by Tim Molino

Open source, the cloud and sleeping better at night

May 01, 2018
Cloud ComputingIT LeadershipOpen Source

As open source solutions are becoming more important in the cloud, staying ahead of potential patent, as well as copyright infringement claims, is vital.

The growing swath of enterprise open source solutions (OSS) is playing an important role in how companies and governments modernize their IT infrastructures, especially when migrating to the cloud.  The benefits of enterprise open source are vast, as it provides enterprises with options and capabilities they would not otherwise receive through proprietary software. Moreover, CIOs are never locked into a single vendor’s solution because the capabilities provided by open source are ubiquitous and constantly evolving.  Open source allows for the easy integration of new solutions, thus enabling IT professionals to improve legacy infrastructure more efficiently than working with proprietary solution vendors.

Open source solutions also lead to cost reductions.  As such, in its 2016 Federal Source Code Policy the federal government argued the effective implementation of the right open source tools can save a significant amount of money.  Cost reductions are especially relevant when migrating to the cloud, as the less a company spends on proprietary software, the more it can devote to its digital transformation efforts. 

However, there is always a catch . . . 

Open source is free in a monetary sense, but it is not necessarily free of legal obligations.  Open source software is like proprietary software in that they are both protected by copyright and, oftentimes, patents.  Thus, an enterprise must still comply with the applicable licenses to legally use the open source software.  It is incredibly important that enterprises fully understand their risks for both patents and copyright.  While programmers will have a thorough understanding of how the code operates, they likely will not understand—or even know—the legal implications of using a open source component.  Therefore, it is imperative that CIOs understand these legal scenarios, and that there are policies in place to prevent using code that is not properly licensed.  Still, there will always be risk, and managing that risk is essential. 

Managing the patent risk

As larger enterprises and developers continue to embrace open source, the number of patent infringement assertions is increasing.  The Citrix and Sound View Innovations cases are two examples.  Because the code is public, it is easy for a patent owner to determine whether the code infringes their patent.  Once a patent owner is confident an OSS component infringes its patent, the owner can then easily detect whether the invention is being used by an enterprise.  One can detect usage of OSS through job postings or knowledge of Hadoop, and once the OSS component user is identified, it is easy to efficiently prove infringement by comparing the code to the patent.  Non-practicing entities that own patent reading on OSS components have a great interest in focusing on common elements used by large numbers of entities, which allows them to efficiently assert infringement against multiple enterprises. 

While most companies think of patents as a potential litigation risk when implementing new software technologies, they often forget about the copyright angle.  This is likely one reason why there has been an uptick in assertions from copyright “trolls.”  So far, most of these lawsuits have occurred in Germany, but this could easily broaden out as lawyers get more creative.  The assertions derive from the notion of enforcing compliance with the OSS license.  So, as long as an enterprise is complying with all of the terms of the license, they are fine.  But if for some reason they don’t meet the license terms, the license can be terminated, and they have just become a copyright infringer. For example, the GPLv2 license is automatically terminated when one of its conditions is not met, and can only be reinstated by a copyright holder, thereby creating a potentially important exposure to copyright claims. The Linux community was recently able to successfully defend themselves, but other, more sophisticated copyright trolls may emerge over time.  In an attempt to get ahead of the game, a number of companies (RedHat, Google, Microsoft, etc.) recently announced a set of cure rights for software under their General Public Licenses (GPL).  The goal is to create industry norms that allow for fixing honest mistakes in complying with GPL software.

Furthermore, it is unclear how the recent appeals court decision in the Oracle v. Google case will change the litigation landscape in the United States.  Some stakeholders assert that it could create a storm of copyright litigation in the software space. 

As you migrate to the cloud, what can you do to make sure your company doesn’t fall prey to an assertion?  First, there are groups that are defining best practices for minimizing OSS risk.  For example, your enterprise could commit to the aforementioned cure rights.  You could also ensure your cloud provider has a broad indemnity policy. One of the main reasons you are moving to the cloud is to sleep easier at night—not only do you want your enterprise to be more secure and the system to be more reliable, you also want to ensure your legal liability is more limited than before.