The legal risks of adopting open source software may not be confined to intellectual property problems of the SCO-IBM type.
Apart from issues such as copyright claims over Unix code in Linux, problems could also arise through the application of the open systems’ general public licence (GPL) to software derived from an open source product but which includes elements the developer wants to protect, says a lawyer.
David McGuinness, of law firm Simpson Grierson, told an audience at New Zealand's GOVIS conference of government IT managers that the unique and “non-legalistic” nature of the open source licence and the lack of specific legal test cases create uncertainty.
The GPL states that the user of an open source program “must cause any work that you publish or distribute that in whole or [in part] contains or is derived from the program or any part thereof to be licensed as a whole, at no charge, to all third parties under the terms of the licence”.
This raises the spectre of a large enterprise application founded on a relatively small amount of open source code being open for all-comers, including potential competitors, to acquire and use at no charge.
There is certainly “confusion and concern” on this front, McGuinness says.
The meaning of the term “derived” is not clear, and the pertinent clause is, he says, inconsistent with other parts of the GPL licence.
Conversely, some “flaws” in the open source licensing model may allow users to escape providing for general consumption derived products such as Linux utilities, which the open source community would consider should be so distributed.
The GPL is not typically enforced by a physical act of consent such as a signature or a tick on an online form. This may make agreement to the conditions subject to legal dispute.
Also, bearing in mind the zero or nominal fee attached to the acquisition of OSS, a question mark exists over whether a “valuable consideration” has actually been transferred, as required by contract law.
That could cast doubt on the need to abide by any of the terms of the licence.
McGuinness updated his audience on the still unresolved SCO dispute, “As I understand it, SCO’s evidence [for breach of copyright] is far from convincing,” he said; but, in any case, users of open source have been “put on notice” about the IP risk.
It appears unreasonable, he says, for one buyer of an open source software product to take on full responsibility for any intellectual property infringement committed by the developer of any part of the system, but this may well be the case.
Commercial software licences contain assurances protecting the buyer from action for any “upstream” IP breach, but the GPL contains no such assurances and is very loosely worded, McGuinness notes.
He also referred to the lack of user remedy for failure or inefficiency of performance under an open source licence.
His risk summary at Govis brought a reply from Chris Hegan of open source developer Asterisk, pointing out that there have been at least as many actions against proprietary software for IP breaches as there have been against open source software.
With the latter, the user can at least examine the code and check any allegations of inclusion of “ripped off code” from another’s product.
With proprietary software it is far more difficult to check the veracity of any allegation.
“We can all talk about risk,” Hegan says. “It’s risky to drive, we know that too.”
But both motor vehicles and open source software have been around for a long time and users take the risks on board as acceptably low, he says.