Slashdot Mirror


Some Linux Users Violate Sarbanes-Oxley

Goyuix writes "According to the IT Observer, publicly owned companies who are using Linux could be violating the federal securities laws as part of Sarbanes-Oxley. The article goes on to say that companies are required to "disclose ownership of intellectual property to their shareholders." How are these companies supposed to really list out all the IP owners if they were to install a full desktop or server environment - there could be literally thousands of parties listed! What are the current Fortune 500 companies doing, as many of those use Linux in one form or another?"

Update: several people have pointed out that this is about companies who are violating the GPL, not everyone.

21 of 233 comments

  1. Not just Linux by balster+neb · · Score: 4, Insightful

    It appears that this would apply to any free software, not just Linux. It would apply to at least all GPL'd software, including gcc, etc.

    1. Re:Not just Linux by tobiathan · · Score: 3, Interesting

      As one who has had the sad misfortune of suffering through a few SOX audits, it is more about how the auditors choose to interpret and apply the regulations, and less about the regulations themselves.

      There is also the argument about what constitutes a "material" defect or weakness. Unless someone is running the backbone of their financial system on Linux or other sw covered under GPL, this is probably not relevant as it would not be considered material to the integrity of their financial data.

    2. Re:Not just Linux by Hal_Porter · · Score: 5, Funny

      As a certified Internet Lawyer I can advise you that it doesn't apply to FreeBSD. That's right, use Linux and go to a federal pound me in the ass prison, or use FreeBSD and stay, well, Free.

      Hence the name.

      Here's an Operating System fud^H^H^Hfact sheet

      1) Windows. Expensive. Not FreeBSD. You may BURN in HELL forever if you use it.
      2) Linux. Free Unix type OS, unquantifiable risk of prison rape. No strlcat.
      3) NetBSD. Let's face it do you really need all those platforms? Why not concentrate on optimising for today's mainstream hardware. My friend Bob installed it on his new box, and it caught fire and burned down his house.
      4) OpenBSD. Kick ass security. Theo seems a bit odd. Lags a bit feature and driver wise. There are reports that OpenBSD users may die of untreatable brain cancer.
      5) MacOs. Slick. Good for clients. Expensive. You may have to grow a goatee, wear black polo necks. Mac OS users won't accept you as one of them, they will mock your dress sense behind your back.

      Face it, FreeBSD is the best choice for every person in the world. Fact.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    3. Re:Not just Linux by Marillion · · Score: 4, Informative
      The article is really focused on GPL violators.

      This really seems to apply to companies that incorporate Linux into a product. Well known examples include Tivo and the Linksys WRT54G (v4 and below). In such a case, Linux is an important part of those companies' product portfolio and thus an important factor in assessing the tangible and intangible worth of that company. For the companies that only use Linux in operational capacities, it wouldn't have any impact unless SCO wins. (yea, right)

      Put another way: ownership of a patent on a hammer is important for a tool maker, but not for the construction company that uses it.

      --
      This is a boring sig
  2. Ownership != utilization by SIGALRM · · Score: 4, Insightful
    companies are required to "disclose ownership of intellectual property to their shareholders." How are these companies supposed to really list out all the IP owners if they were to install a full desktop or server environment - there could be literally thousands of parties listed!
    There's a big difference between ownership and utilization. For example, if McDonalds employs the use of WinXP workstations in their facilities, that does not mean that they own, but instead license Microsoft's IP.
    --
    Sigs cause cancer.
    1. Re:Ownership != utilization by bedroll · · Score: 5, Interesting
      There's a big difference between ownership and utilization. For example, if McDonalds employs the use of WinXP workstations in their facilities, that does not mean that they own, but instead license Microsoft's IP.

      I completely agree. Just to expand on that, it should also be noted that the GPL does not transfer ownership of IP unto you, it merely gives you license to modify and reuse it. A company would then have to disclose their IP after they changed that code.

      Reading the article, it appears that the author is a little confused. The second sentence talks about violating the GPL. You don't violate the GPL by simply using Linux. So maybe the real issue is with companies that release GPLed software without proper attribution and GPL compliance, but that's not the way the article reads.

  3. explain to me again by blackcoot · · Score: 3, Insightful

    how exactly using linux in violation of the gpl is a violation of sarbanes oxley? the article does an awful lot of handwaving but doesn't actually explain any of the hows or whys.

    i'll have to read again, but it looks like this is f/oss trying its hand at the fud game.

  4. GPL violators are at risk by crumley · · Score: 5, Informative
    The synopsis above is misleading. It is GPL violators, not simply GPL users, who are at risk. From the article:
    "Linux is a powerful operating system," says Jay Michaelson, an author of the study and Wasabi Systems' General Counsel. "But if companies violate the license, the consequences can be more severe than they think. If companies are violating the GPL, they don't have the right to use that software. And if they don't have the right to use the software, they're violating federal law if they claim that they do."
    --
    Preventive War is like committing suicide for fear of death. - Otto Von Bismarck
  5. What article did the OP read? by mattbelcher · · Score: 4, Informative

    Did the OP even read the article he submitted? It says that if a company violates the GPL, that this might also be a violation of Sarbanes-Oxley if they claim that they still have a right to use Linux despite the GPL violation. There is nothing about listing the IP holders. On an aside, I didn't think there was any violation to the GPL that could stop you from being able to use Linux. A GPL violation would make you lose your right to distribute it, right?

    --

    Shockwave Flash movies are the greatest thing to happen to non-sequitur humor since Japan.

    1. Re:What article did the OP read? by Hope+Thelps · · Score: 4, Informative
      There is nothing about listing the IP holders.

      Yes there is. The article says:
      According to the study, the problem lies with the requirements of the Sarbanes-Oxley Act that companies disclose ownership of intellectual property to their shareholders.

      It does go on to say:
      The study indicates that dozens of companies are discovered each year to have violated the terms of GPL, and if they are public companies, they are violating Sarbanes-Oxley.

      But that doesn't negate the first statement and the article never explains the connection between the two statements.
      --
      To summarise the summary of the summary: people are a problem. ~ h2g2
  6. What are the Fortune 500 doing? by Syberghost · · Score: 3, Insightful

    We're using Linux and treating it just like we do Solaris, HP-UX, and Windows, where we also can't identify everybody who wrote the OS.

    The auditors don't seem to be having a problem with it. Wonder how much Microsoft paid IT Observer for that FUD?

  7. Article Title Misleading by hattig · · Score: 5, Informative

    Instead of "Might Linux Violate Sarbanes-Oxley?" which it doesn't, it should be "Non-compliance to terms of GPL might violate Sarbanes-Oxley".

    Which makes sense.

    I.e., if you claim to have the right to use Linux for your product, but you aren't complying with the license, you might be violating Sarbanes-Oxley.

  8. GPL Violation == Sarbanes Oxley Violation by panda · · Score: 3, Insightful

    I think a lot of folks here have missed the point. The article's author is making an intellectual exercise in asking out loud and in public if companies that violate the GPL in their software are not also violating Sarbanes-Oxley.

    This is because they are required to list what intellectual property the company owns to shareholders and if it is later found out that the company doesn't really own it, because it is based on a GPL'd software, then is that a Sarbanes-Oxley violation.

    I'd have to say, it looks like one, but I'm no MBA, nor a JD.

    --
    Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
    1. Re:GPL Violation == Sarbanes Oxley Violation by DRJlaw · · Score: 3, Informative

      This is because they are required to list what intellectual property the company owns to shareholders and if it is later found out that the company doesn't really own it, because it is based on a GPL'd software, then is that a Sarbanes-Oxley violation.

      Wrong.

      A corporation is required to account for intangible assets that the company owns, and timely and accurately report the acquisition cost, book value, and sale value, if any, in aggregate as part of its normal financial reporting. Refer to SOx sec 302 and FASB statements 141 and 142. SOx requires that existing financial reports be more accurate, not more detailed, in general. Those assets will be reported in categories, as part of particular transactions, or both, but not item by item in most corporate financial reports. IBM does not list the value of the individual patents held in its portfolio in its reports to investors, and I can fairly confidently say that it never will. GPL software is no different in that respect.

      GPL software is different in that it should not even be an issue in most cases because it has no intrinsic acquisition cost, no book value, and no sale value. If a corporation pays for GPL software, they are almost certainly paying for a SERVICE supporting the GPL software, which is an expense, not an asset. Remember all those "You really can make money off GPL software" discussions that have cropped up on Slashdot over the years? This point alone makes the SOx argument almost laughable.

      The issue is not whether a company has violated the GPL, but whether a corporation knows that it has violated the GPL and failed to account for the potential liability, artificially inflating the value of the corporation. This information is not necessarily even going to be public, as it can be lumped into a litigation reserve along with every other potential liability associated with identified assets. Assuming that there is no pending or probable litigation, you are not going to find a corporate report that identifies the separate 'potential liability' associated with, say, products liability suits over Tickle-Me-Elmo dolls as well. It's the same reporting detail issue described above.

      Remember, SOx is about accuracy and certification -- it requires that corporations display an accurate external appearance, not provide a CAT-scan like view of the entire workings of the business. You are not gaining additional transparency, you are supposedly gaining assurance that the corporation is not lying about the gross and net numbers under the existing reporting style. If there's no accounting irregularity, the software compliance issue is almost meaningless to SOx (although still important to operations).

  9. I am a SOX IT auditor by kalpol · · Score: 4, Informative

    Rather new at it, it's true, but so far if we find a company has a problem of this sort, it's generally not a very big deal especially if they rectify it before their fiscal year ends. This is just one little piece of the huge SOX pie and often there are other controls in place that mitigate the effect of a finding anyway. Now if the company practiced systemic licensing violations then that's a different matter.

    --
    12:50 - press return.
  10. Poor headline by shogarth · · Score: 3, Informative

    Come on people, let's pay attention to the article. Contrary to the poster's headline, nothing in it even hints that using Linux would violate Sarb-Ox. Sarb-Ox is supposed to make investing a bit safer by forcing companies to audit their practices and disclose potential problems.

    If someone is building products on GPL code (like, say broadband router/NAT boxes based on Linux) then they are supposed to disclose that tidbit to their investors. The important part is that they don't own all of the intellectual property for that product and investors should know since that could change the company's value. If they fail to disclose the data, then they have violated Sarb-Ox.

    1. Re:Poor headline by georgewilliamherbert · · Score: 3, Informative

      Right. The source article at http://www.wasabisystems.com/gpl/ is not intended to discourage the use of GPL software; it's a not-so-subtle slam on some of Wasabi's competitors who are using Linux (with the GPL) in embedded systems and possibly not properly disclosing the IP issues to their investors. That might be a SOX violation, yes. But doesn't matter to Joe Linux User on the street. They aren't claiming there's anything wrong at the user end; just at the distributor end, if you improperly distribute modified Linux (or other GPL) products and don't release the source. In this, RMS and the Free Software Foundation agree. Wasabi is correct that their use of a Berkeley license makes their operations safer that way. But it also doesn't make a difference to a Linux-using vendor if the vendor obeys the GPL as the GPL requires...

  11. Missing the bigger picture by davidsyes · · Score: 3, Insightful

    I think a lot of people are missing the bigger picture by not asking the question:

    "WHAT is the main reason and who are the authors behind the SOX wording" about this disclosure requirement.

    It COULD be a specious attempt by lobbyists on the part of their supporters to FORCE the companies using GPL/FLOSS/Linux to disclose themselves so that ms and their henchmen can start targeting the companies that (public or private) are using Linux/free/free software. It has the 'beneficial' effect of causing their competitiveness or chance of success to be diminished or at least perceived as rogue, reckless, uninformed...

    Moreover, it indirectly helps ms by causing the commercial (non- or anti-Linux/GPL/FLOSS) companies/developers to target and entice those companies 'back into' the fold if they have escaped or managed to get one foot out of the field.

    This isn't to say that employees don't talk. Of course employees talk, whether complaining or bragging about their companies. BUT, by forcing companies to list that they are anti-ms or unwilling to be 100% in ms' farm, then the shareholders who WANT to be in ms' fold (for stock/portfolio reasons) just MIGHT call for the necks of the IT managers.

    Just one jaded/cynical/scary thought...

    Anyone else can add to or refine my ideas here...

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  12. Not using, abusing by xarak · · Score: 3, Insightful

    The study indicates that dozens of companies are discovered each year to have violated the terms of GPL, and if they are public companies, they are violating Sarbanes-Oxley.

    The article said that if you violate the GPL, you violate SOx. This would therefore be A Good Thing (TM) as it would give even more power to the FSF to clear up abuses.

    Misinterpreting articles in this way sends the wrong message to managers, however, who might think they're better off with M$. And no, managers don't read the article.

    IMHO, the same company would be violating SOx as much if they bundled any M$ or other proprietary DLL/EXE/bitmap image into their software without explicitly mentioning it.

    --
    Atheism is a non-prophet organisation
  13. Yum yum yum, I love FUD by MoxFulder · · Score: 4, Insightful

    The title of the post is pure FUD, "Some Linux Users Violate Sarbanes-Oxley!!!" TFA is only slightly better...

    Why stop at Linux, or free software in general? If a company makes an embedded device that uses a pirated copy of a proprietary RTOS, that would violate the Sarbanes-Oxley law too.

    This seems to me a fundamentally good law (at least this provision): companies must not claim to have rights to use or distribute software, unless they actually do have those rights!

    So why is anyone linking this provision to Linux?????? The only reason is because it's easy to get Linux for free, so incompetent people think they can do whatever they want with it. No one would make the same mistake with Microsoft software, simply because it's wrapped in a menacing 10 page EULA.

  14. Who owns the Stolen code in Windows? by Lost+Penguin · · Score: 3, Interesting

    By the same token;
    What IP is in Windows?
    We already know Microsoft has been caught stealing code many times, what is still lurking?
    Without a full source to any OS how can anyone know whose IP they are using?

    --
    I am the unwilling control for my Origin.