ABA Open Source Panel in New York

While much of the open source community was in San Francisco last week at the LinuxWorld Expo, I was in New York at the 2008 Annual Meeting of the American Bar Association (ABA) speaking at the “Life after GPLv3: New Developments in Open Source Software Licensing” event organized by the ABA Section of Intellectual Property Law. My presentation covered an update on the lawsuits filed over the past 12 months by the Software Freedom Law Center (SFLC) on behalf of their clients Erik Andersen and Rob Landley (the two principal developers of the BusyBox open source utility) against Monsoon Multimedia, Xterasys Corporation, High-Gain Antennas, Verizon Communications, Bell Microproducts, Inc., Super Micro Computer, Inc. and Extreme Networks alleging copyright infringement based on a violation of version 2 of the GNU General Public License (GPL) in connection with BusyBox. In addition to discussing the history and resolution of the BusyBox cases (including my involvement with several of the cases), I also highlighted the similarities and differences between these cases and past open source software license enforcement efforts outside of the courts by the Free Software Foundation (FSF) and Harald Welte of gpl-violations.org. The presentation materials are now available online. I understand that the ABA will be posting the materials from the other presenters at the event, as well as a podcast of the entire event, on the ABA website in the coming weeks.

Many thanks to Mark Wittow and Gloria Archuleta, co-chairs of the ABA IP Section, for organizing the event and inviting me to speak. Thanks also to my co-presenters Terry Ilardi of IBM Corporation, Jim Markwith of Microsoft Corporation, and Gabe Holloway of Leonard, Street and Deinard, as well as the moderator of the panel discussion portion of the event, Sue Ross of Fulbright & Jaworski L.L.P.

BusyBox Goes Extreme

Adding to the already substantial list of lawsuits filed on behalf of its clients Erik Andersen and Rob Landley (the two principal developers of the BusyBox open source utility), the Software Freedom Law Center (SFLC) has announced today the filing of yet another suit alleging copyright infringement based on a violation of version 2 of the GNU General Public License (GPL) in connection with BusyBox. The current suit has been filed against Ethernet solutions provider Extreme Networks. As with the previous suits brought by Andersen and Landley (against Monsoon Multimedia, Xterasys Corporation, High-Gain Antennas, Verizon Communications, Bell Microproducts, Inc. and Super Micro Computer, Inc.), the complaint against Extreme Networks alleges that Extreme makes and sells various products containing firmware in which BusyBox, or a modified version of BusyBox, is included. Specifically, the complaint names the Summit X450 Series network switches as one of the offending products offered by Extreme. According to the lawsuit, Extreme continues to distribute this product and others with firmware containing BusyBox without making the source code to BusyBox available in accordance with the terms of the GPL. As the complaint notes, under the terms of the GPL, Extreme is obligated to provide the source code of the BusyBox software to recipients of products with firmware containing BusyBox.

According to the complaint, Extreme was first notified of the requirements of the GPL as early as July of 2006 by a “third party” who requested a copy of the BusyBox source code. The complaint further alleges that the SFLC later contacted Extreme in February 2008 on behalf of the BusyBox developers and that the parties have had multiple interactions since that time in an attempt to settle the allegations against Extreme. The complaint continues, however, that Extreme has failed to respond to the latest notice provided by the SFLC on June 26, thus prompting the lawsuit. As with the complaints in previous cases, the complaint filed against Extreme requests that an injunction be issued against the defendant and that damages and litigation costs be awarded to the plaintiffs.

The takeaway from this latest suit is fairly simple. As the campaign of lawsuits brought by BusyBox continues to roll forward (and it appears safe to now call it a “campaign”), and as mentioned in connection with the previous BusyBox suits, product vendors (particularly in the wireless and terrestrial networking space) should take note of whether and to what extent the products distributed by their organizations (including products produced by third parties) contain BusyBox or other open source software. And, as shown by the timeline in this and the other BusyBox cases, those vendors should take seriously any contact from the SFLC or other organizations inquiring about potential violations of the GPL or other open source licenses.

BusyBox is Back, Back Again

The Software Freedom Law Center (SFLC) has announced today that it has filed a new round of lawsuits on behalf of its clients Erik Andersen and Rob Landley (the two principal developers of the BusyBox open source utility) alleging copyright infringement based on a violation of version 2 of the GNU General Public License (GPL). The defendants in the new lawsuits are Bell Microproducts, Inc. (dba “Hammer Storage”) and Super Micro Computer, Inc., each well-established distributors of a wide range of storage and other computer hardware products and components. These two new suits bring the total of lawsuits brought by the SFLC on behalf of the BusyBox developers to six (the previous four having been filed against Monsoon Multimedia, Xterasys Corporation, High-Gain Antennas, and Verizon Communications).

The complaints against Bell Micro and Super Micro were filed on June 10, 2008 in the United States District Court for the Southern District of New York and are available online at — Erik Andersen and Rob Landley v. Bell Microproducts, Inc. d.b.a. Hammer Storage and Erik Andersen and Rob Landley v. Super Micro Computer, Inc. The complaints are similar in many respects to the complaints previously filed in the Monsoon Media, Xterasys, High-Gain and Verizon suits. In each case the complaint alleges that the defendant “makes and sells various communications and hardware devices” containing firmware that contains BusyBox (either directly or in modified form). In the case of Bell Micro, the complaint specifically targets Bell’s “MyShare HN1200 network attached storage device” and with Super Micro the complaint specifically names the “AOC-SIM1U+ IPMI 2.0 System Management Card”. Each complaint alleges that, under the terms of the GPL, the defendant is obligated to provide the source code of the BusyBox software to recipients of the named products whose firmware contains BusyBox. According to each lawsuit, Bell Micro and Super Micro continue to distribute products with firmware containing BusyBox without source code in violation of the GPL, despite having been contacted by SFLC. Each complaint seeks an injunction against the company and requests that damages and litigation costs be awarded to the plaintiffs.

It remains to be seen if the current cases will be settled out of court (as has happened in each of the prior cases brought by BusyBox to date) or continue on and become the first lawsuit alleging a violation of the GPL ever to go to trial in the U.S. Regardless, these cases signal that after a brief hiatus Erik Andersen and Rob Landley (and the SFLC) appear again to be interested in enforcing the GPL against alleged violators in court rather than pursuing out of court settlements. As mentioned in connection with the previous BusyBox suits, now is the time to take steps to identify whether and to what extent your organization is using BusyBox and other open source software and to ensure that you are in compliance with the open source software licenses applicable to that software.

OSBC 2008 Presentations Online

Last week marked the completion of another very successful Open Source Business Conference (OSBC) in San Francisco. Presentations from OSBC 2008 are now online.

Included among those presentations is my presentation on Putting Open Source Compliance to Work (On Your Own Terms). The presentation covers a lot of ground, but is focused on providing companies that use open source software with tools to deal with the increasing level of scrutiny of open source that has arisen with the ever-widening variety of roles in which open source software is being put to work by those companies. Among the examples of this increased scrutiny, the presentation covers:

— The BusyBox lawsuits brought by the developers of the BusyBox open source utility against Monsoon Media, Xterasys, High-Gain and Verizon based on alleged violations of version 2 of the GNU General Public License (GPL);

— Renewed open source license enforcement by the GPL-violations.org Project in Europe against Skype and others;

— Enforcement of software patents against open source software in cases involving Red Hat and Novell; and

— The increasing trend of disclosures around open source usage and liability made by public companies in their filings with the SEC.

The presentation makes the point that companies that are not taking steps to implement open source compliance measures on their own terms are increasingly finding themselves being required to comply on terms set by one of these other groups. The presentation discusses tools companies can use to put open source compliance to work on their own terms to address this changing open source enforcement landscape, including:

— Strategies to address increased diligence and scrutiny from customers, investors, shareholders and others;

— Tools to evaluate the changing risks posed by open source;

— Current best practices for implementing compliance measures to address open source compliance risks; and

— Techniques for taking open source compliance efforts beyond merely risk mitigation to help add value to your business.

I encourage you to download a copy of the materials.

SFLC Settles With Verizon – Lessons Learned

The Software Freedom Law Center (SFLC) announced on Monday that an agreement has been reached to dismiss the lawsuit brought by Erik Andersen and Rob Landley, the two principal developers of the BusyBox open source software utility, against telecommunications giant Verizon Communications alleging that Verizon violated version 2 of the GNU General Public License (GPL) through the distribution of BusyBox in the firmware of the Actiontec MI424WR wireless router provided by Verizon to customers of Verizon’s “FiOS” fiber-optic Internet and television service. To date Andersen and Landley have also brought and settled similar suits alleging violations of the GPL against Monsoon Multimedia, Xterasys, and High-Gain Antennas. The Verizon settlement marks the end of the last of the suits brought by Andersen and Landley to date.

While the full terms of the settlement were not announced (other than as summarized in the press release issued by the SFLC), the terms appear to track those included in the settlement of the other cases. In particular, in return for reinstating the rights of Actiontec and Verizon to distribute BusyBox under the GPL, Actiontec has agreed to:

– Appoint an Open Source Compliance Officer within its organization to “monitor and ensure GPL compliance”;
– Publish the source code for the version of BusyBox it previously distributed on the Actiontec web site;
– Undertake substantial efforts to notify previous recipients of BusyBox from Actiontec and its customers, including Verizon, of their rights to the software under the GPL; and
– Pay an undisclosed amount of financial consideration to the plaintiffs.

The settlement does appear to differ from the settlements reached in the other BusyBox cases in at least one respect. Each of the previous settlements (as announced on the SFLC web site) imposed obligations directly on the party named in the lawsuit — this despite the fact that in at least two of the other three BusyBox cases the allegedly offending device was provided to that party by a third party vendor. The settlement in the Verizon case, however, appears to impose obligations directly on Verizon’s third party vendor Actiontec. The reason for this appears to be related to the fact that, while Actiontec was not named as a defendant in the lawsuit, the agreement under which Actiontec provides its MI424WR wireless router to Verizon is rumored to include a clause under which Actiontec agreed to indemnify Verizon for liability relating to claims and lawsuits by third parties against Verizon relating to the router. If accurate, the indemnification clause would help explain why Actiontec (and not Verizon) played a central role in the settlement of the lawsuit against Verizon and appears to have agreed to bear the majority of the obligations under the settlement.

The presence of an indemnification clause in Verizon’s procurement agreement with Actiontec also underscores the value of being proactive in open source (and other) technology procurement measures. Open source compliance measures (and intellectual property and license compliance measures in general) are certainly not uniform across all companies — and companies cannot always depend on their suppliers to be as diligent as they themselves have been in their own compliance efforts. As a result, taking the step of reviewing procurement agreements to help ensure that suppliers of software and other technology agree in advance to stand behind their products and services in the event of an intellectual property infringement, license violation or other issue is an increasingly important practice (and one that appears to have paid dividends for Verizon in their BusyBox lawsuit).

Busy Box Settles Another Case

News today from the Federal District Court for the Southern District of New York that Erik Andersen and Rob Landley, the two principal developers of the BusyBox open source utility, have moved to voluntarily dismiss the case they brought against High-Gain Antennas alleging that High-Gain had violated the GNU General Public License (GPL) by distributing the Busy Box software without complying with the terms of the GPL. The dismissal itself was officially approved by Judge Leonard B. Sand on March 3, 2008. While no press release has yet been issued by the Software Freedom Law Center (SFLC), the non-profit legal group that represented Andersen and Landley in the case, the strong presumption in a situation such as this is that the dismissal signals that the case against High-Gain Antennas has reached a settlement. To date Andersen and Landley have brought similar suits alleging violations of the GPL against Xterasys Corporation, High-Gain Antennas, and telecommunications giant Verizon Communications. A settlement in the case against High-Gain Antennas would mark the third such settlement, leaving only the case against Verizon still pending.

While Busy Box and the SFLC have not brought another suit since filing their case against Verizon back on December 6, 2007, action in the Verizon case looks to be coming soon as Verizon currently has until March 14, 2008 to answer or otherwise respond to the complaint filed against them in the case. It remains to be seen if the case against Verizon will be settled out of court or continue beyond this date and become the first lawsuit alleging a violation of the GPL ever to go to trial in the U.S. Regardless, the cases brought by Busy Box remain significant in demonstrating that open source licensors have the will and the ability to successfully enforce the GPL against alleged violators in court, rather than limiting themselves to pursuing other means of enforcing violations outside of court. What changes these and any future cases drive in the open source license enforcement landscape and open source compliance largely remains to be seen, but for certain they are driving changes. For additional information on the previous settlements, please refer to my prior posts (here, here, here, here, and here).

McAfee Issues Risk Factor Over Open Source Licenses

Computer security firm McAfee has included a risk factor in its most recent annual report filed last month with the Securities and Exchange Commission (SEC) warning investors of potential risks posed to the company by “ambiguous” license terms governing open source software used in McAfee products. The report notes that “despite having conducted the appropriate due diligence,” these ambiguities “may result in unanticipated [licensing] obligations regarding our products.” As the report puts it, “to the extent that we use ‘open source’ software, we face risks.” These are interesting comments indeed from a company more accustomed to issuing warnings about the dangers posed by software viruses and bugs to other companies.

McAfee appears to be particularly concerned with the terms of version 2 of the GNU General Public License (GPL), by most measures the most prevalent open source license in the world today. McAfee acknowledges use of open source software under the GPL in its annual report and notes that it perceives that there are risks posed by the fact that “the scope and requirements of the [. . .] GPL have not been interpreted in a court of law.” They also, however, appear to acknowledge a broader scope of open source usage, indicating that “other forms” of open source software licensing present license compliance risks to McAfee which “could result in litigation or loss of the right to use this software.”

While not noted specifically in the annual report, the reference to “litigation” appears to have been prompted by the recent spate of lawsuits filed by the Software Freedom Law Center (SFLC) on behalf of its clients Erik Andersen and Rob Landley (the two principal developers of the BusyBox open source utility) alleging violations of the GPL. These suits, brought against Monsoon Multimedia, Xterasys Corporation, High-Gain Antennas, and Verizon Communications, represent the first lawsuits brought in the US to enforce the GPL (click here and here for more information about these cases). As a user of software licensed under the GPL, it appears from its annual report that McAfee considers the potential for additional suits by the BusyBox developers (or suits by the owners of other open source software used by McAfee in its products) to pose a potentially material risk to the company. Note that McAfee has also at times been an outspoken critic of open source software and the role they claim it plays in assisting hackers in the development of bots and other malware. Whether McAfee has come to perceive itself as a larger target for such suits as a result of these statements is not mentioned in their annual report.

Of course, McAfee is not the first company to include a cautionary statement regarding open source software or open source licensing in their SEC filings. For example, as InformationWeek notes in an article about McAfee, DVR-maker TiVo warned investors in its 2007 annual report that it may have to discontinue using open source software in its products due to concerns about the GPL. Likewise, many proprietary software companies have made references in their SEC filings to the risks posed by competition created by open source software. In particular, Microsoft created a stir when it noted in a prospectus filed in 2003 that “the popularization of the open source model continues to pose a significant challenge to our business model.” McAfee itself has also included competition-related open source risk factors in previous filings, and includes one again in another section of its current annual report, warning of increasing “competition from numerous smaller companies, shareware and freeware authors and open source projects” that are developing competing products to those of McAfee.

While not unprecedented, the current filing by McAfee underscores the fact that the BusyBox cases (and the potential for other lawsuits like them) represent a series of changes ongoing in the open source software license enforcement landscape. The fact that McAfee has seen fit to include a risk factor in its annual report regarding the potential risks posed by cases such as these is a good example of how open source compliance practices are beginning to evolve to address these changes. As I have mentioned in the past, now more than ever, companies that do not take note and move to evolve their open source compliance practices to address these changes on their own terms will increasingly find themselves being required to do so on terms imposed by others. McAfee, it would appear, is not content to wait for this to happen.