
Journal: September 2004 Issue 57

Open Source

How to Deploy Open Source in a Litigious Environment

In "How to Deploy Open Source in a Litigious Environment", Abrahams and Arnott consider the continuing trend among governments, both in Australia and abroad, to adopt open source software on a wide scale. They provide an outline of the current threat of litigation in the area of open source and set out some practical solutions for organisations seeking to minimise these threats.



Nick Abrahams is the national leader of Deacons' Technology, Media and Telecommunications Group and the Asia Pacific representative on the American Bar Association's Open Source Committee. Alan Arnott is a lawyer in Abrahams' group with a background in programming and computer science.



1 Introduction

Almost all organisations are currently running open source software. There are numerous legal risks associated with using this software. Often assessment of these risks is being done by the software developers themselves without any proper legal review. This presents a real danger for organisations.

This article looks at the benefits of open source in the shadow of the SCO litigation and the threat of patent litigation and discusses a number of risk management strategies that organisations can adopt to minimise their risk.

1.1 Open Source in Government

Open source is gaining significant momentum throughout government departments on a worldwide scale. Domestically, the NSW Roads and Traffic Authority has already implemented a large scale open source project,[1] and the NSW Office of State Revenue has revealed that its mission critical applications will run on Red Hat Linux servers.[2] In addition, the NSW Government has recently announced that it will spend a minimum of A$40 million on deploying open source Linux throughout Government departments.[3] Other states and territories are also recognising the benefits of open source. For example, the ACT Government Procurement (Principles) Guideline 2002 now explicitly requires government entities to consider open source software as far as applicable.

In the US, open source adoption at the state level is at a more mature stage, with government bodies having already approved at least 90 open source projects.[4] Widespread implementation of open source in the US is continuing. For example, as part of the California Performance Review, a body of independent auditors and experts has recommended to Californian Governor, Arnold Schwarzenegger, that California more extensively consider implementing open source, as one of a number of recommendations with a combined potential to save California more than US$32 billion over the next five years.[5]

In Europe, the municipality of Vienna has announced that it will offer half of its government agencies the choice of migrating to open source in 2005 in an attempt to alleviate the current reliance on proprietary systems.[6] While over 500 German government agencies are already reportedly using open source,[7] Munich's government has also planned to migrate its systems to open source under the appropriately named "LiMux" (Linux for Munich) project. However, the Munich community has publicly voiced its concerns over the imminent threats to open source.[8] IT professionals and legal practitioners should be aware of these threats and ensure they are contemplated in an organisation's requirements, analysis, design, and maintenance and updating phases of the software development cycle.

1.2 What is "open source"?

Open source refers to the open-ended availability of source code (readable by humans) that is used by software developers and programmers to create computer applications. Source code is compiled or converted into an object code version (readable by computers), that is the "closed source" software package that is commonly available to end users. In relation to proprietary software, end users are not usually privy to the source code unless they surreptitiously decompile (reverse engineer) the object code, which is almost always strictly prohibited. Open source reverses this restrictive approach, by attaching a copy of, or otherwise making available, the source code to end users with each copy of the final object code version of the software application.

The main benefit of open source software, the majority of which is available for downloading via the Internet, is that it can be accessed, added to, modified and reconfigured by potentially thousands, if not millions, of programmers. The result is a system that is conducive to the collective development of source code resulting in software, at least in theory, that is more robust and secure than proprietary code developed by one organisation alone. This freedom to access source code is often misinterpreted as software free of licensing fees, which is not always the case. Further, the savings that can accrue from avoiding licence fees are often abrogated by significant mark-ups on ancillary services like maintenance and support.

There is no single open source licence that is used in all open source applications. On the contrary, there is a plethora of open source licences. Some of the more well known licences are the Apache Licence, the General Public Licence (GPL) and the Mozilla Public Licence (MPL). However, software developers often draft their own terms and conditions based on their circumstances. Notwithstanding this, the Open Source Initiative (OSI), a non-profit corporation that manages and promotes the "Open Source Definition", has defined open source as software that can be distinguished from its closed source counterpart by the following features, a platter that each software licensor is, of course, free to pick and choose from as they please:[9]

Free Redistribution: The licence cannot restrict a licensee from selling or giving away the software where it is combined with other software in an aggregate form and it cannot require payment of a royalty or any other fee for the redistribution;

Source Code: The source code must be distributed in both its precompiled (source code) and compiled (object code) forms, and must be easily accessible, preferably via the Internet;

Derived Works: The licence cannot restrict modifications and derived works and must allow redistribution of any derivations under the same terms as the original software licence;

Integrity of the Author's Source Code: Where "patch files" are used to incrementally modify the program at the time of compilation, the original source code may be restricted from being modified or derived works may be required to be separately identified;

No Discrimination Against Persons or Groups: The licence must not discriminate against any person or group of persons;

No Discrimination Against Fields of Endeavour: The licence cannot restrict or prevent the software from being used in specific fields of endeavour;

Distribution of Licence: The rights attached to the software must be redistributed with the program without the need for additional licences;

Licence Must Not be Specific to a Product: The rights attached to the software must not require integration into a particular product;

Licence Must Not Restrict Other Software: Any software, proprietary or open source, may be distributed along with the licensed software; and

Licence Must be Technology-Neutral: No provision of the licence may be predicated on any individual technology or style of interface.

2 Threats Arising from Open Source

Apart from the wide ranging legal threats arising from open source, such as the lack of warranties, mandatory obligation to redistribute proprietary code which "contains" open source code, potential claims of employee code ownership and potential security vulnerabilities, there is also the threat of open source litigation. However, if managed correctly, the potential injunctions and damages claims can be avoided or at least minimised.

2.1 "SCO" Copyright Litigation

The SCO Group, Inc., a company incorporated in Delaware (SCO), has been involved in litigation with a number of software vendors including IBM and Novell, claiming each vendor has breached SCO's intellectual property rights by incorporating SCO's proprietary Unix code into their own distributions of Linux. Other users such as Autozone and Daimler-Chrysler have also been subjected to claims from SCO. The claims are significant, with the claim against IBM now standing at US$3 billion. Should the SCO litigation find that the Linux Kernel (the "core" of the operating system responsible for providing computer programs with secure access to the hardware components) does in fact infringe SCO's intellectual property rights, it is likely that Linux users would be in breach of SCO's intellectual property rights unless the infringing sections of Linux were replaced or a licence was obtained from SCO.

2.2 Patent Litigation

Open Source Risk Management, Inc. (OSRM), recently announced it had found 283 software patents that could potentially be used in patent claims against Linux.[10] IBM Senior Vice President Nicholas Donofrio has stated that IBM would never use its patent portfolio against Linux.[11] However, Microsoft holds 27 patents that Linux users may potentially be infringing and it is unclear whether Microsoft would assert its patent portfolio against open source users.[12]

3 Assuaging the fear of litigation

For organisations looking to implement Linux and other open source architectures, there are a number of legal risk management options available. Some of the options available include:

  1. Purchasing a litigation insurance policy that can minimise the losses from potential litigation;
  2. Purchasing a patent licence, which must be done in a way that is consistent with the provisions of the applicable open source licence;
  3. Purchasing indemnification policies such as Red Hat's Open Source Assurance Plan or Novell's Linux Indemnification Program;
  4. For organisations involved in the development of software, taking care to inform software developers (both employees and external developers) that they are not to incorporate open source code into the organisation's proprietary software without approval. Organisations may require developers to sign an agreement that all code they contribute to projects is not open source and indemnify the organisation against any claims arising from any open source code they do include;
  5. Choosing a licence that contemplates issues arising from patent infringement claims, for example the MPL; and
  6. To the extent possible, linking to open source code at run time (i.e. when the software is run by users) via an Application Program Interface, which allows one piece of software to communicate with another, rather than incorporating open source into an organisation's proprietary source code. While this is a contentious issue in the open source community, it could reduce the risk of having an organisation's entire proprietary code base vulnerable as a result of claims that the proprietary software "contains" the open source code.

4 Conclusion

Open source software represents the future of the software industry and organisations will need to adopt software development methodologies and procedures to accommodate the novel legal issues this movement has created. There needs to be an open dialogue between the IT department and the organisation's legal function to ensure that the organisation is fully protected from these legal issues.

Footnotes

1       Chris Jenkins 'NSW paves way for Linux move' (2004) news.com.au http://www.news.com.au/common/story_page/0,4057,10431763%5e15306,00.html

2       'NSW Office Of State Revenue Banks on Open Source for Mission Critical Applications' (2004) ORACLE Australia http://www.oracle.com/global/au/press_releases/oow_dell_osr.html

3       Ben Woodhead 'NSW increases Linux project to $40m' (2004) The Australian Financial Review

4       Stephen Shankland, 'Government bodies 'embracing open source'' (2004) ZDNet UK http://news.zdnet.co.uk/business/0,39020645,39165424,00.htm

5       'SO10 Explore Open Source Alternatives' (2004) California Performance Review http://www.report.cpr.ca.gov/cprrpt/issrec/stops/it/so10.htm

6       Correspondents 'Vienna joins open source trend' (2004) Australian IT http://australianit.news.com.au/articles/0,7204,10369714%5e15344%5e%5enbv%5e15306-15321,00.html

7       John Blau 'Over 500 German govt agencies using open source' (2003) Computerworld.com.sg http://www.computerworld.com.sg/pcwsg.nsf/unidlookup/0D52113E72876B8F48256D5500208F1B?OpenDocument

8       Michelle Delio 'Munich Open Source Plows Ahead' (2004) Wired News http://www.wired.com/news/infostructure/0,1377,62236,00.html

9       http://www.opensource.org/docs/definition.php

10       eWEEK Editorial Board 'Time Is Now for Linux Vendors to Protect Users' (2004) eWeek http://www.eweek.com/article2/0,1759,1634067,00.asp

11       Stephen Shankland 'IBM pledges no patent attacks against Linux' (2004) ZDNet http://zdnet.com.com/2100-1104_2-5296787.html

12       Robert McMillan, IDG News Service 'Microsoft patents could threaten Linux' (2004) TECHWORLD http://www.techworld.com/opsys/news/index.cfm?NewsID=2012



Copyright © 2001, NSW Society for Computers and the Law, All rights reserved. Last Modified 28 Feb 2007.