Moglen and company on Sarbanes-Oxley

From:  Sharon Smith <linuxpr-AT-yahoo.com>
To:  linuxpr-AT-yahoo.com
Subject:  News Item: SFLC Comments on Alleged GPL Violations
Date:  Tue, 7 Mar 2006 05:06:29 -0800 (PST)

   
    Software Freedom Law Center Addresses Erroneous Interpretation of
Sarbanes-Oxley as Applied to the General Public License 
   
  NEW YORK, March 7, 2006 – The Software Freedom Law Center (SFLC), provider
of pro-bono legal services to protect and advance Free and Open Source
Software (FOSS), today announced it has published a white paper on its
position regarding alleged General Public License (GPL) violations in
relation to the Sarbanes-Oxley Act (SOX). The paper, titled “Sarbanes-Oxley
and the GPL: No Special Risk,” is available at:
http://www.softwarefreedom.org/publications/Sarbanes-Oxle.... 
   
  “Recent discussions regarding the GPL and SOX have been wrought with false
information and have prompted the SFLC to issue its position on the topic,”
said Eben Moglen, chair of the Software Freedom Law Center. “It is our job at
the SFLC to provide the best legal advice and resources to our clients. This
paper will help users of the GPL, from developers working on FOSS projects to
CIOs working at Fortune 500 companies, to clearly understand there is no new
need for concern. The fact remains that no criminal charges on the basis of
violating the SOX Act have ever been brought against a GPL user.” 
   
  The SFLC paper defines the realistic impact of a GPL violation as it could
be applied under SOX. The SFLC paper points out that SOX generally applies
only to public companies and that disclosure in a company's SEC reports is
not necessary if a company’s use of the license is immaterial to its
business. It also states that companies that must comply with SOX bear the
full cost of SOX compliance regardless of the licenses of the software they
choose. 
   
  Lastly, the paper explains that if SOX applies to a GPL violation, it is
not likely that a company or developer would be criminally liable, since the
Act cannot be criminally violated without intentional misconduct. 
   
  “The idea that a GPL violation could result in jail time is unreasonable,”
said Karen Sandler, attorney at the Software Freedom Law Center. “You take
away this unlikely threat, and the argument is reduced only to compliance,
and GPL compliance is remarkably simpler than that of alternative licenses.”
   
  About The Software Freedom Law Center
  The Software Freedom Law Center – directed by Eben Moglen, one of the
world’s leading experts on copyright law as applied to software – provides
legal representation and other law-related services to protect and advance
Free and Open Source Software. The Law Center is dedicated to assisting
nonprofit open source developers and projects. For criteria on eligibility
and to apply for assistance, please visit the website at
www.softwarefreedom.org.


They missed a point.

Posted Mar 7, 2006 22:35 UTC (Tue) by Baylink (guest, #755)

Visualize with me for a moment.

$LARGE_COMPANY assembles an embedded product, using Linux, and ships a whole crapload of them.

Someone later discovers that they've used GPL'd software and failed to respect the license. But $LARGE_COMPANY, you see, were Bad Boys, and commingled the GPL'd code with patented or copyrighted code from other sources *to which they do not have the rights* (as many have speculated might be the reason it's so hard to get free drivers out of VGA card companies), and if they *do* comply with the GPL, they're going to get materially sued for millions or tens of millions of dollars of their shareholders' money by the people who hold those rights.

What solution would *you* choose?

Not relevant

Posted Mar 7, 2006 23:09 UTC (Tue) by man_ls (subscriber, #15091)

Now picture the same situation with proprietary software: $LARGE_COMPANY ships the same embedded product mixing Windows CE code (somehow they got hold of it, after all they are Bad Boys) and code from other highly-proprietary sources for their device. They are going to be sued for millions or tens of millions of dollars no matter what. At least with GPL'd software you have more choices: you can either ship all source code, comply just for the part of the software which is GPL'd and pray for the best, or acquire rights to said GPL'd software and distribute it under a convenient license. With the GPL you might have an honourable way out, unless you were Very Bad and dug a hole too deep to escape.

And besides the paper just speaks about criminal liabilities, not civil lawsuits.

You, too, have missed the point.

Posted Mar 7, 2006 23:33 UTC (Tue) by Baylink (guest, #755)

If they commingled several commercial products, one or more of which they perhaps didn't have the rights to, they're much less likely to be found out, 'cause how would anyone looking *know*? (There are lots more people who can recognize GPL'd code in such an image...)

*My* point was that *there's no way they can fix it* if they've done it with the GPL, short of negotiation with every copyright holder of the GPL'd code for a commercial licence -- which ain't never gonna happen if it's the kernel.

Maybe I missed it

Posted Mar 8, 2006 0:05 UTC (Wed) by man_ls (subscriber, #15091)

Why do you suppose that people (especially relevant people) are more likely to notice GPL'd code than proprietary code when both are in binary form? Maybe you could have a point for the kernel, which is quite popular; but this is just a special case. Software under the GPL is a huge world, the kernel is a famous sight. That's why I talked about Windows CE which is just as popular. Once someone finds, say, the familiar "My Whatever" icons, I wouldn't bet on the perpetrator.

*My* point was that *there's no way they can fix it* if they've done it with the GPL, short of negotiation with every copyright holder of the GPL'd code for a commercial licence -- which ain't never gonna happen if it's the kernel.

Your point is only relevant for the kernel then, which is again a special case: thousands of contributors, distributed rights, huge popularity. Most GPL'd software has very few contributors of substance, so you can probably negotiate your way out easily. For instance, when there is no other solution the FSF will just ask you to stop distributing the offending code. In other cases (MySQL or Qt come to mind) the provider will be all too happy to sell you a license for binary distribution -- what you call "commercial license" taking a certain liberty, since GPL'd software is often used for commercial purposes.

And finally, even if it's the kernel: that commingling of code might not require the distribution of source code for other parts. Maybe the interface is open enough that the result is not considered a derivative work, maybe you can use the "system library" exception, maybe you can put the proprietary parts in a kernel module; consult your lawyer when in doubt. Just publishing source code for the GPL'd software is a possibility peculiar to the GPL, and it might well be enough in your case.

So I'm afraid that your point is not true. There's lots of ways to fix the situation you pictured, all of them with rich case law behind them.

Maybe I missed it

Posted Mar 8, 2006 13:59 UTC (Wed) by Wol (guest, #4433)

For instance, when there is no other solution the FSF will just ask you to stop distributing the offending code.

I think this ONLY applies where the violation was accidental. For instance, Linksys rebadged their router and didn't realise the OEM had put GPL code in it.

Where a violation has been deliberate, I'm fairly sure the FSF gouges the perpetrator pretty heavily for a "donation". And if I were in those shoes, I'd gouge them pretty seriously, too!

Put it this way. If the other party has acted in good faith, I'll do the same and try to come to a mutually acceptable solution. If the other party has knowingly tried to rip me off, then sorry mate! You've just handed me all the aces, and I'm damn well going to use them!

Cheers,
Wol

Does anybody register their releases?

Posted Mar 8, 2006 19:40 UTC (Wed) by sepreece (subscriber, #19270)

In the US, you can't sue for infringement unless you have registered the work (provided it to the copyright office, filled out a form, and paid a fee). If you don't do that within 3 months of first publication, the most you can recover is actual damages. Figuring actual damages for unauthorized distribution of open-source code would be an interesting exercise; I don't know whether that has come up in GPL cases to date.

If the work is registered within 3 months of publication, then statutory damages apply and can be significant. I have no idea whether OSS projects typically register the copyright on their releases. Would be interested to know.

I believe injunctive relief against further distribution would be possible regardless of registration.

[DISCLAIMER: IANAL. This information is based on http://www.copyright.gov/circs/circ1.html. There is a pointer there also to Circular 61, which covers registration requirements for software.]

consequences of violating FSF copyright

Posted Mar 12, 2006 2:05 UTC (Sun) by giraffedata (subscriber, #1954)

Where a violation has been deliberate, I'm fairly sure the FSF gouges the perpetrator pretty heavily for a "donation". And if I were in those shoes, I'd gouge them pretty seriously, too!

FSF has said publicly that it seeks only future compliance.

But there is very little information available on what FSF does demand. FSF makes a point out of doing the enforcement in private, and has never gone to court.

If someone did have the grapes to deliberately violate FSF copyright, it would probably at least try defending in court (there's plenty of gray area when the code is licensed under GPL -- it might turn out not to be a violation after all), and we'd know about it.

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds