
We’re not thieves. We just can’t read contracts (McAfee and Open Source)

I have borrowed a headline from an earlier posting by Shane Schick to discuss something I saw this week. McAfee filed a report last month with the Securities and Exchange Commission that made a few statements about risks associated with their use of some Open Source software. These statements received quite a bit of media attention.

According to Information Week, McAfee’s statements included:

“To the extent that we use ‘open source’ software, we face risks,”

“Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software,”

Discussing this SEC filing, reporters continued to talk about software being “infected” by the GPL, as if this were some sort of disease one can accidentally contract. While much of the media attention blew the issue out of proportion by suggesting that McAfee was already aware of license violations, the all-too-common underlying misunderstanding stands.

There is a lot of FUD (Fear, Uncertainty, and Doubt) spread about Free/Libre and Open Source (FLOSS) licenses. While companies dependent on older competing business models suggest these licenses are complex or “ambiguous”, the reality is quite the opposite.

The first thing to realize about licenses like the GPL is that they are not End User License Agreements (EULA). From the perspective of someone acting as an “end user” the way the Canadian Alliance Against Software Theft (CAAST) categorizes people, you don’t need to read the license at all. All you need to do is know that the software is under a license that has been approved by the Free Software Foundation or the Open Source Initiative. Once you have checked the license, you know certain things are true based on the definitions of Free Software and Open Source Software from those organizations:

  • Without additional permission or payment, you may install and use the software on as many computers as you wish. These can be your own computers, or the computers of anyone else that wants to use the software.
  • Without additional permission or payment, you may make verbatim copies of the software and share them with anyone.

Where the additional terms of the wide variety of FLOSS licenses come into play is when someone is acting as more than an “End User”, such as a software firm or anyone else wanting to do things such as modify the software and distribute modifications. These are activities which are prohibited by most non-FLOSS licenses, and anyone who wants to carry out these activities has to sign contracts with the software copyright holder. These contracts are often unique to a specific relationship between two firms, and can’t be studied once and used many times like a FLOSS license.

I would put the relative simplicity of most FLOSS licenses against most of these developer contracts any day. While FLOSS licenses are often written with the aim of being readable by independent software authors without the help of legal counsel, many contracts between software firms will be written by the legal team at one firm with the intent to be read by the legal team at another firm.

The next question to ask is whether incorporating software is ‘inadvertent’.

No matter how software comes into your firm, your employees need to know that they can’t just cut-and-paste willy-nilly without having someone approving the outside software being incorporated. Any use of third party code must be fully documented, so that you are able to know your legal obligations.

If third party software is being added to your code base without anyone documenting this, then you don’t have a problem with a license or contract, you have a human resources problem. You should be adequately training your employees about this type of activity, clarifying for them that just because software is publicly available on the Internet does not mean that it is in the public domain. In fact, given the excessively long length of Copyright there is extremely little software that is in the public domain (largely stuff from the 1980s dedicated to the public domain). You should have strict policies in place at your firm such that your employees know that if their willy-nilly undocumented cut-and-pasting is ever caught, their employment will be terminated. It really should not matter if the source is publicly available FLOSS software or code from a business partner that happens to be visible to your employees.

While I encourage independent developers and software firms to decide to actively participate in FLOSS projects to receive the benefits of intended sharing, I have no sympathy for those who infringe software copyright. Using FLOSS software is the best solution to software copyright infringement available to end users, as the things they wish to do (install on many computers and share with friends) are already authorized without additional permission or payment. For software firms there is simply no substitute for running a professional shop and actually reading the contracts and license agreements you are binding yourself to by incorporating third party software, no matter what the source of that software.

I guess there is an irony with a company that is an active member of an organization called The Canadian Alliance Against Software Theft (CAAST) admitting in a US SEC filing that they are not sure whether they run a professional shop, and whether they might themselves be infringing copyright.


Posted on January 11th, 2008 by Rusell McOrmond and filed under News |

4 Responses

  1. Russell Nelson Says:

    Interesting theory. I know you didn’t make up this theory, but in fact the GPL *is* an EULA. Who else would be the target of the warranty disclaimer? Only an end user would make use of a warranty, so the GPL must be a EULA.

    Which means, of course, that the GPL is a contract, because only a contract can disclaim warranty.

  2. Rusell McOrmond Says:

    Thanks for the clarification. I guess it would have been more correct to say that the GPL “contains” an end user license, but that most of the terms relate to things that an end user would never need to care about. It is only GPL (or other FLOSS license) that gives the end users the permissions I mentioned.

    As to whether it is a bare license or a contract, you’ll know well that there is some debate about that. I think I’ll defer to Eben Moglen on that, although the situation will turn out to be different in different jurisdictions. Not all countries are under US law (thank goodness ;-).

  3. anonymous Says:

    Incorrect. A contract requires the other person to accept in the form of a signature, a click, etc.
    A license is a permission such as a driver license. I thought the letter L in GPL would have given it away.
    The warranty that you claim refers not to the software (binary) but to the source code itself. It basically means that there is no warranty in the source code that you use, not the software. Remember that the GPL is pasted in only in the source code, not at the click-accept screen when a program starts.
    That some individuals use the GPL as an EULA does not mean that it is an EULA.

  4. Matt Says:

    In reply to Russell Nelson:

    The GPL restricts only distribution, not use. As such, calling it an “End *USER* License Agreement” is inaccurate. You can take it and use it as you like. If you make modifications, and (this is important) *distribute* those modifications, you must share your changes. If you don’t distribute, the GPL essentially does not apply (this isn’t wholly accurate, but generally is for the vast majority of cases). I suppose you can technically call it as you wish, but it most certainly does not resemble anything like an EULA.
