Many startups use open source software ("OSS") in their service or product offering, to help lower their costs of development and to quicken their speed to market. However, too many startups do not fully realize the risks of using OSS or what "open software" even really means. To help further educate us on this topic, I engaged the expertise of my colleague, Christopher Cain, a Partner and startup lawyer at Foley & Lardner in Chicago, with deep expertise in copyright and software related matters.
At the outset, a term you will often associate in the open source context is "free software". Free software as a term distinguishes OSS from traditional copyrighted software. The two terms "free software" and OSS are used interchangeably, with most companies referring to OSS. So what distinguishes OSS from traditional software? OSS is software distributed under a license that ensures freedom (hence the term "free") to run, copy, distribute, study, change, and improve the source code. Specifically, OSS licenses typically require: (a) no fee or royalty for redistribution; (b) source code must be available; (c) licensee may create derivative works and modifications; (d) derivative works must be distributed under the same license as the original; (e) no discrimination against users; and (f) all rights granted in the original code must be granted in any redistribution.
So, the benefits of using OSS are pretty clear: the ability to get source code without a license fee and the ability to modify that source code and use it in your product offering or service, provided you live by the rules listed above. Moreover, with more popular OSS, you have a community that is supporting the code, finding and fixing bugs and adding features. These are all great things and most start-ups know these. What they don't often know or think through however are some of the risks of using OSS.
What are the risks in using OSS? Well, for a start, OSS licenses typically lack any meaningful contractual protections. Most OSS licenses provide that the code is "as-is", without warranties of any kind. There is typically no support and no indemnity from intellectual property infringement. In addition, OSS licenses have not been fully tested by courts. Court decisions are an effective way to clarify the scope and extent of a license. That lack of clarity from courts is heightened by the fact that many OSS licenses were written years ago, without legal input. As such, the licenses can be less than clear. Not surprisingly then, conflicting license interpretations exist within the OSS community.
More specifically, no clear standard exists on what constitutes a derivative work of OSS. This is a serious issue because it is the ability to create derivative works of OSS that can get a start-up into unexpected trouble. A derivative work is a copyright term that means a work that is based at least in part on one or more original works. For example, version 2.0 of a software program is a derivative of version 1.0 if any of the code in 2.0 is based on the 1.0 code. Recall that one of the requirements of most OSS licenses is that they require you to distribute derivatives of the OSS under the same license terms as the original. That generally means that if your object code contains OSS, you have to distribute the source code for the entire program when you distribute the object code. Most start-ups that intend to license their software do not want to provide their "secret sauce" by providing the source code as well!
To avoid having to distribute all of your source code, start-ups should take care to "silo" the OSS code from their proprietary code or, if the OSS is in the form of libraries, use dynamic linking instead of static linking. Both of these at least create an argument that the OSS code is separate from the proprietary code, and as such, only the OSS source code has to be distributed. To be able to make this argument, however, a start-up has to first be mindful of its OSS use. Each OSS use should be intended and compliant. For example, start-ups should keep an inventory of all OSS they use. If they are not sure, there are automated tools and proprietary OSS databases (like Black Duck Software) that can help parse code and identify OSS components. Start-ups should have a designated person who approves all OSS use and how it is handled and modified in conjunction with the start-up's offering.
Note that you don't generally have to worry about OSS distribution risks if your business model is based on software-as-a-service or a cloud offering. That is because if you are not distributing your code that contains OSS, but instead are making it available over the internet as a service, the OSS source code distribution requirement is not applicable. And, worth mentioning, companies can still charge license fees for products that contain some OSS, with the argument you are not charging for the OSS portion, but are charging for the entirety of the product offering including your proprietary code.
Bottom line is OSS is good and has benefits, but be mindful of the risks highlighted above. Your startup will be the better for it. If you have any questions from here, feel free to reach out to Christopher directly at 312-832-4553 or ccain@foley.com, and you can follow him on Twitter at @chrisccain.
For future posts, please follow me at: www.twitter.com/georgedeeb.