There is more to free software applications than meets the eye. John Buyers looks at the legal risks of open source software
At face value, the open source software (OSS) proposition looks too good to be true. Free, or at least inexpensive, software applications that provide equivalent functionality to much more expensive proprietary products, backed up by thousands of software developers constantly working on upgrades and fixing bugs.
As ever, the reality is more complicated. OSS may usually be free and flexible, but it is still protected by copyright and licensed. To quote the Free Software Foundation (FSF): "Free software is a matter of liberty, not price. To understand the concept you should think of ‘free’ as in ‘free speech’, not as in ‘free beer’."
It is the proliferation of different licences for OSS that can create problems for businesses using or adapting open source applications or code. These include the most commonly found licence templates, such as the General Public License (GPL), the Mozilla Public License, the Apache License and the Berkeley Software Distribution License while others are issued by IT companies such as Intel, Sun Microsystems and IBM.
Many open source licences are certified by the Open Source Institute (OSI) and generally, these certified licences allow for the source code to be inspected, used, copied, modified and distributed without paying a fee or royalty, but even OSI-approved licences can have some critical differences.
For example, some, such as Mozilla, require that any modification to the code should be made publicly available and there are usually stipulations about how modified versions of the code can be relicensed, particularly with regard to crediting the original source, warranties, disclaimers and indemnities.
The latest version of the GPL — GPLv3 — currently being drafted by the FSF, seeks to tighten the restrictions on the exploitation of OSS by restricting the use of digital rights management (DRM) and software patenting in open source code. This somewhat crusading measure is seen as particularly targeting hardware devices that contain embedded OSS.
The Tivo PVR set-top box is a particular example. This device, although based on Linux architecture, is heavily protected by patents and DRM protection. It is this so-called ‘Tivoisation’ which is outlawed by the latest GPLv3. Linus Torvalds, creator of the Linux operating system, has voiced strong opposition to this measure, pointing out that it should not be the job of OSS providers to dictate what can and cannot be specified in hardware devices.
To illustrate the variety of open source approaches, some OSS licences permit users to inspect the code but not to modify it, as is the case with those issued by proprietary developers such as Microsoft. However, other OSS producers may also issue different versions of an open source licence, depending on whether the end user is a business or home user. Other products, for example Sun Microsystems’ Star Office package, are sold on a proprietary ‘shrink wrap’ basis with technical support, while also being freely available as an unsupported open source downloadable distribution.
None of these are particularly complicated issues on their own, but legal complications can arise when a business uses a number of open source applications or sources of code, each with different restrictions and obligations and there still remains a lot of uncertainty about the legal position when integrating open source code or adapting it by the creation of derivative versions.
For instance, some licences, including the current version of the GPL, require that all derivative works must "in turn" be licensed under the GPL — a rather difficult concept to accept if you have just funded extensive bespoke adaptation that could potentially give you an edge over your competitors.
Given the relative newness of the OSS concept, it can sometimes be difficult to pinpoint where the dangers of using OSS lie. Indeed, the proponents of OSS accuse the proprietary software industry of spreading scare stories (socalled ‘FUD tactics’ — Fear-Uncertainty-Doubt) to undermine the growth of the open source sector.
However, there are some areas where businesses should clearly be mindful of the risks of using open source-based software. In 2003, the SCO Group, which develops products around the Unix operating system, sued IBM and subsequently other companies including DaimlerChrysler and Autoparts for using the open source Linux operating system (which was developed from a Unix ‘kernel’ and is now a hugely popular open source operating system), claiming that part of its code was subject to its copyright.
Although the cases are still ongoing, SCO’s argument looks weak, but in terms of time and aggravation, the matter has been a costly one for the defendants.
As time passes, the growth of software patents in the US may also spell trouble for OSS — hence the move in the GPLv3 to declare software patent protection incompatible with open source principles — however this will almost certainly be a problem for the proprietary vendors as well. Traditionally, software was only viewed as being protected by copyright, but the US Patent and Trademark Office has in recent years increasingly under-mined this principle by the granting of ever more software-based patents.
In Europe, the immediate threat of a directive on software patenting has receded with the overwhelming rejection by the European Parliament in July 2005 of the proposed directive on the patentability of computer-implemented inventions.
As far as aftersales care is concerned, although some companies provide comprehensive support for the mainstream software, such as their own distributions of Linux, many open source products often have limited or no technical support. While the size of the community of open source developers means that OSS is often debugged more rapidly than proprietary software and becomes more reliable as a result, there is also no warranty with open source products and no software developer to take responsibility for (or at least to indemnify an innocently infringing user for) a product that is found infringe another’s intellectual property.
The US Department of Homeland Security, ever mindful of the security threat to the US economy that bug-ridden software could pose, has recently commissioned a national database from, somewhat ironically, a proprietary consortium of companies to document known bugs in OSS code.
Many of these issues are a function of the youth of the open source concept and the lack of standardisation that inevitably results.
Although ‘freeware’ has been around for some decades, the open source concept has only been in common use since 1998 and debate continues about the its exact definition. There are a variety of ‘flavours’ of open source, each dictated by their own licensing terms, so one must be careful not to fall into the mistake of treating all OSS uniformly.
The uncertainty that these problems creates has inevitably drawn the attention of the authorities in the more highly regulated industries, such as the banking and financial services sector. Furthermore, the licensing issues around a businesses’ open source applications infrastructure are also becoming a more important factor during merger and acquisition negotiations — specifically in relation to the due diligence process.
This does not mean businesses should not take advantage of the many excellent open source products in the market but businesses do need to tread carefully. Programmers frequently incorporate open source code into their work without considering the licensing implications and it is clear that many chief information officers may not yet know the precise and pervasive extent to which OSS has permeated their company’s systems architecture.
The more prudent CIOs will be aware of where open source code has been used in their company and will have paid for a solution to track such usage. They will have an understanding of which licences apply where and how these licences constrain use of their deployed OSS, above all, they will have a full appreciation of the old maxim: there really is no such thing as a free lunch (or, indeed, a free beer).
John Buyers is a partner and head of commercial, outsourcing and technology at Stephenson Harwood.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.