Free and Open Source Software Litigation in 2016

Mark Radcliffe, Partner, DLA Piper, Silicon Valley. Enforcement of Open Source Licenses, PLI, December 21, 2016. *This presentation is offered for informational purposes only, and the content should not be construed as legal advice on any matter.

Upload: mark-radcliffe

Post on 12-Apr-2017


TRANSCRIPT

Page 1: Free and Open Source Software Litigation in 2016

Mark Radcliffe, Partner, DLA Piper, Silicon Valley

Enforcement of Open Source Licenses

PLI December 21, 2016

*This presentation is offered for informational purposes only, and the content should not be construed as legal advice on any matter.

Page 2: Free and Open Source Software Litigation in 2016

FOSS Compliance: New Players

Traditional FOSS Enforcement: Focus on Compliance

Software Freedom Law Center

Software Freedom Conservancy (“SFC”)

gpl-violations.org

Shift to Commercial Licensors

Continuent v. Tekelec (GPL)

Versata Series of Cases

New Enforcers

McHardy, copyright troll

Fligor: looking for clients

Major Difference in Goals

Shift from compliance to revenue

Focus on injunctive relief

Expansion of Traditional FOSS Enforcement

SFC assists in VMware litigation

Page 3: Free and Open Source Software Litigation in 2016

Existing Compliance Issues

VMware litigation (SFC)

McHardy litigation

First copyright troll

Versata: focus on hybrid product licensing

Will terminated licensees regularly raise the defense of “integration” with GPLv2 licensed code?

Will warranty claims against licensors arising from poorly drafted licenses become common?

Page 4: Free and Open Source Software Litigation in 2016

Netfilter Project Suspends McHardy

The netfilter project regrets to have to suspend its core team member Patrick McHardy from the core team. This is a grave step, definitely the first in the project's history, and it is not one we take lightly. Over many months, severe allegations have been brought forward against the style of his license enforcement activities on parts of the netfilter software he wrote. With respect to privacy, we will not publicly disclose the content of those allegations.

Despite many attempts by us to reach him, Patrick has been unable or unwilling to comment on those allegations or defend against the allegations. The netfilter project does not have first-hand evidence. But given the consistent allegations from various trusted sources, and in the absence of any response from Patrick, we feel it is necessary to suspend him until further notice.

We'd like to stress that we do not take any sides, and did not "convict" Patrick of anything. He continues to be welcome in the project as soon as he is able to address the allegations and/or co-sign the "principles" [1] in terms of any future enforcement activities.

Page 5: Free and Open Source Software Litigation in 2016

SFC Criticizes GPL Monetizers

These “GPL monetizers”, who trace their roots to nefarious business models that seek to catch users in minor violations in order to sell an alternative proprietary license, stand in stark contrast to the work that Conservancy, FSF and gpl-violations.org have done for years.

Most notably, a Linux developer named Patrick McHardy continues ongoing GPL enforcement actions but has not endorsed the community Principles. When Patrick began his efforts, Conservancy immediately reached out to him. After a promising initial discussion (even contemplating partnership and Patrick joining our coalition) in mid-2014, Patrick ceased answering our emails and text messages, and never cooperated with us. Conservancy has had no contact with Patrick nor his attorney since, other than a somewhat cryptic and off-topic response we received over a year ago. In the last two years, we've heard repeated rumors about Patrick's enforcement activity, as well as some reliable claims by GPL violators that Patrick failed to follow the Principles.

In one of the many attempts we made to contact Patrick, we urged him to join us in co-drafting the Principles, and then invited him to endorse them after their publication. Neither communication received a response. We informed him that we felt the need to make this public statement, and gave him almost three months to respond. He still has not responded.

Patrick's enforcement occurs primarily in Germany. We know well the difficulties of working transparently in that particular legal system, but both gpl-violations.org and Conservancy have done transparent enforcement in that jurisdiction and others. Yet, Patrick's actions are not transparent.

In private and semi-private communications, many have criticized Patrick for his enforcement actions. Patrick McHardy has also been suspended from work on the Netfilter core team. While the Netfilter team itself publicly endorsed Conservancy's principles of enforcement, Patrick has not. Conservancy agrees that Patrick's apparent refusal to endorse the Principles leaves suspicion and concern, since the Principles have been endorsed by so many other Linux copyright holders, including Conservancy.

Page 6: Free and Open Source Software Litigation in 2016

New Compliance Issues

Harald Welte announcement of an OSS Compliance Company, aggregating developers

Welte: ran gpl-violations.org

Geographic focus not limited to Germany, but could include France and Spain

David Fligor/Progressive LLP: Troll lawyer searching for a project, so far no cases filed

Sound View Innovations: new ASF software patent troll based on Alcatel-Lucent patents

Sound View has sued Facebook

Sound View has sued LinkedIn

Sound View has sued Twitter

Page 7: Free and Open Source Software Litigation in 2016

German FOSS Enforcement

Community Enforcers

Harald Welte/gpl-violations.org (Linux kernel, iptables)

Returning to compliance based on Barcelona FSFE Conference

Thomas Gleixner (Linux kernel code used in U-Boot)

XviD project

Christoph Hellwig (Linux kernel, this is the VMware case)

Other

Patrick McHardy (Linux kernel, iptables, iproute2)

Page 8: Free and Open Source Software Litigation in 2016

Community Enforcement

Most cases are settled before they go to court. The agreement for a “declaration to cease and desist” in Germany has to contain a clause about a contractual penalty for a future infringement: if the defendant is caught violating GPLv2 again, then the defendant has to pay the penalty.

Harald Welte (gpl-violations.org) has used these penalties for donations to charities like Chaos Computer Club, Wau Holland Stiftung, Free Software Foundation Europe, etc. because his focus was on process change, compliance and community norms.

gpl-violations.org worked very closely together with Free Software Foundation Europe to get companies to talk about their problems and let them participate in the global discussion about open source compliance and other legal issues.

Page 9: Free and Open Source Software Litigation in 2016

German Court Procedure

- Outline

I. Preliminary Injunction Proceedings

1. General

2. Requirements

3. Standard of Proof

4. Possible Remedies

5. Procedural Aspects

6. Enforcement

II. Proceedings on the Merits

1. Overview

2. Remedies

III. Pre-Litigation Strategies

1. Offense Position

2. Defense Position

Page 10: Free and Open Source Software Litigation in 2016

German Court Procedure

- Preliminary Injunction Proceedings

1. General

Objective: Stop infringement as soon as possible

Often most dangerous threat to infringer, since immediately enforceable (appeal has no suspensory effect!)

"General" time line:

Granted within hours (e.g. re trade fairs), 1-2 days (if ex parte), 2-6 weeks (with oral hearing);

Appeal hearing 2-4 months after decision in first instance

Page 11: Free and Open Source Software Litigation in 2016

German Court Procedure

- Preliminary Injunction Proceedings

2. Requirements

Generally courts issue in cases where

Infringement is very likely

No undue delay in filing an application for PI ("Urgency Requirement")

Plaintiff has to file the application for PI without undue delay

Up to 4 weeks usually not problematic

Up to 8 weeks usually problematic; IP owner has to show exceptional circumstances in determining the infringement / preparation of PI application

Over 8 weeks usually no PI granted!

ACT FAST!

Page 12: Free and Open Source Software Litigation in 2016

McHardy German Litigation I

Patrick McHardy uses the same enforcement mechanism but is seeking personal monetary gain

Estimate is that McHardy has approached at least 50 companies that have been hit (some companies multiple times).

Wide variety of companies, including retailers, telcos, producers, importers

Best estimate is that he has received significant damages

Wide range of products

physical products (offline distribution)

firmware updates downloadable from a website

Over The Air (OTA) updates

Page 13: Free and Open Source Software Litigation in 2016

McHardy German Litigation II

Tactics against companies

1. address a (minor) violation and have a company sign a cease and desist with contractual penalty.

2. address another (minor) violation and collect the contractual penalty. Sign a new agreement with a higher penalty.

3. wait some time, then go back to 2

Devices usually have multiple violations of GPLv2 and he only will address one issue at a time to collect the contractual penalty.

Page 14: Free and Open Source Software Litigation in 2016

McHardy German Litigation III

McHardy's claims largely focus on:

Lack of written offer

Lack of license text in product

Inadequate terms of written offer

Lack of complete corresponding source code in repositories

EULA conflicting with GPL obligations

Written offer must come from last company selling product

More exotic

Written offer should be in German

GPL warranty disclaimers are inadequate under German law

In the past, McHardy did not do a thorough technical analysis, like a rebuild of the source code, but he has started doing so.

Page 15: Free and Open Source Software Litigation in 2016

McHardy German Litigation IV

Two recent hearings, McHardy lost on procedural issues

Case one: court decided that application was not sufficiently “urgent” for preliminary injunction procedure

Case two: judge found that McHardy’s affidavits were inconsistent and McHardy’s lawyer was not prepared to defend it: McHardy withdrew case

Statement by presiding judge (not required and without precedential value but shows thinking):

If only a tiny bit of the programming works was contained in the litigious product and if that tiny bit was capable of being copyright protected, the arguments of the defendant would not be sufficient to rebut the claim. This might indeed result in Linux not being tradable in Germany. The industry might have to look for other platforms where the chain of rights can be controlled more easily

Page 16: Free and Open Source Software Litigation in 2016

Solving the McHardy Problem and Copycats

Focus on compliance of your products going into Germany

Understand the McHardy business model

Collaborate on claims and share information

DLA Piper: Developing “Defense in a box”

Working with past litigants to provide information

Facts about McHardy

Summary of McHardy claims

Summary of McHardy arguments

References

Possibility of including actual complaints and other filings but more challenging

Page 17: Free and Open Source Software Litigation in 2016

Hellwig v. VMware I

VMware is alleged to be using parts of the Linux kernel in their proprietary ESXi product, including the entire SCSI mid-layer, USB support, radix tree and many, many device drivers.

Linux is licensed under GNU GPLv2 with a modification by Linus Torvalds

VMware has modified all the code they took from the Linux kernel and integrated them into something they call vmklinux.

VMware has modified their proprietary virtualization OS kernel vmkernel with specific API/symbol to interact with vmklinux

vmklinux and vmkernel interaction is uncertain

Page 18: Free and Open Source Software Litigation in 2016

Hellwig v. VMware II

The court did not decide

If vmklinux and vmkernel can be regarded as a uniform work and, if so,

If the use of Hellwig's code in the vmklinux + vmkernel entity qualifies as a modification (requiring a license) or as free use.

Page 19: Free and Open Source Software Litigation in 2016

Hellwig v. VMware III

Court required that Hellwig prove the following:

which parts of the Linux program he claims to have modified, and in what manner;

to what extent these modifications meet the criteria for adapter's copyright pursuant to Copyright Act § 69c No. 2 clause 2 in conjunction with § 3; and

to what extent the Plaintiff pleads and where necessary proves that the Defendant has in turn adopted (and possibly further modified) those adapted parts of the program that substantiate his claim to protection.

Hellwig failed to meet this standard. He has appealed.

Page 20: Free and Open Source Software Litigation in 2016

Hellwig v. VMware IV

Not sufficient as evidence according to the court:

Copyright notices in header files

Reference to git repository

Provision of source code and git blame files

Increased requirements for demonstrating an infringement:

Exact identification of own contributions

Conditions for copyright protection of those contributions fulfilled

Source code comparison of own contributions and the allegedly infringing code

It is not the job of the court to analyze the source code for elements that might originate from the plaintiff, and to judge to what extent those elements might be protectable.

Page 21: Free and Open Source Software Litigation in 2016

Linux at 25: Disputes on Compliance

Greg Kroah-Hartman

“I do [want companies to comply], but I don't ever think that suing them is the right way to do it, given that we have been _very_ successful so far without having to do that”

“You value the GPL over Linux, and I value Linux over the GPL. You are willing to risk Linux in order to try to validate the GPL in some manner. I am not willing to risk Linux for anything as foolish as that.”

Linus Torvalds

“Lawsuits destroy community. They destroy trust. They would destroy all the goodwill we've built up over the years by being nice.”

Bradley Kuhn (SFC)

“You said that you "care more about Linux than the GPL". I would probably agree with that. But, I do care about software freedom generally much more than I care about Linux *or* the GPL. I care about Linux because it's the only kernel in the world that brings software freedom to lots of users.”

Page 22: Free and Open Source Software Litigation in 2016

Linux Foundation

Who owns the contributions in the Linux kernel

Linux kernel analysis to determine the identity of contributors to Linux kernel, software has been completed and analysis will be done this year

Next step: identifying copyright owners

Encouraging statements by kernel.org on community norms for enforcement

Training programs

Core Infrastructure Initiative “Badge Program” (focused on security but includes governance issues)

Page 23: Free and Open Source Software Litigation in 2016

Summary for Software Distributors

More compliance actions seem likely, particularly in Germany

Develop a FOSS use (and management) policy to ensure that you understand your obligations and can comply with them (for an overview of FOSS and FOSS governance see https://www.blackducksoftware.com/resources/webinar/introduction-open-source-software-and-licensing).

Ensure that your policy covers updates and security issues

Review your distribution agreements to ensure that they take into account any terms imposed by FOSS in your product and modify those terms as appropriate.

Page 24: Free and Open Source Software Litigation in 2016

Global platform


Largest law firm in the world with 4,200 lawyers in 31 countries and 77 offices throughout the Americas, Asia Pacific, Europe and the Middle East

More than 145 DLA Piper lawyers in IP transactions

Global Open Source Practice

More than 550 DLA Piper lawyers ranked as leaders in their fields

Page 25: Free and Open Source Software Litigation in 2016

OSS Practice

Worldwide OSS practice group

US Practice led by two partners: Mark Radcliffe & Victoria Lee

Experience

Open sourcing Solaris operating system

FOSS foundations:

OpenStack Foundation

PrPL Foundation

OpenSocial

Open Source Initiative

GPLv3 Drafting Committee Chair (Committee D)

Drafting Project Harmony agreements

Page 26: Free and Open Source Software Litigation in 2016

Contact Information


Mark F. Radcliffe, Partner, 2000 University Avenue, East Palo Alto, California, 94303-2214, United States

T +1 650 833 2266, F +1 650 687 1222, E [email protected]

Mark Radcliffe concentrates in strategic intellectual property advice, private financing, corporate partnering, software licensing, Internet licensing, cloud computing and copyright and trademark.

He is the Chair of the Open Source Industry Group at the firm and has been advising on open source matters for over 15 years. For example, he assisted Sun Microsystems in open sourcing the Solaris operating system and drafting the CDDL. And he represents or has represented other large companies in their software licensing (and, in particular, open source matters) including eBay, Accenture, Adobe, Palm and Sony. He represents many software companies (including open source startups) including SugarCRM, DeviceVM, Revolution Analytics, Funambol and Reductive Labs for intellectual property matters. On a pro bono basis, he serves as outside General Counsel for the Open Source Initiative and on the Legal Committee of the Apache Software Foundation. He was the Chair of Committee C for the Free Software Foundation in reviewing GPLv3 and was the lead drafter for Project Harmony. And in 2012, he became outside general counsel of the OpenStack Foundation and drafted their certificate of incorporation and bylaws as well as advising them on open source matters.

Page 27: Free and Open Source Software Litigation in 2016

German Court Procedure Appendix

Page 31: Free and Open Source Software Litigation in 2016

German Court Procedure

- Preliminary Injunction Proceedings

3. Standard of Proof

Applicant has to provide proof of infringement

Not complete evidence, but prima facie evidence is sufficient

Possible means of proof:

Documents, sworn affidavits, present witnesses (only in case of oral hearing)

4. Possible Remedies

Cease-and-desist

Disclosure of information (for obvious infringements)

Seizure of infringing goods (with bailiff)

Not possible: Damages, Destruction

Page 32: Free and Open Source Software Litigation in 2016

German Court Procedure

- Preliminary Injunction Proceedings

5. Procedural Aspects

Ex parte injunction

Court order has to be served within one month after issuing (or it will become unenforceable!)

Injunction after oral hearing

Immediately enforceable judgment, no serving necessary

6. Enforcement

In case of violation:

Administrative fine of up to EUR 250,000 possible

Fine for "first violation" usually around EUR 5,000 to 20,000

Imprisonment of CEO of up to 6 months (very unusual)

Page 33: Free and Open Source Software Litigation in 2016

German Court Procedure

- Proceedings on the Merits

1. Overview

Opposed to PI proceedings:

Also final decisions possible (awarding of damages, destruction, recall, …)

Full evidence necessary

Duration: usually 10-18 months until decision in first instance

Expert testimony

Parties can submit written expert opinions on specific issues (regarding match of copyrights works, consumer survey, etc.)

Court may appoint neutral expert "advisor" of court

Witness testimony

Parties can name witness(es) to prove a statement of fact

No "US style" cross examination

Page 34: Free and Open Source Software Litigation in 2016

German Court Procedure

- Proceedings on the Merits

2. Remedies

a) Cease and Desist

Can also be granted before first violation (pre-emptive)

b) Information / Rendering of Accounts

To prepare damage claims and identify additional infringers (upstream / downstream)

c) Damages

No punitive damages

d) Destruction

Principle of proportionality

Page 35: Free and Open Source Software Litigation in 2016

German Court Procedure

- Proceedings on the Merits

e) Product Recall

Only goods still in the possession of infringer

But: Obligation to address customers re return

Principle of proportionality

f) Publication of Court Decisions

The ruling will determine the medium (internet, newspaper,…)

Legitimate interest (e.g. to inform consumers about dangerous products)

Principle of proportionality

Page 36: Free and Open Source Software Litigation in 2016

German Court Procedure

- Pre-Litigation Strategy

I. Offense Position

1. Warning Letter

Request to

Cease and desist from the infringement

Rendering of accounts

Recognize the IP owner's entitlement to damages (incl. costs)

Main purposes:

Achieve out-of-court solution

Avoiding cost risk associated with immediate acknowledgment

No obligation to send a warning letter

Risk of "warning" infringer to take precautions (esp. protective writ or distribution of products)

Page 37: Free and Open Source Software Litigation in 2016

German Court Procedure

- Pre-Litigation Strategy

2. Gathering evidence

Factual preparation of infringement case

Test purchase

Pre-Trial "Discovery"?

No discovery in Germany!

But: Inspection Claim

Possibility to inspect allegedly infringing goods, at premises of infringer

And: Criminal Proceedings

IP infringements may constitute criminal acts

Products seized by state prosecution authorities can be inspected by infringed party to gather evidence for civil proceedings

Page 38: Free and Open Source Software Litigation in 2016

German Court Procedure

- Pre-Litigation Strategy

II. Defense Position

1. Protective Writ ("PW")

Anticipatory statement of defense against expected application of preliminary injunction ("PI")

Purposes:

1st best case: Dismissal of PI application

2nd best case: Scheduling of oral hearing

Usually, PI can be granted ex parte if judge is convinced

Protective writ intended to raise reasonable doubts

Risk: Arguments presented in protective writ might make claim coherent

Page 39: Free and Open Source Software Litigation in 2016

German Court Procedure

- Pre-Litigation Strategy

2. Preparations for possible PI:

Check affected products and estimated sales / distribution

Preparations for alternative distribution channels / distribution through other countries

Prepare work around / design around for affected products