www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Karan, Cem F CIV USARMY RDECOM ARL (US)" <cem.f.karan....@mail.mil>
Subject RE: [Non-DoD Source] US Army Research Laboratory Open Source License (ARL OSL)
Date Fri, 29 Jul 2016 21:43:39 GMT
Hi Roy, as promised, I've gotten answers from ARL Legal, so I think I can 
answer your questions and comments at this point.

First off, I want to settle once and for all the question of whether or not 
the US Government can be sued.  Under the Federal Tort Claims Act (FTCA) - 28 
U.S.C. 1346(b), passed in 1946, the US Government waives some of its sovereign 
immunity claims.  In particular, if a plaintiff claims negligence on the part 
of the Government, they get to sue.  The Justice department cannot claim 
sovereign immunity in that case.  In addition, putting material in the public 
domain does not release the US Government (or anyone else) from responsibility 
or liability.  This is why ARL is not interested in either public domain 
release, or any of the weaker licenses.

Further comments are inlined below.

> -----Original Message-----
> From: Roy T. Fielding [mailto:fielding@gbiv.com]
> Sent: Wednesday, July 27, 2016 6:17 PM
> To: Karan, Cem F CIV USARMY RDECOM ARL (US) <cem.f.karan.civ@mail.mil>
> Cc: ASF Legal Discuss <legal-discuss@apache.org>
> Subject: Re: [Non-DoD Source] US Army Research Laboratory Open Source 
> License (ARL OSL)
> > On Jul 27, 2016, at 11:58 AM, Karan, Cem F CIV USARMY RDECOM ARL (US) 
> > <cem.f.karan.civ@mail.mil> wrote:
> >
> > I see your point, and your clause is a really good one, but the
> > problems of liability, etc. still need to be covered for the portions
> > of the code that are not protected by copyright.
> It isn't a clause.  Effectively, it is an additional license that a 
> recipient can choose to use if they ever have a need.  No, they won't ever 
> have
> that need, since the copyright owners are effectively stopped by their own 
> contributions.
> The only remaining concern would be contributions that are made by someone 
> who is not (controlled by) the copyright owner, which can
> only be addressed by the process surrounding accepting contributions.

If you mean someone taking code and contributing it in contradiction to the 
other rights holders (e.g., an employee of a company taking company code and 
contributing it without permission), then that falls on the person that 
violated the contract.  I'm not going to worry about that.

> >  As I understand it (I am not a lawyer, so I may be getting this
> > wrong), a license is a contract that pertains to intellectual property
> > (e.g., copyright) and contracts always have clauses.  Some contracts
> > put in a severability clause
> > (https://en.wikipedia.org/wiki/Severability) to ensure that as much of
> > the contract survives as possible should any part be found
> > unenforceable.  The Apache 2.0 license doesn't have that, so what happens 
> > if the license is found to not cover the uncopyrighted
> portions?
> It isn't relevant if the license in unenforceable, since nobody is trying to 
> enforce it.

It IS relevant if the liability, no warranty, and trademark clauses are also 
found to be unenforceable.  Again, the US Government doesn't like to be sued, 
especially if it has taken some effort to warn users that the code has no 
warranties associated with it.

> >  Does that open up the government to liability claims?
> No.

Yes it does.  See my comment at the very top of this message.  If the license 
is invalid, it is possible for the Government to be found to have been 
negligent, and get sued.

> >  What about other claims that
> > the Apache license would protect against if it were in force?  We need
> > a contract that works for all portions of the code, whether or not
> > there is a copyright.
> The software license is intended to protect the recipient of the software, 
> not the organization that chose the license.  You can't arbitrarily
> disclaim responsibility for your acts just by posting a notice of 
> disclaimer.

We can disclaim negligence, just not gross negligence.  If it were impossible 
to disclaim any negligence, then clauses 7 & 8 in the Apache 2.0 license would 
be pointless.

> The only thing the Apache license disclaims is liability for the recipient 
> choosing to make use of the rights being given to them, which is
> something you cannot (and don't need to) disclaim for stuff in the public 
> domain.

OK... so you're saying that if someone chooses to use the code, they do it 
under the license, correct?  Under the Apache 2.0 license, clauses 7 & 8 say 
that if you use this code, then the licensor disclaims liability and warranty. 
How is that any different from what the ARL OSL is trying to do?

> In any case, nobody is going to sue the government for making software 
> public domain, since that is required by law.  What you might
> want is a legal disclaimer on a website that is hosted by the government and 
> on which it publishes information for distribution to the
> public, but that should reflect the terms of use for that service.  It has 
> nothing whatsoever to do with the license on what is being
> distributed.

Now I'm confused.  Isn't that what the Apache 2.0 license is doing already? 
If you use material that is licensed under it, then you must comply with the 
terms, or your license to it is terminated, correct?  And part of the license 
are clauses 7 & 8, which explicitly disclaim liability and warranty.  How is 
that different from what the ARL OSL is trying to accomplish?  We can't do it 
via copyright enforcement, only by contract.

> > We can impose copyright like restrictions by contract even though
> > there might not be a copyright.
> No, that's not how copyright law works (you don't need a contract in order 
> to do what you are already legally entitled to do) and other
> laws, like the Freedom of Information Act, would immediately make such a 
> contract null and void.  The government can impose other
> restrictions, such as required security clearances and procedures, and might 
> even be able to control distribution under a patent if one has
> been granted.

The FOIA is much more unsettled around software that most would like to think. 

for more information.  Put simply, there is no guarantee that any given FOIA 
request would result in the software being released.

Copyright is a bundle of rights which attach to a work.  The copyright owner 
can restrict the ability of others to copy, perform, etc. the work.  The 
license is a contract that the copyright owner enters into promising anyone 
that redistributes the code that as long as they adhere to the terms of the 
license, the copyright owner won't sue them.  Because of copyright, if someone 
in possession of the code is not adhering to the license, they can be ordered 
to stop copying, performing, etc. the work, even if they've never entered into 
a contract.

So what about works that don't have copyright?  You may still enter into a 
contract with the other party.  The ARL OSL is a possible contract; anyone 
that downloads it will be agreeing to the contract.  So at this point, let's 
consider 3 parties, the US Government (USG), party A, and party B, and see how 
different scenarios play out:

1) Everyone plays by the rules, following the ARL OSL to the letter.  Everyone 
is happy, so this is the easy case.

2) Party A downloads the code from the USG.  At this point, they are in a 
contract with the USG.  If party A claims negligence, or warranty breach, etc. 
against the USG, the USG can point to the contract (the ARL OSL).  This also 
cover IP claims against the USG.

3) Party A downloads the code from the USG, and then passes it to party B, 
with or without modifications, but under the ARL OSL which is the original 
license.  Party B has now entered into a contract with party A, and all the 
terms follow.  There is no contract with the USG.  However, since they 
obtained the unmodified code under the ARL OSL from party A, party B must 
abide by all the terms, including clauses 7 & 8, which states that the USG 
provided the code 'as-is' and disclaimed all liability as the licensor (or 
contributor, in this case they could be used interchangeably).  This can be 
inductively extended to any party further down the chain.

4) Party A downloads the code from the USG, and strips out the license before 
handing it off to party B.  Party B decides to sue the USG. Since party A has 
violated clause 4, it is now responsible for its actions.  The USG may choose 
to go after party A for breach of contract.

5) Party A supplies IP entangled code to the USG, with the intention of suing 
anyone that downloads and uses it.  Once again, this is easily covered by the 
ARL OSL and the Apache 2.0 license.  It is NOT covered by public domain 
release, FPL, or other weaker licenses.  Although the USG is not directly 
harmed, it is embarrassing and causes a significant chilling effect as no-one 
knows if they are going to be sued by other contributors, so no one wants to 
use ARL-supplied code.

I hope that all this explains what we're trying to avoid by creating the ARL 
OSL, and why we need it.

Cem Karan

View raw message