The risks of using open source software

The flurry of lawsuits in 2008 alleging infringement of open source software licenses underscores the importance of investigating a company’s use of open source software and addressing the risks of such use in investment or merger and acquisition documents.

For businesses developing proprietary software products or electronic devices that run proprietary software (such as medical equipment, cellular phones and computer equipment), the use of open source software with those products can have serious implications for valuing the business in an investment or acquisition context. Investors and buyers should not overlook source code due diligence.

“Open source” is generally used to describe an approach to software development that is community-based and subject to a specific type of licensing arrangement. A party looking to develop an open source program makes the program source code freely available to others at no cost and gives them the right to modify the source code. In exchange, others who modify the source code contribute those changes back to the developing party. The program continues to evolve through potentially thousands of contributions.

The use of open source over the past few years has been prolific. Open source programs such as Apache and Linux are commonly used tools in a variety of business systems today.

‘Copyleft’ principles

Rather than being available in the public domain without restriction, open source software is often subject to a special type of licensing arrangement. This type of license, often referred to as a public license or open source license, permits users to use, modify and further distribute the source code and to sub-license these rights.

However, these public licenses contain “copyleft” principles as well. Copyleft generally requires that if open source software is incorporated into proprietary source code, the entire source code (open source + proprietary) must be made available to others on the same terms as the existing public license.

Remedies available when open source software is used in violation of its general public license can include requiring the infringing company to release to the public the proprietary source code that incorporates the open source software, requiring the re-engineering of the product to remove the open source software, and obtaining an injunction to force the removal of the infringing products from the marketplace.

Given the proliferation of open source software in many business systems, the open source issue facing investors and buyers is not whether open source software is used by a target company (it most likely is in some fashion) but how it is used and how it interfaces with the target company’s proprietary software.

Many products perform open source software audits. They primarily work by comparing the target company’s source code with a set of known open source components to determine if open source code has been embedded into the company’s proprietary code.
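The comparison such audit products perform can be sketched as follows. This is an added example, not code from the article or from any audit product; the component names, the sample sources and the three-line window size are constructed assumptions. It hashes overlapping windows of whitespace-stripped lines, so a copied function is still flagged after re-indentation or when only part of a file was lifted.

```python
import hashlib
from collections import defaultdict

K = 3  # window size in normalized lines; an assumed tuning value

def normalize(source):
    """Return (original line number, text) pairs, whitespace and blank lines dropped."""
    pairs = ((no, "".join(line.split())) for no, line in enumerate(source.splitlines(), 1))
    return [(no, text) for no, text in pairs if text]

def shingles(source, k=K):
    """Yield (digest, first line, last line) for every window of k normalized lines."""
    lines = normalize(source)
    for i in range(len(lines) - k + 1):
        window = "\n".join(text for _, text in lines[i:i + k])
        yield hashlib.sha256(window.encode()).hexdigest(), lines[i][0], lines[i + k - 1][0]

def build_index(components):
    """Map each window digest to the known components that contain it."""
    index = defaultdict(set)
    for name, source in components.items():
        for digest, _, _ in shingles(source):
            index[digest].add(name)
    return index

def audit(target, index):
    """Return {component name: sorted target line numbers that match it}."""
    hits = defaultdict(set)
    for digest, first, last in shingles(target):
        for name in index.get(digest, ()):
            hits[name].update(range(first, last + 1))
    return {name: sorted(found) for name, found in hits.items()}

# Constructed sample data: two hypothetical open source components and a
# proprietary file that embeds a re-indented copy of the first one.
KNOWN = {
    "example-clamp-lib": "int clamp(int v, int lo, int hi) {\n    if (v < lo) return lo;\n"
                         "    if (v > hi) return hi;\n    return v;\n}\n",
    "example-swap-lib": "void swap(int *a, int *b) {\n    int t = *a;\n    *a = *b;\n"
                        "    *b = t;\n}\n",
}
TARGET = "\n".join([
    '#include "device.h"', "", "static int read_sensor(void) {",
    "    return device_read(0x10);", "}", "",
    "int clamp(int v,int lo,int hi) {", "  if (v < lo) return lo;",
    "  if (v > hi) return hi;", "  return v;", "}",
])

if __name__ == "__main__":
    print(audit(TARGET, build_index(KNOWN)))
```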

While the audits themselves can be expensive, costs for the audits are likely only a fraction of the costs of acquiring software that the buyer may then be forced to release to the public for free. Moreover, the results of the audit can give both the investor or buyer and the target company the chance to assess the transaction, re-allocate the risks associated with the problem or remediate the software to remove the open source software.

An investor or buyer also may want to explore the purchase of a specialty insurance policy covering business interruption in the event that a product has to be withdrawn from the market in the future because of open source software taint.

Paul C. Remus, a shareholder in the law firm of Devine Millimet, focuses his practice on intellectual property and emerging companies. Kristin A. Mendoza, an associate at the firm, is a member of its Corporate Practice Group.