The Myth and Promise of Open Source
When it comes to the legal foundations of open source, there is no spoon.
As a business attorney in a former life I represented debtors and creditors in judgement enforcement actions. This involves taking a final judgement from a court stating one party owes another party money and then enforcing it, a nice way of saying taking the losing party's money. This is called the post-judgement phase and can be a whole other lengthy court proceeding after a judge or jury issues their decision. The process often involves subpoenaing financial records and seizing assets through court procedures. My favorite asset I ever seized was a nightclub.
Civics lesson
Judgment enforcement, like many areas of the law in the United States, is guided by a large body of overlapping law, from state, federal, executive, legislative, and judicial sources. This is a consequence of our federal system in the US, which divides authority between the Federal and state governments, and the principle of separation of powers, which further divides authority between branches of government, executive, legislative, and judicial at the Federal and state level. The intent is to create a set of checks and balances that prevents any one branch or government from becoming too powerful, see Federalist No. 51:
[B]y so contriving the interior structure of the government as that its several constituent parts may, by their mutual relations, be the means of keeping each other in their proper places...
In my area of Georgia judgement enforcement law is derived from:
- The United States Constitution
- Legislation passed by the United States Congress and signed by the President
- Regulations and decisions issued by Federal administrative agencies, such as the Federal Trade Commission and Consumer Financial Protection Bureau
- Case law from the US Supreme Court interpreting statutes and regulations
- Case law from the US Eleventh Circuit Court of Appeals for Georgia, Alabama, and Florida
- Case law from the US District Court Middle District of Georgia, including Columbus, Macon, and Augusta
- Case law from the US Bankruptcy Court Middle District of Georgia
- The constitution of the State of Georgia
- Statues passed by the Georgia legislature and signed by the Governor
- Regulations and decisions issued by Georgia state agencies, such as the State Attorney General's office
- Case law from the Georgia Supreme Court and Georgia Court of Appeals interpreting all of the above (it is not uncommon for state court to have to apply Federal law and vice-versa)
- Federal Rules of Civil Procedure, the Uniform Rules of Superior Court in Georgia, and Local Rules adopted by each court.
The above collectively forms an ever-evolving and interlocking body of legal guidance used by businesses, attorneys, government agencies, and lower Federal and state courts in my area of Georgia. It combined addresses the most common legal issues that arise in judgement enforcement, from big questions about what types of business assets can be seized by creditors in a bankruptcy down to whether a UPS pickup scan is the same as a USPS postmark when mailing a legal notice.
You will notice that some of these sources of law listed above, such as the regional Eleventh Circuit Court of Appeal (covering Georgia, Alabama, and Florida), local US District Court (one of three in Georgia), and the state (one of 50 plus Puerto Rico, tribal courts, and various protectorates) will vary based on where you are in the United States. This is where things get complicated and is one reason why if you ask your lawyer a legal question more often than the answer is "It depends."
There is a nationwide set of law from the Constitution, Congress, Supreme Court, and executive agencies on the big issues. But below that, each state legislature, state court system, Circuit Court of Appeal, District Court have to develop their own unique statutes and case law to address routine mundane issues related to judgement enforcement. Just as in my area of Georgia this collective body of law will cover most of the common issues in just judgment enforcement, and indeed most areas of law, wherever you find yourself in the US.
This means that somewhere in every state the UPS pickup scan question will have been addressed by a state statute or court somewhere and there will be a citation on it all subsequent courts examining the question can point to. Notably this law is only applicable to the geographic jurisdiction of the courts and states it is developed in. States can only pass laws for their state and court decisions only become binding precedent in their geographic jurisdiction. A decision by the Eleventh Circuit Court of Appeals (covering Georgia, Alabama, and Florida) is not binding on a case in the Western District Court of Texas. So, law developed below the national level can vary based on where you are.
Yes, this does give rise to variations in the law. This is intended a feature though, not bug, because it allows states, agencies, and courts to find new and better policy approaches, subject to the checks and balances of the other levels and branches of government. It is the bazaar approach to government. It can have negative externalities at times. States attempted to reduce uncertainty in interstate business transactions in 1952, as consumer-fueled interstate commerce exploded. They did so by adopting the Uniform Commercial Code for business transactions. Just like software, the law benefits from having some common standards. There is an entire organization of legal experts that try to summarize the general consensus of state law and then work with state legislatures to adopt standardized legislation to improve uniformity. They are the ISO of the law.
When case law on a specific legal question arising in a lawsuit does not exist in a specific jurisdiction, case law will be created, usually by a federal Circuit Court, a state appellate court, or state Supreme Court in a court decision. It is developed by looking at higher court decisions, such as from the US Supreme Court, by applying canons of construction to statutes, and examining what other courts have done on similar issues. But a decision from another state or Circuit is not binding and frequently other cases are not really on the same issue, or on point. A Circuit can disagree with another Circuit, triggering a 'Circuit split' which then increases the chances of being taken up for review by the Supreme Court to resolve nationally, but until they do, it remains in place, different laws for different regions.
How, practically, do each state and Circuit manage to develop volumes of case law on judgement enforcement on all of these minor issues? Because hundreds of thousands of judgment enforcement actions are filed every year in state and District courts. The sheer number of cases guarantees a higher number of judicial opinions. The parties are incentivized to litigate high-value judgments. This means they will pay attorneys to appeal cases to courts that issue precedential opinions. Parties will also test new legal theories when they do not have any other approach, even attempt overturning entire sections of state law because occasionally it works.
The myth
Why the civics lesson? I saw several people weigh in on this tweet:
I have been thinking about this lately and responded:
This blog post has become a ridiculously long attempt to elaborate on this tweet and I applaud you for sticking around this long.
What I mean by 'we really don't know how legally enforceable open sources licenses...are' is that there are several fundamental unanswered legal questions surrounding the enforcement of terms of open source licenses, particularly the GPL:
- The GPL defers to copyright law. Whose? We assume the one in the United States, it is not specified. Does this mean a GPL copyright enforcement case in Germany should defer to Unites States copyright law? Does the court apply the definition of 'derivative work' used in the GPL or the one used under US law? If applying the definition under US law, which legal test of 'derivative work' should the German court apply, the 'abstraction, filtration, comparison' test used in most Circuit courts, or the 'analytic dissection' test in some other Circuit courts?
- Does the GPL meet the requirement of a signed contract under UCC § 2-201? If company A purchases GPL code from company B usually there will be a signature and, if not, if the product is delivered and paid for then the signature requirement is waived. But what if company A downloads GPL code from company B for free, modifies it, and then refuses to distribute the changes. In the absence of a signature or delivery and payment, can company A legally enforce the GPL terms?
- Is the GPL enforceable as a copyright license? That appears the original intent of the authors, a copyleft license. In some European jurisdictions the concept of a license does not exist though. Enforcing a US concept of copyright law in those countries might conflict with other laws, even free speech laws in those countries. If a defendant in a GPL violation case was able to successfully argue the GPL was invalid as a copyright license then their own rights to the software would revert to the right only to use the software and they would be liable for any copies they have redistributed just as if you sold copies of Windows on eBay.
- Is the disclaimer of liability in the GPL an adequate disclaimer of the warranty of merchantability, fitness for a purpose, and non-infringement required under UCC § 2-213, UCC § 2-315, and UCC § 2-312? If not, a GPL software vendor could still be held liable for bugs they are not responsible for in upstream GPL code they redistribute. The waiver of liability in most commercial software agreements tend to be much more detailed and all-encompassing than the GPL.
- The GPL is generally enforced as a contract. But how would the GPL fare in a state court which still actively apply privity of contract principles? Most Federal courts have moved away from privity of contract requirements but this common law requirement that there be a substantive connection between parties to a contract is still applied in state courts. If company A sold GPL software to company B who posted it online for free where company C downloaded it, modified it, and distributed it without the source, does company A have enough connect to company C to sue them to enforce the GPL?
- If the GPL is a contract, when it that contract entered? For enterprise users of GPL software, that is simple, when the contract with the vendor is signed. For users who download GPL software, is it effectively a 'shrinkwrap' or 'clickwrap' license? These are generally approved by courts for use of software after adequate notice. Is including the GPL text in download adequate notice? Not likely. But the GPL doesn't require assent for use of the software, only when it is copied or modified. Is referencing the GPL in the header of your source files sufficient notice of the GPL for developers making modifications?
- Could the GPL violate antitrust principles by encouraging a monopoly or serving on as a restraint of trade under the Sherman Act? Are large companies giving away open source software harmful to new proprietary software market entrants? Is the 'stickiness' of GPL terms a restraint on competitors using your code?
Despite all of these questions out there, there have only been a handful of legal decisions interpreting or applying terms of the GPL. A really small number for an industry and collective human effort as big as open source is.
The legal decisions on the GPL that do exist tend to only address a single issue related to the GPL, not the entire document. This is because by the time cases get to appellate courts the issues are usually narrowed to one or two important questions. It would be very unusual for an appellate court to reconsider all of the terms of a contract under dispute in an appeal.
Very few of GPL cases to date have resulted in a published binding court opinion that have any binding authority, most have been settled out of court. The court opinions that do exist have limited geographical jurisdictional scope in the US and are limited to a handful of states, for the reasons discussed above.
There are some general open source cases:
- Jacobsen v. Katzer, 535 F. 3d 1373 (Fed Cir. 2008) found that the defendant violated the Artistic License by copying work into commercial software products without the required notice. The court applied a copyright license theory to the case which, if applied to the GPL, could make enforcement impossible in some countries in Europe, particularly if those courts defer to US copyright law interpretation, which they might because the GPL does not specify which country's copyright law applies.
And cases involving the GPL specifically:
- Artifex Software, Inc. v. Hancom, Inc., Case No.16-cv-06982-JSC (N.D. Cal. Sep. 12, 2017) involving the GPL was settled, dismissed, and has no precedential value.
- Wallace v. International Business Machines Corp., 467 F.3d 1104 (7th Cir. 2006) in which the Seventh Circuit (Illinois, Indiana, Wisconsin) found that the GPL does not violate antitrust principles. This settles this one issue of the GPL in these three states in the US. It is still an open question in the other 47 states.
- Planetary Motion, Inc. v. Techsplosion, Inc., 261 F.3d 1188 (11th Cir. 2001) was a trademark in which the Eleventh Circuit (Georgia, Florida, and Alabama) found that that GPL software authors have trademark rights in their application name. This settled this one, GPL-related issue in these three states in the US. Another case in the Eleventh Circuit, Pitchford v. Aelitis, SAS, No. 8:12-CV-1897-T35-TGW, 2013 WL 12155928, at *4 (M.D. Fla. Apr. 11, 2013), held it was possible for a litigant to assert trademark ownership to a GPL application, and therefore declined to dismiss a case, but did not rule on the substance of the case before the parties settled and dismissed. These are the only two cases which reference the GPL in the entire the Eleventh Circuit.
- Free Software Foundation, Inc. v. Cisco Systems, Inc., Case No. 08-10764 (S.D.N.Y., filed December 11, 2008) involving the GPL was settled and dismissed and has no precedential value.
- The BusyBox cases in which BusyBox enforced the GPL terms of its software in the Southern District of New York. They filed against several device makers and retailers with the help of the Software Freedom Law Center. Almost all of these cases resulted in prompt settlements, none of which are binding precedent. One case resulted in a default judgment when Westinghouse didn't answer the lawsuit and as a result has limited precedential value.
There are major, ongoing cases involving aspects related to the GPL:
- SCO Grp., Inc. v. Int'l Bus. Machines Corp., in the Tenth Circuit Court of Appeals, originally filed in 2003, still ongoing, in which SCO has raised several of the issues with the GPL discussed above.
- Google LLC v. Oracle America Inc., recently heard in the US Supreme Court, over the ability to copyright API calls.
There are some more favorable cases regarding the GPL in Germany where the law makes it easier to form a contract, but these have no binding authority outside of Germany.
The end result though is that in most of the US there is no standing legal guidance on interpreting the GPL or other open source licenses, at all, at the state or Federal level, and nowhere near the amount of legal guidance available for other areas law, including other areas of intellectual property like music royalty law. Most other countries are in similar circumstances. We simply do not know the answers to fundamental questions raised about the GPL above. We tell each other what we think the GPL means but we don't really know how much of really sticks. And yet somehow, it does not seem to matter.
An industry estimated to be worth between 22 and 60 billion dollars annually has almost no legal precedent interpreting its fundamental legal documents. Compare this to the volume of law generated in each state and Circuit around judgment enforcement worth 11 billion dollars annually. How can an industry like open source function like it does, with their products in every smart phone and powering most websites, without the volumes of litigation like other industries?
The promise
Open source has survived without extensive litigation and government regulation for what I believe are three primary reasons:
- Shared values - Contributors to open source software have to agree to share their code with others. We can surmise they recognize some value from contributing to open source. Whether it is ideological, academic, or purely financial, all participants in open source have a common interest in ensuring the code that is out there remains open.
- Self-regulation - The vast majority of open source enforcement is done by the open source community itself, such as checking licensing terms and ensuring intellectual property compliance. Even when disputes do arise the vast majority of license disputes are settled without litigation and certainly before a decision is ordered in the case. Almost no party in open source, besides the zombie SCO case, have ever argued against the GPL.
- Good faith - Even the most highly competitive companies are able to cooperate around open source software. They not simply comply with terms of the GPL but often actively collaborate on code. Linux vendors push patches to projects hosted at other vendors. Microsoft contributes patches to Chromium. This requires that all parties act with and assume good faith.
Litigation simply isn't as necessary when you have people committed to a vision of open software, largely regulating their own conduct, and acting in good faith to push software development forward.
The vast majority of open source contributors do the right thing because we all tend to generally agree on what the right thing is when it comes to sharing our modified software. When people do the right thing you will have fewer disputes end up in litigation and even less being fought to the appellate courts.
The promise of open software is that it is something different from previous human endeavors, a new model of human cooperation, and that we can create, push, and share code and not be burdened with excessive litigation or government regulation. Open source is very much a thread of 90s tech libertarian utopianism that is alive and well.
The fine print
Okay, so how do attorneys and big corporations really manage the uncertainty of open source licensing?
Insurance.
Most enterprise contracts to purchase open source software include indemnification of the customer against copyright infringement claims. If the author of a package that is distributed in a Linux distribution attempts to sue a company that purchased Linux from a vendor under an enterprise contract then the vendor agrees to show up and defend them. More accurately the vendor's insurance company will hire lawyers to defend them.
Insurance companies are willing to underwrite these policies at rates that keep open source price-competitive with proprietary software precisely because there is so little open source litigation. As discussed above, almost all cases involving open source are settled before expensive trials and appeals.
The lack of legal certainty arising from the lack of a body of guiding legal precedent, which itself the result of the lack of litigation, is therefore mitigated by ease of obtaining insurance for open source products. This is made easy because there is so little expensive litigation. Thanks to the unique aspects of open source of shared values, self-regulation, and good faith.
tl;dr Open source doesn't have the body of laws interpreting the GPL you would expect of such an important part of modern life and for the size of the industry, but open doesn't need it because open source is special and also, we have insurance.
None of this is legal advice. If you have questions about the GPL you should consult a real lawyer. I recommend Marc Whipple.