The Supreme Court has ruled in Google’s favor, stating that the use of 12,000 lines of code from Oracle’s Java SE program was permitted as “fair use.”
In its ruling, the Supreme Court states Google’s copying “only those lines of code that were needed to allow programmers to put their accrued talents to work in a new and transformative program” was deemed “a fair use of that material as a matter of law.”
The copied lines of code were “part of a user interface’ that provides a way for programmers to access prewritten computer code through the use of simple commands,” the court reasoned.
“As part of an interface, the copied lines are inherently bound together with uncopyrightable ideas (the overall organization of the API) and the creation of a new creative expression (the code independently written by Google)” the ruling states. “Unlike many other computer programs, the value of the copied lines is in significant part derived from the investment of users (here computer programmers) who have learned the API’s system.”
“Given these differences, application of fair use here is unlikely to undermine the general protection that Congress provided for computer programs.”
“The Google platform just got bigger and market power greater. The barriers to entry are higher and the ability to compete lower,” a spokesperson for Oracle said in a statement. “They stole Java and spent a decade litigating as only a monopolist can. This behavior is exactly why regulatory authorities around the world and in the United States are examining Google’s business practices.”
What does this new precedent mean for the future of Open-Source compliance?
Let’s consider the well-known fight with open-source licenses that began in October of 2018 when MongoDB, changed its license from the AGPLv3 license to something Mongo calls the Server Side Public License (SSPL). They were attempting to address an issue the company was experiencing with cloud providers that were using MongoDB code as their backbone to host SaaS versions of the database without sending money or contributions to Mongo.
“The market is increasingly consuming software as a service, creating an incredible opportunity to foster a new wave of great open-source server-side software,” said Eliot Horowitz, MongoDB’s co-founder and then-CTO, at the time. “Unfortunately, once an open-source project becomes interesting, it is too easy for cloud vendors who have not developed the software to capture all of the value but contribute nothing back to the community. We have greatly contributed to and benefited from open-source, and we are in a unique position to lead on an issue impacting many organizations. We hope this will help inspire more projects and protect open-source innovation.”
In June of 2019, Cockroach Labs, changed the license on its flagship product, CockroachDB, from Apache License version 2 to the Business Source License (BSL). The company isn’t stating that its license qualifies as open-source but refers to it as a “source available” license.
The change doesn’t affect users unless they use it for a commercial SaaS offering, the same as the MongoDB license.
“CockroachDB users can scale CockroachDB to any number of nodes,” the company said in a statement. “They can use CockroachDB or embed it in their applications (whether they ship those applications to customers or run them as a service). They can even run it as a service internally. The one and only thing that you cannot do is offer a commercial version of CockroachDB as a service without buying a license.”
We will continue to see enterprise companies move from permissive to more restrictive to enact more control of their products. Viral licenses such as the GPL require that if you modify or include code that is under a viral license in your code, you have to redistribute those modifications under the original license.
Most companies do not have Google-sized pockets to fight litigation. Few companies want to go through this arduous, expensive, and time-consuming process that only seems to benefit the lawyers fighting the case. 90% of the code used to build commercial software comes from open-source. How does an organization keep abreast of what open source their developers are adding on a daily basis? How do you know if a viral license is attached?
And If your company is considering a merger, acquisition, or internal corporate restructuring, it is important that intellectual property contracts (such as software licenses) are carefully reviewed to determine if the merger may have an effect on the surviving company’s ability to use the software or other intellectual property.
Threatrix scans your source code to produce a bill of materials that reports all of the open-source software used in and by your proprietary code. We report on all vulnerabilities and licenses that are associated with those open source components and make suggestions to move to a secure version of the component or automatically upgrade it to the next secure version or the latest secure version. We can quickly and seamlessly integrate into your existing DevOps environment to automate open source detection and automatically remediate vulnerabilities and ensure license compliance.