In the first lawsuit by a commercial open source vendor, Artifex, which uses a “dual licensing” model (providing the software under both the General Public License (”GPL”) and a commercial license) for its MuPDF rendering engine, has filed suit against Palm for alleged copyright infringement (in the interests of transparency, I have worked for Palm in the past, but I am not involved in this matter). Artifex alleges that Palm has violated its rights by using MuPDF in the Palm Pre but failing to comply with the GPL or, in the alternative, take a commercial license. The complaint has very few details so it is difficult to determine how the GPL was violated.
This complaint may signal the beginning of a trend by commercial open source companies with ”dual licensing” models: the success of that model, which is used by most commercial open source companies, depends on the difference in the scope of rights available under an open source license and a commercial license as well as the value of the additional protections (performance warranties, support and indemnification) available under the commercial license. Thus, one important component of this strategy is to ensure that the open source version of their software is used within the scope of the open source license. However, litigation has been uncommon in the open source community in the US until recently and we will see if the trend towards more litigation continues next year.
In case of first impression in France, the Court of Appeals in Paris has issued a holding, as part of a larger dispute over the delivery of software, that supports the assumption that the General Public License is enforceable. http://fsffrance.org/news/arret-ca-paris-16.09.2009.pdf. The case also suggests a new basis for licensees to allege breach of contract for commercial licenses: the failure of the licensor to comply with the open source licenses for modules included in the commercial product.The case involved a claim for rescission under Civil Code Article 1184 that permits rescission of a contract and the award of damages, or specific enforcement, if the other party does not perform its contractual obligations.
The case originated when Edu4 won an RFP issued by AFPA for a system to run adult educational programs. The RFP required the use of VNC software. Edu4 provided the software, which was licensed under the General Public License (GPL).
The GPL requires that the company distributing the licensed software provide either the source code of the software or a written offer to provide the source code. Edu4 promised to provide the source code to AFPA, but failed to do so. Edu4 also removed two copyright notices in the VNC software and substituted its own notices; deleted the text of the GPL; and failed to properly indicate that VNC software had been integrated in the deliverables. In addition, Edu4 deleted user features that AFPA alleged created the risk of an intrusion of privacy.
AFPA subsequently argued that the contract had been breached, and ceased its performance. Edu4 claimed wrongful termination and was awarded damages by the lower court. On appeal, the Paris Court overturned the lower court decision, finding that Edu4 breached its contractual obligations by delivering a product that 1) created a risk to user privacy because modifications by Edu4 allowed other users or remote users to assume control over all the workstations and 2) did not comply with the GNU GPL because Edu4 had deleted two copyright notices in the VNC software and replaced them with its own copyright notice and had deleted the GNU GPL license language.
The case is also unusual because it involved a suit by a licensee, AFPA, against a distributor, Edu4, claiming breach based on violation of the terms of the GPL by the distributor. Other suits to enforce the GPL of which I am aware have been brought by the owner of the copyright (or its agent) in the GPL licensed product to enforce the GPL. I want to thank my partner in Paris, Carol Umhoefer, for assisting me in understanding the significance of this case.
This decision is important for two reasons:
1. For the first time, the GPL was found, indirectly, enforceable under French law.
2. It reminds us that licensees of the code can also sue to enforce the rights resulting from the GPL
3. It may also suggest a new basis for licensees to charge breach of the commercial license agreement: the licensor has failed to comply with the terms of open source licenses to software included in the product under the commercial license agreement
Legal issues continue to critical to the successful development and use of open source. And these issues are becoming more important with the increase in open source litigation http://lawandlifesiliconvalley.com/blog/?p=134. To assist the community to understand these issues, Black Duck Software has organized a series of webinars on legal topics. http://www.blackducksoftware.com/files/legal-webinar-series.html. Black Duck has selected Karen Copenhaver of Choate Hall & Stewart and I will be providing the seminars. Karen is the former General Counsel of Black Duck Software and counsel to the Linux Foundation, among others open source companies. She is one of the most thoughtful open source lawyers that I know and has been a leader on many legal issues for the community, such as the Jacobsen amicus brief and the ALI ABA proposals. We have the scheduled the following topics:
- Introduction to Open Source Software Licenses– Wednesday, January 28th, 11:30am ET
- Understanding the Top 10 Open Source Licenses- Wednesday, February 11th, 2pm ET
- Developing in a Hybrid Open Source-Proprietary World - March
- Best Practices in Managing Open Source - April
- Open Source Due Diligence in M&A and Financing - May
- Insights and Lessons from Open Source Case Law - June
And the price is right: free! We hope that you can join us.
The DLA Piper 2008 Technology Leaders Forecast Survey found that the use of open source software, while widespread, remains misunderstood. The Survey found that software companies used open source software in 65% of their products, as compared with use of open source software in 55% of the products of all technology companies. This number drops to 29% of the products when all respondents are included. However, only 48% of these companies have an open source use policy (software companies were more likely to have an open source use policy).
Smaller companies, those with fewer than 1000 employees, used open source software in almost half of their products (44%), yet 35% of these companies do not have open source use policies. Larger companies, those with more than 5,000 employees, reported use of open source software in only 9% of their products and 65% do not have open source use policies. I find that this number for use of open source software among large companies is strikingly low.
I think that the survey reflects a continued misunderstanding among large companies about how widespread is the use of open source software.The failure to have an open source use policy is very dangerous in the world of complicated “hybrid” products: open source licenses do not mix well with commercial licenses without careful analysis. http://lawandlifesiliconvalley.com/blog/?p=18. The risk is particularly high now because the financial downturn means that licensors will be carefully reviewing compliance with license terms to try to find new sources of revenue. For additional thoughts on this issue, you can see my interview. http://www.youtube.com/watch?v=MsZKWFmT0qs&eurl=http://www.dlatechlaw.com/search?updated-max=2008-10-21T13%3A46%3A00-04%3A00&max-results=7
The year 2007 has been the most active year for legal developments in the history of free and open source (“FOSS”). In fact, you would have been hard pressed in past years to enumerate even five important legal developments. However 2007 permits the creation of a traditional “top ten” list. My list of the top ten FOSS legal developments in 2007 follows:
1. Publication of GPLv3. The GPLv2 continues to be the most widely used FOSS license, yet the law relating to software has developed significantly since the publication of the original publication of the GPLv2 in 1991. The first revision of the GPLv2 had a number of drafts over an 18 month period. However the new GPLv3 license is much more comprehensive than GPLv2 and addresses the new issues which have arisen in software law in the last 15 years.
2. SCO’s Attack on Linux Collapses. SCO filed lawsuits claiming that Linux infringed SCO’s copyrights in UNIX. These suits suffered a fatal blow when the court in the Novell litigation found that SCO did not own the copyrights in UNIX. The ownership of the copyrights is essential to prosecute cases for copyright infringement. The melt down of SCO’s strategy was complete when it filed for bankruptcy soon after this loss.
3. First Legal Opinion on Enforcing a FOSS License. In August, the district court in San Francisco surprised many lawyers by ruling that the remedies for breach of the Artistic License were in contract, not copyright. Most lawyers believe that the failure to comply with the major terms of an open source license means that the licensee is a copyright infringer and, thus, can obtain “injunctive relief” (which means that the court orders a party to cease their violation). On the other hand, if the remedy is limited to contract remedies, then the standard remedy would be limited to monetary damages. Such damages are of limited value to open source licensors. The district court decision has been appealed.
4. First US Lawsuit to Enforce GPLv2. The Software Freedom Law Center filed the first lawsuit to enforce the GPL for the BusyBox software in August. Subsequently, it filed three other lawsuits. Although the first three lawsuits were against small companies, the most recent lawsuit was against Verizon. These lawsuits represent a new approach for the SFLC which, in the past, has preferred negotiation to litigation. SFLC has settled two of the lawsuits. Each of the settlements has required that the defendants pay damages, another new development. These suits may be the first of many.
5. First Patent Infringement Lawsuit by Patent Trolls against FOSS Vendors. IP Innovation LLC (and Technology Licensing Corporation) filed suit against Red Hat and Novell in what may be the first volley in a patent war against a FOSS vendor. Acacia is a well known patent troll which has been buying patents for some time and works through multiple subsidiaries. The FOSS industry provides a tempting target because of its rapid growth. These suits could slow the expansion of FOSS because many potential licensees express concern about potential liability for infringement of third party rights by FOSS.
6. First Patent Lawsuit by a Commercial Competitor against a FOSS Vendor. Network Appliances, Inc. (“NetApps”) sued Sun Microsystems, Inc. (“Sun”) for patent infringement by Sun’s ZFS file system in its Solaris operating system. The ZFS file system posed a challenge to NetApps products because it permits the connection of less expensive storage devices to the operating system.
7. Microsoft Obtains Approval of Two Licenses by OSI. Microsoft Corporation continues its schizophrenic approach to FOSS by simultaneously asserting that the Linux operating system violates Microsoft’s patents and submitting two licenses for approval by OSI. In October, the OSI Board approved the Microsoft Public License (Ms-PL) and the Microsoft Reciprocal License (Ms-RL) as consistent with the Open Source Definition.
8. German Court Finds that Skype Violates GPLv2 The enforcement of the GPLv2 in Germany continues with a Munich court finding that Skype had violated GPLv2 by not including the source code with the binary version of the software (instead, Skype had included a “flyer” with a URL describing where to find the source code version). The suit was brought by Harald Welte, who has been the plaintiff in virtually all of the German enforcement actions for GPLv2. Harald runs gpl-violations.org, an organization which he founded to track down and prosecute violators of the GPL.
9. New License Options. Two of the most controversial issues in FOSS licensing, network use and attribution, were addressed in new licenses adopted this year. A “network use” provision imposes a requirement that when a program makes functions available through a computer network, the user may obtain the source code of the program. Essentially, it extends the trigger requiring providing a copy of the source code from “distribution” of the object code (as required under the GPLv2) to include making the functions available over a computer network. An “attribution” provision requires that certain phrases or images referring to the developing company be included in the program. This provision was very controversial on the License Discuss email list for OSI. The Free Software Foundation published the Affero General Public License in the fall which expanded the scope of the GPLv3 to include a “network use” provision. A limited form of attribution was included in the GPLv3. And OSI approved the Common Public Attribution License which included both the “network use” and “attribution” provisions.
10. Creation of Linux Foundation. The Open Source Development Labs and the Free Standards Group merged to form the Linux Foundation. The FOSS industry is unusual because of the extent to which it depends on non profit entities for guidance. These entities include the OSI, Free Software Foundation, Mozilla Foundation, Apache Foundation and Eclipse Foundation. This merger provides a much stronger platform to promote Linux and open standards.
On Thursday, BusyBox, through the Software Freedom Law Center (”SFLC”) filed a new lawsuit to enforce the General Public License (”GPL”). The lawsuit claims that Verizon used BusyBox software in one of its routers without complying with the GPL. This lawsuit is the fourth filed by the SFLC in the last two months and confirms that the trend that I mentioned in my earlier post http://lawandlifesiliconvalley.blogspot.com/2007/11/software-freedom-law-center-files.html. SFLC appears to be taking a much more aggressive approach by filing lawsuits within weeks of the original demand letter. In this case, SFLC states that they gave notice to Verizon on November 16 and filed suit on December 5. The allegations in this suit are similar to the earlier complaints. However, this lawsuit is the first against a company of substantial size.
Companies should review their use of BusyBox software which is the basis for these claims and should be prepared to respond quickly to demand letters from the SFLC.
I have been traveling so I have not been able to comment on the recent Monsoon Media settlement (if you are in London and like Indian food, I highly recommend Quilon at 41 Buckingham Gate, SW1). The recent settlement in the Monsoon Media case has several important lessons for managing FOSS software. Everyone, including Monsoon Media, appears to agree that they violated the GPLv2 by not making the source code of the BusyBox software available as required under the GPLv2. It is less clear why Monsoon Media did not respond to the requests of the BusyBox authors and the SFLC to come into compliance. According to the complaint, they simply admitted that they were not distributing source code of BusyBox as required by the GPLv2. Although the settlement of the case means that we will not have a court’s view on the enforceability of the GPLv2 and the appropriate remedy for breach, it is not surprising.
The settlement was described as follows: As a result of the plaintiffs agreeing to dismiss the lawsuit and reinstate Monsoon Multimedia’s rights to distribute BusyBox under the GPL, Monsoon Multimedia has agreed to appoint an Open Source Compliance Officer within its organization to monitor and ensure GPL compliance, to publish the source code for the version of BusyBox it previously distributed on its Web site, and to undertake substantial efforts to notify previous recipients of BusyBox from Monsoon Multimedia of their rights to the software under the GPL. The settlement also includes an undisclosed amount of financial consideration paid by Monsoon Multimedia to the plaintiffs.
As I mentioned in an earlier post, this complaint was the first suit filed about the enforceability of the GPLv2 in the United States. In the past, the SFLC has sought compliance rather than damages http://emoglen.law.columbia.edu/publications/lu-13.html. However, in this case, Dan Ravicher of the SFLC noted (despite Monsoon Media’s public statements about coming into compliance): “Simply coming into compliance now is not sufficient to settle the matter, because that would mean anyone can violate the license until caught, because the only punishment would be to come into compliance.” This statement suggests a new more aggressive approach on financially penalizing violators of the GPLv2.
The case also recognizes an often overlooked problem for GPLv2 licensees: if you are out of compliance with the GPLv2, you do not have a license and, thus, are likely to be liable for both copyright infringement and breach of license. This “termination” can be particularly problematic if you have significant amounts of product already distributed and, thus, “unlicensed”.
The dispute moved very swiftly: according to the complaint, Monsoon Media was first informed of their violation on August 28, 2007 (and admitted to their failure to supply source code on September 5, 2007), contacted again by the SFLC on September 11, 2007 and the suit was filed on September 20, 2007.
The lessons from this suit are as follows:
1. You need to respond quickly and appropriately to any complaints about non compliance with open source licenses.
2. You should have a FOSS Use Policy to avoid these problems.
3. Your FOSS Use Policy should include a procedure for responding to these types of complaints.
4. Non-compliance, even “innocent” non-compliance, is getting more expensive.
If you don’t take these steps voluntarily, they may be imposed on you and you will have your own Open Source Compliance Officer.