Open-Source Software can affect your business: Risks involved and ways to avoid them
Updated: Aug 14
While most of us understand the concept of Open-Source Software and use it frequently, do we fully understand the magnitude of the risks and legal compliance obligations attached to its use? Let's take a common occurrence as an example. Rahul is a software developer on the team working on your company's app. Instead of coding from scratch and re-inventing the wheel, Rahul uses freely available open-source code that has already been written to perform that function. This accelerates development: Rahul has a ready base and only needs to modify the source code to add features or fix the parts that do not work properly. Can you relate to this?
What does not come out clearly is the downside of these simple, often inadvertent actions, which can cause irreparable loss to his organisation and attract legal liability. Every computer program, from the moment it is written, is protected by copyright by default. So whether the code is found on GitHub or Stack Overflow, it is automatically protected, and the law entitles the author to decide what others may do with it. This is why authors (the original developers) must grant explicit rights, in the form of a license, before anyone else can lawfully use, copy, modify, distribute or sell the software they have created. These licenses, however, come with conditions that limit the rights granted.
In addition, open-source licenses are typically self-executing: the license is accepted simply by using, modifying or redistributing the software, with no "I agree" button to click when downloading the source code. Because of this, even if the developer in our example had no explicit authority from the organisation to enter into the license, the principal and agent relationship between employer and employee means the developer would most likely be deemed to have apparent authority to accept the self-executing license on the organisation's behalf. The organisation then has to abide by the license terms, whether or not its management knows about them.
Most organisations in India do not have a formal policy for dealing with Open-Source Software. As a result, compliance issues are discovered at a much later stage, typically during due diligence for an expansion or restructuring, when the organisation is contractually required to confirm whether any Open-Source Software is used in its end product, or, worst of all, during related litigation. Dealing with these unforeseen issues not only causes unexpected financial loss and wasted time and effort but also attracts negative publicity and damages the organisation's reputation.
To summarise, an organisation can reap the benefits of open-source software only if it stays both compliant and secure. Below are five simple steps every organisation should follow to comply with Open-Source License requirements:
1- Formulate an Open-Source Software Policy. The best way is to have a clearly written and enforced Open-Source Software Policy. Typically, open-source policies sort licenses into go, caution and stop lists. Permissive licenses like MIT, BSD and Apache 2.0 allow users to use, modify and redistribute the code, including in proprietary products, subject only to retaining the copyright notice and license text that attribute the original authors (Apache 2.0 additionally requires carrying forward any NOTICE file and marking modified files as changed). Most companies therefore allow them with little or no approval. The challenge comes with copyleft licenses such as the GPL, under which users who distribute modified code must make the corresponding source available under the same license. Companies usually keep these on the caution list and permit them only after legal review. Network copyleft licenses like the AGPL, whose source-sharing obligation is triggered even by letting users interact with the software over a network rather than only by distribution, are generally placed on the stop list.
2- Track use of Open-Source Software with automation tools. Manually tracking Open-Source Software has become extremely difficult given the volume of open-source components in a modern code base. Every license also has different conditions, permissions and compatibility requirements, so identifying and tracking the compliance requirements of every license by hand is impractical. Software composition analysis (SCA) tools automate this: they inventory the open-source components in a build and report each component's license, compliance obligations, compatibility, known vulnerabilities, available version updates and related information.
3- Permit product release only after legal review. As mentioned above, most companies do not allow copyleft Open-Source Software without legal review, as it can adversely affect the proprietary software it is combined with. There is also a growing trend of copying code from online platforms like Stack Overflow, where snippets appear free and unlicensed but in reality carry their own terms; Stack Overflow, for example, licenses user contributions under Creative Commons Attribution-ShareAlike (CC BY-SA), whose share-alike condition behaves much like copyleft and was not written with software in mind. In such cases, reading the fine print is crucial. Conditions attached to Open-Source Software usually trigger upon distribution or third-party access, so all Open-Source Software incorporated in a product must be legally reviewed before the product is released to any third party.
4- Spread awareness amongst employees. It is also highly advisable to train employees, especially software developers, so that they understand the policy and the reasons for it, as well as the risks of non-compliance and of entering into license or related agreements without proper authority.
5- Set up a dedicated team of lawyers and engineers to ensure compliance. As explained above, most open-source licenses mainly require that license information and copyright notices be kept intact and that attribution notices identifying the copyright holder be provided. These are simple obligations that can be met without much effort or time. Additionally, an internal system to record the modifications your developers make to the software needs to be maintained, so that the source code can be made available and the other obligations of copyleft licenses can be met.
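The five steps above amount to a policy-driven release gate: a go/caution/stop list (step 1), an automated inventory of components (step 2), and a hold on release until distribution-triggered obligations have been reviewed (step 3). As an added example, not code from this article or from any particular SCA tool, the Python below applies such a gate to a constructed dependency inventory of the kind an SCA tool or SBOM would report. The bucket assignments, the SPDX identifiers on each list, the component names and the three distribution contexts ("internal", "binary", "network") are assumptions for illustration, not a legal opinion on any license.

```python
"""License-policy gate for a dependency inventory.

Added example for this article, not code from the article or from any tool.
The policy lists, component names and distribution contexts are assumptions.
Permissive licenses pass with notice-retention obligations, copyleft licenses
are held for legal review once the product reaches a third party, network
copyleft (AGPL) is always held, and unrecognised identifiers are treated as stop.
"""
from dataclasses import dataclass, field

# Policy buckets keyed by SPDX identifier (assumed policy, not a legal opinion).
GO = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}
CAUTION = {"GPL-2.0-only", "GPL-3.0-only", "LGPL-2.1-only", "LGPL-3.0-only",
           "MPL-2.0", "CC-BY-SA-4.0"}  # CC BY-SA is what Stack Overflow content carries
STOP = {"AGPL-3.0-only"}
RANK = {"go": 0, "caution": 1, "stop": 2}


@dataclass
class Component:
    name: str
    version: str
    license: str            # SPDX expression, e.g. "MIT OR GPL-2.0-only"
    modified: bool = False  # did our developers change the source?


@dataclass
class Finding:
    component: str
    license: str            # the license term(s) the policy actually applied
    bucket: str
    obligations: list = field(default_factory=list)
    blocks_release: bool = False


def bucket_for(spdx_id: str) -> str:
    if spdx_id in GO:
        return "go"
    if spdx_id in CAUTION:
        return "caution"
    return "stop"           # STOP list and unknown identifiers both need a human


def resolve_expression(expr: str) -> tuple:
    """Reduce an SPDX expression to (license_term, bucket).
    "A OR B" lets the user choose, so take the most permissive option;
    "A AND B" binds the user to both, so the strictest part decides."""
    if " OR " in expr:
        options = [o.strip() for o in expr.split(" OR ")]
        chosen = min(options, key=lambda o: RANK[bucket_for(o)])
        return chosen, bucket_for(chosen)
    if " AND " in expr:
        parts = [p.strip() for p in expr.split(" AND ")]
        strictest = max(parts, key=lambda p: RANK[bucket_for(p)])
        return expr, bucket_for(strictest)
    return expr, bucket_for(expr)


def evaluate(c: Component, distribution: str) -> Finding:
    """distribution: 'internal' (never leaves the organisation), 'binary'
    (shipped to customers) or 'network' (offered as a service to third parties)."""
    term, bucket = resolve_expression(c.license)
    terms = {p.strip() for p in term.split(" AND ")}
    f = Finding(c.name, term, bucket, ["retain copyright and license notices"])
    if "Apache-2.0" in terms:
        f.obligations.append("carry forward the NOTICE file")
        if c.modified:
            f.obligations.append("mark modified files as changed")
    if bucket == "caution":
        # Copyleft source obligations attach when the work reaches a third party.
        if distribution != "internal":
            f.obligations.append("provide corresponding source to recipients")
            if c.modified:
                f.obligations.append("license modifications under the same terms")
            f.blocks_release = True  # hold for legal review before release
    elif bucket == "stop":
        if terms & STOP:
            f.obligations.append("offer source to users interacting over a network")
        else:
            f.obligations.append("unrecognised license: identify the terms before use")
        f.blocks_release = True
    return f


def release_gate(components: list, distribution: str) -> tuple:
    """Return (release_allowed, findings) for one distribution context."""
    findings = [evaluate(c, distribution) for c in components]
    return not any(f.blocks_release for f in findings), findings


# Constructed sample inventory, in the shape an SCA tool or SBOM would report.
SAMPLE_INVENTORY = [
    Component("http-client", "2.31.0", "Apache-2.0", modified=True),
    Component("tiny-json", "1.0.2", "MIT OR GPL-2.0-only"),
    Component("cli-parser", "0.9.0", "GPL-3.0-only", modified=True),
    Component("sql-proxy", "4.2.0", "AGPL-3.0-only"),
    Component("forum-snippet", "n/a", "CC-BY-SA-4.0"),
    Component("old-vendor-lib", "3.1.4", "SEE LICENSE IN LICENSE.txt"),
]

if __name__ == "__main__":
    for ctx in ("internal", "binary"):
        ok, findings = release_gate(SAMPLE_INVENTORY, ctx)
        print(f"[{ctx}] release allowed: {ok}")
        for f in findings:
            flag = "HOLD" if f.blocks_release else "ok  "
            print(f"  {flag} {f.component:<15} {f.license:<28} {f.bucket:<8} "
                  + "; ".join(f.obligations))
```

Two design choices are worth noting. First, the same inventory passes or fails depending on how the product is delivered: a modified GPL component held only for internal use triggers no source-release obligation, but the moment the build is shipped as a binary the finding flips to a hold, which is the "conditions trigger upon distribution" point from step 3 made mechanical. Second, anything the policy does not recognise, including a bare "see LICENSE file" string, lands in the stop bucket rather than being silently waved through, because an unknown license is exactly the fine print step 3 says must be read. Dual-licensed components ("A OR B") are resolved to the option most favourable to the organisation, while conjunctions ("A AND B") are bound by their strictest term.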