Category:Tech

The Sneaky Sleepycat License

Generally, commercial entities are fairly comfortable using open source software in the products they distribute if the license is a the BSD license. Entities other than UC Berkeley often deploy the BSD license in their own name, so it is common to hear people refer to a BSD-style license, or a license that is BSD-esque when referencing the BSD license in another entity’s name.

Oracle Berkeley DB is one of the few open source software products that Oracle sells. It is dually licensed under a commercial license and an open source license. You can use the open source version for free or you can pay to use the commercial version.

A quick glance at the Oracle Berkeley DB open source license looks like a collection of BSD licenses, first from Berkeley, then from Harvard, and then from Oracle.

Visually, it would easily fall into the category of “BSD-style” or “BSD-esque.”

The standard BSD license has a copyright statement, 3 numbered paragraphs, and a big disclaimer of warranties and limitation of liability in all caps at the bottom. At a glance, it’s fairly easy to recognize (partially because it is so short and sweet compared to many open source licenses).

From 2000-2006, the top license in the Berkeley DB license was in the name of Sleepycat, and when Oracle acquired Sleepycat, they modified the copyright statement in the top license to refer to Oracle.

On closer look, the former Sleepycat and current Oracle license is most definitely *not* identical to the standard BSD license. In fact, it is very, very different.

The third paragraph in the standard BSD license states:

  • Neither the name of the [COPYRIGHT HOLDER] nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

But, the third paragraph in the Sleepycat/Oracle Berkeley DB license is quite different:

  • Redistributions in any form must be accompanied by information on how to obtain complete source code for the DB software and any accompanying software that uses the DB software. The source code must either be included in the distribution or be available for no more than the cost of distribution plus a nominal fee, and must be freely redistributable under reasonable conditions. For an executable file, complete source code means the source code for all modules it contains. It does not include source code for modules or files that typically accompany the major components of the operating system on which the executable file runs.

Both of these requirements are completely legitimate license conditions.

However, the traditional BSD license is a license that is notable for its lack of copyleft obligations — in other words, you can use software that comes to you via the BSD license without too much concern about it affecting the commercial license terms that you may put on your software that incorporates it.

On, the other hand, the Sleepycat/Oracle Berkeley DB license is an extremely strong copyleft license and requires that you distribute the source code to every piece of code you distribute that utilizes the Berkeley DB.

So, word to the wise, engineering managers and software legal departments: just because it’s a BSD-style license in the visual form, does *NOT* mean it’s BSD-style with respect to software freedom and copyleft.

As much as it’s annoying, someone with a licensing background needs to review and approve every third party in-license if the technology or software is going to be incorporated into a proprietary product or code.

The Techiest Use of a Garden

Recently, we were invited to dinner at our friends’ home. They pulled out what appeared to be a chemistry set to make dessert:

P1020941

Clearly, this was going to be a *very* technical dessert.

Apparently, our hosts were fans of molecular gastronomy. You know, like El Bulli. And the use of such fun ingredients as alginate, and sodium calcinate, plus a scale, mental math, a Vitamix for purées and high velocity hand-whisking:

P1020946.

First, we made the fake roe — aka, apricot peach purée boules:

P1020950

P1020954

Then, we made the faux nori (aka rolled chocolate over crushed tin foil):

P1020952

We filled the rolls with rice pudding, aka sushi rice, and we sliced some “ginger” aka, Georgia peaches:

P1020953

With the addition of pistachio-nut butter “wasabi” and raspberry purée “soy sauce” our desserts were complete:

P1020956

Truly, this is one of the techiest things you can do with things that come from a garden:

P1020960

Oracle is *not* going to play nice

I spend quite a bit of time talking through *theoretical* risks associated with using third party software in products, particularly with respect to software that’s been developed in connection with some type of promise of openness.

I try to explain to my clients that just because things have gone smoothly thus far with respect to a particular piece of code does not mean that it will continue to go smoothly.

Oracle has just made this explanation *much* easier for me by suing Google for its use of Java in Android.

The complaint is pretty straightforward (I guess he likes it here, because after spending so much time here with respect to the Prop 8 litigation, David Boies is named as pro hac vice on behalf of Oracle).

The complaint alleges infringement by Google in its use of Java technology in the Android Platform. 7 patents held by Oracle America (the new name of the former “Sun” subsidiary) are asserted. It also alleges copyright infringement.

In many ways, this move is shocking. The entire Java mobile development community is going to be reeling. But, in other ways, I think there will be some closure. Many of my clients have been waiting to see how Oracle would treat Java. And now we know…

In particular, I’m curious how the release of Java (including the Hotspot JVM upon which the Google JVM may very well be based) under the GPL v 2.0 by Sun prior to the Sun-Oracle acquisition will play into this. Does the GPL v 2.0 license contain an implicit patent license and/or create an argument for patent exhaustion?

**UPDATE: I have been informed that the Google JVM Dalvik is a completely new implementation, written from scratch by Google, which, assuming it’s true means that any arguments based on the GPL release of the Hotspot JVM are going to need to be much more complicated (e.g. it may play into the damages calculation, or perhaps they will still try to make the patent exhaustion argument).

Stay tuned.

This should be VERY interesting.

Open Source Hardware

One of the main differences between GPL v 2.0 and GPL v 3.0 is the modifications made to address some folks’ concerns that to truly embrace the idea of “Free” or “Open” software, the license must also prohibit restrictions at the hardware level that would prohibit folks from modifying the software.

The natural extension of this concept is the idea that there should be a way to contractually ensure that hardware should also be “Free” or “Open” to modification by its users.

In the software world, we have the Open Source Definition or “OSD,” as a set of community-defined principles to guide the use and development of the term “Open Source Software.”

Now, in the hardware world, a consortium of folks have proposed a draft Open Source Hardware Definition that hopes to establish the same thing for the term “Open Source Hardware.”

Today’s version of the draft indicates that they are drawing from the OSD, as well prior drafts of their proposal and the TAPR Open Hardware License.

I wish them the best in their efforts to converge on an agreed set of principles and look forward to working with the term FOSS/H in the future.

Internet Taxation of Software-as-a-Service

Recently, several states have made attempts at expanding their taxation of out-of-state businesses who provide services or products to customers within the state. (See generally, the Tax Foundation Special Report No. 176, March 2010).

In many of the analyses I’ve read, folks have jumped straight into the state law analysis. But, unless and until federal law changes, there are constitutional limits on states’ rights to tax out of state Businesses

Federal Law

The Supreme Court of the United States has issued a long line of cases which holds that in order for a state to tax a business conducted within that state there must be a “Substantial Nexus” between the business and the state.(*1) Developments in the delivery of electronic communications over the Internet have made it easier than ever before for out-of-state businesses to deliver goods or services to customers within states where they have no substantial nexus under the traditional test.

Specifically, the Supreme Court has issued a bright line distinction between . . . sellers with retail outlets, solicitors, or property within a State . . . on one hand and those who do no more than . . . communicate with customers in the State by mail or common carrier as part of a general interstate business . . . on the other hand.(*2) The Court has consistently held that businesses belonging to the second group (e.g. those who have no agents within the state, but communicate with customers and deliver products to customers via generally available distribution channels within a state as part of a general interstate business) may not be taxed by the state where customers reside because it places an undue burden on interstate commerce.

This initial federal legal analysis is very important to complete before performing the analysis of the applicability of a state’s tax law.

State taxation of goods and services that are provided by out-of-state businesses over the Internet is an evolving area of the law. In 2007, the U.S. Congress extended the Internet Tax Moratorium until the year 2014,(*3) signaling Congress’s commitment to prohibiting multiple and discriminatory taxes on Internet usage. Recently, several states have taken aggressive stances attempting to assert the right to tax goods and services delivered to such states via Internet usage.

Amazon.com, in particular, is actively disputing several of these newly enacted tax laws. Amazon has responded to laws that claim the state has a right to assert taxes on sales to residents in the state as a result of Amazon’s affiliate program by (i) canceling the affiliate program in the applicable state; or (*4) (ii) challenging the state’s right to tax it in court (and thereby subjecting the state’s tax collections to dispute and making them difficult for the state to use).(*5)

The case law that will arise as a result of Internet-based companies disputing these state laws should provide some additional clarity. Additionally, it is important to note that it is the U.S. Supreme Court’s interpretation of the Congress’s exercise of its powers under Commerce Clause of the Constitution that provides mostt of the limits on how far states may extend their power to tax out of state businesses. It is not only future case law that may modify the law in this area — in the event that the U.S. Congress were to pass new legislation with an express position on interstate commerce and state taxation of out of state business over the Internet, the law would necessarily change.

Therefore, Software-as-a-Service providers need to be diligent about staying abreast of new developments in the law in these areas to ensure that they are in compliance with the current laws of the United States as well as the various states where they have customers.

*NOTES:
(1)Quill Corp v. North Dakota, 504 U.S. 298 (1992).
(2)National Bellas Hess, Inc. v. Dept. of Rev. State of IL, 386 U.S. 753 (1967)
(3)Tax Foundation Special Report No. 176, March 2010 http://www.taxfoundation.org/publications/show/25949.html
(4)(e.g. Colorado, North Carolina, and Rhode Island) Id.
(5)The New York trial court found for the State of New York, the case is currently on appeal to New York’s intermediate court, the New York Supreme Court, Appellate Division. Id.

The Latest Case Against Facebook

On May 5, 2010, The Electronic Privacy Information Center (EPIC) filed a complaint with the FTC regarding Facebook’s privacy practices (or lack thereof).

The biggest two complaints, to my reading are that (1) Facebook unilaterally tried to convert some information previously designated as private to public; and (2) Facebook changed its developer data retention policy to allow developers to retain end user data indefinintely.

Neither of these changes benefits end users, no doubt. But, what I’m fascinated to see is that today, a mere 12 days after the complaint, the user experience is significantly different from the experience described in the complaint (notably, the experience is more protective of user’s data when compared against the experience described in the complaint).

The legal process is slow and cumbersome and using it to argue with a quick and nimble internet-based adversary is going to be frustrating, to say the least. However, where end users are concerned, perhaps the quick responsiveness of Facebook is a benefit. If enough people complain, they just roll out a fix, long before the Feds, or the courts order them to do so. Certainly, this means that the fix is likely to be on Facebook’s preferred terms, rather than what the court or Feds order, but isn’t a quick fix better than a long period of open sharing without a fix (when it comes to privacy)?

I’m not saying I approve of Facebook’s most recent blunders. But, I do applaud of their quick “opt-in” and “opt-out-of-all” additions after the complaint about the blunders. And, I’m fascinated to see how or where the law fits in this world where the facts upon which any legal claims may be based are so ephemeral.

The Google Shareholder Meeting: Tidbits

Yesterday, I took some time out of my day to attend the Google annual shareholder meeting.

This meeting is more of a formality than many such meetings held by public companies.  As of the record date, the officers and directors held a total of 70.2% of the voting power of the company — so, obviously, everything has (or should have) been decided before the meeting.

Perhaps because of this, the formal portion of the meeting was a dry speed-reading session of various folks reading their portion of the Proxy Statement out loud.

In contrast, the complimentary on-campus lunch on the patio and the product demos prior were a big hit with those in attendance, as was the informal presentation and post-vote question and answer period.

Eric Schmidt’s presentation included a great Chrome ad, and some fun Internet facts, such as:

-10 years ago, there were 300M users on the Internet, today there are 1.2B.

-Today, there are 800 exabytes (1 EB = a billion GB) of information on the reachable Internet.

-Every minute there are 24 hours of video uploaded to YouTube and about 1/2 of those videos receive comments

-Eric said, “If you’re not using Chrome, you need to try it — everyone else is starting to use it.”  I chuckled internally when I heard this, since I was sent to building 43 to print my shareholder proof, and the browser they presented to me was Firefox.

-Google Translate is translating 160M pages/day.  And Larry, when asked by the man behind Willworkforjustice.blogspot.com, said that he thought translate was the Next Big Thing. (Note — for more info check out this Play-by-Play post on the meeting)

Other than that, several folks took the microphone to give heartfelt praise and thanks to Google for their stance in China, and several others took the microphone to denounce and complain about the horrid handling of the proxy materials (Eric Schmidt asked  Patrick Pichette to personally meet with each of the grumpy folks after the meeting — I bet that was fun).

My favorite microphone participant was the very excited woman from Frederick, MD, who drove all the way across the country in her Google-themed car (with a brief stop in Topeka) to make a personal plea for Frederick, MD (with a second request on behalf of Topeka) to win the Google Fiber-Optic City contest.

All-in-all, it was a great way to spend a couple of hours.  Given that it’s down the street from my office, I think I may take the afternoon off to attend next year as well.

The Real Risks of Open Source Software

Every software start-up company I’ve ever worked with uses (or did use) some form of open source software. And yet, high level executives and board members at many of these companies, when asked whether their company uses any open source software, would regularly answer, “No” without hesitation.

Where is this disconnect coming from? Open Source Software is often perceived as “risky” or “untested” or “a liability nightmare” or, in the worst case, “an infectious disease” by some business folks, while most technical software people believe the correct use of open source software to carry minimal risk.

Risky?

There are risks associated with using any third party’s software. When that third party is unidentified, not bound by a support agreement, based out of a foreign country, and/or impossible to get a hold of, then yes, it is fair to say that using it would be “risky” when compared with an established company with a business reputation to protect and an SLA to cover errors.

Untested?

In some case — it’s true. There are many untested open source projects out there. These tend to be associated with a handful of developers instead of an active community, and a little due diligence should be able to help a start-up understand whether this particular ill is a problem with the open source software they are considering using.

A Liability Nightmare?

This is, by far, the most complicated issue I face as an attorney who deals with open source issues. At its most basic, the liability equation associated with open source software is the same as that associated with any third party component. The third party would like to disclaim liability for your use of their product.

The benefit of many proprietary software licenses is that the licensor may provide limited coverage for Intellectual Property claims related to their software. But, most software publishers go to great lengths to limit the amount and type of liability they will cover relating to a third party’s use of their software.

The typical open source license expressly disclaims all liability associated with the use of the software — effectively, it comes “AS IS” on a pure “BUYER/USER BEWARE” basis. On the other hand, if you read the license agreements of proprietary software carefully, you will find that most software (unless you pay quite a bit for it), comes with an express limitation on liability that is on the order of magnitude of the purchase price. It is consistent with the approach taken by proprietary software publishers that open source authors are liable for damages related on the order of magnitude of the license fee they receive (e.g. $0).

An Infectious Disease?

One flavor of open source licenses places conditions of “freedom” upon the use of the licensed code. The most famous of these licenses are the GPL, LGPL, and the AGPL. Essentially, these licenses require, as a condition of some uses or distributions, that software code combined with code licensed under these licenses must also be made available under the same license.

These conditions make these types of licenses “viral” because they may extend the license terms to some of the additional code (e.g. the start-up’s code) that the licensed code touches.

The key word in the previous sentence is *MAY.*

Actual Risk

The thoughtful evaluation of the issues outlined above and a comparison of the likely downside against the monetary benefit of using an open source component brings a start-up to understand what I call the “Actual Risk.”

By far, the most complicated part of the Actual Risk evaluation is the technical and legal analysis related to viral licenses. However, a technical read of the license by a knowledgeable tech attorney and code review with an engineer is likely to provide a good engineer or architect with comfort that the start-up’s use of a particular open source component is not subjecting the start-up’s code base (or the portion of the code base that they care about keeping proprietary) to any “viral” risk.

The Resource Risk

Investors and potential acquirors will want their own attorneys or possibly even code auditors to assess the Actual Risk, regardless of how correct the start-up’s own analysis may be. This investigation and analysis is a time and resource drain that can be minimized by good record keeping, but can never be entirely eliminated. Even in the event of zero Actual Risk, a company will incur some Resource Risk in connection with their use of open source software.

The FUD Risk

No matter what the final conclusion may be after the Resource Risk and the Actual Risk have been assessed and assumed by a start-up, there is the risk associated with the fact that a board member or a CEO will have to answer “Yes” to the question “Do your products contain open source?” A board member or CEO may not have the time to understand the outcomes and analysis of the folks who have willingly taken on the Resource Risk and the Actual Risk. If challenged, a board member or CEO need to feel confident that they can answer the question honestly, without incurring undue scrutiny or concern. In my opinion, the biggest risk associated with the use of open source software (assuming there is no Actual Risk that hurts the start-up’s business) is the FUD risk.

The best way to combat the FUD risk is to educate board members and CEOs so that they can comfortably speak about the company’s intelligent use of open source software as a cost reduction tool in areas where the Actual Risk is minimal or non-existent and the Resource Risks are less than the costs of the proprietary alternatives.

How To Find Your Start Up Lawyer

There are any number of ways to go about finding the lawyer that is the right fit for your new company. Matt Bartus recently posted his thoughts on some of the questions you should ask.

Overall, I agree with Matt, you should ask all of the questions he poses and evaluate the answers. However, I have a few additional points that you may wish to consider:

1. If you are bootstrapping your company entirely, and do not expect or intend to take any venture financing because you intend to build a successful cash business that you want to privately control, you may need to question much of the traditional “start-up” legal (and business) advice.

Specifically, if you are covering your own costs out of pocket, you will probably best served by finding two or three good specialized solo attorneys or attorneys at smaller law firms who specialize in the types of services you will need for small emerging businesses. These attorneys are likely to offer fast responses to your needs in the areas where you have issues, but they will have significantly less overhead (and thus significantly lower fees) than a traditional large law firm.

While many large law firms defer billing if they believe you will be getting venture capital funding or if you will be experiencing a liquidity event in the near future, if that is not your goal, it is likely that you will be asked to pay your fees to keep your account current.

2. The large law firm industry’s focus on “Senior Attorneys” “Junior Attorneys” and “Partners” is very different from the meritocracy within the start-up culture.

Rather than focus on how advanced an attorney’s skill set is, most large law firms categorize attorneys solely based on the number of years that each attorney has been in legal practice. This means, that in most firms, the titles are not related to how talented or how effective the attorneys are (with the exception of equity partnership, which often is an indicator of excellence as it is peer-selected).

It is possible that a Junior Attorney is actually a professional with 15 years of relevant business experience coupled with 2 years of legal training. In fact, at one law firm where I worked, an individual with a PhD and 18 years of relevant biotech experience started on day one as a “first year associate” in patent prosecution alongside his 24-year-old colleagues who hadn’t worked a day in the professional world. So, while I would agree with Matt that Junior Attorneys are often not more cost effective than attorneys with more experience, that is not always the case.

On the other end, it is possible in some law firms to earn a business card with the title of “Partner” after a set number of years (often 7 or more) so long as the attorney has billed the requisite number of hours each year. In these law firms, the partnership is often stratified between equity partners, income partners, partial equity partners, etc. An income partner may or may not be very talented, but the “Partner” title alone is not sufficient to guarantee that they will provide the skills you need. So, again I agree with Matt: ask for references and follow up.

3. A good solo or small firm attorney can act like in-house counsel — a cost-effective go-to first responder who evaluates the risks and, if necessary, can act as a gatekeeper to help manage the additional service providers who may be necessary to get the job done.

I work in many capacities with my clients, but the most common role I play is this — my clients have identified that the majority of their day-to-day legal needs fall into the category of “commercial contracts” that focus on intellectual property in all of its forms, services, and money. Because this is my specialty, I provide them drafting, editing, advice and legal analysis in this category, and when they ask for something outside of my expertise, I explain my relative inexperience, and let them know that I have a choice:

a) If I think it’s close to my practice area I can do the research and determine whether I think I can learn what I need to know to do a good job and then offer to do it while writing off my professional education time; or

b) I can refer them to someone I believe is a good fit for their needs.

In this way, my role as a solo practitioner is much more like the role a dedicated in-house counsel plays within larger companies (in-fact, I work on-site to support an in-house legal department of a public company one day per week, and in that capacity, I’ve been impressed by how important management of outside law firms is to running a successful legal department).

So, yes, a solo practitioner or small firm attorney who specializes in transactional work can’t walk down the hall and ask a litigation partner how to manage a dispute. But, if they are good, they should have a great network of qualified attorneys to whom they can refer. They can call litigators with whom they are currently working (I’m working with two litigation partners on a dispute for one of my clients right now), or with whom they’d like to work in the future (I’ve had several litigators take me out to lunch to pitch their expertise and desire to work with my clients) and ask for some professional courtesy advice.

A solo or small firm attorney can refer you to the best fit, no matter who they are, without fear of offending “the attorney down the hall.” And, if you do (and I hope you don’t) find yourself in need of a litigator, a good solo (like a good in-house counsel) can help you manage a competitive bidding process to ensure you get the best fit at the most cost effective price for your needs.