Out-Law Analysis | 25 Sep 2013 | 10:56 am | 4 min. read
Software engineers are heavily dependent on open source software. A recent survey by consultancy Mortimer Spinks and Computer Weekly found that 47% of software engineers predominantly use open source software when developing business applications. By reusing open source code and components, financial organisations can reduce the amount of software that needs to be developed. This not only saves time and money: reusing components that have already been proven in use by end users also helps to reduce quality issues and increase usability.
According to software quality firm SQS Group, more and more pressure is being put on financial services organisations to grow their businesses through mobile services. Being first to market with good quality, usable services is important for their success.
However, the use of open source within organisations is typically on an ad hoc basis and with little governance. Using open source in mobile applications rather than just internally without this governance increases the exposure organisations face from the various risks associated with using open source.
"Open source is ubiquitous – having a policy against open source is impractical and places you at a competitive disadvantage," said Mark Driver of Gartner. However, there are certainly legal and operational risks which seem to be all too easily forgotten or overlooked.
Although open source licence regimes differ, generally banks, insurers and other financial services organisations can be exposed to the following two risks if they use open source code without putting proper governance structures and contractual protections in place.
Loss of competitive advantage and use of exclusive technology
Some open source licences require that all 'derivative works' be distributed without restriction. If a financial services firm were to use code subject to such terms in its mobile development projects it could end up in a dispute as to whether that software is a 'derivative work'. This creates the risk that the firm could be prevented from keeping the source code underlying its newly developed mobile applications or other software confidential, posing both commercial and security risk.
The reality of this risk arising was illustrated some years ago in the United States when the Free Software Foundation (FSF) brought a complaint against Cisco Systems before a New York District Court. FSF claimed that Linksys Group, a Cisco subsidiary, had distributed wireless broadband routers that included chipsets reliant on source code subject to open source licences.
Linksys had chosen not to disclose the source code for its routers when distributing its products and the FSF claimed that in taking that decision it breached the open source licensing terms. The FSF's complaint stated that "The only permission available for distribution" of the software underlying the routers was "the contingent one granted [under the open source licences]".
Rather than contest the dispute, Cisco agreed to settle. The FSF has since reported that the terms of the settlement included obligations on Cisco to appoint a 'Free Software Director' to supervise Linksys' compliance with the requirements of open source software licenses; report periodically to the FSF regarding the extent of Linksys' compliance; notify previous recipients of Linksys products containing FSF source code of their rights; publish a licensing notice on the Linksys website, and make the complete source code used with current Linksys products freely available on its website.
Intellectual property infringement claims
A second risk which financial services firms face when using open source code is that of third party intellectual property claims. Just because source code has been taken from a library which claims to be subject to an open source licensing regime does not mean that it has not originated from proprietary software.
Unlike many commercial software licences, open source licences often contain little or nothing in terms of warranty or indemnity protection. Licensees typically take the software on an 'as-is' basis, which leaves the licensee without recourse against the contractor in the event that a claim is made.
If development work is outsourced to contractors the solution revolves around practical and contractual protections and, in some cases, appropriate insurance.
Practically it is essential that the introduction of open source code within an organisation is controlled and inventories of what code is used are maintained. Inventories should also detail how code is used and the licence terms to which they are subject.
Whenever the use of open source code is logged, licence terms must be checked to ensure that they are workable for the organisation and the intended use of the developed software. Compliance must then be monitored thereafter, as illustrated above. It is essential to remember that while open source software is often free of charge, or low cost, it is subject to distribution and usage rules.
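As an added illustration of the inventory and licence check described above (example code, not part of the Out-Law article or any firm's process), the following script records how each open source component is used and under which licence, then flags entries whose terms conflict with distributing the software. The component names, versions and the policy table are assumptions; the classification of licences must come from the organisation's own legal review.

```python
# Added example, not from the Out-Law article: a minimal licence check over
# an open source inventory. The policy table below is an assumption standing
# in for the firm's own legal review; SPDX-style identifiers name the licences.
from dataclasses import dataclass

# Assumed policy table. Strong copyleft licences require source disclosure
# for distributed derivative works; weak copyleft licences usually only
# for modifications to the component itself; permissive licences do not.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-3-Clause"}

@dataclass
class Component:
    name: str
    version: str
    licence: str
    usage: str       # "distributed" (shipped in a mobile app) or "internal"
    modified: bool   # the firm changed the component's own source

def assess(c: Component) -> tuple[str, str]:
    """Return (severity, reason) for one inventory entry."""
    known = STRONG_COPYLEFT | WEAK_COPYLEFT | PERMISSIVE
    if c.licence not in known:
        return "review", f"{c.name}: licence {c.licence!r} is not in the policy table"
    if c.usage == "internal":
        return "ok", f"{c.name}: internal use only, no distribution trigger"
    if c.licence in STRONG_COPYLEFT:
        return "block", f"{c.name}: {c.licence} in distributed code, derivative-work disclosure risk"
    if c.licence in WEAK_COPYLEFT and c.modified:
        return "review", f"{c.name}: modified {c.licence} component shipped, changes may need disclosure"
    return "ok", f"{c.name}: {c.licence} distributed without disclosure obligation"

def check_inventory(inventory: list[Component]) -> dict[str, list[str]]:
    """Group findings by severity so a release gate can act on them."""
    findings: dict[str, list[str]] = {"block": [], "review": [], "ok": []}
    for c in inventory:
        severity, reason = assess(c)
        findings[severity].append(reason)
    return findings

# Constructed sample inventory (hypothetical components, not a real firm's)
SAMPLE_INVENTORY = [
    Component("json-parse", "1.4.2", "MIT", "distributed", False),
    Component("pdf-render", "0.9.0", "GPL-3.0-only", "distributed", False),
    Component("crypto-util", "2.1.0", "LGPL-2.1-only", "distributed", True),
    Component("batch-report", "3.0.1", "GPL-2.0-only", "internal", False),
    Component("ui-widgets", "5.2.0", "Custom-EULA", "distributed", False),
]
```

Running `check_inventory(SAMPLE_INVENTORY)` blocks the GPL component in the distributed app, sends the modified LGPL component and the unrecognised licence for review, and passes the permissive and internal-only entries.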
Contractual protections can be put in place to make contractors effectively underwrite the open source code that they utilise, and "as is" approaches need to be avoided. It is also essential to ensure that contractors do not avoid responsibility for customisation work that incorporates open source software, or for any post go-live support provided.
If development work is conducted in-house the solution revolves around governance and taking the same practical measures as are noted above. But according to Julian Brock of SQS Software, "many organisations have no strategy, policy or process in place for the governance of open source".
Recent reports suggest that financial services institutions in the UK employ more IT professionals than any other industry, other than the technology supplier industry. Financial institutions therefore need to ensure that their governance processes are designed with the size of development teams in mind and workable on a day-to-day basis.
John Salmon is financial services expert at Pinsent Masons, the law firm behind Out-Law.com
Angus McFadyen of Pinsent Masons will be speaking on the issue of open source risks in mobile application projects at a complimentary Mobile Payments breakfast seminar on Tuesday 1 October 2013 hosted by SQS Group.