Open Source License Compliance in the Cloud (CELESQ) (October 2012)

Copyright 2012 Bryan Cave
October 24, 2012
Jason D. Haislmaier
jason.haislmaier@bryancave.com
@haislmaier
Open Source Software License ComplianceOpen Source Software License Compliance
in Cloud Computingin Cloud Computing

Open Source Software
This presentation is intended for general informational purposes only and should not
be construed as legal advice or legal opinion on any specific facts or circumstances,
nor is it intended to address specific legal compliance issues that may arise in
particular circumstances. Please consult counsel concerning your own situation and
any specific legal questions you may have.
The thoughts and opinions expressed in this presentation are those of the individual
presenters and do not necessarily reflect the official or unofficial thoughts or opinions
of their employers.
For further information regarding this presentation, please contact the presenter(s)
listed in the presentation.
Unless otherwise noted, all original content in this presentation is licensed under the
Creative Commons Creative Commons Attribution-Share Alike 3.0 United States
License available at: http://creativecommons.org/licenses/by-sa/3.0/us.
Disclaimer and Rights

Who’s using open source?
Who’s using cloud computing?

Who’s using cloud computing?in cloud computing?

Who’s using cloud computing?
not
in cloud computing?
Not just use but reliance

What is it?
Cloud
Many definitions, key characteristics

Why
“Cloud?”CloudCloud
What is Cloud Computing?

Cloud

Steve Ballmer
CEO,
Speaking at a Microsoft
event in Singapore
“I'm not sure my goal for today is going to be to
actually explain it to you, but I do want to make
sure that people understand that I think everybody
in our industry accepts it's the next major
transition point in terms of how IT gets done.”

NIST Definition
• Initial NIST draft definition – April 2009
• Final NIST definition – September 2011
Cloud computing is a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers,
storage, applications, and services) that can be rapidly
provisioned and released with minimal management effort or
service provider interaction. This cloud model is composed of
five essential characteristics, three service models, and four
deployment models.

NIST Definition - Essential Characteristics
• On-demand/self-service
• Broad network access
• Standard access mechanisms
– Thin client (e.g., browser) or thick client (e.g., program interface)
– Multiple devices (e.g., mobile phones, tablets, laptops, workstations)
• Resource pooling (multi-tenant model) and location independence
• Rapid elasticity in provisioning and release
• Measured service (resource usage is monitored, controlled,
and reported)

NIST Definition - Service Models
• Software as a Service (SaaS)
– Standard applications running on a cloud infrastructure
– Accessible through various devices
– Consumer does not manage or control the underlying cloud infrastructure
• Platform as a Service (PaaS)
– Consumer-created or acquired applications deployed on a cloud infrastructure
• Infrastructure as a Service (IaaS)
– Consumer-created or acquired software deployed on consumer-provisioned
cloud computing resources (e.g., processing, storage, networks, etc.)
– But does control operating systems, storage, and deployed software

NIST Definition - Deployment Models
• Private cloud
– Provisioned for exclusive use by a single organization
– May include multiple consumers (e.g., business units) within that organization
– Owned, managed, and operated by the organization or by a third party
• Community cloud
– Provisioned for exclusive use by multiple organizations having shared concerns
(e.g., mission, security, policy, privacy, or compliance)
– Owned, managed, and operated by the organizations or by a third party
• Public cloud
– Provisioned for use by the general public
– Owned, managed, and operated by the organization providing the service
• Hybrid cloud
– Two or more distinct cloud infrastructures (private, community, or public)
– Interfaced to enable data and application portability

“network access”

“client”
“provider”
“vendor”

“thin client”
“thick client”

“location independence”
“on or off premises”

Distribution of “software”
Distribution of “functionality”

Transparency and Understanding

Know your “Cloud”

Cloud
Open Source in the Cloud

Why does distribution matter?
Open Source Licenses

Distribution occurs via:
• Sub is sold to 3rd party
• Software shared with “partner”
during further development
• Change in technical or business
model requires use by end users
• Permissions granted by OSS licenses are dependent on the
way in which the OSS is used
• Be wary of changes in the use of OSS over its lifecycle
In-license of
OSS under GPL
• Revisions made to OSS
• Linked to or bundled with
proprietary code
Use by wholly
owned sub
• Initial analysis is important
• Equally important to refresh when use changes
Internal Use
Changing Use of OSS
Legal Issues

Open source software is
licensed software
Open source licenses
make the software “open source”

Open source licenses are
dependent on copyright laws
Open source licenses are
not anti-copyright

“Copyleft”
All Rights Reversed
Copyright
All Rights Reserved

• Open source software licensing has arisen (at least in part) as a
response to the advance of copyright law
• In the US, this is the Copyright Act of 1976 (17 U.S.C. §§ 101 – 810)
• Under the Copyright Act, a copyright attaches to “original works of
authorship, fixed in a tangible medium of expression” (See § 102)
• The Copyright Act allows only very narrow means for an author to
“opt-out” of receiving a copyright on an otherwise copyrightable work
• Computer software is generally viewed as being potentially
copyrightable subject matter
Open Source Licenses Depend on Copyright

• Open source licensing relies on the ability of a copyright owner to
choose how to enforce (or not enforce) the copyright in his or her
software
• Each open source license is intended to act as a set of permissions
(and restrictions) granted by a copyright owner under their copyright
• Like most licenses (or contracts), open source licenses have limits
• Unlike proprietary licenses, these limits generally allow for more
“open” or “free” use of the software
• The limits of each open source license comply with a document
called the “Open Source Definition”
Open Source Licenses Depend on Copyright

• The “Open Source Definition” (OSD) articulates the
“distribution terms” with which licenses must comply
to be considered “open source”
– Availability of source code
– Free redistribution
– Availability of “derived works”
– Integrity of the author’s source code
– No discrimination against persons or groups
– No discrimination against fields of endeavor
– License must travel with the software
– License not dependent on particular software distribution
– License does not restrict other software
– License technology neutral
• Used by the Open Source Initiative (OSI) to approve licenses as
“open source”
The Open Source Definition

Approved Open Source Licenses
• The OSI maintains a program to approve licenses as compliant
with the OSD
• Nearly 70 different licenses approved as “open source” by the OSI
– All implement the OSD, each with its own specific terms
– One definition, many different types of licenses
• Many more unapproved “open source” licenses exist
– Never formally approved by the OSI, but comply with the OSD
– Still refer to themselves (and referred to by others) as “open source”
• Many other licenses are referred to as “open source” but are anything but
– Perhaps based in some part on the OSD or on an OSI-approved license
– No guarantee of compliance with the OSD

Just how different
are open source licenses?

CopyleftAcademic
Very
Permissive
• Berkley Software
Distribution License
(BSD)
• MIT License
• W3C
Less
Permissive
• Apache Software
License
• Eclipse Public License
• Artistic License
Less
Restrictive
• Mozilla Public License
(MPL)
• Common
Development and
Distribution License
(CDDL)
• Common Public
License (CPL)
• IBM Public License
More
Restrictive
• GNU GPL v2
• GNU GPL v3
• GNU LGPL v2.1
• GNU LGPL v3
• Affero GPL v3
Many Varied Consequences

Example: BSD License
• Triggered by “Redistribution" and use”
• Express conditions apply to “redistributions”
• Does it matter given the permissive nature of the BSD?

Example: Apache License (v2.0)
• Permits the ability to “freely download and use”
the covered software
• Express conditions are triggered upon
redistribution

Example: Mozilla Public License (v1.1)
• Does not apply to “private modification and distribution”
• “Private” includes “inside a company or organization”
• Does not clarify what counts as “inside”

Example: Mozilla Public License (v2.0)
• Does not apply to “private modification and distribution”
• “Private” includes “inside a company or organization”
• Does not clarify what counts as “inside”

Example: GPLv2
• Triggered by distribution
• Merely running the program for internal use is not restricted

Increasingly, it’s not
just about “distribution”

Example: GPLv3
• Not triggered directly by a “distribution” but by a “conveyance”
• Conveyances expressly exclude
– Executing on a computer or making a “private” copy
– Use over a network

“So doesn’t this mean that the GPL
is the new BSD license. . . and that
Google is the new Microsoft ?”
Bradley Kuhn
Former executive director of the FSF

Example: AGPLv3
• Expressly covers use over a network
• Treats use over a network as a conveyance is treated under GPLv3
(or as a distribution is treated under GPLv2)

What constitutes a
“distribution” of software?

• In the U.S., the Copyright Act provides copyright owners with
five exclusive rights (See §106)
– Reproduce
– Distribute
– Display (publicly)
– Perform (publicly)
– Prepare derivative works
• “Distribution” itself is not defined by the Act
• But the Act does provide some guidance
• The right of “distribution” is framed by additional language in §106
– Distribution of copies (or phonorecords)
– To the public
– By transfer (sale, rental, lease, or lending)
Distribution Under Copyright Law

• A “publication” is defined in §101 of the Act
• Requires the exchange of an actual physical copy
• The Act links the two terms
– States that offering to distribute copies to others “for purposes of further
distribution” constitutes a publication (§101)
– Contrasts publication from a public performance or display
• Courts have also likened the right of distribution to a publication
(See, e.g., Harper & Row v. Nations Enterprises, 471 U.S. 539 (1985))
• History of the Act also supports a connection between the two terms
(prior versions of U.S. copyright law prior to the Copyright Act of 1976)
• Attempts to extend the definition of “distribution” to include “making
available” (without the exchange of an actual physical copy) have met with
resistance from the courts
• This can be very country specific

“I know it when I see it”
Justice Potter Stewart
Jacobellis v. Ohio, 378 U.S. 184, 197 (1964)
(Concurring)

Internal use
by employees
Traditional
software licenses
D iD i s ts t r ir i b ub u t it i o no n
Internal subcontractors
Outside consultants
Subsidiaries
Partially-owned Affiliates
Outsourcers
Web hosting providers
Co-location providers
Leases and loans
Demos
Joint Venture “Partners”
Mergers
Acquisitions

What are the consequences
of a distribution?

• GPLv2 covers the program licensed under GPLv2 and
“works based on the program”
• Requires works in whole or in part “derived from the Program” to be
licensed under the terms of the GPL
Example: GPLv2

• Refers to a “derivative work” under applicable copyright law as a guide
• Also provides its own interpretation of what would be included as a
“work based on the program”
Example: GPLv2

Many (many, many)
questions of interpretation

• GPLv2 sets multiple boundaries
– Triggered by a “distribution”
– Allows modification to form a “work based on the Program”
– Requires a work that “in whole or in part contains or is derived from the
Program” to be subject to the GPL
• Does not fully define these terms
• Refers to applicable copyright law for aid in providing definitions
• Copyright law is also not well-defined as it relates to these terms
(particularly in the context of software)
Example: GPLv2

• Multiple interpretations and understandings have emerged
– Free Software Foundation and other open source groups
– Open source legal community
– Very limited court decisions regarding open source
– Court decisions in other areas of copyright law
• Relatively little dispute at either end of the spectrum
• Uncertainty exists in the many variations in-between
• Cloud implementations add additional variations
• Even “accepted” interpretations are highly fact-dependent
Example: GPLv2

• Copyright law gives the copyright owner power to enforce their copyright
• Issuing licenses is part of this power
• The copyright owner decides
– Whether to apply GPLv2 to their software
– How to interpret GPLv2 as applied to their software
– When and how to enforce GPLv2
• Court decisions apply (if they are available)
• Accepted interpretations and practices can carry weight
• Where the law is unclear and multiple reasonable interpretations exist, the
copyright owner has the power to decide which interpretation to adopt
Example: GPLv2

What happens when a difference in
interpretation occurs?

• Legally, open source is (still) all about the licenses
• Cloud computing puts the focus on different issues than traditional software
delivery models
• Distribution is an important issue, but is not the only concern
• Other traditional open source legal issues are still (very) relevant
• Interpretation of these issues requires an understanding of the “cloud”
• Focus on the core characteristics of the cloud
• Understand how those characteristics affect the interpretation of open
source licenses
• Premium (as always) on preemptive action
• Increased risks (and hassles) for unprepared companies
• Update existing open source compliance programs (before you are
required to do so)
Takeaways

Thank You.
Jason Haislmaier
Email: jason.haislmaier@bryancave.com
Twitter: @haislmaier
LinkedIn: http://www.linkedin.com/in/haislmaier

Open Source License Compliance in the Cloud (CELESQ) (October 2012)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Open Source License Compliance in the Cloud (CELESQ) (October 2012)

Similar to Open Source License Compliance in the Cloud (CELESQ) (October 2012) (20)

More from Jason Haislmaier

More from Jason Haislmaier (17)

Recently uploaded

Recently uploaded (20)

Open Source License Compliance in the Cloud (CELESQ) (October 2012)