Latest top ten legal developments in FOSS
Top 10 FOSS legal stories in 2016
The year 2016 resulted in several important developments that affect the FOSS ecosystem. While they are not strictly "legal developments" they are important for the community.
For one, Eben Moglen, the general counsel of the Free Software Foundation, stepped down. Eben has been a leader on FOSS legal issues since the late 1990s and has been critical to the success of the FOSS movement. The FOSS community owes him a huge debt of gratitude, and I expect that he will continue to be active in the FOSS community. The success of FOSS adoption was dramatically illustrated when Microsoft joined the Linux Foundation and summarized in the article, Open Source Won. So, Now What? in Wired magazine.
The year 2016 has also seen another significant increase in decisions in litigation involving FOSS issues, and several of them are very important. This increase in litigation is a reminder of the importance of an active compliance program for all corporations who use FOSS, which now means virtually all corporations. Continuing the tradition of looking back over the top ten legal developments in FOSS, my selection of the top ten issues for 2016 is as follows:
1. First Linux system copyright troll in Germany revealed
Patrick McHardy, an early contributor to Linux, has been using the threat of litigation in Germany to obtain monetary settlements, essentially acting like a copyright troll. He has been active for three years and is believed to have approached over 80 companies. This number is difficult to estimate because many companies have settled without a court action, and, in any case, German court proceedings are confidential.
Although I have discussed this case privately in the past, I and many other lawyers have been reluctant to discuss it in public to avoid encouraging copycats. However, in July 2016, the Netfilter project suspended McHardy from the Netfilter core team because "severe allegations have been brought forward against the style of his license enforcement activities." This suspension was the first time that any contributor had been suspended. The next day, Karen Sandler and Bradley Kuhn of the Software Freedom Conservancy published a blog characterizing McHardy as a "GPL monetizer."
We have been involved in a number of enforcement actions brought by McHardy. His strategy is to threaten copyright enforcement against the company for violation of the GPLv2 through the use of an expedited copyright enforcement procedure available under German law. He then obtains a settlement with the company he alleged to have violated the GPLv2. The settlement agreement will include a provision that the company will comply with the terms of the GPLv2, which is a common term in these types of settlements in Germany. McHardy then returns to the company several months later with another demand based on the settlement agreement; these demands can be for hundreds of thousands of euros.
The enforcement of a settlement agreement is considerably more simple than enforcement of the GPLv2 because the enforcement of the GPLv2 raises many novel issues (see the summary of the VMware case below). Although he will sometimes characterize his actions as focused on "compliance," he is clearly more focused on making money. For more information, see my presentation from the Practicing Law Institute.
2. CyanogenMod: Android fork fails
CyanogenMod LLC was a venture capital-backed company that developed CyanogenMod, a customized, aftermarket firmware distribution for several Android OS devices. The CyanogenMod firmware is based on the Android Open Source Project. CyanogenMod firmware was considered a significant potential competitor to Google’s Android OS because of its significant funding. As I noted last year, the company had a significant dispute based in India with one of its competitors. In a surprising development, CyanogenMod announced on December 23 that it would be shutting down. The company fired its CEO in the fall and laid off all of its workers at the end of 2016. After the termination, a group of CyanogenMod employees formed Lineage, which they describe as "more than just a 'rebrand'" and "a return to the grassroots community effort that used to define CM while maintaining the professional quality and reliability you have come to expect more recently."
3. Successful forks: ownCloud and MariaDB
The story of ownCloud is a reminder of the critical importance of a project’s founder and its community. OwnCloud, a German company, was a venture-backed company with a U.S. subsidiary that had raised $10 million. The company used an "open core" model in which certain parts of the software were not made available under an open source license. However, the founder and CTO, Frank Karlitschek, left ownCloud and announced that he was starting a new company, Nextcloud, which would provide the project on a completely open source basis. Karlitschek stated that he believed ownCloud's strategy was inconsistent with the desires of the community, and Nextcloud's strategy would be to make all of the project software available under an open source license. The departure of Karlitschek caused the U.S. subsidiary of ownCloud to shut down within 24 hours. Two weeks after his departure, Nextcloud had released a new version of the project software. Most of the community appears to have followed Karlitschek to Nextcloud. MariaDB, the fork of MySQL, announced that it had raised an additional $12 million in funding from venture capital investors in two tranches: $9 million and $3 million. The company also announced the appointment of Michael Howard as the CEO in December 2015.
4. Mozilla Foundation creates the Secure Open Source Fund
The Mozilla Foundation announced a $500,000 fund to assist open source projects in becoming more secure. It is designed to fund the auditing and correction of security problems for open source projects. Security is a major issue for all software users and has become increasingly important for users of open source software. The fund is similar in purpose (but more focused) to the Linux Foundation Core Infrastructure Initiative (LFCII), which was founded in 2015 and aims to back open source projects that may not otherwise have support (and the support includes assistance with security problems). The LFCII is supported by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, Salesforce.com, and VMware. The LFCII was founded after the Heartbleed virus in the OpenSSL project created significant concerns in the community. The Mozilla Foundation said that it intends to work collaboratively with the LFCII. The foundation said that fund's focus on point-in-time solutions is the main difference between LFCII and the fund. The fund has worked on six security audits of major projects.
5. Hellwig suit against VMware for the violation of GPLv2 dismissed
The Linux operating system is one of the most widely used FOSS programs in the world, yet it has rarely been involved in litigation, although that may be changing as shown by the McHardy litigation mentioned. In March 2015, Christoph Hellwig, a key Linux kernel developer, sued VMware in the district court of Hamburg, Germany. Hellwig asserted that VMware had violated the terms of the GPLv2 by combining VMware's proprietary code, called "vmkernel," with Linux in a manner that created a derivative work, but did not provide the complete corresponding source code of vmkernel under GPLv2. The vmkernel is the "kernel" of VMware's ESXi operating system that manages the hardware and software resources of the physical server.
VMware has responded that vmkernel is not a derivative work of Linux but only interacts with Linux through the VMK API. VMware also noted that drivers working with vmkernel do not need to be Linux drivers, but according to VMware it offers a "compatibility alternative through a loadable kernel module called 'vmklinux,' which in association with any Linux drivers, is loaded by the vmkernel and interfaces with the vmkernel through VMK API." The facts relating to the dispute cannot be confirmed because the complaint and other court documents are confidential under the rules of German courts.
The Hamburg court dismissed Hellwig's complaint on the basis that Hellwig had failed to prove which components of the Linux system he had developed and whether such components were used by VMware. Hellwig has announced that he will appeal the ruling.
6. Project governance: Problems with contributors
The increasing reliance upon FOSS by commercial users has focused attention on project governance. The potential challenges of managing contributions was illustrated when developer Azer Koculu removed his modules from NPM. One of the modules, labeled Kik by Koculu was particularly important to many projects. Koculu had contributed the code to NPM, and it was an extension for the popular programming language Node.js. The Kik code was used by thousands of programs.
Kik, the popular messaging application with over 200 million users, objected to Koculu's use of Kik to name the module in a polite letter. Koculu refused to change the name and Kik sent a demand to NPM. Based on NPM's package name dispute resolution policy, NPM notified both parties that the package name should be changed. In response, Koculu pulled out his files from the NPM project without warning. Koculu said, "This situation made me realize that NPM is someone's private land where corporate is more powerful than the people, and I do open source because, Power to the People. Summary: NPM is no longer a place that I’ll share my open source work at, so, I’ve just unpublished all my modules."
The removal of these modules broke thousands of projects even though another contributor replaced a critical project (left-pad) using Koculu's code with modules with the same functionality, and other contributors provided forked versions of the other 273 projects unpublished by Koculu. Many users of the NPM site criticized the project for poor management of contributions and permitting the "unpublishing" of the modules. According to NPM, the problem was resolved within 2.5 hours.
The incident resulted in considerable discussion and misunderstanding of the legal issues involved by the community. This experience emphasizes the need to consider carefully the policy for managing contributions and to educate developers about legal issues. I have dealt with this issue for a number of projects and agree with NPM's approach of changing the package name. Koculu's response to Kik's request demonstrates his fundamental lack of understanding of the legal issues, and his "unpublishing" of his modules is inconsistent with FOSS ethos. In fact, it seems petulant. However, the resolution of the problem also reflects the flexibility of FOSS because NPM was able to resolve the issue very quickly through the forking of the original modules.
7. Project governance: Compliance strategy for Linux
The Linux project continues to be one of the most important and widely used open source projects. Linux celebrated its 25th year in August 2016, and it is a tremendous success. Ironically, the celebration of this anniversary coincided with a dispute over how to achieve compliance with the license for the project, GPLv2. Bradley Kuhn of the Software Freedom Conservancy (and some others) argued strongly that the lawsuits were essential to obtain compliance, saying that the choice is binary, "In response, we have two options. We can all decide to give up on the GPL, or we can enforce it in the courts."
Greg Kroah-Hartman strongly opposed this formulation, and described his success in negotiating with companies to obtain compliance and how those companies then became active community members. Linus Torvalds supported Kroah-Hartman and stated that lawsuits should almost never be used to seek compliance because persuasion is much more effective, and lawsuits damage the community. Although eventually the parties appeared to come to agreement that litigation should be the last resort, it is not clear that they agreed on when the “last resort” should be exercised.
The challenge for the Linux community is to decide when to bring litigation to enforce the GPLv2. What it means in many situations is that to be compliant is currently left to individual contributors rather than being based on a set of community norms. As Theodore Ts'o noted, this issue really concerns project governance. Although permitting individual contributors to make these decisions may be the Platonic ideal, the tradeoff is ambiguity for users trying to be compliant as well as the potential for rogue members of the community (like McHardy) to create problems. The members of the Linux community and other FOSS communities need to consider how they can best assist the members of their community to understand what compliance means and to determine when litigation might be useful in furtherance of the community's goals.
8. Corporations release projects under FOSS licenses
As I have noted for the last two years, many large companies are using FOSS as an explicit strategy to build their software. This trend continued this year and broadened to include many nontechnology companies. Walmart open sourced OneOps, a cloud management tool the company uses internally to run the infrastructure that underpins its e-commerce sites. ExxonMobil released a developer toolkit under an open source license to help oil and gas companies adopt standard data formats. These releases continue a trend where major corporations use FOSS development techniques to manage projects that they have developed internally, but which can be more cost effectively managed by a community.
9. Google Android litigation
The copyright litigation over the Java APIs between Oracle and Google continued this year. After a victory by Oracle Corporation in the Court of Appeals for the Federal Circuit (CAFC) in 2014, the case was remanded to the district court for a finding on the fair use defense. Under U.S. law, the determination of "fair use" is determined based on consideration of four factors: (i) the purpose and character of your use, (ii) the nature of the copyrighted work, (iii) the amount and substantiality of the portion taken, and (iv) the effect of the use upon the potential market. In May 2016, a jury determined that Google's copying of certain code from the Java APIs was fair use. Oracle filed its appeal later in the year. The CAFC decision that the structure, sequence, and organization of the Java APIs is protectable under copyright law remains in effect and will affect the interpretation of FOSS licenses in the future.
10. FCC's potential ban on open source software for routers
The confusion about FOSS, which I discussed last year, stems from the FCC's proposed new regulations for routers. The initial draft appeared to prohibit the use of FOSS because of the requirement that manufacturers prevent user modifications that would enable radios in the routers that operate outside of their license or licensed parameters. The FCC noted that its actions are meant to address "interference" with FAA Doppler Radar weather systems caused by modified devices and other potential problems.
After a massive negative response by the FOSS community, the FCC clarified that the guidance was not meant to prevent the use of FOSS and that router manufacturers can implement the guidance using a number of technical approaches. Many FOSS commenters remain skeptical about the FCC’s response.
In a continuation of the controversy, the FCC fined TP Link USA $200,000 in 2016 for its failure to comply with these regulations. In the decision, the FCC expressly stated that the use of FOSS was not prohibited; however, the decision went on to state that the software used in routers cannot permit users to change certain functions to operate outside of the assigned frequencies or types of modulation permitted in the FCC regulations. The reaction to this fine, as well as the FCC’s attempt to clarify its position in the FOSS community, has been negative. The conflict between the FCC and the FOSS community goals does not appear to have a simple resolution. The FCC has a reasonable goal to prohibit changes to the router functionality that would result in potential interference with spectrum use, and the goal of the FOSS community is to have complete flexibility to modify the functions of the router software. I expect that this conflict will continue.