Software development has moved from a closed-off proprietary process to a more open, collaborative one that takes full advantage of the benefits of third-party code, outsourced code and open source software to speed up development and reduce costs. The increased use of open source makes it more important than ever to understand the composition of your code base in order to comply with associated license obligations.
One of the most common obligations (and in the examples to follow, an easy one to overlook) is the attribution clause. The attribution clause involves a notice acknowledging the identity of the original creator(s). At a basic level, the attribution clause makes enforceable the generally accepted moral notion that credit should be given where credit is due. In addition, the presence of an attribution clause acts as a deterrent to those who would otherwise strip the code of any information identifying the original author(s) and present the code as their own, promoting code ownership and code accountability—two common concerns that arise with open-source software (OSS) use.
There have been a number of high-profile examples where organizations have drawn scrutiny from the open source community, or in some cases faced legal action, for failing to fulfill attribution requirements. The most recent was the case of the U.S. Department of Health and Human Services’ Affordable Care Act web portal, healthcare.gov. The code used to build the site incorporated the open source script DataTables, distributed by SpryMedia under the GNU Public License Version 2 (GPLv2) and the 3-clause Berkeley Software Distribution (BSD) open source licenses. SpryMedia’s licensing agreement explicitly stated that the copyright notices must be kept in place, which the Affordable Care Act site failed to do. This incident added to the bad press of an already volatile political situation. The publicity around this case resulted in the government admitting the inadvertent mistake and adding the copyright notices to the code, although it appears that SpryMedia did not take any subsequent legal action.
Google found itself in a similar position in 2011 when it copied hundreds of files from a GPLv2-licensed C library called the Bionic Library, modified the header files and claimed that the library was no longer licensed under the GPL. Jacobsen v. Katzer is another high-profile case, in which Katzer copied Jacobsen’s software but failed to comply with the attribution clause of the Artistic License, under which Jacobsen’s software was licensed. The parties eventually settled.
Attribution in a Remix World
Some of the cases referenced here, such as the case involving the Affordable Care Act website and SpryMedia, may have been inadvertent. Compliance with attribution requirements has been significantly complicated by the fact that many companies are often unaware that a product that they assume proprietary rights over can contain open source code. This—along with an increased reliance on code developed by third parties and on outsourced software—has left development organizations feeling they’ve lost control over their products’ code composition.
Best practices in software distribution and the acquisition of assets that contain software include identifying all third-party and open source code in the software and ensuring that the asset is in compliance with the requisite license obligations. This can be achieved through the use of manual or automated software scanning, which identifies all third-party code and associated licensing obligations, as well as any violations of the company’s licensing policies and any license incompatibilities. Once a license that contains attribution requirements is identified, a product or asset can be brought into compliance.
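As an added illustration of the automated scanning described above (example code, not from the original article or any scanning product), the following Python script checks a product tree against a constructed manifest of bundled third-party files, flagging any file whose required copyright notice has been stripped or whose SPDX license identifier no longer matches the license it was received under. The manifest entries, file paths and notice text are constructed placeholders, not SpryMedia's actual header.

```python
import re
import tempfile
from pathlib import Path

# Constructed manifest: the third-party files a hypothetical product bundles and the
# notice each license requires to be kept. Names and notice text are illustrative.
THIRD_PARTY = {
    "vendor/datatables.js": {
        "license": "BSD-3-Clause",
        "notice": "Copyright (c) YEAR SpryMedia Limited",  # placeholder notice
    },
    "vendor/util.c": {
        "license": "GPL-2.0-only",
        "notice": "Copyright (C) YEAR Example Author",      # placeholder notice
    },
}

SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")

def check_attribution(root, manifest=THIRD_PARTY):
    """Return (path, problem) pairs for bundled files whose attribution was lost."""
    problems = []
    for rel, expect in manifest.items():
        path = Path(root) / rel
        if not path.is_file():
            problems.append((rel, "file missing"))
            continue
        text = path.read_text(errors="replace")
        if expect["notice"] not in text:
            problems.append((rel, "copyright notice stripped"))
        match = SPDX_RE.search(text)
        if match is None or match.group(1) != expect["license"]:
            problems.append((rel, "license identifier missing or changed"))
    return problems

def build_sample_tree():
    """Create a constructed tree: one compliant file, one with its header stripped."""
    root = Path(tempfile.mkdtemp())
    (root / "vendor").mkdir()
    (root / "vendor" / "datatables.js").write_text(
        "/* Copyright (c) YEAR SpryMedia Limited\n"
        " * SPDX-License-Identifier: BSD-3-Clause */\n"
        "function table() {}\n"
    )
    # Header removed and relicensed: the kind of change attribution clauses forbid.
    (root / "vendor" / "util.c").write_text(
        "/* SPDX-License-Identifier: MIT */\nint util(void) { return 0; }\n"
    )
    return root
```

Running `check_attribution(build_sample_tree())` reports two findings for `vendor/util.c` (stripped notice, changed license) and none for the compliant file; in a real pipeline the manifest would come from the scanner's inventory rather than a hand-written dictionary.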