Versata Software, Inc. (“Versata”) learned the cost of failing to manage free and open source software (FOSS): Versata’s routine attempt to terminate the license for its proprietary DCM software with Ameriprise Financial, Inc. (“Ameriprise”) exploded into three other lawsuits and resulted in eight of Versata’s clients being sued by a third party, XimpleWare Corporation (“XimpleWare”). This morass arose from Versata’s failure to manage the use of FOSS in its DCM software.
FOSS is widely used by companies in virtually all industries from cars to televisions. IDC noted that in 2012, thirty percent of the software used by the Global Fortune 2000 is licensed under FOSS licenses and the percentage is increasing. Yet many companies do not properly manage the use of FOSS, and a recent Gartner report in August 2014 stated less than half of IT organizations have an effective FOSS use policy. Gartner further noted:
By 2016, the vast majority of mainstream IT organizations will leverage nontrivial elements of OSS (directly or indirectly) in mission-critical IT solutions. Consequently, IT organizations must learn to manage hybrid portfolios that contain both OSS and CSS assets.
Versata discovered such inattention can be costly and these types of disputes are likely to increase as FOSS is treated more as a standard part of the software ecosystem rather than an exotic exception.
The Versata cases and the earlier lawsuit by Continuent against Tekelec strongly suggest that we have entered a new period where commercial (or monetizing) enforcers will become more common and seek monetary and other more traditional remedies for contract breach. In the past, the enforcement of FOSS licenses have been by members of the community (such as the Software Conservancy or the Software Freedom Law Center) which focus on compliance. These developments mean that both software distributors and users need to adopt and manage a robust process to manage the use of FOSS and ensure compliance with FOSS licenses. The failure to do so could be very expensive.
Versata licensed its DCM software to Ameriprise under a Master License Agreement (“MLA”) starting in 1999. Ameriprise used the DCM software to calculate the commissions for the financial products it provided to independent financial advisors. Versata claimed that Ameriprise violated its agreement by permitting certain third party contractors to use their access to the DCM software to create a competitive product. Ameriprise denied these claims and raised several defenses: Ameriprise claims that Versata violated the MLA because the DCM software included XimpleWare VTD XML software (“XimpleWare Software”) which was licensed under General Public License version 2 (“GPLv2”) and was, thus, not available under the terms of the MLA, a traditional proprietary license. XimpleWare Software reads and parses XML and is available under both GPLv2 and commercial licenses. The most important claim by Ameriprise was that the XimpleWare Software was integrated into DCM software in a manner which triggered the provisions of GPLv2 which extended its terms to the “proprietary components” of the DCM software. Opponents of FOSS sometimes refer to these terms as “viral”. Based on this theory, Ameriprise further demanded that Versata make the source code of the DCM software available to Ameriprise under the terms of the GPLv2, which would permit Ameriprise to use, distribute and modify the DCM software without payment to Versata.
Ameriprise also reported these violations of the GPLv2 to XimpleWare. Ameriprise certainly expected XimpleWare to sue Versata, but was probably surprised when XimpleWare also sued Ameriprise and eight other Versata licensees in two separate cases, based on copyright infringement and patent infringement. These cases are continuing and will be very important for all companies who distribute software either as its product or as part of its products. The GPLv2 is the most widely used and most important license for FOSS. Black Duck Software estimates that 16 billion lines of code are licensed under GPLv2. Despite its importance, the GPLv2 has been the subject of very few court decisions, and virtually all of the most important terms of the GPLv2 have not been interpreted by courts.
These cases will continue to provide importance guidance to complying with the GPLv2. By coincidence, two of the most important organizations enforcing the GPLv2 recently provided guidance on GPLv2: on October 30, the Software Freedom Law Center published the second version of their Practical Guide to GPL Compliance, and a few days later, the Software Conservancy and the Free Software Foundation published the first version of their guide, the Copyleft and the GNU General Public License: A Comprehensive Tutorial and Guide.
Anyone who is managing FOSS compliance needs to read the Versata cases and these guides. And they should keep track of new developments in the Versata dispute. All companies that are distributing and using software should ensure that they understand and can comply with their FOSS license obligations. Companies who are distributing software should take the following steps:
- Understand what FOSS is included in your products: most companies simply don’t know and need to use one of the scanning products such as Black Duck Software, Palamida, or FOSSology .
- Develop a FOSS use (and management) policy to ensure that you understand your obligations and can comply with them (For an overview of FOSS and FOSS governance, you can listen to my webinar on these issues: An Introduction to Open Source Software and Licensing. )
- Review your distribution agreements to ensure that they take into account any terms imposed by FOSS in your product
Companies who are using software should take the following steps:
- Understand what FOSS is included in software you are using. You may also want to consider using the scanning tools noted above.
- You should ensure that you have a FOSS use (and management) policy to comply with such FOSS obligations (you can listen to my webinar discussed above). As IT infrastructure has become more complex and the use of third parties have increased, you should ensure that your FOSS use policy takes that complexity into account (for example, Ameriprise is accused of violating the GPLv2 because of its distribution of the DCM software to its customers).
A more detailed analysis of these decisions can be found at http://opensource.com/law/14/12/gplv2-court-decisions-versata.