The Open Source Software Crunch

December 2, 2008

Technology is at the forefront of our lives. It is growing and evolving all the time, and although it is itself an industry sector, more businesses in other sectors are increasingly dependent on technology. Accordingly, issues relevant to technology in corporates and in mergers and acquisitions affect most businesses to a greater or lesser extent. There is no doubt that there has been a significant increase in M&A activity within the technology sector. On 3 August 2008 the Financial Times reported, under the headline ‘Techs ride out the storm’, that ‘mergers and acquisitions may have fallen away this year, but in technology a steady drumbeat of deals in recent months – buoyed by cheap valuations – is showing that the sector is proving remarkably resilient.’


 


Recent M&A deals – both within and outside the technology sector – have highlighted a number of tech-specific issues. Why should these matter? They matter because they often relate to the key assets of a business. Indeed, for an increasing number of companies, software technology may be the key asset of the business.


 


Open source software has had and is having a dramatic effect on businesses. As it enables its users to use, modify and distribute software code without paying a licence fee, it appears highly attractive. It is even becoming the subject of political debate as certain high-profile politicians make the most of opportunities which they perceive OSS presents, particularly in regard to large government IT initiatives. However, OSS also has significant pitfalls which need to be understood by everyone, particularly those in senior management of businesses. The impact of OSS can be dramatic and it is interesting to note that UK companies do not appear to be disclosing OSS risk at the same level as US companies. This suggests that many UK companies may not see the risks which may arise from OSS, or do not feel these risks are material enough to disclose. Many company directors could be making serious mistakes in this regard.


 


1. OSS and why it can be so critical


 


OSS is not intellectual property that has been put into the ‘public domain’ with no strings attached. The software remains subject to copyright law and must be used under the terms and conditions of a licence agreement. What distinguishes OSS from other types of licensed software are the special licensing obligations that apply to its use. Some of these obligations have a significant impact on commercial business models.


 


Information technology has become increasingly important to companies across a range of business sectors. A target company’s software is often an integral part of the assets that a buyer needs for the operation of the purchased business. The arrival of OSS has complicated a company’s ability to use and develop software. OSS has emerged as a highly significant risk in M&A transactions in that it could mean that a company may not own or be able to control its products.


 


(a) Impact of OSS in M&A deals


 


M&A professionals – not only lawyers and accountants but also financial advisors, bankers and in-house corporate development teams – are having to change the way they approach the deal process. Some recent examples illustrate why this is necessary.


 


(i) Cisco’s Acquisition of Linksys


 


In March 2003 Cisco Systems paid $500 million to acquire Linksys, the manufacturer of home networking equipment. Several months after the acquisition, allegations surfaced on the Web that Linksys was using OSS in its products and was violating the terms of the principal OSS licence, the General Public License (GPL), by failing to publish the source code for the software inside the router (the device which selects the best path for data to be sent from one computer network to another).[1] Shortly thereafter, the Free Software Foundation (FSF), a non-profit group that promotes the development and use of OSS, organised a coalition of copyright holders to force Cisco to release the source code. FSF effectively threatened to bring a lawsuit alleging copyright infringement and licence violations based on Cisco’s use of several different OSS programs inside the router.


 


It turned out that Linksys was not directly responsible for adding the OSS code to its product. Another company that supplied Linksys with chips used OSS code in the software that it installed on the components it provided to Linksys. Nevertheless Linksys became liable for violating the GPL because it built its product around these chips, distributing the OSS code as part of the components within the product. Eventually Cisco was forced to admit that it was violating the GPL and published a copy of the router software on its website in order to bring itself into compliance. Then in January 2007, Cisco was forced to admit that it was again violating the GPL in a different Linksys product that used OSS.


 


(ii) Practical experience with acquired software


 


Sophisticated buyers of technology companies now carefully review the software code that a target company uses in its products and systems in order to determine what software has been developed outside the company. In particular, buyers need to look for any software code that is used under the terms of an OSS licence, such as the GPL and other ‘reciprocal’ licence agreements (which are described below).


 


Based on our experience in recent technology M&A deals, we have found that an increasing proportion of the code purchased has not been written by the target’s employees and contractors. A significant proportion of this third-party code would be considered open source software based on the licences that apply to its use. In one target company in an M&A transaction, approximately 90% of the code was subject to open source licensing obligations. As a result, buyers are often forced to incur significant costs in conducting detailed analyses of target company code during due diligence and in rewriting software post-closing to remove OSS and third-party software where licences are missing.


 


All this highlights the problem of poor IP management practices when it comes time to sell a business. Target companies and businesses that cannot identify the licences governing their use of software which has not been developed internally face difficulties during due diligence. Not only is it difficult for these companies to respond to due diligence enquiries, but buyers are likely to seek a discount in the purchase price as a result of the legal uncertainties over IP rights.


 


In addition, companies that have not properly managed the risks of using OSS may also create uncertainty about their ability to protect IP and commercialise their products. This can also have an effect on a target company’s valuation and even result in potential purchasers walking away from deals. An extreme example is Oracle’s potential acquisition of technology company JBoss, which was rumoured to have been aborted due to concerns raised in due diligence that JBoss’s OSS code could not be used with Oracle’s traditional proprietary software licensing model.[2]


 


(b) Why is OSS attractive?


 


Although there are at least 70 different OSS licences,[3] they generally fall into two broad categories of licence agreements: ‘academic licences’ and ‘reciprocal licences’. Both allow the use, modification and distribution of the software code without paying a licensing fee. Academic licences add the requirement that distributors must indicate that the OSS code has been used in the software they distribute, but impose few other significant obligations. As a result, software subject to academic licences can be incorporated into commercial ‘closed source’ products and distributors are free to charge licence fees for using the product. This is compatible with traditional business models in the technology industry in which companies charge licence fees for copies of software provided only as computer-readable object code and carefully guard the source code in order to protect their investment in creating the software and guarantee future licensing revenues.


 


Reciprocal licences are based on a very different bargain: the software code can be used for free and can even be changed and used to create new software, but the modified code must be made available on the same terms as the OSS code. The General Public License is the most important reciprocal licence as well as the most commonly used OSS licence: almost 70% of open source projects used one of the two versions of the GPL for licensing their software.[4] Most OSS licences (including the reciprocal kind) allow code to be used within a business and even modified for internal use without imposing many obligations on the licensee. However, if a company uses software code subject to a reciprocal licence like the GPL to create and distribute a product, that product’s software must be made available in source code form and others must be permitted to use, modify, distribute and incorporate the software into other software without charging a licence fee.[5] Consequently, reciprocal licences are not compatible with the traditional fee-based business models for licensing software. Companies that depend on software licensing revenue or the sale of equipment containing embedded software face problems using code that is subject to these reciprocal licensing obligations.


 


The use of OSS has become widespread in recent years as software developers have looked for ready-made solutions for tasks that they need to write into software. The fact that OSS code is available for ‘free’ (ie there is no licence fee) and can be freely modified is obviously attractive to developers. The applications and tools available as OSS have also grown considerably in recent years so that there is now a broad diversity of offerings. Websites offer large databases of source code that can be efficiently searched. The modular nature of modern software means that development tools (eg libraries of computer code that perform discrete functions) are particularly important, and many useful tools and libraries are now available as OSS via the Web. Furthermore, the Internet allows a ‘community’ of developers to maintain and correct open source applications, which gives an individual developer ready access to others for assistance with questions and fixes.


 


OSS used to be something that was written and used just by computer science students and hobbyists. Now prominent companies, such as Red Hat, IBM, Sun Microsystems and Novell, are selling products and services based on OSS. These companies have made big bets on the commercial use of OSS. For large technology companies like IBM and Oracle, licence revenues may not be very important. These companies can make money selling profitable consulting services, hardware and databases alongside other products built on OSS. But for other companies, relying on OSS can present risks to their main sources of revenue.


 


(c) The risks of OSS in M&A


 


Despite the advantages that OSS offers in the writing of software, OSS introduces a range of new concerns about the ownership and use of software which are changing how companies are able to create and commercialise their technology. As we have already seen, this is having an impact on risks in M&A deals as well as creating new concerns about litigation and public disclosure requirements.


 


We have described above the impact of OSS, particularly code governed by reciprocal licences like the GPL, on commercial business models and potentially on a target’s valuation. Future revenue streams may be put at risk if companies are forced to make the source code of their products freely available without a licence fee. Equipment manufacturers risk losing control over how their devices operate if they are required to publish the source code on the Web. As an example, digital video recorder manufacturer TiVo has faced a long-running dispute with the Free Software Foundation over its use of OSS on TiVo DVRs. By making its device software readily available, TiVo risks limiting its ability to enter into revenue-generating commercial deals with content owners because purchasers of TiVo devices may be able to reprogram their recorders to circumvent advertising from film and TV companies.


 


The use of OSS also creates general uncertainty about IP ownership and a target’s rights to use software. OSS licences typically provide no warranties or indemnities from the licensor that it owns or controls all of the IP in the code being licensed. If an OSS project has not received proper assignments of the IP rights in code created by individual contributors, companies using the software may face IP infringement claims in the future.


 


After years without much litigation, there is now a trend towards legal action to enforce the terms of OSS licences, such as the GPL. Beginning in 2007, a series of copyright infringement cases have been brought based on the commercial use of a set of software utilities called BusyBox, which is licensed under the GPL. BusyBox is used in writing software applications that run on a variety of consumer devices, including TV set-top boxes. The cases have sought injunctions compelling the disclosure of source code as well as the payment of damages and litigation costs. The most high-profile defendant has been Verizon Communications, which distributed BusyBox to its customers in consumer devices provided by one of its suppliers. The case against Verizon and separate cases against several less prominent defendants have been quickly settled, with the defendants agreeing to publish source code on their Web sites, appoint an ‘open source compliance officer’ and pay undisclosed amounts in compensation.


 


More recently, in August 2008, a US court delivered a precedent-setting decision on the enforcement of OSS licence terms. In the first decision by a US federal appeals court in the burgeoning area of open source licensing, the Court of Appeals for the Federal Circuit has confirmed in Jacobsen v Katzer that violations of open source software licences constitute copyright infringement. This means that powerful remedies are available under US copyright law for these breaches, including injunctions and statutory damages. Authors of OSS code should find it easier to enforce conditions on the use of open source software using copyright law instead of being forced to pursue less effective breach of contract claims. It seems likely that the OSS litigation trend will continue and perhaps even intensify.


 


Recognising these new risks, companies have begun including disclosures about OSS in their public reports to shareholders and in prospectuses when they list on the stock market. Companies with securities registered in the US that rely on software are now regularly including statements about OSS risks in their 10-K and 10-Q reports in order to limit securities litigation claims that they have not properly disclosed risks that are material to the company’s business and future prospects. These disclosures range from statements noting that a company’s ability to distribute software may be limited by future changes in OSS licences to more significant disclosures about a company’s potential non-compliance with OSS licensing obligations and potential requirements on the company to release source code to its competitors.


 


Companies are now including similar disclosures in UK offering documents. Listing particulars and prospectuses note frequently that ‘there is a risk that third parties, including the Company’s competitors, could have the right to use and distribute certain elements of the Company’s software products’.[6] Other companies have included the following more general statement about the risks of using OSS:


 


The use of open source software raises the risk that software developed by [the company] may inadvertently incorporate open source governed by licensing provisions requiring that any ‘derivative work’ be distributed under the same terms as the original open source software . . . The [company] could be required to replace these components with internally developed or commercially licensed equivalents which could delay [the company’s] product development plans, interfere with the ability of [the company] to support its customers and require [the company] to pay licensing fees.[7]


 


How do buyers (and targets) manage the deal risks?


 


In the past, software-related issues rarely had a major impact on the process of reviewing a potential acquisition, negotiating the purchase agreement and integrating the new operations into the buyer’s business. In the acquisition of a technology company or business with software as an important asset, it has always been important to make sure that the purchaser gets the necessary rights to use and commercialise the technology being bought as covered in the earlier part of this article.


 


However the widespread use of OSS has altered the legal risks associated with software, and so buyers must respond by adopting new IP due diligence procedures and ensuring that targets have appropriately managed their IP. Similarly, companies that are planning for a sale must be ready to respond to due diligence enquiries focused on IP ownership and the use of OSS and demonstrate that IP issues do not threaten future revenue streams. Venture capitalists, who are eager to protect their return on investment and not endanger an exit, are also requiring that their portfolio companies manage OSS issues properly.


 


2. The OSS crunch and getting the message


 


As we now know the infamous sub-prime crisis involved lending banks appearing to ignore what would seem to be clear lending risks. One might say that OSS risks are similar in the sense that there are many companies getting into the act, but it does not seem that the risks of complying with the special terms of OSS licences are always fully appreciated and properly managed. Open source software is a term that is often misunderstood – at least in the general business world – as implying the free and unconditional use of technology, which of course is not the case. We’ve had the Credit Crunch, and we could soon be seeing an ‘OSS Crunch’ in which unmanaged OSS risks lead to lower valuations on businesses, which will make it harder to get VC financing and ultimately more difficult to convince a buyer to pay full value for a business that depends on software technology.


 


Technology businesses are amongst the fastest growing businesses in the world. They change in the most dramatic fashion so that it’s necessary to maintain a watching brief on managing risks. A growing number of businesses outside the technology sector rely increasingly on technology so that intellectual property rights represent a significant proportion of the value of their total assets. All this means that purchasers of companies and businesses need to be more aware of how to make sure they are buying what they think they are buying when it comes to technology. OSS presents particular challenges and in many cases that means that companies need to take urgent action to contain and minimise risks. Technology law specialists have typically been those most aware of OSS licensing terms and the resulting compliance issues. However, lawyers now need to get the message across to CEOs and CFOs that these are not boring intellectual legal issues relating to software. OSS issues can give and have given rise to dramatic financial consequences for companies – whether in the technology sector or where companies rely heavily on technology.


 


David Boutcher is head of the European and Middle East Corporate Group at Reed Smith and Bob Stankey is a partner in the Advertising Technology and Media Group at Reed Smith. To contact David or Bob, call +44 (0)207 247 6555.


 






[1] The software inside the Linksys router included both a copy of the core part of the Linux operating system (the Linux ‘kernel’) as well as other software code governed by the GPL.



[2]If Legal Questions Killed an Oracle-JBoss Deal, Why Not Red Hat-JBoss?” eWeek.com, 10 April 2006 at http://www.eweek.com/c/a/Database/If-Legal-Questions-Killed-an-OracleJBoss-Deal-Why-Not-Red-HatJBoss/.



[3] See the Open Source Initiative’s license database at http://opensource.org/licenses and Computers & Law, vol 19, issue 3, p 27.



[4] See www.blackducksoftware.com/gpl3



[5] The reciprocal rights granted are not limited to copyright but also include patent rights, which can severely limit a company’s rights to enforce or cross-licence its portfolio of patents.



[6] See AIM admission document of March Networks (April 2005).



[7] See AIM admission documents of Silanis International Limited (June 2007) and Sandvine Corporation (March 2006).