Obviously, you should follow the licenses of open source code included in your projects and products when distributing this code to third parties, for example, when shipping your product to customers. Beyond the moral and legal argument, however, you may wonder: How important is it? After all, the software will do its job just fine, irrespective of whether it comes with correct legal notices or not.
Like most business decisions, this is an exercise in risk management. How much time and effort you spend on license compliance depends on your risk of getting sued for any license violations. Thus, a company has to assess its risk profile. Variables of the risk profile are market (consumer vs. enterprise), type of software (embedded vs. application), type of distribution (on-premise vs. cloud) and others.
There are two main sources of potential lawsuits:
- Copyright and patent trolls. Trolls are individuals or companies that sue you to extract as much money as possible; it is their business model.
- Copyleft enforcers. Enforcers will sue you specifically for copyleft violation; their origins are in the free software movement.
Copyright trolls use the copyright they hold in open source software to extract money from anyone who violates their rights, and patent trolls use patents they own to extract money from anyone who uses open source software that utilizes these patents, knowingly or not. In general, both copyright and patent trolls search the web for potential violators, and if they find someone, start their work.
Copyright trolls look for missing or incomplete legal notices. If they find software that is distributed to third parties in binary form and includes open source code in which they hold copyright, they will check the legal notices for correct copyright statements that give them credit for their work. If they don’t find them, they set up the trap: They document all occurrences of license violations and inquire about only one of them, using a traditional cease and desist letter. If the company signs the cease and desist declaration to get rid of the nuisance, the trap has sprung. The copyright troll will come back with the other violations, asking the company to pay the typically hefty fines agreed to in the cease and desist declaration.
Patent trolls, more formally known as non-practicing entities (NPEs), don’t have to set up a trap; they will simply approach anyone using software that uses their patents and try to extract license fees, with possible escalation to the courts if the victim doesn’t pay up. Sadly, the availability of open source legal notices has made it easier for patent trolls to determine whether a particular software uses open source code they argue violates their patents.
Copyleft enforcers are organizations or individuals who might sue a distributor of open source code who does not follow the copyleft obligations of the distributed code. Typically, the open source code in question is the Linux kernel. There used to be individuals who tried to enforce copyleft licenses, but due to the legal costs of enforcement, most of this work has moved to the Software Freedom Conservancy, a U.S.-based 501(c)(3) non-profit organization.
Historically, copyleft enforcement was driven by the moral impetus of “freeing all software” from enslavement by software vendors. This heated rhetoric has abated, and today’s primary goal simply appears to be license compliance: to respect the original open source developer’s wishes as expressed by the chosen licenses.
The Software Freedom Conservancy does not randomly start lawsuits but rather approaches copyleft enforcement strategically: It finds or is approached by copyright holders of copyleft-licensed code whose rights are being violated. It may then start work if the case appears suitable to move forward the goal of copyleft compliance. The suitability of a case depends on multiple factors, but perhaps the most important one is how representative of a category of violations the case is. Then, enforcing copyleft compliance may serve as a warning to others and prevent further copyleft violations in the first place.
A lawsuit is the last resort. First, the Software Freedom Conservancy will simply ask that the copyleft violation be fixed. Over time, open source licenses have added cure periods during which the distributor can fix any license violations, for example, by providing proper legal notices or corresponding source code. These cure periods typically last 30 days, but you may be able to agree on a longer period. The key is a clear and honest willingness to solve the problem. The Software Freedom Conservancy is likely to move to a lawsuit only if the response is confrontational and the problem simply doesn’t get fixed.
The situation keeps shifting. Copyleft enforcers, for example, have teamed up with the right-to-repair movement. To repair a malfunctioning device that runs on software, you obviously need the source code, whether it was built from copyleft-licensed open source code or not. Looking ahead, we can expect more legislation to weigh in on the availability of source code.
© 2024 Dirk Riehle, used with permission.