Does Using GPL Software Violate Sarbanes-Oxley?

Anonymous Coward writes "eWeek is reporting that The Software Freedom Law Center has published a white paper that dismisses recent publications from embedded systems seller Wasabi Systems. Wasabi recently released statements focusing on alleged GNU General Public License violations in relation to the Sarbanes-Oxley Act of 2002. The white paper, titled "Sarbanes-Oxley and the GPL: No Special Risk," essentially counsels users of the free software license that they have no need to worry."

Worded poorly.

[Short+Circuit]

The SFLC wrote the paper titled "No Special Risk" ... Wasabi Systems alleged SO violations.

And no surprise...they advertise BSD-based products on their front page. (Not dissing Any of the BSDs, they're cool, IMO.)

Re:Worded poorly.

[ShieldW0lf]

Situation One: Your company owns the copyright to the software outright, released it under the GPL, and doesn't accept contributions. No problems. Situation Two: Your company distributes GPL software that it didn't write, with or without modifications. Your company recogizes that this is not its intellectual property, and never should have been, being that it wasn't written by them, and doesn't claim it as an asset. No problems. Situation Three: Your company distributes GPL software that it didn't write, with modifications. Your company fails to recognize that part of this software was never theirs in the first place and that the rest of it is not an economic asset because they do not have the ability to control access to it in exchange for money, but you try to pull some bullshit with the numbers to make it seem like an asset. By doing this, you're misleading your investors and committing fraud. You have a problem. But the problem isn't with the law. The law is working exactly as it should. If you're an OEM using open source software that you sourced externally for free and modified, it's not your property, and you shouldn't be listing it at all. If you've built your business around this lie, you're SUPPOSED to be fucked. That's what the law is for.

More info on SOX

[kebes]

In case you have no clue what "Sarbanes-Oxley" is, you can check out official info and the Wikipedia article. Basically it is a set of laws that place limits on what companies (and those working for them, especially upper management) can do. This has mostly to do with declaring assets and transfers of money. It tries to prevent companies from defrauding investors and so on. These laws were enacted after the Enron scandal.

Wasabi's complaint is that under these laws, you have to declare all assets, including intellectual property. Their rationale is that using open-source software, you may be in violation of the law if you do not review and declare that usage.

As was pointed out last time this was discussed on slashdot, a company would only be in trouble if they were already doing something illegal: violating the GPL. If you violate the GPL, then you're misrepresenting your ownership of IP (claiming to have a license you don't), and thus are also violating Sarbanes-Oxley.

So what's the problem? If a company follows the GPL, then everything is fine. They have nothing to worry about. If they violate the GPL, then they're breaking multiple laws. So, as always, companies should make sure that what they are doing is legal. This in no way diminishes the extent to which GPL software can be used in commercial environments. Wasabi acts as if there is some tremendous additional legal burden to using GPL software. However it seems that Sarbanes-Oxley would equally apply if you mis-represented your ownership of non-GPL software. So there's no difference. (You can read the Software Freedom Law Center white paper for a more complete explanation.)

Re:More info on SOX

[Fulcrum+of+Evil]

One of the biggest arguments against the GPL is that if you use it in your own code, you have to agree to its terms.

How is that an argument against the GPL? In most other cases, even getting the code will violate several laws, and you have no right to use it in your product. Seems the GPL gives you more than most. If you just want a library, the choice is simple - make your stuff GPL or don't use the library (with some exceptions).

Re:More info on SOX

[zero1101]

One of the biggest arguments against the GPL is that if you use it in your own code, you have to agree to its terms. In the case of the GPL, those terms mean that your code must be GPLed.

This is an extremely misleading statement, if not outright false. Your code must only be GPLed *if you redistribute it*. There are, unfortunately, plenty of cases where PHB's decide not to use GPL software because they don't understand this. And apparently neither do many Slashdot readers.

Re:More info on SOX

[Tony+Hoyle]

In practice though GPL stuff isn't enforced...

Witness the number of embedded devices (particularly routers) where you can't get the source code to the GPL parts, and where you can, they're hard linked to closed source binaries with 'no unauthorised distribution' clauses (Yes I mean you Broadcom!).

So it's perfectly legal to modify the GPL bits, but illegal to distribute the resultant code... thus the GPL is defeated by apathy because nobody cares.

Re:More info on SOX

[jschrod]

Check out http://www.gpl-violations.org.

Witness the cases where GPL gets enforced legally, when embedded devices violate the copyright of the netfilter project.

Re:More info on SOX

[zippthorne]

*sigh*

There are rights you cannot sign away. For instance, there is no form, statement, or contract you can sign, notorize, witness, swear before a judge, that grants another human being the right to take your life.

In the US, the vast majority of "liability waivers" that you sign before doing something that could be remotely dangerous (i.e. scuba lessons, skydiving lessons, bungee jumping, wall climbing, surfing, marathon running, go cart driving, you know, stuff you can't do sitting in front of a computer screen) are not valid contracts (however, rights that are appropriable may still be validly signed away, so the contract may not be wholly struck out. consult a lawyer).

Many in the GPL movement claim that similar law applies to reverse engineering for interoperability purposes. IIRC, the samba team in particular has had to do some kind of reverse engineering (i'm not sure if it was actual disasembly however), so their experience, and any cases they may have had to bring, would be informative.

Belief that a license is unfair is irrelevant, except where that unfairness runs into conflict with other laws, say.. anti-trust laws for instance. The outcome of a clash of multiple laws is not necessarily clear, and this is where the lawyers make their money.

Oh, and thanks for misconstruing my categorizing of some beliefs as an exposition of my own belief, then blowing it out of proportion for the purpose of discreditation via sarcasm.

Intended Consequences of laws

[dada21]

Some think that these situations are unintended consequences of laws that have "good" effects. Sarbanes-Oxley was intended, from the start, to be the ultimate way for governmentto control any corporation at will.

The law was initially meant to "fix" problems such as the Enron fiasco, but if you rewind just a few years, you see that most of these fiascos came directly out of trying to take advantage of loopholes in previous laws. The SEC colludes with the rest of the all powerful federal government to constantly keep non-preferred companies on their toes, while giving excessive power to the cronies. Sarbanes-Oxley will have the same effect.

The one light in Congress, Dr. Ron Paul, made an excellent note regarding Sarbanes-Oxley and the cost it will pass on to consumers. The Mises Institute also has a ton of great articles and blog posts regarding the horrors of this law.

It is time to realize that government is NOT good at regulating business, except from the point of view of the cronies. Bills like this will rarely be used for their original intent, and the un?-intended consequence in the long run is to see criminals made of innocents that had nothing to do with the law's purpose.

Instead of voting, I think we need to start pitching money in a hat to buy rope for those who violate their oath to uphold the Constitution.

Re:Intended Consequences of laws

[dada21]

I have absolutely zero dollars in publicly traded companies. I have no faith in the business of others -- in my own businesses I have so much "insider information" that I can't believe everyone else is a big enough sucker to trust these massive companies to tell the truth about everything.

That being said, I hate accountants. The average CPA is part of the problem in this country (CPAs as a group lobby Congress to make the tax code worse every year). Instead of requiring companies to do anything, how about telling people that they really shouldn't put their money anywhere but where they trust? I make between 20% and 50% on my various businesses, annually. Most stocks pay no dividend, so they actually make their owners no profit (except on sale, which is ridiculous as companies should pay profits).

The whole system is a mess, and its a mess because we keep requiring business to perform counter-productive to how a free market performs.

Re:Intended Consequences of laws

[rossifer]

An ounce of gold today buys about the same thing that an ounce of gold did in 1800 and an ounce of gold in 0 AD.

This statement is only true for a very carefully selected group of products (and almost no services). While an ounce of gold will still buy a nice men's suit of about the same relative quality as you might buy in 1800, for pretty much everything else, an ounce of gold will not buy you the same things you could get in 1800. This is due to relative changes in value of purchasables, especially the value of human services as compared to physical goods. The comparison to 0AD prices is that much more crazy (just because you can find one product that could be traded for about the same gold does not mean that there's equal value behind an ounce of gold over time).

Even more importantly, your assertion about the consistency of value behind an ounce of gold glosses over huge currency to value changes (hyper inflation and deflation) that have disrupted local economies and created great misery until things restabilized.

If the available interest rate of savings accounts is above the inflation rate, there is an incentive to save.
Yet the available interest rate is set by the same organization that prints the new paper currency!

Actually, a particular consumer bank's savings account interest rate is not set by the federal reserve and only bears the slightest relationship to any of the interest rates they do set. The biggest problem is that banks earn a lot more money from debt than from savings and are disincented from providing savings services, except as necessary to maintain their fractional reserves. How to correct this imbalance of incentives? It's more complex than you think.

My money is stable, and I don't fear stock market fluctuations, war, imperialism or a global loss of faith in the dollar.

Gold ended up being devalued hugely in the late '70's and early '80's (from about $800/oz to $300/oz in 1976 USD) and many people who thought like you do lost substantial fractions of their savings because they had fearfully put all of their money in gold as a hedge against disaster. Which turned out to be disastrous for them once the oil crisis passed.

Is your future safe?

Actually, pretty risky. Almost all of my money is in my home and will soon be in my own entrepreneurial venture. But I'm convinced that that's the best place for it, despite the risk that the company could fail. The independence and potential upside are too compelling to ignore.

Regards,
Ross

Re:Intended Consequences of laws

[killjoe]

"My 2 biggest successes were in the free markets that were unburdened by regulations."

I think that's everybodies point. Business loves to run free and do whatever it wants. It's great for you, sucks for everybody else.

As I said there are lots of places in the world where there are weak govenments and businesses run the country. I don't want to live in any of them. You want to live in Dubai? Under a king? No democracy? Go ahead. My guess is that you won't live there, you will set up a business and fuck the guest workers like all other dubai businesses do. Get them into the country and then take away their permission to leave so you can work them for cheap.

Dubai is great if you are a) connected b) rich c) royal d) visiting.

Re:Maybe I'm a bit thick but...

[ZachPruckowski]

How can GPL (or using GPL'ed software) violate the SOX, if GPL'ed software is used as the license permits? Reading the article didn't give me any insight about this issue.

You can not get in trouble for using software you have a license to use. Period. If you follow the GPL, you have a license to use OSS. Break the GPL, and well, you don't have that license anymore. Ditto with normal software. If you violate an EULA, or steal software, you don't have a license anymore. Using software you don't have a license to is a SOx violation, regardless of whether the software is free or not.

Re:Maybe I'm a bit thick but...

[Billly+Gates]

According to SOX you need to give an account on who owns all your IP.

The counterlink given in this article is just as biased.

Here is the problem. You run linux and your software is an asset used to help run your company. Who owns it? Does Linus own the kernel? What about the distro owner? How about the 250 people who contributed to the kernel?

Wasabi is saying that you need to keep track of all the thousands of kernel and FOSS developers since they own the copyright on the code in your accounting reports. Since that is impossible you therefore break the SOX law and your business can be held liable.

The GPL is not an EULA but just a license for the code. The issue of proper credit and who owns what is what the fud is all about.

This will scare some of the suits from using linux but they would typically find a reason not to use it anyway.

Re:SOX is change management over financial systems

[CodeArtisan]

I like what you said, but let's be clear... SOX says nothing about change management.

Not directly. PCAOB Audit Standard #2, however, does. The PCAOB Audit Standard is the SEC approved audit standard to which US Public Companies filing under Sarbanes-Oxley are held.

Paragraph 50 of the standard requiter that Change Management over financial systems should be tested by the auditor.

Re:Maybe I'm a bit thick but...

And you'd be [mostly] wrong. Although some of the linux contributors may have assigned the copyrights to their contributions to the FSF, Linus has not, and he retains copy rights on much of the kernel.

Re:Coming soon to slashdot:

[Door-opening+Fascist]

Bzzt. The IUPAC name for H2O is water, regardless of state.

Re:Coming soon to slashdot:

[darkmeridian]

water is not ice.
water is not steam.

ice is solid water.
steam is gaseous water.

Re:Coming soon to slashdot:

[venicebeach]

I think more to the point is whether a liquid can be "wet". Usually we use the term "wet" to refer to a solid that is covered with or has absorbed a liquid.

Cui bono -- who benefits -- is often important.

[jbn-o]

The reason why they're making their case against the GPL is important. Proprietors are saying that the GPL makes them nervous, they don't like the commons the GPL creates and maintains. Proprietors want to discourage everyone from using and developing GPL-covered code so that they have less competition and won't have to spend their time lobbying governments around the world to help make Free Software implementations of various programs impossible. Thus this is just another legal risk FUD case against the most widely used Free Software license, the GNU GPL which fails to mention what the Software Freedom Law Center points out:

"Historically, GPL violations have not triggered massive lawsuits for damages the way that violations of proprietary license agreements have. The primary enforcer of the GPL is the Free Software Foundation (FSF), who has never used a GPL violation as the basis to go to court to seek a large damage award or enjoin software distribution. The FSF's stated policy is to ensure compliance, not to prevent software distribution or to seek damages.

What this means practically for the vast majority of companies complying with SOX is that the threat to their businesses posed by potential GPL license violations, both inadvertent and intentional, is so low as to be immaterial. In any case, the financial impact of GPL violations is likely to almost always be lower than the impact of proprietary license violations, for which parties routinely bring suit for damages."

And when it comes to GPL-covered software being so complicated to deal with, the SFLC has this to say:

"In most instances, compliance with proprietary licenses is much more complex than GPL compliance because the GPL is a general license with obligations that are fairly simple and understandable. No money changes hands, seats are not counted, and licenses are not time-limited. GPL compliance is a fairly simply matter, and if a company has concerns about how to comply, the FSF is staffed with experts who can and do help companies create efficient compliance procedures. Proprietary licenses, on the other hand, often contain both a greater number of provisions and a greater complexity than the GPL. Thus, a company trying to understand its rights and comply with its obligations under such a complex and detailed license will have a much harder time than one who must merely comply with the GPL. Accordingly, the risk of inadvertent license violation is often greater with non-GPL licenses."

Re:Beware Your EULA

[julesh]

Under the MS EULA, once you upgrade your software, you have no rights to use the older version(s). This means that if the 'upgrade' breaks your mission-critical software you are so toast.

I believe you are mistaken. Not only would it violate the principle that once you have paid for a license it is yours to dispose of as you wish (doctrine of first sale), Microsoft specifically grants downgrade rights in many of their licenses anyway -- e.g., if you want a second license for Office 97 you can buy a recent version of Office and install from your old Office 97 disk if you want.