Stand up for Your Product!: Negotiating IP Indemnities for Open Source Software

For transactions lawyers, negotiating intellectual property infringement indemnities is an unfortunate and often painful fact of life. Allocation of risk terms are notoriously difficult to resolve, and often are the last issues in a deal to be agreed. Business persons consider them abstruse “lawyer work,” and lawyers consider them business issues that get short shrift in deal memos. But for transactional lawyers, negotiating indemnities is part of the life we have chosen.

As open source software has become integral to technology development, negotiating allocation of risk terms for IP infringement has become even more challenging. Open source software does not fit well into the traditional paradigm for allocating IP infringement risk, so a difficult negotiation topic has become even more difficult. 

Clients, often frustrated with this process, always ask two questions: What is “market”? And what is reasonable? The answers are anecdotal at best, and usually not the same for both questions.

This analysis is intended to help lawyers and business people understand how to analyze allocation of risk terms for third party open source software in commercial transactions. I refer to this issue as the “IP Question.” This analysis posits a negotiation between a vendor of a technology product that contains third party open source software, and a potential customer.

But the principles of the IP Question can also be applied to indemnities in other kinds of transactions, such as investments, acquisitions or joint development deals. My thesis is that vendors today are regularly asked to bear an unreasonable amount of liability due to a misunderstanding of the IP Question. While that may seem on its face like a windfall to customers, it leads to unsustainable business agreements for vendors and customers alike.

Beyond Good and Evil

One of the hurdles in negotiating the IP Question is that negotiating parties tend to view it as a moral issue. In the moral conflict, the vendor views an indemnity against third party open source infringement as an unfair cost. The customer wants the vendor to be morally responsible for any harm that may befall the customer as a result of using the product. Regardless of which view you take, it is clear that reducing the IP Question to a moral question makes it a zero-sum game, and those are always difficult to resolve. While the moral view may be tempting, it is not very useful to get deals done.

The IP Question manifests when, at some point in the negotiation, the customer utters the phrase, “You need to stand up for your product!” And once this gauntlet has been thrown, and the IP Question has thus been reduced to a moral dilemma, the vendor and customer have no choice but to ham-handedly exercise their relative bargaining power to resolve it, without either side engaging in the burden of critical thought. If the vendor is small and the customer is big, the customer wins. If the vendor is big and the customer is small, the vendor wins. But if you are an intrepid soul willing to engage in a more thoughtful approach, this analysis will help you “think outside the box” about the IP Question.

Indemnities are Costly

In fact, indemnities are not moral choices, but economic mechanisms to share risk. An infringement indemnity reduced to its purest form is an insurance contract. If I get hurt, you pay me. No one makes the mistake of thinking that insurance is free of charge, or a moral dilemma. But customers often expect vendors to bear broad indemnities for their products at no additional price.

Suppose that a third party insurer were willing to write a policy to indemnify the customer against third party open source intellectual property infringement. What would happen?

  • There would be a money premium for the insurance
  • The policy would contain limitations on coverage, and the premium would be priced accordingly

Unfortunately, in negotiations between vendors and customers on the IP Question, infringement indemnities are not negotiated in this way. If they were, the result would be simple:

  • The customer would choose whether or not to pay extra to get the indemnity.
  • The price of the indemnity would be calculated based on the type and amount of coverage the customer chose.
  • The vendor and the customer could, if they chose, share the cost of the premium by negotiating a discount.

Indemnities are difficult to negotiate because they are never reduced to a priced deal point in this way. But why not, when doing this is so obviously sensible? Mainly because third party insurance for such risks is generally not available, making most vendors self-insured. Also, when parties negotiate the terms of contracts, they treat indemnities as undisclosed “legal” terms rather than essential deal terms — meaning they have merely kicked the can down the road for the lawyers to argue over.

But it does no good to lament this phenomenon. If the vendor and customer will not view the IP Question as a pure economic decision, then how do they actually come to agreement?

What is Not Relevant

First, let’s understand what the IP Question is not. There are two similar issues that arise when negotiating IT procurement deals, that should not be conflated with the IP Question.

Vendor Compliance. The first of these is the vendor’s open source license compliance. Because open source compliance claims are usually cast as copyright infringement claims, non-compliance is potentially an IP risk, but not a risk arising from third party actions. A vendor who supplies a customer with third party open source software must follow the license terms that facially apply to that software. That duty does not arise from the customer contract; it arises from the open source licenses. The customer contract may require the vendor to pay legal fees to defend a compliance claim against a customer, if that claim arises from a failure of the vendor to comply with the open source license terms when it delivers the product to the customer. But few vendors attempt to avoid responsibility for their own compliance. The IP Question, instead, is about third party open source software that infringes third party IP rights, even when the vendor has complied with the facially applicable license. In other words, it is a risk the vendor cannot control.

For example, suppose a project is on GitHub and bears an Apache 2.0 license, but the project contains code that was improperly contributed by a person without the right to make the contribution, or a cut-and-paste of third party code under the GPL. That could result in copyright or trade secret claims against re-distributors or users of the project. It is one cause of the IP Question. Alternatively, a project may, unbeknownst to the project’s maintainers, infringe third party patent rights. That can result in claims of patent infringement against users of the code. But neither of these arises from malfeasance by the vendor, or by the customer.

Performance Warranties. The second is warranties or indemnities arising from the performance, or non-performance, of software. These are commercial warranties, and vendors often undertake them for third party open source elements, because the vendors are engaging in quality control, maintenance and support for their products that happen to include the third party open source elements. These are not IP claims at all, and they are not part of the IP Question.

Two Theories: Control and Internal Pricing

Now that we know the boundaries of the IP Question, and accepting the dismaying premise that we cannot simply price it out as insurance, we consider other ways to rationally allocate the risk it represents. In contracts, there are a couple of common theories as to why one party or another should bear risk: control and economic efficiency.

Control. Most lawyers focus on the control theory, under which the party who is best able to control the risk bears the liability. The cost of bearing that risk will tend to change the bearer’s behavior toward reducing the risk. This approach works well for risks like products liability. If a vendor manufactures a light switch, the vendor can make sure the light switch is properly built, will not short circuit and injure the user, and is properly tested for compatibility with local electrical standards. Moreover, the vendor can easily insure against products liability risk. So, it makes sense for the vendor to undertake that risk, because of its relatively high level of control.

The difference with the IP Question, of course, is that the vendor has almost no control over whether third party open source software infringes IP rights. So, if a vendor sells a smart light switch, it may include open source software that interfaces with a mobile app to set automatic on and off cycles via Bluetooth. The vendor probably gets that software from a third party open source project.

Customers will argue that the vendor can make a build-or-buy decision to address this risk. For example, instead of getting the Bluetooth control software from an open source project, the vendor could write its own software. Obviously, that would raise the development cost for the light switch, perhaps substantially, and the vendor would pass that cost on to the customer. And a sophisticated vendor will also point out that home-grown software is unlikely to be as reliable or secure as existing open source software. Moreover, if the light switch is intended to conform to a larger specification for IoT, like a Google Home or Apple Home system, writing home-grown routines will tend to make the device incompatible, or require the vendor to reinvent the wheel to figure out how to make it compatible. In such cases, if the vendor exercises control over developing the software, it will actually make the product worse. For these reasons, control is not a very useful theory to resolve the IP Question.

The flip side of the control argument is that risks better addressed by the customer should be borne by the customer. For example, if a customer elects to use the vendor’s product in high risk activities or in ways that violate the agreement between them, the customer would usually bear liability for those uses, because the customer can best control those decisions. While indemnities from customers to vendors are not as common as vice-versa, these allocations of risk sometimes take the form of express terms limiting the vendor’s liability in the contract, rather than allocating them to the customer. Risks that are not expressly allocated in contracts will fall to the parties in accordance with background law.

The control theory is also significantly out of alignment with the way open source infringement problems are solved in practice. If there is an IP problem with an open source project, particularly a project that is widely used, that problem is not solved by one vendor. If there were an IP problem with Linux, or Hadoop, or Firefox, that problem would be solved by the maintainers of the project — probably with plenty of help from the community. For a single vendor using that project to try to resolve it would be inefficient and counterproductive. At a minimum, it would cause the vendor to have to fork the code to engineer around the problem, defeating many of the benefits of including open source software in the product. In fact, licenses like GPLv3 actually limit the possibility of doing so, by requiring licensees to clear patent rights for everyone if they clear them for themselves via a license. So in sum, the vendor has no reasonable way to either prevent IP problems, or resolve them.

Allocation of Internal Risk Premium. The other theory of risk allocation is based on economic efficiency, and under this theory the vendor essentially loses the argument. In any deal, one party is usually paying and the other is getting paid. The party making the profit from the transaction can therefore more easily bear the cost of the indemnity, and take a reasonable reserve against its profits as self-insurance. The problem with this approach, of course, is that the vendor is likely to build this reserve into the product cost, thereby raising the product price. So, while a customer may always win this argument, it may be a Pyrrhic victory, and it places a high burden on the vendor to amortize an unknown risk.

These two approaches once worked fairly well for products developed by a single vendor — the cathedral rather than the bazaar. But in today’s landscape of heavy use of open source, this analysis is broken.

What is the Product?

Now, finally, we can find a path through the IP Question, but only if we leave the old ways behind. Contemporary IT systems are increasingly vertically dis-integrated. Once upon a time, you may have bought a computer and all of its software in one transaction from one vendor, but those days are ancient history. Yet vendors and customers are still negotiating the IP Question as if IT systems are monolithic technology of the 1980s. When the customer utters the battle cry, “Stand up for your product!”, the next question is: what exactly is the product?

Vendors in today’s computing world are, more than ever, systems integrators of layered technology solutions that largely consist of third party open source software and IP. Taking an extreme example, a company like Red Hat, which sells subscriptions to Linux distributions, is mostly selling quality control. The software is free, but the QC has a price. Most IT products today, of course, are not so starkly reliant on third party open source software, but even the most “proprietary” products today are not developed in a vertically integrated manner. That’s a good thing; it means that because of the wealth of open source software in existence today, vendors no longer need to reinvent the wheel. The job of vendors today is to select and integrate open source components with their own technology, add their own value in the form of unique product functionality, and provide quality control.

So, it makes sense to develop a more nuanced notion of what constitutes a vendor product. In the old, monolithic model, it is everything that the vendor delivers to the customer. But in the more nuanced model, the vendor delivers a substantial amount of third party software as a courtesy to the customer — much of which is not reasonably considered part of the vendor’s product.

Consider, for example, a software vendor contract in which the vendor, FOOBAR, Inc., delivers its application, FOOBAR for Linux. Once upon a time, that product would have been delivered on a diskette for the customer to install on its own Linux system. In those circumstances, the vendor would be asked to indemnify for IP infringement arising from the FOOBAR application, but not the Linux operating system. This business expectation is by no means unique to open source; if the product were FOOBAR for the Windows operating system, no customer would expect the vendor to indemnify for IP infringement arising from Windows.

The Product of Today

Today, FOOBAR will just as likely be delivered as part of a virtualized image or container that includes FOOBAR and Linux. It’s the same product, but packaged differently. It would, of course, be possible for the customer to get Linux on its own, free of charge. But that would only cause technical problems, because the vendor can better ensure that it is delivering compatible versions of Linux and FOOBAR. The delivery of the operating system is a convenience for both parties, but it doesn’t mean the operating system is part of the vendor’s product. This approach to delivery is possible only because the operating system is open source, so the vendor has the right to distribute it free of charge.

Why, then, does this result in a customer demanding infringement indemnities for the entire package? It is because the parties have failed to correctly define the vendor’s product in light of contemporary delivery practices. To correct this, those negotiating IT deals need to understand the difference between software and the environment in which it runs. Here is a very simple version of the difference:

The above is the “birds and bees” version of the modern software landscape. It is a very simple abstraction using only two computing layers — the application and the operating system — but it gets the point across. It’s no wonder the parties have trouble understanding the scope of the product. It is quite possible that the vendor will make a warranty about the performance of the entire container, including both the FOOBAR application and the operating system, when it is the vendor’s job to deliver a quality integration solution. But this should not drive the definition of the product for the purpose of the IP Question.

The problem of defining the product is more stark when one considers a more realistic version of what vendors today actually deliver.

Any application sold today now rests on a formidable stack of open source software that makes it faster, and more fault-resistant, flexible, and powerful. This is the breakthrough in software that allows companies to run thousands or millions of applications in parallel, and maintain consistent databases across them. That stack of software is sometimes referred to as the “LAMP stack” (Linux, Apache, MySQL and Python) but today, even LAMP is an oversimplified view, so let’s just call it the computing landscape.

If we want to think rationally about the IP Question, we need this more nuanced view of the technology landscape. And it isn’t hard to understand. Suppose you want to buy a boat. A boat dealer sells you the boat. You cannot sail the boat without an ocean. Is the boat dealer responsible for the ocean? Of course not. Today, the open source stack is like the ocean. It is the basis on which software products are developed. But it is not the vendor’s product.

That open source landscape now represents the backbone of the world’s information technology. So, when a customer demands that the vendor indemnify against IP infringement for this “product,” the customer is essentially making one vendor take responsibility for the entire technology landscape of the world.

Moreover, the customer probably already has all this software within its organization. It gets the open source stack from each of its vendors, as well as its own internal IT activity. The use of a product of one vendor rarely contributes more than a fraction of the marginal risk arising from the use of that software.

The UCC Gets this Right

There is a long-standing precedent for this view in the Uniform Commercial Code.

Unless otherwise agreed a seller who is a merchant regularly dealing in goods of the kind warrants that the goods shall be delivered free of the rightful claim of any third person by way of infringement or the like but a buyer who furnishes specifications to the seller must hold the seller harmless against any such claim which arises out of compliance with the specifications.

UCC Section 2-312(3)

Moreover, although the UCC does not expressly provide for this, it has long been market practice in technology contracts to absolve the vendor of liability for products that infringe only because they meet enunciated industry standards that both parties elect to use. This makes sense in light of the UCC. A customer would usually specify that it wanted to buy products that meet industry standards, and vendors will conform to industry standards because their customers demand it.

If we view the open source landscape as part of the customer’s specifications, and not the vendor’s build-or-buy decision, then it makes more sense for the vendor to avoid liability for the landscape. Alternatively, we can view the software landscape as an industry standard, for which neither the vendor nor the customer should undertake liability on its own.

But even if we can agree that the vendor should not be responsible for the software landscape, that doesn’t release us from the IP Question entirely, because we still need to understand where the vendor product ends and the landscape begins.

The Build or Buy Decision

For negotiating parties to solve the IP Question, they need to separate the definition of the vendor product from the software landscape stack. Of course, if the parties have settled on the exact stack to be delivered, the product and the stack can be listed ad hoc in their agreement. But for those seeking a more general approach, one useful point of reference might be the definition of “Linux” promulgated by the Open Invention Network (OIN). OIN is a patent pool covering Linux, but its definition of Linux is broader than merely the Linux kernel, and includes many of the major components in the landscape stack. https://www.openinventionnetwork.com/joining-oin/linux-system/

Even after the parties make that distinction, there will be some third party open source embedded in the vendor’s product that is not part of the landscape. Examples might include small routines to do generic calculations, or libraries that are included in the vendor product executable. The vendor should be far more likely to accept liability for this software, given that it has made more granular decisions to use these elements in its products.

Some Provisions for Your Toolkit

Below are some suggested contract provisions to help differentiate the vendor product from its open source landscape.

“Open Source Computing Stack” means any open source software created by third parties that is so referenced in the specifications for the computing environment of the Product in the applicable purchase order, which software may include operating systems such as Linux, web server software such as the Apache web server, language engines such as Java, PHP, Python or PERL, and database software such as MySQL. The Open Source Computing Stack includes without limitation all software included in the definition of a Linux System promulgated by the Open Invention Network.

Vendor will have no liability under [reference indemnity provision] for infringement of third party intellectual property rights by the use of the Open Source Computing Stack; provided, however, that the foregoing sentence will not limit Vendor’s liability for compliance by Vendor with the terms and conditions of the open source licenses applicable to the Open Source Computing Stack.

Alternatively, focusing on open source software already in use by the customer — which is likely to include much of the open source computing stack:

Vendor will have no liability under [reference indemnity provision] for infringement of third party intellectual property rights by the use of any open source software made generally available by third parties that is in use by Customer prior to the delivery of the Vendor Product hereunder; provided, however, that the foregoing sentence will not limit Vendor’s liability for compliance by Vendor with the terms and conditions of the open source licenses applicable to such open source software.

NDAs and Chronic Care

Non-disclosure agreements (NDAs) are some of the most “plain vanilla” technology agreements around. They are usually short, and don’t vary dramatically in content from one set of boilerplate to another. Technology companies sign NDAs all the time with little or no negotiation.

In fact, despite their brevity and simplicity, NDAs are significant obligations that recipients of information should avoid. But they are also a fact of life. Think of them as a chronic disease you can’t get rid of, but have to manage.

The name of an NDA can be misleading. NDAs usually contain both non-disclosure and non-use provisions. It may be workable to avoid disclosing documents given to you, but it is harder to avoid disclosure of information given to you, whether the information was communicated in documents or oral discussions. And it is a tricky task not to use information given to you. You can’t “unlearn” information. So while the agreement is called a non-disclosure agreement, complying with the non-use requirements is the harder task. This problem is sometimes referred to as taint — being exposed to information you can’t forget but you can’t use, even if you might have come up with it independently.

To make it worse, NDAs are intrinsically expensive contracts to breach. Whereas most commercial agreements contain limitations on liability, the point of an NDA is to put the recipient on the hook for legal liability. So, violating an NDA can expose you to high damages.

Most NDAs specify a limited purpose for use of information. Most often, that purpose is to negotiate a more detailed agreement. But sometimes, the purpose is to evaluate technical or business information for a more specific purpose. Receiving technical information under NDA is more risky than receiving general business information. So while you may sign NDAs routinely to negotiate commercial deals, think carefully about your risks under NDA if you intend to evaluate a product, particularly if you will be exposed to software source code or detailed technical specifications that you may plan to independently develop. That can place you in the difficult position of “proving a negative” — that you did not use the information in breach of the NDA.

To be safe, you should talk to a lawyer before signing an NDA — but that’s easy for a lawyer to say. In the real world, legal review costs money and time. If you are presented with an NDA to sign, particularly if you are a startup, you may not have the resources to have a lawyer review the agreement. Even if you could engage a lawyer, you might not have any bargaining power to negotiate the NDA terms. That’s particularly true when you are using the NDA to negotiate your first big customer deal.

Here are some tips for managing the chronic disease that is NDAs.

  • Ask for a 2-way NDA. Some companies have 1-way and 2-way forms, and as you might imagine, the 1-way forms are more aggressive in favor of the company presenting the NDA to you. Reciprocal terms are not always fairer, of course. In any NDA, one party will act more in the role of discloser and one will be more in the role of recipient, so equal terms won’t have an equal effect. Even most 2-way NDAs are written somewhat in favor of the discloser or recipient, and clever companies will have two different 2-way forms to present to you, depending on which side they expect to be on. But 2-way obligations tend to “keep people honest” and avoid some of the most draconian terms that appear in 1-way forms.
  • Segregate the information. When you receive information that will be subject to the NDA, store it in a special-purpose location (password protected) that is only accessible to those who need to see it. Do not make copies. This can be more challenging than it sounds — remember that email cc’s and routine backups can result in lots of copies. If you make paper copies, shred them after use. Or, refuse to accept electronic copies. If you do get electronic copies, avoid forwarding them to personal email accounts where they might persist. Delete them when you no longer need them (including from desktop trash cans and email deleted-items folders). Give similar treatment to the notes you take transcribing orally disclosed information. When you delete the copies, keep a record that you did so, such as a note to file or a note to the other side saying you have done so.
  • Limit what you receive. Avoid receiving information that might overlap with your product roadmap. If you unexpectedly get information that you are concerned will “taint” you, return or destroy it and tell the other side in writing that you have done so. Or best, ask first what information the other side plans to send, and if you think it will taint you too much, decline to receive it.
  • Implement a Document Retention Policy. Keeping all documents forever is not a good idea, and a systematic plan to routinely delete unused documents is an important shield against trade secret claims. But deleting documents when you know a legal claim is looming is usually unlawful, so you should have a policy for deletion of documents that is content-neutral. That way, confidential information of others will be less likely to persist for too long, even if you fail to delete it when the NDA requires you to.
  • Use special-purpose consultants for risky reviews. If you have to review high-risk information, instead of receiving it under NDA, you might agree with the discloser to engage a third party consultant to do the review. There, the consultant, and not you, would be subject to the most significant obligations of the NDA, and would only communicate to you the results of the review.

You, Too, Can Learn to be a Lawyer

If you want to learn more about how to review and negotiate NDAs, you can learn to do it the same way lawyers learn. Any smart and diligent person can learn to review NDAs, and in fact, reviewing NDAs is a common task for junior lawyers as they cut their teeth on technology transactions practice. Below is a quick summary of the most common issues in NDAs. If you have the opportunity to negotiate some of these points, give it a try. But you may want to tread lightly: a fierce negotiation over an NDA can sour follow-on negotiations. Your potential business partner may — rightly or wrongly — consider them “standard” agreements to which no one should object. (If you want to see an example of a standardized NDA, take a look at the Waypoint NDA.)

  • Definition of Confidential Information. The broader the definition of Confidential Information, the more favorable the NDA is to the discloser. Most NDAs define Confidential Information with a long laundry list of items that is meant to be broad. But a few NDAs are limited to cover specific types of information for the particular deal, for example, source code, product designs, or customer lists.
  • Writing requirements. One of the biggest variations in NDAs is called a writing requirement. Writing requirements are very favorable to recipients. They mean that the NDA does not cover any information that is disclosed orally, such as at meetings, unless it is embodied in a document or summarized in writing promptly after the meeting. Disclosers will be concerned that failing to write down all confidential information is a “foot fault” that will cause valuable information to escape coverage. Examples of clauses implementing a writing requirement are:
    • Confidential Information must be communicated in writing.
    • Oral disclosures must be reduced to writing within 30 days after disclosure.
  • Exceptions. All NDAs make exceptions to confidentiality. These are sometimes styled as exceptions to the definition of Confidential Information, and sometimes as exceptions to the confidentiality obligation. These exceptions roughly track the limits of misappropriation in trade secret law. They exclude from coverage information that:
    • was publicly known to the recipient prior to disclosure
    • became publicly known after disclosure other than due to the fault of the recipient
    • was already in the possession of recipient at the time of disclosure
    • was disclosed to the recipient by a third party without a duty of confidentiality
    • is independently developed by the recipient — note here that deleting the information in a timely way will help you prove that you have engaged in independent development
  • Screened Disclosure. As noted in the “chronic care” points above, some NDAs specifically say that any disclosure can only take place after a written request describing the information, and the written consent of Recipient.
  • Exceptions to Disclosure. NDAs often expressly allow certain kinds of disclosure:
    • Upon court order or subpoena, but recipient must cooperate to give the discloser an opportunity to challenge the order or seek confidential treatment
    • As required by law (such as SEC filings), but recipient must cooperate to seek confidential treatment or redaction of the information in public filings
    • To accountants or attorneys operating under their own NDA or an equivalent duty of confidentiality, in connection with due diligence or audits (note that accountants and financial auditors often have a higher duty under law than would be imposed by an NDA)
    • To affiliates, but may require recipient to have the authority to bind them to the NDA terms
    • Disclosure to potential acquirors and investors, under their own NDA
  • Degree of Care to Keep Confidential. These terms usually track the requirements for treatment of information to qualify for protection under trade secret law.
    • No less than reasonable measures to protect against disclosure
    • At least those measures that the recipient takes to protect its own similar information
    • Prompt notice of any unauthorized use or disclosure and assistance in stopping it
  • Residuals. This is the single most significant variation in NDAs (short of omitting the non-use provision entirely, which is rare, but always worth checking). A residuals clause is extremely favorable to the recipient. It says that the recipient may use ideas, information and understandings retained in the memory of the recipient’s personnel. It is usually an exception to the non-use requirement, but not the non-disclosure requirement. Residuals clauses are written in many different ways and need to be reviewed on a case-by-case basis.
  • Parties. Pay attention to how the parties to the contract are defined. If the parties include affiliates or other parties, the sphere of disclosure might be broader. (For example, “Recipient means Company XZY and all its affiliates.”) If you are disclosing, consider limiting disclosure to a single recipient entity. Also, NDAs normally do not allow disclosure except to certain categories of persons:
    • Those with a need to know for the defined purpose
    • Employees who are bound to confidentiality agreements or equivalent obligations
    • Contractors who sign confidentiality agreements (often subject to approval of the agreement by discloser)
  • Duration. In a sense, all NDAs have two durations. One is the period during which information will be exchanged. This is sometimes called a capture period and is often the same as the term of the agreement. Although some NDAs continue indefinitely, many are limited to a capture period of one year. The other duration is the period during which information, once disclosed, must be kept confidential. These range from indefinite to short, typically 2-5 years. Keep in mind that, as a discloser, you may not be able to protect your information from use by other parties once it is free for unrestricted use by any one party. 2-5 year limits work for information that has no value after that time; business plans and customer information may be stale after that time. However, technical information can often have value for a much longer period.
  • Warranty Disclaimer. Disclosure of information is usually made as-is, with no warranties as to quality or accuracy.
  • Return of Materials. NDAs usually require return or destruction of the information upon termination of the disclosure period, or earlier upon discloser’s request. Disclosure of information under NDAs is usually voluntary, which means that a sudden termination of the disclosure period is usually not considered an issue.

Neo4J Wins a Victory for Trademark Rights in Open Source Products

On May 21, 2020, the US District Court for the Northern District of California granted a motion for judgment on the pleadings by Neo4J, a developer of graph database software, in Neo4J, Inc. v. Purethink LLC, 2020 WL 2614871.

Neo4J had brought a trademark infringement suit against Purethink, LLC, an erstwhile reseller of Neo4J’s enterprise products, and its related entity iGov. After the reseller agreement between the parties terminated, Neo4J sued alleging trademark infringement, and the defendant counterclaimed that the trademark had been abandoned.

Neo4J offers both a community edition under GPL/AGPL, as well as a commercial edition, which had additional features only provided under commercial terms. The defendant argued that Neo4J’s trademark was unenforceable because Neo4J used the mark on its open source software as well as its enterprise product. The defendant characterized licensing under GPL and AGPL as “naked licensing” (i.e. licensing of a trademark without exercise of sufficient quality control), which can lead to a loss of rights in the trademark.

The court rejected the argument, saying, “Defendants do not raise any allegations indicating the Plaintiff has failed to exercise actual control over licensees’ use of the trademark….[T]he fact the Plaintiff distributed Neo4J software on an open source basis pursuant to the GPL and AGPL is not, without more, sufficient to establish a naked license or demonstrate abandonment.”

This result is not unexpected, but it is a useful precedent. Open source licenses like GPL are not trademark licenses, and therefore cannot be “naked” trademark licenses. When it comes to stewarding brands, it is the actual work of maintaining quality control, and not the software copyright license terms, that matters. There are many companies that implement open core business models with community and enterprise editions. While those companies, like any company, are wise to properly manage their brands, that management is by no means antithetical to an open source licensing model.

PolyForm Project Launches Licenses Limiting Competitive Uses of Software

PolyForm Project has launched the last of its first tranche of licenses: Perimeter and Defensive. Each of these licenses is used to make source code available, but places certain limitations on its use.

The Perimeter license prohibits use of the software in a manner competitive with the software. The Defensive license prohibits use in a manner competitive with the products and services of the company licensing the software.

This adds to the PolyForm suite of source-available licenses released last year. Below is a handy chart to show the differences among them.

License         Use   Change   Distribute   Limitation                     Notes
Strict          Yes                         Non-Commercial
Noncommercial   Yes   Yes      Yes          Non-Commercial                 Use to enable R&D and Non-Profit Use
Free-Trial      Yes   Yes                   Trial                          Use to enable a limited evaluation
Internal Use    Yes   Yes                   Internal                       End user license with source code
Small-Business  Yes   Yes      Yes          SMB                            Use to enable commercial use by small organizations
Perimeter       Yes   Yes      Yes          No Competition with Software   Use to limit competition with the licensed software
Defensive       Yes   Yes      Yes          No Competition with Licensor   Use to limit competition with all your related products

More information about the PolyForm Project is here.

US Supreme Court Confirms US States Immune to Copyright Infringement

This week (March 23, 2020), in ALLEN ET AL. v. COOPER, GOVERNOR OF NORTH CAROLINA, ET AL the United States Supreme Court ruled that US states cannot be liable for copyright infringement due to sovereign immunity.

In 1996, a salvage company called Intersal discovered the wreck of a pirated slave ship, The Queen Anne’s Revenge, that ran aground off the coast of North Carolina in 1718. Intersal was under a salvage contract from the legal owner of the wreck, which was the State of North Carolina.* Intersal contracted with videographer Frederick Allen to document its efforts. Allen took photos and videos of the recovery for more than a decade and registered copyrights in his works. (Presumably their contract did not provide for an assignment of copyrights that would be typical in such a contract, but those facts were not outlined in the Supreme Court decision.) When North Carolina published some of Allen’s videos and photos online, Allen sued for copyright infringement. The state asserted sovereign immunity as a defense.

US states are immune from legal liability of most kinds in civil lawsuits. However, there are various exceptions. That is why, when one sees lawsuits against state agencies for negligence or other civil claims, they are usually styled with an individual state governor or other official as a defendant. In the US, sovereign immunity is a complex doctrine, given our federal system includes states, which exercise basic sovereign powers, and the federal government, which only has limited powers, the two of which often overlap, and where each kind of authority enjoys some level of sovereign immunity, under doctrine or statute.

The question in this lawsuit was which doctrine trumped: sovereign immunity, or copyright law, as reflected in a federal law called the Copyright Remedy Clarification Act. The US Constitution Article I, §8, gives Congress authority to grant copyrights. The CRCA, in turn, relies on that power, saying that for claims of copyright infringement, a state “shall not be immune, under the Eleventh Amendment [or] any other doctrine of sovereign immunity, from suit in Federal court.” 17 U. S. C. §511(a). The Supreme Court unanimously decided that the CRCA was unconstitutional to the extent it authorized a claim in Allen, because Congress lacked constitutional authority to take away the state’s immunity. The court’s opinion left the door open for Congress to amend the CRCA to make it constitutional.

In this opinion, the Court relied on Florida Prepaid Postsecondary Ed. Expense Bd. v. College Savings Bank, 527 U. S. 627, which invalidated provisions of the Patent Remedy Act, a law allowing for patent infringement claims, similar to the CRCA for copyright. When weighing congressional authority against sovereign immunity, “There must be a congruence and proportionality between the injury to be prevented or remedied and the means adopted to that end.” City of Boerne v. Flores, 521 U. S. 507, 520. In Florida Prepaid, the Court defined the scope of unconstitutional patent infringement as “intentional conduct for which there is no adequate state remedy.” In contrast, most copyright infringement claims have no requirement of intent, though some kinds of damages can be enhanced if infringement is willful.

* If you want to read about ownership fights under maritime law, and the technological challenges of shipwreck diving, try Shadow Divers.

Another COVID19 Post: Force Majeure Hygiene

In the last few weeks, it seems every organization I have ever had contact with is telling me their COVID19 plans. While I am impressed that my mortgage company has plans to keep me safe and healthy — even though I have never spoken to nor interacted with any actual human representative of this company since my loan was sold to them nearly 10 years ago — the pandemic now seems to be developing into yet another reason for disingenuous customer outreach, rivaling even the California Consumer Privacy Act in its ability to produce unwanted email in the first month of 2020.

We technology transactions lawyers barely require human contact in the first place, so the most serious long term effect for us may be that we finally have to understand force majeure clauses. For those of you non-lawyers intrepid enough to read this post to this point, that phrase is a legal term of art roughly equivalent to an “Act of God,” and it sets rules about when parties to a contract, particularly suppliers, can breach contracts but not be held legally liable, a legal doctrine sometimes referred to as excusing performance.

Like many of the clauses in the miscellaneous section of a contract, force majeure clauses tend to go unread — or worse, become like the socks collected in the discontinuous time-space continuum of our clothes dryers — an ever-growing laundry list of items no lawyers are brave enough to remove, in case they “miss” something and are later blamed for the omission. But, like all contract clauses, force majeure clauses should be written thoughtfully, or they have the potential to backfire.

What if you say nothing?

First, chances are high that the state statute governing your contract already contains some useful rules about force majeure. That statute may not use the words force majeure at all, so it might be easy to miss. The common terms of art are frustration of purpose, impracticability and impossibility, but modern rules favor impracticability over the older impossibility doctrine. The UCC, for example, says:

§ 2-615. Excuse by Failure of Presupposed Conditions.
Except so far as a seller may have assumed a greater obligation and subject to the preceding section on substituted performance:

(a) Delay in delivery or non-delivery in whole or in part by a seller who complies with paragraphs (b) and (c) is not a breach of his duty under a contract for sale if performance as agreed has been made impracticable by the occurrence of a contingency the non-occurrence of which was a basic assumption on which the contract was made or by compliance in good faith with any applicable foreign or domestic governmental regulation or order whether or not it later proves to be invalid.
(b) Where the causes mentioned in paragraph (a) affect only a part of the seller’s capacity to perform, he must allocate production and deliveries among his customers but may at his option include regular customers not then under contract as well as his own requirements for further manufacture. He may so allocate in any manner which is fair and reasonable.
(c) The seller must notify the buyer seasonably that there will be delay or non-delivery and, when allocation is required under paragraph (b), of the estimated quota thus made available for the buyer.

UCC 2-615

UCC 2-614, Substituted Performance, addresses more specifically unexpected disruptions in availability of carriers and means of payment. UCC 2-616, Procedure on Notice Claiming Excuse, describes the process of notice of the application of Section 2-615.

Impracticability, Impossibility, and Frustration of Purpose

Courts do not require that performance actually be impossible to apply the doctrine embodied in the UCC, merely that it be commercially impracticable, such as due to excessive cost. But the doctrine has its limits. For example, in Watson Labs. v. Rhone-Poulenc, Inc., 178 F. Supp. 2d 1099 (C.D. Cal. 2001), plaintiff Watson sought relief for breach of a pharmaceutical supply agreement. The supplier in the contract, an RPR affiliate, operated a manufacturing plant for the pharmaceutical product in question. At the time the agreement was signed, the plant was already operating under an FDA consent decree, resulting from “violation of numerous… Good Manufacturing Practices” established by FDA regulations, and providing that the FDA could shut down manufacturing in the event of future violations. After the plant was actually shut down and the supply disrupted, the buyer sued for breach of contract and seller invoked the force majeure clause, but the court did not excuse defendants’ failure to perform because the shutdown was foreseeable, and within the defendant’s reasonable control. The court probably gave weight to the fact that the contract was expressly intended to meet all of the plaintiff’s requirements for the drug, and that both parties knew there was no other approved supplier.

Frustration of purpose happens when the supplier is willing to perform, but one of the contract’s basic premises fails. This is sometimes referred to as creating an implied condition to performance. If you are a lawyer, you probably remember from law school the old coronation cases such as Krell v. Henry, 2 K.B. 740 (1903), in which a man rented a room temporarily to watch the coronation parade of King Edward VII. The coronation was rescheduled due to the King’s appendicitis, so the purpose of the contract was frustrated, and the renter was excused from renting the room. Notably, the application of this doctrine resulted in excuse for the buyer, not the seller.

In sum, these doctrines are meant to handle the unexpected — facts that the parties could not have reasonably foreseen when they entered into the contract. They are intended to be general in nature, so they are flexible enough to handle circumstances that are difficult for parties to predict.

Drafting Specific Force Majeure Clauses

One might be tempted this month to change all the contract forms in existence to include “pandemic,” and consider the matter handled, but that’s probably not the right long-term approach. The endlessly-growing-laundry-list is doomed to failure, because it pits the lawyer’s imagination for catastrophe against that of reality, and in that respect, reality always wins. Despite the famously pessimistic imagination of most lawyers, none of us knows what the next crisis will be. So, think hard about what you write, particularly if you are a seller, because you may be foregoing some of the automatic relief from performance the statute would otherwise provide.

But force majeure clauses don’t merely define what events make performance excusable; they can be used to set the details of what happens when performance is excused. For example, they can outline a specific process for notice of shipment delays, set preferences for allocation of orders among customers in the case of shortage, or set the process to cancel an order or contract if the event persists. These specific remedies and procedures need to be based on the facts of the deal.

Force majeure clauses can also seek to expand the application of the doctrine to specific contingencies, such as unexpected changes in the cost of the inputs of goods, which may not be captured by background doctrines of impracticability. For example, in the early 2000s, “worldwide semiconductor shortages” were a popular addition to the laundry list, due to a phenomenon that Wikipedia charmingly calls “chip famine.” Otherwise, “[e]conomic events, such as failures of markets, are very difficult to assert as events of force majeure…” (J. Kelley, “So What’s Your Excuse? An Analysis of Force Majeure Claims,” 2 Texas Journal of Oil, Gas, and Energy Law 91, 110 (2006).)

If you want to guide a court’s finding of frustration of purpose, you can draft wisely to that effect as well. The purpose of a contract is often set out in its recitals — yet another reason to write them correctly and specifically for the deal.

Does Force Majeure Cover COVID19 Disruptions?

Of course, that’s a trick question because it can’t be answered generally, only with reference to specific facts. The existence of a virus standing alone would not trigger a force majeure clause, but resulting actions or developments could be considered force majeure. For example:

  • Travel restrictions imposed by government or suggested by health authorities
  • Embargoes, export or import restrictions
  • Broad failure of supply chains
  • Closure of public buildings or cancellation of events
  • Quarantines
  • Shortages of products due to hoarding
  • Shortages of medical services or supplies due to pandemic conditions

Courts will generally tend to interpret express force majeure clauses narrowly, and will not excuse performance merely because of the potential existence of a performance problem, or a performance problem with simultaneous causes other than force majeure. General economic downturns that make performance unprofitable do not generally qualify — that’s a risk of doing business. The court will look for a specific external cause that could not be reasonably avoided. For an example of a detailed test used by one federal court, see Transatlantic Fin. Corp. v. United States, 363 F.2d 312, 315 (D.C. Cir. 1966), a case involving the 1956 nationalization of the Suez Canal.

Practical Steps

As with everything in life, the practical steps to addressing force majeure due to the COVID19 pandemic in Q1 2020 are less exciting than reading overwrought news headlines about it. If contracting parties today have concerns about invoking force majeure clauses, those concerns need to be analyzed on a case-by-case basis. The relevant law is state law, so one can’t merely rely on the UCC, even though most state statutes roughly follow it; one must check relevant state cases for more detailed rules. Here are a few citations to relevant statutes for the most common jurisdictions, for a starting point. To find the relevant case law, it’s helpful to turn to an annotated version of the statute, or look for cases that cite the statute.

Keep Calm and Wash Your Hands

As for the rest of it, now is the time to be grateful for whatever free time you have recaptured from cancellation of your doubtless excessive professional commitments, and to do your taxes, plant a victory garden, use up those groceries in your freezer, and watch the new episodes of Better Call Saul. And wash those hands.

Bruce Perens Wins Victory for Free Speech

February 2020 finally saw the end to a legal battle that threatened the ability of open source commentators to express opinions about open source licensing compliance. With the opinion of the Ninth Circuit in Open Source Security v. Perens, the court upheld the right to publicly comment on open source licensing issues free from the threat of meritless litigation.

Bruce Perens is one of the founders of the Open Source movement. He co-founded the Open Source Initiative and created the Open Source Definition. In the late 1990s, Perens served as Debian Project Leader, and has written software that is now used across the technology world, like the Busybox utilities for Linux. He was a key technician at Pixar for over a decade, and has been a tireless supporter of open source software over the years. Perens maintains a blog, perens.com, where he posts commentary about issues in open source licensing. He is well known and highly respected in the open source community.

Open Source Security, Inc. (OSS) runs a business providing security patches for Linux under the brand Grsecurity. (Patches are updates to software that fix problems in between major updates.) OSS does not share these patches with the kernel maintainers, and that had generated bad blood between them, because most Linux developers share patches freely for everyone’s benefit, as contemplated by the GNU General Public License that applies to the Linux kernel. Like the kernel, Grsecurity is governed by the GPL. But in an attempt to discourage its customers sharing patches, OSS used a customer agreement that said that OSS had the right to cease supplying future Grsecurity security updates to users that redistribute the Grsecurity software.

The customer agreement was brought to the attention of Perens, who posted about the agreement on his blog. He expressed his opinion that customers should avoid the Grsecurity product because the user agreement posed a risk of violating the GPL. The blog post also stated that Perens was not an attorney, and stated the facts that formed the basis for his opinions, including that the Grsecurity patch is inseparable from Linux and that GPL section 6 prohibits the addition of restrictions on certain rights such as distribution — the main clause that keeps free software free.

The blog post was then shared to Slashdot, and, true to its tradition of spirited discussion, extensive public comment ensued — on the issue raised in Perens’s post and a host of other issues, including best practices for improving the security of the Linux kernel. Even before that, OSS’s practices were no stranger to controversy. Linus Torvalds — the primary kernel maintainer who is well known for bluntness in expressing his opinions on the kernel — publicly called the Grsecurity product “pure garbage.”

Rather than join the Slashdot discussion or contact Perens about his opinion, on July 17, 2017, OSS filed a lawsuit against Perens, asserting that his blog post constituted defamation (among other claims) and seeking millions in damages. If that sounds surprising, it was. Defamation claims do not usually apply to businesses, and even when they are available under law for comments in a business context, most businesses avoid such claims because of the “Streisand effect” — where it brings more attention to the controversy than if they remain silent.

The defamation claim was deeply flawed, but nevertheless dragged on for over two years through appeal. To win a defamation claim, a plaintiff must establish that the defendant made a provably false statement of fact. Coastal Abstract Serv., Inc. v. First Am. Title Ins. Co., 173 F.3d 725, 730 (9th Cir. 1999). Opinions, particularly those whose factual basis is disclosed, are not usually actionable due to protections of free speech and public participation.

In its Complaint ¶¶ 22-23, Open Source Security v. Perens, Case No. 3:17-cv-04002, Dkt. 1 (N.D. Cal. July 17, 2017), OSS claimed that two statements in Bruce’s post were provably false facts:

  • “It’s my strong opinion that your company should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement and breach of contract risk.”
  • “As a customer, it’s my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity.”

OSS argued that these statements should be considered the equivalent of facts, rather than opinions, mainly because Perens was a known expert on open source licensing. Opp. to Mot. to Dismiss at 16–17, Open Source Security v. Perens, No. 3:17-cv-04002, Dkt. 20 (N.D. Cal. Oct. 2, 2017).

OSS filed its lawsuit in the Northern District of California. The case was decisively dismissed: the court found that the blog post contained opinions about an unsettled legal issue — whether the Grsecurity Access Agreement violated the GPL — and not provably false statements of fact. Order at 2, Open Source Security v. Perens, No. 3:17-cv-04002, Dkt. 53 (N.D. Cal. Dec. 21, 2017).

But Grsecurity had taken a risk in filing and pursuing the lawsuit based on Perens’s expressed opinions, and that risk came to fruition. The U.S. legal system generally does not support broad “fee-shifting” — unlike some jurisdictions that allow the winner of a lawsuit to get attorneys’ fees from the loser. But there are exceptions, one of which applied in the Perens case. Many states in the United States have laws to deal with specious claims, called “anti-SLAPP” suits. (SLAPP stands for Strategic Lawsuit Against Public Participation.) Anti-SLAPP claims help protect those who speak out on issues of public interest from lawsuits that threaten to stifle their ability to engage in public debate by burdening them with lawsuits and legal fees — exactly the kind of suit that OSS was using to try to silence Perens because it disagreed with his opinions. OSS argued that Perens’s blog post was not a matter of public interest because it was a matter of concern only to a “relatively small, specific audience” (Opposition to Mot. to Dismiss at 14, Open Source Security v. Perens, Dkt. 20 (Oct. 2, 2017)), but the Ninth Circuit Court of Appeals rejected this argument. The Court recognized that an issue of interest to the open-source software community could meet the public interest threshold by being of critical interest to a narrow segment of society (without deciding that the impact of Perens’ blog post was so limited). Open Source Security, Inc. v. Perens, No. 18-15189 (9th Cir. 2020).

In fact, many questions about the interpretation of GPL are still unsettled. But OSS sought to use the defamation lawsuit to litigate the GPL interpretation question by proxy. That was problematic for a number of reasons including because the contributors to the Linux kernel code — those who may have had a legal right to enforce the GPL relating to OSS’ actions — were not parties to the case.

In its December 21, 2017 order dismissing OSS’s claims, the trial court noted that Mr. Perens’s statements were protected opinions made in a public forum and concerned issues of public interest, and dismissed the case. The court also went on to award Perens attorneys’ fees of over a quarter of a million dollars. Order, Open Source Security v. Perens, No. 3:17-cv-04002, Dkt. 95 (N.D. Cal. June 9, 2018).

OSS appealed both the dismissal and the attorneys’ fees award to the Ninth Circuit. The appeal was handled by the Electronic Frontier Foundation, working with the law firm O’Melveny & Myers, which handled the case in the district court. The case was argued on January 22, and on February 6, the Ninth Circuit affirmed the trial court’s decision.

The case underscored an important constitutional principle. Those who comment about legal matters of public interest, particularly unsettled ones, should not have to risk lawsuits and legal fees for expressing their opinions. That is why the anti-SLAPP statutes exist: to prevent bullies with lawyers from shutting down discussion. Expressing opinions on legal topics is also key to the functioning of a society of laws. We should all sleep more soundly knowing that public discourse is protected by outcomes like this one.

Note: I was part of the legal team at O’Melveny that handled this case. Thanks to my excellent colleagues Melody Drummond-Hansen and Kaitlyn Gosewehr for their contributions to this summary, and to the entire team at O’Melveny and EFF for their dedicated and excellent work.

Cryptographic Autonomy License Approved by OSI

After a submission process of over a year and three versions, the CAL was approved last week by OSI.

CAL is a copyleft license, requiring redistributors to make source code available, but more importantly, it also contains a requirement to “maintain user autonomy” with respect to user data processed using the software:

4.2. Maintain User Autonomy.
In addition to providing each Recipient the opportunity to have Access to the Source Code, You cannot use the permissions given under this License to interfere with a Recipient’s ability to fully use an independent copy of the Work generated from the Source Code You provide with the Recipient’s own User Data.
“User Data” means any data that is an input to or an output from the Work, where the presence of the data is necessary for substantially identical use of the Work in an equivalent context chosen by the Recipient, and where the Recipient has an existing ownership interest, an existing right to possess, or where the data has been generated by, for, or has been assigned to the Recipient.
4.2.1. No Withholding User Data. Throughout any period in which You exercise any of the permissions granted to You under this License, You must also provide to any Recipient to whom you provide services via the Work, a no-charge copy, provided in a commonly used electronic form, of the Recipient’s User Data in your possession, to the extent that such User Data is available to You for use in conjunction with the Work.
4.2.2. No Technical Measures that Limit Access.  You may not, by the use of cryptographic methods applied to anything provided to the Recipient, by possession or control of cryptographic keys, seeds, or hashes, by other technological protection measures, or by any other method, limit a Recipient's ability to access any functionality present in the Recipient's independent copy of the Work, or deny a Recipient full control of the Recipient's User Data.
4.2.3. No Legal or Contractual Measures that Limit Access.  You may not contractually restrict a Recipient's ability to independently exercise the permissions granted under this License. You waive any legal power to forbid circumvention of technical protection measures that include use of the Work, and You waive any claim that the capabilities of the Work were limited or modified as a means of enforcing the legal rights of third parties against Recipients.

The intention of this license was to help preserve a user’s access to its own data. The license was promulgated by Holochain, which develops a framework on which developers can build their own applications. Holochain is a distributed ledger technology that was designed to avoid the scalability issues of familiar blockchain-based systems like Bitcoin and Ethereum. It uses peer-to-peer networking for processing where “every device on the network gets its own secure ledger, or Holochain, and can function independently while also interacting with all the other devices.” The conditions of the license disallow use of the software with distributed-ledger applications that withhold from a user the cryptographic keys that control the user’s own data in the network.

We want Holochain apps to be trusted as maximizing end-user autonomy and control. As that starts to happen, we can’t let someone claim their software is a “Holochain” app if they are actually maintaining central control of end-user cryptographic keys. Otherwise, people will think they’re in control of their accounts, money, personal information, or communications without realizing, at any moment, someone could strip them of their autonomy via revocation keys or a master seed.

https://medium.com/holochain/understanding-the-cryptographic-autonomy-license-172ac920966d

At the center of the OSI license approval controversy was whether the conditions requiring sharing users’ own data were effectively a restriction in violation of section 6 of the Open Source Definition, or a necessity to compel behavior to preserve freedom, similar to the “Installation Information” requirements of GPL3.

The controversy over the scope of copyleft these days remains brisk. Regarding CAL, it was so heated that OSI founder Bruce Perens resigned in protest as the license approached approval. There is also a larger controversy over whether copyleft licenses written by single companies, and not part of the community drafting process, should be approved, regardless of content.
