It seems everyone is scrambling to understand what to do about AI. Based on our work with our clients, here are the emerging issues and best practices.
When you ship a program that uses open source code, you need to make sure that 1) your licensing is compliant, and that 2) you provide the necessary attribution, licensing, and (possibly) source code for the open source components you use. But many people are confused about how far back their disclosures need to go. Do you need to declare every dependency, including dependencies of dependencies? What do you need to share?
Every one of our clients has been asking for help on AI issues. We can't reason about AI correctly without understanding how these tools work. Accordingly, I want to bring my latest publication to your attention: Building and Using Generative Models Under US Copyright Law (18 Rutgers Bus. L.R. No. 2, 2023).
One of the time-honored traditions of open source is reverse engineering - working out how another person accomplished a goal and replicating it. Reverse engineering is an important tool in your toolbox and has been growing in importance. But it always involves some legal risk. So how do you make reverse engineering as effective as possible while managing the risk?
The biggest name in AI right now is OpenAI. With its wildly popular ChatGPT, GPT-3 and GPT-4, and Codex products, OpenAI has most of the buzz. But before you use any of its tools, make sure you read OpenAI's terms of use.
You may remember the 2017 Equifax data breach. The records of more than 160 million people were exposed, making it one of the largest cybercrimes related to identity theft. Among various other penalties, Equifax was required to pay out $300 million to a fund for victim compensation, $175 million to the states and territories in the agreement, and $100 million to the CFPB in fines. The cause of the data breach? Not updating an open source component on Equifax's website.
Last year, the Biden administration issued the Executive Order on Improving the Nation's Cybersecurity. What most open source personnel don't realize - yet - is that one of the results of the Executive Order will be a contract requirement to manage open source risks as a mandatory contract term for anyone supplying the Federal Government.
So much of what we do in OSPOs is about trying to get things right. We usually focus on the positive sides of engaging with open source: lower costs, greater control, faster time-to-market, and higher developer satisfaction. But that doesn't mean we don't also keep an eye on open source risks. A number of independent events have all converged to markedly increase the legal risk of poor open source practices.