Monday, November 13, 2017

Patent and Copyright Trolls

Patent and Copyright Trolls are often called non-practicing entities.  These descriptions refer to actors who legitimately own intellectual property in the form of current patents or copyrights, but rather than using them to further commerce or science through research, development or licensing activities, they actively seek opportunities to profit through aggressive infringement litigation and settlement strategies.  These players are annoying at best and expensively dangerous to progress at worst.  The public policy behind intellectual property ownership is designed to reward innovators and creative efforts with government protection while ideas and forms of expression can be fully developed to move society forward.  Large corporations often devote significant capital and time into accumulating large patent portfolios of their own largely as a defensive mechanism against the various forms of Troll organizations.  Here is an earlier post discussing an example for a unique customer offering from Microsoft with its Azure platform regarding intellectual property defense.

This article by David Thompson is an interesting read around the potential role of the open source community to address this problem and is well worth your time.

Friday, August 11, 2017

Open Source for Voting?

I ran across this article in the New York Times recently.  It presents a fascinating juxtaposition of modern thinking on software security vulnerability approaches based on open source software with the very real need to ensure confidence in our electoral process. 

I have often made this argument myself in the corporate world but always in the context of saving money and increasing system resiliency.  I am not always successful but at least these are arguments that have some traction in most business organizations.

This spin on why community supported open source can be such a valuable resource to the democratic principles of society is both enlightening and encouraging.

Friday, July 21, 2017

What is Package Management and why do I care?

Package Management is now almost ubiquitous in modern software development circles due to the layers upon layers of dependencies between software components which are pulled together to achieve an end result.

For a simple overview of the topic, start with this Wikipedia entry.

This is especially true in the open source world where the very nature of community and crowd source development encourages re-use of code at every opportunity.

From a licensing standpoint, this code combination and inheritance phenomenon has the potential to introduce wrinkles when investigating the provenance and or applicable licensing for a particular component.

Two of the most common package repositories for open source components are:

  1. The Maven Repository containing almost 7 million artifacts as of the date of this post
  2. The NuGet Gallery currently hosting about 1 million artifacts concentrated on the Microsoft development platform.

I was recently researching the licensing for a component automatically included in a project when a developer using the Microsoft Visual Studio IDE was working on a web based application.  In effect, this "package" was pulled into the developer's work without their direct knowledge or choice from the NuGet Gallery repository.  Apparently it was necessary for some foundational functionality related to processing java script.

Upon investigation, I discovered the original component was released by the copyright holder under an MIT license, but had apparently been bundled together and re-released by Microsoft under its own NuGet license.  Nothing in the MIT license restricts this practice as long as primary attribution is maintained and promulgated, however there are additional terms in the NuGet license a consumer of this component might be more concerned about than when taking the code under the pure MIT license.  For example, the NuGet license specifically grants Microsoft the right to collect certain information from a package consumer's computer and or project as a condition of use.

The lesson here is that package management can impact a user's rights to open source code if used indiscriminately. Depending on the use case, it might be worth some investigation to determine if a component is available under more benign terms.


Thursday, July 6, 2017

Open Source in the Cloud

Cloud based infrastructure (IaaS), platform as a service (PaaS), serverless computing, DevOps architecture; these are all enticing concepts to the start-up business wanting to compete instantly with more mature organizations.  However new approaches to delivering almost limitless computing capacity via the myriad of cloud offerings available today require a fresh look at how to provision the software powering these new capabilities.

Traditional software as a service (SaaS) and annual licensing model vendors are struggling to adapt since their normal metrics for billing customers are changing faster than they can update their spreadsheet formulas.  How do you charge by the core in an elastic cloud environment? 

I suggest the answer will increasingly be an open source model.  Open Source is rarely free of obligation, but it blends smoothly with the new delivery paradigms.  While commercial software still has a niche in specialized applications, at least for a while longer, open source is the future.  The software powered economy will continue to thrive but the underlying intellectual property is quickly becoming a commodity.  Vendors are learning they need to bring value to their customers in the form of exceptional service, providing data insight, and adaption to or even anticipation of ever evolving security threats.  Modern customers above all want to avoid the technical debt associated with vendor lock-in which will hamper growth.  A closed source model is simply no longer flexible or responsive enough to keep pace.

A quick spin through capabilities available with the virtual swipe of a credit card from Amazon Web Services, Microsoft Azure, Digital Ocean, and Google Cloud reveals the big players are quickly transforming their business models to adapt and exploit this new landscape with a strong preference for open source.

How has the cloud changed your software procurement patterns?


Friday, June 9, 2017

I thought that was Open Source???

I am often asked to look into a product or component where there seems to be confusion as to the licensing model.  It is understandable as copyright owners often evolve their products and services in different directions in response to market demands.  Here are some of the scenarios I commonly discover:

  1. The product is truly open source, but has changed licensing models at least once if not multiple times throughout its life span.  This scenario is fairly easy to address; the user simply has to decide if the latest version with its attendant features and bug fixes is worth the conditions to be compliant with the current license.  If so, great.  If not, then the user can move back in time to a version released under a more palatable license and start from that fork, understanding that there may not be an active community for support and continued development.
  2. The product is not open source at all, but instead is released under some version of the "freemium" model.  A version with restricted functionality or which is time limited can be downloaded with no purchase required.  However, since source code is not provided accompanied by a license allowing perpetual use, creation of derivative works, and further distribution, it is definitely not open source.  Users are often the most disappointed in this outcome as it has somewhat of a deceptive feel.
  3. The product was released under a valid open source license up to a certain point in its development, but then the copyright holder chooses to evolve the code in a proprietary fashion and only offer new releases under commercial licensing terms.  Most often the open source community which grew up around the original code line falls away once they understand there will be no further commitment from the copyright holder to the open source branch.  While this scenario is understandable from the copyright holder's perspective, it can be seen as "burning a bridge" to the open source community.  It would be very difficult to once again leverage the benefits of the open source contribution models once a project owner had followed this path.
  4. By far the most common discovery is that a product has both a community edition and a commercial offering; the latter offering support and the latest features with the community edition lagging behind one or two releases.  This is often encouraging to potential consumers as it gives them a "try before you buy" option or even a chance to influence both versions of the product by becoming an active member of the community.  I usually encourage clients to begin with the community version, get involved and see what they can achieve.  Then if the product becomes a crucial part of their business plan, they have the option to upgrade to the commercial level at any time.

Each of these scenarios can present problems to potential consumers, but with solid information as to licensing lineage there are also opportunities to be found.


Friday, May 19, 2017

Artifex v. Hancom - OSS as Copyright or Contract?

I ran across a very interesting article the other day (Keith Collins as published in Quartz on 11 May 2017).  It discusses a recent case filed in the US District Court for the Northern District of California, Artifex Software, Inc. v. Hancom, Inc.

The gist of the dispute involves a software component published by Artifex under the GPLv3 open source license.  It was also made available under a proprietary commercial licensing option for consumers wishing to commercialize the component.  Hancom apparently wanted the best of both worlds, used the software under the terms of the GPL, yet refused to follow the terms regarding publishing derivative and or combined works under the GPL.

Artifex filed suit resulting in an interesting court order in response to Hancom's motion to dismiss.  Essentially, Judge Jacqueline Scott Corley ruled in part that Artifex could pursue its claim under a breach of contract theory. 

Defendant contends that Plaintiff's reliance on the unsigned GNU GPL fails to plausibly demonstrate mutual assent, that is, the existence of a contract. Not so. The GNU GPL, which is attached to the complaint, provides that the Ghostscript user agrees to its terms if the user does not obtain a commercial license. Plaintiff alleges that Defendant used Ghostscript, did not obtain a commercial license, and represented publicly that its use of Ghostscript was licensed under the GNL GPU. These allegations sufficiently plead the existence of a contract. See, e.g., MedioStream, Inc. v. Microsoft Corp., 749 F. Supp. 2d 507, 519 (E.D. Tex. 2010)(concluding that the software owner had adequately pled a claim for breach of a shrink-wrap license).

This appears to be a new approach in these types of actions which are more often discussed in solely terms of copyright violations.

It will be interesting to follow this case and see the ramifications to the broader interests of open source publishers and their ability to enforce the terms of the licenses chosen.

Stay tuned....

Friday, March 31, 2017

OSS Governance Policy

Open Source Software governance in the corporate context is the first step to both realizing the many benefits of OSS as well as mitigating any potential risks.  Any good governance process should begin with a corporate policy spelling out the parameters of its applicability and purpose.

  • Policy Applicability:  The policy should explicitly indicate who is covered.  For OSS purposes, the most common actors are employees, vendors, outside agents or contractors who use open source software in the performance of their responsibilities on the company's behalf.

  • Policy Statement:  The policy should include an affirmative statement of what is permitted subject to any review and approval processes.  At the policy level it is best to avoid laying out specific operational processes as these are often subject to change.  But it is helpful if the policy delineates the parameters and purpose of what expected governance processes will cover.  Examples might include:
    • ensuring license compliance
    • understanding provenance
    • evaluation and mitigation of risk to company intellectual property
    • indication of the various stakeholders to participate in review; legal, architecture, security, quality etc.
    • establishing an executive owner and providing for waiver discretion

  • Business Purpose: Since all corporate policies should exist for the purpose of achieving organizational goals, a good open source policy will describe the nature of the OSS ecosystem and why it is desirable to participate.  This background information will be useful as the policy is interpreted over time as necessary to evolve specific governance processes to meet new challenges and opportunities.

Finally, as a practical matter, I have found it better to address open source consumption policy separately from active participation and contribution to OSS community projects.  Many times an organization will find it beneficial to acclimate itself to the consumption side of the equation first while building confidence through experience.  Active community participation and contribution are a natural progression and often best served by separate policy considerations once the consumption processes are mature and functioning smoothly.

Next up, I will begin addressing ideas for specific OSS governance processes.

Open Source Contribution Policy Considerations

I have addressed Open Source Policy as a need for any organization which intends to consume from or contribute to the Open Source Community.  Such policies are critical to form the foundation upon which good governance processes can be constructed and put effectively into daily operation.

I thought it might be helpful to further discuss the policy needs as it relates specifically to the contribution side of the equation.

There are many reasons why an organization may consider becoming an active contributor to one or more open source projects:
  1. Cost efficiencies - contributing simple bug fixes and feature enhancements needed by the organization back to the community edition can save enormous time and resources in the long run
  2. Quality - a vibrant community supporting a project will most always result in a better project since every consumer is also a tester
  3. Security - contributors have a vested interest in secure code.  They take great pains to ensure their contributions follow best practices and reduce attack surfaces and vulnerabilities wherever possible in order to keep a project viable and a good long term investment.
  4. Reducing technical debt - every software platform or architecture decision comes with a certain level of commitment and open source is no different.  Active contributors ensure they have a voice in a project's direction and longevity ensuring the maximum return for their efforts.
This is by no means an exhaustive list but it is enough to justify the creation of a solid contribution policy for an organization to build upon in order to realize these and other benefits of open source.

So, here are my suggestions for how a good open source contribution policy should be crafted:

  • State objectives explicitly in the policy.  This will help guide process development for policy implementation.  The four reasons listed above are a good starting point and there are always others which may be specific to your client.
  • Don't lay out specific governance processes or procedures in the policy.  This will not allow for the normal evolution required in such a dynamic area.  Instead, list the subject matter which the policy expects to be covered by governance and implementation.  Here are few examples:
    • Evaluation of OSS license compatibility to business goals
    • Evaluation of patent/trademark questions
    • Quality controls including security issues
    • Criteria for evaluating a community compatible with business goals and culture
  • Clearly articulate who or what team is accountable to implement the policy, make final decisions on governance, and grant exceptions when necessary.
  • Set up clear expectations for artifact record keeping, including where process definitions, instructions and training materials will reside.
  • Include a definitive statement for policy applicability.  For example, does it apply to contractors as well as employees?
  • Indicate a time schedule for policy review to ensure updates are considered as needed.

Policy drafting is often viewed as less than useful, but if done with thoughtful input from those impacted it can enable clients to reach their open source goals.

Friday, March 17, 2017

Open Source Provenance

It seems like common sense.  In order to analyze potential risks for consuming a particular open source component or application, it is necessary to understand who owns the copyright and under what terms the owner has licensed it to the community.

However, as anyone who has delved into the OSS world knows these questions more often result in muddled answers than crystal clear ones.  Several reasons for the confusion become obvious once you step back and understand the nature of open source software:

  • OSS often begins with an individual who was simply trying to solve a particular problem or need and thought others might like to try their solution and perhaps improve upon it.  Such informal circumstances mean not much attention is paid to the OSS license chosen, and of course as is a copyright holder's prerogative, subsequent iterations of the same component are often released under different licenses over time.
  • OSS components are often bundled together into derivative works which taken as a whole address some larger problem, business or academic need.  These derivative works are sometimes assigned licenses without regard for terms applicable to the base components or downstream compatibility.
  • Communities which manage an OSS project will often have contributors acknowledge a contribution agreement before submitting a new feature or bug fix.  Most agreements I have reviewed contain all the basics one would expect but does the community carefully research the provenance of all the code submitted to ensure license compatibility?
  • Automated tools which scan code for license hints or even snippets of previously licensed code through sophisticated text comparison algorithms can often reveal a plethora of resulting "hits" and false positives to weed through.
  • It is becoming a common business model for companies to purchase the underlying copyrights for a popular open source project.  This often results in a roadmap where certain versions or features are retained in an open source community edition while the newest capabilities are only provided via traditional proprietary licensing.  And the line between the two is often shifting by design to maximize adoption and exploitation of the intellectual property.

Given all these potential concerns, how best to advise our clients?

How does your organization address such issues?

My approach is outlined next time.


Thursday, March 9, 2017

Licensing Obligations - Copyleft or Viral Requirements

Copyleft or Viral Requirements:  These requirements are either some of the most onerous in the open source world, or they are the reason open source has flourished.  It is really just a matter of perspective.

At its most basic, copyleft (a play on the word copyright) terms require that a consumer who uses an OSS component to create any manner of derivative work, or perhaps causes such a component to be redistributed to others, or both, to license the entire resulting work product under the terms of the copyleft license at issue.  This attachment of terms and conditions is sometimes why these licenses are referred to as viral in nature.

There are many nuances to these licenses depending on specific use cases and one's interpretation of their obligations.  However, there is agreement among professionals attempting to navigate these waters that it can be tricky at times.

Examples include:
  1. GNU GPL - version three found here
  2. GNU LGPL - version three found here
  3. GNU Affero GPL - version three found here
  4. OSL - version three found here

Corporate OSS consumers tend to be wary of these licenses with reciprocal terms because they limit an entity's ability to exploit the code for commercial purposes.  Conversely, those who choose these licenses to protect their intellectual property tend to do so exactly for the same reason, so that the code remains freely available for anyone to use, consistently available under the same licensing scheme without fear that later iterations will be walled off into some unacceptable proprietary licensing framework.

I am firmly convinced these  licenses have their place within the OSS ecosystem.  However, it is imperative that individuals or organizations which contemplate using code subject to their terms fully understand both the freedom of use and reciprocal obligations which accompany the intellectual property in question.


Friday, March 3, 2017

Licensing Obligations - Source Code Availability Requirements

Source Code Availability Requirements:  It is not unusual for an open source license to require downstream consumers make the component source code easily available as a condition of use.  This requirement nurtures the open source culture by ensuring any end user can have access to review and obtain copies of open source licensed code from applications in which they have an interest.

A few examples of common open source licenses where this requirement is expressed to one degree or another include:

  • Apache License 2.0
  • Mozilla Public License 2.0
  • Common Development and Distribution License 1.0
  • GNU GPL 2.0

Depending on the specific license involved, the source code requirement may be triggered by distribution or the creation of a derivative work or both.
In order to consistently comply with the spirit of these requirements across multiple licenses in a given organization, I have found an obligation statement similar to the following satisfies or exceeds the majority of license terms in this category and is easily understood by business and technology resources:
"Component source code and supporting files must be made available in a timely manner to any end user through a reasonable request process."

Such an approach allows software architects to plan on common compliance schemes such as providing web links to a publically available library of open source code or a soft transfer to an online knowledgebase or helpdesk request process.

Wednesday, February 22, 2017

Licensing Obligations - Endorsement Restrictions

Endorsement Restrictions:  It is very common for an open source license to restrict use of the various contributor names, companies and or product names which may be associated with the creation of or enhancement to an open source project.  This restriction allows people and entities to freely participate in the community driven development process without concern that downstream consumers or re-distributors might misappropriate or cause market confusion with valuable, often trademark protected intellectual property.

I have found an obligation statement similar to the following, modeled after the 3rd clause in the BSD 3-Clause license, satisfies or exceeds the majority of license terms in this category and is easily understood by business and technology resources:

"Neither the organization nor the names of contributors to the components may be used to endorse or promote products derived from  the components without specific prior written permission."

Next up, source code availability requirements.

Monday, February 13, 2017

How to do Public Domain the Right Way

I ran across this excellent article today in the Tech Times.  It describes how the New York Metropolitan Museum of Art has as of 7 February 2017 released approximately 375,000 high resolution images of its copyrighted artwork under the Creative Commons Zero ("CC0") license.

While I certainly appreciate the Met's effort to share its collection with the world, from an open source attorney's perspective I applaud their choice of the CC0 license to do so.

It doesn't happen very often, but when I run across software intellectual property in the public domain, it can be challenging to trace the provenance back to an explicit grant upon which I feel comfortable advising a client to place their reliance.  Since to my knowledge the earliest software was created in the 1940's and 1950's, it has probably not been in existence long enough for statutory periods to run.  Therefore a grant is best.  I have found some very simply one sentence grants that have to serve on occasion and from a practical standpoint have not been successfully challenged.  But I am much more confident in something with additional substance that attempts to cover specific ground such as:

  1. List of IP rights being addressed
  2. Waiver of those rights
  3. Fallback clause to try to catch any exceptions or loopholes created by specific jurisdictions or future changes or interpretations of law
  4. Limitations of Warranty and Disclaimers to protect the grantor(s) and retain patent and or trademark rights
In my mind the CC0 is best of breed for accomplishing a grant to the public domain and is an excellent vehicle for most such efforts.

Now I just need to work some of these cool Met images into my next presentations :-)

© 2000–2017 The Metropolitan Museum of Art. All rights reserved.


Wednesday, February 8, 2017

Azure IP Advantage includes OSS

I saw this about Microsoft Azure today and was intrigued: 

Microsoft Azure customers now have access to best-in-industry protection against intellectual property (IP) risks in the cloud with Microsoft Azure IP Advantage program. One of the most comprehensive protection programs, it is designed to help customers protect their cloud-based innovations and investments against IP lawsuits and risks. We take seriously our responsibility to help ensure that the cloud is used for good. In partnership with our customers, we are working hard to help create an ecosystem where developers, entrepreneurs, enterprises, and customers can innovate with confidence.
See full information here:  Azure IP Advantage.

For those of you consulting with clients on the benefits and risks of public cloud deployments it appears to be a new development in the industry which should certainly be considered.

Of course this feature is brand new and as far as I am aware untested, but I certainly commend Microsoft for addressing the problem directly. 

I really like the "Springing License" and "Patent Pick" components and am especially impressed that the new policy expressly includes open source code in its indemnity pledge for Azure services. 

See the details in the FAQ and receive a copy of the full terms and conditions from

I wonder if and when Google and Amazon will respond?

Wednesday, February 1, 2017

Licensing Obligations - Attribution, License Text Visibility and Re-distribution

Open source licenses range from extremely simple, single sentence expressions of a copyright holder's terms to very professional, multi-paragraph documents covering everything from attribution to patent protection provisions.  However, most licenses have terms creating categories of obligation on the part of each licensee.  I have found it useful to group these obligations by type and draft clear business language interpretations in order to achieve compliance with both the letter and spirit of applicable licensing terms.  My personal preference is to err on the side of a conservative interpretation when preparing these obligation statements.  This allows a governance process to be largely automated through your choice of simple workflow tools.  With this approach, only exceptional use cases require manual scrutiny and more precise analysis to ensure protection of both licensor and licensee interests.

Attribution:  It is very common for a license to specify one or more specific conditions requiring that the content creator(s) be given explicit credit for their work.

License Visibility and Re-distribution:  Many OSS licenses require license text be retained with the covered components.  Sometimes there are explicit requirements for display at run time or acknowledgement alongside any other expression of copyright or license.  It is also very common to require inclusion of the license text in the event components are redistributed either stand-alone or as part of a derivative work.

I have found an obligation statement similar to the following satisfies or exceeds the vast majority of license terms in both categories and is easily understood by business and technology resources:

"The full text of the applicable <license name and version> license including warranty disclaimers and all copyright, patent, trademark and attribution notices from the components must be made available for end user review through an appropriate user interface at all times and or a copy of the <license name and version> license must be distributed with the components as applicable.

Next up, endorsement restrictions.


Thursday, January 19, 2017

OSS Governance - Use Case Approach

Once a good corporate policy is in place to support open source consumption and or contribution for your organization, it is time to think about how to implement governance processes consistent with policy goals.

I prefer a use case based approach to set up a good decision making framework.  While communication and workflow processes will vary with the administrative infrastructure of an organization, the basic use case parameters should be fairly consistent.  My recommendation for the core focus areas of each use case is as follows:

  1. OSS component technical evaluation - First and foremost open source components or applications should be a good technical solution for the business problem at hand. They should also fit within any established enterprise architecture frameworks established as a strategic direction for the organization. 
  2. OSS component security evaluation - The prospective component should be scanned or otherwise evaluated for risk factors which might introduce an undesired vulnerability into your organization. 
  3. Method of use - Will the component be used  exactly as received from the community?  Or will modifications be necessary to achieve desired results?  Can it be isolated/abstracted from internal code or must it be directly embedded in existing projects to be effective?  Sometimes this last distinction is discussed in terms of dynamic or static references.
  4. Method of distribution (if any) - Will the component be used internally only?  Will it be hosted on a company web site or deployed to an internal cloud?  Will it be installed at a third party (customer or hosting facility)?  Will it become part of a standard distribution package (shrink wrapped or via electronic delivery)?
  5. Applicable license terms - The answers to the use case questions above must then be analyzed through the lens of the license(s) involved.  As noted in earlier posts about license types, certain license types are more permissive while others can be very prescriptive in the obligations imposed on the consumer.
I like to think of the first four use case parameters as the input needed from the requestor.  Depending on the use case, the requestor might be an internal product software development organization or perhaps just a business unit desiring to use an open source word processing application.

The licensing parameter is where a good OSS attorney can add value by providing advice on how to avoid unnecessary risks while still taking full advantage of the benefits open source has to offer.

Up next, I will discuss different types of licensing obligations found in open source and suggestions for compliance strategies.