FOSS compliance becomes more important

Free and open-source software could be subject to new compliance requirements


Versata Software learned the high cost of failing to manage the use of free and open-source software (FOSS) in its proprietary distribution channel management (DCM) software: Its routine attempt to terminate a license for its DCM software with its licensee, Ameriprise Financial, exploded into several lawsuits resulting in eight of Versata’s clients being sued by XimpleWare Corp., the owner of some software embedded in the DCM software.

The case was finally settled out of court, so just how high the cost was is unknown. But certainly being a party to any extended lawsuit is expensive. There are lessons that can be derived from the Versata case that any company distributing or using FOSS should heed if it wants to avoid paying a similar price.

Ameriprise is in the business of providing financial products to its network of independent financial advisers, from whom it receives a commission. Versata licensed its DCM software to Ameriprise to calculate commissions for the financial advisers. And Versata agreed to permit Ameriprise to use third-party contractors to modify the DCM software, subject to stringent terms.

Ameriprise hired Infosys to make such changes. Versata claimed that Infosys was using the DCM software not only to develop functions for Ameriprise, but also to develop a competitive product. According to Versata, Ameriprise did not terminate the relationship with Infosys even though Infosys was violating the terms of the license to DCM, which permitted Ameriprise to use certain third-party consultants. Versata claimed that this failure to terminate Infosys breached the license. Ameriprise denied these claims and raised several defenses, including that Versata violated the DCM license because the DCM software included XimpleWare VTD XML software, which was licensed under GPLv2. The DCM license stated that Versata had the right to license the DCM software and that it did not include any software that was "encumbered."

The XimpleWare software reads and parses XML and is available under both GPLv2 (the most widely used FOSS license) and commercial licenses. According to Ameriprise, Versata had obtained the XimpleWare software under the GPLv2 but failed to comply with its terms: it did not provide its licensees with the text of the GPLv2, the required copyright notices or a copy of the XimpleWare source code. GPLv2 itself provides (in section 4) that any attempt to copy, modify or distribute the program other than as the license permits automatically terminates the licensee's rights, and Ameriprise argued that, consequently, Versata no longer had the right to include the XimpleWare software in its DCM software.

Ameriprise also claimed that the XimpleWare software was integrated into DCM software in a manner that made all of the DCM software a "derivative work" under the GPLv2, and thus, the DCM software was subject to GPLv2. Ameriprise demanded that Versata make the DCM software available under the GPLv2 and provide the source code of the DCM software to Ameriprise. Ameriprise also reported these violations of the GPLv2 to XimpleWare. XimpleWare then sued Versata, Ameriprise and other alleged Versata licensees for copyright and patent infringement. 

FOSS is used by companies across industries that include everything from automobiles to consumer electronics. Yet many companies do not properly manage its use. In August 2014, Gartner reported that less than half of IT organizations have an effective FOSS use policy, noting that by 2016, “the vast majority of mainstream IT organizations will leverage nontrivial elements of OSS (directly or indirectly) in mission-critical IT solutions. Consequently, IT organizations must learn to manage hybrid portfolios that contain both OSS and CSS assets” (open-source and closed-source software, respectively). Costly disputes are likely to increase as FOSS is treated more as a standard part of the software ecosystem rather than an exotic exception.

In the past, FOSS licenses have been enforced by members of the community (such as the Software Freedom Conservancy or the Software Freedom Law Center), which focus on compliance. The Versata cases represent a potential major shift in FOSS compliance, where commercial (or monetizing) enforcers may become more common and seek monetary and other more traditional remedies for contract breach. These developments mean that both software distributors and users need to adopt and manage a robust process to manage the use of FOSS and ensure compliance with FOSS licenses. The failure to do so could be expensive.  

Key organizations that enforce the GPLv2 recently provided guidance on GPLv2 compliance. On Oct. 30, the Software Freedom Law Center published the second version of its Practical Guide to GPL Compliance; and a few days later, the Software Freedom Conservancy and the Free Software Foundation published the first version of their guide, the Copyleft and the GNU General Public License: A Comprehensive Tutorial and Guide.

Anyone managing FOSS compliance should read the Versata cases and these guides, and should track new developments in the Versata dispute. All companies distributing and using software should ensure they understand and can comply with their FOSS license obligations.

Companies distributing software should take the following steps:

  1. Understand what FOSS is included in your products, including transitive dependencies and source copied into your own tree, not only the packages you declare. Most companies simply don’t know and need to use a scanning product such as Black Duck, Palamida or FOSSology.
  2. Develop a FOSS use and management policy to ensure you understand your obligations and can comply with them.
  3. Review your distribution agreements to ensure they take into account any terms imposed by FOSS licenses in your product.

Companies using software should take the following steps:

  1. Understand what FOSS is included in software that you are using. Consider using the scanning tools referenced above.
  2. Ensure that you have a FOSS use and management policy to comply with FOSS license obligations. As IT infrastructure has become more complex and the use of third parties has increased, ensure that your FOSS use policy takes added complexities into account. 
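Step 1 of both lists is where an automated gate belongs. The following is an added example, not code from the article or from any of the scanning products named above: a minimal license inventory that classifies each component's license into a family (strong copyleft, weak copyleft, permissive, unknown) and reports which distribution obligations are unmet, the same categories of failure Ameriprise alleged (missing license text, missing notices, no source). The component records, their names and their licenses are constructed for the example; `from_installed()` shows how the same check can be fed from the Python packages present in an environment, and the shipped/offered flags are assumed to come from your release process.

```python
"""Added example (not from the article or any vendor tool): a minimal license
inventory and obligation check of the kind a FOSS scanning product automates.
The component records below are constructed for the example; from_installed()
shows how the same check can be fed from the Python packages on this machine.
"""
import re
from dataclasses import dataclass
from importlib import metadata

# License families, matched against whatever the package metadata says (SPDX
# identifier, Trove classifier or free text). Weak copyleft is tested before
# strong so that "LGPL" and "Lesser General Public License" are not read as GPL.
FAMILIES = [
    ("weak-copyleft", re.compile(
        r"LGPL|Lesser General|Library General|\bMPL\b|Mozilla|\bEPL\b|Eclipse|\bCDDL\b", re.I)),
    ("strong-copyleft", re.compile(r"AGPL|GPL|General Public License", re.I)),
    ("permissive", re.compile(
        r"\bMIT\b|BSD|Apache|\bISC\b|Zlib|Python Software Foundation|\bPSF\b|Unlicense|CC0", re.I)),
]
# SPDX-style choice between licenses, e.g. "GPL-2.0-only OR LicenseRef-Commercial".
# Case-sensitive on purpose so that "GPLv2 or later" is not taken as a choice.
DUAL = re.compile(r"\bOR\b")


@dataclass
class Component:
    name: str
    version: str
    license: str                        # raw license string from metadata
    license_text_shipped: bool = False  # license text included with the distribution
    notices_shipped: bool = False       # copyright notices preserved
    source_offered: bool = False        # corresponding source provided or offered


def classify(license_str):
    """Map a raw license string to a family; anything unrecognised is 'unknown'."""
    for family, pattern in FAMILIES:
        if pattern.search(license_str or ""):
            return family
    return "unknown"


def audit(components, distributed=True):
    """Return (component name, finding) pairs for every failed check.

    The notice and source checks only apply when the product is distributed;
    purely internal use of these licenses triggers none of them.
    """
    findings = []
    for c in components:
        family = classify(c.license)
        if DUAL.search(c.license):
            findings.append((c.name, "dual-licensed: record which license option was accepted"))
        if family == "unknown":
            findings.append((c.name, "license not identified: manual review required"))
            continue
        if not distributed:
            continue
        if not c.license_text_shipped:
            findings.append((c.name, f"{family}: license text not included"))
        if not c.notices_shipped:
            findings.append((c.name, f"{family}: copyright notices not preserved"))
        if family == "strong-copyleft" and not c.source_offered:
            findings.append((c.name, "strong-copyleft: corresponding source not offered; "
                                     "the combined work may be affected"))
    return findings


def from_installed():
    """Build Component records from the packages installed in this interpreter.

    The shipped/offered flags cannot be read from package metadata; they come
    from the release process and default to False here, so every copyleft
    component surfaces until someone records the evidence.
    """
    out = []
    for dist in metadata.distributions():
        meta = dist.metadata
        parts = [meta.get("License") or ""]
        parts += [c for c in (meta.get_all("Classifier") or []) if c.startswith("License ::")]
        out.append(Component(meta.get("Name") or "?", dist.version,
                             " / ".join(p for p in parts if p)))
    return out


# Constructed records for the example; the names and licenses are made up.
SAMPLE = [
    Component("xmlparser-dual", "2.11", "GPL-2.0-only OR LicenseRef-Commercial"),
    Component("fastjson-lite", "1.2", "MIT", license_text_shipped=True, notices_shipped=True),
    Component("netlib-weak", "3.0", "GNU Lesser General Public License v2.1 (LGPLv2.1)",
              license_text_shipped=True, notices_shipped=True),
    Component("mystery", "0.1", "UNKNOWN"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Run against `SAMPLE`, the dual-licensed GPL component produces four findings (which option was accepted, no license text, no notices, no source offer) and the unrecognised license one, while the MIT and LGPL components with their notices in place produce none. With `distributed=False` only the two review items remain, which is the distinction between the distributor and user lists above. The family patterns are deliberately coarse: anything they miss lands in "unknown" and is escalated rather than silently passed.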

Mark Radcliffe is a partner in DLA Piper’s Intellectual Property and Technology group, based in Silicon Valley. He concentrates on strategic IP advice, software and Internet licensing, cloud computing and private financing.

Copyright © 2015 IDG Communications, Inc.
