Larry Rosen: A Case Study In Understanding (and Enforcing) the GPL 191
lrosen (attorney Lawrence Rosen) writes with a response to an article that appeared on Opensource.com late last month, detailing a court case that arose between Versata Software and Ameriprise Financial Services; part of the resulting dispute hinges on Versata's use of GPL'd software (parsing utility VTD-X, from Ximpleware), though without acknowledging the license. According to the article's author, attorney Aaron Williamson (former staff attorney for the Software Freedom Law Center), "Lawyers for commercial software vendors have feared a claim like this for essentially the entire 20-odd-year lifetime of the GPL: a vendor incorporates some GPL-licensed code into a product—maybe naively, maybe willfully—and could be compelled to freely license the entire product as a result. The documents filed by Amerprise in the case reflect this fearful atmosphere, adopting the classically fear-mongering characterization of the GPL as a 'viral' license that 'infects' its host and 'requires it to become open source, too.'" Rosen writes: I want to acknowledge Aaron's main points: This lawsuit challenges certain assumptions about GPLv2 licensing, and it also emphasizes the effects of patents on the FOSS (and commercial) software ecosystem. I also want to acknowledge that I have been consulted as an expert by the plaintiff in this litigation (Ximpleware vs. Versata, et al.) and so some of what I say below they may also say in court.
Read on for the rest (and Williamson's article, too, for a better understanding of this reaction to it). An important take-away: it's not just the license that matters.
Let's be open about the facts here. Ximpleware worked diligently over many years to create certain valuable software. The author posted his source code on SourceForge. He offered the software under GPLv2. He also offered that software under commercial licenses. And he sought and received and provided notice of United States patent claims related to that software.
Unbeknownst to Ximpleware, Versata took that GPLv2 software and incorporated it into Versata products – without disclosing that GPLv2 software or in any other way honoring the terms of the GPLv2 license. The reason Ximpleware became aware of that GPLv2 breach is because some months ago Versata and one of its customers, Ameriprise, became embroiled in their own litigation. The breach of GPLv2 came out during discovery.
Ximpleware has terminated that license as to Versata. This is exactly what the Software Freedom Conservancy and others do when confronted by GPL breaches.
That earlier litigation is between two (or more) commercial companies; it is not a FOSS problem. These are mature, sophisticated, profitable companies that have the wherewithal to protect themselves. I know in my own law practice, whether I represent software vendors or their commercial customers, we typically provide for some level of indemnification. Perhaps Ameriprise and the other customer-defendants can count on Versata defending them against Ximpleware. Such a commercial dispute between big companies – even if it involves the GPLv2 software of a small company and separate indemnification for copyright or patent infringement – is between them alone.
But as to Ximpleware and its GPLv2 copyrighted and patented software, there are a few misunderstandings reflected in Aaron Williamson's article:
1. The notion of "implied patent licensing" has no clear legal precedent in any software licensing. While it is true that goods one purchases include a patent license under what is known as the "exhaustion doctrine," there is no exhaustion of patented software when copies are made (even though copying of the software itself is authorized by GPLv2). For example, a typical commercial patent license nowadays might include a royalty for each Android phone manufactured and sold. Companies that distribute Android phones and its FOSS software acquire patent licenses so recipients of their phones are indeed free to use those phones. But that isn't because of some implied patent licenses that come with Android software, but because commercial companies who distribute phones pay for those patent rights, directly or indirectly. I think it is entirely reasonable to require commercial companies to get their patent licenses in writing.
2. Versata's customers who received the (in breach!) GPLv2 software all moved to dismiss Ximpleware's infringement claims against them, pointing to Section 0 of GPLv2, which says, "[t]he act of running the Program is not restricted." What that sentence actually means is just what it says: The GPLv2 copyright grant itself (which is all there is in GPLv2) does not restrict the act of running the program. Nor could it; that is a true statement because running a program is not one of the enumerated copyright rights subject to a copyright license (17 USC 106). The authors of the GPL licenses have themselves made that argument repeatedly: The use of software is simply not a copyright issue.
3. Because there are U.S. patent claims on this Ximpleware software, Section 7 of GPLv2 prohibits its distribution under that license in the United States (or any jurisdictions where patent claims restrict its use). If Ameriprise and the other defendants were outside the U.S. where the Ximpleware patents don't apply, then GPLv2 would indeed be sufficient for that use. But inside the U.S. those customers are not authorized and they cannot rely on an assumed patent grant in GPLv2. Otherwise GPLv2 Section 7 would be an irrelevant provision. Reread it carefully if you doubt this.
The Versata customers certainly cannot depend on an implied patent license received indirectly through a vendor who was in breach of GPLv2 since the beginning – and still is! Versata ignored and failed to disclose to its own customers Ximpleware's patent notices concerning that GPLv2 software, but those patents are nevertheless infringed.
Should we forgive commercial companies who fail to undertake honest compliance with the GPL? Should we forgive their customers who aren't diligent in acquiring their software from diligent vendors?
As Aaron Williamson suggests, we shouldn't ignore the implications of this case. After all, the creator of Ximpleware software made his source code freely available under GPLv2 and posted clear notices to potential commercial customers of his U.S. patents and of his commercial licensing options. Lots of small (and large!) open source commercial companies do that. Although it is ultimately up to the courts to decide this case, from a FOSS point of view Ximpleware is the good guy here!
There is rich detail about this matter that will come out during litigation. Please don't criticize until you understand all the facts.
------------------------------------------
Lawrence Rosen
Rosenlaw & Einschlag (lrosen@rosenlaw.com)"
What if it were Microsoft code (Score:5, Insightful)
If they had a Microsoft library not authorized for free distribution in their program, Microsoft would be demanding substantial damages.
Re:What if it were Microsoft code (Score:5, Insightful)
Indeed. I fail to see why GPL software is being picked on here. You lift someone else's copyrighted code without permission and without abiding by any licensing agreements, you are SOL if you get busted.
Re:Software patents (Score:5, Insightful)
Re:What if it were Microsoft code (Score:3, Insightful)
Re:What if it were Microsoft code (Score:5, Insightful)
The difference is that the code is distributed for free. No judge is going to award damages for the redistribution of something that is free. At least, not actual damages, like $$$ per infringing copy. The breach of the terms (like not redistributing the source code) could be translated to some punitive damages, perhaps.
I don't see how the lack of a monetary cost for _one_ of the licensing options should affect awarding damages.
Probably the best outcomes you can hope for are: the violator of the license is either asked to stop distributing the software, or else to come into compliance: replace the GPL'ed part with a from-scratch workalike, so that the program is no longer distributed with any GPLed code, or else make the whole program GPLed.
You forgot the third option in this case. If Ximpleware is open to it, they could pay for a commercial license.
Re:What if it were Microsoft code (Score:2, Insightful)
The code wasn't distributed for free. It was distributed under a choice of two separate licenses: One was the GPL, one was commercial. Clearly, the commercial license route wasn't taken, and the GPL license wasn't adhered to.
Do What Though Wilt (Score:2, Insightful)
BSD license removes most of these legal acrobatics.
The GPL has behind it an altruistic notion. That is, that your code can be extended and improved and will still remain free. I've always been of the view that it is even more altruistic to let people do what they wish with my code, even if that means closing it off in proprietary products, not acknowledging my efforts, and making money off of it while not giving any back to me.
If a company does make money of of my code, then great, I hope they create lots of jobs and provide benefits, and generally improve whatever economy the reside in.
Morality vs The Law (Score:5, Insightful)
(For the sake of disclosure, IAAL, I am a software developer, I have written GPLv2 code, and I have litigated GPLv2 cases, but I have absolutely zero involvement in this matter)
The question here is really just the classic question of the morality and mentality of the free/opensource (I'll just say opensource from this point) movement vs. the harsh realities of patent and copyright law. The author above, and the author of the mentioned article, pitch this as some triumphant fight for the glory of something-or-other, but the truth is that it's: 1) a money grab, 2) a principled fight to teach violators a lesson, or 3) a some combination of both. Having reviewed the litigation tactics here; I have to lean towards money grab.
That said, having intimate knowledge of both sides of the equation here (opensource development ideas and IP attorney mentalities), I can attest that the ideals employed by both sides are, generally, diametrically opposed. Is Ximpleware is right, legally, in the fact that it can release a GPLv2'd software, file patents on the ideas, and then sue the living pants off everyone for patent violations? Frankly, yes because IP laws are harsh and designed to be massive swords. Still, the defendants have decent equitable arguments for estoppel under their implied license/baiting arguments which have precedent in the realm of copyrights. Outside the legalities, is it morally right as an opensource developer? No, probably not.
Suing the hell out of a violator? Go for it. Suing the hell out of a customer with knowledge of the infringement: Sure, why the hell not. But sending off lawsuits to unwitting customers who simply purchased a product they didn't know was infringing? Now you're pushing the line. Such actions have real world consequences. The litigation of these cases is extremely expensive, extremely time consuming, and a corporation must hire representation in U.S. courts (they cannot appear pro se). Most attorneys ignore those realities because, frankly, the suffering of a defendant is of no concern. The only thing that matters is whether the case is meritorious; if so, I'm suing the living pants off you because the law says I can. The motto is typically summarized as: legal, not ethical. But is that what the opensource world wants to present?
Mr. Rosen throws around "indemnification" and "diligent" arguments to justify the lampooning of what most people would consider "innocent" parties, but they're shill arguments at best. The simple truth, is that you're not furthering the opensource movement in any way. As for indemnification, it is a farce. First, it's speculative that any such agreement exists. Second, the indemnitor needs to: 1) agree to honor it's obligation; 2) have the resources to honor it's obligation; and 3) actually honor the obligations. The reality is that a request for indemnification is just as likely to result in more lawsuits, as it is to result in a resolution for the downstream users. Beyond that, if original defendant files for bankruptcy, indemnification is worth absolutely squat. As for "due diligence," any software engineer will readily admit, it is nearly impossible (especially for small to mid-sized firms that are letting non-technical staff handle acquisitions). It's not impossible, just cost prohibitive. Ask yourself, What purpose does destroying a company serve to the greater cause of opensource? Is it legally viable, sure, but is it worth it, morally?
All that to say, I wish people would stop trying to co-opt grand ideals and sugar coating these types of cases. The plaintiff has sued the living hell out of everyone because, legally, they can. In turn, those actions makes settlement more likely, since the upstream infringer is now getting complaints from his clients and costs are rapidly mounting up. Was it legal? Sure. Was it moral and in-line with the opensource movement's ideals? Well, that really depends on what side of the line you fall on. But regardless of where you are on that line, is possibly destroying the lives (yes, personal live
Re:What if it were Microsoft code (Score:5, Insightful)
So now your program A is GPL.
No. No, it isn't. Your program A is not GPL, it's infringing.
You may cure that infringment a number of ways, including: stripping the infringing code, paying the authors for an alternative license, pay the authors what the court orders you to pay them and, yes, releaseing program A under the GPL. The point is, how you cure the infringement is up to you. The GPL does not automatically attach to your code and if push comes to shove the court will order monetrary damages not compulsory licensing.
Re: What if it were Microsoft code (Score:2, Insightful)