Walking on the edge

The risk of poor open source practices is increasing (Part 1)

by VanL

So much of what we do in OSPOs is about trying to get things right. We usually focus on the positive sides of engaging with open source: lower costs, greater control, faster time-to-market, and higher developer satisfaction. But that doesn't mean we don't also keep an eye on open source risks. A number of independent events have all converged to markedly increase the legal risk of poor open source practices.

Why risk matters

As OSPO stakeholders, we need to know what happens when things go wrong - either accidentally or (occasionally) because of conscious neglect.

I remember one conversation that I had a decade ago with someone who was weighing whether to comply with their open source obligations. I was encouraging the executive to do so, highlighting the benefits of engaging with open source as well as the risks associated with non-compliance. When I mentioned those risks, however, he stopped me.

"Who really is going to sue?" he asked. "There are only a few groups out there who are working on open source compliance, and we know which projects they are looking at. As for everybody else, what are they going to do? Sue us, and get statutory damages? The risk is low."

It was a disheartening conversation.

Thankfully, we were able to convince him to comply based upon the larger risks associated with poor publicity, difficulty attracting and keeping developers, and other standard arguments. But I never forgot the way in which he brushed aside the legal risk of copyright infringement.

What is legal risk?

It's important to understand what we are talking about when we discuss legal risk. In general, you can quantify legal risk by looking at three questions:

  1. Who can be a plaintiff?
  2. What arguments can the plaintiff make?
  3. How likely is the plaintiff to win?

Each one of these questions provides one dimension of legal risk. If there are more possible plaintiffs, there is more risk. If there are more causes of action, there is more risk. And of course, if plaintiffs are more likely to win, then there is more risk. It turns out that current events are leading to increasing risk across all of these dimensions. Put another way, the old framing of legal risks focused just on copyright. The new frame also has risks associated with contract law and corporate governance.

Framing the risks

No one should dismiss the risks around copyright enforcement - since the Supreme Court's decision in Oracle v. Google effectively affirmed the Federal Circuit's opinion on copyrightability in Oracle Am., Inc. v. Google Inc., No. 13-1021 (Fed. Cir. 2014) ("Oracle I"), it has become slightly easier for open source copyright holders to win certain types of infringement cases (while making it harder to win others). But what is happening now is that new categories of legal risk are developing.

Contract risk

The most significant development associated with open source legal risk is the Vizio case (Software Freedom Conservancy, Inc. v. Vizio, Inc. et al). At issue in this case is whether people who receive copies of open source binaries (like the Linux kernel) have the right to enforce the open source license - here the GNU GPL - as third party beneficiaries.

Legal background of SFC v. Vizio

Those who follow open source will be familiar with the Software Freedom Conservancy (SFC). As well as hosting and supporting a number of open source projects, the SFC has been one of the most active enforcers of the GNU GPL. They have had a number of successful engagements and enforcement actions, always geared toward using the threat of copyright infringement to encourage their true goal - compliance with the open source license.

What makes SFC v. Vizio different is that although the SFC could have treated this case as a regular copyright infringement action, they instead filed a contract law claim as a purchaser of Vizio televisions. They argued that they had a right to Vizio's open source-derived source code as a third party beneficiary of the GNU GPL. The complaint was carefully pruned of any reference to possible copyright enforcement and filed in California state court.

Vizio, as expected, argued that because this was a case involving a software license (under copyright), the case should be removed to Federal court (CD CA 8:21-cv-01943-JLS-KES) due to it being preempted by the Copyright Act. After full briefing from each side, the Federal district court rejected Vizio's argument and remanded the case back to the California state court for adjudication of the claims under contract law.

Implications of SFC v. Vizio

This case is still ongoing, and it is still unknown whether the California court will find that there is an enforceable third party interest in Vizio's compliance with the GNU GPL. However, as third party beneficiary claims go, this one is on better ground than most. The GPL explicitly contemplates that third parties, not the copyright holder, would be the beneficiaries of the source code delivery provisions of the GPL. As stated in the preamble of the GPLv2:

...if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

What makes this case potentially difficult for the court is the issue of remedies. Courts are frequently unwilling to command specific performance. But realistically, any relief provided to the SFC will enable a much higher level of legal enforcement.

In the case of the GNU GPL, specific performance means providing GPL-licensed complete corresponding source code for all works that are derivative of GPL-licensed source code. That will trigger a wave of analysis about the use of open source code by corporations, particularly the use of reciprocally ("copyleft") licensed source code like that under the GNU GPL. It is unclear what this may mean for the industry. Some organizations may decide to ban all open source code (or at least all copyleft code) from their codebases. Other organizations may decide that certain types of IP - like patches to the Linux kernel - are just not that important or individually valuable, and move into compliance.

What about other possible remedies?

An injunction against shipping non-compliant televisions would likely have the same effect as an order for specific performance, just with more teeth. When faced with the choice between 1) not shipping any products and 2) complying with the GPL, every company will choose to comply with the GPL. It may be that the precedent associated with getting an injunction would encourage better up-front compliance, rather than waiting for customers to "discover" non-compliance.

Other possible remedies are more difficult. It is possible that a court may try to fashion a monetary remedy, for example by granting an award to compensate television purchasers for the lack of compliance. This is consistent with many cases in contract law which seek to provide an equivalent "benefit" rather than force specific performance. However, this path would quickly become thorny: How much is the software "worth" in a television? In a router? In a refrigerator?

Further, any possible award - even one as small as a couple of dollars - opens the door for class action lawsuits. Class actions are made for situations where a large number of plaintiffs have been harmed in a similar way, even when any particular harm is too small to be effectively litigated. If there is a precedent that non-compliance with open source licenses is worth any amount of money, it is likely that the sheer number of possible similarly-situated plaintiffs will result in widespread class action lawsuits by those who do not have software freedom and user empowerment as their primary goal.

Returning to risk

As noted above, legal risk is about the number of possible plaintiffs, the range of possible claims, and the strength of those claims. SFC v. Vizio seems likely to drastically increase all three of these measures of legal risk. While any individual claim may have a relatively low "value," the change from thousands of possible plaintiffs to millions completely changes the risk analysis. As the famous saying goes, "Quantity has a quality all its own."

If SFC wins - which I provisionally think will occur - I am hoping for an order for specific performance. Compliance with open source licenses doesn't require individualized negotiation - comply for one and you comply for all. Any other result is likely to lead to drastic increases in litigation that will add "costs" to the use of open source by organizations.

(This is part one of the series about increasing legal risks associated with poor open source practices, focusing on SFC v. Vizio. Part two discusses the implications of the presidential Executive Order on Improving our Nation's Cybersecurity. Part three discusses the dangers of FTC actions resulting from poor open source practices.)