In 2018, we saw a clear demonstration of the free and open source software (FOSS) business model's importance when IBM moved to purchase Red Hat for $34 billion. The FOSS ecosystem also celebrated its durability last year, as the Open Source Initiative (OSI) celebrated the 20th anniversary of the open source movement.
Meanwhile, old legal problems returned. We saw another significant increase in litigation decisions involving FOSS issues, and several of these cases are very important. This increase in litigation is a reminder of the importance of an active compliance program for all corporations that use FOSS (which now means virtually all corporations).
Continuing the tradition of looking back to spot trends that will affect the future, the following are 2018's top 10 legal developments in FOSS.
1. McHardy, the Linux system copyright troll in Germany, returns
Patrick McHardy, an early contributor to Linux, has been using the threat of litigation in Germany to obtain monetary settlements, essentially acting like a copyright troll. He has been active for five years and is believed to have approached over 80 companies. This number is difficult to estimate because many companies have settled without court action, and German court proceedings are confidential. McHardy's litigation activities were first identified publicly in 2016, and he was inactive for a time in 2017.
However, in early 2018, we saw an important decision in his enforcement action against Geniatech: Initially, McHardy won an injunction against Geniatech prohibiting further distribution of its satellite TV receivers due to their alleged violation of the GPLv2 for Linux software. However, in March 2018, the appellate court in Cologne reversed the decision, ruling that:
a) McHardy is not co-author of the Linux kernel nor Netfilter;
b) McHardy might have rights in derivative works but did not provide sufficient evidence of the copyrightability of his contributions; and
c) McHardy might have misused his rights (if any), but the court noted that this issue would require further analysis. McHardy avoided further proceedings by withdrawing his petition for injunctive relief.
The finding on "joint ownership" is quite important because it would be very confusing if contributors were found to be joint owners of the copyright in the relevant program because the effects of joint ownership vary dramatically by country.
This case was unusual because McHardy has rarely been in court; his strategy is to threaten copyright enforcement against a company for violation of the GPLv2 through the use of an expedited copyright enforcement procedure available under German law. He then obtains a "settlement" with the company that he alleges violated the GPLv2. The settlement agreement includes a provision that the company will comply with the terms of the GPLv2, a common term in these types of settlements in Germany. McHardy then returns to the company several months later with another demand based on the settlement agreement; these demands can be for hundreds of thousands of euros. The enforcement of a settlement agreement is considerably simpler than enforcement of the GPLv2, which would raise many novel issues (see the summary of the VMware case below). Although he will sometimes characterize his actions as focused on "compliance," he is clearly more concerned with making money.
2. EC antitrust decision against Google's tying of Android software to its services
The European Commission fined Google €4.34 billion for breaching European Union antitrust rules. According to the EC, since 2011, Google has imposed illegal restrictions on Android device manufacturers and mobile network operators to cement its dominant position in general internet search. In addition, the EC demanded that Google bring the conduct effectively to an end within 90 days of the July 18, 2018, decision or face penalty payments of up to 5% of the average daily worldwide turnover of Alphabet, Google's parent company. According to the EC, Google uses anti-fragmentation agreements to keep manufacturers on Google's version of Android; currently most Android handsets (in all countries except the People's Republic of China) ship with Google's software and services bundled on them. Commissioner Margrethe Vestager, in charge of competition policy, identified three restrictions that violated EU antitrust law:
a) Google has required manufacturers to pre-install the Google Search app and browser app (Chrome) as a condition for licensing Google Play, its app store;
b) Google has made payments to certain large manufacturers and mobile network operators on the condition that they exclusively pre-install the Google Search app on their devices; and
c) Google has prevented manufacturers wishing to pre-install Google apps from selling even a single smart mobile device running on an alternative version of Android that was not approved by Google (so-called Android forks).
Google has appealed the decision.
3. Red Hat expands commitments to the GPL Cooperation Commitment
Red Hat expanded the companies who have agreed to the GPL Cooperation Commitment, which is a statement, signed by GPLv2 and LGPLv2.x copyright holders, that gives licensees a "cure" period for projects licensed under GPLv2 and LGPLv2.x licenses to correct unintentional violations before their licenses are automatically terminated. This approach is based on the cure provisions included in GPLv3. Red Hat significantly expanded the number of signatories in 2018, from four companies in 2017 (Red Hat, Facebook, Google, and IBM) to 40 companies at the end of 2018. Red Hat is also inviting individual contributors to sign the Commitment. Red Hat has shown significant thought leadership in finding a solution to a significant problem for the community.
4. Open Invention Network continues its expansion
OIN has been critical in minimizing the potential for patent litigation in the Linux ecosystem. OIN says it is the largest patent non-aggression community in history, with more than 2,750 community members. Prominent new members joined OIN in 2018, such as Microsoft, Tencent, Ant Financial, and Alibaba. Microsoft was a particularly interesting recruit because as recently as 2014, it made about $3.4 billion from licensing its patents to manufacturers of products using the Android operating system. OIN also expanded the scope of patent non-aggression agreements to include 151 new packages, bringing the total number of protected packages to 2,873.
5. OpenSSL license change
The OpenSSL project announced that it had completed its shift from the OpenSSL/SSLeay license to the Apache Software License version 2 (ASLv2). The project announced the proposed change in 2015. The original OpenSSL/SSLeay license was a non-standard permissive license and included a number of clauses, particularly relating to attribution, which were common in early FOSS licenses but dropped from more recent ones. The process took three years and emphasizes the difficulty of completing such transitions and, thus, the importance of selecting the most appropriate license at the beginning of a FOSS project. ASLv2 is becoming the favorite license for FOSS projects targeted at the enterprise.
6. Rise of FOSS in blockchain projects
Many blockchain projects are licensed under FOSS licenses. However, the blockchain community has not engaged with the FOSS community, and many of its choices seem unusual for infrastructure technologies. For example, the traditional Ethereum blockchain clients were licensed under GPLv3 and LGLv3.0. However, the blockchain community appears to be becoming more sensitive to these issues, and the release of the new PegaSys client under the ASLv2 represents a new sophistication to these issues.
The team that developed PegaSys noted: "To get Ethereum to production, we also need to lower the barrier to entry for enterprises. Many companies’ legal or compliance departments restrict them from using software under the GNU Public License (GPL), which the mainstream Ethereum clients currently use. We have heard stories of enterprises that completed a successful pilot on Ethereum, only to be stopped from going to production because of company policies around OSS licenses. We hope to solve that pain point by releasing Pantheon Core under an Apache 2.0 license and smooth the path for adoption."
7. Oracle v. Google redux
The Court of Appeals for the Federal Circuit (CAFC) published its second decision in the ongoing case of Oracle against Google, ruling that Google's unauthorized use of 37 packages of Oracle's Java application programming interface (API) in its Android operating system infringed Oracle's copyrights. The CAFC overturned the first district court decision to find that the APIs were copyrightable and returned the case to the district court for a decision upon the fair use defense. Once again, the district court found against Oracle on the basis that Google's use of the APIs was fair use. Oracle appealed. The CAFC, once again, overturned the district court decision, finding that Google's use of the APIs was not fair use as a matter of law. The case has been remanded to the district court to rule on damages. Given the increasing use of APIs in FOSS, this case has important implications for FOSS license compliance in the future.
8. Red Hat enters an agreement with IBM for acquisition for $34 billion
Red Hat has entered into an agreement with IBM to be acquired for $34 billion. If approved, this price will be the largest amount ever paid for a software company, much less an open source software company.
9. Rise of cloud conflicts and new licenses
Many FOSS companies express concern about the use of their programs by cloud service providers who don't provide payments to the FOSS company. Last year, Redis Labs changed the license for Redis modules developed by Redis Labs from AGPL to Apache 2.0 modified with Commons Clause (these Redis modules are add-ons on top of Redis core, including RediSearch, Redis Graph, ReJSON, ReBloom, and Redis-ML). It introduced the Commons Clause (which it added to its ASLv2) to limit its products' use by cloud service providers. The introduction of this hybrid license was quite controversial, and very few companies adopted it.
To date, Redis Labs has not sought OSI approval for this license. In October 2018, a group called GoodFORM announced it was forking the code prior to the addition of the Commons Clause and would provide it under the AGPLv3. More recently, MongoDB took a different approach to this issue by revising the AGPLv3 to create the Server Side Public License (SSPL). This license has broader obligations to make Complete Corresponding Source Code available to users of the software. However, MongoDB has announced that it has submitted the SSPL to OSI for approval.
10. Tension between FOSS projects and standard-setting organizations
As FOSS has become widely prevalent as a development methodology, standard-setting organizations (SSOs) have been working to integrate FOSS approaches into their own processes. However, the methodologies of FOSS projects and SSOs are quite different: FOSS projects run on a more decentralized basis with very different assumptions. One source of friction is the common approach in SSOs that provides for members to license their patents on a royalty-bearing basis (under FRAND terms). However, most FOSS communities assume that patents in FOSS projects will be licensed on a royalty-free basis.
Although some FOSS licenses have express patent license provisions (such as ASLv2), the existence and scope of patent licenses in other FOSS licenses are more ambiguous. This difference in approach to royalty payments for patents is creating tension between the FOSS and SSO communities. This issue is unlikely to be resolved in the near term.