This is the second of five posts in a series called Open Source in Software Procurement. Click here for the first/introductory post.
Open source software is software licensed (a) with its source code included and (b) with the right to modify and redistribute. What’s wrong with that? Nothing. Concerns about OSS arise on two fronts. First, some people think it offers less security than traditional commercial software. Second, there’s a flavor of open source called “copyleft” – a.k.a. “viral open source software” – and that does create legal problems, though not for everyone.
Some professional think OSS is less secure because anyone can see its source code, including hackers. So if your software includes open source code, hackers might know how to hack it.
Many IT professionals dispute that idea. We’ll consider it controversial but still address security concerns under part 5, Security — to be posted soon.
Copyleft Open Source Software
Open source licenses are either permissive or copyleft. Those terms describe the licensee’s rights to redistribute the software. Permissive licenses don’t restrict redistribution — at least, not much. Most permissive licenses just require that the licensee include various notices (disclaimers) when it redistributes. So permissive OSS doesn’t necessarily create legal problems for the licensee, though some licensees do screw up the notices and so get into legal trouble. (Some of the best-known permissive licenses are the BSD and MIT licenses, for “Berkeley Software Distribution” and “Massachusetts Institute of Technology.”)
Just to be clear, when I talk about the “licensee,” I mean a company receiving OSS from its vendor, usually as part of a larger product. That company/licensee might not know about the open source license (whether it’s permissive or copyleft). The OSS could be buried in the vendor’s product, along with its license.
Copyleft licenses create more serious risks — at least, for some licensees. “Copyleft” is a play on the word “copyright.” It turns copyright around by requiring freedom to copy, through some unusual license terms. If the licensee redistributes the software, it has to give its customers the source code and the right to modify and distribute. In other words, if you redistribute, you have to use the open source model. (The best-known copyleft license is the General Public license, or GPL, from the Free Software Foundation.)
The problem for traditional proprietary software distributors gets worse from there. If the copyleft software becomes part of a larger software product, and the licensee distributes that product, it has to distribute the whole thing as open source software. So just by including a little bit of copyleft-licensed code in your software product, you’ve “infected” it with an obligation to use the open source model. Thus, copyleft’s unhappy nickname: “viral open source software.”
A side note: it’s actually unlikely that proprietary software could ever be transformed into open source software without its owner’s consent. Copyleft “infection” is more likely to trigger damages for breach of the open source license or an injunction: an order to stop distributing the proprietary software until the copyleft code is removed. So “viral” may be an over-dramatic nickname. Still, no one knows how far the courts might go in enforcing copyleft.
When Copyleft Matters
Here’s when copyleft matters to you as the licensee/buyer — and when it doesn’t:
- If you use OSS in-house, copyleft does not matter. You’re not redistributing the software; you’re just using it. So obligations triggered by distribution don’t impact you.
- If you distribute copies of OSS, alone or as part of your software product, copyleft does restrict you. You don’t want copyleft open source software in your system if you don’t want to distribute the whole software product under the open source model.
- If you include OSS in your software-as-a-service (SaaS) offering, copyleft usually does not matter. You’re not redistributing the copyleft software. You’re just running it on your own computers (or your cloud host’s computers) and letting your customers log in and use it. So rules triggered by distribution don’t matter. That means copyleft doesn’t impact you. Still, SaaS companies should keep two copyleft-related concerns in mind. First, you may think you’ll always be a SaaS company, hosting your own software, but what if a customer needs your system on a private cloud? Putting your software on the customer’s computers, or its cloud vendor’s computers, probably counts as distribution. Second, a small minority of copyleft licenses do apply to SaaS vendors. The “Affero GPL” license, for instance, applies copyleft restrictions to vendors that provide software over a computer network, without distribution. But not much software uses these Affero-type licenses.
David Tollen is the author of The Tech Contracts Handbook, the American Bar Association’s bestseller on IT agreements. He is an attorney and the founder of Sycamore Legal, P.C., a boutique IT, IP, and privacy law firm in San Francisco. His practice focuses on software licenses, cloud computing agreements, and privacy. And he serves as an expert witness in litigation about those same topics. Finally, David is the founder of Tech Contracts Academy and our primary trainer.
© 2018 by Tech Contracts Academy, LLC. All rights reserved.