Litigation and Compliance in the Open Source Ecosystem

Litigation and Compliance in the
Open Source Ecosystem

Speakers
MARK RADCLIFFE
Partner, DLA Piper
BERND SIEBERS
Counsel, DLA Piper
PHIL ODENCE
VP & General Manager,
Black Duck Software

OSS Often Enters a Code Base
Unchecked, Resulting In Risks
Code Base
Commercial
3rd Party
Code
Purchasing
• Licensing?
• Security?
• Quality?
• Support?
Open Source
OPERATIONAL RISK
Which versions of code
are being used, and how
old are they
LEGAL RISK
Which licenses are used
and do they match
anticipated use of the code
SECURITY RISK
Which components have
vulnerabilities and what
are they
Management
visibility…not!

Black Duck’s Experience Analyzing Code
• Audits on average find 33% open
source
• 99% of code audits find open source
• 95% of audits find unknown open
source
• 75% of audits contain unknown licenses
• 67% of code contains vulnerable
components
• 50% of code audits contain GPL

FOSS Compliance: New Players
• Traditional FOSS Enforcement:
Focus on Compliance
• Software Freedom Law Center
• Software Freedom Conservancy
(“SFC”)
• gplviolations
• Shift to Commercial Licensors
• Continuent v. Tekelec (GPL)
• Versata Series of Cases
• New Enforcers
• McHardy, copyright troll
• Fligor: looking for clients
• Major Difference in Goals
• Shift from compliance to revenue
• Focus on injunctive relief
• Expansion of Traditional FOSS
Enforcement
• SFC assists in VMware litigation

Existing Compliance Issues
• VMware litigation (SFC)
• McHardy litigation
• First copyright troll
• Versata: focus on hybrid product licensing
• Will terminated licensees regularly raise the defense of “integration” with GPLv2 licensed
code?
• Will warranty claims against licensors arise from poorly drafted licenses become common?

Netfilter Project Suspends McHardy
The netfilter project regrets to have to suspend its core team member Patrick McHardy from the core team. This
is a grave step, definitely the first in the projects history, and it is not one we take lightly. Over many months,
severe allegations have been brought forward against the style of his license enforcement activities on parts of
the netfilter software he wrote. With respect to privacy, we will not publicly disclose the content of those
allegations.
Despite many attempts by us to reach him, Patrick has been unable or unwilling to comment on those
allegations or defend against the allegations. The netfilter project does not have first-hand evidence. But given
the consistent allegations from various trusted sources, and in the absence of any response from Patrick, we
feel it is necessary to suspend him until further notice.
We'd like to stress that we do not take any sides, and did not "convict" Patrick of anything. He continues to be
welcome in the project as soon as he is be able to address the allegations and/or co-sign the "principles" [1] in
terms of any future enforcement activities.

SFC Criticizes GPL Monetizers
These “GPL monetizers”, who trace their roots to nefarious business models that seek to catch users in minor violations in order to sell an
alternative proprietary license, stand in stark contrast to the work that Conservancy, FSF and gpl-violations.org have done for years.
Most notably, a Linux developer named Patrick McHardy continues ongoing GPL enforcement actions but has not endorsed the community
Principles. When Patrick began his efforts, Conservancy immediately reached out to him. After a promising initial discussion (even contemplating
partnership and Patrick joining our coalition) in mid-2014, Patrick ceased answering our emails and text messages, and never cooperated with
us. Conservancy has had no contact with Patrick nor his attorney since, other than a somewhat cryptic and off-topic response we received over a
year ago. In the last two years, we've heard repeated rumors about Patrick's enforcement activity, as well as some reliable claims by GPL
violators that Patrick failed to follow the Principles.
In one of the many attempts we made to contact Patrick, we urged him to join us in co-drafting the Principles, and then invited him to endorse
them after their publication. Neither communication received a response. We informed him that we felt the need to make this public statement,
and gave him almost three months to respond. He still has not responded.
Patrick's enforcement occurs primarily in Germany. We know well the difficulties of working transparently in that particular legal system, but both
gpl-violations.org and Conservancy have done transparent enforcement in that jurisdiction and others. Yet, Patrick's actions are not transparent.
In private and semi-private communications, many have criticized Patrick for his enforcement actions. Patrick McHardy has also been suspended
from work on the Netfilter core team. While the Netfilter team itself publicly endorsed Conservancy's principles of enforcement, Patrick has not.
Conservancy agrees that Patrick's apparent refusal to endorse the Principles leaves suspicion and concern, since the Principles have been
endorsed by so many other Linux copyright holders, including Conservancy.

New Compliance Issues
• Harald Welte announcement of an OSS Compliance Company, aggregating
developers
• Welte: ran gpl violations
• Geographic focus not limited to Germany, but could include France and Spain
• David Fligor/Progressive LLP: Troll lawyer searching for a project, so far no
cases filed
• Sound View Innovations: new ASF software patent troll based on Alcatel-Lucent
patents
• Sound View has sued Facebook
• Sound View has sued LinkedIn
• Sound View has sued Twitter

German FOSS Enforcement
• Community Enforcers
• Harald Welte/gpl-violations.org (Linux kernel, iptables)
• Returning to compliance based on Barcelona FSFE Conference
• Thomas Gleixner (Linux kernel code used in U-Boot)
• XviD project
• Christoph Hellwig (Linux kernel, this is the VMware case)
• Other
• Patrick McHardy (Linux kernel, iptables, iproute2)

Community Enforcement
• Most cases are settled before they go to court. The agreement for a “declaration to cease
and desist" in Germany has to contain a clause about a contractual penalty for a future
infringement: if the defendant is caught violating GPLv2 again, then the defendant has to
pay the penalty.
• Harald Welte (gpl-violations.org) has used these penalties for donations to charities like
Chaos Computer Club, Wau Holland Stiftung, Free Software Foundation Europe, etc.
because his focus was on process change, compliance and community norms.
• gpl-violations.org worked very closely together with Free Software Foundation Europe to
get companies to talk about their problems and let them participate in the global
discussion about open source compliance and other legal issues.

German Court Procedure - Outline
I. Preliminary Injunction Proceedings
1. General
2. Requirements
3. Standard of Proof
4. Possible Remedies
5. Procedural Aspects
6. Enforcement
II. Proceedings on the Merits
1. Overview
2. Remedies
III. Pre-Litigation Strategies
1. Offense Position
2. Defense Position

German Court Procedure –
Preliminary Injunction Proceedings
1. General
• Objective: Stop infringement as soon as possible
• Often most dangerous threat to infringer, since immediately enforceable (appeal
has no suspensory effect!)
• "General" time line:
• Granted within hours (e.g. re trade fairs), 1-2 days (if ex parte),
2-6 weeks (with oral hearing);
• Appeal hearing 2-4 months after decision in first instance

German Court Procedure –
Preliminary Injunction Proceedings
2. Requirements
• Generally courts issue in cases where
• Infringement is very likely
• No undue delay in filing an application for PI ("Urgency Requirement")
• Plaintiff has to file the application for PI without undue delay
• Up to 4 weeks usually not problematic
• Up to 8 weeks usually problematic; IP owner has to show exceptional circumstances in determining
the infringement / preparation of PI application
• Over 8 weeks usually no PI granted!
• ACT FAST!

McHardy German Litigation I
• Patrick McHardy uses the same enforcement mechanism but is seeking personal
monetary gain
• Estimate is that McHardy has approached at least 50 companies that have been
hit (some companies multiple times).
• Wide variety of companies, including retailers, telcos, producers, importers
• Best estimate is that he has received significant damages
• Wide range of products
• physical products (offline distribution)
• firmware updates downloadable from a website
• Over The Air (OTA) updates

McHardy German Litigation II
• Tactics against companies
1. Address a (minor) violation and have a company sign a cease and desist with contractual
penalty.
2. Address another (minor) violation and collect the contractual penalty. Sign a new
agreement with a higher penalty.
3. Wait some time, then go back to 2
• Devices usually have multiple violations of GPLv2 and he only will address one
issue at a time to collect the contractual penalty.

McHardy German Litigation III
McHardy's claims largely focus on:
• Lack of written offer
• Lack of license text in product
• Inadequate terms of written offer
• Lack of complete corresponding source code in repositories
• EULA conflicting with GPL obligations
• Written offer must come from last company selling product
• More exotic
• Written offer should be in German
• GPL warranty disclaimers are inadequate under German law
In the past, McHardy did not do a thorough technical analysis, like a rebuild of the
source code, but he has started doing so.

McHardy German Litigation IV
Two recent hearings, McHardy lost on procedural issues
• Case one: court decided that application was not sufficiently “urgent” for
preliminary injunction procedure
• Case two: judge found that McHardy’s affidavits were inconsistent and McHardy’s
lawyer was not prepared to defend it: McHardy withdrew case
Statement by presiding judge (not required and without precedential value but
shows thinking):
• If only a tiny bit of the programming works was contained in the litigious product and if that
tiny bit was capable of being copyright protected, the arguments of the defendant would not
be sufficient to rebut the claim. This might indeed result in Linux not being tradable in
Germany. The industry might have to look for other platforms where the chain of rights can
be controlled more easily

Solving the McHardy Problem and Copycats
• Focus on compliance of your products going into Germany
• Understand the McHardy business model
• Collaborate on claims and share information
• DLA Piper: Developing “Defense in a box”
• Working with past litigants to provide information
• Facts about McHardy
• Summary of McHardy claims
• Summary of McHardy arguments
• References
• Possibility of including actual complaints and other filings but more challenging

Hellwig v. VMware I
• VMware is alleged to be using arts of the Linux kernel in their proprietary ESXi
product, including the entire SCSI mid-layer, USB support, radix tree and many,
many device drivers.
• Linux is licensed under GNU GPLv2 with a modification by Linus Torvalds
• VMware has modified all the code they took from the Linux kernel and integrated
them into something they call vmklinux.
• VMware has modified their proprietary virtualization OS kernel vmkernel with
specific API/symbol to interact with vmklinux
• vmklinux and vmkernel interaction is uncertain

Hellwig v. VMware II
The court did not decide
• If vmklinux and vmkernel can be regarded as a uniform work and, if so,
• If the use of Hellwig's code in the vmklinux + vmkernel entity qualifies as a modification
(requiring a license) or as free use.

Hellwig v. VMware III
Court required that Hellwig prove the following:
• which parts of the Linux program he claims to have modified, and in what manner;
• to what extent these modifications meet the criteria for adapter's copyright pursuant to
Copyright Act § 69c No. 2 clause 2 in conjunction with § 3; and
• to what extent the Plaintiff pleads and where necessary proves that the Defendant has in
turn adopted (and possibly further modified) those adapted parts of the program that
substantiate his claim to protection.
Hellwig failed to meet this standard. He has appealed.

Hellwig v. VMware IV
Not sufficient as evidence according to the court:
• Copyright notices in header files
• Reference to git repository
• Provision of source code and git blame files
Increased requirements for demonstrating an infringement:
• Exact identification of own contributions
• Conditions for copyright protection of those contributions fulfilled
• Source code comparison of own contributions and the allegedly infringing code
It is not the job of the court to analyze the source code for elements that might
originate from the plaintiff, and to judge to what extent those elements might be
protectable.

Linux at 25: Disputes on Compliance
Greg Kroah-Hartman
• "I do [want companies to comply], but I don't ever think that suing them is the right way to do it, given
that we have been _very_ successful so far without having to do that”
• “You value the GPL over Linux, and I value Linux over the GPL. You are willing to risk Linux in order to
try to validate the GPL in some manner. I am not willing to risk Linux for anything as foolish as that.”
Linus Torvalds
• “Lawsuits destroy community. They destroy trust. They would destroy all the goodwill we've built up
over the years by being nice.”
Bradley Kuhn (SFC)
• “You said that you "care more about Linux than the GPL". I would probably agree with that. But, I do
care about software freedom generally much more than I care about Linux *or* the GPL. I care about
Linux because it's the only kernel in the world that brings software freedom to lots of users.”

Linux Foundation
• Who owns the contributions in the Linux kernel
• Linux kernel analysis to determine the identity of contributors to Linux kernel, software has
been completed and analysis will be done this year
• Next step: identifying copyright owners
• Encouraging statements by kernel.org on community norms for enforcement
• Training programs
• Core Infrastructure Initiative “Badge Program” (focused on security but includes
governance issues)

Summary for Software Distributors
• More compliance actions seem likely, particularly in Germany
• Develop a FOSS use (and management) policy to ensure that you understand
your obligations and can comply with them (for an overview of FOSS and FOSS
governance see
https://www.blackducksoftware.com/resources/webinar/introduction-open-source-
software-and-licensing)
• Ensure that your policy covers updates and security issues
• Review your distribution agreements to ensure that they take into account any
terms imposed by FOSS in your product and modify those terms as appropriate

• Largest law firm in the world with
4,200 lawyers in 31 countries and 77
offices throughout the Americas, Asia
Pacific, Europe and the Middle East
• More than 145 DLA Piper lawyers in IP
transactions
• Global Open Source Practice
• More than 550 DLA Piper lawyers
ranked as leaders in their fields
Global platform

OSS Practice
• Worldwide OSS practice group
• US Practice led by two partners: Mark Radcliffe & Victoria Lee
• Experience
• Open sourcing Solaris operating system
• FOSS foundations:
• OpenStack Foundation
• PrPL Foundation
• OpenSocial
• Open Source Initiative
• GPLv3 Drafting Committee Chair (Committee D)
• Drafting Project Harmony agreements

Contact Information
Mark F. Radcliffe
Partner
2000 University Avenue, East Palo
Alto, California, 94303-2214, United
States
T +1 650 833 2266
F +1 650 687 1222
E mark.radcliffe@dlapiper.com
Mark Radcliffe concentrates in strategic intellectual property advice, private financing, corporate
partnering, software licensing, Internet licensing, cloud computing and copyright and trademark.
He is the Chair of the Open Source Industry Group at the firm and has been advising on open
source matters for over 15 years. For example, he assisted Sun Microsystems in open sourcing
the Solaris operating system and drafting the CDDL. And he represents or has represented
other large companies in their software licensing (and, in particular, open source matters)
including eBay, Accenture, Adobe, Palm and Sony. He represents many software companies
(including open source startups) including SugarCRM, DeviceVM, Revolution Analytics,
Funambol and Reductive Labs for intellectual property matters. On a pro bono basis, he serves
as outside General Counsel for the Open Source Initiative and on the Legal Committee of the
Apache Software Foundation. He was the Chair of Committee C for the Free Software
Foundation in reviewing GPLv3 and was the lead drafter for Project Harmony. And in 2012, he
became outside general counsel of the Open Stack Foundation and drafted their certificate of
incorporation and bylaws as well as advising them on open source matters.

Contact Information
Bernd Siebers
Rechtsanwalt | Counsel
DLA Piper UK LLP
Maximilianstraße 2
D-80539 München
T +49 89 232372 133
M +49 173 529 75 67
E bernd.siebers@dlapiper.com
Bernd Siebers has longstanding experience in advising national and international businesses in
technology related matters, both contentious and non-contentious. His practice focuses on
technology related disputes with a focus on software and failed IT projects.
Bernd has particular experience in advising on Open Source Software compliance and in
dealing with Open Source Software related disputes, both in court and out of court.
Bernd has distinct specialist skills in copyright protection of software and in drafting and
negotiating technology sourcing agreements including software development and maintenance
agreements, and software licensing agreements.

Litigation and Compliance in the Open Source Ecosystem

Litigation and Compliance in the Open Source Ecosystem

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Litigation and Compliance in the Open Source Ecosystem (20)

More from Black Duck by Synopsys (20)

Recently uploaded (20)

Litigation and Compliance in the Open Source Ecosystem