Is Your IP Really Yours? Navigating Open Source Compliance
In the ever-growing landscape of modern software development, open source plays a pivotal role in accelerating innovation and reducing time-to-market. However, the widespread use of open source brings with it legal complexities that demand the attention of legal professionals involved in M&A, tech due diligence and outsourcing contracts.
This article covers what open source code is, how to understand open source licencing and explains how legal professionals play a vital role in guiding clients through the complex topics, looking at open source due diligence and managing licence compliance in the context of M&A and outsourcing contracts.
What is Open Source Code?
The occurrence of open source code in modern software solutions cannot be overstated. Developers leverage shared libraries, components and frameworks from platforms like GitHub and npm. These components are typically shared under an open source software licence.
This enables other developers to re-use these components on other projects and means they do not need to repetitively code common functionality from scratch. This is a huge benefit as it reduces the time to deliver a solution to market and at a lower cost.
In a recent research report titled Emerging Tech: A Software Bill of Materials Is Critical to Software Supply Chain Management, written by Gartner analyst Mark Driver, he noted that “Gartner estimates 40% to 80% of the lines of code in new software projects come from third parties. “Most of this external code comes from myriad open-source projects; the remaining proprietary code comes from suppliers that provide little or no transparency to its status or condition.”
With help from Escrow London, when performing audits for investors and software companies, the extent of open source components and their varying licence types discovered in applications is often very surprising. (example see Figure 1).
Figure 1: The Licence Mix Found in a proprietary E-Commerce Cloud Solution audited by Source Code Control – 93% Third-Party Open Source Software
Understanding Open Source Licencing
Commonly, open source code is perceived as freely accessible for utilisation, modification and distribution. However, this perception opposes the legal obligations which are needed to be met. The capacity of a third party to use and exercise rights over the software depends on the terms of the open source licence granted by the copyright owner.
As seen in figure 2, the permissive licences present a low level of commercial risk because they do not obligate you to share code and, non-compliance is easily rectified.
Figure 2: Open Source Software Licence Spectrum
The restrictive ‘copyleft’ licences present a higher level of commercial risk because of their obligations to share source code and to licence modified or derivative works under the same copyleft licence (also known as reciprocating the licence).
The obligation to share source code may be undesirable for organisations that hold value in their IP as this act could significantly diminish or even eliminate the products commercial viability.
Additionally, the obligation to reciprocate the licence often creates licence conflicts where organisations licence their modified works under another licence such as a proprietary End User Licence Agreement or another open source licence.
Developers use open source because of its benefits. However, are often unaware of the licence obligations attached to open source components. Which, unknowingly to them, exposes their organisation and its IP to risks, which may be costly and time consuming to resolve.
The resulting licence violations may expose an organisation to the risk of copyright infringement, litigation, forced source code disclosure, adverse publicity, vilification by the community and in an investment or merger and acquisition (“M&A”) scenario, the devaluation of the organisation.
Enforcement and Compliance
Recent years have seen a shift in enforcement dynamics, with companies like Microsoft and Google taking proactive measures to ensure compliance with open source licences. In fact, Microsoft is the largest open source contributor on GitHub. As a result enforcement in this space is increasingly driven by companies rather than individual right holders.
High-profile cases, such as Cokinetic Systems vs. Panasonic Avionics, highlight the potential financial repercussions of licence violations, emphasising the need for robust compliance frameworks.
The emergence of dual licensing models, where companies offer both open source and commercial licences, reflects efforts to monetise open source while mitigating compliance risks. However, the onus remains on organisations to navigate the intricate web of licence obligations and ensure adherence to legal requirements.
Open Source Due Diligence
In the context of M&A transactions and outsourcing contracts, open source due diligence is of utmost importance. Audits conducted by specialised firms, like Escrow London, help identify open source components and assess compliance with licence terms. Common licences, including GPL, LGPL, MPL, AGPL, GNU, and Apache, each carry distinct obligations that must be carefully evaluated.
Managing Licence Compliance
Effective licence compliance requires ongoing vigilance and adherence to best practices. The publication of standards like the OpenChain ISO/IEC 5230:2020 underscores the industry’s commitment to improving licence compliance in the software supply chain. Legal professionals play a pivotal role in guiding clients through the complexities of open source licensing, ensuring adherence to legal requirements and mitigating risk.
Conclusion
As open source continues to play a pivotal role in software development, legal professionals must remain vigilant to ensure compliance with licence obligations. Proactive due diligence, and ongoing monitoring are essential for navigating the legal details of open source software. By prioritising compliance and adopting best practices, organisations can harness the benefits of open source while safeguarding against potential risks and liabilities.
##
About Escrow London
Escrow London is a global software and SaaS escrow company with offices in London, UK, and Sydney, Australia. Our North American division called The Escrow Company, is based in Atlanta, US.
We have invested considerable resources into innovation to reinvent software escrow for a SaaS world. Escrow London provides a range of SaaS continuity escrow solutions suitable for AWS, Microsoft Azure and Google Cloud hosted SaaS applications. We support a wide range of clients includes major law firms, banks, central banks, insurance companies, technology companies and government organisations.
To find out more about Escrow London and our software escrow and SaaS continuity escrow solutions, visit our YouTube channel.