Businesses need rigorous policies and procedures for open source software to harness benefits and counter risks, say experts

Out-Law Analysis | 03 Mar 2017 | 12:40 pm | 6 min. read

ANALYSIS: Businesses need to put in place rigorous policies and procedures to account for the use of open source software so they can harness the benefits that software has to offer and counter the risks inherent in its use.

Open source software is ubiquitous. Its use continues to grow year-on-year as organisations spot its potential to lower product development costs and access innovative software solutions created and maintained by a large community of experts.

However, there are legal and security risks involved in using open source software that business users must familiarise themselves with and take action to minimise. Organisations that address the risks will be well placed to obtain a competitive advantage through their use of open source software.

What is open source software?

In simple terms, software is made up of source code and object code. Source code is what coders actually 'write'. That code is then compiled into object code which is what the computer can 'read' and uses to run computer programs.

When organisations buy off-the-shelf software, typically they are able to run the software but not view, edit or modify the source code or the core functionality. The situation is different with open source software, as the source code is by its nature accessible to view, modify and edit. The core functionality of the software can therefore be modified or combined with other solutions.

Crucially, open source software does not typically attract licence fees or royalties, making it often far cheaper than a similar off-the-shelf solution.

Licensing of open source software is governed by a number of standard-form licenses, for example the GNU General Public License (GPL), which is one of the most common. In general, these licenses guarantee end-users the freedom to run, study, share and modify the source code, subject to complying with certain conditions – the central condition being that the source code must be made publicly available. Other conditions might include, for example, a requirement that open source software users redistribute the software on the same terms as it was originally licensed.

Why is open source software important, and what benefits does it bring?

Over recent years there has been a surge in the number of companies using open source software. A 2015 survey by industry specialist Black Duck found that 78% of businesses use open source software in some way.

Open source software is hugely valuable to businesses, as it helps them lower development costs. This is because large bodies of open source code are freely accessible and modifiable, meaning companies can use the code to customise a product to their own specific needs.

Beyond cost, other benefits of open source software include the security and accountability on offer in comparison to that provided when using proprietary software solutions.

Open source software has long-term viability and is usually on the cutting-edge of technology. It is created and supported by a worldwide community of organisations and individual developers, many of whom also live by open source values like collaboration and volunteerism. This network of experts serves as a peer-review mechanism, so that any security vulnerabilities within open source code are identified and plugged quickly.

Using open source software also opens up a number of business and revenue-raising models for organisations to consider, from dual licensing of proprietary and open source code, to offering software-as-a-service or support and maintenance services.

The use of open source software is positively encouraged in the UK public sector. Under the government’s Technology Code of Practice, any government department undertaking a new IT project must give "equal consideration to free or open source software" when selecting which technology to use. The code needs to be followed by anyone designing, building or buying technology for a government organisation.

What are the risks in deploying open source software?

The risks in using open source software can broadly be split into two areas: legal and security.

Legal risks relate in particular to copyright infringement as a result of a breach of the licensing conditions attached to open source code.

As with any other kind of software, organisations need a licence to use open source code without infringing copyright.

Open source software licences fall broadly into two categories: restrictive and permissive.

Permissive licences allow users to distribute the software with very few restrictions, and are for the most part compatible with proprietary software development. Code licensed under permissive licences can generally be incorporated into proprietary solutions and sold on for profit.

Restrictive licences, however, sometimes known as 'copyleft' licences, impose licensing restrictions where the open source code is further distributed, either as the original product or a modified derivative, to third parties.

Restrictive licences often state that any distribution of open source code, including as part of a wider derivative product, must be done under the terms of the original licence.

Problems can arise where users of open source code combine it with other, proprietary software. In doing so, those organisations may inadvertently make their ‘proprietary’ derivative software subject to the terms of the open source software licence and its conditions. Where this occurs, businesses may find that their proprietary code must be disclosed in line with the open source licence, exposing them to third party action if they do not comply.

In addition, businesses that do not comply with the requirements of open source software licences could find themselves on the hook for damages, even if the breach is trivial or technical in nature.  

In the context of an M&A transaction, open source software presents potential risks for a buyer where the licence terms have not properly been complied with. Issues or disputes around open source code can result in severe delays to completion of deals, or an increase to the proportion of the purchase price withheld from being paid until certain conditions are satisfied. In other cases, unsatisfactory arrangements around open source software, such as incomplete audit trails, might lead to the devaluation of the target business or, in extreme cases, a deal falling through altogether.

In addition to legal risks, businesses that do not keep on top of their use of open source software may leave themselves open to serious security vulnerabilities.

If businesses are not aware what open source code they are using, because, for example, it has been incorporated into their systems or products by a third party developer or contractor, then they may not be aware of the need to keep that software up-to-date, which is likely to mean that they are running old software with known security vulnerabilities.

The US Department of Homeland Security has estimated that 90% of security incidents result from exploitation of defective software. Many of these security flaws are widely known, yet the affected components are nonetheless downloaded – in 2011 two open source software components with known vulnerabilities were downloaded 22 million times.

According to a 2016 study carried out by North Bridge and Black Duck, nearly half of organisations (47%) lack "formal processes" for tracking open source code and nearly a third lack a "process for identifying, tracking or remediating known open source vulnerabilities". The companies' previous report in 2015 revealed that 67% of organisations do not monitor open source code for security vulnerabilities.

The most high profile case of a security vulnerability being found in open source code was the so-called 'Heartbleed' bug, which was publicised in 2014. When this security flaw was first unearthed it was found that over 66% of all active websites were vulnerable.

Address the risks to harness the benefits

Organisations should establish rigorous open source software policies and procedures to address the legal and security risks inherent in its use.

Users of open source code should know what open source code they use, whether any open source code has been used within their own proprietary software and, if so, how it has been deployed.

Organisations should also be aware of what licensing terms govern the open source software they use, and regularly check that those terms are being complied with both internally and externally. It is vital that organisations using open source code are aware of the difference between restrictive and permissive licences.  

In addition, businesses should be able to identify the origins of the open source code they use and track how it has been modified, for example by using support records and/or an audit trail charting all open source code use. Businesses should ensure that all open source software they use is up-to-date and secure.

Businesses should consider carrying out an audit to determine what software might cause a problem in future, and think about removing any incompatible code, particularly in circumstances where that code may be scrutinised, for example in a due diligence context. Specialist tools are available in the market to scan code for the presence of open source code, and third party forensics experts can also be engaged to evaluate and assess the software companies use.
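The steps above (know what open source code is in use, know which licence governs each component and whether it is restrictive or permissive, and keep every component up-to-date) can be reduced to a repeatable check over a component inventory. The script below is an added illustration written for this article, not a tool from Pinsent Masons or from any scanning vendor. It assumes a simple constructed inventory format (name, version, licence, whether the component is distributed to third parties) and a constructed advisory table of fixed versions; the component names, versions and advisories are placeholders, not real projects or real vulnerabilities. The licence tables reflect the article's two categories: GPL-family licences as restrictive (copyleft), and MIT, BSD and Apache-2.0 as well-known permissive licences.

```python
"""Open source inventory check: parse a component inventory, classify each
component's licence as permissive or restrictive (copyleft), flag restrictive
components that are shipped to third parties, flag licences outside the policy
tables, and flag versions below a known fix.  Inventory and advisory data are
constructed for illustration only."""
from dataclasses import dataclass

# Licence families used by the policy check.  GPL-family licences are the
# 'restrictive'/copyleft category; MIT, BSD and Apache-2.0 are permissive.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-2.1", "LGPL-3.0"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}

# Constructed advisory table: component -> first version that contains the fix.
# In practice this would be fed from a vulnerability database; these entries
# are placeholders, not real advisories.
ADVISORIES = {
    "examplecrypto": "1.0.2",   # versions below 1.0.2 are affected (constructed)
    "netparse-lite": "4.1.0",   # versions below 4.1.0 are affected (constructed)
}

# Constructed inventory in the assumed format:
#   name,version,licence,distributed-to-third-parties(yes/no)
SAMPLE_INVENTORY = """
# name,version,licence,distributed
examplecrypto,1.0.1,Apache-2.0,yes
netparse-lite,4.1.0,LGPL-2.1,yes
jsonfast-demo,2.3.0,MIT,yes
internal-gpl-tool,0.9.0,GPL-3.0,no
mystery-lib,1.2.3,Custom,no
"""


@dataclass
class Component:
    name: str
    version: str
    licence: str
    distributed: bool


@dataclass
class Finding:
    component: str
    kind: str      # "copyleft-distributed", "unknown-licence" or "known-vulnerable"
    detail: str


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))


def parse_inventory(text: str) -> list:
    """Parse the constructed CSV-style inventory, skipping blanks and comments."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version, licence, distributed = [p.strip() for p in line.split(",")]
        components.append(Component(name, version, licence, distributed.lower() == "yes"))
    return components


def classify_licence(licence: str) -> str:
    """Map a licence identifier to the article's categories, or 'unknown'."""
    if licence in COPYLEFT:
        return "restrictive"
    if licence in PERMISSIVE:
        return "permissive"
    return "unknown"


def check_inventory(components: list) -> list:
    """Apply the policy checks to every component and collect findings."""
    findings = []
    for c in components:
        category = classify_licence(c.licence)
        if category == "unknown":
            findings.append(Finding(c.name, "unknown-licence",
                            f"licence '{c.licence}' is not in the policy tables; obtain and review its terms"))
        elif category == "restrictive" and c.distributed:
            # Copyleft obligations are triggered by distribution, so internal-only
            # use of a GPL-family component is not flagged here.
            findings.append(Finding(c.name, "copyleft-distributed",
                            f"{c.licence} component is distributed to third parties; derivative code may have to be released on the same terms"))
        fixed_in = ADVISORIES.get(c.name)
        if fixed_in and parse_version(c.version) < parse_version(fixed_in):
            findings.append(Finding(c.name, "known-vulnerable",
                            f"version {c.version} is below the fixed version {fixed_in}; upgrade"))
    return findings


if __name__ == "__main__":
    for finding in check_inventory(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{finding.kind:22} {finding.component:18} {finding.detail}")
```

Run against the constructed inventory, the check reports three findings: the out-of-date `examplecrypto`, the distributed LGPL component `netparse-lite`, and the unclassified licence on `mystery-lib`. The internal-only GPL tool produces no finding because, as the article notes, restrictive licence conditions bite on distribution; a real policy would still record it so that the position can be re-checked if the component is later shipped in a product.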

Iain Connor, James Robb and Tom Hadden are experts in open source software at Pinsent Masons, the law firm behind