Four sources of Open Source compliance risk
There are four directions from which you may get into legal trouble when you're not fulfilling Open Source license obligations:
The obvious source is authors, i.e. copyright holders. In practice, that case isn't very prominent, apart from the occasional copyright troll, because software developers like to talk about licenses on web forums, but aren't terribly interested in actually engaging with the legal system.
The big source in practice is customers. While it used to be that most customers were pretty laissez-faire in their contractual work regarding Open Source software contained in the products they buy, and even less interested in actually auditing it, at least the big companies have professionalized Open Source license compliance tremendously, building half-automated workflows, defining strict (and sometimes burdensome) requirements in contracts, and dragging their whole supply chain along with them. The current SBOM (software bill of materials) implementation phase is also contributing to that.
Surprisingly to me, competitors are out of the picture in practice. While an unfair-business-practices claim is at least a colorable argument when your competitor spends time, energy and money on compliance work but you don't, there don't seem to be any lawsuits about it, at least in Germany.
I think the common argument in the form of "I don't hurt you, so you don't hurt me" isn't really an explanation, because it would also cover patent litigation. And that happens all the time.
The really interesting, but still speculative, source is users. The Software Freedom Conservancy has now advanced the third-party beneficiary doctrine both in America (the Vizio case) and in Germany (the AVM case, although only incidentally), claiming that the telos of the GNU General Public License is to empower users and to give rights to them, not only to the software developers. Traditionally, that view was ruled out, because users generally aren't considered to get rights from Open Source licenses. That's a bit weird, though, given the founding philosophy of the Free Software movement, which puts users first.
If that goes through, and it looks like it might in America (the German case was settled without addressing that doctrinal issue), the consequences would be momentous. Since it's usually pretty simple to contrive yourself into a contractual (license) relationship, you just buy the product, suddenly "users" means everybody.
That means that the activist who despises proprietary software suddenly has standing to sue you, as does the ex-customer who feels wronged, or anyone upset about your recent viral social media post.