Open source licensing violations can spell trouble
Up to 80% of more than 1 200 commercial software codebases scrutinised by the Black Duck Audit Services team at Synopsys last year contained open source components with licence issues.
Of those, 68% contained components with licence conflicts; 38% contained components that were `not licensed’; and 32% contained custom licences that `had the potential to cause conflict or needed legal review’.
That’s according to the 2019 Open Source Security and Risk Analysis (OSSRA) report published recently by Synopsis. The report is based on analysis of data from the Synopsys’ four Cybersecurity Research Centres.
While many open source users – from individuals to enterprises to developers – think of open source software (and its components) as `free’, the fact is that use of most open source software requires you to have a licence. This licence allows the source code to be used, modified or shared in terms of a defined set of conditions.
Keeping track of open source licences can be difficult. The report notes that the Software Package Data Exchange lists around 350 licence types, while the Black Duck KnowledgeBase lists over 2 500 licences associated with software with source code that is freely available on the Internet. On the other hand, the Open Source Initiative (OSI) lists 82 OSI-approved licences, of which eight are regarded as `popular, widely used, or having strong communities’.
Risk of being sued
Not complying with the licence of the software being used can result in all kinds of problems, not least of which is the risk of being sued. And the consequences of being sued are more than monetary – there can be a negative impact on corporate reputation, and a loss of IP if licence compliance means you have to distribute source code.
One of the most famous cases of open source licence conflict – it involves Oracle and Google – has been dragging on for eight years, with no end in sight. In March this year, a US federal appeals court overturned an earlier court finding against Oracle, which had stated that Java was open and free for everyone. This time, the federal court ruled that Google had violated Oracle’s copyright when it built a custom version of the Java platform for the Android operating system. Now Google is appealing to the US Supreme Court.
In 2017, CoKinetic Systems Corporation, a major player in the in-flight entertainment market, sued its competitor, Panasonic Avionics Corporation, for over $100 million, claiming – among other issues – that Panasonic had violated the GPL v2 open source source licensing requirements, which allows users to copy, distribute and modify the software, provided they track changes and dates of changes. The case was eventually dismissed, but it illustrates how open source licensing compliance can be used as a stick to beat a competitor.
As Heather Meeker, a leading intellectual property transactions lawyer in the US pointed out at a Compliance Manager Summit a few years ago: “While there can be damages associated with (open source licence violations), they are not usually very high. The bigger costs have to do with business disruption.”
Cisco found this out when it acquired Linksys in 2003. Unbeknown to Cisco, Linksys was violating the licensing terms of some of the open source software it was using. Cisco was then sued by the Free Software Foundation in 2008 and the parties settled in 2009 for an undisclosed amount.