Legal analysis of source code


[ RMLL 2013, Bruxelles – Thursday 11th July 2013 ]

Presenter: Dr Ir Robert Viseur

2

General context

• Media coverage about violations of intellectual property in ICT industry.

• Intellectual property? Mainly:
  • patents,
  • copyright,
  • industrial design rights,
  • trademarks.

• Examples: several trials between Apple, Samsung and Nokia over patent, copyright (look & feel) and industrial design rights violations.

3

Free software context (1/2)

• Media coverage about free software license violations.
  • Case of gpl-violations.org.

• Goal: « The gpl-violations.org project tries to raise public awareness about past and present infringing use(r)s of GPL licensed software »

• Case of the NeoNova and Israpunt trial in the Netherlands.
  • Mixed development -> trial about the use of the closed part (GUI).
  • URL: http://www.techzine.nl/nieuws/26429/israpunt-beschuldigd-van-softwarediefstal.html.

4

Free software context (2/2)

• Case of the election software in Belgium.

• Distribution without license but...

• One of the files in the source code was available under the terms of the GNU GPL 2 license.

• URL: https://joinup.ec.europa.eu/news/be-government-publishes-source-code-election-software.

• Case of multiple violations in mobile application stores.

• Various violations: missing notice/attribution files (AL), incompatibilities between licenses, ...

• URL: http://techcrunch.com/2011/03/08/potential-open-source-license-violations-in-android-and-ios-apps/.

5

Protection of computer software

• No specific law.

• Covered by copyright.

• Possibility to patent software.

• In particular cases in Europe (e.g. industrial process).

• Widely used in United States.

• Legal rights and duties explained in licenses (contracts).

• The licenses are built on copyright but can also refer to commercial brands (trademarks) and patents.

6

Software licenses

• Three types of licenses:
  • Proprietary licenses.
    • E.g. the EULA (CLUF) for Microsoft software.
  • Hybrid licences (rare).
    • E.g. the former SCSL for Sun Microsystems software.
  • Free software licenses.
    • E.g. AL, BSD, GPL, LGPL, ...
    • Around 70 free software licenses.

7

Free software licenses (1/2)

• Two families of free software licenses:
  • Permissive / academic licenses.
  • Copyleft / restrictive licenses (licenses with reciprocity).

• Three types of licenses with reciprocity:
  • Weak reciprocity.
    • File-based, or not.
  • Strong reciprocity.
  • Network reciprocity.

8

Free software licenses (2/2)

9

Issues for companies (1/2)

• Problem of incompatibilities between free software licenses.

• Problem of incompatibility between free software licenses and the agreements of marketplaces.

10

Issues for companies (2/2)

• Problem of specific obligations in free software licenses (e.g. notices, automatic patent license agreement or patent reciprocity, etc.).

• Problem of commercial brands and patents.

• Problem of developments mixing free and proprietary source code (e.g. partnerships).

• (Problem of « wild » copy and paste behaviours).

11

How to address those issues?

• Introduce corporate governance rules.
  • See for example the « Open Source Review Board » at Hewlett-Packard (Gobeille, 2008).

• Take account of license constraints in the modelling of the software (architecture).
  • See for example the « Software Architecture License Traceability Analysis » tool based on ArchStudio4 or...
  • ... the « OSSLI » (Open Source Software Licensing) tool based on Eclipse and Papyrus (Alspaugh et al., 2009; Lokhman et al., 2012).

• Conduct a legal analysis of source code.
  • See for example FOSSology (www.fossology.org).

12

Tools for legal analysis of source code

• Proprietary software: Black Duck Software.

• Available open source tools:

• The most famous: FOSSology (see http://www.fossology.org).

• The lightest: Ohcount (see http://www.ohloh.net/p/ohcount).

• Others: ASLA (see http://asla.sourceforge.net/), LIDESC (see http://www.mibsoftware.com/librock/lidesc/), etc.

• Some criteria of choice:

• availability,

• ease of installation,

• lightness,

• support of licenses (+ precision / recall),

• community,

• updates.

13

Presentation of Ohcount, Find and Grep (1/2)

• Ohcount:
  • Formally: a source code line counter.
  • But...

14

Presentation of Ohcount, Find and Grep (2/2)

• Ohcount:
  • Option « -l, --license »: display detected licensing information contained in each source code file.
  • Available in Synaptic.

• Find: search for files in a directory hierarchy.

• Grep, egrep, fgrep: print lines matching a pattern.

15

What we used

• Ohcount for collecting licensing information.

• Find and grep for detecting files related to attributions, patents or commercial brands.
  • List of keywords and...
  • Matching with filenames or textual content.

• Output: report (in HTML format) processed by a configurable PHP script.

16

Example 1: simple library

• Detection of forgotten licensed files:

17

Example 2: free software suite (1/4)

• Detection of attributions (by filename / by content):

18

Example 2: free software suite (2/4)

• Detection of commercial brands (by filename / by content):

19

Example 2: free software suite (3/4)

• Detection of patents (by filename / by content):

20

Example 2: free software suite (4/4)

• Detection of licenses (information from Ohcount):

21

Limitations of the method

• Some crashes with Ohcount in big file trees.

• Problem with the version of the license (Ohcount).
  • Example: GPL v2, GPL v2+ or GPL v3.

• Pay attention to files covered by several licenses.

• Pay attention to the list of supported licenses.

• Don't be afraid of false positives...

• No architectural view.

• No recognition of open content (e.g. CC) or open data licenses.
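As an added example, not the PHP script used in the talk, here is a sketch in Python of the method described on the « What we used » slide (licensing information per file, plus keyword matching on filenames and content for attributions, patents and commercial brands), extended to separate GPL v2, v2+ and v3 and to flag files carrying several licenses, which are the two Ohcount limitations listed above. The license header patterns, keyword lists and sample files are constructed assumptions, not the talk's own lists.

```python
import os
import re

# Ordered license header patterns (a hypothetical list, not the RMLL script's own). The GPL
# entries separate v2-only, v2-or-later and v3, which the "Limitations" slide says Ohcount misses.
LICENSE_PATTERNS = [
    ("GPL-2.0-or-later", r"GNU General Public License.{0,120}?version 2\b.{0,80}?(any later version|or later)"),
    ("GPL-2.0-only", r"GNU General Public License.{0,120}?version 2\b(?!.{0,80}?(any later version|or later))"),
    ("GPL-3.0", r"GNU General Public License.{0,120}?version 3\b"),
    ("Apache-2.0", r"Apache License,? Version 2\.0"),
    ("MIT", r"Permission is hereby granted, free of charge"),
    ("BSD", r"Redistribution and use in source and binary forms"),
]
# Attribution files are matched by filename, patents and commercial brands by textual content.
ATTRIBUTION_NAMES = re.compile(r"^(NOTICE|AUTHORS|COPYING|LICENSE|CREDITS|THANKS)\b", re.I)
PATENT_WORDS = re.compile(r"\bpatent(s|ed)?\b", re.I)
BRAND_WORDS = re.compile(r"\b(registered )?trademarks?\b|\u2122|\u00ae", re.I)

def analyse_file(path, text):
    """Run every detector over one file; all matching licenses are kept, never collapsed to one."""
    licenses = [name for name, pat in LICENSE_PATTERNS if re.search(pat, text, re.I | re.S)]
    return {
        "path": path,
        "licenses": licenses,
        "multi_license": len(licenses) > 1,  # several licenses in one file: check compatibility by hand
        "attribution": bool(ATTRIBUTION_NAMES.match(os.path.basename(path))),
        "patent": bool(PATENT_WORDS.search(text)),
        "brand": bool(BRAND_WORDS.search(text)),
    }

def scan_tree(root):  # the find/grep step: walk a real tree on disk and analyse every file
    reports = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                reports.append(analyse_file(os.path.relpath(full, root), fh.read()))
    return sorted(reports, key=lambda r: r["path"])

# Constructed sample files (not from any real project) so the script also runs offline.
SAMPLE_FILES = {
    "lib/util.c": "/* GNU General Public License as published by the FSF; either version 2 of the License, or (at your option) any later version. */",
    "lib/old.c": "/* GNU General Public License as published by the FSF, version 2 of the License. */",
    "lib/mixed.c": "/* Permission is hereby granted, free of charge, ... */\n/* foo(): GNU General Public License, version 3. */",
    "NOTICE": "Licensed under the Apache License, Version 2.0. FooBrand is a registered trademark.",
    "README": "Parts of this code may be covered by patents held by third parties.",
}

def demo():  # analyse the sample files instead of a tree on disk
    return sorted((analyse_file(p, t) for p, t in SAMPLE_FILES.items()), key=lambda r: r["path"])
```

Running `scan_tree(".")` on a checkout gives the same per-file records; the `multi_license` and `licenses` fields are where the GPL version and multiple-license findings the slides warn about show up.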

22

Stay tuned

• Some planned improvements to the script.
  • Examples: recognition of CC licenses, better filtering of find/grep outputs, deeper analysis of tables (licenses), etc.

• Fast evolution of tools.
  • Example: FOSSology 2.2.0 released in June 2013.

• Interest in integration with source code analysis software.
  • Example: plugin for FOSSology in the wish list of Sonar (www.sonarqube.org).
  • URL: http://docs.codehaus.org/display/SONAR/Plugins+under+development.

23

Thanks for your attention.

Any questions?

24

Useful additional readings...

• Alspaugh, T.A., Asuncion, H.U., & Scacchi, W. (2009), « Intellectual property rights requirements for heterogeneously-licensed systems », 17th IEEE International Requirements Engineering Conference (RE'09), pp. 24–33, August 31 - September 4, 2009.

• Gobeille, R. (2008), « The FOSSology project », MSR '08 Proceedings of the 2008 international working conference on Mining software repositories.

• Lokhman, A., Luoto, A., Abdul-Rahman, S., & Hammouda, I. (2012), « OSSLI: Architecture Level Management of Open Source Software Legality Concerns », Open Source Systems: Long-Term Sustainability, pp. 356-361, Springer Berlin Heidelberg.

• Tuunanen, T., Koskinen, J., & Kärkkäinen, T. (2006). « Retrieving open source software licenses », Open Source Systems, pp. 35-46, Springer US.

• Viseur, R. (2011), « La valorisation des logiciels libres en entreprise », Jeudis du Libre, Université de Mons, 15 September 2011.

• Viseur, R. (2012), « Gérer la propriété intellectuelle dans les projets à base de logiciels libres », 17th conference of the Association Information et Management, May 2012.

25

Contact

Dr Ir Robert Viseur

Email (@CETIC): robert.viseur@cetic.be

Email (@UMONS): robert.viseur@umons.ac.be

Phone: 0032 (0) 479 66 08 76

Website: www.robertviseur.be

This presentation is covered by « CC-BY-ND » license.