Computer security firm McAfee has included a risk factor in its most recent annual report filed last month with the Securities and Exchange Commission (SEC) warning investors of potential risks posed to the company by “ambiguous” license terms governing open source software used in McAfee products. The report notes that “despite having conducted the appropriate due diligence,” these ambiguities “may result in unanticipated [licensing] obligations regarding our products. ” As the report puts it, “to the extent that we use ‘open source’ software, we face risks.” These are interesting comments indeed from a company more accustomed to issuing warnings about the dangers posed by software viruses and bugs to other companies.
McAfee appears to be particularly concerned with the terms of version 2 of the GNU General Public License (GPL), by most measures the most prevalent open source license in the world today. McAfee acknowledges use of open source software under the GPL in its annual report and notes that it perceives that there are risks posed by the fact that “the scope and requirements of the [. . . ] GPL have not been interpreted in a court of law.” They also, however, appear to acknowledge a broader scope of open source usage, indicating that “other forms” of open source software licensing present license compliance risks to McAfee which “could result in litigation or loss of the right to use this software.”
While not noted specifically in the annual report, the reference to “litigation” appears to have been prompted by the recent spate of lawsuits filed by the Software Freedom Law Center (SFLC) on behalf of its clients Erik Andersen and Rob Landley (the two principal developers of the BusyBox open source utility) alleging violations of the GPL. These suits, brought against Monsoon Multimedia, Xterasys Corporation, High-Gain Antennas, and Verizon Communications, represent the first lawsuits brought in the US to enforce the GPL (click here and here for more information about these cases). As a user of software licensed under the GPL, it appears from its annual report that McAfee considers the potential for additional suits by the BusyBox developers (or suits by the owners of other open source software used by McAfee in its products) to pose a potentially material risk to the company. Note that McAfee has also at times been an outspoken critic of open source software and the role they claim it plays in assisting hackers in the development of bots and other malware. Whether McAfee has come to perceive itself as a larger target for such suits as a result of these statements is not mentioned in their annual report.
Of course, McAfee is not the first company to include a cautionary statement regarding open source software or open source licensing in their SEC filings. For example, as InformationWeek notes in an article about McAfee, DVR-maker Tivo warned investors in its 2007 annual report that it may have to discontinue using open source software in its products due to concerns about the GPL. Likewise, many proprietary software companies have made references in their SEC filings to the risks posed by competition created by open source software. In particular, Microsoft created a stir when it noted in a prospectus filed in 2003 that, “the popularization of the open source model continues to pose a significant challenge to our business model.” McAfee itself has also included competition-related open source risk factors in previous filings, and includes one again in another section of its current annual report, warning of increasing “competition from numerous smaller companies, shareware and freeware authors and open source projects” that are developing competing products to those of McAfee.
While not unprecedented, the current filing by McAfee underscores the fact that the BusyBox cases (and the potential for other lawsuits like them) represent a series of changes ongoing in the open source software license enforcement landscape. The fact that McAfee has seen fit to include a risk factor in its annual report regarding the potential risks posed by cases such as these is a good example of how open source compliance practices are beginning to evolve to address these changes. As I have mentioned in the past, now more than ever, companies that do not take note and move to evolve their open source compliance practices to address these changes on their own terms will increasingly find themselves being required to do so on terms imposed by others. McAfee, it would appear, is not content to wait for this to happen.
Filed under: Business, Busybox, GPL, Open Source, SFLC, Updates | Tagged: McAfee, Risk Factor, SEC | Leave a comment »