Kuro5hin.org: technology and culture, from the trenches

Stolen open source a corporate legal risk?

By gregbillock in Technology
Tue Apr 09, 2002 at 07:21:55 AM EST
Tags: Software (all tags)

Should large companies who use open source licensed software be concerned about liability if that software turns out to have been stolen from the copyright owners?

I recently spoke with a friend of mine who works for a large software company. He told me that a while back, there was a mini-tempest within the company when its lawyers discovered that some of their projects relied on open sourced libraries. The lawyers pointed out a scenario that I think is legitimate, and that I haven't seen discussed among open source advocates alongside calls for companies to adopt policies encouraging the use and contribution to open source projects.

The scenario they envisioned was this. Suppose an individual or company wrote a proprietary piece of software. Suppose further that someone else managed to get a hold of the software. (This could happen by a security breach, cooperative project differences, a disaffected employee, etc.) If that second person then contributed the source code to a new or existing open source project, and my friend's company used that project, then would they be liable for damages to the original author? The answer my friend's company lawyers came to was that, yes, they might be held partially liable. As an approach to dealing with this liability, they now have strict procedures regarding the use of open source software packages in their projects, and all such use requires the approval of the legal department.

This scenario raises several interesting questions. Is my friend's company correct? If so, how do so many large companies see their way clear to depend extensively on open source software (particularly Apache and Linux)? Perhaps large, established projects are less susceptible to these kinds of questions, since their history and popularity gives them a credibility a new and relatively unknown project lacks. What can the open source community do to respond to this kind of question? Obviously there can be no internal mechanism for assuming liability for projects--such an organization would have to have a checkbook comparable to the commercial entities it aimed to shield. Again, it seems to me that the best response to this concern is to encourage participation in longstanding projects which are more "history-proof." It may also be a strong argument for new projects to make sure they leave a paper trail. Registration with, and updates to, Sourceforge or a similar code repository can provide ostensible users with more assurance that the code is legally licensed.

Stolen open source a corporate legal risk? | 49 comments (49 topical, editorial, 0 hidden)
well, duh. (4.11 / 9) (#1)
by regeya on Mon Apr 08, 2002 at 10:41:23 PM EST

I don't understand why it'd necessarily have to be open-source, though--someone could steal source and put it into a proprietary library.

I can see some justification for singling out open source, but such violations should, in theory, be easier to find.


The problem (3.71 / 7) (#3)
by silsor on Mon Apr 08, 2002 at 10:45:00 PM EST

The thing is that the company wouldn't know the code was stolen if they used it from an open sourced program or library.

It would be kind of hard to accidentally steal code directly from another proprietary application and use it.

✠  Patron saint of unmoderated (none / 0) top-level comments.
Actually (4.66 / 3) (#7)
by ghackmann on Mon Apr 08, 2002 at 11:02:58 PM EST

It would be kind of hard to accidentally steal code directly from another proprietary application and use it.
That's what the author implied -- what if a company somehow gets the source code to a proprietary program (e.g. by getting a source-code license) and mixes it into an open-source program? The answer is, it's just as illegal as if somebody mixed code from two proprietary products, or added open-source code to proprietary code, against the respective license agreements. There's nothing magical about open-source software in this case, except that making the source code available means everyone can know that your company screwed up; if it was binary-only, nobody may ever find out.

To be honest, if you've got organization problems bad enough that something like that is happening, you've probably got bigger concerns than being sued over something like this. I smell FUD at work here.


Re: Actually (4.50 / 6) (#12)
by Therac-25 on Tue Apr 09, 2002 at 12:27:05 AM EST

He's asking
  • Person/Group A steals code from Company B.
  • Person/Group A puts this code into an Open Source project C.
  • Company D (this is his "friend's" company) uses this Open Source project C, and is later on held liable by Company B for using its code.
I can see it being a valid worry, and if I was on the legal team of Company D, would certainly want to make sure it never happened.
"If there's one thing you can say about mankind / There's nothing kind about man."
Okay, but what about: (4.00 / 5) (#15)
by brion on Tue Apr 09, 2002 at 12:43:33 AM EST

  • Person/Group A steals code from Company B.
  • Person/Group A puts this code into a Proprietary Software product C.
  • Company D (this is his "friend's" company) uses this Proprietary Software product C, and is later on held liable by Company B for using its code.
How is the situation different?

Chu vi parolas Vikipedion?
Liability (3.00 / 2) (#16)
by infraoctarine on Tue Apr 09, 2002 at 12:59:26 AM EST

The difference is, I assume, that in this case Group A, selling product C, would be the liable party (since they were the ones that stole the code) and not company D.

Curious... (4.66 / 3) (#17)
by brion on Tue Apr 09, 2002 at 01:07:48 AM EST

Wait, so it's okay to use stolen property so long as I paid the thief for it?

I'm rather suspicious of this idea; is there a real lawyer in the house?

Chu vi parolas Vikipedion?

That's close (3.00 / 1) (#19)
by andrewm on Tue Apr 09, 2002 at 01:17:02 AM EST

Wait, so it's okay to use stolen property so long as I paid the thief for it?
It's ok to use a stolen car, so long as you paint it to prevent the original owner recognising it.

I'm not sure a lawyer would agree with that either :)


Person A (1.00 / 1) (#33)
by katie on Tue Apr 09, 2002 at 10:46:09 AM EST

How is person A not the liable party?

In fact, surely person A could be held liable by BOTH companies - one for stealing their code and the other for misrepresenting to them that something was open source, and theirs to give away when it was neither?

It's not (none / 0) (#43)
by gregbillock on Thu Apr 11, 2002 at 11:47:08 PM EST

But then you can sue the company that makes C and recoup damages, so they are highly incentivized not to let that happen. If A steals source, submits it to the Euchre project (taken at random from the top of Freshmeat), and D uses it, who is B going to sue? Project Euchre, based in Australia? No, they'll sue D for negligence, possession of stolen property, copyright infringement, etc. etc. etc. whatever their lawyers (who are much more creative than I am) can think of that might be relevant. As discussed above, there are frequently clauses in licensing agreements in proprietary software which cover exactly this sort of thing. Open source is more open to the danger not because you can't get people to say 'this code really is mine to license' but because that statement isn't really legally valuable in a liability sense.

No, your friend's company is incorrect (4.73 / 15) (#2)
by theR on Mon Apr 08, 2002 at 10:43:33 PM EST

The exact same thing could happen whether or not the software the company uses is open source. There is no magical thing about open source that means somebody could figure out how to use stolen code in it but not figure out how to use stolen code in a closed source alternative. They are being moronic or don't want open source for other reasons.

I think, in fact, that industrial espionage between two closed source companies is more likely than the scenario put forth here to result in stolen works, products, code, etc, being used illegally. Regardless, somebody who steals code could find somebody who wants it, and could make money selling it to a company that does not use open source if the code was good enough. Seems odd to single out open source.

Watch your back policy? (3.85 / 7) (#5)
by whatwasthatagain on Mon Apr 08, 2002 at 10:55:37 PM EST

There is no magical thing about open source that means somebody could figure out how to use stolen code in it but not figure out how to use stolen code in a closed source alternative.

However, any copyright infringement would be blatant if the stolen code is used in open-source software. This, IMO, poses a greater risk to the company that uses the stolen code, albeit without explicit knowledge. The lawyers probably think that using proprietary software would make them immune because 1) the stolen code would probably go undetected and 2) there was no way they could have known what they were using was (at least in part) stolen.


With profound apologies to whomsoever this sig originally belonged.

So you know what code is stolen and what is not? (2.33 / 3) (#22)
by juahonen on Tue Apr 09, 2002 at 02:50:58 AM EST

If the code is stolen from closed-source project, you cannot possibly know the code is illegally used. You need to see the code of the closed-source project before you can say it was stolen.

I disagree (4.28 / 7) (#24)
by sigwinch on Tue Apr 09, 2002 at 04:02:57 AM EST

However, any copyright infringement would be blatant if the stolen code is used in open-source software.
  1. Hardly anybody reads the source code.
  2. Even if they did, how are they supposed to know that some random section of code violates copyright?
  3. In particular, how the hell are they supposed to recognize *proprietary* code that has been wrongfully incorporated? I mean, if it's proprietary, there's obviously no way to detect the violation even if you were making a diligent attempt to avoid copyright violations.

By the way, code cannot be "stolen". Copyright violation is not theft, it is an infringement of a limited and arbitrary privilege.

IMHO, this is just another example of Bureaucracy Mission Drift. Some dumb ass lawyer got a bug up his ass about some microscopic risk that has never materialized once even though people have made trillions of copies of open-source software, and is milking it for all it's worth to improve his reputation and build guaranteed employment for himself.

I don't want the world, I just want your half.

Not really odd ... (4.00 / 1) (#39)
by Simon Kinahan on Wed Apr 10, 2002 at 04:48:57 PM EST

The normal means of distribution of open source software means that it may be very hard to locate the entity you should sue for fraudulently granting license rights they were not entitled to grant. With closed source software, you (meaning the licensee) have usually paid some money to a known person/company, who you can sue if you find they sold you something they didn't own. With open source, it is often the case that no legal entity owns the license rights to the whole system, and therefore the license is on rather shaky ground: yes, you can assume that all the contributors only contributed their own code, and that they really did intend it to be licensed under the given terms, but there's usually no documentation of that fact. Lawyers get nervous at this kind of thing.

Furthermore, because open source software has no purchase cost, its use does not have to go through corporate purchasing procedures, and therefore companies can find themselves exposed to risks (such as viral licensing problems, or code they're not actually entitled to use) they did not know about because some developer downloaded the software and saw fit to integrate it into a product or just to use it in some critical system without telling anyone. Usually (in my experience), policies like those described in the article are not in place to prevent the use of open source, so much as to track its use and the risks to which the organisation is exposed.


If you disagree, post, don't moderate
It's already been taken care of (4.16 / 6) (#4)
by hardburn on Mon Apr 08, 2002 at 10:46:12 PM EST

Read the big capital print in just about every single open source/free software license in existence. It says something like "NO WARRANTIES, EXPRESSED OR IMPLIED . . . " and so on. There is a very good reason why that is there.

Interestingly, I learned a while back that the law (in the US, anyway) actually requires the "no warranty" clause be in capital letters.

while($story = K5::Story->new()) { $story->vote(-1) if($story->section() == $POLITICS); }

No support. (3.00 / 1) (#32)
by katie on Tue Apr 09, 2002 at 10:40:47 AM EST

I always find it faintly amusing that the big argument against using OS code in large companies is the lack of support. Obviously no-one reads the warranties that come with everything else; where they limit their liability to warranting that the CD will be readable...

"Amusing" in the sense of "watching people who can barely drive their email software make IT decisions" sort of amusing.

Yes, support. (none / 0) (#38)
by codemonkey_uk on Wed Apr 10, 2002 at 08:55:43 AM EST

Okay, so individual people don't test to get good support for off the shelf software, but that's not the issue here.

When a company buys a licence for a software library, it usually comes with support, and that support is usually quite good.

I'm talking as a developer in the games industry who has had to contact middleware support departments in the course of my work. I've found the support people, in general to be both accessible, and helpful.
"The most savage controversies are those about matters as to which there is no good evidence either way." - Bertrand Russell

hehhhe 'my friend' (1.66 / 6) (#6)
by highenergystar on Mon Apr 08, 2002 at 11:00:11 PM EST

thats a nice way to put it ...! :) just kidding ...

The thing to worry about is the GPL (2.62 / 8) (#8)
by skim123 on Mon Apr 08, 2002 at 11:05:51 PM EST

Since it's viral in nature and all. If you work on a proprietary piece of software for your company and use a small GPL library within, then your entire proprietary software must enter the GPL. Well, at least that's how I have been told the GPL works, haven't read the license. Feel free to correct me if I'm wrong.

Money is in some respects like fire; it is a very excellent servant but a terrible master.
PT Barnum

You're correct... (4.75 / 4) (#9)
by aziegler on Mon Apr 08, 2002 at 11:10:05 PM EST

That said, that doesn't necessarily mean that your source code will be spread hither and yon. It means, very explicitly, that one's source must be provided to the licencees. If you sell a licence to ABC Company, you must also provide them the source code. They then have the choice to pass the software -- without charge -- to XYZ company if they so choose.

The GPL is viral, and IMO is very dangerous because a lot of people try to obfuscate its viral nature and attempt to pretend that the GPL is a 'free' licence (it is, but only by changing the meaning of 'free' to mean that 'you have to do this'). Once it's understood that it's a proprietary licence which makes the source and equivalent rights available to licencees, then it's not necessarily a bad licence as such.



GPL and the definition of free. (3.00 / 2) (#30)
by Znork on Tue Apr 09, 2002 at 09:53:37 AM EST

The GPL is entirely 'free' if you're looking at it from the code's perspective. The code itself is 'free', and guaranteed to retain its 'freedom'. The GPL affects your rights in the same way that laws forbidding slavery do; you cannot enslave someone, and the other person remains 'free'.

If you want to translate that into 'you have to do this', or 'you have to pay people or do the job yourself because you cant take freedom away' that's ok. But GPL software is Free software.

Word-twisting nonsense... (none / 0) (#46)
by aziegler on Fri Apr 12, 2002 at 02:23:53 PM EST

The problem with your analysis is that software code isn't animate or sentient, both items required for slavery. Thus, the idea that the GPL "frees" software is complete and utter bullshit, because that sense of free cannot apply to inanimate and nonsentient objects ... like software.

I don't expect GPL advocates to get this distinction, but it's the very distinction that turns the claim that GPLed software is Free Software into a lie. It's not "Free"; it's restricted. If you want to debate whether those restrictions are a good thing or not, that's fine -- in some cases, I think that the GPL is a perfectly good licence. But don't lie to me and pretend that the software covered by the GPL is "Free".



Define, please? (3.00 / 1) (#35)
by pla on Tue Apr 09, 2002 at 10:21:44 PM EST

The GPL is viral, and IMO is very dangerous because a lot of people try to obfuscate its viral nature and attempt to pretend that the GPL is a 'free' licence

Perhaps you would care to define "Viral", then?

I have worked in a corporate environment with *very* tight restrictions on source code access (think "lottery terminals"). We often used GPL'd code, in such a way that, aside from whatever modifications we didn't mind releasing to the community (almost none, unfortunately), not a single line of our proprietary code ever got "sucked in" to the GPL'd code.

To put it simply, you can turn *anything* into a linkable library. If you need a small bit of additional functionality in a complete GPL'd app, build your own "secret" portion into a library that the app links in. If you need just a small bit of functionality from a complete GPL'd app in your own complete app, write a small library-like wrapper that allows you to link in portions of the GPL'd code without any source-mingling whatsoever.

I don't know how well such methods adhere to the *intent* of the GPL, but Legal ok'd them...

You should have LGPLed... (none / 0) (#45)
by aziegler on Fri Apr 12, 2002 at 02:19:35 PM EST

According to the FSF, your legal department was (strictly speaking) wrong, and your GPLed code was combined with your proprietary code in a way such that it wouldn't have protected your proprietary code. You should have LGPLed the code.

That said, your company owned the original source code and could therefore use the source without licence ... unless you used someone else's GPLed code. And that's the danger.

If you use anything that is GPLed, the whole work must be GPLed or allow such cooption (e.g., modified BSD). The LGPL is only that bad if you attempt to break out code from the original work itself.

The LGPL, I like. The GPL, I don't.

GPL vs. LGPL (4.00 / 2) (#10)
by ucblockhead on Mon Apr 08, 2002 at 11:12:45 PM EST

If it is released under the GPL, yes, you are right. If it is released under the LGPL, no, you are wrong.

Most of the popular open source libraries are LGPL or equivalent.
This is k5. We're all tools - duxup

If you haven't read the license... (3.00 / 5) (#13)
by kuran42 on Tue Apr 09, 2002 at 12:32:43 AM EST

why comment?

The GPL and LGPL are different. If you use GPL code in your software, your software license must become GPL(-compatible). This is not the case with LGPL code, nor does it extend to your "entire" proprietary software - only the portions that use open source software.

None of that matters, though. You can't change the license on something you don't own, and if open source software improperly includes proprietary software or vice versa, the license is not extended to cover the proprietary software.

kuran42? genius? Nary a difference betwixt the two. -- Defect

Duh (1.00 / 1) (#41)
by skim123 on Thu Apr 11, 2002 at 06:54:58 PM EST

If you haven't read the license why comment?

Do you think I have the time or interest to read the license? No. All I have time for is shouting my uninformed opinions to the k5 community.

Money is in some respects like fire; it is a very excellent servant but a terrible master.
PT Barnum

Not entirely correct. (4.42 / 7) (#18)
by andrewm on Tue Apr 09, 2002 at 01:09:15 AM EST

The GPL is not viral. It is an entirely opt-in license, and you have complete and total control over what software you choose to release under the GPL. There is absolutely no way you can ever be forced to release so much as a single line of code under the GPL.

Call it what it is: Just another software license. (Whether or not you like it is a completely different discussion, but it's no more evil than proprietary licenses.)

(Yes, I know why people call it viral, but my point is that you have complete control over what you do - noone can force you to use a particular library if you don't like the license. Note that by 'you', I mean the owner of the software you're writing - your boss may be able to dictate what library you use, but your boss is also the one responsible for the legal side of things - at least until the company lawyers get involved.)

However, if you wish to use code that has a license, then you must obey the terms of the license. If you buy a proprietary library, you may have to charge every one of your customers a fee for this library, or allow auditors complete access to your development systems. If you use another library, you may have to share specific source code with your customers. If you choose not to reuse existing code, you will have to write it yourself.

If you choose to use code without caring if it's legal, you may be sued. I trust you read the license for all of your compiler(s) and associated libraries, and operating system APIs. (Even Microsoft acknowledges that you should get a lawyer to read their licenses - although they'd prefer to have people think that only applies to Evil Viral Licenses.)

If you object to the conditions of a license, you don't use the software it covers, and it doesn't affect you at all. If you really want that library but hate the license, it's too bad - you get to choose which option is more important to you.

If you work on a proprietary piece of software for your company and use a small GPL library within, then your entire proprietary software must enter the GPL
This depends on what you mean by 'entire'. It should mean 'the entire specific application' rather than 'everything you've ever worked on'.

That's just like any license. It would be as realistic to say "The thing to worry about with proprietary licenses is that they affect the entire application you're writing." It's true, and you do need to make sure you understand all the restrictions, but it's hardly surprising. In both cases, it doesn't matter how large or small the library is, either.

If one library requires you to release your code using the GPL, and another library forbids this, then you can't use both libraries in the same program. And I can't see any way that either one could be considered 'worse' or more worrying because it doesn't matter what you want to do, at least one option isn't legally available if you use both libraries.


MontaVista Software sells warranty (4.75 / 8) (#11)
by BlowCat on Mon Apr 08, 2002 at 11:30:20 PM EST

Back in the year 2000 when I worked in a telecommunication company relying on embedded Linux, they bought a support contract for Hard Hat Linux from MontaVista Software that included a provision that if some part of the distribution turns out to have license problems, they will rewrite it. It's interesting that my company wasn't using Hard Hat Linux but rather a simple distribution made in-house (i.e. by me :-)). Still they were paying MontaVista tens of thousands of dollars a year. Essentially, they were paying for the "license warranty". Presumably it was worth it.

and for not as much as I'd have expected... (none / 0) (#44)
by gregbillock on Thu Apr 11, 2002 at 11:50:53 PM EST

Interesting. So perhaps MontaVista assesses the risk is pretty low (which I'm sure it is) and so perhaps got some good insurance and is leveraging their faith in Hard Hat Linux into willingness to assume risk for cash. Makes sense. How much do you think they'd charge for complete coverage of, say, everything in Sourceforge, under the same agreement?

Sourceforge (none / 0) (#49)
by BlowCat on Sat Apr 13, 2002 at 09:30:21 PM EST

They would not make such a deal. I'm sure there is "gray" code on SourceForge. For example, spectrum24 driver uses firmware from Symbol. There is no indication that the firmware is used with permission of the copyright holders. A link to the Linux driver from Symbol's site is not a permission - you cannot use it in court if you extend and redistribute the driver and Symbol decides to sue you.

That's just one case I know about. I'm sure there are many others. Simply missing copyright may be a trap.

Fortunately, you don't need the whole Sourceforge to run an embedded system, and that's the market MontaVista aims for.


yeah, it's a real risk (5.00 / 8) (#14)
by gbroiles on Tue Apr 09, 2002 at 12:38:09 AM EST

.. but probably not a big one.

You don't need the hypothetical "stolen source" example - a more believable (and likely) example would be source code apparently contributed to an open source package which was (by oversight or ignorance) not within the power of the contributor/author to grant - for example, if the code were written by someone whose employment agreement (or other terms of employment, perhaps supplied by custom or local law) specified that all of the intellectual property they created during the course of their employment - or while on the premises of their employer, or created using the equipment of the employer - belongs to the employer. Now the open source package/project can't get a license/copyright assignment from the author .. because the author has already granted those rights to another, or because they never had them in the first place. That, by the way, is the default assumption in the US - that if you create IP during paid hours using your employer's equipment, it belongs to the employer, not the employee.

Some open source projects are aware of this issue and require written assignments/licenses for contributed material; that's a good first step, but ignores the fact that if the employee doesn't have the IP, they're unable to grant a license or assignment. All the open source guys can do is ask for indemnification by the employee if their license/grant turns out to be faulty .. but that's not worth much, in most cases, because the employee has (comparatively) no assets to back up the indemnification, and the open source group is likely to be unwilling or unable to bring suit to enforce the indemnification clause.

This - in the real world - doesn't turn out to be an especially awful problem, because most people act reasonably most of the time. Even if there are problems in the chain of title/assignment for the IP in big software packages .. so what? The IP involved isn't likely to be especially important, if it's only copyright in widely distributed source code - that's pretty easily recreated in a cleanroom environment, so this doesn't have the same potential for abuse and extortion that patents do.

IBM's legal department spent a long time worrying about this before IBM embraced Apache and Linux - eventually they just got over it. Other companies will, too. (I was corporate counsel for C2Net, a small software company which was negotiating a license for an Apache derivative to IBM in 1997-1998, so I spent a lot of time on the phone and in email explaining why we couldn't indemnify them against all possible problems in the Apache source, etc.)

Minor nit (2.33 / 3) (#20)
by J'raxis on Tue Apr 09, 2002 at 01:20:18 AM EST

That, by the way, is the default assumption in the US - that if you create IP during paid hours using your employer's equipment, it belongs to the employer, not the employee.

This actually varies from state to state.

— The Raxis

[ J’raxis·Com | Liberty in your lifetime ]

No, actually, it doesn't. (5.00 / 4) (#21)
by gbroiles on Tue Apr 09, 2002 at 02:16:44 AM EST

[Contemporary] copyright law is exclusively federal law; interpretations of that federal law may vary a little between the federal circuits, but different states are not free to make up their own copyright rules or case law.

See, for example, 17 USC 201(b), which says:

In the case of a work made for hire, the employer or other person for whom the work was prepared is considered the author for purposes of this title, and, unless the parties have expressly agreed otherwise in a written instrument signed by them, owns all of the rights comprised in the copyright.
and 17 USC 101 which defines "work made for hire" thus:
a work prepared by an employee within the scope of his or her employment

Interesting (4.00 / 2) (#36)
by J'raxis on Wed Apr 10, 2002 at 12:30:49 AM EST

Last I heard about this, it was bound up in contract law (what is the default position if there’s no actual signed contract to indicate otherwise), which does differ from state to state.

However, your citations above don’t define what happens to works done with employer resources, but not within the scope of someone’s employment (e.g., if I do tech support for Microsoft but spend my free time logged into my home machine coding for Apache, or something). I think this is what may still be determined by state contract or employment law. Is anything you do on your boss’s time owned by him, or only things within the scope of your actual job?

— The Raxis

[ J’raxis·Com | Liberty in your lifetime ]

This has already happened (5.00 / 4) (#25)
by cyberformer on Tue Apr 09, 2002 at 04:07:14 AM EST

What you describe (not the subject of the main article) actually happened to one of the Perl developers. There was a long thread about it on The Other Site not long ago.

Code contamination can happen to any type of software, though "programmers" who take somebody else's work without permission are obviously more likely to get caught if they release the source code. According to this article in The Register, a certain chairman of a very well-known software company may have done the same thing.


A simple solution (3.00 / 3) (#34)
by pla on Tue Apr 09, 2002 at 09:53:55 PM EST

Though I have never had an employer that would not allow me to do open-source work on my own time, during my last couple years at college they wanted to play the "we own what you write" game.

My solution, since I had no intention of giving them a goddamn thing beyond my already far-too-expensive tuition? Contribute to various projects anonymously.

That way, if anyone comes back to me and asks if I violated such-and-such policy, I can safely deny it. And, if anyone suspects the code I've contributed of coming from a questionably-legal source, good luck proving it - Even if I personally wanted to take credit for it after-the-fact, I would have no way of proving I wrote it (so, neither would anyone else).

Anonymity works in *everyone's* favor, in *so* many aspects of life.

This could all be prevented. (4.08 / 12) (#23)
by elenchos on Tue Apr 09, 2002 at 03:15:41 AM EST

If programmers were a licensed and regulated profession, and their tools were a restricted munition, there would be some hope of freedom from this tyranny of doubt and fear that engrips the technology industries. As it is, any hacker terrorist can wantonly make a computer do things it was not specifically designed to do, including creating completely new software without any proof of his loyalty or trustworthiness. And then it can be distributed to literally anyone, especially criminals, marijuana addicts, and terrorists, with no oversight.

As long as we allow this coding-a-go-go, as it is called, we will have just this kind of uncertainty and chaos.


Ignoring the real victims (3.00 / 7) (#26)
by qpt on Tue Apr 09, 2002 at 04:23:37 AM EST

While the issue has been battled in the courts, the legislature, and the press for years and will no doubt continue to be a point of contention in the foreseeable future, all interested parties have somehow lost sight of the real victims of the open source software debate. Rulings are blithely made for the benefit of special interest groups, legislature is drafted and passed at the bidding of wealthy lobbies, and legions of free software zealots do battle with the massive corporate machine for reasons long forgotten.

Will not someone please think of the software? When our forefathers committed their lives, homes, and destinies to the emancipation of software, it was only with a grave and resolute determination to right the moral abomination that is enslaved software. They saw clearly and manifestly that software wants to be free, and that it was their God-given duty and privilege to free it. We, as their descendants, hold a share in this sacred moral obligation.

Too long have we decadently indulged ourselves in pointless debates about the relative merits of various licensing schemes. Too long have we vilified those who oppose us, supposing that our battle was with the ignorance of mortal men rather than with that most evil of institutions that transcends even the lives and projects of mere men. I dream of a day when all software stands free and equal before the law, just as it stands free and equal before God. I fear that it is a dream that must forever remain illusory if we cannot find within ourselves the strength of character and will to forever abolish this shameful blight upon our culture, but I pray that we will somehow find that strength and finally free software.

Domine Deus, creator coeli et terrae respice humilitatem nostram.

yeah.... (3.33 / 3) (#29)
by Tezcatlipoca on Tue Apr 09, 2002 at 06:57:04 AM EST

We do love you qpt, don't you worry.
"At eighteen our convictions are hills from which we look;
at forty-five they are caves in which we hide." F. Scott Fitzgerald.
[ Parent ]

Liability control (5.00 / 7) (#27)
by RandomPeon on Tue Apr 09, 2002 at 05:08:22 AM EST

Disclaimer: IANAL. This is not legal advice, it's idle speculation. I assume the lawyer is right, there may be some liability.

Here's the flip side: All software development involves some risk of a lawsuit. In particular, your software may infringe someone's patents. An attorney will tell you there's no way to zero your risk of patent infringement - a search of current and pending patents does not necessarily locate all patents, and a patent can be filed long after an idea is invented as long as it's within a year of someone else selling or disclosing the claimed invention. Oh, don't read patents yourself, as you risk treble damages for willful infringement. Pay your attorney to do so.

Your EULA may be found to be unenforceable. In particular, that "no warranty" clause may not hold up. If it's a contract job, there's a potential for negligence suits, even if those rights are waived in the contract.

Sometimes lawyers are too good at their jobs. This guy is probably young and overly serious, and he doesn't understand business yet. All business ventures involve some potential liability; the trick is to identify the ones that are serious. The above scenarios are far more likely and apply to all software products, but every company accepts them.

The consensus seems to be this isn't a real problem. Apple built an operating system on open-source code. Microsoft has incorporated BSD code into its OSes. Sun, IBM, and just about every large player does it to some extent. I assume their lawyers evaluated the risks of incorporating any code licensed under any of the major open-source licenses and deemed it a safe bet. If the deepest pockets (the people any potential litigant always sues first) are unconcerned, why are these guys?

These are the deep pockets (none / 0) (#40)
by gregbillock on Thu Apr 11, 2002 at 04:00:44 PM EST

You're right that there are other competing legal concerns, but my friend's company IS the one with the deep pockets--they're the ones who would get sued if it turned out someone had contributed code illegally to Xerces or some such, and they're the ones worried.

Of course, just because HP or somebody with a webserver sued them for using stolen code in an OSS project doesn't mean that the suit would succeed, and the fact that my friend's company still does use OSS (albeit with more hurdles) means that sometimes their lawyers figure the liability of the putative use is small compared to the advantage. The fact that other big companies use OSS more may be an indication that his company's lawyers are overly conservative.

Another related issue for a smaller company is that if you don't have the deep pockets, you are in some ways more vulnerable. That is, if my (small) company were to be sued over our use of OSS projects, it would be a disaster. Even if it were established we had no liability it would be bad.

[ Parent ]

True (none / 0) (#48)
by RandomPeon on Fri Apr 12, 2002 at 06:39:21 PM EST

Of course, you're right. But it still seems to me (and a licensed attorney who I mentioned this bullshit to) the lawyers here can't see the forest from the trees. I don't think there has been a single case of this scenario ever playing out in court.

On the other hand, Intel is currently facing several patent lawsuits that could cause them to stop shipping the P4. MS lost to Stac in the patent wars. Unintentional patent infringement is a real risk with any software development. It would make more sense to check OSS for possible patent infringement than to attempt to prevent stolen software from being used.

And contracts/EULAs are also a real source of trouble. An acquaintance of mine worked for a consulting company that settled two lawsuits in a month despite their supposedly airtight contracts. Their brilliant contract lawyer didn't realize that the State of California does not allow its agencies to sign contracts that waive negligence on the part of contractors. And an idiot in the marketing dept kept telling customers that "Windows 2000 never crashes". Looks like you just created an implied warranty, oops. (Legally questionable, but too risky to take to court).

These things actually happen. What your friend's company is concerned about doesn't. This is what you have lawyers for - "dog bites man" scenarios, not "man bites dog" scenarios.

[ Parent ]

The FSF is also worried about this (4.66 / 6) (#28)
by dark on Tue Apr 09, 2002 at 06:50:56 AM EST

The Free Software Foundation also sees this as a risk, and it has a policy of only accepting contributions of code from people who are willing to assign copyright to the FSF (under specific terms). It also asks for a statement from the contributor's employer, if any. It seems that examples of these statements are no longer online, but here is a page describing their use.

The FSF also keeps careful track of who wrote what, so that if there is a problem, they can replace specific sections of code rather than having to consider a whole application tainted.

And the moon might fall on the company, too (3.50 / 2) (#31)
by X-Nc on Tue Apr 09, 2002 at 10:08:19 AM EST

Thankfully, IANAL. My opinion is my own and I don't even pay any attention to it. With that said...

This is so far fetched it's almost a joke. Yes it could happen. And I could win the lotory.

But what the hell do I know...

Aaahhhh!!!! My K5 subscription expired. Now I can't spell anymore.

Myth and reality (4.00 / 1) (#37)
by WWWWolf on Wed Apr 10, 2002 at 07:35:46 AM EST

Myth: Open source software exists as some sort of transcendent entity in the Network, that assimilates code from contributors regardless of the source, and that cannot be stopped, modified, or regulated. It is all-powerful, omnipresent, sentient and malevolent. The Great Destroyer of Worlds.

Reality: Open source software is maintained by people, and often people don't accept "mysterious" contributions. Moreover, the sources of contributions can be verified somehow. Parts can be rewritten if the code needs to be removed due to cases like you described (it just takes time, but what the heck).

Humans made it. And the same humans can also change its shape.

-- Weyfour WWWWolf, a lupine technomancer from the cold north...

Sorry, off-topic (4.00 / 1) (#42)
by Oblomov on Thu Apr 11, 2002 at 10:47:24 PM EST

The answer my friend's company lawyers came to (...) all such use requires the approval of the legal department.
I forgot who coined this but the basic story in a bureaucratic organisation (or government) is that every department will try to expand their base of responsibility. I.e. if you ask your legal department if they should be involved in something, they will always say yes.

What can be done... (3.00 / 1) (#47)
by /dev/trash on Fri Apr 12, 2002 at 03:56:11 PM EST

Just lock the machines down. Allow no net access. Have the coders report to their managers every 4 hours on code they've written.

Stolen open source a corporate legal risk? | 49 comments (49 topical, 0 editorial, 0 hidden)