Free and open source software (FOSS) has made huge inroads over the last decade or two, especially in the corporate world. Even so, some legal departments can be wary of their organizations using or contributing to FOSS.
Convincing the lawyers, and the firms employing them, requires education, according to Andrea Casillas and Deb Nicholson of the Open Invention Network. At this year's LinuxCon North America, Andrea and Deb are giving a talk titled "Use More Free and Open Source Software at Work—How to Approach the Legal Department." Ahead of their talk, Andrea and Deb took some time to answer a few questions about the issues surrounding FOSS in the enterprise.
What are some of the main objections legal departments have to using FOSS in an enterprise?
Deb Nicholson: I think a lot of the reluctance comes from a lack of understanding about how FOSS works. They hear "sharing" and are afraid that they'll have to share their database or their content along with their bug fixes, which is just not true.
Andrea Casillas: Generally, the legal concerns come from the standpoint of security, risk management and compliance. The "sharing" aspects associated with FOSS can seem overwhelming at first.
In your experience, why do they have these objections?
DN: The companies who are basing their businesses on FOSS tools all know about each other. They talk to each other and attend the same conferences. FOSS projects share ideas about best practices for using FOSS internally and contributing to FOSS externally. I suspect that the companies who aren't on board yet just aren't talking to their peers about these things.
AC: The lack of understanding and fear that Deb mentioned earlier plays a role when considering security breaches and risk management. When lawyers are unclear about how FOSS works, and instead only hear about how software is openly shared and further developed by the public, the process can seem vulnerable and time-consuming to control.
Is it just large firms that are wary of using FOSS, or do small- and medium-sized firms have worries as well?
DN: Startups are often under pressure from funders to get patents and choose proprietary licenses. This is often not because it is in the new project's best interest, but because venture capitalists want assets they can sell if the startup fails.
AC: Medium-sized firms are often looking at competitors who are bigger and use proprietary software business models. If they think that the best way to compete with a larger player is to emulate them, they may be wary of choosing FOSS.
How long can it take to educate companies on the benefits of using and contributing to FOSS?
DN: 30 years? I'm only sort of kidding. Free software has been around for over 30 years and there are definitely some large legacy tech companies that have just started seeing the light. However, I do think the ubiquity of FOSS is going to make the adoption process shorter and shorter as we go along.
AC: Seriously though, having a point person who is comfortable understanding licenses within the company can make all the difference. There are many aspects that can seem nuanced to an organization that is just beginning to use FOSS. Having a point person that can provide internal guidance and give examples helps companies become proficient FOSS users and contributors.
What are the most important aspects of FOSS to educate company leadership about?
AC: Companies need to be aware of the various ways to protect all their intellectual property. For some, patenting might be the best option. However, this is not the only option and there are risks associated with patenting. Additionally, trademarks are critical for FOSS in a different way than they are for proprietary software companies.
DN: The idea of cooperating with your competitors is a huge cultural change for many traditional companies and so they end up reinventing the wheel. This is not how you get the most out of participating in a collaborative project. The sooner they realize that they can ask for help, find out what other companies are doing and how they are handling things in their legal departments, the better off they'll be.
What are the main points of resistance, and how can FOSS advocates get around them?
AC: There are legal issues associated with software—whether it is FOSS or proprietary. The environment becomes even more complicated when patents are involved. Luckily, FOSS has been around for many years so there are plenty of strategies and business models to borrow from. The solution for companies has to involve something more than ignoring these issues.
DN: Change is hard. There may have to be lots of small steps before you can convince your employer to become a model citizen in the FOSS community. Sharing examples of lucrative FOSS companies can go a long way.
In your experience, which FOSS licenses do most firms choose? And why?
DN: If they are joining an existing community, they go with the upstream license. If a company is savvy about patents, they'll choose a license with a patent clause, like GPLv3 or Apache 2.0, for their code.
AC: No matter which license you opt to use, choose something that is well-known. With the variety of licenses available, there is no need to create something from scratch.
How can companies make sure they comply with the FOSS licenses they choose?
AC: The best way to teach compliance is to learn about the licenses. Send your lawyers to a continuing legal education course! They don't teach us about FOSS in law school.
DN: Choose a governance model that clearly spells out what licenses you want for internal stuff and external stuff. There are several non-profit organizations that maintain FAQs about software licenses—for example, the Free Software Foundation, the Open Source Initiative, and the Apache Software Foundation. You can also consult the community regarding best practices.
This article is part of the Speaker Interview Series for LinuxCon, CloudOpen, and ContainerCon North America 2015. LinuxCon North America is an event where "developers, sysadmins, architects and all levels of technical talent gather together under one roof for education, collaboration and problem-solving to further the Linux platform."