www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David A. Wheeler (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LEGAL-100) Modifications to CCLA for the National Security Agency
Date Thu, 13 Oct 2011 14:32:12 GMT

    [ https://issues.apache.org/jira/browse/LEGAL-100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13126618#comment-13126618

David A. Wheeler commented on LEGAL-100:

I completely agree that the Apache CCLA needs to be modified to allow contributions by governments
(at least the U.S. and Crown copyrights).  In fact, the ICLA has the same defect.  I suggest
rewording them using existing agreements of other organizations as a guide, with help from
the contributors.  Only a small change is needed, and the result should be simple and clear.

This kind of text, acknowledging that contributors need not have the copyright, is *normal*
in journals and standards bodies, and its omission in Apache's CCLA (and ICLA) is a problem
that needs fixing.  For example, look at the IEEE contribution form (http://www.ieee.org/publications_standards/publications/rights/copyright_form.html)
which says: "The undersigned hereby assigns to ...IEEE... all rights under copyright that
may exist...  U.S. Government employee certification (where applicable)....  This will certify
that all authors of the Work are U.S. government employees and prepared the Work on a subject
within the scope of their official duties. As such, the Work is not subject to U.S. copyright
protection."  Notice that this contribution agreement is specifically worded to account for
this.  You'll find this kind of text is really common in organizations that take contributions
from governments.  It's a mistake that Apache's agreements do not, but it's a mistake that
is easily corrected.

I don't think the proposed wording is correct, though.  First of all, you don't have to be
a copyright holder to have the right to make this agreement.  For example, the government
often isn't the copyright holder, but has the same rights as a copyright holder, and that's
what matters.  The proposed "2. Grant of Copyright License..." looks okay, but I'd change
the the definition of "You" to simply say:
   "You" (or "Your") shall mean the copyright holder or a legal entity authorized to make
this Agreement with the Foundation.
You should probably change "Corporation" to "Corporation or Government" too.

I've written a journal article about the legal rules when the U.S. government wants to release
open source software that it developed:
  http://journal.thedacs.com/issue/56/180  (see especially "case A").

Asking "who holds the copyright" is often the wrong question, as I discuss here: http://www.dwheeler.com/essays/ask-not-holds-copyright.html

The key thing here is that when U.S. government employees develops software as part of their
official duties, the result cannot (normally) be copyrighted in the US at all, per 17 USC
105.   This doesn't apply to software developed by contractors.

There are lots of comments on this topic; please allow me to reply to a few.

> We do not need permissions from "the owners of contributions not subject to copyright."
Indeed, they are not copyright owners. What does NSA believe they are the owners of?

I agree that the proposed text is not well-worded.  I hope that my comments above help fix

> A copyright license is already limited to material for which copyright exist; nothing
else needs a license. Please stop asking us to acknowledge that we can use what is free for
the taking.

The CCLA is not just a copyright license.  There are lots of reasons that a government work
cannot be included in Apache, not just copyright.  If Apache wants to abandon the CCLA entirely,
that is Apache's choice, but if Apache asserts that "everyone must sign the CCLA" then the
CCLA needs to be written in a way that allows everyone to sign it.

> The CCLA does that. It doesn't require that a contribution be copyrighted before a patent
license is granted for that contribution.

I don't see how you can support that interpretation.  The text in http://www.apache.org/licenses/cla-corporate.txt
" 'You' (or 'Your') shall mean the copyright owner or legal entity authorized by the copyright
owner that is making this Agreement with the Foundation."  Since there is no copyright holder
in the US, by definition there is no one who can be referred to as "you", so the whole agreement
cannot apply (because it's an agreement with "you").

> If NSA wants to establish a broader relationship with Apache than the CCLA calls for,
please let us know what that is. Otherwise, we just need a license to whatever copyrights
they actually own, and the existing CCLA is perfectly adequate for that.

The problem is that the CCLA text requires that there is a copyright holder (it's embedded
in the definition of "you"), and there is none.

> Benson, I agree that a CRADA is a giant PITA, but it is also a way for a government agency
to define the level of cooperative participation it expects to play in an Apache PMC. It is
a way for a government agency to describe process *other than copyright licensing*, although
statements of its commitment to (e.g., Apache's) particular licensing model belongs in a CRADA
also. My understanding of CRADA documents is limited to one with the Dept. of Defense that
took far more time for the government lawyers to write up than it took to implement. But the
government operates by its own rules, and I'd encourage them to ask their own lawyers what
to do in this case.

There is no law that requires that a CRADA be used for this purpose.  A CRADA like an aircraft
carrier: When you need it, you need it, but it's expensive to use.  There's no need for a
CRADA here.  The US government is just asking for the same kind of text that other standards
bodies have.

>> Perhaps the patent license would be unnecessary until such time as NSA actually held
or applied for a patent on the relevant material?
>The CCLA doesn't require that there actually be patent claims at stake. The patent grant
would be nugatory until NSA actually held relevant patents.

Sure, but the NSA can't sign the CCLA as it is currently written for this particular package.
 They could sign it if contractors had written the code, but they can't in this case.

> I'm sorry, I still don't understand what *real* problem NSA is trying to solve by revising
our CCLA. May I be so bold as to suggest that the government lawyers you are talking to don't
understand copyright and patent licensing or the public domain in the context of open source.

That certainly happens, but I don't think that's the problem in this case.

> I'll be glad to speak directly with whatever government attorney is suffering from licensing
heartburn. The CCLA is fine as it is for the purposes NSA intends.

No, the CCLA is absolutely NOT okay in this case.  As I quoted above, the CCLA *requires*
that there is a copyright holder.  It is not optional, because the existence of a copyright
holder is baked into the definition of 'you' in particular. But in this case, because only
government employees wrote the code, as part of their official duites, there is no copyright
holder (in the US at least).  So either Apache (1) waives the CCLA for these cases, (2) creates
a special CCLA-like document for government contributions, or it fixes the CCLA.

> In order to encourage government employee committers to work within Apache, I welcome
them to sign ICLAs. Why not?

Because the ICLA has exactly the same defect.  The ICLA (http://www.apache.org/licenses/icla.txt)
says, " 'You' (or 'Your') shall mean the copyright owner or legal entity authorized by the
copyright owner that is making this Agreement with the Foundation."  Since there is no copyright
holder, there is no "you" or "your" to refer to.

> As for receiving contributions that are in the public domain: What law prevents us from
just taking them?

If the government has itself released the software without it being copyrighted, then Apache
can just use it.  But in that case, Apache needs to state that Apache will NOT require CCLA
or ICLA signatures for code that is not copyrighted in its country of origin.  It's just Apache's
house rules that require contributors to sign the CCLA or ICLA.  But if Apache wants people
to sign the CCLA or ICLA, then contributors must be able to honestly sign it.

>  Or more appropriately, perhaps, filing a Freedom of Information Act (FOIA) demand for
their production.

That does not necessarily work.  I can give you more details offline if you like, but that
is a long discussion that is tangent to this one.

> Nor do I want my government to avoid working with us because they don't know how to give
us something we already co-own.

The term "ownership" is actually really misleading.  Apache doesn't own the software produced
by government employees as part of their official duties!  I'd suggest changing "copyright
owner" to "copyright holder" (because you HOLD right, not OWN rights), and so on.  That's
not required to make this work, but if you're going to make changes anyway, it may as well
get clearer.  See: http://www.dwheeler.com/essays/intellectual-rights-not-intellectual-property.html

> The reason I suggested a CRADA previously is that these agreements are designed for *cooperative*
research and development. If NSA or any other government agency wants to work with us, with
either a written CRADA or an implied one, Apache should accept that cooperation gratefully.

If the government wants to set up a CRADA, sure.  But that's suggesting the use of an aircraft
carrier, when a one-page letter will do. CRADAs are NOT easy things to get in most places.
 A small fix in the CCLA (and ICLA) is all that's needed.

> Modifications to CCLA for the National Security Agency
> ------------------------------------------------------
>                 Key: LEGAL-100
>                 URL: https://issues.apache.org/jira/browse/LEGAL-100
>             Project: Legal Discuss
>          Issue Type: Question
>            Reporter: Adam Fuchs
> In preparation for contributing Accumulo to the incubator, the National Security Agency
has submitted a modified version of the CCLA. The modifications include a broadening of the
definition of "You" and "Your" to include owners of contributions not subject to copyright,
and a limit on the copyright license to the material for which copyright exists. We would
like to know if this modified CCLA is acceptable to cover our participation as Apache committers.
The modified paragraphs follow:
> ...
>     "You" (or "Your") shall mean the copyright owner, the owner of a
>     contribution not subject to copyright, or legal entity authorized by
>     the copyright owner that is making this Agreement with the Foundation.
>     For legal entities, the entity making a Contribution and all other
>     entities that control, are controlled by, or are under common control
>     with that entity are considered to be a single Contributor. For the
>     purposes of this definition, "control" means (i) the power, direct or 
>     indirect, to cause the direction or management of such entity, whether
>     by contract or otherwise, or (ii) ownership of fifty percent (50%) or
>     more of the outstanding shares, or (iii) beneficial ownership of such
>     entity.
> ...
>  2. Grant of Copyright License. Subject to the terms and conditions
>     of this Agreement, You hereby grant to the Foundation and to
>     recipients of software distributed by the Foundation a perpetual,
>     worldwide, non-exclusive, no-charge, royalty-free, irrevocable
>     copyright license to reproduce, prepare derivative works of,
>     publicly display, publicly perform, sublicense, and distribute
>     Your Contributions and such derivative works, to the extent that
>     copyright exists in the Contribution(s).
> ...

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

View raw message