Open Source and IP Management

From Granizada



Originally a talk presented at Open for Business hosted by UK-wide law firm Shepherd and Wedderburn, this discussion paper is for business executives who want to understand the Intellectual Property implications of Open Source (OSS). It moves on from the tired old debates of "does your software infringe?" and the once-sensational "no software license fees" to looking at business benefits driven by a different approach to Intellectual Property. Surprisingly, starting from a legal perspective can yield significant business insights.

With OSS, thanks to its legal foundations, come new business freedoms: freedoms to create new kinds of relationships with your suppliers, customers and risk underwriters.


Version 1.2

Dan Shearer 12:00, 22 July 2010


Introduction

When it comes to software, countless businesses are beholden to their supplier. Here's how so many unknowingly get in this situation:

  • Software that controls access to your vital corporate data comes with a non-negotiable license. "That's just how it is, Ma'am", and
  • You don't own the software. The licence agreement prevents any review, verification or independent support for the software, therefore
  • The only way to continue to access your data undisturbed is to keep paying the licence fees. Even if you are using standard storage formats (are you really?) there is always cost and risk in migration.

Price, performance and fitness of alternative software becomes irrelevant, because to switch suppliers means losing information or at least paying a high transition cost. For thirty years software licences like these have maximised the rights of the supplier at the expense of the user.

In the software business the marginal cost of manufacturing another copy is zero. So charging a licence fee per-copy makes excellent sense for the controlling supplier. It is not so good for the customers, because rather than spending IT budget on the most pressing business problems, they must pay a kind of tax for the privilege of using a product they cannot stop using even if they wish to.

A more business-friendly approach is now mainstream: Open Source Licensing. Open Source Software is different from the business software many are familiar with, and the licensing is also very different. A business looking to use Open Source for the first time should consider these differences and plan to make the most of the benefits while avoiding the risks.

The Mechanics of Open Source

The term "Open Source" as defined at opensource.org covers a group of software licenses that provide one important guarantee -- that the source code for the software will always be available to everyone. The source code is the building blocks used by technical people to generate applications. Changing the source code changes the applications.


The law:

Traditional software licenses are based on copyright, with extra conditions that you agree to at the same time, like "you can't even look at how my secret code works". These extra conditions are contract terms imposed when people accept the copyright license, for example on opening a cellophane package. Typical clauses say "The User may not try to understand how this software works", and "There is no warranty no matter what." Businesses would never expect items such as motor vehicles or office chairs to come with such extraordinary terms, but for some reason software has been different.

Copyright law is about the power to exclude: excluding others from copying, distributing and making derivative works. But copyright law also has the power to license: to grant rights to do what would otherwise be forbidden. That is why OSS people are so supportive of strong copyright law.

The main OSS license uses this power to give new permissions rather than add restrictions. Nearly all the restrictions of the copyright system are relaxed. The only requirement is that if you distribute OSS tools (for example, a spreadsheet), all recipients have the same rights as you do. If you distribute a changed version (for example, your IT staff added a feature to the spreadsheet), those changes must also be covered by the same terms. If you are strictly an IT user and don't distribute software outside your organisation, none of this applies.

The result:

Open Source Software is a virtuous system, whereby if people benefit from OSS and change it, all other users also benefit from those changes. So long as someone is making improvements to an OSS software tool somewhere in the world, you can get the benefit of the improved tool, even if the software is old. You need never be forced into a software upgrade again: ultimately there will always be someone to work on OSS, even if you have to pay for the work yourself.

This is not to say that Open Source is a hotchpotch of contributions from unknown people, without quality controls or review. Quite the reverse! One of the major successes of OSS is that it encourages scrutiny from people who have nothing in common except a desire to see the software developed as professionally as possible. Numerous studies have confirmed this, most recently by Coverity.com (see the Open Source Quality Report on their site, funded by the US Department of Homeland Security.)

The business value:

Open Source Software is good news for you, the business user, but it poses a challenge to your existing software suppliers. Your suppliers' business model is probably built around being an exclusive supplier, which means if there is an Open Source equivalent to the software they sell they are automatically uncompetitive. IT suppliers who use OSS must compete on the basis of how well they can support and customise the product, knowing that there are alternative suppliers.

Open Source shifts the focus from the technical features of the program to the business value it offers you, the customer.

With Open Source your business is more likely to have a choice of suppliers, to be able to access data with multiple programs and to be able to devote IT budget to the problems that matter most.

Beyond the Obvious Open Source Legalities

The legal implications of Open Source Software relate to support contracts, purchasing, management of IT IP created in-house, general business insurance and IT indemnity insurance.

Support Contracts

The benefits of Open Source can be carried forward into contracts. You can avoid granting your supplier any powers over your IT IP and demand that the supplier take much greater responsibility for solving problems (since the supplier has full access to the software). Be warned -- some of the major names in IT support offer traditional closed-source support contracts for Open Source services, so while the technology is probably better the business benefit is substantially reduced.

Purchasing

You cannot automatically assume that hardware you purchase will run any software, open or closed -- just ask any IT implementer! However, with OSS you should require an explicit compatibility undertaking from your hardware suppliers. Some suppliers have no experience with OSS and therefore don't think to ask, and some will knowingly sell incompatible hardware such as printers. This is still true for server hardware, even though the OSS server market is booming. Caveat emptor, and ask your lawyer to help draft a purchase guarantee document that covers compatibility.

OSS Contributions Policy

If you have more than a trivial IT presence, and especially if you develop in-house systems such as an intranet, it is likely that your staff will change things in Open Source Software to make it suit your business. Changes happen as a result of getting the job done and the Open Source way is to preserve them by putting them back into public view. Changes can be as simple as improving documentation, through to a new feature in a spreadsheet or reporting tool. Contributing these changes back ensures the value stays available to you if the employee leaves. All employees should be required to abide by a simple system of approval and release developed for your company to guard against the possibility of accidentally leaking IP, and other risks. (As previously discussed you are only required to publish changes if you distribute the Open Source Software outside your organisation.)

Insurance

As in, the insurance you already have -- how would you like a lower premium? Comprehensive business risk insurance should address IT risk. If you can precisely define the ways you use OSS that demonstrably reduce risk, you should have a new bargaining chip. Insurance companies work on averages, and fifteen years without a mail server virus is an excellent record compared to the main competition.

Indemnity Insurance

Open Source indemnity insurance is offered by a number of companies. Should you care? There are three angles to this:

  • Patent infringement. This applies equally to closed and open source. It is currently impossible to write any significant software without infringing on a US software patent. The US patent system is widely recognised to be a failure in the case of software but still, for US companies, the risk of extortion is very real. The risk is diminished with OSS, since it is easier to check for alleged violations and do something about them if true. Software patents do not yet apply in Europe.
  • Copyright infringement. This is much the same as closed source software but with sharply diminished risk due to the transparency of OSS, both preventative (anyone concerned can check) and remedial (creating a non-infringing version can be done quickly, if necessary even without reference to the original authors.)
  • General fear of infringement. Some confusion resulted from the early stages of the SCO v. IBM lawsuit, and companies who have not previously cared about the IP status of their software are understandably concerned.

You should consider seeking legal advice about these and related areas.

Where is your IT IP?

Not only is software increasingly important to every business, but the definition of "data" is blurring and often contains essential business logic. Even if you consider just the very most essential IT IP of your business you will probably find products from several suppliers. That is because no software is an island: you can't just run a program without the support of other programs around it.


To be in control, you need to audit your IT IP. A thorough audit will involve more than visual inspection and guesswork, and as it happens Open Source software tools are ideal for helping with this task. If you run a closed-source IT operation, you can think of Open Source in auditing as being like an independent and accountable third party.

Every component in your IT IP needs a label that says "we have sufficient rights to this, it adds to the value of the company IP and is protected into the future." The challenge is finding that clarity in the melange of software most companies run. The Open Source approach can significantly reduce risk, and increase and protect IP value.

Open Source is a strong contender for:

  • locating your vital IT IP (Open Source auditing tools are more transparent)
  • protecting your IT IP (Open Source security tools are the best in the business)
  • deploying IT IP in your business (Open Source networks are compatible with any program you want to run)

Why do you Care how Your IP is Licensed?

Maybe you develop software, perhaps even without knowing it -- many companies do! For example in-house web applications (Intranets) often require thousands of lines of code even if those maintaining the site are not called software developers. These applications are core IT IP and should be wholly owned, but what about the software required to run them, web servers and so on?

Or maybe you don't develop software but do rely on IT to access data for everything you do. You should ensure your software licensing poses the minimum possible business risk and maximum possible business benefit.

Perhaps the data your business revolves around is stuck because only one program can access it. Have you signed an agreement with your supplier which makes it very difficult to extract the data for use with someone else's program? Many do, often without realising.


Recent history shows that you need to be able to answer these questions:

  • Can you say "no" when a supplier tries to force you to upgrade to a new version, maybe with an awkward or costly transition?
  • Can you say "no" to your software supplier when prices are raised unexpectedly?
  • Do you have a practical means of forcing your supplier to deliver quality software and support?
  • Can your supplier stand by you if a government (e.g. USA, Russia, France) passes a law banning you or your overseas offices from using software you need? This has happened many times. In recent years US companies were not permitted to sell highly secure software to companies from other countries, despite the leading security techniques being from elsewhere. In Russia there is a legal requirement for being able to make backups of software which contravenes the contractual terms of many software packages, potentially leading to an awkward legal situation. And in France for many years traditional software was required by law to prevent secure encryption regardless of the user's wishes.
  • If there is a dispute regarding the ownership of the IP in the software you need, can the software be reviewed without recourse to one of the parties to the dispute?
  • Can you immediately appoint an alternative support supplier with full access to your critical software if you don't like your existing supplier (or they vanish)?
  • Do you know precisely what closed source licenses you have currently rented, and can you prove you paid for them?

Properly applied, the licenses governing Open Source software can address these problems or at least buy you time.

Questions and Answers

Open Source or Open Standards?

Beyond the scope of this article is the related issue of Open Standards. Open Source has an incentive to be interoperable, whereas closed source software has an incentive to build walls of incompatibility. Therefore in considering your core IT IP you should examine the opportunity to make communications happen over Open Standards.

Scary Thought! Doesn't Open Source Software make me give away my IP?

No. If you are an IT user, the data you create is exclusively yours and your right to use the software is guaranteed by the license. If you develop applications in-house using OSS tools, especially web applications, this is your work exclusively. If you choose to add your work to existing Open Source IT IP, you know in advance what your licensing obligations are.

I've heard about Software Patents...?

Yes, Software Patents are unpleasant for business users. Equally applicable to Open and Closed software, software patents are not currently enforceable in Europe. Even in the United States the lawsuits are currently aimed at the developers and distributors, not the users. At least with Open Source you have everything available to determine whether a threat is real, rather than waiting for an opinion from a software supplier (who has little incentive to be thorough). There are public indemnity funds and private indemnity insurance where legal advice indicates it is needed.

But someone might sue me because I use Open Source Software! (Answer 1)

Someone might sue you for anything they please, no matter what software you use! There is nothing inherently different about Open Source Software which makes you more or less liable to a lawsuit.

But someone might sue me because I use Open Source Software! (Answer 2)

True, there is one precedent for this, out of the hundreds of major software lawsuits around the world every year. The claim was that some of the Open Source Software had been stolen and therefore the user had no rights to use it even though they had downloaded it in good faith. The key is that with quality Open Source software it is very easy to check who added what code and when, so the merits of the case can be very easily determined. It also helps that Open Source Software tends to be developed by people who are very sensitive to possible infringements. An example of the alternative is Symantec's current (mid-2006) lawsuit against Microsoft. Neither Symantec nor Microsoft publish their code so it is impossible to get even a sense of the merits and users are left guessing about risk reduction strategies.

Conclusion

Open Source represents a way of spending your IT money where it most benefits your business. The savings go far beyond just relief from license fees, provided you make sure the benefits spread throughout your business. To capitalise on the savings and increased control possible with OSS you need to have the right contractual and purchasing framework in place. To guard against some of the new legal risks you need to review your particular use of Open Source with a specialist. But company after company reports -- not just FTSE 100 companies but even the FTSE Group itself! -- a well-managed Open Source Software deployment can deliver significant benefits and savings, now and in the long-term.



Creative Commons License
This content is licensed under the Creative Commons
Attribution ShareAlike License v. 2.5:
http://creativecommons.org/licenses/by-sa/2.5/
GFDL: Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". (shearer.org uses but does not currently recommend the GFDL and here's the explanation why.)