This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Technology

Dec. 12, 2022

Open-source license enforcement; risk to companies

Though open-source software is offered for free, using it can carry hidden costs.

Daniel P. Hughes

Partner, Knobbe Martens

Matthew Ruth

Associate, Knobbe Martens

Open-source software - software that is provided for free for others to use and distribute - has become ubiquitous in modern commerce. From the operating system Linux to the tools used to make a website, open-source software touches all aspects of our increasingly online businesses. Though open-source software is offered for free, using it can carry hidden costs. In particular, using open-source software requires a person to agree to the accompanying open-source license, which can contain provisions that are risky to a company.

Hundreds of different open-source licenses are in use today, each with differing requirements and obligations. However, many of the licenses are so-called "copyleft" licenses. Copyleft licenses grant a limited license to those who wish to use or modify software. However, copyleft licenses also require companies that distribute products using open-source software to freely release all the software on the product to anyone who purchases the product. Thus, companies that integrate open-source software into their own code could be forced to release their proprietary software to the public.

There have only been a few efforts to enforce copyleft licenses against companies, most of the time unsuccessfully. However, recent developments show that the barriers to enforcing these licenses may be lifting.

The first development is the case Software Freedom Conservancy v. Vizio, filed in California state court in October 2021. The Software Freedom Conservancy (SFC) is a nonprofit with the goal of promoting free and open-source software projects. SFC brought suit against the television manufacturer Vizio, alleging that Vizio failed to release the software code for its smart televisions incorporating the open-source Linux operating system, in violation of the Linux copyleft software license. SFC is seeking specific enforcement of the copyleft license, which would require Vizio to publicly release its smart television code. In a first for open-source software litigation, SFC claims it has standing to enforce the Linux license as a third-party beneficiary because SFC purchased Vizio televisions and did not receive the source code for the television as required by the license. If SFC is successful with this argument, it will open the door for third parties that want access to a company's source code, including motivated nonprofits like SFC and even a company's competitors. This will vastly expand the number of parties who could attempt to enforce open-source software licenses.

The second development in this area is the case of Doe 1 et al. v. GitHub Inc. et al., a class action filed in the Northern District of California in November 2022. GitHub is a popular online repository of source code, owned and operated by Microsoft. A feature offered by GitHub is its Copilot artificial intelligence (AI) system, which assists programmers. Copilot suggests code that may complete the software function the developer is programming in much the same way a text messaging app suggests the next word you may want to type in a sentence. The plaintiff in GitHub alleges that the Copilot AI is suggesting the use of open-source licensed code without following the license requirements of that code. In another first for open-source software enforcement, the plaintiff is seeking to certify a class of all the users on GitHub that uploaded code under the terms of various open-source licenses.

If the plaintiff is successful in certifying this class, it would pave the way for additional class actions seeking to enforce open-source software rights that, on their own, may have only nominal value. Further, if the SFC is successful in bringing its third-party beneficiary claim, it could also be possible to certify a class of third-party beneficiaries, such as a class of purchasers of products that allegedly violate open-source licenses.

The final development is a 2021 change to the Digital Millennium Copyright Act (DMCA). The DMCA prevents parties from circumventing measures to protect copyrighted material, including software code. However, in 2021 the federal agency that administers the DMCA promulgated a new rule that allows parties to breach protection measures for the specific purpose of determining whether the underlying code violates an open-source license agreement. This change significantly eases the ability of individuals to detect open-source license violations.

Together, these three developments substantially increase the risk for companies that use open-source software by potentially expanding the pool of potential plaintiffs, opening the door to class actions, and making it easier to discover when open-source software is being used. Companies should consider doing an open-source audit, in conjunction with legal counsel, to identify a company's exposure to open-source software risk and take steps to mitigate that risk.
