On June 14, 2013, the district court of Hamburg found that Fantec violated the obligation in the GPLv2 to provide to its customers the “complete corresponding source code” of the software http://www.ifross.org/publikation/lg-hamburg-az-308-o-1013.
The decision is one of the first to deal with this obligation to provide source code, but the facts limit its value. For example, the damages are based on the breach of a prior cease and desist declaration between Welte and Fantec in which Fantec agreed not to violate the GPLv2. However, it does provide important guidance on how to manage FOSS compliance and on the limits of delegating these obligations.
Fantec, a European company, distributed a media player with a Linux-based firmware inside. Like many companies, Fantec used software from third parties. The firmware of the media player included the iptables software, which is licensed under the GPLv2. Fantec provided for download a version of the firmware source code that it had received from its Chinese manufacturer. Harald Welte is one of the authors of the iptables software and has brought suit a number of times to enforce the GPLv2 for this software. Ironically, Welte had settled a prior violation by Fantec with respect to this firmware. As a result, Fantec signed a cease-and-desist declaration in 2010 and was contractually obliged to refrain from further GPLv2 violations (and otherwise to pay a contractual penalty).
The software available for download for the Fantec product was reviewed during a “Hacking for Compliance Workshop” in Berlin organized in 2012 by Free Software Foundation Europe. The hackers discovered that the source code provided by Fantec did not include the source code for the iptables software and that the source code for some other components did not match the versions used to compile the binary code of the firmware.
In 2012, the plaintiff gave Fantec notice of another GPLv2 violation and admonished Fantec to cease the infringement and to pay the contractual penalty and the out-of-court costs of legal prosecution. Fantec objected that it had been assured by its Chinese supplier that the source code received from the supplier was complete. Fantec also claimed that it had investigated options with third parties for source code analysis and had been informed that such reviews were quite expensive and not completely reliable.
Welte raised two arguments: first, that Fantec provided source code that was incomplete and, second, that the source code was not the correct version. The court affirmed a violation of the GPLv2 license conditions because the iptables code was not contained within the source code provided by Fantec. However, the court did not rule on the second argument that the source code was not up to date. Consequently, the decision does not provide significant guidance on the definition of the term “complete corresponding source code”.
The court required Fantec to pay a contractual penalty in the amount of €5,100 based on the prior settlement agreement. In addition, the court awarded the plaintiff’s expenses in enforcing the GPLv2 (this award is standard under German law and is based on Section 97a (1), 31, 69c no. 3 and 4 of the German Copyright Act, which awards costs for a justified warning by the party that issued it). The court affirmed the culpability of Fantec’s violation by classifying the violation as negligent: the seller of firmware may not rely on suppliers’ statements about compliance. The distributor of GPLv2 software must carry out the assessment itself or commission experts to make the assessment, even if this incurs additional costs. Additional cost is not a defense to a failure to comply with the GPLv2.
The decision is not surprising given existing German cases regarding the GPLv2. However, the case re-emphasizes the need for each company to have its own FOSS compliance process. Companies cannot simply rely on the statements of third parties. Each company should ensure that it has a formal process for handling the use of FOSS by its own employees and by third parties. This process should include:
1. Policy for the use of FOSS (“FOSS Use Policy”)
2. Request and approval process for use of FOSS by employees
3. Approval and audit process for the use of FOSS from third parties, both through third-party products and acquisitions by the company
4. Auditing process for compliance with the FOSS Use Policy.
Given the rapidity of product development and the extensive use of third-party software in most products, a FOSS Use Policy must focus on managing relationships with third-party suppliers. A company must ensure that it has a clear set of FOSS compliance standards for third-party providers. These standards should include an understanding of the FOSS management processes of such third-party suppliers. The development of a network of trusted third-party suppliers is a critical part of any FOSS compliance strategy. The Free Software Foundation Europe has useful recommendations on complying with GPLv2 obligations: http://fsfe.org/activities/ftf/useful-tips-for-vendors.en.html.
Many companies will decide that they need to automate the process by using software to scan third-party code and manage the process. Companies may also wish to use the Software Package Data Exchange (SPDX) framework to help communicate the FOSS contained in a particular product: http://spdx.org/.
Companies should adopt a formal FOSS use policy which should be integrated into the software development process. Companies should also be prepared to respond promptly to any assertions of violation of FOSS licenses and swiftly correct the problem.
I would like to thank my colleagues in Germany, Thomas Jansen and Hannes Meyle for assisting me on this post.
I have just returned from the Open Source Think Tank in Sonoma http://thinktank.olliancegroup.com/agenda_public.php. We had a great time and the discussion was vigorous! The last year has continued the expansion of open source use, confirmed recently by Laurie Wurster’s March 2011 article in the Harvard Business Review http://lawandlifesiliconvalley.com/blog/?p=619. In particular, Android has been spectacularly successful and was a significant factor in Nokia’s recent failures in the handset market. The new Nokia CEO, Stephen Elop, described Nokia as being on a “burning platform” and identified Android as one of the major sources of their problems.
I provided my traditional Legal Update on Thursday (which you can see at http://www.docstoc.com/docs/76174077/Open-Source-Think-Tank-2011-Legal-Update). The success of open source has had consequences: it has focused the attention of rights holders on the industry and made some open source companies targets for legal action. For example, Android’s success has been undercut by a tidal wave of litigation (with more than thirty-eight lawsuits filed to date). I believe that these challenges (and its modest existing patent portfolio) are the motive for Google’s decision to bid $900,000,000 to purchase Nortel’s patent portfolio.
The ubiquity of free and open source software has also resulted in many companies demanding that their suppliers provide information on their use of free and open source software and how they comply with its licenses. Yet, as recently noted by Laurie Wurster in her Harvard Business Review article, many companies have yet to adopt a formal approach to managing their use of free and open source software http://lawandlifesiliconvalley.com/blog/?p=619. At the request of our attendees, we addressed this management issue in a separate workshop.
The most interesting discussions were about the effect of cloud computing on open source. It was the subject of two panels and a brainstorming session. Nine out of ten groups in the brainstorming session believed that cloud computing was good for open source. However, attendees generally agreed that cloud computing undercuts two of the traditional advantages of open source: (1) low cost and (2) ease of use. Yet the flexibility of open source development techniques continues to provide significant advantages.
The attendees also agreed that open source companies (like all software companies) need to review their business models as customers in the cloud begin to expect “pay as you go” pricing. The tools in the cloud also permit very granular information on the use and interest in various features of a software program and the contributors who have provided those features: this capability may permit open source projects and companies to reward contributors directly for the success of their contributions.
The workshop led by AOL provided a great opportunity to work together to apply our cumulative experience in open source to real world problems. The conference works under Chatham House rules, so you will have to wait for the white paper to see the results of those discussions.
As in the past, we included plenty of time to socialize with the other attendees. First Republic Bank put on a great cocktail party on Thursday, including a tasting of Araujo cabernet (one of the cult cabs). The shift in venue from Napa to Sonoma enabled us to experience a new region of the wine country: Friday afternoon included tours at Chateau St Jean and Ledson (although Andrew somehow found wineries in Sonoma, the heart of Pinot Noir country, which focused on cabernet sauvignon). A hardier group went for a bike ride, but they split into the “wine group”, who tasted and rode 12 miles, and the hard core cyclists led by Peter Vescuso of Black Duck, who rode 30 miles. I think that the combination of topics and attendees made this Think Tank the best one to date.
We are already planning for next year, so please send us your suggestions. As in the past, Andrew is working on a white paper which will provide more detail about our discussions. I look forward to the white paper to continue the dialog!
On February 10, 2010, the Linux Foundation and the Open Source Initiative co-sponsored their first Legal Strategic Planning Session. I am glad to declare it a success. We had a very diverse group both professionally and geographically, with participants from Europe, Japan and the US.
We started the day with a discussion by Damien Eastwood (formerly of Sun Microsystems, Inc.) about his experience, both legal and practical, in moving Java and Solaris to open source models. We then had a series of presentations on license due diligence from FSF Europe and Hewlett Packard. We also discussed the increasing problem of license compliance through a constantly changing tool chain and the potential for a consistent industry-wide approach to this “Bill of Materials” problem. Heather Meeker provided an overview of the trademark issues arising in open source licensing.
Simon Crosby from Xen provided an overview of cloud technology which is the latest challenge for the FOSS community. Our luncheon speaker was Marten Mickos, who provided a business perspective on the open source model. Rob Tiller provided an overview of opensource.com. We also had a panel discussion of how best to respond to patent claims in a way which will not create problems during the litigation. Karen Copenhaver and I provided an overview of the status of the ALI Principles of the Law of Software Contracts. We finished up with a wine tasting from Pine Ridge arranged by Andrew Aitken of Olliance Group.
Karen Copenhaver deserves special thanks for conceiving of the opportunity and then organizing the first one (always the toughest!). Given the number of legal issues for the FOSS community, I am sure that we will need to continue this tradition. If you want to learn more about the discussion, Karen Copenhaver and I will be summarizing it in our Black Duck webinar on Tuesday, February 23: http://www.blackducksoftware.com/files/legal-webinar-series.html.