Open source software – What are the risks?
by Waldo Steyn - [email protected] -
During January 2011 Gartner, Inc. (a technology research and advisory company) published a report entitled “Survey Analysis: Overview of Preferences and Practices in the Adoption and Usage of Open-Source Software” that surveyed 547 information technology leaders in organizations in eleven countries.
According to the survey:
- 22% of the entities surveyed were adopting open source software consistently in all departments; and
- 46% of the entities surveyed used open source software in specific departments and projects.
Gartner predicted that by the middle of 2012, 30% of the overall software portfolios of organizations will be accounted for by open source software.
According to the survey, open source software is clearly becoming an increasingly large contributor to software portfolios of organizations, a conclusion supported by the numerous public enterprise entities throughout the world formulating procurement strategies that require the consideration of open source software as an alternative to vendor specific software solutions.
DEFINING OPEN SOURCE SOFTWARE
The meaning of the term “open source” remains in a stage of constant change. The Open Source Initiative (OSI), a non-profit organization for the open source community, describes “open source” as:
“… a development method for software that harnesses the power of distributed peer review and transparency of process. The promise of open source is better quality, higher reliability, more flexibility, lower cost, and an end to predatory vendor lock-in.”
OSI provides a useful definition of open source software by setting out the licensing conditions under which software must be released to be considered “open source”. This definition includes the following elements:
- free redistribution of software;
- allowing distribution in source code and compiled form;
- allowing modifications and derived works to be made/created;
- permitting distribution of software built from modified source code;
- no discrimination against persons, groups or fields of endeavor; and
- no dependence or restriction on the program being part of a particular software distribution.
BENEFITS OF OPEN SOURCE SOFTWARE
According to a Computerworld survey of 143 information technology professionals (reported in an article on 10 May 2010 by Brandel, M. entitled “Open-source software’s hidden snags”), 80% of those surveyed cited cost saving as the number one benefit of open source software. The appeal of open source software is, however, not limited to the apparent cost savings that may be associated with it, but also includes a higher level of flexibility, faster solution delivery times and swifter responses to required solution updates. A guide published by the Australian Government during March 2011 entitled “A Guide to Open Source Software for Australian Government Agencies” cites the following as benefits of using open source software:
- There is usually no upfront payment;
- It encourages a competitive market for support services;
- There are fewer restrictions on the users of the software;
- It may reduce vendor lock-in;
- It allows users to view and modify source-code;
- It allows users to take advantage of improved functionality of new releases more rapidly; and
- It may increase interoperability by inter alia reducing the cost of integration.
RISKS ASSOCIATED WITH OPEN SOURCE
Intellectual Property Ownership
The term “copyleft” was created as a play on the term “copyright” and captures the “open” philosophy of the open source community as it relates to the ownership and “restriction” of the use of copyrighted works. The term “copyleft” (which is also sometimes referred to as “reciprocity”) reflects the use of copyrights to ensure that works derived from open source licensed software code are made available to the open source community.
Copyleft is included to various degrees in different forms of open source license agreements and it is accordingly of particular importance to carefully consider the nature of the open source license in terms of which open source software is procured. There are a number of different license models including the General Public License, the Lesser General Public License, BSD-Style licenses and Permissive Licenses. Depending on the terms of the relevant license, how a licensee is entitled to act with software code derived from the open source software will be dependent on the nature of the relevant license.
In terms of, for example, a General Public License, licensees are required to submit the code of the software they developed as derivative works from the original licensed open source software back to the open source community. Clearly, this approach is in line with the “open” philosophy of the open source community and brings with it the benefits of having a large General Public License open source community. The implication when combining open source software with other software however, may include an obligation on the licensee to reveal the code for the whole “combined software work” to the open source community – meaning possibly giving access to competitors to proprietary source code.
Any proposed use of open source software should accordingly take into consideration the terms of the licenses under which the open source software will be used. Those terms and the obligations on the licensee must be aligned with the general commercial goals of the licensee and the specific nature of the solution the open source software is considered for.
Warranties and Indemnities
Software code is protected through the intellectual property rights associated with the code. In commercial software license relationships, it is the right to authorize third parties to use those intellectual property rights that underpin the commercial relationship. Where a party is incurring a significant expense when acquiring the right to use software, it expects the owner of that software to provide it with (i) a warranty that the use of that software will not infringe the intellectual property rights of a third party and/or (ii) an indemnity in the event that an action is brought against the licensee for the infringement of third party rights.
In the case of open source software, the relevant license terms are structured in a way that affords little protection to licensees. Typical open source software licenses do not include intellectual property warranties and indemnities in favour of the licensees. Considering that open source software projects comprise a development process that creates numerous opportunities for contributors to introduce infringing code, it is understandable why such provisions are not included. However, at the same time it compounds the risk of a possible claim of intellectual property right infringement.
When considering the absence of such warranties and indemnities from a practical point of view, it can be concluded that it will in any event be challenging to recover anything against an open source software licensor in a case of intellectual property right infringement, as many of the open source software projects appear to be owned by entities with little financial/capital substance.
Fitness for Purpose and Quality
Another legal risk to consider is the absence of representations of fitness for a particular purpose or quality of the software. Open source software licenses do not contain such provisions and licensees will have to consider the risks associated with software errors and possibly viruses that may impact business operations from a commercial point of view.
Despite the many apparent benefits of the use of open source software, it is important for organisations to be aware of the risks associated with the use thereof. Most notably, such use is not unconditional, but subject to licenses, the terms of which have been successfully enforced in for example the United States of America.
With continued economic pressures on organisations, it is to be expected that the appeal of the use of open source software will increase as a possible cost saving strategy. If such a strategy is to be pursued, (assuming it is in alignment with the commercial purpose of an enterprise) it is advisable that a specific open source software use and risk management policy be formulated. Such a policy may, as a minimum, require:
Identification of the relevant open source license;
- A review of the legal obligations related to the use of the open source software;
- An analysis of the legal risks associated with the use of the open source software;
- An analysis of the commercial risks associated with the use of the open source software; and
- An analysis of the business requirements and ongoing costs associated with the maintenance of the open source software or related solution.
Open source software appears to offer real benefits and may present a feasible alternative to vendor specific software. However, just like in the case of the procurement of vendor specific software, organisations need to carefully assess the legal and commercial implications of the use of open source software.