Over the past decade, open source software has transformed from a perceived collection of amateur side-projects into an enterprise-level stack of applications. Among the growing pains in this transition are emerging concerns regarding intellectual property risks and vulnerabilities in developing and deploying open source software. This article identifies some of these risks and examines ways to mitigate uncertainty and potential patent exposure with open source software.
What is Open Source Software?
"Open source" software comprises any software released under a license meeting the "Open Source Definition" promulgated by the Open Source Initiative. The GNU General Public License ("GPL") and the Berkeley Software Distribution ("BSD") license are two examples of common open source licenses. Software meeting the Open Source Definition allows for free redistribution of compiled object code and human-readable source code, access to source code, and the right to create derivative works. Whereas object code is extremely difficult to modify, source code can readily be examined and modified by experienced programmers to create new software applications.
Open source projects and applications have gathered popular support in almost every area of the technology industry. Examples of prolific open source projects include the Apache web server from the Apache Foundation and the GNU/Linux ("Linux") operating system. The Apache web server is touted as the world’s most used web server. The Linux operating system, first developed by hobbyists as a UNIX clone for the PC, has now become an operating system of choice for many enterprise-level application bundles. Linux is even growing into such areas as embedded systems, handheld devices, and distributed computing.
The popularity of open source software lies not just in the ability to modify source code, but also in the underlying ownership and development structure. For example, products licensed under the GPL must provide the underlying source code and same modification rights as provided in the original license. Such a system departs substantially from the traditional proprietary software model, in which companies only distribute object code applications without any modification rights. Thus, open source licenses (like the GPL) provide software consumers with unique options and flexibility. For example, if an open source product vendor goes out of business or becomes an untenable proprietor, customers can freely take their business and the product’s source code elsewhere. A customer could seek alternate vendors who would use the source code to support the customer’s open source products. Customers could alternately take an open source software application in-house, and use internal programmers to further develop and support the software.
Open Source Tensions in the Software Marketplace
As open source applications gain popularity, many proprietary software vendors are facing market challenges from open source vendors who pursue revenue from support and services instead of from product sales. The reaction in the software industry to the market emergence of open source software has been mixed. A number of software companies are growing around core open source technologies, such as Red Hat, which provides an enterprise Linux distribution. Some traditionally closed-source companies have now added open source software offerings as a complement to their proprietary software products. Many of the remaining proprietary software vendors have taken a strong stance against open source software. Most notably, Microsoft has launched a marketing campaign touting the Linux operating system as less secure than comparable Windows products. Microsoft has gone so far as to call the underlying license in Linux (the GPL) a "cancer that attaches itself in an intellectual property sense to everything it touches" because modifications to redistributed software applications originally licensed under the GPL generally must be publicly released in source code form.
Emerging Patent Threats and Legal Uncertainty
As open source software becomes more widespread and profitable, intellectual property risks such as patent infringement claims are growing as well. In 2004, Dan Ravicher of the Public Patent Foundation conducted a patent analysis of the Linux kernel for Open Source Risk Management, an intellectual property insurer. Ravicher’s study found "283 issued but not yet court-validated software patents that, if upheld as valid by the courts, could potentially be used to support patent claims against Linux." Companies that presently promote or distribute Linux own many of the patents in the study. However, many other patents in the study are held by parties with no direct incentive to preclude them from asserting patents against Linux products, including Microsoft (which owns 27 of the patents).
At the same time, many worry that closed source companies could institute patent infringement lawsuits against open source software distributors or developers. The responses to such patent infringement risks have been varied. In January 2004, industry group Open Source Development Labs set up a legal fund to defend the Linux operating system against intellectual property lawsuits. Subsequently, in an effort to provide a safe haven of sorts, many large software developers have pledged not to assert portions of their patent portfolios against open source products. And, other open source distributors have pledged to use their own patents to defend the open source products that they ship. But, these developments do not eliminate the prospective patent risks in open source.
In light of these tensions and uncertainty, a growing concern in the industry is whether the pursuit of open source software simply carries too great of a patent infringement risk. In one sense, open source software is no more at risk from patent infringement exposure than analogous and similarly-functioning proprietary software products. However, open source software presents a unique liability situation in a few regards. First, there is often no central point of responsibility for a product, particularly when it comes to legal issues. Open source software is most often developed by a collection of decentralized individual volunteers and interested companies. In response, many open source vendors have contemplated intellectual property indemnification for the open source software products that they offer. Second, accepting a patent license or settlement may limit an open source software distributor’s ability to subsequently offer the open source products at issue. For example, Section 7 of the GPL provides that if as a result of a patent infringement claim conditions are imposed on an open source product that are contrary to any condition of the GPL (such as royalty-free redistribution), and the open source distributor cannot satisfy both obligations, then the GPL prevents any further distribution of the open source product. Third, potential patent plaintiffs have an evidentiary advantage in pre-litigation assessments of patent infringement in open source software. Because open source software contains the entire underlying source code, and often contains detailed logs indicating added features and dates, a party investigating patent infringement has access to the "guts" of a potentially infringing product before any discovery has commenced, and before any lawsuit has been initiated. Finally, open source software faces clouds of uncertainty and yet-to-be-raised legal issues on the horizon because, for the most part, open source products have not yet encountered multitudes of patent infringement threats and lawsuits met by their proprietary closed-source software counterparts through the years.
Avenues for Reducing Open Source Patent Risks
Companies interested in pursuing open source software distribution or development should evaluate whether the potential intellectual property risks outweigh the unique benefits of open source software, and what specific steps can be taken to mitigate these risks. Initially, software customers can look to their open source vendor to see if the vendor will assume indemnification against patent infringement lawsuits. Indemnification becomes a more complicated issue when a customer wishes to modify the open source product further. Prospective software customers should carefully examine scenarios in which the company’s modifications to open source software might terminate patent indemnification provisions. As an alternative, open source software customers can purchase intellectual property insurance through third party vendors. Open Source Risk Management now offers patent infringement indemnification for enterprise Linux users. Another useful step that software customers and distributors can perform is an intellectual property risk assessment of the specific open source software components that could give rise to potential liability. A company can then decide whether to pursue open source software on a component-by-component basis. If, for example, a company only wishes to distribute the Apache web server, a narrow patent risk assessment could be conducted. For a company considering distribution of the Linux operating system (which contains a substantial number of individual components and technologies), a risk assessment of a much larger scope would be appropriate. The risk assessment option is very sensible for companies only intending to distribute or utilize a limited number of open source components, and for companies that wish to deploy open source software where only a few components of the software cannot be otherwise indemnified.
Even in the case of patent assertion or litigation, companies may have unique risk mitigation opportunities with open source software. A patent owner may be amenable to an open source-specific license that is acceptable to both patent owner and open source software customers and distributors. For example, open source software distributors seeking to maintain their ability to continue distribution of open source software royalty-free pursuant to the GPL may compensate a patent owner in return for a royalty-free license to open source users under the GPL or other specific license. As another alternative, software customers and distributors wary of potential liability or faced with an adverse judgment can re-design their open source products in a non-infringing manner. One unique advantage of open source software is an unrestricted ability to "design-around" a patent by using freely available and readily modified source code. An open source customer or vendor faced with a blocking patent may internally develop or commission a third party to modify a non-infringing substitute for the specific infringing component of an open source software product.
Open source software presents a new and challenging form of development and distribution for the software industry, with many substantial intellectual property issues still in a state of uncertainty. However, a careful analysis of the specific legal risks in open source and an evaluation of the unique advantages and drawbacks of the open source licensing and development models may provide hesitant companies with the confidence to deploy or develop open source software.