The cloud and open source have revolutionised, and will continue to revolutionise, the way organisations manage and run their enterprise computing infrastructure, particularly in terms of hardware and software procurement, maintenance and support. Both represent a challenge to the traditional IT business models – the cloud offers a viable alternative to a costly and inefficient private data centre and open source offers a viable alternative to the costly proprietary software model. These technological developments have resulted from collaboration, openness and choice, and such factors are changing the way CIOs and CTOs look at their IT infrastructure.
Whilst the cloud and open source are ultimately independent of each other, the relationship between them gives rise to interesting legal and commercial questions, and it is arguable that neither would have been as successful without the other – Jim Whitehurst, Red Hat President and CEO, stated at Red Hat’s annual summit in May 2011 that ‘Without open source, clouds wouldn’t exist. Full stop‘. There is certainly truth in this statement. The success of the cloud and its association with open source has also helpfully dispelled some of the many myths associated with open source – something which has been long needed and has given rise to global acceptance of open source within the corporate user community.
The cloud movement
The definition of what the ‘the cloud’ is will never really be agreed. Many argue that the cloud is simply no different from the Internet – Larry Ellison, CEO of Oracle, famously argued that the debate is over style and not substance by saying that the computing world ‘is the only industry that is more fashion driven than women’s fashion‘. However, others argue that the cloud represents one of the most important changes in enterprise computing since the invention of the computer itself. This view is supported by the fact that there has been a radical change in the way service providers market their IT capabilities to end-users – it is now rare to see an IT service offering that does not mention the cloud. Regardless of the difference in views, most agree that what the cloud presents is an opportunity for organisations to outsource their computing capability to a third-party provider of networks, servers, storage, applications or services located in multiple jurisdictions. The success of this is already apparent and the potential for further growth is assured.
The open source movement
The definition of ‘open source’ will also never really be agreed. From the ethical principles of the Free Software Foundation to the pragmatism of the Open Source Initiative, there are still endless opportunities for academic debate over what truly is ‘open source’. However, from an enterprise computing perspective, the definition is crystal clear. Open source is the source code of software that an organisation can use and copy for any purpose whatsoever on a royalty-free basis, provided that the terms of the relevant open source licence are complied with. This represents a radical change from the traditional proprietary licensing model, where restrictive rights of use and licence fees are a major obstacle to exploitation, innovation and growth.
How has open source helped the cloud?
The remarks of Jim Whitehurst, Red Hat President and CEO, noted above are true in many ways. Open source has, for a number of reasons, significantly enhanced the success of the cloud and I identify some features of their relationship below.
Hardware expansion
Amazon coined the phrase ‘elastic cloud’ through its EC2 Elastic Compute Cloud service. At the heart of the elasticity of the cloud is the fundamental principle that if an organisation requires more or less capacity, the unit cost of scaling up or down is minimal. Cloud providers have largely mastered building big server clusters by using open source software on the hardware infrastructure. The key principle found in open source licences is that the copying and re-use of the source code does not give rise to any licence fee. As a result, cloud providers can build, increase and maintain their hardware infrastructure without repeatedly being held hostage by proprietary licence fees – indeed, if each of a cloud provider’s hundreds and thousands of servers ran exclusively on proprietary software, the cost of elasticity would arguably not be commercially attractive from the viewpoint of the cloud provider or customer.
The legal loophole of proprietary open source
Proprietary open source could perhaps be a contradiction in terms. However, partly through pre-cloud drafting, a loophole in the cloud has allowed developers and providers to exploit open source in a proprietary way by providing a software service over the cloud (i.e. SaaS) as opposed to the licensing of the software itself. At the heart of this exploitation is the definition of what is a ‘distribution’ for the purposes of GPL Version 2.0 (GPLv2) – the ‘copyleft’ licence found in approximately 50% of all open source projects. In a traditional licensing world, GPLv2 requires the licensor to disclose the source code to the licensee at the point at which the software is distributed. Whilst a licensor is able to charge a fee for the distribution of the source code, a coach and horses are essentially driven through a proprietary business model on the basis that the licensee is free to make as many royalty-free copies of the source code for redistribution – thereby negating any commercial advantage the licensor has in holding the original source code. Where software is provided as a service over the cloud, an arguable interpretation under GPLv2 is that a distribution does not take place – this is manifested in GPL Version 3.0 (GPLv3) which expressly states that mere interaction with a user through a computer network, with no transfer of a copy, is not a distribution. The consequence of this is that developers can use open source and provide access to the functionality of that open source through the cloud for a fee without being required to disclose the source code of the open source. This means that a developer can keep modifications to the open source private, thereby maintaining a competitive advantage over its competitors.
The open source movement has reacted to combat this loophole, with a particular focus on the GNU Affero GPL licence, by redefining what a distribution is – with express wording that states that interaction over a computer network amounts to a distribution. It remains to be seen whether the GNU Affero GPL licence will gather popular momentum, thereby preventing open source developers developing proprietary-type business models over the cloud. However, for now, GPLv2 can be used to permit service providers to use the cloud as a platform for commercialising open source software.
Virtualisation
The ability to virtualise servers has allowed the cloud to benefit from multiple locations, economies of scale and constant availability for the user community – once again, it is unlikely the cloud would have been as successful without the ability to virtualise servers. At a very basic level virtualisation allows a physical machine to be subdivided into several discrete machines, all of which can be described as virtual servers. Alternatively, virtualisation allows several different machines to act as one discrete virtual server. The key benefit of virtualisation is that the efficiency and utilisation of a server or cluster of servers can be increased dramatically using virtualisation technology.
Open source software has helped the growth of virtualisation in a number of ways. Virtual servers do not fit within the traditional proprietary model of identifiable servers, processors or core models. Under a traditional proprietary licensing model, the copying of software tends to be prohibited and the licensing is often linked to a serial number of a physical machine. As a result, the proprietary software world originally struggled with the licensing of software to run on virtual servers, particularly in circumstances where one virtual server can be migrated from one physical machine to another across multiple jurisdictions. With the open source licences, the key principle is that licensees are free to use the open source software for any purpose whatsoever – unlike proprietary software, this allows licensees to use the software on multiple machines, in multiple locations and without any conditions that would otherwise impede the licensees’ freedom to use. The innovative use of open source software and the ability of the community to develop and improve the software to fit within new technical solutions has therefore helped the cloud develop.
The consequence of the ability of open source to assist with technological innovation is that the bulk of the underlying software for the virtualised world is open source. Indeed, Amazon’s EC2 Cloud relies heavily on virtualisation, and this primarily stems from Amazon’s use of its version of the open source Xen hypervisor software. In the virtualised world, a hypervisor is the overseer of the competing demands that virtual servers have on a physical computer’s RAM, CPU, bandwidth and storage capacity.
The problems ahead
The use of open source software in the cloud is not without its problems, in particular where restrictive open source licences are used and derivative works created.
Proprietary lock-in
Whilst many cloud suppliers use the open source LAMP stack to run on their servers (i.e. Linux, Apache, MySQL and PHP) and open source hypervisors to manage their virtualised platforms (eg Xen or the Linux-integrated Kernel-based Virtual Machine (KVM)), they may still use proprietary application programming interfaces (APIs) or modified open source APIs upon which the virtual machines are built. This, in some cases, can make it difficult to transition from one cloud supplier to another without requiring a significant amount of work and resulting IT spend – especially where vendors are not making available any modified open source software on the basis that there has been no deemed distribution.
However, in reality, provided that cloud contracts are negotiated effectively, then the risks can be mitigated and the usual commercial considerations and costs of transitioning can be understood and agreed in advance. The complaint that some cloud providers are restricting the ability to move platforms is arguably unfair – the desire for a service provider to seek a return-on-investment is not a new phenomenon, nor are we likely to see an IT community where such a business model is not predominant. It is simply a commercial question which focuses on service duration and cost allocation. Many argue that the full value of the cloud will not be realised until customers are able to easily and effectively migrate from one cloud platform to another. Until this is the case, the proprietary cloud may still present a problem for those seeking a more ‘open’ cloud.
Distribution in the cloud
The issue of what is or is not a distribution in the cloud is discussed above, and the GNU Affero GPL licence now specifically dictates that providing access to software over the cloud (ie SaaS) does amount to a distribution. However, questions still remain on the interpretation of GPLv2 and GPLv3 and the answers will ultimately depend upon the jurisdiction in which the software is licensed or used. As the cloud is not confined to one jurisdiction, there is potential room for dispute where users are accessing SaaS in different jurisdictions. This may ultimately create problems for vendor business models in the cloud where a distribution is deemed to have occurred in the jurisdiction where the cloud is based and the open source software must therefore be distributed. If this is the case, the ability of providers to exploit open source software under a commercial business model may well be restricted.
Derivative works in the cloud
In the open source world, what is or is not a derivative work of the original open source software can have extremely serious consequences when reciprocal ‘copyleft’ licences are used – the general rule of GPL is that if you use GPL source code then any derivative work that you create from it must be distributed on the terms of GPL. In the commercial world, this creates problems if proprietary code is deemed to be a derivative work, as this derivate work cannot be licensed under a proprietary licensing model. This area has always caused controversy in the IT community, particularly when libraries are statically or dynamically linked to computer programs. On the other hand, the GPL licences allow aggregation of software on the same storage medium without the requirement of reciprocity. This is logically different from creating derivative works, as the act of creating a derivative work is not the same as combining software on separate storage media.
However, in the cloud there are new questions about what is or is not a derivative work and whether or not any interaction of applications is simply an aggregation. For instance, is the virtual image a derivative work? Is the interaction between applications on a virtual server a derivative work? As with much of the law on open source, the provisions of the GPL have not been challenged or interpreted in court and therefore these questions remain unanswered at this stage.
Conclusion
It is a well-known proposition that open source would not have been as successful had it not been for the Internet. It is also now clear that the cloud would not have been as successful had it not been for open source. The cloud and open source are now the darlings of enterprise computing and the continued growth in the use of these opportunities raises interesting commercial and legal questions. As these technologies become more widely used, it is important that organisations understand the underlying legal issues associated with the cloud and open source.
Richard Graham is a TMT & Outsourcing Partner at Edwards Angell Palmer & Dodge LLP: rgraham@eapdlaw.com.
