Legal and Practical Concerns with Software Development
Rod Cope, Rogue Wave Software
Rick Leach, Brooks Kushman, P.C.
#ESCminn
Disclaimer
• This presentation shall not be taken as legal advice and is for educational purposes only.

Software touches all IP categories
• Copyright – The main theme of this presentation
• Patent – Currently under scrutiny by the USPTO with regard to patent eligibility under §101.
• Trade Secret – Consider the new Defend Trade Secrets Act of 2016 (DTSA).
• Trademark – Consider a GUI (Color scheme, Boot Sounds, Imagery, Icons, Arrangements, etc.)

DTSA – Brief Overview
• Ex Parte Seizures – The DTSA provides for the seizure of property necessary to prevent the propagation or dissemination of the trade secret.
• Immunity Notice Requirements – For an employer to preserve its rights to exemplary damages and attorney fees, the employer “shall” provide notice to an employee, contractor, or consultant of his or her immunity rights.
• Inevitable Disclosure – Under the DTSA, a court cannot prevent a person from entering into an employment relationship, and any conditions placed on such employment shall be based on evidence of threatened misappropriation and not merely on the information the person knows.
• State Law Preemption – The DTSA provides a Federal forum for relief, but the DTSA does not preempt state law.
• In summary, given the extreme value of trade secrets and the growing threat of trade secret theft, businesses should audit their trade secret protection practices in light of the DTSA and existing state laws, and take appropriate steps to protect those trade secrets. This includes:
• (1) instituting practices to detect trade secret misappropriation – especially through electronic means – as soon as possible,
• (2) revising all contracts or agreements relating to trade secrets or other confidential information with any employee, contractor, or consultant to provide the notices required by the DTSA,
• (3) instituting employee exit strategies to warn both the exiting employee and their next employer of the employee’s trade secret obligations, and
• (4) reviewing the measures taken to protect trade secrets to ensure that such measures meet the requirements of both the DTSA and state law.

Why use Open Source Software?
• ~$60B/year savings*
• > 4 Billion Files
• > 7,500 repositories
• > 2,000 Licenses
• ~ 97% say they use OSS
• ~ 64% companies participate in OSS projects
• ~ 88% companies expect to increase contributions to OSS
https://www.blackducksoftware.com/
* http://www.freesoftwaremagazine.com/articles/creating_wealth_free_software

OSS Compliance: Should I care?
• Diversion of Time, Talent, Resources
• Impact to Customers & Reputation
• Potential waiver of IP rights
• Potential Damages

Benefits and Risks
OSS Projects are on the rise … and so is Policing of the projects

Copyright: What is it?
• Protection of Artistic Expressions, not ideas or functionality
• Music
• Movies
• Artwork
• Literature
• Software

Rights of a Copyright Owner
• Exclusive rights
• Distribute – Sell
• Reproduce – Copy
• Adapt – Create derivative work
• Perform
• Display
• Transmit
• Neither Registration nor notice required to create protection

Copyright Introduction
[Diagram: Copyright Owner – License – User; $$$]
• Owner chooses to enter into a contract with User
• Owner grants rights to Sell, Copy, Adapt, . . .
• User provides some consideration ($$$)
• User agrees to abide by the license terms
• Other people not allowed to Sell, Copy, Adapt, . . .

Introduction to ‘Copyleft’
[Diagram: Copyleft License; $0.0]
• Owner chooses to enter into a contract with User
• Owner grants rights to Sell, Copy, Adapt, . . .
• User provides some consideration ($$$)
• User agrees to abide by the license terms
• Everyone is allowed to Sell, Copy, Adapt, . . . (As long as they comply with license terms)

Strong Copyleft – The Cost of Freedom
• Strong Copyleft is a copyright licensing scheme for making a program (or other work) free, and requiring all modified and extended versions of the program to be free as well
http://www.gnu.org/copyleft/copyleft.en.html

Permissive Licenses
• “… [A] permissive license that is short and to the point. It lets people do anything they want with your code as long as they provide attribution back to you and don’t hold you liable.” - http://choosealicense.com/
• Common permissive licenses include BSD, MIT, Apache
https://en.wikipedia.org/wiki/Permissive_software_licence

Top 20 Common Open Source Licenses
https://www.blackducksoftware.com/top-open-source-licenses#top20
What’s the difference?
> 75% of software uses 5 Licenses

MIT License
The MIT License (MIT)
Copyright (c) [year] [fullname]
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
http://opensource.org/licenses/MIT

GPLv2 License select sections
Preamble. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty
http://www.gnu.org/licenses/gpl.txt

GPLv3 License select sections
1. "The ‘Corresponding Source’ for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. . . ."
6. Conveying Non-Source Forms: You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License
10. Automatic Licensing of Downstream Recipients: "...and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it."
11. Patents: . . . Each contributor grants you a non-exclusive, worldwide, royalty-free patent license . . .
http://www.gnu.org/licenses/gpl.txt

A History of License Options
• 1988 – BSD & MIT Licenses: Implied License &/or Estoppel
• 1991 – GPLv2: Implied License &/or Estoppel; Patent Disincentive Clause
• 2001 – CPL: Express Patent License; Broad Patent Retaliation Clause
• 2004 – Apache 2.0: Express Patent License; Patent Retaliation Clause
• 2007 – GPLv3: Broad Express Patent License; Anti-Tivoization clause; Patent Non-Assert; Patent Disincentive Clause
• 2012 – MPL 2.0: Express Patent License; Patent Retaliation Clause

Thoughts on Derivative Works?
Proprietary Software + MIT License, Static OR Dynamic Linking
• Provide Copyright Notice
• Provide License
Proprietary Software + LGPL v2.1, Dynamic Linking (Library, Executable)
• Provide Copyright Notice
• Provide License
• Provide Open Source code
• Provide modifications & change log
• Provide Disclaimer of warranty in the OSS
• Provide Library Source Code
Proprietary Software + LGPL v2.1, Static Linking (Executable)
• Provide Copyright Notice
• Provide License
• Provide Open Source code
• Provide modifications & change log
• Provide Disclaimer of warranty in the OSS
• Provide proprietary Object Code and/or Source Code so that a modified Library can generate an executable
Proprietary Software + GPL v3, Static OR Dynamic Linking
• Provide Copyright Notice
• Provide License
• Provide Open Source code
• Provide modifications & change log
• Provide Disclaimer of warranty for all GPL code
• Provide proprietary Object Code and/or Source Code
• Provide License to all IP in the proprietary code that uses or is linked to GPL
Related to linking or something else?

Infringement – Consequences
• § 504 – Damages (Actual or Statutory)
• Actual damages to Owner and profits of the Infringer
• Statutory (Timely Registration required) $750 - $30,000 per infringement, If willful up to $150,000!
• § 505 – Costs and Attorney Fees
• Usually linked with Willfulness (Pre-Registration required)
• § 502 – Injunction, § 503 – Impounding, and § 506 – Criminal Prosecution

Step 1: Have a license policy
• You must decide which licenses are acceptable for your company (and potentially your customers).
• The policy depends on how you plan to use the software.
• GENIVI has the following policy
• Red – GPLv3; LGPLv2/3; BSD 4; MPL1.1; Flora
• Yellow – GPLv2; LGPL2.1; AFL 3; OSL 3; OpenSSL; Public domain
• Green – MPL 2.0; BSD 2/3; MIT/X11; Apache 1.1/2; Artistic 2/1
http://docs.projects.genivi.org/License/Public_Policy_for_GENIVI_Licensing_and_Copyright_v_1.0.pdf
[Slide graphic labels: NO, OK, ???]

Step 2: Educate your Developers
• Which software/licenses are acceptable and not
• Which software licenses need to be discussed
• How and who to contact with questions – Point Person
• Disclosure of software use to Point Person

Example Supply Chain
[Diagram labels:]
• Component Manufacturer
• Development Board – Drivers
• Sub-Assembly – Libraries
• Product Manufacturer
• OSS contribution
• Retailer

Dependency Issues Impact Licensing
• OSS often depends on or bundles other OSS
• Need to look at all the dependencies and bundled projects and their licenses
• Important: The licenses may not be the same!
• Example:
• Geronimo (Apache license) uses MySQL (GPL) through the MySQL driver (formerly LGPL but now GPL)
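
Added example, not part of the original slides: a transitive license audit that applies the GENIVI red/yellow/green lists from Step 1 to a dependency graph shaped like the Geronimo case above. The inventory, component names, the GPL version on the driver, the "unlisted" tier and the severity ordering are assumptions made for illustration.

```python
from collections import deque

# License lists copied from the GENIVI policy on the Step 1 slide.
POLICY = {
    "red": {"GPLv3", "LGPLv2", "LGPLv3", "BSD 4", "MPL1.1", "Flora"},
    "yellow": {"GPLv2", "LGPL2.1", "AFL 3", "OSL 3", "OpenSSL", "Public domain"},
    "green": {"MPL 2.0", "BSD 2", "BSD 3", "MIT/X11", "Apache 1.1", "Apache 2",
              "Artistic 2", "Artistic 1"},
}
# Assumption: a license missing from the policy ranks above yellow, below red.
SEVERITY = {"green": 0, "yellow": 1, "unlisted": 2, "red": 3}

# Constructed inventory: name -> (declared license, direct dependencies).
INVENTORY = {
    "geronimo": ("Apache 2", ["mysql-driver", "commons-logging"]),
    "mysql-driver": ("GPLv2", ["mysql"]),       # GPL version is assumed
    "mysql": ("GPLv2", []),
    "commons-logging": ("Apache 2", ["log-shim"]),
    "log-shim": (None, ["commons-logging"]),    # no license declared, cyclic
}

def classify(license_name):
    """Return the policy tier for a license, or 'unlisted' if the policy is silent."""
    for tier, names in POLICY.items():
        if license_name in names:
            return tier
    return "unlisted"

def audit(root, inventory):
    """Breadth-first walk of every transitive dependency, recording how it was reached."""
    findings, seen, queue = [], {root}, deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        # A component absent from the inventory is treated as license-unknown.
        license_name, deps = inventory.get(name, (None, []))
        findings.append({"component": name, "license": license_name,
                         "tier": classify(license_name),
                         "path": " -> ".join(path)})
        for dep in deps:
            if dep not in seen:                 # guards against dependency cycles
                seen.add(dep)
                queue.append((dep, path + [dep]))
    return findings

def needs_attention(findings):
    """Everything the Point Person has to look at: any tier other than green."""
    return [f for f in findings if f["tier"] != "green"]

def verdict(findings):
    """The most severe tier found anywhere in the tree."""
    return max((f["tier"] for f in findings), key=SEVERITY.__getitem__)

if __name__ == "__main__":
    report = audit("geronimo", INVENTORY)
    for f in needs_attention(report):
        print(f"{f['tier']:8} {f['license']!s:8} {f['path']}")
    print("overall:", verdict(report))
```

The root component is green on its own; the yellow and unlisted results only appear once the walk reaches the driver and the bundled shim, which is the point of the slide.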

Multiple Packages, Multiple Licenses
• When a developer downloads and installs those projects they also get additional open source components that are installed automatically (over 90 additional!!)
AspectJ (19) - Ant (1.6.3) - Apache Avalon (4.1.2) - ASM (2.0) - ASM (2.2.1) - Batik (unknown) - BCEL (5.1) - Commons BeanUtils (unknown) - Commons Digester (unknown) - Commons Logging (unknown) - DocBook XML (4.1.2) - DocBook XSL Stylesheets (1.44) - FOP (0.20.5) - JDiff (unknown) - JUnit (3.8.1) - Jython (2.1) - Regexp (1.2) - Saxon (unknown) - Xalan (2.4.1) - JDK (1.4.2_12)
Spring Framework (61) - ActiveMQ (1.1) - Ant (1.6.5) - ANTLR (2.7.5H3) - AOP Alliance (1.0) - Apache (OJB) (1.0.4) - Apache xml-apis (1.2.01) - c3p0 (0.9.0.4) - cglib (2.1.3) - com.oreilly.servlet (1.0) - Commons Attributes (2.1) - Commons BeanUtils (1.6) - Commons Codec (1.3) - Commons Collections (3.1) - Commons DBCP (1.2.1) - Commons Digester (1.6) - Commons Discovery (0.2) - Commons Fileupload (1.0) - Commons HttpClient (3.0) - Commons Lang (2.1) - Commons Logging (1.0.4) - Commons Pool (1.2) - Commons Validator (1.1.4) - dom4j (1.6) - EasyMock (1.1) - Ehcache (1.1) - Enterprise Java Beans (2.0) - Free Marker (2.3.4) - Hessian (3.0.1) - Hibernate (2.1.7) - Hibernate (3.0.5) - HSQLDB (1.8.0) - iBATIS (2.1.7) - iText (1.3) - J2EE Connector Arch (1.0) - Jakarta JSTL (1.0.3) - Jamon (1.0) - Jasper Reports (1.0.3) - Java Servlet API (2.4) - JavaBeans (JAF) (1.0.1) - JavaMail (1.3) - JavaServer Faces (1.1) - JAX-RPC (1.1) - Jaxen (1.1-beta4) - JDBC (2_0) - JDO (2.0) - JMX (1.0) - JOTM (2.0.9) - JTA (1.0.1B) - JUnit (3.8.1) - jxl (2.6) - Log4j (1.2.13) - ORO (2.0.8) - POI (2.5.1) - Quartz (1.5.2) - Rowset (1.0.1) - Struts (1.2.8) - Tag Libs (1.0.6) - TOPLink (1.0) - Velocity (1.4) - Velocity Tools (1.1) - XDoclet (1.1)
Ant (7 bundled) - Apache xml-apis (1.5) - Xerces (2.6.2) - BCEL (5.1) - BeanShell (1.3.0) - BSF (2.3.0) - JUnit (3.8.1) - JDK (1.4.2_12)
MySQL Connector (9) - Ant-Contrib (1.0-b2) - AspectJ (1.2) - c3p0 (0.9.1-pre6) - Commons Logging (1.0.4) - JBoss Application Server (3.2.7) - JDBC (2_0) - JTA (1.0.1) - JUnit (3.8.1) - Log4j (1.2.9)

Bundling OSS into other code
[Diagram: Project Foo: GPL v2; Project Time: BSD; Project Commercial: Restrictive EULA, containing Project Foo: GPL v2 and Project Time: BSD]
What if I take a file that is under one license and I distribute it under a different license – do I have to comply with the original license?

Use of OSS under GPL
Example: How OSS is used may change...
[Diagram labels: Using OSS, Distributing OSS]
• Internal Use
• Use by wholly owned sub
• Use by an outsourcer or contractor
• Sub is sold to a 3rd party
• Software shared with “partner” during further development
• Software distributed to end users
• Revisions made to FOSS
• Linked to or bundled with proprietary code
Changes in how FOSS is used can impact license compliance

Jacobsen v. Katzer: Opens the door
• Model train software under Artistic License
• Distribution without notice (non-compliance)
• Question: contract or copyright
• Contract – State Court and no consideration (OSS is free)
• Copyright – Federal Court
• OSS license obligations are conditions precedent to the license.
• Failure to comply with obligations extinguishes license.
• Case settled.

Google v. Oracle: 9 lines is enough
“the jury reasonably found that Google’s copying of the rangeCheck files was more than de minimis;” - CAFC

APIs/taxonomy are copyrightable
• “the declaring code and the structure, sequence, and organization of the API packages are entitled to copyright protection” – CAFC (Google v. Oracle)

Upon Remand – Google saved writing a $9.3 Billion check by “fair use” doctrine
• June 2015 – Supreme Court denied Certiorari
• March 2016 – Oracle filed for $9.3 Billion
• Actual Damages of 0.475B and Profits Apportioned to Infringed Java Copyrights $8.829B.
• May 2016 – On remand to the District Court for a trial on Google’s fair use defense, a jury unanimously found that Google’s use was protected by Fair Use
• Under Fair Use, reproduction for purposes such as criticism, comment, news reporting, teaching, scholarship, or research is not an infringement of copyright

Versata, Ameriprise, Ximpleware
• “the GPL is a ‘viral’ license in the sense the incorporation of a GPL-covered software program into a new program ‘infects’ the new program and requires it to become open source, too” – District Court W.D. Texas
• Take away: Compliance is important even for customers (Ameriprise)

Welte v. Fantec – Germany
• GPLv2.0 software used in a media player
• Fantec: Fantec’s supplier assured them compliance with GPL terms.
• Result: Welte was awarded Attorney’s fees and damages.
• German Court stated:
• “Here, Defendant was not allowed to rely merely on its suppliers’ assurances that the works supplied did not infringe any third-party rights.
• In any case, Defendant should have performed its own review of the software, or have someone perform, by hiring knowledgeable third parties, such a review of the software offered and provided by Defendant – even if this would have resulted in additional costs.”

Ximpleware v. Versata – Downstream use
• Versata provided Distribution Channel Management software to Ameriprise
• Versata sued Ameriprise for redistributing DCM software
• Ameriprise counterclaimed Versata violated GPLv2 under copyright that preempted the breach of contract filed by Versata.
• XimpleWare developed and owns XML parsing software used by Versata
• XimpleWare sued both Versata and Ameriprise
• Ameriprise patent license under preamble, never modified code, did not distribute
• XimpleWare, downstream license terminates when Versata license terminates
• Court Held: “even if the original licensee—here, one of the Versata entities—breaches its license for whatever reason, third-party customers of that original license retain the right to use XimpleWare’s software so long as the customer does not itself breach the license”

Ximpleware v. Versata – Take-away
• “the GPL is a ‘viral’ license in the sense the incorporation of a GPL-covered software program into a new program ‘infects’ the new program and requires it to become open source, too” – District Court W.D. Texas
• Compliance is important even for customers (Ameriprise)

Roadmap to Compliance
• 1st appreciate Open Source Software’s benefits
• 2nd develop an Open Source Software Strategy
• 3rd know your code: Education, Point Person
• 4th know the licenses associated with your code
• 5th comply or use different software

Rod Cope
• CTO, Rogue Wave Software
• Previous:
• Founder and CTO, OpenLogic
• IBM, IBM Global Services, GE, Anthem BCBS
• roguewave.com
• [email protected]
• @RodCope

Rick Leach
• Intellectual Property Attorney at Brooks Kushman, P.C.
• brookskushman.com
• LinkedIn Information