Ignorance of open source law is no defense

Hugh Darvall

Ignorance of the law is no defense, writes Hugh Darvall.

General counsel (GC), whether at software/IoT corporations or at organisations that develop their own software, and law firms that advise on IT, intellectual property, IoT and security, need to beware.

Most are not aware of the risk posed by unexpected open source components in software, or of the compliance status of those components.

Usage of open source software continues to grow and has become the default base for software development within the Asia-Pacific region. While open source components are free for anyone to use, there are still limitations: each component carries licensing obligations that software developers must comply with, or else risk penalties.

Education is key

While the law enabling enforcement of open source licences is well established, most software developers are unaware of the licence terms they are bound by. GC and law firms alike need to educate themselves about open source software licence compliance risk, then ensure their development teams and clients have the training, processes and automation in place to maintain continual IP and legal compliance.

While Open Source Software (OSS) has been around for decades, commercial software companies have had their traditional software design process flipped upside down in the last 10 years. When classic commercial software packages were first created years ago, very little third-party compliance was required.

Now, the typical commercial product contains hundreds of high-quality open source components, yet data shows that only a small percentage of these components have their open source licensing obligations met. Development practices have outpaced the internal processes needed to manage the legal obligations and, as a side effect, most companies are out of compliance.

The disconnect

Legal teams are often under the misapprehension that software developers are aware of the requirements that come with using open source libraries. Development seeks guidance and policy, but is at the same time under enormous pressure to get products out of the door.

This disconnect becomes very clear when a company producing a software product is required to present an independently verified disclosure of all the open source and commercial code it uses.

This is a very common request during mergers and acquisitions, and from large enterprise customers. Organisations are very surprised to see a difference of 20 times or more between what their software developers think they are using and what they are actually using. Typically, this means they are out of compliance for each of those previously unknown components.

Acquirers and customers typically want technology companies to come into quick compliance from a legal perspective, as well as from a vulnerability perspective. This means the technology provider is required to update its software to fulfil the obligations of the open source it uses.

The required actions would most likely include placing proper licence notices and copyright statements in documentation and About boxes, changing how libraries are linked and/or used, and providing source code for the entire software product or certain components of it.

These actions are not always easy or possible to perform.
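The gap described above, between the components developers believe they ship and the components a verified disclosure turns up, is what an automated inventory check closes. The following is an added illustration, not code from the article or from Flexera: it walks a resolved dependency graph from the components a team has declared, reports every transitive component the declaration misses, and grades each component against a licence policy. The package names, versions, licences, dependency edges and the policy table are all constructed sample data; the "review" status for copyleft licences stands in for the case where obligations depend on how the library is linked, and a component with no licence metadata is reported as unknown rather than silently passed.

```python
"""Declared-vs-actual component inventory with a licence policy check.

Added illustration for the article above; not Flexera's or the author's code.
Every package, version, licence and policy entry below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy (an assumption for illustration): what an allowed
# licence looks like, and which ones need legal review before shipping.
LICENCE_POLICY: Dict[str, str] = {
    "MIT": "allowed",
    "BSD-3-Clause": "allowed",
    "Apache-2.0": "allowed",
    "LGPL-2.1-only": "review",  # obligations depend on how the library is linked
    "GPL-3.0-only": "review",   # copyleft: may require source for the whole product
}


@dataclass
class Component:
    name: str
    version: str
    licence: Optional[str]          # None = no licence metadata found
    requires: List[str] = field(default_factory=list)


# Constructed inventory, as if parsed from a lockfile. Not real packages.
INVENTORY: Dict[str, Component] = {
    "webapp-framework": Component("webapp-framework", "2.4.1", "MIT",
                                  ["http-core", "template-engine"]),
    "json-utils": Component("json-utils", "1.0.3", "Apache-2.0"),
    "http-core": Component("http-core", "0.9.8", "BSD-3-Clause",
                           ["compress-lib", "tls-shim"]),
    "template-engine": Component("template-engine", "3.1.0", "GPL-3.0-only"),
    "compress-lib": Component("compress-lib", "1.2.0", None),
}

# What the development team believes it depends on (constructed).
DECLARED: List[str] = ["webapp-framework", "json-utils"]


def resolve(declared: List[str],
            inventory: Dict[str, Component]) -> Tuple[Set[str], Set[str]]:
    """Walk the dependency graph from the declared roots.

    Returns (every component actually reached, names the lockfile has no
    entry for). Unresolved names are a failure mode in themselves: the
    inventory is incomplete and cannot be presented as a verified disclosure.
    """
    actual: Set[str] = set()
    unresolved: Set[str] = set()
    stack = list(declared)
    while stack:
        name = stack.pop()
        if name in actual or name in unresolved:
            continue
        comp = inventory.get(name)
        if comp is None:
            unresolved.add(name)
            continue
        actual.add(name)
        stack.extend(comp.requires)
    return actual, unresolved


def evaluate(declared: List[str], inventory: Dict[str, Component],
             policy: Dict[str, str]) -> Dict[str, list]:
    """Compare declared components with the resolved set and apply the policy.

    findings holds (name, version, licence, status) for every component that
    is not simply allowed: 'review' for licences the policy flags, 'blocked'
    for licences the policy does not list, 'unknown' for missing metadata.
    """
    actual, unresolved = resolve(declared, inventory)
    findings = []
    for name in sorted(actual):
        comp = inventory[name]
        if comp.licence is None:
            status = "unknown"
        else:
            status = policy.get(comp.licence, "blocked")
        if status != "allowed":
            findings.append((name, comp.version, comp.licence, status))
    return {
        "actual": sorted(actual),
        "undeclared": sorted(actual - set(declared)),
        "unresolved": sorted(unresolved),
        "findings": findings,
    }


if __name__ == "__main__":
    report = evaluate(DECLARED, INVENTORY, LICENCE_POLICY)
    print(f"declared {len(DECLARED)}, actually shipping {len(report['actual'])}")
    for key in ("undeclared", "unresolved", "findings"):
        for item in report[key]:
            print(f"{key}: {item}")
```

Run against the constructed data, the two declared components expand to five actually shipped, three of which nobody declared; one required name has no lockfile entry at all, and two components need attention before a disclosure can be signed off (one with a copyleft licence, one with no licence metadata). The same structure applies whichever lockfile or SBOM format the real inventory is parsed from.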

Vulnerabilities and patches

The consequence of not keeping track of third-party components is that organisations are unable to respond to reported vulnerabilities, or to apply the patches required to keep those components up to date and secure.

This has the side effect of leaving products vulnerable to outside attack, which can lead to data loss and/or financial damage. Legal teams are finding themselves more and more involved in security response, as well as in the legal and financial repercussions of these types of attacks.

As a result, legal teams are putting in place policies around component updating as part of their efforts to reduce risk to their company.

By taking the lead, legal teams can reduce risk for their organisations and, at the same time, allow their companies to be good open source citizens.

As more companies start to understand their true dependency on open source, developers should be able to expect more financial and technical support towards these projects.

Therefore, better compliance allows developers to deliver higher quality, more secure and better supported products as well as help to support a stronger open source ecosystem.

Hugh Darvall is a director at Flexera Software Australia and New Zealand.
