Open-Source Software – the Importance of Good Governance
In recent years, Open-Source Software (“OSS”) has become deeply integrated into the technological landscape, providing organisations with cost-effective solutions and encouraging innovation. However, as organisations progressively adopt OSS, it is crucial that they understand the legal aspects of, and the risks associated with, its use.
What is OSS?
OSS is software where the source code is freely available to the public, allowing anyone to access, use, modify and distribute the code under a licence that defines the terms of its use. Popular examples of OSS include the Mozilla Firefox browser, the Apache web server, and the Linux operating system.
Although the concept of OSS can be traced back to the early days of computing, OSS was not widely used for many years, as it was seen as detrimental to the intellectual property rights of developers. The pivotal moment for OSS occurred in the 1980s with the initiation of the GNU project by Richard Stallman, with the aim of creating a free and open-source operating system. The term “open source” itself only gained prominence in the late 1990s, following the emergence of the Linux open-source operating system in 1991.
OSS Licences
OSS licences come in many different shapes and sizes, but they are all typically concerned with granting users certain freedoms, including freedom of use and access to the source code. However, that does not mean that the rights to use the code are unrestricted. Some licences impose obligations ranging from maintaining a log documenting any changes made to the source code to buying the licensor a beer if the parties ever meet in person (the Beerware Licence).
OSS licences can be broadly grouped into two distinct categories, namely:
- Permissive licences - Permissive OSS licences usually require that any distribution of the original OSS adheres to the same terms under which it was initially provided. These licences are designed to align with commercial proprietary software licences, allowing licensees the freedom to modify, adapt and integrate open-source code with proprietary code. Crucially, permissive licences do not impose restrictions on any such modifications, which gives licensees the flexibility to license their derivative works without limitation. Popular examples of permissive licences include the MIT and Apache licences.
- Restrictive licences (also referred to as “Copyleft” licences) - Copyleft OSS licences, such as the GNU General Public Licence, are designed to ensure that any derivative works remain open source. These licences impose limitations and/or conditions when the OSS is modified, adapted or integrated with other code, whether proprietary or other OSS. Although the specific licence terms differ in each case, Copyleft licences extend (to a certain degree) beyond the original OSS to any derivative work created from it. This can be concerning for organisations integrating Copyleft OSS with their proprietary software, as it potentially exposes their proprietary software to the terms of the original OSS licence.
The Open Source Initiative (“OSI”) is a non-profit organisation which introduced a set of rules that define OSS, namely “the Open Source Definition”. OSI is responsible for approving licences that comply with the Open Source Definition, and although the number of licences being approved per year has decreased, the total number of approved licences grows each year. The sheer number of different OSS licences, coupled with the extensive array of individually licensed OSS components, makes it increasingly challenging to evaluate the risks associated with a specific OSS product.
Potential Risks
The use of OSS offers many benefits, including cost-effectiveness and speed of release, which are particularly valuable to start-ups. As a result, almost all companies now use OSS in one way or another, commonly without any processes in place to control and manage the risks associated with its use.
The Synopsys 2023 Open Source Security and Risk Analysis examined over 1,700 commercial codebases across 17 industries and revealed that over 96% of codebases contained some OSS, and that OSS represented over 76% of the code within those codebases. Significantly, it was also reported that 54% of all codebases had licence conflicts, 31% contained OSS which had no licence, and 87% had security risks identified.
Some of the most prevalent risks associated with the inappropriate utilisation of OSS include:
- Non-compliance – all OSS licences come with varying terms, and failure to comply with these terms can lead to legal consequences and may affect the reputation of an organisation. This is particularly important in the context of copyleft licences due to the plethora of potential restrictions contained therein, including the requirement to redistribute derivative works, which may include limitations on commercialisation.
- Cyber-security issues – OSS, whether used under a permissive or copyleft licence, is susceptible to cyber threats and can pose a risk of data breaches, especially if the organisation does not have a full inventory of the OSS used in its software. An illustrative example is the Equifax incident of 2017, in which the personal data of 143 million individuals was compromised due to the organisation’s reliance on a vulnerable version of Apache Struts.
- Risk of infringement of third-party intellectual property rights – OSS licences often come with limited warranties and offer no protection against liability for infringement. Consequently, if OSS containing infringing material is combined with other software, for instance the proprietary software of the organisation, there is an increased risk of the organisation becoming subject to a claim for infringement of a third party’s intellectual property rights.
- Ambiguity relating to ownership – some open-source projects involve contributions from multiple individuals or entities, which makes it challenging to determine the ownership of specific code components and can lead to disputes over intellectual property rights. From the perspective of organisations involved in the development of software, developers should be wary when using OSS in their proprietary code, specifically OSS under copyleft licences, as the terms of such a licence may compel the organisation to grant public access to source code which it originally intended to keep proprietary.
How can you manage the risk?
Regardless of whether your organisation uses OSS solely for internal purposes with no plans for external distribution, or develops software incorporating OSS for the purposes of distribution, implementing effective safeguards is crucial to avoid legal and security risks. Although the needs of each organisation will be unique, some of the key safeguards include:
- Review of the OSS licences – a thorough review ensures that organisations understand their obligations under the relevant OSS licences, particularly in the context of copyleft licences, which may impose unwanted restrictions on the use of the OSS. The open-source ecosystem comprises a plethora of unique licences, and a diligent review ensures that the chosen licence aligns with the needs and objectives of the business, especially in terms of its interaction with the proprietary code.
- Governance structure – organisations should implement and regularly review two key documents which set out how the use of OSS will be governed, namely:
  - A Strategy Statement outlining what the organisation wants to achieve by using OSS, how compliance will be balanced with achieving those objectives, and how the OSS will be monitored and controlled alongside proprietary software.
  - A Policy Statement which will be incorporated into the organisation’s terms of employment, aimed particularly at employees and contractors responsible for product design, launch and support, to ensure that each individual involved fully understands their duties, including specific approval processes, and their obligations under the relevant OSS licences. Such policies should also be accompanied by regular training programmes.
- Documentation and audits – organisations should maintain detailed documentation of all open-source components used, including the applicable OSS licences. Regular code audits should also be carried out.
Conclusion
Organisations face a complex challenge in navigating the legal aspects of OSS. By prioritising licence compliance, addressing intellectual property considerations, and implementing strong risk mitigation strategies, organisations can maximise the benefits of open-source innovation while minimising the potential risks.
If you would like any further information or advice, please contact Patrycja Paszewska from our Commercial team.
*This information is for guidance purposes only and does not constitute, nor should be regarded, as a substitute for taking legal advice that is tailored to your circumstances.