countries (for example Toblerone chocolate in some countries). In fact, many “non-lexical” things can be trade marked, including (in New Zealand) colours, smells, sounds, and tastes.

Strangely, chocolate has long been a major battle-ground for trade mark disputes. In New Zealand, Cadbury lost a 2008 Court of Appeal battle to trade mark the word “purple” (though not the colour, which it already trade marks). Last month in Australia, Guylian lost a Federal Court battle to trade mark its seahorse shaped chocolates, which the court found “not sufficiently inherently distinctive”.  In contrast, two years ago a Japanese court allowed Guylian the same trade mark in Japan, finding that the shape was sufficiently distinctive.

Unhealthy negotiations

Today’s report of the “successful” renegotiation of the Ministry of Health’s bulk licensing deal with Microsoft provides a text-book example of why the Government must properly mandate open standards and multi-vendor capable solutions for future state-sector IT procurement. From the article:

Mr Hesketh says the health sector is paying slightly more for software licences under the new three-year agreement. …

“We got the best possible deal out of Microsoft we could have got at this time.” …

The commission has encouraged government agencies to investigate alternatives to Microsoft products, including open-source software, but this was not an option for the sector as Microsoft is heavily embedded in its infrastructure, says Mr Hesketh.

There is no suggestion that Microsoft software is not perfectly suitable, and in all likelihood the best, choice for the Ministry at the present time. But it makes a mockery of the idea of “renegotiating” a deal when an alternative supplier is, by the purchaser’s own admission, “not an option”. By definition, monopolies do not compete. At least when there is a viable alternative (even if not an ideal one), it enables price and other such factors to be negotiated to some degree and a competitive assessment to take place. Not so in a one-horse race.

Nor would it be fair to criticise the current management for the single-vendor dependent situation it finds itself in. In fact, it is very likely that Microsoft was the best choice at all relevant times in the past, resulting in the current situation through no fault of anyone (and commendably smart business and great products by Microsoft). The point is that it provides an example (if another is needed) of why proprietary lock-in in the taxpayer-funded (public) sector should be avoided where possible going forward.

It would be interesting to hear some further explanation as to how the MoH can possibly claim the outcome as a “win”, when the result was it ended up paying more than the old deal – especially when the State Services Commission all-of-government negotiations broke down over price.

The article says the “win” claimed by the MoH is that each department did not need to “go through their own legal process of vetting the agreement and doing the negotiation process. We did that once rather than 24 times”. This is a highly dubious claim for several reasons:

  • In what way were the “negotiations” possibly going to be different for each department? A supplier in a monopoly position, who has already hard-balled the biggest Government procurement agency, is hardly going to negotiate 24 much smaller deals. The commercially sensible premise is “take it or leave it”.
  • If the SSC had no ability to leverage on price, there is no basis for claiming as “savings” the cost of not negotiating 24 much smaller sub-agency agreements.
  • The “marginal cost” of legally vetting an agreement of the type negotiated here should not be significant for a lawyer familiar with software procurement and licensing issues. 90% of it would be boilerplate, standard terms and disclaimers (see The allure and illusion of commercial software support). If the agreement was identical to an already “vetted” version, as would seem likely, the marginal cost would be around zero.

Equally dubious is the claim that the deal allows “licences to be transferred between the participating health sector agencies at no extra cost should they be reformed or reconfigured”. How much of a benefit is this? Let’s see:

  • The standard EULAs in Microsoft Office 2007, SQL Server 2008 and Windows 7 Ultimate (to pick 3 examples) allow no-cost transfers to a third party.
  • At law, the benefits of a contract can (generally) be transferred freely “by default”.
  • In the case of any statutory reforming / reconfiguring departments, legislation is able to deal with assignment of assets (including intangibles) to the new entities.

So how is the free transfer of licences, already provided for in the standard EULAs, regarded as a “win”?

Source available != open source

Someone recently asked what open source licence would enable them to provide their customers with source code, but prevent the customer from redistributing or reselling that code.

They had a commercial model, in that they sold their software and did not want to “give it away” as open source just yet. But they still wanted to be able to provide their customers with the source code – not because their customers actually needed it, but in order to be “transparent” and provide customers the assurance of having the source code.

Two points came to mind:

  1. “Source available” != open source. Not for any reason of semantics (semantically, I think it’s acceptable to say open source == source available), just that open source now has a fairly well understood meaning which includes redistribution and other rights. It could be confusing to customers to label a restricted “source available” model as open source. I wouldn’t go as far as calling it misleading and deceptive, but I would recommend using an alternative term if what is being provided is outside of a commonly accepted meaning of open source.
  2. If all you want to do is provide your customers with source code for your proprietary software, there is no need to use a “standard licence” (and little point). There are a few such licences in use – the Microsoft Reference Source License probably being the most common – but these are very basic (which is all they need to be) and not comparable to the GPL, Apache, etc. A few extra sentences in your standard proprietary licence can do the trick just fine.

The growth of open source means that the source available model (I’ll stick with that term for now) will become increasingly common for proprietary software. Probably the best example is Microsoft’s shared source initiative, which has been around for a couple of years now, although this does provide more liberal licensing than the example I’ve given.

Source available will also, in most cases, supersede the little-used (but often cited) code escrow model. Except for special/high-end situations, code escrow has become increasingly irrelevant and has probably long been more hassle than it’s worth. (Has anyone actually called on a code escrow? If so, what did they do with the code?)

So why would a proprietary software developer want to supply their source code on a no-redistribution basis? Three reasons are:

  • To give customers the ability to audit their code (or at least to know it is auditable).
  • To give customers some assurance of being able to fix their code and modify/integrate the code for in-house purposes (the code escrow purpose).
  • To improve interoperability.

The down side is that the developer would generally lose any technical ability to control distribution or copying of their code, whether or not that is legally permitted by the licence.  This may be critical where the code itself constitutes a trade secret, such as for high-end complex applications, code implementing proprietary algorithms / processes, and applications with significant market value.  In such cases, if the developer nevertheless still wants to provide the source code, a contractual indemnity (i.e. requiring the customer to indemnify the developer for the customer’s breach) may be appropriate.

However, in some cases this “down side” should be weighed against the decreasing costs of development. The barriers to entry for software development are continually lowering. Free IDEs and platforms and better tools and libraries continue to make software development quicker, easier and (supposedly) cheaper. Open source development provides vast free resources to projects.

As a result, some proprietary source is not the asset it used to be. Consequently the commercial value of maintaining source code as a trade secret has decreased; not yet to any critical degree – there is no question that proprietary software continues to be an exceptionally successful industry model – but enough to make services and subscriptions an important strategy for many proprietary developers. It may make commercial sense to accept some of the downside risk for the up-side benefits.

Key points

Some key points for licensing on a source available, no redistribution basis:

  1. If you do not intend the customer to disclose the source (if you did, you probably want an open source licence), make sure it is covered by a confidentiality provision.
  2. As with all confidentiality agreements, make sure the “confidential information” is properly defined. A classic mistake is to impose an obligation of confidence over ill-defined (or even undefined) material.
  3. Specify what the customer is and isn’t allowed to do with the source. Can the customer create and distribute derivative works? Can the customer adapt the work in-house? Must the customer provide any improvements back to you?
  4. The source code should not be assignable, sub-licensable, etc, without prior written consent.
  5. The licence should be “collapsible”, i.e. the licence should automatically terminate upon certain events such as insolvency of the customer.