www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From robert burrell donkin <rdon...@apache.org>
Subject Re: Corporate Contributions
Date Fri, 25 Mar 2005 10:50:25 GMT
On Thu, 2005-03-24 at 19:54 -0500, Geir Magnusson Jr. wrote:
> On Mar 24, 2005, at 5:51 PM, robert burrell donkin wrote:
> >
> > i also find it hard to understand how any contribution by a UK employee
> > could put any downstream users at risk. if an employee takes existing
> > code copyrighted by their employer and intentionally makes it available
> > without permission then this is theft. a buyer acting in good faith who
> > purchased stolen goods is not liable (though stands to lose the good in
> > question which would mean that implementation would have to be 
> > rewritten
> > around the stolen material, i suppose). this applies in a very
> > straightforward fashion to open source contributions (from UK 
> > employees,
> > at least): providing that the copyright has been assigned to the ASF 
> > and
> > has no obvious signs that it has been stolen, then it can be safely
> > accepted.
> >
> I see at least two risks.
> First, is the SCO problem - that someone will be able to come and shake 
> them down after they have made a significant investment of 
> infrastructure and development around the software we create and 
> distribute.  Think about it - what if there was something in httpd that 
> allowed someone to go to Amazon and "offer" them a license or require 
> they drop their web servers....  It's probably a fairly easy 
> calculation to figure out what you could squeeze out of them.

i'm not at all sure that this scenario is possible under UK law in
particular or european law in general. in germany, SCO's attempts to
extract license money on the basis of code that it may or may not own
resulted in SCO being sued rather than the other way around. 

copyright is a criminal matter here and what matters is that the
downstream users act in good faith. it doesn't matter whether you buy
commercial software from a middleman who turns out to be fraudster or
download an open source product which turns out to contain stolen code:
providing that you acted in good faith, the worst that can happen is
that a court can rule that the software was stolen and that you must
return it to it's lawful owner. 

"offer"ing a promise not to report a crime in return for cash may be
construed as blackmail which is a serious criminal matter in the UK (and
most european jurisdictions, i think). IIRC this legal argument was the
one that persuaded SCO to stop offering licenses in germany.

for code contributed by european committers, i suspect that there really
isn't any middle ground: either the original code contained copyright
notices indicating that it was owned by the employer which were removed
unlawfully by an employee in an attempt to steal the code or the code
was never actually owned by the employer (the employee was moonlighting
on company time). 

in either case, until a court order is obtained by the employer,
downstream users should be safe provided that they act in good faith. i
would hope that any such court case would necessarily involve the
contributors who (it would be hoped) notify the ASF as soon as any writ
was moved. this should provide time to isolate and remove any suspect
IP. the ASF is right in demanding assurances from it's contributors
since this will prove that it was acting in good faith. 

the jurisdiction shopping element is more interesting. i wonder whether
ownership of copyright would have to be proved in a european court using
european ownership laws for code created in europe or whether a
multinational would be able to persuade a US court to apply US rules
governing ownership. i'd be interested to hear speculation on this


> Second, I'm worried about how an OSS project could be disrupted or even 
> hijacked - let some employee commit employer code and/or do work a 
> project in a significant way, and then after enough of that work 
> becomes core and fundamental to the project, announce it wasn't 
> permitted by employer and that the ASF must remove said code, which in 
> the absence of some indication that the employee had the right, we 
> would do.  That would have a significant adverse affect on a community, 
> and could allow in certain circumstances, that employer to fork the 
> project by licensing the employees work under a license we can't deal 
> with, and letting the project continue under their control....


there are two possibilities in this case: either the code in question
was owned by the company (and so had copyright notices) or the code was
owned by the employee when it was submitted.

copyright theft is a serious criminal matter in europe. admitting that
you removed copyright notices from code owned by your employer and
peddling it on the open market seems very likely to end up with you
spending a long time in gaol. providing that the ASF and downstream
users could prove they acted in good faith, then they would simply have
been the victims of an elaborate fraud and would have to rewrite the
codebase or license it from the company. from fraud, a CCLA provides no

if an employer allowed a european contributor to create code on company
time which was not copyrighted to the company, it would be difficult for
the company to claim ownership of the code. UK law in particular is
based on master-servant and there is a duty for the master to supervise
the activities of the servant adequately. where there is no question of
fraud, the usual sanction would be the sack. automatic assignment is
limited under UK statue. IIRC in the past, long court cases have been
required to reassign ownership from an employee to an employer and have
not always succeeded. again, in this case a CCLA would provide no real
protection: the relevant employment statue would be the question. 

again, the jurisdiction shopping element is interesting.


> > if the ASF is serious in going down this route then maybe some
> > consideration of the consequences on committers outside the US may be
> > appropriate...
> Of course :)  We may not get a perfect solution, but I believe that we 
> can improve on the situation.

US employment law seems pretty clear and requiring CCLAs from
contributors employed in the US sounds like a very good idea. in other
jurisdictions, though, employment law is very different. an enhanced CLA
for some jurisdictions may be a better idea. 

- rohert 

DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

View raw message