February 2020 finally saw the end to a legal battle that threatened the ability of open source commentators to express opinions about open source licensing compliance. With the opinion of the Ninth Circuit in Open Source Security v. Perens, the court upheld the right to publicly comment on open source licensing issues free from the threat of meritless litigation.
Bruce Perens is one of the founders of the Open Source movement. He co-founded the Open Source Initiative and created the Open Source Definition. In the late 1990s, Perens served as Debian Project Leader, and has written software that is now used across the technology world, like the Busybox utilities for Linux. He was a key technician at Pixar for over a decade, and has been a tireless supporter of open source software over the years. Perens maintains a blog, perens.com, where he posts commentary about issues in open source licensing. He is well known and highly respected in the open source community.
Open Source Security, Inc. (OSS) runs a business providing security patches for Linux under the brand Grsecurity. (Patches are updates to software that fix problems in between major updates.) OSS does not share these patches with the kernel maintainers, and that had generated bad blood between them, because most Linux developers share patches freely for everyone’s benefit, as contemplated by the GNU General Public License that applies to the Linux kernel. Like the kernel, Grsecurity is governed by the GPL. But in an attempt to discourage its customers sharing patches, OSS used a customer agreement that said that OSS had the right to cease supplying future Grsecurity security updates to users that redistribute the Grsecurity software.
The customer agreement was brought to the attention of Perens, who posted about the agreement on his blog. He expressed his opinion that customers should avoid the Grsecurity product because the user agreement posed a risk of violating the GPL. The blog post also stated that Perens was not an attorney, and stated the facts that formed the basis for his opinions, including that the Grsecurity patch is inseparable from Linux and that GPL section 6 prohibits the addition of restrictions on certain rights such as distribution — the main clause that keeps free software free.
The blog post was then shared to Slashdot, and, true to its tradition of spirited discussion, extensive public comment ensued — on the issue raised in Perens’s post and a host of other issues, including best practices for improving the security of the Linux kernel. Even before that, OSS’s practices were no stranger to controversy. Linus Torvalds — the primary kernel maintainer who is well known for bluntness in expressing his opinions on the kernel — publicly called the Grsecurity product “pure garbage.”
Rather than join the Slashdot discussion or contact Perens about his opinion, on July 17, 2017, OSS filed a lawsuit against Perens, asserting that his blog post constituted defamation (among other claims) and seeking millions in damages. If that sounds surprising, it was. Defamation claims do not usually apply to businesses, and even when they are available under law for comments in a business context, most businesses avoid such claims because of the “Streisand effect” — where it brings more attention to the controversy than if they remain silent.
The defamation claim was deeply flawed, but nevertheless dragged on for over two years through appeal. To win a defamation claim, a plaintiff must establish that the defendant made a provably false statement of fact. Coastal Abstract Serv., Inc. v. First Am. Title Ins. Co., 173 F.3d 725, 730 (9th Cir. 1999). Opinions, particularly those whose factual basis is disclosed, are not usually actionable due to protections of free speech and public participation.
In its Complaint ¶¶ 22-23, Open Source Security v. Perens, Case No. 3:17-cv-04002, Dkt. 1 (N.D. Cal. July 17, 2017), OSS claimed that two statements in Bruce’s post were provably false facts:
- “It’s my strong opinion that your company should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement and breach of contract risk.”
- “As a customer, it’s my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity.” .
OSS argued that these statements should be considered the equivalent of facts, rather than opinions, mainly because Perens was a known expert on open source licensing. Opp. to Mot. to Dismiss at 16–17, Open Source Security v. Perens, No. 3:17-cv-04002, Dkt. 20 (N.D. Cal. Oct. 2, 2017).
OSS filed its lawsuit in the Northern District of California. The case was decisively dismissed: The court found that the blog post contained opinions about an unsettled legal issue—whether the Grsecurity Access Agreement violated the GPL—and not provably false statements of fact. Order at 2, Open Source Security v. Perens, No. 3:17-cv-04002, Dkt. 53 (N.D. Cal. Dec. 21, 2017).
But Grsecurity had taken a risk in filing and pursuing the lawsuit based on Perens’s expressed opinions, and that risk came to fruition. The U.S. legal system generally does not support broad “fee-shifting” — unlike some jurisdictions that allow the winner of a lawsuit to get attorneys’ fees from the loser. But there are exceptions, one of which applied in the Perens case. Many states in the United States have laws to deal with specious claims, called “anti-SLAPP” suits. (SLAPP stands for Strategic Lawsuit Against Public Participation.) Anti-SLAPP claims help protect those who speak out on issues of public interest from lawsuits that threaten to stifle their ability to engage in public debate by burdening them with lawsuits and legal fees — exactly the kind of suit that OSS was using to try to silence Perens because it disagreed with his opinions. OSS argued that Perens’s blog post was not a matter of public interest because it was a matter of concern only to a “relatively small, specific audience,” (Opposition to Mot. to Dismiss at 14, Open Source Security v. Perens, Dkt. 20 (Oct. 2, 2017).)but the Ninth Circuit Court of Appeals rejected this argument. The Court recognized that an issue of interest to the open-source software community could meet the public interest threshold by being of critical interest to a narrow segment of society (without deciding that the impact of Perens’ blog post was so limited). Open Source Security, Inc. v. Perens, No. 18-15189 (9th Cir. 2020).
In fact, many questions about the interpretation of GPL are still unsettled. But OSS sought to use the defamation lawsuit to litigate the GPL interpretation question by proxy. That was problematic for a number of reasons including because the contributors to the Linux kernel code — those who may have had a legal right to enforce the GPL relating to OSS’ actions — were not parties to the case.
In its December 21, 2017 order dismissing OSS’s claims, the trial court noted that Mr. Perens’s statements were protected opinions made in a public forum and concerned issues of public interest, and dismissed the case. The court also went on to award Perens attorneys’ fees of over a quarter of a million dollars. Order, Open Source Security v. Perens, No. 3:17-cv-04002, Dkt. 95 (N.D. Cal. June 9, 2018).
OSS appealed both the dismissal and the attorneys’ fees award to the Ninth Circuit. The appeal was handled by the Electronic Frontier Foundation, working with the law firm O’Melveny & Myers, which handled the case in the district court. The case was argued on January 22, and on February 6, the Ninth Circuit affirmed the trial court’s decision.
The case underscored an important constitutional principle. Those who comment about legal matters of public interest, particularly unsettled ones, should not have to risk lawsuits and legal fees for expressing their opinions. That is why the anti-SLAPP statutes exist: to prevent bullies with lawyers from shutting down discussion. Expressing opinions on legal topics is also key to the functioning of a society of laws. We should all sleep more soundly knowing that public discourse is protected by outcomes like this one.
Note: I was part of the legal team at O’Melveny that handled this case. Thanks to my excellent colleagues Melody Drummond-Hansen and Kaitlyn Gosewehr for their contributions to this summary, to the entire team at O’Melveny and EFF for their dedicated and excellent work.