Who Has a Shaky Foundation?

The commercial software licensing business as we now know it started with the move from mainframe computers to affordable personal computers and has been around for at least 20 years. Similarly, open source licensing as we now know it arguably started with release of version 2 of the GPL just a few years later.

Even though these software license and distribution models have been in effect for roughly the same period of time, "conventional wisdom" (the Freakonomics definition) appears to be that the proprietary software license model is built on a solid legal foundation, while the open source model is filled with legal uncertainty. Recent developments on the legal front for both business models remind us that these stereotypes often do not hold true.

The open source community has had a recent string of recent "wins" giving it more credibility from a legal perspective. The continual flow of BusyBox cases, including the recent initiation of an action against Extreme Networks and settlement with Super Micro Computers, Inc., has shown that the GPL can be readily enforced, particularly in cases where GPL-covered code can easily be tracked and where the nature of the software requires the type of linking or integration that would create a derivative work or modification.

In addition, Red Had recently settled a patent dispute and showed that it is possible to successfully negotiate a patent license that protects the open source community as a whole. Both Red Hat's explanation of its strategy, and Mark Radcliffe's analysis of the license terms are fascinating reading for anyone who wants to see the gory legal details that go into making open source work for everyone.

By contrast, a recent case in U.S. Federal District Court in Seattle illustrates that the very foundation of the proprietary license model is still subject to uncertainty. In Vernor v. Autodesk, Autodesk found itself on the losing end of the court's interpretation of the "first sale doctrine," a principle in copyright law that permits purchasers of a copy of a copyrighted to distribute that copy without obtaining additional permission. Another implication of the first sale doctrine is that copyright holders cannot use license agreements to control distribution of copies of their work in perpetuity.

While this Autodesk case was decided in a district court, at least two U.S. Courts of Appeals have made similar rulings, and some others have yet to address the issue directly. The difference in opinion between the Circuit Courts has not been addressed by the U.S. Supreme Court. As another indication of the momentum behind this view, William Patry, Senior Copyright Counsel for Google and author of one of a highly respected legal treatise on copyright law, stated in response to the Vernor decision that to permit a license to circumvent the first sale doctrine "is an absurd position to me, and in such cases, federal courts should take a common sense view of the transaction in order to avoid abolition of the first sale doctrine".

The first sale doctrine is consistent with some of the basic principles of open source, but it does not provide the same level of freedom that copyleft and other open source licenses provide. As a result, the Vernor decision isn't likely to impact the open source model directly.

Instead, the important message here is that no matter how exciting the successes they enjoy or how dire the challenges they face, both the open source and proprietary software license business models as we know them today have solid legal foundations and will certainly survive.

Silicon Valley Cocktail Party Small Talk

Whether you scan the newspaper headlines once in a while as you pass the newsstand, or multitask with NPR in your headphones, New York Times RSS feeds to your laptop and CNN Headline News ported to your mobile phone via Slingbox, it's important to have a few interesting tidbits of recent information readily at hand if you happen to attend a cocktail party or other social gathering.

While the subject of open source software might not be the key to climbing the social ladder in many places, it would be a clear hit in Silicon Valley Extended (e.g., beyond the San Francisco Bay Area to include the Raleigh-Durham Research Triangle, Bangalore, India and other places that live and breath technology). With that in mind, here is a list of 5 important issues in open source that will likely continue to heat up over the coming months (in no particular order) and that are worthy of discussion with your tech colleagues:

1. Security of Open Source Software. When Fortify Software released its report on security in the open source software industry, it created an immediate reaction. Fortify noted that typical community open source development models and projects often do not incorporate the types of security safeguards that enterprises like to see. It was a critique of process more than security features of the software itself. While the underlying message was sound, it created an immediate reaction from (a) the open source development community, which took issue with the implication that open source software is not secure (in fact, a pillar of open source adoption has always been that it is more secure precisely because it is open and subject to constant testing), and (b) anyone else who wanted to spread fear, uncertainty and doubt ("FUD") about the open source industry. Commentators like Dana Blankenhorn recognized the overreaction by the media and others in their blog posts. Bottom line: While open source software processes are not always at the level of security typically employed by enterprises, the software itself is largely secure, and likely more secure than its proprietary counterparts.

2. Cloud Computing. Cloud computing is the availability and use of computing resources over a network when the actual machines used for processing tasks are not specifically identified ahead of time and are reassigned frequently. One fear for users of cloud computing (like Amazon's EC2 offering) is that the cloud will break and the one vendor that controls it will not be able to fix it. Even worse, user data will be stuck in the cloud. Classic vendor lock-in. As noted by the 451 Group, many believe that an open source cloud platform would reduce these risks and a number of alternatives to Amazon and the other big name cloud vendors. Bottom line: As in all other segments of the software industry, cloud computing vendors need to be aware of the disruptive capabilities of open source.

3. Mobile Infrastructure. Apple has been getting virutally all the buzz in the mobile market because of its release of iPhone 3G. While the closed nature of the iPhone's architecture has drawn heated criticism from the Free Software Foundation, it has gotten at least a temporary pass from the type of widespread critical commentary you might expect from others in the open source community. In parallel, the open source community is looking forward to LiMo and Android as the first true open source alternatives. Out of nowhere, Nokia's recent acquisition of the outstanding stake in the Symbian mobile operating system added even more strength to the mobile open source movement. In addition to the platform, we also have companies like Funambol, which has already brought a level of freedom to the mobile market that was previously unheard of. Bottom line: Open source will see rapid adoption in mobile, and they are just now getting their ducks in a row.

4. Virtualization. The recent emergence of virtualization technology presents a significant challenge to open source licensing. Virtualization enables the creation of software appliances, which combine software components into a finely tuned package. According to rPath, a one of the thought leaders in software appliances, virtualization can be used to combine operating systems, open source software and proprietary software into a single package without violating open source license obligations or subjecting proprietary code to copyleft. While the legal analysis is too new to have been well tested, it is easy to foresee scenarios in which virtualization is used to avoid they types of product interaction that would have been deemed a modification or derivative work of an open source work, and be subject to copyleft. Bottom line: The industry is just now starting to apply deeper levels of creativity in how virtualization is used, and the impact on all types of software license models, including open source, needs to be carefully considered on a case by case basis.

5. Standing to Sue in Open Source. From the open source perspective, one of the biggest limitations on enforcement of copyleft open source licenses is that the entire responsibility of enforcement falls on the copyright holder. If the copyright holder either doesn't want to pursue a license violation, or doesn't have the resources to do so, no one else can undertake that responsibility on behalf of the community. An enforcement mechanism that enables community members who lose access to source code that otherwise would have been available would solve this problem, but this would likely require a change to the copyright statutes themselves. Another option would be for the open source community to use its collective influence to urge copyright holders to either enforce their rights, or assign them for others to enforce. Bottom line: Nothing is likely to change any time soon on the legislative front, but a community body might be able to find alternative means of enforcement.

BONUS

6. Software/Platform as a Service. GPLv2 and v3 are extremely effective in applying copyleft to software distributed in the standard ways (through online download or on physical media). These licenses, however, have no effect on software used solely over a network connection without any distribution. The Affero GPL was created specifically to address SaaS and PaaS models by applying copyleft to software accessed over a network. The Affero GPL has seen modest adoption (125 projects, according to Palamida ), and Funambol CEO, Fabrizio Capobianco has been a fantastic advocate for the license including by adopting it for Funambol open source projects. Bottom line: With the growth of SaaS/PaaS, coupled with the growth of open source, more service providers will take a serious look at AGPL, which will likely increase adoption.

Please share your thoughts on the key trends in the technology industry that will impact the open source world.

GPL Enforcement, Frogs & Funny Hats

The GPL has become the most popular of open source licenses in large part because of its "copyleft" status. Not only does it virally attach to software code, but it automatically terminates if its source code distribution obligations are not honored. The severe consequences of breach, along with community pressure for compliance are strong deterrents to violations that would require enforcement measures. Even so, every open source company using GPL will be faced with GPL violations and must carefully consider both when enforcement is appropriate and what factors should be weighed as part of that decision.

To those open source companies that assume GPL enforcement is always the quickest, best strategy, I quote the great open source guru Homer J. Simpson: "you're living in a world of make-believe! With flowers and bells and leprechauns and magic frogs with funny little hats." Yes, it's true that enforcement serves a critical function. Not only does it prevent abuse of open source code on a case by case basis, but it also upholds the legitimacy of the GPL as a license vehicle and meets the community's expectations of its fellow members.

On the other hand, enforcement is not a panacea. The community might view inconsistent enforcement as arbitrary and self-serving, or it might have different views on what a company's enforcement priorities should be. In addition, enforcement actions might actually slow the adoption of open source in proprietary companies. A great recent example of this type of unintended consequence is the discussion arising from the recent string of settlements related to the Busybox GPL enforcement cases. Though widely criticized by a number of open source commentators, intellectual property attorney Edmund Walsh wrote an article in which he analyzed these cases and concluded that "for-profit companies [have] new reasons to re-evaluate the ways in which they use open source software as well as the extent to which they use it."

Open source companies should also consider strategic non-enforcement as an option, or take a further step and grant limited exceptions to open source licensing (assuming the company controls adequate IP rights). Among the benefits of these approaches is the ability to encourage specific types of partner and end user activities that would have been difficult to otherwise achieve without radically altering a dual license strategy. However, these approaches should be used with caution because they can easily backfire. The community might view this type of manipulation of open source strategy as counter to open source philosophy. It also could lead to end users using the software in unanticipated ways that negate the perceived or realized benefits of the approaches.

The moral of the story is ... as you consider your options with respect to enforcing the inevitable GPL violations that all open source companies face, avoid the frogs with funny little hats!

Speak to the Government in Language it Understands

Last week Matt Asay explored the downside of governments legislating open source use, and the theme was extended by Dana Blankenhorn who pointed out that the migration to open source must be evolutionary rather than something stipulated to occur at a point in time. Matt went further this week by highlighting the EU's recent message to its member countries urging them to use more open source, with the very astute observation that the tactics of advocacy and persuasion are likely to be more effective than legislation. The time is right to explore strategies for accelerated government adoption of open source.

In essence, the debate on how best to accelerate government adoption of open source has boiled down to whether to dictate use through legislation, or persuade governments through the same grass roots persuasion used for years by the open source community. In my opinion, we should not discount the value of the right kind of legislation, which can accentuate the positive aspects of the types of community persuasion that have been so effective. An ideal approach would be to create legislation that encourages the government to make procurement decisions based on criteria indicative of high-quality open source products and projects.

To explain what I mean, think of Section 508. Section 508 is a US federal law requiring government agencies to consider accessibility factors when purchasing IT products. Federal procurement rules implementing the law provide more details on the specific types of factors to be considered. In short, the government is not permitted to purchase software or hardware that does not meet its minimum accessibility standards (such as for use by blind or motion impaired workers or members of the public who access government information) unless choosing a fully accessible product over a less accessible product would create an undue burden.

Applying this idea to open source, we should start by identifying the procurement criteria that are the most advantageous to open source products and projects. Lower cost is clearly a primary factor for enterprises in determining when to convert from proprietary to open source. After a recent tour of several Fortune 100 comanies, Zack Urlocker of Sun/MySQL noted that the current weakness in the economy appears to be enhancing the effectiveness of the "cost savings" sales pitch.

While the same economic benefits will be attractive to governments, the unique nature of government services means that other factors will be at least as important if not moreso. Fortunately, the conventional wisdom is that the open source development model, as compared to the standard proprietary model, results in quicker development times, higher-quality features, features more relevant to end users, better scalability, more customizable products and more secure products (which is particularly important to agencies like the US Department of Defense). This is something that open source companies already do in their data sheets, white papers and savings calculators to convince commercial customers that purchasing open source is a good idea.

In order to make this kind of legislation happen, the open source community would have to muster its resources and undertake a significant lobbying effort. Even if it's not successful in creating new procurement rules or legislation, this type of unified effort would possibly be the best marketing campaign in the history of open source. In any case, an emphasis on the right kind of legislation could accelerate the typical grass roots marketing efforts and sales pitches.

Governments Dive Into Open Source: How Deep is the Pool?

Over the last few years we have seen a steady wave of news stories, blog postings and seminars have been telling us that the government is making a big splash by making open source IT solutions a priority. No doubt the rising tide of open open source will reach government just as it is reaching the rest of the software industry ... as Mark Radcliffe put it, open source is the Borg and resistance is futile! Even so, constituents have felt few drops from the splash that open source software has made, particularly here in Silicon Valley where it might be expected to be more prevalent. Consider this:

• Municipal/City Government - I live in San Jose, California, a city that proclaims itself the “Capital of Silicon Valley”, is home to some of the world’s largest technology companies, and host to an innovative festival combining technology and the arts. These high-tech credentials have not translated into adoption open source. In fact, the city rejected a 2008 proposal to ease budget pressures through the adopting lower cost open source software on the grounds that it would have limited impact and was inconsistent with other strategies.

• County Government - As far as I can tell, Santa Clara County, which includes the City of San Jose, has not adopted or even significantly considered the adoption of open source software on any meaningful scale.

• State Government - California, to its credit, is one of several states that seems to have made the adoption of open source a priority. Not only did the State formally authorize a search for open source replacements to proprietary software but, as Matt Asay has highlighted, the CIO for the California Air Resources Board has encouraged his staff to use open source software in any way possible. Other states have even gone so far as to propose legislation requiring the consideration of open source alternatives in any IT procurement.

• Federal/National Government - The US Federal Government has seen a steady increase the use of open source over the last several years, and this has been a regular topic of discussion by open source commentators such as open source commentators. The Department of Defense in particular has invested a great amount of resources into open source and has made significant efforts to reach out to the open source community.

• Regional/Continental Government - The open source movement has touched even higher levels of government. As the most prominent example, the European Union is probably the single biggest adopter of open source, with a pipeline of open source priorities that will likely keep the EU ahead of the curve for years to come.

These anecdotes are just a sampling of the type of news constantly swirling about government adoption of open source. While open source almost certainly is being utilized in critical government infrastructure and other ways that are not readily discernable to people other than IT administrators, all levels of government can do more to grab the wave of unique value that open source software provides and apply it in ways that better serve its constituents. Some governmental bodies, such as the EU and its member states, seem to have jumped into the deep end of the pool. (Matthew Aslett at the 451 Group recently embarked on an open source tour of Europe that has resulting in intriguing insights on the status of open source in Europe as a whole as well as specific countries including Austria, Switzerland, Romania and Russia.) In the meantime, governmental entities here in Silicon Valley continue to splash in the kiddie pool, or choose not to get wet at all. With some prominent exceptions of specific agencies that are clearly in the "deep end", the federal government and various states are wading in deeper pool waters, but no further than their feet can touch.

In my next post, I'll discuss some thoughts on a framework for government open source adoption that avoids the pitfalls of mandating it through legislation.

Relationships Matter

After a couple of postings focused on the state of the open source business, I would like to pick up the theme of earlier postings concerning fundamental legal considerations for open source businesses.

Good businesses are built on good relationships ... relationships with customers, partners, and employees. Open source companies have another important relationship to consider ... the community. In the spirit of the old adage "good fences make good neighbors," contracts, instead of wood or brick, help keep good relationships from going bad. While contracts are well accepted in customer, partner and employee relationships, they are not as effective in a community relationship. Whether through contracts or other means, open source companies must address the unique demands they face in balancing their profit motives with open source ideals.

The most fundamental of all business relationships is between vendor and customer, and standardized contracts are a well-accepted means of describing the expectations of these parties. While the commercial contracts of open source companies are generally the same as for proprietary companies, certain virtues of the open source development model allow open source companies to sidestep or minimize the many traditional commercial software contract clauses. For example, the availability of free software before purchase often makes customers less worried about issues like evaluation licenses, performance and ownership warranties, broad indemnification rights, and licensor liability obligations.

Partner relationships of all sorts (marketing, distribution, inbound licensing, joint development, etc.) also are commonplace in the open source business and typically addressed through standardized contracts. Because partners, like customers, can get the value of open source software without paying for it, open source companies must present additional value (such as marketing or referral benefits) compelling enough to entice partners to enter into agreements that provide adequate protection. Specific clauses might include prohibitions on forking the code or creating an unauthorized solution, or an obligation that a partner's solution must always be available under an open source license.

Employees are the most important assets of any technology business. As a result, employment agreements, related agreements governing ownership of inventions created by employees, and confidentiality agreements are regularly used. The traditional templates for these types of agreements are, however, at odds with the open source ideals of community participation because employees of open source companies are also members of the community. As a result, open source companies must challenge themselves to rethink the traditional scope of employer ownership rights and level of oversight in employee participation in outside projects and implement appropriate legal agreements and company policies. This type of flexible approach also has the benefit of being a great tool for recruiting potential employees from the community.

A community relationship is different than the other relationships above in that an open source company can't rely on a contract to set expectations ... the community has no single point of contact that can enter into contracts, and the relationship is based on a constantly evolving application of open source principles as well as trust established over time. However, a company's contributor agreement, the one important community-oriented legal agreement, should reflect community ideals such as by granting contributors joint ownership or broad usage right in contributed code. The community also looks to a company's position on patents as an indication of open source friendliness so a carefully considered patent policy is important see my previous post on patents for more on that). In general, open source companies need to establish a clear business strategy that incorporates open source principles, and be able to clearly and tactfully articulate why the community should accept a particular business decision even when it might conflict with open source ideals. Decisions as to when and how to enforce violations of open source licenses, or when to introduce closed source code into an open source solution are among of the most difficult for the community to accept, but a strong community relationship will help.

Each of these 4 relationships are vital to the success of an open source business. While contracts can play a primary role in open source companies and their customers, partners and employees being "good neighbors," the community relationship, by its very nature, is less predictable and requires trust along with the proper balance between sincerity in honoring open source principles and conviction on business strategies that might be seen as contradicting open source values.

Countdown - Open Source Style

I am a big fan of top 10 lists... particularly humorous ones a la David Letterman. While I can't claim that any of the top 10 list below is humorous, it does paint an interesting picture on the status of open source in the top 10 companies (by market cap) in the Software Application Industry (Technology Sector) of the stock market.

These 10 companies represent over 96% of the market capitalization in the Software Application category. At the end of each entry, I give the company a (purely subjective) grade reflective of its efforts, commitment and contributions to the open source community.

So, here we go...

10. Sybase ($2.7B) - Database Management, Information Management and Business Intelligence Software. Sybase appears to have made at least a minimal effort to embrace open source. It even has an OSI approved license (the Sybase Open Watcom Public License). More important is how many of Sybase's competitors have serious open source credentials ... MySQL/Sun, Pentaho, JasperSoft, GreenPlum. Grade - D.

9. Nuance Communications ($4.1B) - Speech and Imaging Solutions Software. A search for "open source" on the company website results in 0 hits. Enough said. Unfortunately, there are no open source options. Grade - F.

8. Red Hat ($4.2B) - Linux and JBoss Provider. Red Hat, as we all know, is one of the premiere examples of open source software industry success. Enough said. Other Linux providers exist, as do other OS providers, but Red Hat is the go-to open source vendor. Grade - A.

7. BMC Software ($7B) - Enterprise Management Including Application & Database Management. As with Nuance, a search for "open source" on the company website results in 0 hits. However, BMC has a developer network with various, small-scale open source projects. Grade - D.

6. Intuit ($9B) - Personal Finance, Small Business and Tax Software. Intuit does not appear to have any significant involvement in open source and this probably is not the type of software that has attracted a developer community to create open source alternatives. Grade - F.

5. CA ($12.3B) - IT Management Software. To my surprise, this 30+ year old company has embraced open source in a significant way. For example, CA has supported the open source industry's patent pledge for several of its patents. Grade - C.

4. Adobe Systems ($21.6B) - Creative, Knowledge Worker and Enterprise Software Applications. Facing the commoditization of it biggest revenue generating applications (Photoshop and Acrobat), Adobe has taken the initial steps it needs to diversify its business into open source in a significant way. Grade - C+.

3. SAP. ($60.1B) - Business Operations. SAP has dabbled in the open source world, partnering with MySQL on database technology. Overall, however, SAP hasn't made many significant contributions to the open source community. Grade - D.

2. Oracle ($111B). Database, Middleware and Enterprise Management. Oracle might be described as the Jeckyll and Hyde of open source. While it distributes several open source applications (such as Sleepycat and Innobase), it also actively challenges other open source providers (such as with Unbreakable Linux) and would likely acquire competing open source companies to eliminate a business model that threatens its own. This duality makes it hard to settle on a grade. Grade - C-.

... drum roll ...

1. Microsoft ($277B). It's no surprise that Microsoft is in the number one spot (even on Letterman the #1 is always anticlimactic). In spite of making substantial contributions of code as open source, Microsoft is the big bad wolf of open source for good reason... among other things, it has a very proprietary stance on patent licensing for open source projects. Grade - D.

Some other companies that didn't make the list due to technicalities are:

• Google ($178B) - would be the clear number 2 if it were in the "Software Application" category. Google would receive a B for OS Effort (knocked down from A because of its deceptively not open Android platform and other calculating open source strategies).
• Sun Microsystems ($10.2) - would be at number 6 if it were in the "Software Application" category (though its software business is probably valued at closer to $4B, which would drop it a few spots on the list). Sun would definitely receive an A for OS Effort as the largest open source software provider.
• Still other companies like HP and IBM have been long-time contributors to the open source movement, but are not reflected here.

I find it very interesting to note that of these top 10, only 1 got a grade better than C. In addition, one estimate of the total value of the open source industry ($60B) would place the entire industry at only number 3 on the list (though without an objective market cap value, it's hard to draw many conclusions from this).

On the other hand, if we add Sun and Google (two of the top open source contributors) we come closer to a critical mass of open source presence on the list, and lest we forget that numerous open source companies with no market cap at all (because they aren't listed on a stock index) are providing strong, competitive alternatives to the software and solutions provided by the companies on the list.

What can we conclude from all this? First and foremost, we can safely conclude that I am not a mathematician, statistician, or financial analyst, as evidenced by my loose use of numbers and grading to make my point.

More important, even a pessimist would have to say that the presence of a company like Red Hat on the list means open source is making significant inroads into the traditional software industry. The amount of innovation and competition presented by companies not yet public or too small to make the list yet indicates that the trend is strongly pointing towards greater adoption of open source. It might be only a handful of years before all of the top 10 companies on this list receive A's and B's.