Open Source Compliance


Open source compliance failures can pose a serious threat to affected companies. Here is an overview.

Since the first open source license was enforced by a German court in 2004, there has been no doubt about the validity of such licenses. Traditionally, licenses are enforced by the community, which is known as community enforcement, but increasingly individual developers are enforcing licenses in their own interests. Since hundreds or even thousands of developers are often involved in open source projects, the shift from community enforcement to individual enforcement has increased litigation risks.

Enforcement of Open Source Licenses

Violations of open source licenses have been pursued out of court since the 1980s – mainly in the US. The first court proceedings based on a license violation, however, did not take place until 2004 in Germany. Three years later, the first lawsuit was filed in the US. Since then, the number of enforcement actions in court has steadily increased. Today, scores of court proceedings concerning enforcement of open source licenses are conducted across Germany. One reason for this is the efficiency of summary proceedings in the German legal system.

Interim Injunctions Exert Pressure

In the event of license violations, cease-and-desist orders can be quickly obtained through summary proceedings. In such cases, users must immediately refrain from using the open source software in a license-violating manner. This also means that any products containing the open source software can no longer be readily used or sold. In a worst-case scenario, this can lead to a critical system outage or a ban on sales. Hence, cease-and-desist orders can quickly exert enormous pressure on companies using open source software in a license-violating manner.

Loss of Utilisation Rights

Lawsuits for non-compliance with open source licenses are usually based on the copyright-infringing use of open source software. The reason: open source licenses grant users comprehensive copyright utilisation rights, but at the same time they also provide safeguarding mechanisms. In many cases, sanctions for non-compliance are severe. In the event of license violations, users lose the utilisation rights they have been granted. Consequently, using the software in a copyright-infringing manner can result in claims for removal, injunctive relief, and recall of the infringing products. These claims exist irrespective of fault. Whether or not the company was aware of its failure to comply with open source licenses is irrelevant.

The situation is compounded by the fact that with regard to many open source licenses the loss of utilisation rights is already triggered by minor license violations. Minor negligence in open source compliance can therefore result in the user being treated like a "software pirate."

Open Source Compliance: Community Enforcement

The open source community aims at ensuring open source compliance and does not attempt to punish companies for violating licenses. Most members of the developer community support the informal enforcement of open source licenses, and do not seek legal disputes. This idea also becomes apparent in the "Principles of Community Enforcement" developed by the Software Freedom Conservancy, a non-profit organisation supporting open source projects.

These principles make it clear that the open source community is committed to open source compliance. The primary objective is to provide violators with information they can use to bring open source software into compliance with the license terms in the future. Financial benefits are not a priority.

From the point of view of a company, however, the lenient approach of "community enforcement" helps little. Companies will certainly appreciate receiving information on how to remedy non-compliance with a license. In many cases of license violations – such as wrong or incomplete copyright notices – companies can quickly take corrective action. It should be noted, too, that licenses usually contain some provisions that are problematic for companies.

Copyleft Effect Feared by Companies

The "copyleft effect" of many licenses is particularly feared. This refers to the company's obligation to make its own further developments of open source software, or possibly also software components that were combined with open source software, available under the open source license. This means that companies can no longer license this software under their own license terms, which puts a stop to proprietary licensing strategies. This is exactly the purpose of copyleft. Since open source licenses usually demand that the software's source code be disclosed (at least) to all users, this poses the risk of loss of business secrets.

It is evident that in many cases companies cannot fulfil these obligations without risking their business model. Therefore, from the point of view of an affected company, the consequences of community enforcement can indeed be disastrous. On the other hand, it is understandable from the point of view of the community that such business interests cannot be taken into consideration. If a company refuses to comply with licensing obligations, community enforcement will result in court proceedings, despite the fact that legal action is a last resort.

Such proceedings are often sponsored by crowdfunding or donations, such as the lawsuit currently conducted by Christoph Hellwig against VMware.

Individual Actors and Copyright Trolls

Under German law (§ 8 (2) sentence 3 German Act on Copyright and Related Rights (UrhG)), each joint author is entitled to assert claims arising from violations of the joint copyright. In principle, each developer who contributed to open source software may assert claims and enforce such claims in court. Hundreds or even thousands of developers are often involved in open source projects, which means that innumerable claim holders can assert their own rights to open source projects.

Despite the large number of potential claim holders, independent individual actors have filed comparatively few lawsuits so far. Some developers, however, have started to take on the enforcement of their rights themselves. Contrary to community enforcement, profit interests often take precedence in this regard.

Disapproval for McHardy's cease-and-desist letters

The activities of Patrick McHardy, a former member of the Netfilter development team, have met with special disapproval in the community. For some years, McHardy has had numerous cease-and-desist letters sent for alleged violations of the GPL. In these letters, he specifically criticises copyright infringements relating to the iptables software package. In July 2016, the Netfilter development team suspended McHardy because – according to the team – his activities contradicted the community's principles. These community principles, however, are merely non-binding guidelines. Individual actors such as Patrick McHardy can continue to assert their full range of claims.

The Main Focus is to Maximise Profit

The course of action taken by some individual actors enforcing open source licenses can be compared to actions taken by patent trolls. Similar to a patent troll, a copyright troll asserts numerous alleged copyright infringements. He does not seek to protect his own products, but to maximise profits. The open source compliance failure is criticised in a cease-and-desist letter, which also involves the obligation to pay a fine. Based on this cease-and-desist letter, a range of claims (including removal, injunctive relief, recall of the infringing products, compensation, etc.) is asserted, along with the demand that a cease-and-desist commitment (subject to punishment) be issued within a short period of time. This strategy is intended to create pressure. If the affected company does not issue the requested cease-and-desist commitment subject to punishment, the rights holder can obtain a cease-and-desist order by way of summary proceedings. This can lead to a court injunction, which may result in a ban on sales or a system outage.

Strategy: Exploiting Pressure

A copyright troll will exploit this high-pressure situation. The troll will offer either to refrain from enforcing rights against payment of a charge, or to license the software against payment of a license fee (dual licensing). In many cases, both options have only limited benefits for affected companies. The developer can license only those utilisation rights he is entitled to. All other developers can still assert their rights. If a company decides to pay a license fee to the developer, this can, in a worst-case scenario, bring copycats to the scene. Instead of settling the matter, a precedent is often created, which can quickly lead to further claims by copycats.

Another strategy used by copyright trolls is to take action against irrelevant software. Companies might then be inclined to cease use of this software and issue the requested cease-and-desist commitment subject to punishment. A holder of rights seeking to maximise profits will not leave it at that. He will apply this strategy to widely used open source components found in various software products. Since the software component may be used in other important software products for the company, this strategy can result in extensive payment claims.

Issuing the cease-and-desist commitment subject to punishment does not necessarily conclude the matter. On the contrary, the copyright troll will then attempt to profit from the cease-and-desist commitment subject to punishment. A particularly perfidious troll will identify a suitable "target" at an early stage. In many cases, this will be software that is highly important to the company.

Significance of Open Source Compliance

For some time, the open source community has discussed how to put a stop to the copyright troll game. Approaches such as the "Principles of Community Enforcement" and the Linux kernel developers' "Kernel Enforcement Statement" were created to regain lost trust. Large companies such as Facebook, Google and IBM are already committed to these principles.

In view of the millions that can be generated by aggressively pursuing license violations, copyright trolls are likely to continue their activities despite these measures.

In addition, many issues regarding open source law are still unclear. The wording of license terms is often so imprecise that even the scope of the rights being granted is not clear. This "construction error" can be exploited by anyone seeking to enforce claims for profit. Cases have become known in which even over-the-air distribution of open source software was criticised for license violations. The licenses do not contain a clear provision for this form of use, which can be exploited by a holder of rights seeking profits.

Excluding Open Source Software is Unrealistic

Despite all the risks, it is generally sensible to use open source software in companies. A general ban on open source software is outdated and unrealistic. It is, however, important to control the use of open source software by suitable governance while bearing in mind the risks. Software developers can, for example, introduce a compliance milestone where open source compliance is reviewed before the software is released. Software purchasers can, for example, request proof of open source compliance when placing an order for software.