Open source software — or software licensed under terms that allow anyone to access, modify, and distribute the source code, subject to certain conditions — is ubiquitous in many domains, such as web development, cloud computing, artificial intelligence, and blockchain. Open source software, however, poses critical legal challenges and risks, such as compliance with license obligations, management of security vulnerabilities, and protection of intellectual property rights, which have implications for developers, businesses, and users. Tracking the latest developments is therefore important.
The first notable legal development in open source software is the rise of new license models that aim to address perceived shortcomings of the traditional open source licenses. For example:
- The Cryptographic Autonomy License (CAL), approved by the Open Source Initiative (OSI) as an open source license in February 2020, is designed to protect the rights of users to control their own data and cryptographic keys when using decentralized applications built on open source software. The CAL requires that any modifications or derivatives of the software also be licensed under the CAL, and that any service provider that operates the software give users access to their own data and keys in a portable format.
- The Ethical Source License (ESL) was proposed by a group of developers and activists in October 2022 as a means to prevent the use of open source software for unethical purposes, such as human rights violations, environmental damage, or discrimination. The ESL is not an open source license in its own right, but rather a set of additional terms that can be attached to an existing open source license. The ESL grants users a revocable license to use the software, subject to compliance with a code of conduct and a list of prohibited uses, and allows the licensor to terminate the license if they believe that the user has violated the ethical terms.
Secondly, there is increased awareness and scrutiny of security vulnerabilities in open source components. According to the 2023 Open Source Security and Risk Analysis (OSSRA) report by Synopsys, 84% of the audited codebases contained at least one known vulnerability, and 48% contained at least one high-risk vulnerability. The report also found that many industries showed concerning jumps in vulnerabilities over the past five years, indicating a lack of vulnerability mitigation activity. The report recommended that organizations adopt a comprehensive approach to managing open source security risk: conduct regular audits, maintain an inventory of dependencies and keep it current, implement a patch management process, and use automated tooling to match that inventory against published advisories.
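The last recommendation, matching a dependency inventory against advisories, is the part that is easy to automate. The script below is an added illustration, not code from the OSSRA report or from any vendor's tool: it reads a constructed SBOM-style component list, compares each component's version against a constructed advisory feed using introduced/fixed version ranges, and returns the findings sorted by severity so a CI job can fail on high-risk results. All package names, versions and advisory identifiers are placeholders invented for the example.

```python
"""Minimal open source dependency audit (added example, constructed data only)."""
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed inventory in a CycloneDX-like shape; not a real project's SBOM.
SAMPLE_SBOM = json.dumps({
    "components": [
        {"name": "libfoo", "version": "1.4.2"},
        {"name": "webkit-parser", "version": "2.0.0"},
        {"name": "cryptotool", "version": "0.9.7"},
        {"name": "leftpad", "version": "3.1.0"},
    ]
})

# Constructed advisory feed. IDs are placeholders, not real CVE identifiers.
# "fixed": None means no patched release exists yet (the hard case for patch management).
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "package": "libfoo",
     "introduced": "1.0.0", "fixed": "1.4.3", "severity": "high"},
    {"id": "EXAMPLE-2023-0002", "package": "webkit-parser",
     "introduced": "2.0.0", "fixed": None, "severity": "medium"},
    {"id": "EXAMPLE-2023-0003", "package": "cryptotool",
     "introduced": "0.9.0", "fixed": "0.9.5", "severity": "critical"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    component: str
    version: str
    advisory_id: str
    severity: str
    fixed: Optional[str]  # version to upgrade to, or None if unpatched


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> tuple, so '1.10.0' sorts above '1.9.9'.
    Non-numeric suffixes (e.g. '2.0.0rc1') are truncated to their leading digits."""
    parts = []
    for p in v.split("."):
        digits = ""
        for ch in p:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (or version >= introduced with no fix)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def audit(sbom_json: str, advisories: List[dict]) -> List[Finding]:
    """Match every component against every advisory for the same package name."""
    components = json.loads(sbom_json)["components"]
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append(Finding(comp["name"], comp["version"], adv["id"],
                                        adv["severity"], adv["fixed"]))
    # Most severe first, so the top of the report is what needs patching now.
    return sorted(findings, key=lambda f: SEVERITY_RANK.get(f.severity, 99))


def has_high_risk(findings: List[Finding]) -> bool:
    """CI gate: fail the build on any critical/high finding."""
    return any(SEVERITY_RANK.get(f.severity, 99) <= 1 for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for f in results:
        action = f"upgrade to {f.fixed}" if f.fixed else "no fix available; mitigate or replace"
        print(f"{f.severity:8} {f.component}=={f.version}  {f.advisory_id}  {action}")
    raise SystemExit(1 if has_high_risk(results) else 0)
```

Note that `cryptotool` 0.9.7 is not reported even though an advisory exists for it, because the installed version is at or above the fixed release; the version comparison is what separates an actionable finding from noise. A real feed would use the package ecosystem's own version semantics (PEP 440, semver, Maven) rather than the simple numeric tuple used here.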
A third legal development in open source software in 2022 was the ongoing litigation and controversy surrounding some prominent open source projects and contributors. For instance:
- Patrick McHardy, an early contributor to Linux, continued to assert GPLv2 compliance violations against various companies, using the threat of litigation in Germany to obtain monetary settlements. McHardy has been accused of acting like a copyright troll and abusing his rights as a contributor. In 2022, he shifted his strategy from demanding contractual penalties to seeking reimbursement for the time spent on his compliance analysis.
- MongoDB filed suit against Amazon Web Services (AWS) in November 2022, alleging that AWS infringed its trademark and engaged in unfair competition by launching a cloud service called DocumentDB that is compatible with MongoDB's API. MongoDB claimed that AWS copied its API without complying with its Server Side Public License (SSPL), which requires that any service provider offering a service based on MongoDB's software also make the source code of that service available under the SSPL. AWS argued that MongoDB's API is not protectable under trademark or copyright law, and that the SSPL is not an open source license.
As open source software continues to grow and evolve, we can expect more legal issues and challenges to arise in 2023 and beyond. It is important for developers, businesses, and users to stay informed and aware of the legal implications of using and contributing to open source software, and to seek professional advice when necessary.