Mailing-List: contact legal-discuss-help@apache.org; run by ezmlm
Precedence: bulk
Received-SPF: pass (hermes.apache.org: local policy)
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: Corporate Contributions
Date: Thu, 24 Mar 2005 16:43:56 -0800
Message-ID: <32D5845A745BFB429CBDBADA57CD41AF0E752617@ussjex01.amer.bea.com>
Thread-Topic: Corporate Contributions
Thread-Index: AcUww7WpGo//4+1tR+mtItihcN/TTQAAPddw
From: "Jim Barnett" <jimb@bea.com>
To: "robert burrell donkin" <rdonkin@apache.org>, <legal-discuss@apache.org>

There are actually three distinct legal constructs implicated by the
example you give:  (1) innocent purchaser status, (2) license to use vs.
title, and (3) fiduciary duties of agents to their principals.

One principle of common law holds that where you have a good faith or
innocent purchaser who pays value for goods that turn out to be stolen,
that good faith purchaser nevertheless obtains the right to keep the
goods.  What is key here, however, is that a "sale" has taken place.

A license is a permission to do something.  A license does not pass
title to goods or other property.  In the ASF context, the ICLA signator
grants to ASF and downstream takers a license to do something with his
or her contribution.  He or she does not transfer title to the
contribution to ASF, but instead retains title to the contribution.
Accordingly, ASF and downstream licensees cannot be "purchasers" since
they never receive title.

A licensee generally can receive from its licensor no greater rights
than the licensor had the right to grant.  In the undisclosed employer
scenario, the employer rather than the employee-contributor may own the
contribution.  If so, when the contributor grants ASF and downstream
takers a license under the ICLA, that contributor can at most grant to
ASF and downstream takers what the contributor had the right to grant.
If the contributor had no right to make a grant at all (i.e., no license
or permission from its employer with respect to that contribution), ASF
and downstream takers receive no right at all to use the contribution.
That is why SCO went after not only IBM, but also several prominent
Linux users.

Employment laws in the US and the UK both derive from English common law
principles of "Master and Servant" or agency.  One feature of agency law
is that the agent owes his or her principal a fiduciary duty of loyalty.
This means that the agent is tasked with putting his principal's
interests before the agent's own interests for matters within the scope
of the agency. =20

To use a 19th century hypothetical example, the principal, knowing that
the barley harvest locally was poor, engages the agent to go to market
and purchase as much barley as the agent is able for 50GBP.  Upon
arriving at market, the agent learns that a Dutch ship has just arrived
loaded with barley from central Europe, boosting supply locally and
depressing the price.  The Dutch merchant is offering barley for 1 tonne
per GBP.  And has 50 tonnes available.  Instead of using the principal's
50GBP to buy 50 tonnes for the principal's account, the agent instead
uses the agent's own money to buy all 50 tonnes for 50GBP.  The agent
then offers the barley to the principal for 10GBP per tonne, thereby
breaching its fiduciary duty of loyalty to the principal.

To use a more current hypothetical example, say I am hired as an
employee by Company Z to work on Company Z's J2EE Java Application
Server.  I am specifically tasked with helping develop an EJB 2.0
implementation and related work.  Knowing that Company Z is interested
in EJBs and J2EE in general, each night when I return home, I use my own
laptop and my own ISP, electricity, etc., to develop a great EJB
generation tool.  Clearly that tool has direct application to Company
Z's business and more specifically to the specific tasks I've been
engaged to perform for Company Z.  I smell opportunity and I offer the
tool to the highest bidder for $10 million, in violation of my duty of
loyalty.  It does not matter that I have used my own time and resources.
The reality is that after entering into the agency relationship with
Company Z (and accepting the benefits of that relationship such as my
salary), my duty of loyalty to Company Z with respect to work in the
J2EE space requires that I provide all such "in scope" opportunities to
Company Z as part of the agency.

The principles of agency have evolved into statutory requirements which
vary state by state in the US, but most states' labor laws assign
ownership of work done by an employee within the employer's line of
business to the employer, irrespective of when the work was done or
whose resources were used to create it.  It sounds as if current UK
labor law may differ from the corresponding laws in the US.

It may be more likely that a UK employee will own the contributions he
or she develops due to more pro-Employee invention ownership laws, that
increased likelihood of a "clean" contribution still does not address
the root question:  How does the ASF know that an employee's
contribution is really "clean" in the absence of a CCLA from his or her
employer?  Even under UK law the question of whether the employee worked
exclusively on his or her own time using his or her own resources
determines whether the employer or employee owns the contribution.

Has ASF ever considered some form of employer "quitclaim" document?
That would be a document that acknowledges the employment status of a
contributor, acknowledges that the employer is aware that the employee
is working on an ASF project and has no objections, and a disclaimer of
any right, title or interest in any works the employee contributes to
the project.  It might be less burdensome than a formal CCLA, in that
the CCLA actually has the employer making representations and granting
rights to ASF and downstream licensees whereas a quitclaim would really
be more a disclaimer of any rights in or responsibilities for an
employee's contributions.

Hmm... =20

-----Original Message-----
From: robert burrell donkin [mailto:rdonkin@apache.org]=20
Sent: Thursday, March 24, 2005 2:51 PM
To: legal-discuss@apache.org
Subject: Re: Corporate Contributions

On Thu, 2005-03-24 at 13:41 -0500, Geir Magnusson Jr. wrote:
> I got rid of all the CCs.
>=20
> On Mar 22, 2005, at 1:51 PM, Jim Barnett wrote:
>=20
> > Good points.  I agree that Apache could be made safer from submarine
IP
> > by making the validation process for ICLA-only signators stricter.
The
> > question becomes "How strict is too strict?"
>=20
> I've proposed asking that a CCLA be required from everyone with an=20
> employer specifically to protect the employee as well as the ASF, to=20
> prevent accidentally (or intentionally) submarining IP into a project.
>=20
> I realize that this is an additional burden for contributors and the=20
> foundation, but... ("SCO, anyone?")
>=20
> The JCP is also looking at this issue as there is a real fear there=20
> that IP will be contributed accidentally by an individual that would=20
> put the implementors and users of a spec (as well as the spec) at
risk.

FWIW i fear that requiring CCLA may cause difficulties for (in
particular) european committers.

IANAL but...

employment law in the UK (and the rest of Europe, i think) is both
different and clear: any work you do in your own time on your own
machines belongs to you (unless you specifically assign it to your
employers). however, the CCLA is a difficult document for european
employers. the effect of it's incorporation into a UK employment
contract is hard to predict. it may not be enforceable. alternatively,
it may translate into a positive right to create open source on company
time. at the very least, any company would be faced with the not
inconsiderable expense of seeking a legal opinion.=20

i have always asked whether there are any objections to my hacking OSS
in my own time (for politeness sake) but my experience has been that
though employers may agree verbally and may even be willing to agree to
a memorandum of understanding about the current UK employment statue,
they will not sign a document like the CCLA. it simply exposes them to
too many potential liabilities.=20

i also find it hard to understand how any contribution by a UK employee
could put any downstream users at risk. if an employee takes existing
code copyrighted by their employer and intentionally makes it available
without permission then this is theft. a buyer acting in good faith who
purchased stolen goods is not liable (though stands to lose the good in
question which would mean that implementation would have to be rewritten
around the stolen material, i suppose). this applies in a very
straightforward fashion to open source contributions (from UK employees,
at least): providing that the copyright has been assigned to the ASF and
has no obvious signs that it has been stolen, then it can be safely
accepted.=20

if the ASF is serious in going down this route then maybe some
consideration of the consequences on committers outside the US may be
appropriate...

- robert


---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org