
Open-Source Risk Management Tools

By Diana Marina Cooper
January 30, 2013

Many of us in the legal community have heard about the trouble that organizations have run into when using open source improperly (remember Cisco/Linksys, Katzer, and the BusyBox chronicles?). To help avoid the open-source surprises that these and other organizations have faced, the following is a discussion of the risk management tools that in-house counsel can rely on to perform effective open-source due diligence in software acquisitions: contractual measures, such as representations and warranties and indemnities; and extra-contractual tools, including software audits and a structured Open Source Software Adoption Process (OSSAP).

The Need for Open-Source Risk Management

The current software development and distribution environment makes it increasingly necessary to perform due diligence to establish code pedigree before executing a software acquisition. Software developed in-house from scratch is becoming rarer, for a combination of reasons: well-written open-source code is more accessible than ever; products rely heavily on third-party code; and programming is increasingly outsourced and offshored. The result is that software suppliers have diminished control over, and imperfect knowledge of, the composition of their own code. So what does this mean? If any party in the supply chain unknowingly procures software containing open source and embeds it in a product you are buying, your organization is exposed to unexpected legal and financial consequences arising from intellectual property infringement claims.

As an example, shortly after Cisco acquired Linksys in 2003, it was faced with GPL infringement claims relating to the firmware in Linksys routers. It turned out that the firmware for the chipset had been supplied to Linksys by Broadcom, which in turn had outsourced its development to a third party. The dispute culminated in a suit by the Free Software Foundation, and under the settlement Cisco agreed to make the relevant source code freely available on its website, appoint an open-source compliance officer, and make a monetary contribution to the Free Software Foundation.

As courts in the United States, Germany and elsewhere have recognized the enforceability of open-source licenses such as the GPL, notable violators have entered into costly settlements, and enforcement organizations such as the Free Software Foundation have become more aggressive in launching suits. The net effect of these developments is a growing number of intellectual property infringement claims involving open-source software.

Reps and Warranties vs. Indemnities in an Open-Source World

Because of the immense financial and legal implications of intellectual property infringement suits, a software purchaser will typically require the seller to represent and warrant that the software does not contain open source. If open source is later discovered, the buyer is entitled to seek damages for the seller's breach. However, because of gaps in its own knowledge of code pedigree, a hypothetical software company, let's say “Softco Supplier,” may instead represent and warrant only that “to the best of our knowledge, open source is not incorporated into the product.” In that case, “Softco Buyer” is entitled to damages only if it can show that Softco Supplier knew the representation was untrue at the time it was made. If that cannot be established, Softco Buyer is left without a remedy for any losses arising from Softco Supplier's misrepresentation.

Unlike reps and warranties, recovery under an indemnity does not depend on whether a misrepresentation was made. Thus, if Softco Supplier indemnified Softco Buyer against open-source infringement claims, it would be obligated to compensate the buyer for any such losses. Whether Softco Supplier knew of the presence of open source would be irrelevant, because liability is triggered by the occurrence of the contractually specified event (the presence of open source) rather than by a misrepresentation.

Another important distinction between reps, warranties, and indemnities in our example concerns Softco Buyer's duty to mitigate its own loss. The common law requires a party relying on reps and warranties to take reasonable steps to mitigate its losses. In the context of open-source reps and warranties, once a software buyer becomes aware that open source is embedded in the software, it must act to minimize its loss, for example by promptly replacing the code or by making the code freely available. In contrast, there is no parallel requirement for the beneficiary of an indemnity to mitigate its own losses.

Software Audit Can Minimize Exposure

Although open-source reps, warranties, and indemnities can provide software purchasers with remedies for losses arising from intellectual property infringement suits, they cannot shelter the buyer from being sued in the first place, or from the loss of goodwill that accompanies litigation. As a result, reps, warranties, and indemnities should not be regarded as substitutes for due diligence. Rather than accepting the risk of open-source surprises in a software acquisition, in-house counsel can engage external resources that are able to analyze the software and determine whether open source is present.

A software audit entails code scanning aimed at detecting third-party and open-source code. After the scanning stage, the purchaser is provided with an audit report detailing the identified code and its associated license obligations. Performing such audits at the pre-purchase stage allows the buyer to determine whether the license obligations of the open-source code are consistent with its organization's intellectual property policies; if they are not, the buyer is positioned to ask the supplier to replace the code in question, or to engage an alternate supplier. One caveat: scanners match against databases of known open-source code and license text, so code that has been heavily modified, or that is delivered only in binary form, can be missed. A clean audit report is strong evidence, not proof, that no open source is present.
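The code-scanning step described above, as an added example that is neither the article's own material nor Protecode's product: a deliberately small Python scanner that walks a source tree, looks for SPDX license tags and a few recognisable license-header phrases, classifies each hit as copyleft or permissive, and rolls the findings up into the question counsel actually asks (does anything here need legal review?). The sample files and their contents are constructed for the example; the pattern list and the COPYLEFT/PERMISSIVE sets are assumptions and nowhere near complete.

```python
"""Toy license scanner illustrating the code-scanning stage of a software audit.

Added example for this article; not a vendor's tool. It recognises only SPDX tags and a
handful of standard header phrases, which is enough to show the technique, not to replace
a commercial scan against a full database of open-source code.
"""
import re
import tempfile
from pathlib import Path

# Signal 1: an explicit SPDX tag, e.g. "SPDX-License-Identifier: GPL-2.0-or-later".
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")

# Signal 2: phrases from standard license headers (assumed patterns, not exhaustive).
# Entries are (family, spdx_id, pattern). Within a family the first match wins, so the
# more specific "or-later" patterns are listed before the looser "only" ones.
HEADER_PATTERNS = [
    ("GPL", "GPL-2.0-or-later", re.compile(
        r"GNU General Public License[\s\S]{0,200}?version 2[\s\S]{0,80}?any later version")),
    ("GPL", "GPL-3.0-or-later", re.compile(
        r"GNU General Public License[\s\S]{0,200}?version 3[\s\S]{0,80}?any later version")),
    ("GPL", "GPL-2.0-only", re.compile(r"GNU General Public License[\s\S]{0,200}?version 2")),
    ("GPL", "GPL-3.0-only", re.compile(r"GNU General Public License[\s\S]{0,200}?version 3")),
    ("LGPL", "LGPL-2.1-or-later", re.compile(
        r"GNU Lesser General Public License[\s\S]{0,200}?version 2\.1[\s\S]{0,80}?any later version")),
    ("LGPL", "LGPL-2.1-only", re.compile(r"GNU Lesser General Public License[\s\S]{0,200}?version 2\.1")),
    ("Apache", "Apache-2.0", re.compile(r"Licensed under the Apache License, Version 2\.0")),
    ("MIT", "MIT", re.compile(r"Permission is hereby granted, free of charge")),
    ("BSD", "BSD-3-Clause", re.compile(r"Neither the name of[\s\S]{0,200}?endorse or promote")),
]

# Copyleft licenses carry the source-disclosure obligations the article is concerned with.
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
            "AGPL-3.0-only", "AGPL-3.0-or-later", "LGPL-2.1-only", "LGPL-2.1-or-later",
            "LGPL-3.0-only", "LGPL-3.0-or-later"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}
SOURCE_SUFFIXES = {".c", ".h", ".cpp", ".py", ".js", ".go", ".java", ".rs"}


def detect_licenses(text):
    """Return the set of SPDX identifiers signalled by one file's text."""
    found = set(SPDX_RE.findall(text))
    matched_families = set()
    for family, spdx_id, pattern in HEADER_PATTERNS:
        if family in matched_families:
            continue  # a more specific pattern in this family already matched
        if pattern.search(text):
            found.add(spdx_id)
            matched_families.add(family)
    return found


def classify(spdx_id):
    """Map a license identifier to the obligation class counsel cares about."""
    if spdx_id in COPYLEFT:
        return "copyleft"
    if spdx_id in PERMISSIVE:
        return "permissive"
    return "unknown"


def scan_tree(root):
    """Walk a source tree and map each source file to the licenses detected in it."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            report[path.relative_to(root).as_posix()] = sorted(detect_licenses(text))
    return report


def summarize(report):
    """Roll per-file findings up into a go/no-go summary for the audit report."""
    copyleft_files = {}
    for filename, licenses in report.items():
        hits = [lic for lic in licenses if classify(lic) == "copyleft"]
        if hits:
            copyleft_files[filename] = hits
    unknown = sorted({lic for licenses in report.values()
                      for lic in licenses if classify(lic) == "unknown"})
    return {
        "files_scanned": len(report),
        "files_with_license_signal": sum(1 for licenses in report.values() if licenses),
        "copyleft_files": copyleft_files,
        "unrecognised_licenses": unknown,
        # Anything copyleft, or any license the scanner cannot classify, goes to counsel.
        "needs_legal_review": bool(copyleft_files or unknown),
    }


# Constructed sample "supplier deliverable" for the demo; not real vendor code.
SAMPLE_FILES = {
    "drivers/wifi.c": (
        "/* This program is free software; you can redistribute it and/or modify it under the\n"
        " * terms of the GNU General Public License as published by the Free Software Foundation;\n"
        " * either version 2 of the License, or (at your option) any later version. */\n"
        "int wifi_init(void) { return 0; }\n"),
    "util/strbuf.c": "// SPDX-License-Identifier: MIT\n// Permission is hereby granted, free of charge, ...\n",
    "app/main.c": "/* Copyright (c) 2013 Softco Supplier. All rights reserved. */\nint main(void) { return 0; }\n",
    "third_party/json.h": "// SPDX-License-Identifier: Zlib\n",
}


def build_sample_tree():
    """Write the constructed sample files to a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="audit-"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    findings = scan_tree(tree)
    for filename, licenses in findings.items():
        print(f"{filename}: {', '.join(licenses) or '(no license signal)'}")
    print(summarize(findings))
```

Commercial scanners go a step further than this: they fingerprint code against a database of known open-source projects, so they also catch snippets copied without any header or SPDX tag. Treat the output of any scanner as evidence to be reviewed by counsel, not as proof of a clean code base.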

Review of Available Due Diligence Tools

In-house counsel to software purchasers have contractual tools at their disposal to protect their organizations from open-source liabilities. However, it is important to remember that not all tools provide equal protection. While reps and warranties can give the buyer a remedy for misrepresentation, where those assurances are qualified by the supplier's knowledge the buyer may be left without recourse. From this perspective, indemnities offer greater protection to software purchasers concerned about intellectual property infringement claims arising from the use of open source. Open-source indemnities also compare favorably with reps and warranties in that they do not oblige the party relying on them to take any action to minimize its own losses in the event of a breach.

Conclusion

Although open-source reps, warranties, and indemnities can provide software purchasers with a means of recovery from intellectual property infringement claims, these contractual measures are an imperfect after-the-fact solution to a problem that lends itself well to management practices that reduce the risk in the first place. Structured open-source license management practices such as OSSAP, combined with software audits aimed at identifying third-party and open-source code and ensuring open-source license compliance, provide the strongest protection. These tools give software purchasers far greater confidence in code pedigree, and enable them to avoid the negative consequences of intellectual property infringement suits.


Diana Marina Cooper has been working with Protecode (www.protecode.com) as an open-source corporate strategy consultant since 2011. Ms. Cooper is currently a JD Candidate (2013), pursuing a concentration in Law and Technology. Follow her at Diana@Diana_M_Cooper.
