Much of the world’s most important, commercially significant software is distributed under copyright licensing terms that give recipients the freedom to copy, modify and redistribute it; such software is known as Free and Open Source Software, or FOSS. One could not send or receive e-mail, surf the World Wide Web, perform a Google search or take advantage of many of the other benefits offered by the Internet without free software. Businesses, however, must learn efficient ways to manage open source software without fear of legal risks.
The ‘copyleft’ licences of the Free Software Foundation are concerned with protecting the freedoms of programmers, but, more importantly, these licences protect the freedom of all users. The goal of the copyleft licences is to ensure that all users of a program, or any work based on the program, have four fundamental freedoms:
- The freedom to run the program for any purpose, without any additional permission
- The freedom to read, study, understand and use any know-how or techniques taught or contained by the source code of the program
- The freedom to modify, adapt, improve, or reuse any or all of the program code
- The freedom to share with anyone, or no one, both modified and unmodified versions of the program
The easiest way to understand licence terms is to begin with why, rather than what. The GNU licences include the GPLv2 (under which the Linux kernel is distributed), GPLv3 (which is now the licence for all GNU projects), LGPLv2 and LGPLv3 for different libraries, and AGPLv3 for Software as a Service. These licences have been written by teams comprising leading developers and their lawyers, so that they can be used by all developers without any need for aid or assistance from lawyers. Their purpose is to assure the four freedoms to all users of the licensed programs, and to all users of modified versions or of new programs containing portions of those programs. The essence of these freedoms is the prevention of proprietary enhancements to copylefted programs.
Copyright and copyleft
The primary legal regime that applies to software is copyright law. Copyleft, which uses functional parts of copyright law to achieve an unusual result (legal protection for free sharing), forms the core legal principle of these licences. It modifies, or ‘hacks’, copyright law, which is usually employed to strengthen the rights of authors or publishers, so that it instead strengthens the rights of users. Any work that is based on a copylefted program must also be licensed under the same copyleft licence. This is sometimes referred to as the ‘hereditary effect’ of copyleft or the ‘share and share alike’ principle.
With a lot of software now available under FOSS licensing terms, questions are often raised about compliance obligations, dual-licensing structures and enforcement strategies, especially now that monetisation by some copyright holders has happened at an unprecedented scale. Most organisations assume that their only choice is to buy expensive code scanning software that scans their own code and issues a Protex report concerning a product, a report which often doesn’t flag the problems that actually result in litigation.
It is not advisable to rely blindly on code scanners as they work too late in the process to improve your governance and too early in the process to catch problems in your delivery and post-sale provisioning. Code scanners do the less important parts of the job, expensively, and do not do the more important parts of the job at all. Use them where they are cost-effective, as a supplement to your own governance and verification processes, but not as a primary tool for risk management.
There are more efficient ways to manage open source software without fear of legal risks. It is better to act early in the process than to pay to defend yourself against legal action. The key to compliance is governance. Software governance means the processes by which businesses document and control what software they take in, what software they distribute, and what licence terms they incur or offer on those inbound and outbound transactions. Whether the business is selling physical products with embedded software, or software products and services, good software governance is the key to minimum-cost preparation when it comes to meeting compliance obligations.
Open source is no longer a choice but a necessary raw material as you build your company; so hire knowledgeable team members to build efficient, compliant systems at the very outset, because you need to use your resources efficiently.
In my experience of working with commercial parties building GPL compliance programmes—as well as in my role as a lawyer representing GPL licensors coping with the consequences of compliance failures—I have observed that there is a significant mismatch between the assumptions businesses make about compliance and the realities of what goes wrong, what causes disputes, and how those disputes are resolved. Often, companies incur great expenses in preparing to avoid unlikely risks that have a low historical incidence of occurrence and a low cost of remediation, while leaving unmanaged the risks that have historically resulted in all the litigation and other adverse outcomes.
Businesses must, therefore, prepare to meet their compliance obligations with minimal effort and at minimal cost, dealing preventively with the compliance risks they really face.