
Does Using GPL Software Violate Sarbanes-Oxley?

Anonymous Coward writes "eWeek is reporting that The Software Freedom Law Center has published a white paper that dismisses recent publications from embedded systems seller Wasabi Systems. Wasabi recently released statements focusing on alleged GNU General Public License violations in relation to the Sarbanes-Oxley Act of 2002. The white paper, titled "Sarbanes-Oxley and the GPL: No Special Risk," essentially counsels users of the free software license that they have no need to worry."

11 of 272 comments

  1. Worded poorly. by Short Circuit · Score: 3, Informative

    The SFLC wrote the paper titled "No Special Risk" ... Wasabi Systems alleged SO violations.

    And no surprise...they advertise BSD-based products on their front page. (Not dissing Any of the BSDs, they're cool, IMO.)

    1. Re:Worded poorly. by ShieldW0lf · Score: 5, Informative

      Situation One: Your company owns the copyright to the software outright, released it under the GPL, and doesn't accept contributions. No problems.

      Situation Two: Your company distributes GPL software that it didn't write, with or without modifications. Your company recognizes that this is not its intellectual property, and never should have been, being that it wasn't written by them, and doesn't claim it as an asset. No problems.

      Situation Three: Your company distributes GPL software that it didn't write, with modifications. Your company fails to recognize that part of this software was never theirs in the first place and that the rest of it is not an economic asset because they do not have the ability to control access to it in exchange for money, but you try to pull some bullshit with the numbers to make it seem like an asset. By doing this, you're misleading your investors and committing fraud. You have a problem.

      But the problem isn't with the law. The law is working exactly as it should. If you're an OEM using open source software that you sourced externally for free and modified, it's not your property, and you shouldn't be listing it at all. If you've built your business around this lie, you're SUPPOSED to be fucked. That's what the law is for.

      --
      -1 Uncomfortable Truth
  2. More info on SOX by kebes · Score: 5, Informative

    In case you have no clue what "Sarbanes-Oxley" is, you can check out official info and the Wikipedia article. Basically it is a set of laws that place limits on what companies (and those working for them, especially upper management) can do. This has mostly to do with declaring assets and transfers of money. It tries to prevent companies from defrauding investors and so on. These laws were enacted after the Enron scandal.

    Wasabi's complaint is that under these laws, you have to declare all assets, including intellectual property. Their rationale is that using open-source software, you may be in violation of the law if you do not review and declare that usage.

    As was pointed out last time this was discussed on slashdot, a company would only be in trouble if they were already doing something illegal: violating the GPL. If you violate the GPL, then you're misrepresenting your ownership of IP (claiming to have a license you don't), and thus are also violating Sarbanes-Oxley.

    So what's the problem? If a company follows the GPL, then everything is fine. They have nothing to worry about. If they violate the GPL, then they're breaking multiple laws. So, as always, companies should make sure that what they are doing is legal. This in no way diminishes the extent to which GPL software can be used in commercial environments. Wasabi acts as if there is some tremendous additional legal burden to using GPL software. However it seems that Sarbanes-Oxley would equally apply if you mis-represented your ownership of non-GPL software. So there's no difference. (You can read the Software Freedom Law Center white paper for a more complete explanation.)

    1. Re:More info on SOX by zero1101 · Score: 5, Informative

      One of the biggest arguments against the GPL is that if you use it in your own code, you have to agree to its terms. In the case of the GPL, those terms mean that your code must be GPLed.

      This is an extremely misleading statement, if not outright false. Your code must only be GPLed *if you redistribute it*. There are, unfortunately, plenty of cases where PHBs decide not to use GPL software because they don't understand this. And apparently neither do many Slashdot readers.

    2. Re:More info on SOX by Tony Hoyle · Score: 4, Informative

      In practice though GPL stuff isn't enforced...

      Witness the number of embedded devices (particularly routers) where you can't get the source code to the GPL parts, and where you can, they're hard linked to closed source binaries with 'no unauthorised distribution' clauses (Yes I mean you Broadcom!).

      So it's perfectly legal to modify the GPL bits, but illegal to distribute the resultant code... thus the GPL is defeated by apathy because nobody cares.

    3. Re:More info on SOX by jschrod · Score: 3, Informative

      Check out http://www.gpl-violations.org.

      Witness the cases where GPL gets enforced legally, when embedded devices violate the copyright of the netfilter project.

      --

      Joachim

      People don't write Manifestos any more -- what's going on in this world? [Frank Zappa]

  3. Intended Consequences of laws by dada21 · Score: 3, Informative

    Some think that these situations are unintended consequences of laws that have "good" effects. Sarbanes-Oxley was intended, from the start, to be the ultimate way for government to control any corporation at will.

    The law was initially meant to "fix" problems such as the Enron fiasco, but if you rewind just a few years, you see that most of these fiascos came directly out of trying to take advantage of loopholes in previous laws. The SEC colludes with the rest of the all powerful federal government to constantly keep non-preferred companies on their toes, while giving excessive power to the cronies. Sarbanes-Oxley will have the same effect.

    The one light in Congress, Dr. Ron Paul, made an excellent note regarding Sarbanes-Oxley and the cost it will pass on to consumers. The Mises Institute also has a ton of great articles and blog posts regarding the horrors of this law.

    It is time to realize that government is NOT good at regulating business, except from the point of view of the cronies. Bills like this will rarely be used for their original intent, and the un?-intended consequence in the long run is to see criminals made of innocents that had nothing to do with the law's purpose.

    Instead of voting, I think we need to start pitching money in a hat to buy rope for those who violate their oath to uphold the Constitution.

    1. Re:Intended Consequences of laws by dada21 · Score: 3, Informative

      I have absolutely zero dollars in publicly traded companies. I have no faith in the business of others -- in my own businesses I have so much "insider information" that I can't believe everyone else is a big enough sucker to trust these massive companies to tell the truth about everything.

      That being said, I hate accountants. The average CPA is part of the problem in this country (CPAs as a group lobby Congress to make the tax code worse every year). Instead of requiring companies to do anything, how about telling people that they really shouldn't put their money anywhere but where they trust? I make between 20% and 50% on my various businesses, annually. Most stocks pay no dividend, so they actually make their owners no profit (except on sale, which is ridiculous as companies should pay profits).

      The whole system is a mess, and it's a mess because we keep requiring business to perform counter-productive to how a free market performs.

  4. Re:Maybe I'm a bit thick but... by ZachPruckowski · Score: 3, Informative

    How can GPL (or using GPL'ed software) violate the SOX, if GPL'ed software is used as the license permits? Reading the article didn't give me any insight about this issue.

    You can not get in trouble for using software you have a license to use. Period. If you follow the GPL, you have a license to use OSS. Break the GPL, and well, you don't have that license anymore. Ditto with normal software. If you violate an EULA, or steal software, you don't have a license anymore. Using software you don't have a license to is a SOx violation, regardless of whether the software is free or not.

  5. Re:Coming soon to slashdot: by Door-opening Fascist · Score: 3, Informative

    Bzzt. The IUPAC name for H2O is water, regardless of state.

  6. Cui bono -- who benefits -- is often important. by jbn-o · Score: 3, Informative

    The reason why they're making their case against the GPL is important. Proprietors are saying that the GPL makes them nervous, they don't like the commons the GPL creates and maintains. Proprietors want to discourage everyone from using and developing GPL-covered code so that they have less competition and won't have to spend their time lobbying governments around the world to help make Free Software implementations of various programs impossible. Thus this is just another legal risk FUD case against the most widely used Free Software license, the GNU GPL which fails to mention what the Software Freedom Law Center points out:

    "Historically, GPL violations have not triggered massive lawsuits for damages the way that violations of proprietary license agreements have. The primary enforcer of the GPL is the Free Software Foundation (FSF), who has never used a GPL violation as the basis to go to court to seek a large damage award or enjoin software distribution. The FSF's stated policy is to ensure compliance, not to prevent software distribution or to seek damages.

    What this means practically for the vast majority of companies complying with SOX is that the threat to their businesses posed by potential GPL license violations, both inadvertent and intentional, is so low as to be immaterial. In any case, the financial impact of GPL violations is likely to almost always be lower than the impact of proprietary license violations, for which parties routinely bring suit for damages."

    And when it comes to GPL-covered software being so complicated to deal with, the SFLC has this to say:

    "In most instances, compliance with proprietary licenses is much more complex than GPL compliance because the GPL is a general license with obligations that are fairly simple and understandable. No money changes hands, seats are not counted, and licenses are not time-limited. GPL compliance is a fairly simple matter, and if a company has concerns about how to comply, the FSF is staffed with experts who can and do help companies create efficient compliance procedures. Proprietary licenses, on the other hand, often contain both a greater number of provisions and a greater complexity than the GPL. Thus, a company trying to understand its rights and comply with its obligations under such a complex and detailed license will have a much harder time than one who must merely comply with the GPL. Accordingly, the risk of inadvertent license violation is often greater with non-GPL licenses."