The Open Source trials: hanging in the legal balance of copyright and copyleft

[Open source has been in the limelight for the last few years, but its legal implications have been in the dark. Research Partner Åse Stiller sheds some light into the legal precedents of open source, from Cisco to Skype]

For those meddling in open source software affairs, compliance with licenses is a very hot topic. In the last 2 years we have witnessed the licensing FUD (Fear, Uncertainty & Doubt) giving way to legal clarity with more and more relevant cases proving the acceptance of open source licenses by legal systems around  the world.

The secrets of Copyright
Open source software licenses are based on copyright law. The notion of copyright has a long history; some hundred years ago copying was hard to come by and a threat only to a few.  In contrast, in today’s digital world copyright is much more important as communications move around the world not in 80 days but in 8 seconds; and copying is as easy as pressing a button.

The story of international copyright starts with the Bern Convention in 1880, while the most prominent copyright law is probably the US Copyright Act from 1978. The Bern Convention was initiated by the French Author Victor Hugo in order to protect the rights of European writers against the illegal copying of books which was taking place on the other side of the Atlantic at that time.

In copyright law, the original creator has the exclusive right to reproduce a work by default, subject to certain conditions; firstly the work must reach a threshold of originality, and secondly if the work is created under commission, the person with the chequebook often becomes the copyright holder. The Fair Use doctrine also sets aside some good reasons to copy a work – for example for commenting, news reporting or research – without infringing on copyright.

Only the owner of a copyright can license or sell the right to copy the work to others, under terms and conditions of their choice. Violating these terms and conditions is in principle infringing on the copyright.

Copyright is also sticky. It will survive the creator by some 50-100 years depending on the application law at a country level. Once the copyright expires, the work enters the public domain and is no longer protected by copyright laws. Whilst open source software is by definition publicly available, this does not mean that it is freely available in the public domain as it is still under a license, be that a copyleft or copyright license.

Copyleft vs Copyright
Copyleft – one of the main innovations of open source licensing – is a word play on copyright. Copyright law is used by an author to prohibit others from reproducing, adapting, or distributing copies of the author’s work. In contrast, Copyleft allows an author to give out copies of a work with permission to reproduce, adapt or distribute, but requires any resulting copies or adaptations to also be bound by the same license agreement.

Copyleft is in reality enforced by copyright. which has been clearly demonstrated by a number of interesting legal disputes, e.g. in the New York District court case of BusyBox v. Westinghouse in July 2010 and by the US Court of Appeals for the Federal Circuit.in Aug 2008 in the Artistic License case of Jacobsen v. Katzer (more on this below).

Likewise the German and French courts have provided some good examples that they do accept copyleft licenses as valid and binding for anyone who chooses to make use of the work.

Open Source and Legal precedents
In researching the legal precedents for Open Source licenses we find that most open source license disputes are with regard to the GNU GPL v2, which was written in 1991 by the Free Software Foundation. It took more 10 years before the license was actually tried by any legal system, but since then there has been a number of highly relevant cases of open source license infringement, brought to court in Europe and in USA.

By the end of 2010 a long list of court cases have surfaced which test the validity and legality of open source licensing – the table provides a (partial) list:

Case	against	Year	Place	License	about	Ruling	Importance
MySQL	Progress Software	2002	District Court  Massachusetts	GPLv2	Trademarks	Settled 2002	GPL accepted by court
Harald  Welte	Dlink	2001	Frankfurt AM	GPLv2	GPL Binding?	ruled to Welte	using code = accepting GLP
	Fortinet UK Ltd	2005	Munich	GPLv2	compliance	ruled to Welte	Early test of GPL
	Gigabyte Technology Co. Ltd, TomTom	2004	-	GPLv2	compliance	Settled
	Iliad	2007	Munich	GPLv2	compliance	ruled to Welte	FSF France First case outside of Germany
	Sitecom	2004	District Court of Munich,	GPLv2	compliance	ruled to Welte	Fist case in Eur
	Skype	2008	District Court of Munich	GPLv2	Compliance/source code access	ruled to Welte	GPL must be followed strictly
SCO	AutoZone, Daimler Chrysler, IBM, RedHatIncl. countersuits	2003-2004	District Courts in  Utah, Delaware, Nevada,  Circuit Court Oakland	GPLv2	IP infringements Trade secrets contact breach	Settled, dismissed and referred to Novell case	Ownership over UNIX code in Linux
	Novell	2004	US Court of Appeal			ruled to Novel 2010
	SUSE Linux	2003	ICC International Court of Arbitration			ruled to SuSe
AFPA	Edu4	2009	Paris Court of Appeal	GPLv2	compliance	ruled to AFPA	Downstream rights
BusyBox	Astak Inc, BellMicroproducts, Best Buy, Comtrend, Dobbs-Stanford, Extreme Networks, GCI Technologies, High-Gain Antennas, Humax USA, JVC U, Monsoon, Phoebe Micro, Robert Bosch, Samsung Electronics US, Super Micro Computer, Verizon, Versa Technology, Western Digital Technologies, Xtrasys, ZyXEL Communications.	2007-2009	NY District Court	GPLv2	compliance	Settled/undisclosed still open (?)	Monsoon was the first case for  GPL in US
	Westinghouse Digital Electronics, LLC	2010				ruled to BusyBox	Damages awarded
FSF	Cisco	2008	NY District Court	GPLv2, LGPL 2 and 2.1	compliance	Settled	Compliance officer
Jacobsen	Katzer	2008	Federal US	The Artistic License	compliance	ruled to Jacobsen	Open source licenses are for real

The most typical violation of GNU GPL arises when consumer electronics vendors, or distributors of embedded devices using Linux (which is licensed under the GNU GPL v2.1), fail to supply the source code, copyright notice or to attach a copy of the license – all of which are required by the GPL license. It´s difficult to identify if this is caused by lack of knowledge, poor version control process, or disregard for compliance due to the perceived high cost for compliance procedures, paired with a low risk for detection.

Interestingly, in many cases, it’s not the copyright holder who sues, but a representative like Mr. Harald Welte in Germany or the Software Freedom Law center in USA.

The GPLviolations.org project, set-up in 2004 by Mr. Welte in Germany, is one such enforcer of the Open Source adherence. GPLviolations.org has brought more than 100 cases to court (including D-Link, Skype, TomTom, Motorola and Acer), all of which were successfully settled out of court. Additionally the GPLviolations and Harold Welte have won several victories in Europe over large companies such as Sitecom and Fortinet.

In the Sitecom case (2004) Welte identified his own source code in the binaries for Sitecom´s Network routers, which Welte had licensed under the GNU GPL v2.0 but Sitecom had not made the source code available or referenced the GNU GPL v2.0, both of which are a requirements of the License.  The District Court of Munich granted Welte an injunction against Sitecom Deutschland GmbH whereby Sitecom was prohibited to distribute the products, until they were compliant with the GPL terms. Sitecom appealed but lost and posted the terms for GPL on their Web FAQ for the router.

LikewiseFortinet Ltd UK was banned from distributing their Firewall and Antivirus products by the Munich district court in 2005, until they were in compliance with GPL. GPL-violations.org had found evidence that Fortinet used Linux kernel and other GPL licensed software in its FortiOS product. The Munich court granted a temporary injunction against the company for selling the products, and Fortinet was forced to make their OS available free. Fortinet had been warned by the GPLviolations.org about the violation but attempts to reach an out-of-court settlement failed.

The case of Skype
Similarly, Skype Technologies SA (a Luxemburg company) was accused of violating GPL in 2008 in the course of selling a Linux-based VoIP phone, through the Skype website. Harald Welte took Skype to a Munich court for failing to provide the source code and the license together with the phone. Skype claimed that a URL to where both license and code could be downloaded was provided in the documentation – however the German court found this insufficient under GPL v2. The license states that offering source code for downloading, is only applicable if and when the binaries are downloadable from the same place, which was not the case here. Skype Technologies eventually settled out of court.

D-Link
The2006 case of Welte vs D-Link GermanyGmbH, started much like any other open source legal dispute; D-Link failed to provide the source code for Linux Kernel modifications that were used in a network storage device, and failed to provide a copy of the GPL license. D-Link rectified this error but refused to cover the disbursements for Mr. Welte for the trial, claiming that the GPL license was not  binding for the company. The case then became more interesting as the focus thereby shifted from the usual GPL compliance to become a test of the binding mechanism for the license: Was using the software to be considered equivalent to accepting the terms in the license? The Frankfurt-am-Main’s District Court clarified that D-Link was indeed bound by the terms in GPL v2, solely by enjoying the benefits of the free software and therefore also must cover the lawsuit costs for the plaintiff, Mr. Welte.

Free Software Foundation; on the tail of license infringements
Free Software Foundation (FSF) is another non-for-profit organization that monitors GPL compliance. The FSF was founded in 1985 by Richard Stallman to promote free software, and has since set up regional entities in Europe (2001), India (2003) and Latin America (2005).

The organization is dedicated to promoting users’ rights to the four freedoms of Open Source: To Use, Study, Modify, and Redistribute software. The FSF sponsors the GNU project and maintains the GPL licenses as well as the Free Software Definition.

FSF’s is known to enforce GPL compliance through closed-door discussions rather than lawsuits, with the aim being compliance rather than monetary damages.

Aiding the FSF is the Software Freedom Law Center (SFLC), a US-based law firm founded in 2005 providing free legal services, to nonprofit open source developers. The SFLC has also published a guide on how to comply with GPL and advice on how to act if caught violating GPL.

Cisco – a case for the Supply chain manager
Assisted by The Software Freedom Law Center, the FSF initiated a case against Cisco for copyright violation under GPL and LGPL in 2008. Like many others, the case was settled out of court in 2009 resulting in a donation to the FSF, a pledge of commitment to the GPL and the appointment of a compliance director reporting to the FSF.

Cisco never disputed GPL as such but “bought themselves a lawsuit” through the acquisition of Linksys in 2003. Shortly after the acquisition, complaints started showing up on the Linux Kernel Mailing List and Slashdot on how Linksys was not providing source code for GPL licensed software used in the router firmware (Linksys had bought the chipset from Broadcom who in its turn had outsourced the driver development). FSF took action on behalf of several copyright holders against Linksys/Cisco and other companies using the same 802.11g router chipset from Broadcom, where the issue had originated.

BusyBox –  when no one is too big
Among the more interesting cases for general acceptance of Open Source licenses are the BusyBox cases which involved major corporations, including Verizon, Samsung and Westinghouse.

BusyBox is a set of common Unix/Linux utilities, all packaged in a small executable and typically used in embedded systems. The software is licensed under GNU GPL v2.

The BusyBox legal saga started with 4 different cases of copyright infringements, as a result of the distributors failing to provide source code. The first action was against Monsoon Multimedia which became the first GPL copyright lawsuit in US history. The case was settled in October 2007 with Monsoon agreeing to appoint an open-source compliance officer besides publishing the source code. There was also a monetary part of the settlement but the amount was never disclosed.

The Monsoon case was followed by High-Gain Antennas and Xterasys in 2007 and Verizon in 2008. Picking up speed and size, since 2009 14 new companies (including BestBuy, Samsung, Westinghouse, JVC) were sued by SFSC for violating the GPL license of BusyBox software.

Much like Monsson, Verizon settled in 2008 while it appears that four more defendants (Samsung, Comtrend, Dobbs-Stanford, and GCI Technologies) have also settled with the plaintiffs. The only exception was Westinghouse where a District Court in NY ruled in favor of BusyBox in August 2010. The infringement was considered willful and the damages were tripled by the judge.

MySQL, a near-test for open source derivatives
One of the reasons for uncertainty around Open source licenses and especially the GPL v2 is the often-discussed question about how to define derivative work, and how to link software to GPL-code without having to license that software under GPL too, a requirement of the GPL. This is often described as the ‘viral’ nature of the GPL and remains a core concern for many companies is the linking of proprietary software libraries to GPL licensed code.  It is generally accepted that if the linking is static then the proprietary code must also be included under the GPL license whereas if the linking is dynamic the linked software is not necessarily a derivative of the GPL and as such not bound to the GPL redistribution terms.

Now given that the definition of a derivative work in GPL v2 is unclear, this issue remains a concern, albeit slightly clarified in GPL v3.  For an analysis on the differences between GPL v2 and GPL v3, VisionMobile has published a free paper: The GPLv2 vs. GPLv3: The Two Seminal Licenses, Their Roots, Consequences and Repercussions.

In the context of derivative work and legal precedents, it is also worth discussing the case of NuSphere in 2002.  NuSphere produced a database add-on component (called Gemini) to the MySQL engine. As NuSphere’s Gemini component was statically linked with MySQL’s GPL-licensed database, MySQL sued NuSphere for non-compliance with the license terms. The judge however refused to allow the arguments in the case to expand beyond a mere trademark dispute and urged for an out-of-court settlement between the parties, leaving the definition of derivative work still in the dark and unclarified. 

The Jacobsen case and the Artistic license
The now-famous Jacobsen vs Katzer case revolves around a Java software interface for model railroads, made available under the Artistic License (an approved Open Source license) by the developer Mr. Robert Jacobsen. The software was used by Mr Katzer´s company, in a competing solution, but they failed to provide information about the origin of the software – in violation of the licensing terms. The case was first tried in a US District court and the ruling then was that the license was to be regarded as a contract – not a license.

However the case was appealed in 2008 to the US federal court, when the judgment was reversed in favor of the Artistic License and Mr Jacobsen, thereby providing a legal precedent for Open Source licenses as valid and legally binding.

The SCO Group opera isn’t over yet
This is a story about copyright of Linux code, featuring celebrities such as IBM, Novel, RedHat and SGI. In 2003, the SCO Group based in Utah, claimed that Linux infringed their copyright and trade secrets, and subsequently demanded that Linux users needed a license from them, for parts of the Linux code.

The SCO Group sued a number of companies for donating UNIX code to Linux. The software donations included code that SCO claimed ownership of and thus the accused companies had violated SCO´s copyright. SCO also argued that GPL would not be enforceable in this case because it was preempted by the copyright law, protecting SCOs rights. (see detailed story on Groklaw).

The SCO soap opera of legal precedents has no less than five acts: SCO v. IBM, Red Hat v. SCO, SCO v. Novell, SCO v. DaimlerChrysler and SCO v. AutoZone. It includes ingredients like lawsuits, countersuits, appeals and bankruptcy protection. In 2007 a US federal court ruled Novel to be the owner of UNIX, invalidating the claims from SCO but there is a new appeal from SCO, and a Novel has filed a petition for certiorari* with the US Supreme Court. Meanwhile the final episode in this saga is yet to come.

Edu4 and downstream rights
In 2009 Paris Court of Appeals set a French legal precedent in favour of GPL, in a typical case of binaries but no source. In this case the lawsuit was not filed by the copyright owner, but by the end-user, which makes it all the more noteworthy.

The story goes all the way back to 2000, when Edu4 had distributed a GPL licensed VNC remote access software, for PCs, to a French education organization (AFPA),but refused to provide the source code for its modified version of the program when AFPA, assisted by the French FSF, requested that.

Open source licensing gaining legal maturity
The number of law suits, rulings and discussions above indicate that Open Source licenses are indeed enforceable under Copyright law, and that the enforcers will not hesitate to take large corporations to court for violations. Giving software away for no monetary charge does not invalidate copyright, and damages will be awarded for infringements even though the price for the code was zero.

There is no longer a need to question the legality of Open source licenses.There are enough legal precedents demonstrating that Open source licenses are valid legal documents and binding for anyone who uses the code.

Knowing that the Open Source licenses are in fact tested, tried and fully accepted by the legal system may deal with the U (uncertainty) and the D (doubt) in FUD, but for the remaining F (fear) the best remedy is information. The only good way to mitigate the risk of infringements is to ensure that everybody involved in the development process, has a good understanding of the obligations and restrictions of Open Source licenses, and that the an organisation’s Open Source policy is appropriate – assuming of course that there is one.  Many engineers already know a lot about Open Source software and the licensing models, but do their managers know?

Keeping track of Open Source software that maybe included in the next software release is crucial for any company, and the best way to start is of course with a thorough review of existing codebase, establishing a solid process and of course a comprehensive training program for developers to CxOs.

There is obviously much to discuss besides the narrow focus of this article on court cases. Do you have more examples and experiences to share on open source licensing?

- Ase

* The U.S. Supreme Court uses the Latin term Certiorari for appeals.

[Åse is a Research Partner at VisionMobile specializing in software sourcing, policies and training. Åse co-delivers VisionMobile’s Open Source Chessboard, a full-day training course on the economics and competitive landscape of mobile open source, covering business models, licenses & patents, governance models, control points, community cultures, plus 10+ case studies on the who's who of open source.]

•