Larry Rosen: A Case Study In Understanding (and Enforcing) the GPL

lrosen (attorney Lawrence Rosen) writes with a response to an article that appeared on Opensource.com late last month, detailing a court case that arose between Versata Software and Ameriprise Financial Services; part of the resulting dispute hinges on Versata's use of GPL'd software (parsing utility VTD-X, from Ximpleware), though without acknowledging the license. According to the article's author, attorney Aaron Williamson (former staff attorney for the Software Freedom Law Center), "Lawyers for commercial software vendors have feared a claim like this for essentially the entire 20-odd-year lifetime of the GPL: a vendor incorporates some GPL-licensed code into a product—maybe naively, maybe willfully—and could be compelled to freely license the entire product as a result. The documents filed by Amerprise in the case reflect this fearful atmosphere, adopting the classically fear-mongering characterization of the GPL as a 'viral' license that 'infects' its host and 'requires it to become open source, too.'" Rosen writes: I want to acknowledge Aaron's main points: This lawsuit challenges certain assumptions about GPLv2 licensing, and it also emphasizes the effects of patents on the FOSS (and commercial) software ecosystem. I also want to acknowledge that I have been consulted as an expert by the plaintiff in this litigation (Ximpleware vs. Versata, et al.) and so some of what I say below they may also say in court. Read on for the rest (and Williamson's article, too, for a better understanding of this reaction to it). An important take-away: it's not just the license that matters.

Let's be open about the facts here. Ximpleware worked diligently over many years to create certain valuable software. The author posted his source code on SourceForge. He offered the software under GPLv2. He also offered that software under commercial licenses. And he sought and received and provided notice of United States patent claims related to that software.

Unbeknownst to Ximpleware, Versata took that GPLv2 software and incorporated it into Versata products – without disclosing that GPLv2 software or in any other way honoring the terms of the GPLv2 license. The reason Ximpleware became aware of that GPLv2 breach is because some months ago Versata and one of its customers, Ameriprise, became embroiled in their own litigation. The breach of GPLv2 came out during discovery.

Ximpleware has terminated that license as to Versata. This is exactly what the Software Freedom Conservancy and others do when confronted by GPL breaches.

That earlier litigation is between two (or more) commercial companies; it is not a FOSS problem. These are mature, sophisticated, profitable companies that have the wherewithal to protect themselves. I know in my own law practice, whether I represent software vendors or their commercial customers, we typically provide for some level of indemnification. Perhaps Ameriprise and the other customer-defendants can count on Versata defending them against Ximpleware. Such a commercial dispute between big companies – even if it involves the GPLv2 software of a small company and separate indemnification for copyright or patent infringement – is between them alone.

But as to Ximpleware and its GPLv2 copyrighted and patented software, there are a few misunderstandings reflected in Aaron Williamson's article:

1. The notion of "implied patent licensing" has no clear legal precedent in any software licensing. While it is true that goods one purchases include a patent license under what is known as the "exhaustion doctrine," there is no exhaustion of patented software when copies are made (even though copying of the software itself is authorized by GPLv2). For example, a typical commercial patent license nowadays might include a royalty for each Android phone manufactured and sold. Companies that distribute Android phones and its FOSS software acquire patent licenses so recipients of their phones are indeed free to use those phones. But that isn't because of some implied patent licenses that come with Android software, but because commercial companies who distribute phones pay for those patent rights, directly or indirectly. I think it is entirely reasonable to require commercial companies to get their patent licenses in writing.

2. Versata's customers who received the (in breach!) GPLv2 software all moved to dismiss Ximpleware's infringement claims against them, pointing to Section 0 of GPLv2, which says, "[t]he act of running the Program is not restricted." What that sentence actually means is just what it says: The GPLv2 copyright grant itself (which is all there is in GPLv2) does not restrict the act of running the program. Nor could it; that is a true statement because running a program is not one of the enumerated copyright rights subject to a copyright license (17 USC 106). The authors of the GPL licenses have themselves made that argument repeatedly: The use of software is simply not a copyright issue.

3. Because there are U.S. patent claims on this Ximpleware software, Section 7 of GPLv2 prohibits its distribution under that license in the United States (or any jurisdictions where patent claims restrict its use). If Ameriprise and the other defendants were outside the U.S. where the Ximpleware patents don't apply, then GPLv2 would indeed be sufficient for that use. But inside the U.S. those customers are not authorized and they cannot rely on an assumed patent grant in GPLv2. Otherwise GPLv2 Section 7 would be an irrelevant provision. Reread it carefully if you doubt this.

The Versata customers certainly cannot depend on an implied patent license received indirectly through a vendor who was in breach of GPLv2 since the beginning – and still is! Versata ignored and failed to disclose to its own customers Ximpleware's patent notices concerning that GPLv2 software, but those patents are nevertheless infringed.

Should we forgive commercial companies who fail to undertake honest compliance with the GPL? Should we forgive their customers who aren't diligent in acquiring their software from diligent vendors?

As Aaron Williamson suggests, we shouldn't ignore the implications of this case. After all, the creator of Ximpleware software made his source code freely available under GPLv2 and posted clear notices to potential commercial customers of his U.S. patents and of his commercial licensing options. Lots of small (and large!) open source commercial companies do that. Although it is ultimately up to the courts to decide this case, from a FOSS point of view Ximpleware is the good guy here!

There is rich detail about this matter that will come out during litigation. Please don't criticize until you understand all the facts.

------------------------------------------

Lawrence Rosen
Rosenlaw & Einschlag (lrosen@rosenlaw.com)"

What if it were Microsoft code

[Animats]

If they had a Microsoft library not authorized for free distribution in their program, Microsoft would be demanding substantial damages.

Re:What if it were Microsoft code

[MightyMartian]

Indeed. I fail to see why GPL software is being picked on here. You lift someone else's copyrighted code without permission and without abiding by any licensing agreements, you are SOL if you get busted.

Re:What if it were Microsoft code

[Kaz+Kylheku]

The difference is that the code is distributed for free. No judge is going to award damages for the redistribution of something that is free. At least, not actual damages, like $$$ per infringing copy. The breach of the terms (like not redistributing the source code) could be translated to some punitive damages, perhaps. Probably the best outcomes you can hope for are: the violator of the license is either asked to stop distributing the software, or else to come into compliance: replace the GPL'ed part with a from-scratch workalike, so that the program is no longer distributed with any GPLed code, or else make the whole program GPLed.

Re:What if it were Microsoft code

[bulled]

The difference is that the code is distributed for free. No judge is going to award damages for the redistribution of something that is free. At least, not actual damages, like $$$ per infringing copy. The breach of the terms (like not redistributing the source code) could be translated to some punitive damages, perhaps.

I don't see how the lack of a monetary cost for _one_ of the licensing options should affect awarding damages.

Probably the best outcomes you can hope for are: the violator of the license is either asked to stop distributing the software, or else to come into compliance: replace the GPL'ed part with a from-scratch workalike, so that the program is no longer distributed with any GPLed code, or else make the whole program GPLed.

You forgot the third option in this case. If Ximpleware is open to it, they could pay for a commercial license.

Re:What if it were Microsoft code

The code wasn't distributed for free. It was distributed under a choice of two separate licenses: One was the GPL, one was commercial. Clearly, the commercial license route wasn't taken, and the GPL license wasn't adhered to.

Re:What if it were Microsoft code

[khellendros1984]

VTD-XML is a dual-licensed piece of software. From their FAQ:

If you don't like the restriction of GPL, XimpleWare also offers flexible commercial licenses for VTD-XML [contact info follows]

The software is distributed for free provided certain license terms are followed, and otherwise, a license can be purchased for it as a commercial product. This seems to be a case where the GPL-licensed version of the software was inappropriate, and Versata should've paid for a license. I think that it can be argued that there are real damages in this case.

Re:What if it were Microsoft code

IAAL (and I have litigated GPLv2 cases unlike most IP attorneys). Anyway, the current case law says that breaching the GPLv2 is actionable as a copyright violation. Depending on when the code was copyrighted, such violations carry their own statutory penalties (upwards of $150,000 per copyright violated if it qualifies as willful infringement), plus the more important punishment of attorney's fees. Basically, failing under the copyright act gives a plaintiff the ability to club the defendant with massive bills for what is, typically, a relatively easy case to prove.

Re:What if it were Microsoft code

[sribe]

The difference is that the code is distributed for free. No judge is going to award damages for the redistribution of something that is free. At least, not actual damages, like $$$ per infringing copy. The breach of the terms (like not redistributing the source code) could be translated to some punitive damages, perhaps.

Copyright law explicitly provides for statutory damages of up to $250,000 per copy, precisely so that authors who are ripped off do not have to definitely prove exactly how much they lost.

Re:What if it were Microsoft code

[dnavid]

The code wasn't distributed for free. It was distributed under a choice of two separate licenses: One was the GPL, one was commercial. Clearly, the commercial license route wasn't taken, and the GPL license wasn't adhered to.

Irrelevant if the patent owners argument is accepted that the GPL license did not include a license to use the software because you also needed to obtain a license for the patent that the GPL'd source uses. It's like cops putting out a plate of free 'special' (unmarked as such) brownies next to a plate of $5-per regular brownies at back-to-school night and promptly arresting everybody who eats one of the 'free' brownies.

If Oracle pulled such a BS claim out in their Java lawsuits, everybody but the corporate lawyers would be puking in disgust at such a bold admission of intent to entrap users.

I believe Larry Rosen's warning to learn the facts carefully applies here. XimpleHelp's argument is not that the GPL license did not include a license to use the software. The problem is more complicated than that. XimpleHelp's argument, as I understand it, is that the software was offered under two terms: one: you could abide by the GPL and use it (and redistributed it under certain conditions) for free. Two: you could buy a commercial license and use (and presumably redistribute) the software without any need to follow the GPL. The VDT-XML distribution site is pretty clear on this: it took me only a couple minutes to find and read the relevant part of the FAQ:

* Can you explain the GPL license a bit more? The GPL does not necessarily require one to disclose their source code when modifying a GPL-covered work or using GPL-covered code in a new work. This requirement arises only when the new project is "distributed" to third parties. If the resulting software is kept only for use by the modifier, no disclosure of source code is required. Although VTD-XML is protected by US patents 7133857, 7260652, and 7761459, as long as you abide by GPL, you don't have to worry about patent infringement. All licenses to any parties in litigation with XimpleWare have been expressly terminated. No new license, and no renewal of any revoked license, is granted to those parties as a result of re-downloading software from this or any other website If you don't like the restriction of GPL, XimpleWare also offers flexible commercial licenses for VTD-XML. Please email us at sales@ximpleware.com for more details.

XimpleHelp's legal argument as I understand it is that Versata violated the GPL when it used VDT-XML and *redistributed* the software in modified form without subjecting the derivative software to the terms of the GPL. That means effectively Versata did not have a valid license to VDT-XML, because they broke the GPL which granted it in the first place. Without that license, Versata was now not just in violation of the GPL, but also now violating XimpleWare's patent rights of the software - because Versata was using patent-protected software without permission.

Versata's customers may not have the right to estoppel they think they do, for the reason Rosen specifies: the GPL *would have* offered some protection to those customers if Versata itself had been compliant with the GPL. But since they are not, the GPL doesn't apply to Versata and neither does it apply to its customers - except insofar as they are in breach of it.

Addressing your analogy, nothing prevents Versata's customers themselves from downloading VDT-XML (or would have, before Versata terminated their ability to get a license because of the lawsuits) and using it, and nothing prevents anyone else from downloading VDT-XML and using it free from patent infringement allegations. If XimpleHelp tried to sue me for violating its patents just because I downloaded and used VDT-XML, they'd almost certainly lose that case both on legal merits and also because they explicitly said on their distribution site they would not do

Re:What if it were Microsoft code

[Spazmania]

So now your program A is GPL.

No. No, it isn't. Your program A is not GPL, it's infringing.

You may cure that infringment a number of ways, including: stripping the infringing code, paying the authors for an alternative license, pay the authors what the court orders you to pay them and, yes, releaseing program A under the GPL. The point is, how you cure the infringement is up to you. The GPL does not automatically attach to your code and if push comes to shove the court will order monetrary damages not compulsory licensing.

Re:What if it were Microsoft code

[sixoh1]

+1 - A lot of folks are playing amateur lawyer and making claims about what the GPL "does", but you should defer to Rosen here since he actually is a practicing lawyer who has actually been at a Plaintiff's table and enforced the GPL. He is very explicit that the GPL does not create new obligations upon authors who combine original works with GPL works. Your code is always your code, regardless of whether it is in a separate C file, or patched into an existing file licensed to you under the GPL. Go back and re-read the GPL, look for the words "distribution" and "distribute" which are the _ACTS_ that invoke the GPL terms of the upstream author.

The fact that we're still dealing with the "virus" meme suggests that Microsoft's dirty FUD war lives on long beyond it's usefulness to them. I only hope someday that karma pays them back when we have enough solid case law to make GPL the better legal framework for business and that we can repay their little FUD bomb one kick in the proprietary wall at a time.

Re:Software patents

[Kaz+Kylheku]

That unfortunate statement betrays a serious misunderstanding of copyright, patents, and the nature of software.

Re:Software patents

[jonbryce]

Yes it would. RMS invented the GPL because of copyright issues, and before software patents became a problem.

Fault appears to lie with Versata

[BaronM]

If I read correctly:

1. Versata produced software 'DCM' incorporating Ximpleware's GPLv2 licensed code.
2. Versata licensed DCM to Ameriprise, who then distributed copies to it's independent contractors.
3. Ximpleware's code is subject to patent claims in the USA, making distribution under GPLv2 impermissible, and Versata did not have a commercial license, making Versata's distribution of Ximpleware's code unlicensed (in the USA).
4. Ameriprise was not aware of (1) or (2) until discovery related to a lawsuit between Versata and Ameriprise.

If this is correct, I can see where Ximpleware has a copyright claim against Versata, but I don't see where Ximpleware has a copyright claim against Ameriprise for any distribution of DCM to it's contractors. Strictly speaking, I suppose Ameriprise did distribute copies of Ximpleware's code, but if they did so under good-faith belief that they had appropriately licensed DCM from Versata, I can not see it being reasonable to hold Ameriprise liable.

At the risk of a possible bad analogy, if Google included undocumented unlicensed code in Android, I would not consider it reasonable to hold each phone vendor liable for infringement, either.

Re:Fault appears to lie with Versata

[msobkow]

Perhaps simplistic, but mere possession of stolen goods is an indictable offense. It does not matter whether you were under the impression that the fence owned the items you bought; they're stolen, and you can't keep them.

The viral argument is misleading.

[queazocotal]

You distribute compiled code with GPL integrated, without complying with the GPL.

If this is discovered, then your customer has no right at all under the GPL to your whole code, and the GPL can never give them any rights.

The only way you can come into compliance with the GPL is to distribute sources for the whole blob - but in practice what has to happen to compel you to do this is for you to either decide that it is easier doing this than going to court - or for an author of the GPL code (or for the FSF where authorship has been assigned) to take court action for violating the licence - and then for the court to as the penalty require the release of source code.
The court is much more likely to go for financial damages - as that's what they know.

But Ameriprise is vulnerable to patent claims

[sirwired]

"Good Faith" helps reduce your damages in a patent claim, but mere use of patented software (much less distribution) leaves you open to patent claims, independent of copyright claims.

And yes, this is a problem with software patents. Both the distributor and end users are vulnerable to claims.

Android is indeed tied up in all sorts of patents, and every phone vendor has to pay up licensing fees, including to Microsoft. (As of a couple years ago, MS made about 10x their Windows Phone revenue just from Android lic fees.)

I'm quite sure that...

[mark-t]

... the GPL cannot compel you to realease your own source code for free, no matter what you do.

It can, however, make you guilty of copyright infringement if you don't comply (since permission to copy the work does not exist if you don't agree to the terms of the GPL), and this can result in a legally sustainable C&D against the distribution of any and all products by the company which utilize the GPL code in a noncompliant fashion until either all of the GPL code is removed, the code is released, or else alternative licensing arrangements can be made. Exact damages awarded to the copyright holder, if any, would probably be at the discretion of the court, but even if there were none, the company that infringed on the copyright would still have a fine for violating copyright law, payable to the state, and the amount applicable would escalate quickly if or when any willful infringement can be shown. so it's really not in anyone's best interests to go around ignoring it.

Do What Though Wilt

BSD license removes most of these legal acrobatics.

The GPL has behind it an altruistic notion. That is, that your code can be extended and improved and will still remain free. I've always been of the view that it is even more altruistic to let people do what they wish with my code, even if that means closing it off in proprietary products, not acknowledging my efforts, and making money off of it while not giving any back to me.

If a company does make money of of my code, then great, I hope they create lots of jobs and provide benefits, and generally improve whatever economy the reside in.

Re: Do What Though Wilt

BSD license removes most of these legal acrobatics.

Are you a sado-masochist or where does this desire to be exploited stem from?

You're thinking of the BDSM license, which is something else entirely. Don't worry; it's a common mistake.

Morality vs The Law

(For the sake of disclosure, IAAL, I am a software developer, I have written GPLv2 code, and I have litigated GPLv2 cases, but I have absolutely zero involvement in this matter)

The question here is really just the classic question of the morality and mentality of the free/opensource (I'll just say opensource from this point) movement vs. the harsh realities of patent and copyright law. The author above, and the author of the mentioned article, pitch this as some triumphant fight for the glory of something-or-other, but the truth is that it's: 1) a money grab, 2) a principled fight to teach violators a lesson, or 3) a some combination of both. Having reviewed the litigation tactics here; I have to lean towards money grab.

That said, having intimate knowledge of both sides of the equation here (opensource development ideas and IP attorney mentalities), I can attest that the ideals employed by both sides are, generally, diametrically opposed. Is Ximpleware is right, legally, in the fact that it can release a GPLv2'd software, file patents on the ideas, and then sue the living pants off everyone for patent violations? Frankly, yes because IP laws are harsh and designed to be massive swords. Still, the defendants have decent equitable arguments for estoppel under their implied license/baiting arguments which have precedent in the realm of copyrights. Outside the legalities, is it morally right as an opensource developer? No, probably not.

Suing the hell out of a violator? Go for it. Suing the hell out of a customer with knowledge of the infringement: Sure, why the hell not. But sending off lawsuits to unwitting customers who simply purchased a product they didn't know was infringing? Now you're pushing the line. Such actions have real world consequences. The litigation of these cases is extremely expensive, extremely time consuming, and a corporation must hire representation in U.S. courts (they cannot appear pro se). Most attorneys ignore those realities because, frankly, the suffering of a defendant is of no concern. The only thing that matters is whether the case is meritorious; if so, I'm suing the living pants off you because the law says I can. The motto is typically summarized as: legal, not ethical. But is that what the opensource world wants to present?

Mr. Rosen throws around "indemnification" and "diligent" arguments to justify the lampooning of what most people would consider "innocent" parties, but they're shill arguments at best. The simple truth, is that you're not furthering the opensource movement in any way. As for indemnification, it is a farce. First, it's speculative that any such agreement exists. Second, the indemnitor needs to: 1) agree to honor it's obligation; 2) have the resources to honor it's obligation; and 3) actually honor the obligations. The reality is that a request for indemnification is just as likely to result in more lawsuits, as it is to result in a resolution for the downstream users. Beyond that, if original defendant files for bankruptcy, indemnification is worth absolutely squat. As for "due diligence," any software engineer will readily admit, it is nearly impossible (especially for small to mid-sized firms that are letting non-technical staff handle acquisitions). It's not impossible, just cost prohibitive. Ask yourself, What purpose does destroying a company serve to the greater cause of opensource? Is it legally viable, sure, but is it worth it, morally?

All that to say, I wish people would stop trying to co-opt grand ideals and sugar coating these types of cases. The plaintiff has sued the living hell out of everyone because, legally, they can. In turn, those actions makes settlement more likely, since the upstream infringer is now getting complaints from his clients and costs are rapidly mounting up. Was it legal? Sure. Was it moral and in-line with the opensource movement's ideals? Well, that really depends on what side of the line you fall on. But regardless of where you are on that line, is possibly destroying the lives (yes, personal live

Specifically: problems with public domaining.

[Ungrounded+Lightning]

RMS invented the GPL because of copyright issues, and before software patents became a problem.

As I understand it: It was a (brilliant) workaround for two problems with putting software in the public domain, which releases ALL rights:

  - Derived works: Somebody makes a modified version and copyrights that. They do a bugfix or enhancement and even the original author is locked out of his own software's future. He can't do the same bugfix or a similar enhancement without violating the new copyright. Similarly with other users of the software.

  - Compilation copyrights: If somebody combines several public domain works into a combined work, they can copyright THAT, claiming violation if somebody uses excerpts from it - such as some of the original public-domain components or excerpts from them. In book publishing this covers publishers of collections and anthologies. In software, including a public-domained module in a library or distribution would let the distributors of that lock up the rights to the components. Again the original author and other users can get locked out of the author's own work. (For instance, nobody else could include it in a similar library or distribution.)

Stallman's trick solution was to keep the original work under copyright, but license it under terms that require derived works to also be licensed under the same terms and source to be included with obect. Expiration of the copyright might cause a problem - but with companies like Disney on the job lobbying congress, that's probably not going to happen in the US as long as there IS a US. Alternatively, eliminating copyrightability of software would also eliminate the need for the GPL.

 

GPL more Flexible in this Situtation

[Roger+W+Moore]

I think it's the nightmare scenario.

True but this is not specific to GPL at all. What has happened is company A bought code from company B and company B did not have all the correct permissions and licenses under both copyright and patent law to sell that code to them. It's true that company A is now stuck because they cannot sell any product which includes that code but this would be true regardless of whether company B violated the GPL or other license.

If anything company A has more options with the GPL that they would with a proprietary license: if they lack the money to pay for a commercial license for the code for all the copies they have sold then they can choose to release their source code under the GPL as well. Note that it is an option only and not required. The code is infringing and there are two ways to fix this: pay damages and ongoing license fees or release the source code. With a commercial license you would only have the first of these options.