Open Source Software (OSS) is becoming increasingly important. What used to be driven by private bedroom projects is now being pushed primarily by companies of all sizes. Nowadays, companies are taking various approaches (e.g. so-called Open Source Fridays) to encourage their employees to program and use OSS for various purposes. OSS can make a decisive contribution to the development of innovative products and services, as well as to the optimization of internal processes. Open access to source code promotes collaboration and innovation, which leads to faster progress and broader availability of technical solutions. It also leads to better and more long-term maintainability of software and reduces dependencies on individual software suppliers, for example in the event of their insolvency.
License Requirements
Open source license conditions are characterized by fundamental requirements that must be met by the user. Depending on the specific license, these include:
- Free distribution: The license allows the software to be distributed freely. Users can copy, distribute and pass on the software without restriction.
- Source code accessibility: The source code of the software must be accessible. Users have the right to view, modify and improve the source code.
- Modification and derivative works: Users may modify the software and create derivative works. A special feature is a so-called copyleft license, which allows a work to be freely used, modified and distributed, provided that all derivative works are also licensed under the same license.
- No discrimination: The license may not discriminate against any person or group. It must be available to all users, regardless of their purpose.
- Technology neutrality: The license may not restrict the use of the software in specific technologies or product areas.
- Author’s source code integrity: While modifications are allowed, the license may require that the author’s original source code be preserved in a certain form, or that modified files be clearly marked as such.
- No usage restrictions: No restrictions may be imposed on the use of the software, for example, by prohibiting certain uses, such as setting an upper limit on the number of authorized users.
- Transfer of license: The rights granted in the license must also be transferred to third parties if the software is passed on.
However, different open source licenses (e.g. GPL, MIT, Apache) interpret these principles differently, which can lead to specific additional requirements.
Special Challenges in the Use of OSS
Furthermore, there are a number of legal aspects that need to be considered when using OSS. Particular challenges are:
Compatibility of Different Licenses
OSS is made available under various licenses, each of which has specific requirements and restrictions. A wide range of licenses are used. These licenses range from very restrictive ones, such as the GNU General Public License (GPL), which requires that derived works also be published under the same license, to more permissive ones, such as the MIT license, which has less stringent requirements. A significant risk is that the careless mixing of different license types within a project can lead to incompatibilities and legal conflicts. This applies in particular to the use of copyleft licenses.
Copyright
Deploying OSS does not mean that the intellectual property of the original developers is abandoned. Rather, the copyright remains with the developer and the code is only made available under the terms of the respective open source license. Therefore, it is important to ensure that you respect the rights of the copyright holders and do not use or modify any copyrighted content without authorization. Checking the license terms is also important to assess potential liability risks. Depending on the type of license, violating the terms can automatically void the granted rights of use and lead to criminal prosecution. Even with less strict license terms, any violation can lead to general civil claims. In particular, licenses with copyleft clauses can result in an obligation to disclose your own source code.
Security and Liability Risks
Since OSS source code is publicly accessible, it is also easier for attackers to discover potential vulnerabilities in it. Companies that integrate OSS into their products or IT infrastructure must therefore ensure that they regularly carry out security checks and promptly apply patches. In addition, there is the question of liability if damage occurs as a result of using OSS. In many cases, the licenses offer no or only limited protection against such risks.
Digital Laws and Open Source
New product liability directive (planned to come into force by the end of 2024)
- Strict civil liability for software manufacturers
- Exemption for free or open-source software that is developed or made available outside of a commercial activity (Art. 2 No. 2)
- A commercial activity already exists, among other things, if personal data is used for purposes other than improving the security, compatibility or interoperability of the software
AI Act (entered into force on July 1, 2024)
- According to Art. 2 para. 12, the AI Act does not apply to AI systems that are provided under free and open-source licenses, unless they are marketed or put into operation as high-risk AI systems or as an AI system that falls under Art. 5 (AI prohibition) or Art. 50 (transparency)
- This effectively renders the “OSS privilege” of the AI Act meaningless
Cyber Resilience Act (planned to come into force at the end of 2024)
- High product-related legal requirements for the development of software for digital products
- Additional obligations for so-called open source software stewards, who support OSS development in a systematic and sustainable way, e.g. by hosting source code or software development platforms
Open Source Compliance
In order to fully exploit the enormous potential of open source software, it is advisable for companies to set up an effective compliance system. An effective open source compliance system includes several central components that ensure that OSS is used in a legally compliant and standardized manner throughout the company. The most important components include:
1. Open Source Policy
A clear and comprehensive open source policy forms the basis for every compliance system. This policy defines the rules and procedures for the use of open source software within the company and is tailored to the respective company. Among other things, it determines which license types are acceptable, what obligations are associated with them, and what steps are to be taken in the event of a license violation. The policy serves as a binding guide for all employees and supports compliance with legal requirements and the minimization of risks.
2. Expert Task Force
In order to bundle internal company know-how, the establishment of a central committee of experts is recommended, especially for open source projects. This group bears central responsibility for the effective implementation and monitoring of open source compliance. It should have the necessary knowledge and experience to clarify questions regarding license compliance and to decide on the use of OSS components in case of doubt. It acts as a central point of contact for employees and ensures that all OSS uses comply with internal guidelines and external legal requirements.
3. Staff Training
Training employees is another essential component of an open source compliance system. It is crucial that all employees who work with or integrate OSS into their projects understand the importance of license compliance. Training helps to raise awareness of the potential legal and business risks associated with using OSS. It also provides knowledge about how to use OSS securely and effectively.