The decision to embrace open source software should be taken at Board level
Donal O'Connell
Managing Director of Chawton Innovation Services Ltd; 13PM Committee Chair on Trade Secrets & Know-How; Cerebral House
Open source software:
Open source software is software released under a copyright license that lets anyone use, copy, study, distribute and change it. The source code is openly shared, so that people are encouraged to improve the design of the software voluntarily, within the terms the author (an individual or an organization) has licensed.
This is in contrast to proprietary software, where the software is under restrictive copyright and the source code is usually hidden.
The IP ownership and sharing concept between a proprietary software license and an open source license is markedly different and nuanced.
Open source software does not just mean access to the source code. The distribution terms of open-source software must comply with the following criteria:
· There must be free redistribution.
· The program must include source code, and must allow distribution in source code as well as compiled form.
· The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.
· The license may restrict source code from being distributed in modified form only if the license allows the distribution of "patch files" with the source code for the purpose of modifying the program at build time.
· The license must not discriminate against any person or group of persons.
· The license must not restrict anyone from making use of the program in a specific field of endeavour.
· The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties.
· The license must not be specific to a product.
· The license must not place restrictions on other software that is distributed along with the licensed software.
· The license must be technology-neutral.
Embracing open source software:
Open source software is very attractive to many companies.
When an organization indicates that they have embraced open source software, it should be noted that there are several ways that this can be interpreted:
· Using open source applications (e.g. using LibreOffice, Picasa).
· Using open source code or libraries created by someone else in their own applications.
· Releasing something they have created (applications, libraries) as open source.
I would argue that the decision by any company to embrace open source software should not be taken by an individual software engineer, but rather by the Board of the company, as the decision to embrace open source software will almost certainly impact the value and risks of the company significantly.
Allow me to explain why.
The benefits associated with open source software:
There are a number of clear benefits when a company embraces open source software. These include:
Speed:
Open source software enables speed and provides business agility. One great advantage of open source software is this ability to take the community versions of the code to get started, and then quickly understand whether the software product or service created can solve the specific business problem you are trying to address. Open source software can help to deliver value very quickly.
Open source software may also enable a company to quickly test and experiment with emerging technologies to see whether it succeeds or fails, and then move on accordingly.
Cost effectiveness:
Open source software is generally much more cost-effective than a proprietary solution. In an enterprise environment, open source solutions are typically far less expensive to acquire (often with no purchase cost at all) for equivalent or superior capability, resulting in an almost immediate Return on Investment (ROI) and an end to the periodic recurring charges of proprietary software.
The longer one uses open source, the more one generally saves in terms of concrete efforts to maintain, fix bugs and add new features. The less a company spends on proprietary software, the more it can dedicate to other facets.
That said, a proper Total Cost of Ownership (TCO) exercise should be conducted regardless whether open source software or proprietary software is embraced.
Ability to start small:
With open source software, any company can start small and scale-up quickly using community versions of the code. The company can then migrate to a commercially-supported solution as the business matures if so required.
Security:
The open source community generally responds to information security problems faster, and more securely, than proprietary software vendors do. At least this is the case for open source software with good community involvement.
Because open source code is visible to a vast number of developers, bugs are more easily found and patched, and users can inspect the code they are using themselves; with proprietary software products, that inspection is most often limited to a small set of developers.
The power of the crowd:
Open source software allows a company to derive benefit not only from its own employees, or from the employees of a proprietary software vendor, but from the whole open source community.
The benefits to a company will be low, however, where no open source software project yet exists in the community or where there is no genuine community interest.
Flexibility:
Open source software provides flexibility, allowing users to add features freely and to reformat, refactor and redevelop their platforms however they see fit. Since open source software comes as an open book, it not only provides control but also gives the capability to develop better software that actually fits the product requirement.
The future:
Open source is the future or at least the trend is heavily in that direction. Web, mobile, IoT and cloud solutions are increasingly built predominantly on open source infrastructure. The current trend in digital technology is strongly dominated by Big Data, Cloud and Mobile applications. All these three are accelerating the next big wave of IoT by converging together and open source sits right in the thick of things.
Various global surveys like Oxford Economics and Gartner predict that three-quarters of global companies believe open source software will power their company’s cloud computing efforts in three years, while nearly two-thirds say open source will drive their Big Data initiatives in three years. More than half say open source is already supporting new products and services in their company and supporting cloud and IoT infrastructure.
One cannot deny the fact that open source is mainstream today with companies like Google, Facebook, Twitter, Amazon, Walmart, NYSE, Time Inc (and many more) plus government organizations like the White House, EU, UK Government, NASA, US DoD (and many more) being heavily dependent on open source. The open source era is well under way.
The risks associated with open source software:
However, there are also issues or risks associated with open source software which need to be properly managed and mitigated. Some of these risks include:
Loss of intellectual property assets:
Care is needed to avoid the viral effect of open source software licenses, whose terms can turn a company's proprietary software, once coupled with open source software, into open source software as well. Some widely used open source software licenses require contributors and distributors to automatically grant a license to their IP for use in the open source software world. All such licenses include a copyright license; some also include an explicit patent license. A company needs to take care where no explicit patent license is included, or where a patent license may be implied.
Infringing 3rd party IP:
Companies sometimes forget or are unaware that open source software is not an IP-free zone. Embracing open source software is not a free pass to infringe the IP rights of others. If any 3rd party IP is infringed, a company may end up suffering a financial and reputational loss, significantly and adversely affecting brand and shareholder value. Examples of companies that have suffered such losses include Cisco, Verizon, Westinghouse Digital and VMware.
Security risks:
Security vulnerabilities that come with certain open source software packages create data privacy and security risks for the company. This extends to proprietary software as well, since no software-producing company is untouched by open source software.
One such example is ‘Heartbleed’, a security bug disclosed in April 2014 in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client.
Operational risks:
Companies fail to realize that the greatest risk from open source software stems from its easy availability and free download from the internet, unless a robust compliance procedure is in place to track every software usage in the organization. Open source software assessments of companies have identified operational inadequacies, sometimes innocent and other times wilful in nature. These have included misstatements in open source license disclosures, unawareness of open source software versions, and manipulation of scanning tools, all of which may pose risks to the company.
Product launch delays:
Heavy adoption of open source not only benefits the consuming company through cost effectiveness but also acts as a catalyst for a faster development lifecycle. But companies fail to understand that open source adoption comes with different types of license obligation, which may carry techno-legal implications and in turn create an IP risk.
Discovering open source non-compliance late in the development lifecycle can create a great deal of rework, or even an injunction against the product's release, undermining the company's time-to-market strategy, which is a huge disadvantage from a business strategy perspective. To mitigate this, open source compliance plays a critical role in each and every release of the product before launch.
Licensing issues:
Open source software comes with licensing complications that the General Counsel or Legal Department of the company needs to be aware of. All open source licenses share a common fundamental principle of sharing and propagating software free of charge, and of encouraging and adopting collaboration. This is evident from the valuable pieces of software made available for free by communities and foundations such as UC Berkeley (BSD), MIT, Apache, FSF, and Mozilla.
However, the way each license permits use and distribution, through its permissions and restrictions, is governed by the particular philosophy of the organization behind it. This gives rise to a wide spectrum, ranging from "permissive" licenses (BSD, MIT) to "copyleft" or "restrictive" licenses (GPL), together with compatibility issues between them. While all open source licenses are copyrighted and legally owned by their authors, "permissive" licenses are geared towards "developer" freedom while "copyleft" licenses are designed for "user" freedom. This is the source of the nuances and complexities of licensing obligations, which need to be understood by the Legal Department in order to adopt open source in a compliant manner.
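As an added illustration of the permissive-to-copyleft spectrum described above, and of the version and license tracking that the Operational risks section calls for, the following policy check walks a dependency inventory and flags components needing legal review before a release. This is example code, not the author's or any project's; its policy buckets and sample inventory are constructed for demonstration.

```python
from dataclasses import dataclass

# Policy buckets are this example's own simplification; the SPDX identifiers are real.
PERMISSIVE = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

@dataclass
class Component:
    name: str
    version: str
    spdx: str        # licence identifier as declared in the component's metadata
    modified: bool   # True if the company changed the component's source

def classify(spdx: str) -> str:
    # Map a declared licence to a policy bucket; anything unrecognised is "unknown".
    if spdx in PERMISSIVE:
        return "permissive"
    if spdx in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx in STRONG_COPYLEFT:
        return "strong-copyleft"
    return "unknown"

def check_inventory(components, distributed: bool, network_service: bool):
    # distributed: the product ships to customers, which triggers copyleft obligations.
    # network_service: users interact over a network, which also triggers the AGPL.
    findings = []
    for c in components:
        cat = classify(c.spdx)
        agpl_triggered = network_service and c.spdx.startswith("AGPL")
        if cat == "unknown":
            findings.append((c.name, "undeclared or unrecognised licence; obligations cannot be assessed"))
        elif cat == "strong-copyleft" and (distributed or agpl_triggered):
            findings.append((c.name, "strong copyleft: combined proprietary code may have to be released as source"))
        elif cat == "weak-copyleft" and distributed and c.modified:
            findings.append((c.name, "modified weak-copyleft component: the modified source must be offered"))
    return findings

# Constructed inventory for demonstration; the names and versions are made up.
SAMPLE = [
    Component("fastjson-lite", "1.4.2", "MIT", False),
    Component("imgcodec", "0.9.0", "LGPL-2.1-only", True),
    Component("reportgen", "2.1.0", "GPL-3.0-only", False),
    Component("legacy-util", "0.1", "", False),
]

if __name__ == "__main__":
    for name, why in check_inventory(SAMPLE, distributed=True, network_service=False):
        print(f"{name}: {why}")
```

The same inventory produces different findings for an internal-only deployment than for a shipped product, which is exactly why the licence strategy has to be decided before development picks its components.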
Warranties & indemnities:
Non-compliance with open source software licenses may create risks under a company's own client or vendor contractual agreements with respect to warranties and indemnities, and may incur huge contractual damages.
Data privacy obligations:
Companies strive to meet the best standards in computer and network security. Any failure there may result in a breach of proprietary and personal data and intellectual property, leading to huge financial damage and damage to the brand value of the company. A data privacy breach results in breaches of contractual as well as strict statutory obligations (for example the EU data privacy regulations), so the company faces client/vendor lawsuits and class action or public lawsuits simultaneously.
According to reports, outdated and vulnerable versions of WordPress and Drupal, broadly used as Open Source Content Management Systems, were behind the Panama Papers breach.
Due diligence:
If the company is looking for investment, seeking a buyer or wanting to divest part of its business, it can expect any buyer or investor to conduct a due diligence exercise. Any proper and professional due diligence exercise will include an open source software risk and compliance examination.
A Board decision:
Building software from scratch has become a rarity in today's world, given the complexity and feature-richness now expected, the copious and easy availability of existing components, and the demands of real-time, rapid releases.
The big proprietary software firms have realised that as software becomes more and more complex, the only way to overcome this complexity is to bring together the brains from different organisations and parts of the world. The open source software model of "shared development" meets their need to time the market and stay ahead of the competition. The answer lies not in discarding open source software but in getting involved with strong open source communities and well supported projects.
The challenge facing many companies is how to optimize the use of the company's own technology assets while simultaneously utilising open source software. Areas of product or service differentiation are those where the company does not want others to implement the same functionality as it has or plans to have, or the layers "closely underneath" those specific areas. Areas of technology advantage are those where a company's software assets or IP portfolio are valuable, and where the relevant open source software licenses would, legally or in practice, dilute the company's position.
Neutral areas are those areas where use of open source has limited impact on a company's assets or that are non-differentiating considering the likely open source evolution among the current and likely future users of the asset.
Examining all of these issues should influence any decisions taken regarding if, when and how to embrace open source software.
For all of the reasons outlined above, it is imperative that the decision by a company to embrace open source software is taken at the Board level.
Donal O'Connell is the Managing Director of Chawton Innovation Services Ltd.
A special thanks to my colleagues Avi Biswas and Shuva Mitra for their contribution to this paper.
Chawton Innovation Services helps clients to understand and appreciate IP, and works to ensure IP adds value to the business.
Open source software risk and compliance management is one of the company's service offerings. More details are available on request.
Director, Source Code Control Limited
8 years ago
There is a broad spectrum of open source software licences, from permissive such as Apache 2.0 to more restrictive reciprocal or copyleft licences such as the GPL. Companies need to have an open source policy which defines their licence strategy, which will then enable development to understand what 3rd party components can be used when building applications. It is also important to understand that each component could carry a known security vulnerability which could be exploited. The impact of an exploit is a business issue. All software needs to be risk managed; open source is no different.