Tagged:Open Source

Year in Review

Wow!  That was fast.

I”ve been running my own law firm for over a year.  It’s been a blast and I’ve been very fortunate — quite a bit of exciting and interesting work came to my door last year.

Some of the highlights include:

  • Managing a dispute from initial demand letter to arbitration award — on my first day running my own firm, one of my clients received a cease and desist letter which we believed was invalid.  We pitched the case to litigators, hired them, and I was able to act as in-house counsel for the 7 month JAMS arbitration: editing and adding factual clarity to filings, attending all depositions and hearings, and eventually delivering the news after judgment.  In general, this is not my day-to-day practice, but it was very educational and modified my perspective on how contracts should be drafted and disputes relating to contracts should be approached.
  • Acting as on-site in-house technology counsel one day a week — sitting in the legal department of one of my larger clients gave me a very different understanding of the role that attorneys play within an organization.  I supported the third party inputs to software (reviewing both open source and third party proprietary licenses) and the enterprise licensing division and often witnessed first-hand the delicate balance that must be maintained between legal risk and business risk within a corporation.
  • Negotiating against the big guys — it’s part of the typical start-up experience.  Sure, you often negotiate and partner with other start-ups, but at some point, you will need something from one of the big established players.  It may just be Internet connectivity.  Or, large companies may be your sales targets.  Regardless, negotiating against a large company who insists that *we never change our forms*,  *everyone signs this without edits* and *this is completely standard* requires the expertise of someone who has seen many *standard* offerings in the applicable industry.  Over the years, I’ve dealt with Fortune 100 and Fortune 1000 companies in almost every industry, and this year was no exception.  Examples from this year include: Advertising Agencies, Amazon, Barclays, Blue Cross Blue Shield (of America and of various States), Bank of America, Chubb, Credit Suisse, CUNA Mutual Insurance, Discover, DOE Pacific, Earnst and Young, Experian, Facebook, Fidelity, Google, Honeywell, Horace Mann, Humana, JP Morgan Chase, KPMG, Lloyds, Lockheed Martin, Mass Mutual, Microsoft, Morgan Stanley, NBC Universal, Nationwide, PWC, Safeway, Samsung, State Farm, T-Mobile, Toys R US, Viacom, Walmart, and Warner Brothers.
  • Setting up the legal side of the business (forms) — a large portion of my job is limiting the amount of work I do.  I try to get my start-up companies into a position where their internal IP creation departments, online systems, sales forces, and business development teams can function with minimal legal input.  This involves an up-front investment of time to create forms that are correct for their business models.  I talk to my clients and truly understand their businesses before drafting, which avoids the extra legal fees companies often incur when their attorney starts with a square hole for a round peg.  Examples include:  Enterprise license agreements, Software-as-a-Service Agreements, trademark license agreements (branding/endorsement/certification programs), software development agreements, click-throughs (standard terms, privacy policies, API license agreements, payment obligations, revenue share, and more), commission agreements, reseller agreements, professional services agreements, master purchase agreements, NDAs, partner program agreements and technology assignment agreements.
  • Open Source — I went to law school because I was fascinated by the legal rights issues in Open Source Software.  I even wrote an award winning student note on the topic.  This year, I continued my commitment to Open Source legal issues with projects in several areas:  (i) aided a client in cleanly open sourcing a proprietary language they had developed (open source license evaluation and selection, branding issues, IP contribution agreements); (ii) performed open source audits of client codebases with the engineering teams and cleaned up any issues found; (iii) acted as special open source counsel in an Asset Purchase and Leveraged Buy-Out to help the acquirors become comfortable with the state of my clients’ open source uses; (iv) represented (and continue to represent) two clients whose business models are built around open source software projects that they manage (with monetization through professional services, support, maintenance, priority bug fixes, and bespoke development); (v) aided clients in the development of open source policies and approval processes to maintain the codebase in the proper state.
  • Everyday advice, counseling and communications — this catch all category is where the most surprises come.  Sometimes it’s just a phone call asking for a sanity check — Can we do this?  But sometimes there are more exciting issues such as requests from law enforcement, lawsuits that have been filed against clients, high level discussions about IP strategy (should we talk to patent counsel?  Should we file a TM?), letters hinting that lawsuits may be filed, formal letter writing in response to unfortunate situations, termination of contracts, privacy concerns, and much more.

Overall, last year was a great year full of good work, great learning opportunities and wonderful clients.  I can’t wait to see what this year brings.

The Sneaky Sleepycat License

Generally, commercial entities are fairly comfortable using open source software in the products they distribute if the license is a the BSD license. Entities other than UC Berkeley often deploy the BSD license in their own name, so it is common to hear people refer to a BSD-style license, or a license that is BSD-esque when referencing the BSD license in another entity’s name.

Oracle Berkeley DB is one of the few open source software products that Oracle sells. It is dually licensed under a commercial license and an open source license. You can use the open source version for free or you can pay to use the commercial version.

A quick glance at the Oracle Berkeley DB open source license looks like a collection of BSD licenses, first from Berkeley, then from Harvard, and then from Oracle.

Visually, it would easily fall into the category of “BSD-style” or “BSD-esque.”

The standard BSD license has a copyright statement, 3 numbered paragraphs, and a big disclaimer of warranties and limitation of liability in all caps at the bottom. At a glance, it’s fairly easy to recognize (partially because it is so short and sweet compared to many open source licenses).

From 2000-2006, the top license in the Berkeley DB license was in the name of Sleepycat, and when Oracle acquired Sleepycat, they modified the copyright statement in the top license to refer to Oracle.

On closer look, the former Sleepycat and current Oracle license is most definitely *not* identical to the standard BSD license. In fact, it is very, very different.

The third paragraph in the standard BSD license states:

  • Neither the name of the [COPYRIGHT HOLDER] nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

But, the third paragraph in the Sleepycat/Oracle Berkeley DB license is quite different:

  • Redistributions in any form must be accompanied by information on how to obtain complete source code for the DB software and any accompanying software that uses the DB software. The source code must either be included in the distribution or be available for no more than the cost of distribution plus a nominal fee, and must be freely redistributable under reasonable conditions. For an executable file, complete source code means the source code for all modules it contains. It does not include source code for modules or files that typically accompany the major components of the operating system on which the executable file runs.

Both of these requirements are completely legitimate license conditions.

However, the traditional BSD license is a license that is notable for its lack of copyleft obligations — in other words, you can use software that comes to you via the BSD license without too much concern about it affecting the commercial license terms that you may put on your software that incorporates it.

On, the other hand, the Sleepycat/Oracle Berkeley DB license is an extremely strong copyleft license and requires that you distribute the source code to every piece of code you distribute that utilizes the Berkeley DB.

So, word to the wise, engineering managers and software legal departments: just because it’s a BSD-style license in the visual form, does *NOT* mean it’s BSD-style with respect to software freedom and copyleft.

As much as it’s annoying, someone with a licensing background needs to review and approve every third party in-license if the technology or software is going to be incorporated into a proprietary product or code.

Oracle is *not* going to play nice

I spend quite a bit of time talking through *theoretical* risks associated with using third party software in products, particularly with respect to software that’s been developed in connection with some type of promise of openness.

I try to explain to my clients that just because things have gone smoothly thus far with respect to a particular piece of code does not mean that it will continue to go smoothly.

Oracle has just made this explanation *much* easier for me by suing Google for its use of Java in Android.

The complaint is pretty straightforward (I guess he likes it here, because after spending so much time here with respect to the Prop 8 litigation, David Boies is named as pro hac vice on behalf of Oracle).

The complaint alleges infringement by Google in its use of Java technology in the Android Platform. 7 patents held by Oracle America (the new name of the former “Sun” subsidiary) are asserted. It also alleges copyright infringement.

In many ways, this move is shocking. The entire Java mobile development community is going to be reeling. But, in other ways, I think there will be some closure. Many of my clients have been waiting to see how Oracle would treat Java. And now we know…

In particular, I’m curious how the release of Java (including the Hotspot JVM upon which the Google JVM may very well be based) under the GPL v 2.0 by Sun prior to the Sun-Oracle acquisition will play into this. Does the GPL v 2.0 license contain an implicit patent license and/or create an argument for patent exhaustion?

**UPDATE: I have been informed that the Google JVM Dalvik is a completely new implementation, written from scratch by Google, which, assuming it’s true means that any arguments based on the GPL release of the Hotspot JVM are going to need to be much more complicated (e.g. it may play into the damages calculation, or perhaps they will still try to make the patent exhaustion argument).

Stay tuned.

This should be VERY interesting.

Open Source Hardware

One of the main differences between GPL v 2.0 and GPL v 3.0 is the modifications made to address some folks’ concerns that to truly embrace the idea of “Free” or “Open” software, the license must also prohibit restrictions at the hardware level that would prohibit folks from modifying the software.

The natural extension of this concept is the idea that there should be a way to contractually ensure that hardware should also be “Free” or “Open” to modification by its users.

In the software world, we have the Open Source Definition or “OSD,” as a set of community-defined principles to guide the use and development of the term “Open Source Software.”

Now, in the hardware world, a consortium of folks have proposed a draft Open Source Hardware Definition that hopes to establish the same thing for the term “Open Source Hardware.”

Today’s version of the draft indicates that they are drawing from the OSD, as well prior drafts of their proposal and the TAPR Open Hardware License.

I wish them the best in their efforts to converge on an agreed set of principles and look forward to working with the term FOSS/H in the future.

The Real Risks of Open Source Software

Every software start-up company I’ve ever worked with uses (or did use) some form of open source software. And yet, high level executives and board members at many of these companies, when asked whether their company uses any open source software, would regularly answer, “No” without hesitation.

Where is this disconnect coming from? Open Source Software is often perceived as “risky” or “untested” or “a liability nightmare” or, in the worst case, “an infectious disease” by some business folks, while most technical software people believe the correct use of open source software to carry minimal risk.

Risky?

There are risks associated with using any third party’s software. When that third party is unidentified, not bound by a support agreement, based out of a foreign country, and/or impossible to get a hold of, then yes, it is fair to say that using it would be “risky” when compared with an established company with a business reputation to protect and an SLA to cover errors.

Untested?

In some case — it’s true. There are many untested open source projects out there. These tend to be associated with a handful of developers instead of an active community, and a little due diligence should be able to help a start-up understand whether this particular ill is a problem with the open source software they are considering using.

A Liability Nightmare?

This is, by far, the most complicated issue I face as an attorney who deals with open source issues. At its most basic, the liability equation associated with open source software is the same as that associated with any third party component. The third party would like to disclaim liability for your use of their product.

The benefit of many proprietary software licenses is that the licensor may provide limited coverage for Intellectual Property claims related to their software. But, most software publishers go to great lengths to limit the amount and type of liability they will cover relating to a third party’s use of their software.

The typical open source license expressly disclaims all liability associated with the use of the software — effectively, it comes “AS IS” on a pure “BUYER/USER BEWARE” basis. On the other hand, if you read the license agreements of proprietary software carefully, you will find that most software (unless you pay quite a bit for it), comes with an express limitation on liability that is on the order of magnitude of the purchase price. It is consistent with the approach taken by proprietary software publishers that open source authors are liable for damages related on the order of magnitude of the license fee they receive (e.g. $0).

An Infectious Disease?

One flavor of open source licenses places conditions of “freedom” upon the use of the licensed code. The most famous of these licenses are the GPL, LGPL, and the AGPL. Essentially, these licenses require, as a condition of some uses or distributions, that software code combined with code licensed under these licenses must also be made available under the same license.

These conditions make these types of licenses “viral” because they may extend the license terms to some of the additional code (e.g. the start-up’s code) that the licensed code touches.

The key word in the previous sentence is *MAY.*

Actual Risk

The thoughtful evaluation of the issues outlined above and a comparison of the likely downside against the monetary benefit of using an open source component brings a start-up to understand what I call the “Actual Risk.”

By far, the most complicated part of the Actual Risk evaluation is the technical and legal analysis related to viral licenses. However, a technical read of the license by a knowledgeable tech attorney and code review with an engineer is likely to provide a good engineer or architect with comfort that the start-up’s use of a particular open source component is not subjecting the start-up’s code base (or the portion of the code base that they care about keeping proprietary) to any “viral” risk.

The Resource Risk

Investors and potential acquirors will want their own attorneys or possibly even code auditors to assess the Actual Risk, regardless of how correct the start-up’s own analysis may be. This investigation and analysis is a time and resource drain that can be minimized by good record keeping, but can never be entirely eliminated. Even in the event of zero Actual Risk, a company will incur some Resource Risk in connection with their use of open source software.

The FUD Risk

No matter what the final conclusion may be after the Resource Risk and the Actual Risk have been assessed and assumed by a start-up, there is the risk associated with the fact that a board member or a CEO will have to answer “Yes” to the question “Do your products contain open source?” A board member or CEO may not have the time to understand the outcomes and analysis of the folks who have willingly taken on the Resource Risk and the Actual Risk. If challenged, a board member or CEO need to feel confident that they can answer the question honestly, without incurring undue scrutiny or concern. In my opinion, the biggest risk associated with the use of open source software (assuming there is no Actual Risk that hurts the start-up’s business) is the FUD risk.

The best way to combat the FUD risk is to educate board members and CEOs so that they can comfortably speak about the company’s intelligent use of open source software as a cost reduction tool in areas where the Actual Risk is minimal or non-existent and the Resource Risks are less than the costs of the proprietary alternatives.

Code as Speech

The most recent newsletter from Daniel Munitillo discusses U.S. export law as it applies to code, and determines that, for the most part, U.S. export restrictions do not apply to open source software.

Why? The First Amendment.

Specifically, he states:

. . . [a]ny and all computer code not considered classified by, or, not for official use only (FOUO) of the United States Government, which is open source, freely and publically available, exchanged for any non prohibited end use is protected under the case law cited as free speech. The case law is clear*.

Export compliance is a pain for small companies. The fact that open sourced software is protected speech and thus not subject to standard U.S. government export compliance is yet one more reason in a long list of reasons why small companies should consider open-sourcing some or all of their code when evaluating their business options.

*In accordance with Junger v. Daley, 209 F. 3d 481 (6th Cir. 2000); Bernstein v United States, 922 F. Supp 1426 (1996), 945 F. Supp. 1279 (1996), and at 176 F. 3d 1132 (9th Cir. 1997); and Karn v United States Department of State, 925 F. Supp. 1, 9-10 (D.D.C. 1996), remanded, 107 F. 3d 923 (D.C. Cir 1997), Code is protected as free speech under the First Amendment of the Constitution of the United States.