Open Source Cloud Authors: Liz McMillan, Elizabeth White, Mehdi Daoudi, Jason Bloomberg, Yeshim Deniz

Related Topics: Open Source Cloud, Java IoT, Microservices Expo, Containers Expo Blog

Open Source Cloud: Article

Buying Proprietary Software?

Protect your organization from open source surprises

Open source software has probably been the biggest driver of complex software solutions in the last decade. Access to a large variety of quality, peer-reviewed software has accelerated product development, reduced product introduction intervals and lowered the costs for producers of software and for those of us who leverage third-party software in our projects.

Many of us have heard about the trouble that organizations have come across when using open source improperly... remember Cisco/Linksys, Katzer, and the BusyBox chronicles? You may think that your organization is safe because you are buying proprietary software. However, if your software supplier unknowingly incorporated open source into its product, your organization may face unexpected legal and financial consequences arising from open source licensing obligations and the resulting intellectual property infringement claims. The good news is that there are various tools available at your disposal that can assist your organization in protecting itself from such open source surprises, such as contractual measures such as representations and warranties and indemnities; and extra-contractual tools such as software audits and a structured Open Source Software Adoption Process (OSSAP).

Some Basics About Commercial Contracts Relevant to Software Purchases
Commercial contracts include various provisions that protect and allocate risk among buying and selling parties. Among the most important are representations and warranties ("reps and warranties") and indemnities. Reps and warranties are assurances made by one party that are intended to provide certainty to the other party that relies on them. For example, a hypothetical software company ("Softco Supplier") may represent and warrant that it owns all of the intellectual property rights in the software it sells. If Softco Supplier does not in fact own all of the intellectual property rights in the software, the buyer ("Softco Buyer") has a right to claim damages for Softco Supplier's misrepresentation.

However, in many instances it is impossible for contracting parties to fully guarantee the accuracy of a statement. In these cases, parties opt to provide reps and warranties that are qualified by the knowledge of the party providing them. These types of reps and warranties can be problematic from the perspective of the party that seeks to rely on them. We will return to this in the following section, which specifically deals with the application of reps and warranties, and indemnities to open source.

Indemnities provide security against losses that are triggered by the occurrence of contractually specified events. Unlike reps and warranties, recovery from indemnities is not contingent upon whether a misrepresentation was made. In our example, if Softco Supplier (the "indemnitor") indemnifies Softco Buyer (the "indemnitee") for any intellectual property infringement claims against the software being sold, then in the event that such claims arise, Softco Supplier is obligated to compensate Softco Buyer for its losses.

Reps and Warranties vs. Indemnities in an Open Source World
In the software procurement context, it's important for buyers to determine whether open source code is incorporated into the software that is being purchased. The primary reason for this is that open source license obligations are binding. Failure to comply could have a diminishing impact on software value, as some open source cannot be mixed into products that have trade secret value. In addition, if a buyer purchases software without the knowledge that it includes open source, the buyer runs the risk of commercializing the product in a manner that violates the license that covers the open source code. This can leave the buyer exposed to costly intellectual property infringement claims.

The recent focus on open source reps and warranties and indemnification is linked to the growing instances of intellectual property infringement claims involving open source software. As courts in the United States, Germany and elsewhere have acknowledged the enforceability of open source licenses, notable violators have succumbed to costly settlements, and enforcement organizations such as the Free Software Foundation have become more aggressive in launching suits.

Because of the immense financial and legal implications of intellectual property infringement suits, a software buyer will often require its supplier to represent and warrant that the software being purchased does not contain any open source code. If open source is later discovered in the software, the buyer is entitled to seek damages from the supplier for the breach of the representation. However, as mentioned earlier, it's often difficult for contracting parties to fully attest to the accuracy of a representation. This situation arises in instances in which the contracting party experiences knowledge gaps. In these cases, a contracting party will seek to limit its liability by narrowing the representation to apply to the knowledge that it possesses. Taking our earlier example, if Softco Supplier had acquired code from a third party, or engaged in outsourcing of programming, it may not be positioned to fully attest to the fact that the software it sells does not contain any open source. As a result, Softco Supplier will represent and warrant that ‘to the best of its knowledge, open source is not incorporated into the product.' In this case, Softco Buyer is only entitled to damages if it can show that Softco Supplier knew that its representation was untrue at the time that it was made. If this fact cannot be established, Softco Buyer is left without a remedy for any losses arising from Softco Supplier's misrepresentation.

Unlike reps and warranties, recovery from indemnities is not contingent upon whether a misrepresentation was made. Thus, if Softco Supplier indemnified Softco Buyer for open source infringement claims against the software, Softco Supplier would be obligated to fully cover the losses arising out of any such claims. In this case, it would be irrelevant whether Softco Supplier had knowledge of the presence of open source, as liability is triggered by the occurrence of the contractually specified event (the presence of open source) rather than the misrepresentation made by Softco Supplier.

Buyer's Duty
Another important distinction between reps and warranties and indemnities in our example is in relation to the duty imposed on Softco Buyer to mitigate its own loss. Common law imposes a requirement on parties relying on reps and warranties to take action to mitigate their own losses. In the context of open source reps and warranties, once a software buyer becomes aware that open source is embedded in the software, the buyer must take action to minimize its loss, for example by immediately replacing the code, or making the code freely available. In contrast, there is no parallel requirement for the beneficiaries of indemnities to mitigate their own losses.

Software Audit Can Minimize Exposure
Although open source reps and warranties and indemnities can provide software purchasers with remedies for losses arising from intellectual property infringement suits, they cannot shelter the buyer from being sued in the first place, or from experiencing the loss of goodwill in relation to litigation. As a result, reps and warranties and indemnities should not be regarded as due diligence replacements. Rather than taking the risk of open source surprises, software purchasers can engage resources (internal or external) that have the ability to analyze software to determine the presence of open source prior to executing the purchase.

A software audit entails code scanning aimed at detecting third-party and open source code. After the scanning stage, the purchaser is provided with an audit report detailing the identified code and associated license obligations. Performing such audits at the pre-purchase stage allows the buyer to understand whether the license obligations of the open source code are in line with the intellectual property policies of its organization, and if not, then the buyer is positioned to request the supplier to replace the code in question, or to engage an alternate supplier.

Software Audit in the Supply Chain
One of the contexts in which software audits are particularly beneficial is in the supply chain. Shortly after Cisco acquired Linksys in 2003, it was faced with an infringement suit relating to the use of GPL covered code in its router firmware. It turned out that the infringing chipset was provided to Linksys by Broadcom, which in turn outsourced the development to a third party. As a part of the settlement that was reached, Cisco was forced to make the infringing source code freely available on its website, appoint an open source compliance officer, and make a monetary contribution to the Free Software Foundation. As the Cisco case suggests, software audits can be a helpful tool at the pre-purchase stage when dealing with a supply chain context in which the immediate supplier has little control or knowledge over the code pedigree of the final product.

Review of Available Contractual Tools
Software purchasers have contractual tools (reps and warranties, and indemnities) at their disposal to protect their organizations from open source liabilities; however, it is important to remember that not all tools provide equal protection. While reps and warranties can provide the buyer with a remedy against misrepresentation, in instances where these assurances are qualified by the knowledge of the supplier, the buyer may be left without recourse. From this perspective, indemnities offer increased protection to software purchasers concerned about intellectual property infringement claims in relation to the use of open source.

Open source indemnities are also beneficial in comparison with reps and warranties, as they do not impose an obligation upon the party relying on them to take any action to minimize their own losses in the event of a breach.

Although open source reps and warranties and indemnities can provide software purchasers with means of recovery from intellectual property infringement claims, these contractual measures provide for an imperfect after-the-fact solution to a problem that lends itself well to management practices that would reduce the risk in the first place. Structured open source license management practices and software audits aimed at identifying third-party and open source code and ensuring open source compliance provide an optimal level of protection. These tools provide certainty regarding code pedigree, and enable software purchasers to avoid the negative consequences arising from intellectual property infringement suits.

More Stories By Diana Marina Cooper

Diana Marina Cooper obtained a BA in Politics and Governance and a MA in Globalization Studies. She is currently a JD Candidate (2013), and is pursuing a concentration in Law and Technology. Follow Diana @Diana_M_Cooper

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

@ThingsExpo Stories
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
As IoT continues to increase momentum, so does the associated risk. Secure Device Lifecycle Management (DLM) is ranked as one of the most important technology areas of IoT. Driving this trend is the realization that secure support for IoT devices provides companies the ability to deliver high-quality, reliable, secure offerings faster, create new revenue streams, and reduce support costs, all while building a competitive advantage in their markets. In this session, we will use customer use cases...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of bus...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, @CloudEXPO and DXWorldEXPO are two of the most important technology events of the year. Since its launch over eight years ago, @CloudEXPO and DXWorldEXPO have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, we provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading...
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
DXWorldEXPO LLC announced today that "Miami Blockchain Event by FinTechEXPO" has announced that its Call for Papers is now open. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Financial enterprises in New York City, London, Singapore, and other world financial capitals are embracing a new generation of smart, automated FinTech that eliminates many cumbersome, slow, and expe...
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
DXWorldEXPO LLC announced today that ICOHOLDER named "Media Sponsor" of Miami Blockchain Event by FinTechEXPO. ICOHOLDER give you detailed information and help the community to invest in the trusty projects. Miami Blockchain Event by FinTechEXPO has opened its Call for Papers. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Miami Blockchain Event by FinTechEXPO also offers s...
With tough new regulations coming to Europe on data privacy in May 2018, Calligo will explain why in reality the effect is global and transforms how you consider critical data. EU GDPR fundamentally rewrites the rules for cloud, Big Data and IoT. In his session at 21st Cloud Expo, Adam Ryan, Vice President and General Manager EMEA at Calligo, examined the regulations and provided insight on how it affects technology, challenges the established rules and will usher in new levels of diligence arou...
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
Cloud Expo | DXWorld Expo have announced the conference tracks for Cloud Expo 2018. Cloud Expo will be held June 5-7, 2018, at the Javits Center in New York City, and November 6-8, 2018, at the Santa Clara Convention Center, Santa Clara, CA. Digital Transformation (DX) is a major focus with the introduction of DX Expo within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive ov...