litigation and compliance in the open source ecosystem

31
Litigation and Compliance in the Open Source Ecosystem

Upload: black-duck-software

Post on 24-Jan-2017

712 views

Category:

Law


2 download

TRANSCRIPT

Page 1: Litigation and Compliance in the Open Source Ecosystem

Litigation and Compliance in the Open Source

Ecosystem

Page 2: Litigation and Compliance in the Open Source Ecosystem

Speakers

MARK RADCLIFFE Partner, DLA Piper

BERND SIEBERSCounsel, DLA Piper

PHIL ODENCEVP & General Manager,

Black Duck Software

Page 3: Litigation and Compliance in the Open Source Ecosystem

OSS Often Enters a Code Base Unchecked, Resulting In Risks

Code BaseCommercial3rd Party

Code

Purchasing• Licensing?• Security?•Quality?• Support?

Open Source

OPERATIONAL RISKWhich versions of code are being used, and how old are they

LEGAL RISKWhich licenses are used and do they match anticipated use of the code

SECURITY RISKWhich components have vulnerabilities and what are they

Management visibility…not!

Page 4: Litigation and Compliance in the Open Source Ecosystem

Black Duck’s Experience Analyzing Code

• Audits on average find 33% open source

• 99% of code audits find open source

• 95% of audits find unknown open source

• 75% of audits contain unknown licenses

• 67% of code contains vulnerable components

• 50% of code audits contain GPL

Page 5: Litigation and Compliance in the Open Source Ecosystem

FOSS Compliance: New Players

• Traditional FOSS Enforcement: Focus on Compliance• Software Freedom Law Center• Software Freedom Conservancy

(“SFC”)• gplviolations

• Shift to Commercial Licensors• Continuent v. Tekelec (GPL)• Versata Series of Cases

• New Enforcers• McHardy, copyright troll• Fligor: looking for clients

• Major Difference in Goals • Shift from compliance to revenue• Focus on injunctive relief

• Expansion of Traditional FOSS Enforcement• SFC assists in VMware litigation

Page 6: Litigation and Compliance in the Open Source Ecosystem

Existing Compliance Issues

• VMware litigation (SFC)• McHardy litigation • First copyright troll

• Versata: focus on hybrid product licensing• Will terminated licensees regularly raise the defense of “integration” with GPLv2

licensed code?• Will warranty claims against licensors arise from poorly drafted licenses become

common?

Page 7: Litigation and Compliance in the Open Source Ecosystem

Netfilter Project Suspends McHardy

The netfilter project regrets to have to suspend its core team member Patrick McHardy from the core team. This is a grave step, definitely the first in the projects history, and it is not one we take lightly. Over many months, severe allegations have been brought forward against the style of his license enforcement activities on parts of the netfilter software he wrote.  With respect to privacy, we will not publicly disclose the content of those allegations.Despite many attempts by us to reach him, Patrick has been unable or unwilling to comment on those allegations or defend against the allegations. The netfilter project does not have first-hand evidence. But given the  consistent allegations from various trusted sources, and in the absence of any response from Patrick, we feel it is necessary to suspend him until further notice.We'd like to stress that we do not take any sides, and did not "convict" Patrick of anything.  He continues to be welcome in the project as soon as he is be able to address the allegations and/or co-sign the "principles" [1] in terms of any future enforcement activities.

Page 8: Litigation and Compliance in the Open Source Ecosystem

SFC Criticizes GPL MonetizersThese “GPL monetizers”, who trace their roots to nefarious business models that seek to catch users in minor violations in order to sell an alternative proprietary license, stand in stark contrast to the work that Conservancy, FSF and gpl-violations.org have done for years.Most notably, a Linux developer named Patrick McHardy continues ongoing GPL enforcement actions but has not endorsed the community Principles. When Patrick began his efforts, Conservancy immediately reached out to him. After a promising initial discussion (even contemplating partnership and Patrick joining our coalition) in mid-2014, Patrick ceased answering our emails and text messages, and never cooperated with us. Conservancy has had no contact with Patrick nor his attorney since, other than a somewhat cryptic and off-topic response we received over a year ago. In the last two years, we've heard repeated rumors about Patrick's enforcement activity, as well as some reliable claims by GPL violators that Patrick failed to follow the Principles.In one of the many attempts we made to contact Patrick, we urged him to join us in co-drafting the Principles, and then invited him to endorse them after their publication. Neither communication received a response. We informed him that we felt the need to make this public statement, and gave him almost three months to respond. He still has not responded.Patrick's enforcement occurs primarily in Germany. We know well the difficulties of working transparently in that particular legal system, but both gpl-violations.org and Conservancy have done transparent enforcement in that jurisdiction and others. Yet, Patrick's actions are not transparent.In private and semi-private communications, many have criticized Patrick for his enforcement actions. Patrick McHardy has also been suspended from work on the Netfilter core team. While the Netfilter team itself publicly endorsed Conservancy's principles of enforcement, Patrick has not. Conservancy agrees that Patrick's apparent refusal to endorse the Principles leaves suspicion and concern, since the Principles have been endorsed by so many other Linux copyright holders, including Conservancy.

Page 9: Litigation and Compliance in the Open Source Ecosystem

New Compliance Issues

• Harald Welte announcement of an OSS Compliance Company, aggregating developers• Welte: ran gpl violations• Geographic focus not limited to Germany, but could include France and Spain

• David Fligor/Progressive LLP: Troll lawyer searching for a project, so far no cases filed

• Sound View Innovations: new ASF software patent troll based on Alcatel-Lucent patents• Sound View has sued Facebook • Sound View has sued LinkedIn• Sound View has sued Twitter

Page 10: Litigation and Compliance in the Open Source Ecosystem

German FOSS Enforcement

• Community Enforcers• Harald Welte/gpl-violations.org (Linux kernel, iptables)• Returning to compliance based on Barcelona FSFE Conference

• Thomas Gleixner (Linux kernel code used in U-Boot)• XviD project• Christoph Hellwig (Linux kernel, this is the VMware case)

• Other• Patrick McHardy (Linux kernel, iptables, iproute2)

Page 11: Litigation and Compliance in the Open Source Ecosystem

Community Enforcement

• Most cases are settled before they go to court. The agreement for a “declaration to cease and desist" in Germany has to contain a clause about a contractual penalty for a future infringement: if the defendant is caught violating GPLv2 again, then the defendant has to pay the penalty.

• Harald Welte (gpl-violations.org) has used these penalties for donations to charities like Chaos Computer Club, Wau Holland Stiftung, Free Software Foundation Europe, etc. because his focus was on process change, compliance and community norms.

• gpl-violations.org worked very closely together with Free Software Foundation Europe to get companies to talk about their problems and let them participate in the global discussion about open source compliance and other legal issues.

Page 12: Litigation and Compliance in the Open Source Ecosystem

German Court Procedure - Outline

I. Preliminary Injunction Proceedings1. General2. Requirements3. Standard of Proof4. Possible Remedies5. Procedural Aspects6. Enforcement

II. Proceedings on the Merits1. Overview2. Remedies

III. Pre-Litigation Strategies 1. Offense Position2. Defense Position

Page 13: Litigation and Compliance in the Open Source Ecosystem

German Court Procedure –Preliminary Injunction Proceedings1. General• Objective: Stop infringement as soon as possible• Often most dangerous threat to infringer, since immediately

enforceable (appeal has no suspensory effect!)• "General" time line: • Granted within hours (e.g. re trade fairs), 1-2 days (if ex parte),

2-6 weeks (with oral hearing); • Appeal hearing 2-4 months after decision in first instance

Page 14: Litigation and Compliance in the Open Source Ecosystem

German Court Procedure – Preliminary Injunction Proceedings2. Requirements• Generally courts issue in cases where• Infringement is very likely• No undue delay in filing an application for PI ("Urgency Requirement")• Plaintiff has to file the application for PI without undue delay

• Up to 4 weeks usually not problematic• Up to 8 weeks usually problematic; IP owner has to show exceptional circumstances in

determining the infringement / preparation of PI application• Over 8 weeks usually no PI granted!

• ACT FAST!

Page 15: Litigation and Compliance in the Open Source Ecosystem

McHardy German Litigation I

• Patrick McHardy uses the same enforcement mechanism but is seeking personal monetary gain

• Estimate is that McHardy has approached at least 50 companies that have been hit (some companies multiple times).

• Wide variety of companies, including retailers, telcos, producers, importers

• Best estimate is that he has received significant damages• Wide range of products• physical products (offline distribution)• firmware updates downloadable from a website• Over The Air (OTA) updates

Page 16: Litigation and Compliance in the Open Source Ecosystem

McHardy German Litigation II

• Tactics against companies1. Address a (minor) violation and have a company sign a cease and desist with

contractual penalty.2. Address another (minor) violation and collect the contractual penalty. Sign a

new agreement with a higher penalty.3. Wait some time, then go back to 2

• Devices usually have multiple violations of GPLv2 and he only will address one issue at a time to collect the contractual penalty.

Page 17: Litigation and Compliance in the Open Source Ecosystem

McHardy German Litigation III

McHardy's claims largely focus on:• Lack of written offer • Lack of license text in product• Inadequate terms of written offer• Lack of complete corresponding source code in repositories• EULA conflicting with GPL obligations• Written offer must come from last company selling product• More exotic• Written offer should be in German• GPL warranty disclaimers are inadequate under German law

In the past, McHardy did not do a thorough technical analysis, like a rebuild of the source code, but he has started doing so.

Page 18: Litigation and Compliance in the Open Source Ecosystem

McHardy German Litigation IV

Two recent hearings, McHardy lost on procedural issues• Case one: court decided that application was not sufficiently “urgent”

for preliminary injunction procedure• Case two: judge found that McHardy’s affidavits were inconsistent and

McHardy’s lawyer was not prepared to defend it: McHardy withdrew case

Statement by presiding judge (not required and without precedential value but shows thinking): • If only a tiny bit of the programming works was contained in the litigious

product and if that tiny bit was capable of being copyright protected, the arguments of the defendant would not be sufficient to rebut the claim. This might indeed result in Linux not being tradable in Germany. The industry might have to look for other platforms where the chain of rights can be controlled more easily

Page 19: Litigation and Compliance in the Open Source Ecosystem

Solving the McHardy Problem and Copycats

• Focus on compliance of your products going into Germany• Understand the McHardy business model• Collaborate on claims and share information• DLA Piper: Developing “Defense in a box” • Working with past litigants to provide information• Facts about McHardy• Summary of McHardy claims• Summary of McHardy arguments• References• Possibility of including actual complaints and other filings but more challenging

Page 20: Litigation and Compliance in the Open Source Ecosystem

Hellwig v. VMware I

• VMware is alleged to be using arts of the Linux kernel in their proprietary ESXi product, including the entire SCSI mid-layer, USB support, radix tree and many, many device drivers.

• Linux is licensed under GNU GPLv2 with a modification by Linus Torvalds

• VMware has modified all the code they took from the Linux kernel and integrated them into something they call vmklinux.

• VMware has modified their proprietary virtualization OS kernel vmkernel with specific API/symbol to interact with vmklinux

• vmklinux and vmkernel interaction is uncertain

Page 21: Litigation and Compliance in the Open Source Ecosystem

Hellwig v. VMware II

The court did not decide • If vmklinux and vmkernel can be regarded as a uniform work and, if so, • If the use of Hellwig's code in the vmklinux + vmkernel entity qualifies as a

modification (requiring a license) or as free use.

Page 22: Litigation and Compliance in the Open Source Ecosystem

Hellwig v. VMware III

Court required that Hellwig prove the following: • which parts of the Linux program he claims to have modified, and in what

manner;• to what extent these modifications meet the criteria for adapter's copyright

pursuant to Copyright Act § 69c No. 2 clause 2 in conjunction with § 3; and• to what extent the Plaintiff pleads and where necessary proves that the

Defendant has in turn adopted (and possibly further modified) those adapted parts of the program that substantiate his claim to protection.

Hellwig failed to meet this standard. He has appealed.

Page 23: Litigation and Compliance in the Open Source Ecosystem

Hellwig v. VMware IV

Not sufficient as evidence according to the court:• Copyright notices in header files• Reference to git repository • Provision of source code and git blame files

Increased requirements for demonstrating an infringement:• Exact identification of own contributions• Conditions for copyright protection of those contributions fulfilled• Source code comparison of own contributions and the allegedly infringing code

It is not the job of the court to analyze the source code for elements that might originate from the plaintiff, and to judge to what extent those elements might be protectable.

Page 24: Litigation and Compliance in the Open Source Ecosystem

Linux at 25: Disputes on Compliance

Greg Kroah-Hartman • "I do [want companies to comply], but I don't ever think that suing them is the right way

to do it, given that we have been _very_ successful so far without having to do that”• “You value the GPL over Linux, and I value Linux over the GPL. You are willing to risk Linux

in order to try to validate the GPL in some manner. I am not willing to risk Linux for anything as foolish as that.”

Linus Torvalds• “Lawsuits destroy community. They destroy trust. They would destroy all the goodwill

we've built up over the years by being nice.”Bradley Kuhn (SFC)

• “You said that you "care more about Linux than the GPL". I would probably agree with that. But, I do care about software freedom generally much more than I care about Linux *or* the GPL. I care about Linux because it's the only kernel in the world that brings software freedom to lots of users.”

Page 25: Litigation and Compliance in the Open Source Ecosystem

Linux Foundation

•Who owns the contributions in the Linux kernel• Linux kernel analysis to determine the identity of contributors to Linux kernel,

software has been completed and analysis will be done this year• Next step: identifying copyright owners

• Encouraging statements by kernel.org on community norms for enforcement

• Training programs• Core Infrastructure Initiative “Badge Program” (focused on security but

includes governance issues)

Page 26: Litigation and Compliance in the Open Source Ecosystem

Summary for Software Distributors

• More compliance actions seem likely, particularly in Germany• Develop a FOSS use (and management) policy to ensure that you

understand your obligations and can comply with them (for an overview of FOSS and FOSS governance see https://www.blackducksoftware.com/resources/webinar/introduction-open-source-software-and-licensing)

• Ensure that your policy covers updates and security issues• Review your distribution agreements to ensure that they take into

account any terms imposed by FOSS in your product and modify those terms as appropriate

Page 27: Litigation and Compliance in the Open Source Ecosystem

• Largest law firm in the world with 4,200 lawyers in 31 countries and 77 offices throughout the Americas, Asia Pacific, Europe and the Middle East

• More than 145 DLA Piper lawyers in IP transactions

• Global Open Source Practice• More than 550 DLA Piper lawyers

ranked as leaders in their fields

Global platform

Page 28: Litigation and Compliance in the Open Source Ecosystem

OSS Practice

• Worldwide OSS practice group• US Practice led by two partners: Mark Radcliffe & Victoria Lee• Experience• Open sourcing Solaris operating system• FOSS foundations: • OpenStack Foundation• PrPL Foundation• OpenSocial• Open Source Initiative

• GPLv3 Drafting Committee Chair (Committee D)• Drafting Project Harmony agreements

Page 29: Litigation and Compliance in the Open Source Ecosystem

Contact Information

Mark F. RadcliffePartner2000 University Avenue, East Palo Alto, California, 94303-2214, United States T +1 650 833 2266 F +1 650 687 1222 E [email protected]

Mark Radcliffe concentrates in strategic intellectual property advice, private financing, corporate partnering, software licensing, Internet licensing, cloud computing and copyright and trademark.

He is the Chair of the Open Source Industry Group at the firm and has been advising on open source matters for over 15 years. For example, he assisted Sun Microsystems in open sourcing the Solaris operating system and drafting the CDDL. And he represents or has represented other large companies in their software licensing (and, in particular, open source matters) including eBay, Accenture, Adobe, Palm and Sony. He represents many software companies (including open source startups) including SugarCRM, DeviceVM, Revolution Analytics, Funambol and Reductive Labs for intellectual property matters. On a pro bono basis, he serves as outside General Counsel for the Open Source Initiative and on the Legal Committee of the Apache Software Foundation. He was the Chair of Committee C for the Free Software Foundation in reviewing GPLv3 and was the lead drafter for Project Harmony. And in 2012, he became outside general counsel of the Open Stack Foundation and drafted their certificate of incorporation and bylaws as well as advising them on open source matters.

Page 30: Litigation and Compliance in the Open Source Ecosystem

Contact Information

Bernd Siebers Rechtsanwalt | CounselDLA Piper UK LLP Maximilianstraße 2D-80539 München T +49 89 232372 133 M +49 173 529 75 67 E [email protected]

Bernd Siebers has longstanding experience in advising national and international businesses in technology related matters, both contentious and non-contentious. His practice focuses on technology related disputes with a focus on software and failed IT projects.

Bernd has particular experience in advising on Open Source Software compliance and in dealing with Open Source Software related disputes, both in court and out of court.

Bernd has distinct specialist skills in copyright protection of software and in drafting and negotiating technology sourcing agreements including software development and maintenance agreements, and software licensing agreements.

Page 31: Litigation and Compliance in the Open Source Ecosystem