www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lawrence Rosen" <lro...@rosenlaw.com>
Subject RE: Corporate Contributions
Date Tue, 22 Mar 2005 19:58:39 GMT
I agree with Jim on this. We should be very reluctant to turn ASF into some
sort of gatekeeper that monitors whether a contribution is made by an
individual or by an employee of a company. The legal issues are complex and
by no means consistent around the world. For example, I've been told
(hearsay!) that some countries take the very civilized approach of letting
the employee own his inventions and copyrights *unless* he contracts
otherwise -- an approach not available in the US.

There is another legal theory that should protect ASF and its software from
claims relating to employer/employee relationships: Negligent supervision. 

I would certainly argue that any company concerned about maintaining
ownership over its IP has a duty to inform its own employees and contractors
of its rules and to supervise them so that the company's rules are followed.
If a company allows its employees or contractors to contribute company IP
without authority, that's not ASF's responsibility nor the fault of the
downstream users of ASF software. 

As long as our website and contribution forms make our policy and our
disclaimer of responsibility clear to all concerned, I can't imagine ASF
having to get involved in an entirely private matter involving an individual
releasing corporate IP. 

If an improper contribution ever comes to our attention, I suppose we'll
have to deal with it at the time. I remember, for example, when an AOL
employee made an improper contribution under the GPL; the FSF said, in
essence, "we won't accept unclean code," and it was withdrawn. [This list
can speculate separately about the "can't unring a bell" doctrine as applied
to published open source software, but I'm convinced the public will
generally avoid software of questionable provenance like the body builds

/Larry Rosen

> -----Original Message-----
> From: Jim Barnett [mailto:jimb@bea.com]
> Sent: Tuesday, March 22, 2005 10:52 AM
> To: Joel West; Greg Stein; Lawrence Rosen
> Cc: legal-discuss@apache.org
> Subject: RE: Corporate Contributions
> Good points.  I agree that Apache could be made safer from submarine IP
> by making the validation process for ICLA-only signators stricter.  The
> question becomes "How strict is too strict?"
> Many truly freelance, self-employed developers contribute to OSS
> projects.  My fear is that the more cumbersome an OSS organization makes
> the qualification process for individuals, the greater the deterrent for
> those freelancers to choose to participate in projects sponsored by that
> organization.
> Taken to extremes, you could end up with projects mostly populated by
> employee-contributors from a handful of commercial software companies.
> Commercial firms tend to have their own strategic agendas for
> participating in OSS projects.  Those agendas may or may not be in the
> best interest of the particular projects they participate in or of the
> OSS community at large.  Individual contributors play an important part
> in protecting the independence of OSS projects from corporate interests.
> Out of curiosity, what sort of formal or informal validation does ASF
> currently do, if any, to determine whether an ICLA-only signator is
> self-employed?  E-mail addresses are suggestive, but obviously not
> foolproof.  Also I'm curious about other OSS organizations and their
> methods of reviewing individual contributors prior to accepting
> contrbutions.
> Bear in mind that the fact a contributor is confirmed via some vetting
> process to be self-employed does not necessarily eliminate the risk of
> submarine IP introduction.  Most freelancers are required to sign fairly
> lop-sided consulting services and invention assignment agreements with
> corporate principals for whom they develop code.  Such agreements are
> another source of adverse ownership claims similar to the claims of an
> undisclosed employer.
> Jim
> -----Original Message-----
> From: Joel West [mailto:svosrp@gmail.com]
> Sent: Monday, March 21, 2005 10:56 PM
> To: Jim Barnett; Greg Stein; Lawrence Rosen
> Cc: legal-discuss@apache.org
> Subject: RE: Corporate Contributions
> On 10:55 AM -0800 3/21/05, Jim Barnett doth scribe:
> >The CCLA-ICLA structure is certainly not foolproof.  Individuals
> >(intentionally or, more likely, unintentionally) may not disclose their
> >employment status at the time of contribution.  In some cases
> >employee-contributors may sign ICLAs when their employers have not
> >executed corresponding CCLAs.  In that case, the only assurance ASF
> (and
> >its downstream licensees) have is the representation made in the ICLA
> by
> >the contributor that he or she has the right to make the contribution.
> It seems to me that the CCLA is fine. In fact, it is a model for other
> OSS communities, including one I'm working on now. Instead, it's the
> option of the ICLA that creates the huge loophole and potential for
> exposure.
> Intentionally omitting one's employer is a problem. I don't know if the
> ASF has ever identified (or enforced) sanctions for misrepresentation of
> intellectual property or the right to make such a contribution.
> Even if we identify the employer, it gets sticky.
> If one is an employee of a company, and that company declines to sign a
> CCLA (either because the counsel hates it or is too busy to be
> bothered), then I find it hard to imagine a case where the
> employer/counsel would authorize the signing of the ICLA for IP
> generated by the employee.
> Suppose the employee is generating the IP on his own time, and it seems
> clear cut -- say the employer makes disk drives and the project is a
> Java interpreter. Still, (from my own experience as both an engineer and
> manager) interpretation of "own time" is a question of fact and law that
> would depend on things like an employment agreement and the relevant
> restrictions of state law.
> ASF has only limited resources and (like a firm) cannot possibly
> eliminate every legal risk. At the same time, the SCO suit is only the
> first example of other legal disputes that will arise over open source.
> One possibility to reduce the risk would be to create a questionnaire
> for ICLA signees. It would ask about occupation, employment, consulting
> arrangements, and maybe a few yes/no questions. The idea would be that
> if there are any factors that suggest a risk, perhaps it would be
> worthwhile to do a follow up to get further information.
> Another option is to take advantage of the skewed nature of
> contributions. For an ICLA contributor who passes a certain threshold
> (5? 10? 20?), do a due diligence to make sure everything is copasetic.
> That would cut down the amount a spadework to the cases with the most
> exposure.
> ASF seems less vulnerable a submarine IP or other hostile attack because
> of the nature of its market segment and competitors (as opposed to Linux
> that competes with lots of things). But given how many projects are
> being added and how broad a net they encompass, it seems like the risk
> would go up every month.
> Finally, ASF has been a pioneer for IP, for organizational structure,
> for incubating new projects. ASF's best practice will become the OSS's
> community's best practice, so the benefits of addressing this would go
> beyond the Apache projects.
> Joel

DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

View raw message