Open Source Software Licenses: Novel Case Explores Who Can Enforce Them

Companies (including through the use of AI) are increasingly reliant on open source software to expedite their software development. A recent case filed in California, SFC v. Vizio, calls upon the state court to interpret two common open source software licenses in a manner that could aggressively expand the number of individuals who can bring a lawsuit to enforce the terms of open source software licenses and the scope of the disclosure requirements in these open source software licenses. If the plaintiffs prevail, then any downstream purchaser of a product incorporating open source software subject to certain licenses may be able to bring a lawsuit to force the disclosure of the proprietary source code in that product.

SFC Files its Complaint

In October 2021, the Software Freedom Conservancy (SFC), a New York-based nonprofit consumer rights organization, filed a complaint against Vizio, Inc., maker of, among other things, smart TVs that incorporate Vizio’s SmartCast operating system, known as SmartCast OS. In developing SmartCast OS, Vizio embedded certain open source software (OSS) subject to the GLPv2 and LGPLv2.1 licenses (the GPL Licenses). The GPL Licenses state that “if you distribute copies of [the open source software], you must give the recipients all of the rights you have. You must make sure that they, too, receive or can get the source code.” By failing to provide its SmartCast OS source code, SFC argues that Vizio has breached the terms of the GPL Licenses.

SFC’s complaint is novel since SFC is not suing as the licensor of the OSS. Instead, SFC asserts that, as a member of the public intended to benefit from the GPL Licenses, SFC is entitled to seek enforcement of those licenses against Vizio as a third-party beneficiary to the GPL Licenses.

Why Can SFC Bring This Action Against Vizio?

SFC argues that the plain language of the GPL Licenses supports SFC’s reading that Vizio must disclose the SmartCast OS source code, but what makes SFC of all parties entitled to sue and seek this disclosure? In the past, litigation enforcing the terms of OSS licenses have been brought by the rights holders, e.g., the authors or licensors of the OSS code. SFC admits that it does not have any copyright ownership interest in the OSS at issue and that SFC is not the licensor of any software used by SmartCast OS.

Instead, SFC argues that the GPL Licenses were created to ensure free and open access to software by the public, and that by purchasing a Vizio TV which uses the SmartCast OS, SFC becomes a third-party beneficiary of the GPL Licenses. A third-party beneficiary is someone who benefits from a contract without being a party. SFC argues that when Vizio sells a TV running the SmartCast OS, it distributes the SmartCast OS subject to the GPL Licenses, and all distributions of OSS under the GPL Licenses require disclosure of the entire SmartCast OS source code. SFC asserts that, as a purchaser of applicable Vizio TVs, it is therefore entitled to receive the source code under the terms of the GPL Licenses.

What Could This Mean for Software?

Vizio made several arguments in an attempt to dismiss SFC’s complaint. However, none were successful, and the case is now scheduled for trial in September of this year. If SFC is successful, this case could open the floodgates to third-party beneficiary enforcement of OSS licenses and, downstream purchasers of products or services including OSS governed by copyleft OSS licenses could bring a lawsuit to require the sellers to disclose their proprietary source code. Additionally, the proliferation of AI-powered tools and services may add a new dimension of risk in using OSS. One difficulty with enforcing OSS licenses has been detecting OSS usage by third parties. The development of AI systems capable of reverse engineering black box functions of programs could provide third parties unprecedented abilities to monitor and detect OSS usage. A decision in SFC’s favor, paired with the rapid innovations brought by AI, would significantly increase the risks associated with non-compliance of OSS licenses due to both: (1) the cost of defending against claims brought by third-party beneficiary plaintiffs, and (2) the burden of complying with any resulting settlement or court order (including the possible disclosure of source code).

While the Vizio case is still pending, SFC recently took aim at John Deere in a blog post accusing the farm equipment manufacturer of similar GPL violations and calling on them to disclose the source code of the software integrated into their products to downstream recipients of those products. According to the blog post, SFC has privately sought for over two years to convince John Deere to comply with its GPL obligations and disclose its complete source code to no avail. SFC has not yet filed a complaint against John Deere seeking to force disclosure of the source code.

Until we have more clarification from the court, what are some things that businesses could do to reduce the risk around the use of OSS?

• Develop, enforce and train employee and contractors on policies addressing the usage of open source software in your business: Implementing a company-wide policy to ensure that employees and contractors are informed of how to (and how not to) use OSS is often the first step in protecting from unwanted license requirements. Employees and contractors should be familiar with and regularly trained on these policies to safeguard against unintended uses of OSS. OSS policies may address pre-approval of OSS licenses before incorporation of OSS code and implement controls regarding the distribution and modification of OSS. OSS policies should be tailored to the nature of the business and the risks involved. When putting together an OSS policy, companies should think critically about how their business may create, use, or grow OSS.
• Become familiar with some of the common open source software licenses and their requirements: Not all OSS licenses require derivative source code to be disclosed or made available at no cost. Many OSS licenses focus on notice, attribution to the original authors, or disclaiming liability. When considering whether to include OSS in a project, review the licenses accompanying such OSS to check what obligations or rights they contain.
• Consider external legal and contractual obligations: Whether in the context of hiring a software developer, acquiring a SaaS company, or purchasing a software product from a key vendor, contractual terms can mitigate risk associated with OSS license requirements. Contractual protections may include clauses that require developers and vendors to disclose any OSS used in their products or services, allowing customers to review the OSS license requirements. Contractual protections may also allocate risk, for example including a representation that none of the software at issue includes OSS that would require the disclosure of any source code. Limitation of liability schemes should also address the potential costs of misuse of OSS. Companies should carefully consider their circumstances and what rights and obligations make sense for their business objectives.
• Review and remediate open source software usage on an ongoing basis: Numerous third party vendors and tools perform software audits to analyze a codebase and identify OSS and associated risks. If these audits identify problematic uses of OSS, companies may remediate by removing, re-developing, or replacing problematic OSS.

Whether your business needs help understanding OSS obligations, complying with OSS licenses, or negotiating agreements involving OSS, Orrick’s Technology Transactions team (or one of the authors) can help.