Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Litigation and Compliance in the Open Source Ecosystem

2,674 views

Published on

Presented by Mark Radcliffe on October 12, 2016

This webinar examined the implications of recent developments in open source compliance and litigation. It touched on a series of Linux-related cases and stepped up compliance activity in Germany, in addition to current patent suits against Apache projects. The new litigation was discussed in the context of prior similar cases such as the Versata-Ameriprise case. Additionally, the webinar provided an overview of compliance best practices and how to reduce the risk of open source compliance and litigation.

Published in: Law
  • Be the first to comment

Litigation and Compliance in the Open Source Ecosystem

  1. 1. Litigation and Compliance in the Open Source Ecosystem
  2. 2. Speakers MARK RADCLIFFE Partner, DLA Piper BERND SIEBERS Counsel, DLA Piper PHIL ODENCE VP & General Manager, Black Duck Software
  3. 3. OSS Often Enters a Code Base Unchecked, Resulting In Risks Code Base Commercial 3rd Party Code Purchasing • Licensing? • Security? • Quality? • Support? Open Source OPERATIONAL RISK Which versions of code are being used, and how old are they LEGAL RISK Which licenses are used and do they match anticipated use of the code SECURITY RISK Which components have vulnerabilities and what are they Management visibility…not!
  4. 4. Black Duck’s Experience Analyzing Code • Audits on average find 33% open source • 99% of code audits find open source • 95% of audits find unknown open source • 75% of audits contain unknown licenses • 67% of code contains vulnerable components • 50% of code audits contain GPL
  5. 5. FOSS Compliance: New Players • Traditional FOSS Enforcement: Focus on Compliance • Software Freedom Law Center • Software Freedom Conservancy (“SFC”) • gplviolations • Shift to Commercial Licensors • Continuent v. Tekelec (GPL) • Versata Series of Cases • New Enforcers • McHardy, copyright troll • Fligor: looking for clients • Major Difference in Goals • Shift from compliance to revenue • Focus on injunctive relief • Expansion of Traditional FOSS Enforcement • SFC assists in VMware litigation
  6. 6. Existing Compliance Issues • VMware litigation (SFC) • McHardy litigation • First copyright troll • Versata: focus on hybrid product licensing • Will terminated licensees regularly raise the defense of “integration” with GPLv2 licensed code? • Will warranty claims against licensors arise from poorly drafted licenses become common?
  7. 7. Netfilter Project Suspends McHardy The netfilter project regrets to have to suspend its core team member Patrick McHardy from the core team. This is a grave step, definitely the first in the projects history, and it is not one we take lightly. Over many months, severe allegations have been brought forward against the style of his license enforcement activities on parts of the netfilter software he wrote. With respect to privacy, we will not publicly disclose the content of those allegations. Despite many attempts by us to reach him, Patrick has been unable or unwilling to comment on those allegations or defend against the allegations. The netfilter project does not have first-hand evidence. But given the consistent allegations from various trusted sources, and in the absence of any response from Patrick, we feel it is necessary to suspend him until further notice. We'd like to stress that we do not take any sides, and did not "convict" Patrick of anything. He continues to be welcome in the project as soon as he is be able to address the allegations and/or co-sign the "principles" [1] in terms of any future enforcement activities.
  8. 8. SFC Criticizes GPL Monetizers These “GPL monetizers”, who trace their roots to nefarious business models that seek to catch users in minor violations in order to sell an alternative proprietary license, stand in stark contrast to the work that Conservancy, FSF and gpl-violations.org have done for years. Most notably, a Linux developer named Patrick McHardy continues ongoing GPL enforcement actions but has not endorsed the community Principles. When Patrick began his efforts, Conservancy immediately reached out to him. After a promising initial discussion (even contemplating partnership and Patrick joining our coalition) in mid-2014, Patrick ceased answering our emails and text messages, and never cooperated with us. Conservancy has had no contact with Patrick nor his attorney since, other than a somewhat cryptic and off-topic response we received over a year ago. In the last two years, we've heard repeated rumors about Patrick's enforcement activity, as well as some reliable claims by GPL violators that Patrick failed to follow the Principles. In one of the many attempts we made to contact Patrick, we urged him to join us in co-drafting the Principles, and then invited him to endorse them after their publication. Neither communication received a response. We informed him that we felt the need to make this public statement, and gave him almost three months to respond. He still has not responded. Patrick's enforcement occurs primarily in Germany. We know well the difficulties of working transparently in that particular legal system, but both gpl-violations.org and Conservancy have done transparent enforcement in that jurisdiction and others. Yet, Patrick's actions are not transparent. In private and semi-private communications, many have criticized Patrick for his enforcement actions. Patrick McHardy has also been suspended from work on the Netfilter core team. While the Netfilter team itself publicly endorsed Conservancy's principles of enforcement, Patrick has not. Conservancy agrees that Patrick's apparent refusal to endorse the Principles leaves suspicion and concern, since the Principles have been endorsed by so many other Linux copyright holders, including Conservancy.
  9. 9. New Compliance Issues • Harald Welte announcement of an OSS Compliance Company, aggregating developers • Welte: ran gpl violations • Geographic focus not limited to Germany, but could include France and Spain • David Fligor/Progressive LLP: Troll lawyer searching for a project, so far no cases filed • Sound View Innovations: new ASF software patent troll based on Alcatel-Lucent patents • Sound View has sued Facebook • Sound View has sued LinkedIn • Sound View has sued Twitter
  10. 10. German FOSS Enforcement • Community Enforcers • Harald Welte/gpl-violations.org (Linux kernel, iptables) • Returning to compliance based on Barcelona FSFE Conference • Thomas Gleixner (Linux kernel code used in U-Boot) • XviD project • Christoph Hellwig (Linux kernel, this is the VMware case) • Other • Patrick McHardy (Linux kernel, iptables, iproute2)
  11. 11. Community Enforcement • Most cases are settled before they go to court. The agreement for a “declaration to cease and desist" in Germany has to contain a clause about a contractual penalty for a future infringement: if the defendant is caught violating GPLv2 again, then the defendant has to pay the penalty. • Harald Welte (gpl-violations.org) has used these penalties for donations to charities like Chaos Computer Club, Wau Holland Stiftung, Free Software Foundation Europe, etc. because his focus was on process change, compliance and community norms. • gpl-violations.org worked very closely together with Free Software Foundation Europe to get companies to talk about their problems and let them participate in the global discussion about open source compliance and other legal issues.
  12. 12. German Court Procedure - Outline I. Preliminary Injunction Proceedings 1. General 2. Requirements 3. Standard of Proof 4. Possible Remedies 5. Procedural Aspects 6. Enforcement II. Proceedings on the Merits 1. Overview 2. Remedies III. Pre-Litigation Strategies 1. Offense Position 2. Defense Position
  13. 13. German Court Procedure – Preliminary Injunction Proceedings 1. General • Objective: Stop infringement as soon as possible • Often most dangerous threat to infringer, since immediately enforceable (appeal has no suspensory effect!) • "General" time line: • Granted within hours (e.g. re trade fairs), 1-2 days (if ex parte), 2-6 weeks (with oral hearing); • Appeal hearing 2-4 months after decision in first instance
  14. 14. German Court Procedure – Preliminary Injunction Proceedings 2. Requirements • Generally courts issue in cases where • Infringement is very likely • No undue delay in filing an application for PI ("Urgency Requirement") • Plaintiff has to file the application for PI without undue delay • Up to 4 weeks usually not problematic • Up to 8 weeks usually problematic; IP owner has to show exceptional circumstances in determining the infringement / preparation of PI application • Over 8 weeks usually no PI granted! • ACT FAST!
  15. 15. McHardy German Litigation I • Patrick McHardy uses the same enforcement mechanism but is seeking personal monetary gain • Estimate is that McHardy has approached at least 50 companies that have been hit (some companies multiple times). • Wide variety of companies, including retailers, telcos, producers, importers • Best estimate is that he has received significant damages • Wide range of products • physical products (offline distribution) • firmware updates downloadable from a website • Over The Air (OTA) updates
  16. 16. McHardy German Litigation II • Tactics against companies 1. Address a (minor) violation and have a company sign a cease and desist with contractual penalty. 2. Address another (minor) violation and collect the contractual penalty. Sign a new agreement with a higher penalty. 3. Wait some time, then go back to 2 • Devices usually have multiple violations of GPLv2 and he only will address one issue at a time to collect the contractual penalty.
  17. 17. McHardy German Litigation III McHardy's claims largely focus on: • Lack of written offer • Lack of license text in product • Inadequate terms of written offer • Lack of complete corresponding source code in repositories • EULA conflicting with GPL obligations • Written offer must come from last company selling product • More exotic • Written offer should be in German • GPL warranty disclaimers are inadequate under German law In the past, McHardy did not do a thorough technical analysis, like a rebuild of the source code, but he has started doing so.
  18. 18. McHardy German Litigation IV Two recent hearings, McHardy lost on procedural issues • Case one: court decided that application was not sufficiently “urgent” for preliminary injunction procedure • Case two: judge found that McHardy’s affidavits were inconsistent and McHardy’s lawyer was not prepared to defend it: McHardy withdrew case Statement by presiding judge (not required and without precedential value but shows thinking): • If only a tiny bit of the programming works was contained in the litigious product and if that tiny bit was capable of being copyright protected, the arguments of the defendant would not be sufficient to rebut the claim. This might indeed result in Linux not being tradable in Germany. The industry might have to look for other platforms where the chain of rights can be controlled more easily
  19. 19. Solving the McHardy Problem and Copycats • Focus on compliance of your products going into Germany • Understand the McHardy business model • Collaborate on claims and share information • DLA Piper: Developing “Defense in a box” • Working with past litigants to provide information • Facts about McHardy • Summary of McHardy claims • Summary of McHardy arguments • References • Possibility of including actual complaints and other filings but more challenging
  20. 20. Hellwig v. VMware I • VMware is alleged to be using arts of the Linux kernel in their proprietary ESXi product, including the entire SCSI mid-layer, USB support, radix tree and many, many device drivers. • Linux is licensed under GNU GPLv2 with a modification by Linus Torvalds • VMware has modified all the code they took from the Linux kernel and integrated them into something they call vmklinux. • VMware has modified their proprietary virtualization OS kernel vmkernel with specific API/symbol to interact with vmklinux • vmklinux and vmkernel interaction is uncertain
  21. 21. Hellwig v. VMware II The court did not decide • If vmklinux and vmkernel can be regarded as a uniform work and, if so, • If the use of Hellwig's code in the vmklinux + vmkernel entity qualifies as a modification (requiring a license) or as free use.
  22. 22. Hellwig v. VMware III Court required that Hellwig prove the following: • which parts of the Linux program he claims to have modified, and in what manner; • to what extent these modifications meet the criteria for adapter's copyright pursuant to Copyright Act § 69c No. 2 clause 2 in conjunction with § 3; and • to what extent the Plaintiff pleads and where necessary proves that the Defendant has in turn adopted (and possibly further modified) those adapted parts of the program that substantiate his claim to protection. Hellwig failed to meet this standard. He has appealed.
  23. 23. Hellwig v. VMware IV Not sufficient as evidence according to the court: • Copyright notices in header files • Reference to git repository • Provision of source code and git blame files Increased requirements for demonstrating an infringement: • Exact identification of own contributions • Conditions for copyright protection of those contributions fulfilled • Source code comparison of own contributions and the allegedly infringing code It is not the job of the court to analyze the source code for elements that might originate from the plaintiff, and to judge to what extent those elements might be protectable.
  24. 24. Linux at 25: Disputes on Compliance Greg Kroah-Hartman • "I do [want companies to comply], but I don't ever think that suing them is the right way to do it, given that we have been _very_ successful so far without having to do that” • “You value the GPL over Linux, and I value Linux over the GPL. You are willing to risk Linux in order to try to validate the GPL in some manner. I am not willing to risk Linux for anything as foolish as that.” Linus Torvalds • “Lawsuits destroy community. They destroy trust. They would destroy all the goodwill we've built up over the years by being nice.” Bradley Kuhn (SFC) • “You said that you "care more about Linux than the GPL". I would probably agree with that. But, I do care about software freedom generally much more than I care about Linux *or* the GPL. I care about Linux because it's the only kernel in the world that brings software freedom to lots of users.”
  25. 25. Linux Foundation • Who owns the contributions in the Linux kernel • Linux kernel analysis to determine the identity of contributors to Linux kernel, software has been completed and analysis will be done this year • Next step: identifying copyright owners • Encouraging statements by kernel.org on community norms for enforcement • Training programs • Core Infrastructure Initiative “Badge Program” (focused on security but includes governance issues)
  26. 26. Summary for Software Distributors • More compliance actions seem likely, particularly in Germany • Develop a FOSS use (and management) policy to ensure that you understand your obligations and can comply with them (for an overview of FOSS and FOSS governance see https://www.blackducksoftware.com/resources/webinar/introduction-open-source- software-and-licensing) • Ensure that your policy covers updates and security issues • Review your distribution agreements to ensure that they take into account any terms imposed by FOSS in your product and modify those terms as appropriate
  27. 27. • Largest law firm in the world with 4,200 lawyers in 31 countries and 77 offices throughout the Americas, Asia Pacific, Europe and the Middle East • More than 145 DLA Piper lawyers in IP transactions • Global Open Source Practice • More than 550 DLA Piper lawyers ranked as leaders in their fields Global platform
  28. 28. OSS Practice • Worldwide OSS practice group • US Practice led by two partners: Mark Radcliffe & Victoria Lee • Experience • Open sourcing Solaris operating system • FOSS foundations: • OpenStack Foundation • PrPL Foundation • OpenSocial • Open Source Initiative • GPLv3 Drafting Committee Chair (Committee D) • Drafting Project Harmony agreements
  29. 29. Contact Information Mark F. Radcliffe Partner 2000 University Avenue, East Palo Alto, California, 94303-2214, United States T +1 650 833 2266 F +1 650 687 1222 E mark.radcliffe@dlapiper.com Mark Radcliffe concentrates in strategic intellectual property advice, private financing, corporate partnering, software licensing, Internet licensing, cloud computing and copyright and trademark. He is the Chair of the Open Source Industry Group at the firm and has been advising on open source matters for over 15 years. For example, he assisted Sun Microsystems in open sourcing the Solaris operating system and drafting the CDDL. And he represents or has represented other large companies in their software licensing (and, in particular, open source matters) including eBay, Accenture, Adobe, Palm and Sony. He represents many software companies (including open source startups) including SugarCRM, DeviceVM, Revolution Analytics, Funambol and Reductive Labs for intellectual property matters. On a pro bono basis, he serves as outside General Counsel for the Open Source Initiative and on the Legal Committee of the Apache Software Foundation. He was the Chair of Committee C for the Free Software Foundation in reviewing GPLv3 and was the lead drafter for Project Harmony. And in 2012, he became outside general counsel of the Open Stack Foundation and drafted their certificate of incorporation and bylaws as well as advising them on open source matters.
  30. 30. Contact Information Bernd Siebers Rechtsanwalt | Counsel DLA Piper UK LLP Maximilianstraße 2 D-80539 München T +49 89 232372 133 M +49 173 529 75 67 E bernd.siebers@dlapiper.com Bernd Siebers has longstanding experience in advising national and international businesses in technology related matters, both contentious and non-contentious. His practice focuses on technology related disputes with a focus on software and failed IT projects. Bernd has particular experience in advising on Open Source Software compliance and in dealing with Open Source Software related disputes, both in court and out of court. Bernd has distinct specialist skills in copyright protection of software and in drafting and negotiating technology sourcing agreements including software development and maintenance agreements, and software licensing agreements.

×