
Free, Open-Source, and Possibly Risky

Once an exception, the use of free and open-source software (FOSS) in commercial software products has become the rule. FOSS is particularly attractive to resource-strapped companies looking to avoid high software development costs or licensing fees, but even the biggies in the tech industry use FOSS. Despite its common use, FOSS carries risks and you need to do your due diligence.

FOSS licenses typically allow the public to access, modify, and redistribute the source code for the licensed software free of charge. In many instances, FOSS licenses also include a “viral” aspect in that they require the source code of derivative or collective works that include the licensed open-source software to be made available publicly under similar open source terms. Some FOSS licenses are restricted to noncommercial use and forbid use of the licensed software in products for commercial sale.

Despite the ubiquity of FOSS, its use is not without risks, including:

  • Unintentional license grants or encumbrances on a company’s intellectual property;
  • Exposure to contractual or intellectual property claims from FOSS licensors, distributors, or customers; and
  • Damage to a company’s reputation within the FOSS and business communities.

When a company is planning a merger or acquisition, or an investor is interested in investing in a technology company, the transaction is almost always subject to a due diligence review process, in which the proposed acquiror or investor takes an in-depth look at the company or assets that are the subject of the transaction.

Appropriate due diligence review of FOSS will vary depending on the specific characteristics of the proposed transaction:

  • If the target uses software internally, but its products or services don’t incorporate or depend on software, a FOSS review may be unnecessary;
  • If the target’s rights to use software affect the value of the proposed transaction, there should be at least some FOSS due diligence; and
  • If the target’s rights to use particular software are fundamental to the value of the transaction, a thorough review of the target’s FOSS use, contributions, policies, and practices is critical.

FOSS due diligence used to involve simply making sure that so-called “copyleft” software hadn’t been used by the target, but current practice includes much more. For example, the acquiror or investor may review the complete inventory of the target’s FOSS and all FOSS provisions in agreements that the target may have with suppliers, contractors, partners, and customers.

FOSS can serve as the backbone of a wide variety of technology companies, but don’t ignore the risks associated with its use. For an overview of FOSS licenses and a look at the specific concerns for investors, check out Free and Open-Source Software Diligence in Mergers, Acquisitions, Public Offerings, and Other Investments by Andrew J. Hall in the Winter 2014 issue of the California Business Law Practitioner. A related article was in the Fall 2009 issue: Open Source: A Challenge Worth Meeting.

Open-source software licensing issues are also covered in CEB’s Internet Law and Practice in California, chapters 8 & 22, and Intellectual Property in Business Transactions, chapter 8.


© The Regents of the University of California, 2014. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.

3 replies on “Free, Open-Source, and Possibly Risky”

This is a nightmare for those drafting licensing contracts, especially in the highly regulated financial services industry. Our policy is that either the contracting party must indemnify us as they would their own IP, or they must disclose each and every instance of “fourth-party” software, the contract terms, and details about the licensing scheme employed.

In the case of FOSS, there is such a wide range of potential risks for even using FOSS, that this is a significant, unanticipated overhead cost for both parties just to reach the point of having the necessary information to make an informed decision about risk mitigation strategies.

Like much of the outsourcing cost/benefit analysis, this significantly overestimates the savings of integrating FOSS into your products or third-party solutions. A supplier who acknowledges this cost and risk to customers will maintain very detailed source mapping documentation, and negotiate with their suppliers for indemnity wherever possible. In the case of FOSS suppliers, however, there is rarely (never) a willingness to offer indemnity for IP.

There probably is no great solution, save going through the costly due diligence, and to lobby for reforms in laws for downstream IP infringement liability for users of FOSS supplied by third parties.

Rob Berry-Esq.
