October 4, 2004

What to do if you're involved in code-dispute litigation

Author: Jem Matzan and Chris Preimesberger

What do we in the free software community do when faced with allegations of code theft? On the other hand, what do you as a businessman or developer do if you suspect free software developers have stolen your proprietary code? These two questions are coming up more often nowadays, both as genuine issues and as weapons used by failing proprietary software firms. We asked several industry experts for their opinions on these issues.

The SCO Group brought the issue to everyone's attention last year by suing IBM for $5 billion for alleged copyright infringement; others are now beginning to pick up the torch of litigium.

We at NewsForge believe that this is only the beginning; there will be many more people and companies trying to take advantage before the proprietary fringe market dies off.

In the interest of the public good, we have put together some suggestions -- or "ground rules," if you will -- to reference next time you find yourself on either side of a code-theft situation.

What to do if you think you've been violated

If you think someone in the free software community is using your code inappropriately, what do you do? John Weathersby of the Open Source Software Institute says, "I would recommend taking a very common-sense approach. Since you should be able to gain access to a free software package's code, start by requesting a copy of the program code and compare it to your code. If the code is identical, or shares unique characteristics so that you can prove one belongs to you, then contact the appropriate person managing the free software program and let them know there is a possible dispute."

The "appropriate person" in question should be the project leader, or in his absence, one of the committers or lead developers. Visit the project's Web site and look through the list of contributors or developers.

For free software projects, make sure that you have reliable contact information clearly listed on your project site, including your name, appropriate phone number, and email address.

What you should not do is post "open letters," send out press releases, or troll message forums and blog comment sections on the matter, Weathersby said. "I am a strong advocate of trying to work out disputes amicably. This requires that all parties work together in good faith. It is rare that you should launch into a situation with all barrels blazing or with the mindset that you're exactly right and they are exactly wrong ... that leaves little room for dialog or negotiations."

What to do if you are accused of being a violator

When you're on the receiving end of a code theft allegation, the best plan of action is to stay calm and compare code. "My advice is to listen to each allegation, weigh its merits, and respond to each issue or dispute thoroughly, calmly, and pragmatically," Weathersby said. "And document every step. Most of the disputes come down to the true ancestry or provenance of the code. Good documentation can put a definitive end to wayward claims of authenticity and patronage."

Dan Ravicher, founding attorney with Open Source Risk Management, agreed. "The right behavior for any particular person depends on their objectives and their means," he said. "Generally, it isn't advisable to go off half-cocked and make public accusations without having first fully investigated the matter. Doing this can subject the accuser to severe liability on his own part.

"However, at the same time, it is rarely the case that doing nothing is the right answer either, because that can result in a waiver of rights. Perhaps the only thing that one should NOT do when one believe one's rights are being maligned by another is NOT seek competent legal assistance."

If you're accused of improperly distributing proprietary code in your free software project and the code in question cannot be easily rewritten, then it's time to review that code and question the developer who contributed it.

"To deal with that problem," Ravicher said, "free software should diligently review the sources of all code adopted into the program and require all contributors to put in writing that they haven't taken anyone else's code and, if appropriate, their employer waives any rights that they may have to the contributor's code. As you may know, if an employee writes code for a company, the company may actually own the code and the employee may have no right to license it to the free software project. This type of provenance procedure is something FSF has done for years and something Linus Torvalds has recently adopted for the Linux kernel."

Prevention, the best medicine

If you run a sloppy project, you're asking for trouble. If you don't know who contributed each piece of code, how to contact them, and when the code was contributed, then you are not properly documenting your work. In addition to having a written agreement with your contributors, you'll also want to form a committee to deal with potential infringement claims. Lastly, you should try to consolidate ownership of the entire code base for the project.

"The stewards of the free software project should establish a system for monitoring, or at least receiving and investigating reports of, potential infringement," Ravicher said. "They should also adopt procedures to obtain ownership of all the code in the free software program. This is something FSF has also done for years, because it is helpful to have one owner of all the copyrights in the code, instead of several owners of different portions of the program, because it consolidates all the interests into one party who can more effectively manage and assert them."

Also very important is registering the copyrights in the code before or very soon after it is released, Ravicher said. This is required in order to sue another party for infringement. It also provides statutory damages -- a fixed amount prescribed by the statute -- and attorney's fees as potential remedies, instead of just actual damages. (Actual damages are the actual amount of economic harm suffered by the copyright holder from the infringement, which is often much less than the statutory damages and much harder to prove.)

Finally, "having set procedures for dealing with reports of potential infringement can reduce the burden of dealing with such issues when they arise," Ravicher said.

We also asked Peter Lamont, CEO of Australia-based Miro International and a corporate supporter of the open-source Mambo project, what his suggestions were to keep open source projects free of proprietary code.

"Developing a policy, obtaining copyright assignment, and introducing terms and conditions are all steps in the right direction to ensuring that the code contributed is the author's own work and is free from encumbrances," Lamont said. "Miro has introduced copyright assignment in Mambo to ensure that the code does not infringe anyone's rights and is an entire singular copyright work."

In the event that some proprietary code is required for an impending release, it may be important to find every person ever connected with it and talk to them each personally -- and not simply rely on one person representing ownership of the code.

"Companies, especially larger ones, can't take any chances with using outside code," said Steve Mutkowski, an open source intellectual property attorney with Microsoft. "We've had to do this ourselves many times: We researched every person that was ever connected with an application that we were considering using and obtained sworn statements from each one as to what their contribution was. It can take weeks or months. When we couldn't verify each person, we had to find something else or consider scrapping the project. It's just not worth it to ship something -- especially in a major release, like Office -- that might come back at you with heavy duty litigation at some future date."

Special case situations

Theoretically, all code theft disputes can be settled by talking and resolved by backing out a few patches or rewriting some code. Often, however, there are gray areas, such as with licensing, copyright attribution, and derivative code. In many cases, the amount of code in question is very small and can be easily recoded to satisfy both parties. When you're dealing with legal issues and initial attempts at a simple and mutually agreeable resolution have failed, your best bet is to hire a lawyer.

"Whether it is proprietary code found in a free software program or, vice versa, free software code found in a proprietary software program, the issues are virtually identical," Ravicher said. "In both cases, a potentially copyrighted work (the code) is being used (or copied, modified, and/or distributed) by some third party in a way that the owner of the copyrighted code has not authorized. While it is true that the copyright owner has offered licenses to use the code under certain terms, the use made of the code by the third party is not in compliance with the terms of the offered license.

"This may, and I stress may, mean that the third party is infringing the copyrights held on the code, but it does not necessarily mean that is the case, since there are many issues that go into determining whether infringement has actually occurred. Just for an example, one can infringe copyrights without literally copying any of the copyrighted source or object code. However, it is also possible to not be infringing any copyrights, even if one has literally copied source or object code distributed by another. The point of saying this is that
there isn't a bright line test for copyright infringement," Ravicher said.

"I'd also note a very stark difference between code theft and copyright infringement," Ravicher said. "The former connotes an intentional act of taking from another with malicious intent. That's a very serious charge to
make against another, and one should be darn sure to have evidence to support such a claim before making it. Copyright infringement is a much broader category of behavior that can include actors who had entirely good-faith intentions to respect the rights of another, despite in the end not succeeding in that aim."

Lamont added a firsthand perspective. "The Internet has enabled global participation in software projects, and as such introduced the problem of very different laws in different countries regarding copyright and intellectual property," he said. "In Miro's case, where we are alerted to misuse of our copyright products, we first send a company letter stating our case (whatever it may be at the time). If the result is not satisfactory, we refer the matter to our lawyers, who partner with a law firm in that country to take steps appropriate to that country's laws."

What if you can't afford a lawyer? "People should not assume hiring a lawyer is cost-prohibitive, as many lawyers are willing to consider representation of free software clients either pro bono, on contingency, or at a reduced rate," Ravicher told NewsForge.

Follow the leader: The FSF sets good examples

When the Free Software Foundation experiences issues like these, it handles them in a quiet, professional manner; rarely does it have to go to court, Ravicher said.

"There is no one-size-fits-all solution to dealing with third parties who may be infringing your copyrights," Ravicher said. "For many people, the Free Software Foundation's procedures for handling GPL compliance matters can be a shining example of both successful resolution of such issues and successful promulgation of free software adoption."

To learn more about what FSF does, one can read articles by Eben Moglen, general counsel of FSF, regarding enforcement of the GPL (Part I and Part II), or attend an FSF seminar offered from time to time that gives an in-depth discussion of FSF's GPL Compliance procedures. The process involves registering copyrights, approaching potential infringers in a respectful and discreet manner, and being reasonable and respectful in negotiating compliance, he said.

Balance and integrity: Making money ethically

The most-avoided question we asked our panel of experts was: "How do we balance open source software development with the desire to profit from software?"

Weathersby said, "That is what we're all trying to figure out. Open source software is only part of the total equation. The other part of the equation is your ability to combine, manage and service the program or solution you offer. From a business perspective, open source also demands a competitive economic landscape. Since we're all building with the same pile of blocks, you and I have access to the same basic resources. Your value add is how you put it together, manage it, and especially how you treat your customers."

Miro International paid a lot of money to redesign and recode the Mambo open-source CMS project, and then the company recoded it further to use as a commercial product. The commercial product shares no code with the open source project, a distinction which is necessary to maintain compliance with the licensing that both software packages are under.

"The only benefits Miro gets [by its support of Mambo] are by its association with the Mambo open source project," Lamont said. "Typically this is in the footer of many of the templates and in the header of the Mambo system files. There is usually no confusion about our commercial edition of Mambo CMS and the free Mambo OS, as we carry stories about the differences on both www.miro.com.au and www.mamboserver.com; however, some people opt to have their clients use our commercial version to take advantage of the commercial support we offer. This is the other benefit by association."

Ravicher had some advice on staying out of trouble with the GNU GPL. "In order to not violate the GPL, one either needs to not create a (proprietary and distributed) derivative work of GPL'd software (because doing so without permission of the copyright owner constitutes copyright infringement), or only create independent and separate works (because that is permissible under copyright law without the permission of the copyright holder in the original work). The line between derivative and independent is not clear. For a discussion of that issue, see my article on the subject."

Some people question what constitutes "redistribution" of GPLed software. Certainly you can make whatever proprietary modifications you want to, but you are not allowed to redistribute free software under a different license.

So what is redistribution, in the legal sense? "Redistribution of a copyrighted work is distribution of the work by one to whom it was distributed. Distribution of a work is any transfer (whether for fee or not, or for commercial or non-commercial purposes) of the work from one person to another, with the understanding that corporations are considered persons," Ravicher said.

If you have GPL code and are using it privately, do you have any recourse if someone else creates a derivative work from it and distributes it?

Open Source Initiative attorney Larry Rosen, author of the new book "Open Source Licensing: Software Freedom and Intellectual Property Law," said he "could not imagine any court issuing a judgment against any user of software released under the GPL, as long as the user abides by the rules of the license.

"By definition, all software released under the GPL means that one can assume the work may be copied, distributed, or otherwise modified by any other user," Rosen said. "The creator can't 'GPL' something and then turn around and say, 'I really didn't intend this to be used any other way.' That makes no sense."

Rosen pointed out the five main principles for designating an open source release under the GPL:

  • The software may have unlimited usage.
  • The user may copy and distribute copies -- as many as desired.
  • The user may create derivative works on top of the source code.
  • The source code itself can be reused for derivative work.
  • The user has the right to combine the open source code with other (proprietary) software to create other derivative works.

Stanford University law professor and Creative Commons chairman Lawrence Lessig, asked what steps a person should take if he or she thinks proprietary code is being used in a free software program or project, replied: "It's very easy to know -- just look. The other way is not easy to know -- impossible for a free software project to know whether its code has been stolen."

What someone should not do when they suspect code misuse is "accuse," Lessig wrote in an email to NewsForge. "Ask first," he said. Lessig also said that "the FSF has begun a process of code authentication. It needs to be generalized."

Final advice and summary

So to sum it all up:

  • Provide contact information for your project's leadership or designated liaison for code theft or copyright infringement issues.
  • Maintain proper documentation for all contributors and their contributions.
  • Assign copyright ownership immediately, preferably all to one person or entity.
  • If you suspect code theft or copyright infringement, stay calm and be mature and professional. Have respect for the other party. Do not publish public statements or threats.
  • Assume nothing until the code is examined and compared.
  • Try to work out the dispute in a reasonable manner.
  • If the other party refuses to negotiate, or if legal matters arise, it's time to get a lawyer.
  • Don't try to create proprietary derivative works of free software projects and expect to maintain the sole copyright.

If you follow all of this advice, you will have a greater chance of avoiding public arguments and legal battles.

There are some good online resources available. Creative Commons, a two-year-old nonprofit whose board of directors is chaired by Lessig, has as its goal "to build a layer of reasonable, flexible copyright in the face of increasingly restrictive default rules." Its Web site offers online versions of the GNU GPL, the GNU LGPL, and an application for the Founder's Copyright.

The U.S. Copyright Office has its own Web site with information on copyrighting computer applications. If you want to copyright your own code with the U.S. Copyright Office, you'll need to fill out Form TX and pay a $30 non-refundable filing fee.

One of the most valuable things we learned came from Weathersby. "We, as a community, need to establish a model and venue in which to address these issues," he said. "This entity would serve as an arbitration board, with legal, technological, and mediation experts with binding arbitration powers." Who will step forward to assume this responsibility?

Jem Matzan is the author of three books, a freelance journalist and the editor-in-chief of The Jem Report. Chris Preimesberger is editorial director of IT Manager's Journal and an editor/writer for NewsForge.
