www-legal-discuss mailing list archives

From "Jim Barnett" <j...@bea.com>
Subject RE: Corporate Contributions
Date Fri, 25 Mar 2005 01:15:01 GMT
All of this sounds eminently reasonable and commonsensical.  But
remember, we aren't dealing with common sense here, but rather with law
and lawyers.  (How's that for a little self-deprecation?)


Some thoughts in-line, below.


-----Original Message-----
From: William A. Rowe, Jr. [mailto:wrowe@rowe-clan.net] 
Sent: Thursday, March 24, 2005 3:32 PM
To: Geir Magnusson Jr.
Cc: legal-discuss@apache.org
Subject: Re: Corporate Contributions


At 12:41 PM 3/24/2005, Geir Magnusson Jr. wrote:


>I've proposed asking that a CCLA be required from everyone with an
>employer specifically to protect the employee as well as the ASF, to
>prevent accidentally (or intentionally) submarining IP into a project.


There is an additional theory I'll relate as hearsay, IANAL,
but to limit the unwanted spread of trade secrets, intellectual
property etc requires adequate supervision by the employer.


Trade secrets are a very different beast than copyrighted and/or
patented works.  The Uniform Trade Secret Act (variants of which have
been enacted in many states), affirmatively requires that the owner of a
trade secret exercise some degree of care in preserving its secrecy and
limiting by contract third party access to such trade secret.  No such
requirement exists as clearly with respect to other types of
intellectual property.


I'd be fascinated to see any case law, but one could argue that
open source contributions are one of the (technically) most
transparent external activities one can engage in outside of
one's employer.  An engineer moonlighting for another firm would
be totally outside the view of one's employer.  But anyone can
see one's public activities on the internet.


<me>googles "Geir Magnusson" and chuckles</me>


It seems counterproductive to require a CCLA.  If it is a malicious
contribution, we can deflect the onus back on the employee, and
ultimately on the owner of the intellectual property if they were
party to 'submarining' our code base.  Their claim to own code they
'planted' in our code base would (IMHO) be laughable.


What if it is a malicious contribution as it relates to the employee,
but not as it relates to the employer?  In other words, what if the
employee maliciously, willfully, intentionally, etc., hacks into his or
her employer's secure internal systems and lifts valuable code belonging
to his or her employer, without the employer's knowledge or consent,
then contributes that code to an ASF project?  In this example, the
employer (1) owns the code and (2) never agreed to permit its
contribution to ASF.  Under US law, at least, the employer most likely
could require ASF and all downstream licensees of the stolen code to
stop using it.  It is even possible that ASF and those taking through it
could have some liability for money damages to the employer.  Under the
ICLA ASF could go after the employee for breach of the employee's
representation that he or she had the right to make the contribution,
but will that make ASF and/or downstream takers whole?  Not likely.   


It's sort of like leaving a $20 bill on the table at McDonalds,
and leaving the establishment.  Your 'ownership' of that $20 bill
becomes most dubious.


The real risk is an employee who doesn't understand their employment
contract, and doesn't know to see a CCLA based on their employment
contract, state law, and their Employer's awareness / complicity in
their open source participation.  The most dangerous situation is
a jurisdiction in which the Employer owns all IP the employee creates,
and was never made aware of the employee's participation.


So perhaps modifying the CLA to point out that these situations can
lead to problems, remind them they are asserting they have the legal
right to grant their code submissions, and point them to the CCLA
if the situation is either ambiguous or if they explicitly do not
have such rights.


The problem with stopping at the ICLA is that the ICLA is a contract
solely between ASF and the contributor.  The contributor's employer is
not a party, no matter what ASF requires the employee to represent with
respect to the employer's awareness of or consent to the employee's
participation.  That document does not have any effect on the employer's
actual rights and remedies.  In the case where an employee-contributor
for whatever reason (malicious or simply accidental) signs an ICLA, and
does not have his or her employer sign a CCLA, then later contributes
something that actually belongs to the employer, having a beefy, clear
ICLA on the issue is great for ASF asserting its remedies against the
employee, but accomplishes little defensively against the employer's
ownership claim.   


There's a second side effect, assuming we must have a CCLA from
every employer opens the ASF to huge issues today.  There is no
reason to go that far overboard, IMHO.


How do other organizations (W3C, Oasis, Eclipse, etc.) handle this
issue?  Do they have employers sign separate contribution agreements
covering employee participation?  I'm wondering if we can come up with
some industry "best practices" on this issue.


Bill <IANAL> Rowe





DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.

