Showing posts with label affero.

Friday, April 16, 2010

Breaking the International Log Jam: Cloud Computing and Open Source

Possibly the biggest challenge to the continued maturation of the open source and cloud technology industries is inconsistency in the treatment of legal and other issues across international borders. Great progress has been made on this front in the open source context both through community efforts, and by greater legal certainty from court decisions, legislation and government policies. While the cloud will benefit from the growing international consensus on open source, it differs in ways that create important limitations. We need a new international legal consensus for these technologies to continue their rapid evolution.

A. Open Source

Examples of the emerging international consensus on the validity of open source principles are becoming more common. Till Jaeger, a German attorney affiliated with the gpl-violations.org project, recently published an article on Groklaw entitled "Enforcement of the GNU GPL in Germany and Europe." What I found most striking is that both the types of issues arising in Germany and the manner in which they are adjudicated and resolved there have direct parallels with the United States. In fact, I recommend this article as an excellent educational tool or refresher on the specific aspects of the GPL most likely to lead to compliance issues, whether you are in the U.S., Europe or elsewhere.

The consensus is also evident in that governments are increasingly accepting, or even adding preferences for, open source as part of their procurement policies.  For example, in 2009, the United States State Department and President Obama's Administration made headlines in the IT world for making open source prominent parts of their IT objectives. Roberto Galoppini also recently reported on a ruling by the Italian Constitutional Court finding that an Italian state law preferring open source is acceptable under Italian law.  All these factors show that open source is becoming mainstream with remarkable consistency in treatment across international boundaries.

B. Cloud

At first glance, the growing international consensus on the legalities of open source and the tight link between the open source and cloud technologies would seem to indicate that the cloud will achieve similar consensus. Take the Affero GPL as an example: the license is both nearly identical to the familiar GPL, and is specifically targeted for the proliferation of technology in a cloud and networking context. Unfortunately, minor differences between the Affero GPL and the standard GPL require a significant rethinking of how terms like "conveyance," "distribution," "derivative work," "corresponding source code" and others should apply in a cloud context.

The cloud lacks international consistency in other ways too. Summarizing a 451 Group analysis, Charles Babcock at InformationWeek notes that U.S. investors appear to invest more money in cloud computing than their European counterparts, and the technology infrastructure for the foundational elements of cloud computing is not as mature in Europe as in the U.S. These impose practical challenges to the growth of the cloud computing infrastructure in Europe.

Differences in the U.S. and European legal environments potentially present an even bigger barrier. The 451 Group analysis also notes that the U.S. and Europe fundamentally differ in how they regulate data protection. As but one example: the U.S. Patriot Act emphasizes the government's ability to access information under certain circumstances, whereas the European Union Data Protection Directive emphasizes the rights of individuals to privacy and protection of their personal information. While these purposes do not necessarily conflict, they clearly are not aligned enough to claim any kind of consensus on how to handle data in a cloud environment.

C. Possible Solutions

We are nearing the time when cloud computing will become so fundamental to our use of technology that we need a set of legal principles, not just technical standards, that ensure broad access to data across international boundaries while also ensuring protection of intellectual property in a manner that promotes innovation and investment regardless of jurisdiction. Possibly the best model from which to start is the Berne Convention for the Protection of Literary and Artistic Works. Though the scope of adoption of the many clauses of the Convention has varied over the more than 100 years since its inception, the Berne Convention represents a broad consensus and acceptance of a core set of basic principles in copyright protection, which are largely consistent between the more than 160 signatory countries.

The same type of international discussion should focus on principles of validity and enforcement of open source agreements like the Affero GPL, as well as address appropriate measures for data portability while preserving data protection standards. The U.S., Europe and other jurisdictions should strive to reach at least a basic consensus on these issues in much less time than the 100+ years for the Berne Convention to reach its current level of maturity. The pace of change in cloud technology and our reliance on the cloud will face meaningful limits sooner rather than later. The growing international consensus on how to apply basic legal principles to open source in a consistent manner should serve as a model for achieving consensus over cloud issues.

Monday, March 22, 2010

OSBC 2010 - Highlights - Day 2

Day 2 of the 2010 OSBC again had several interesting sessions, including some insightful legal sessions.

A. Maximizing the Value of an Open Source Business

If you are looking for a nuts and bolts "how to" session on building an open source business from the ground up, this is the type of session you need to attend. Benchmark Capital's Rob Beardon made it through only half his presentation on "Tactics and Metrics for Scaling an Open Source Business" because of the volume of audience participation. Beardon, along with assistance from Zack Urlocker (former MySQL VP) and other open source veterans in the audience, sketched the following blueprint:

Guiding Principle: the value of an open source business is directly proportional to the size of the community and the company's ability to influence and monetize it.

Key Areas:

1. Foundation - every open source business must start with the following attributes to be successful:

  • Technology - must add value by solving a customer's problem
  • Community - must attract the best in the field with the promise of innovation and disruption
  • Business Model - choose between the "owner/builder" (innovation) and packager/distributor (commoditization) models

2. Tactics - position for rapid scalability with viral awareness, then generating adoption, THEN sales

3. Metrics - traditional metrics are not relevant. State of the art is to measure web traffic, customer acquisition percentage and lead nurturing tools

A successful open source business will be able to create a "closed loop demand management" workflow that fuels growth. It is important to note that this methodology is not much different than standard "Entrepreneur 101" tactics, but is highly tuned to the particular needs of an open source business with a goal of a liquidation event for its VC vendors.

B. Legal Matters in Open Source

I attended several legal sessions on Day 2 as well. I won't recount all the details of the discussions, but here are some of the most interesting points:

1. GPL Enforcement. Karen Sandler, General Counsel of the Software Freedom Law Center, gave a thorough review of common open source software license incompatibility. Of note was her helpful clarification on the requirements of the GPL (Sec. 3 of v2, Sec. 6 of v3). In particular, she confirmed that the common practice of including only a download link to source code is not enough to satisfy the "written offer" requirement of the GPL. However, she also emphasized that a download link might be enough for all practical purposes as long as it is relatively easy to find the source code. This is true at least for the SFLC, which is more interested in software freedom than litigation. This is likely a relief for many developers that try their best to comply, even when the details often elude them.

2. Best Practices. Virginia Tsai Badenhope of Big Fix provided some great pointers in her session on how to handle open source within an organization. Her comprehensive checklist consisted of 5 categories:

  • Inventory and assess usage of open source
  • Comply with terms of open source licenses
  • Implement an open source policy to whatever degree necessary to meet the business needs
  • Update outbound licenses to ensure they reflect the use of open source
  • Update inbound licenses to ensure suppliers make proper representations and warranties for open source

The details under each of these categories will vary depending on the company and particular circumstances, but it is critical to have a set of procedures in place to ensure nothing slips through the cracks.

3. Affero GPL. In his session on Open Source Litigation, Catalin Cosovanu from Wilson Sonsini primarily discussed litigation on enforcement of the GPLv2, but audience questions quickly transformed the discussion into the legalities of the Affero GPLv3. For example, the lack of definitive caselaw on the meaning of "distribution" under the traditional v2 means that the more comprehensive notion of "conveyance" under the v3 could trigger more legal claims and lead to more uncertainty, particularly in the Affero network context. The network terms of Affero also make the notion of "corresponding source code" more ambiguous, particularly in a cloud environment. Finally, even simple questions like "where should the written offer appear?" are not as simple in the Affero context.

Wednesday, April 8, 2009

Cloud Nitty Gritty

The cloud industry is in the process of defining itself. Experts are organizing seminars and presentations to discuss best practices for the cloud business. This is true for the legal industry too, but the legal issues commonly discussed for clouds are similar to the issues seen in connection with service bureau, outsourcing and software as a service initiatives: Privacy, Security, Ownership, Intellectual Property, Jurisdiction, Applicable Law, Service Levels, Export Compliance. While these issues present unique concerns in a cloud context and are worthy of significant discussion, I would like to focus on a less discussed issue: how open source might be implemented within a cloud computing context.

Two important questions come to mind: (1) When does distribution to a cloud trigger the viral source code disclosure obligations under the GPL?; and (2) What is subject to the viral source code disclosure obligations under the Affero GPL?

1. Distribution to the Cloud

Consider what would happen if a developer creates a proprietary application, incorporates code licensed under GPLv2, and distributes the combined application to a cloud provider. We can narrow the answers down to 3 possibilities: yes, no and maybe. I'm not trying to make a joke ... this circumstance is not well settled from a legal standpoint and each of these answers might be valid.

a. Yes - viral obligations should apply because code distributed to a third-party is a "distribution" for purposes of the GPLv2.

b. No - Using a cloud to host an application is no different than using a leased server to provide end users with access over a network or hiring a service provider to act in the same capacity as the developer itself. In such cases, the cloud provider is nothing more than an extension of the developer itself. While this conclusion makes logical sense, it's not clear whether the Free Software Foundation would agree with the end result.

c. Maybe - Because both the yes and no answers can be legally supported or refuted, it would help to clarify the legal treatment in some way. Because the cloud provider would be the only party with standing to demand source code in this case, one option might be for the cloud provider to add a clause to its service agreement stating that it will not require disclosure of source code for applications submitted for operation on the cloud. The Free Software Foundation and a significant portion of the free software community would likely object to a cloud operator's affirmative refusal to enforce the freedoms provided by the GPL.

I believe "Maybe" is likely the right answer because it makes the most sense from a practical perspective. Operation of GPL-licensed software on a leased server does not interfere with any of the freedoms that the Free Software Foundation intended to promote with the GPL. This argument is strongest when the developer's cloud code is an application that could just as easily be operated on the developer's own requirement. By contrast, the argument is weaker the more the developer's cloud code relies on the infrastructure provided by the cloud operator such as in a "platform as a service" model.

2. Scope of Affero GPL Coverage

While end user interaction with applications licensed under GPL and hosted on a cloud does not trigger any source code disclosure obligations, use of the Affero GPL code instead of GPL leads to a different result. Such end user interaction occurs over a network, which constitutes distribution for purposes of the GPL. Clearly, the developer application containing AGPL code would need to be available for disclosure on request in that case.

One of the advantages of the cloud for developers is that cloud providers offer much of the software and hardware infrastructure needed to run developer applications. Consider whether any aspects of the cloud code itself should also be subject to the AGPL's code disclosure requirement. The "Maybe" answer above likely applies here as well, but for different reasons. Cloud components that are integrated with developer applications such that the cloud component and developer application are deemed a derivative or a work based on the developer application would also be subject to the AGPL's viral source code disclosure obligation. This is similar to the type of GPL analysis we typically see in determining whether a derivative work is covered. Operating systems available on the cloud likely would not be at risk, but libraries and utilities essential to the operation of the developer application could be.

The emergence of cloud computing not only places the freedoms identified by the Free Software Foundation at risk, but it potentially undermines the ability of open source vendors to maintain a viable business strategy as their applications move to the cloud. In this context, it's clear why Fabrizio Capobianco, Funambol's CEO, is such an advocate for use of the AGPL instead of the GPL as new projects are rolled out ... not just for each open source vendor, but for the industry as a whole.