Black Duck Lawyer: Due Diligence Can Help Avoid IP Disputes

By Peter Galli  |  Posted 2005-01-31 Print this article Print

At the OSDL Enterprise Linux Summit, an attorney for Black Duck Software advises enterprises using open-source software to establish policies to protect against intellectual property claims.

BURLINGAME, Calif.—As the issue of intellectual property and patent enforcement continues to gain traction in both the open-source and proprietary software industries, lawyers from open-source companies are clearly taking the issue seriously. In a talk entitled "Reviewing the Use of Open Source Software in the Enterprise" at the OSDL Enterprise Linux Summit here on Monday, Karen Copenhaver, general counsel at Black Duck Software Inc., said that copyright infringement was a crime and in order to protect themselves and their customers from potential legal issues, enterprises using open-source software need to assess their code base, evaluate the processes that are in place and undertake remediation.
Companies then need to roll out a compliance program, establish a due diligence policy and implement automated end-auditable business controls, she said.
Black Duck, of Waltham, Mass., is an information services company offering IP risk management and mitigation solutions. Black Ducks ProtexIP development program provides companies with an extensive license and source code knowledge base that can be used to identify instances of open-source software and associated license conflicts. Companies are already using ProtexIP in their open-source projects. Some, such as Testa, Hurwitz & Thibeault LLP, a leading Boston law firm, have found it useful in counseling its operating-company clients—as well as venture capitalists and institutional investors—on open-source issues. Its also important to note that when an enterprise decides to assess its code base, the first investigation is the most important, and who conducts that investigation is also critical as the process needs to be managed to best get accurate information, Copenhaver said. Companies also need to look at what steps they want to take to preserve attorney-client privilege when undertaking such an assessment so as to allow the information flow to be controlled and to limit the number of people involved in the investigation, she said. "But once a company has decided to scan all its code, it should prioritize projects and not assess the entire code base at once. One project should be reviewed at a time and that review should be completed before the next review is started. They must also make a real resource commitment and must be prepared to follow this through to the end. Also, the number of people involved in the review should be limited," she said. With regard to remediation, Copenhaver advocated "winning the right hearts and minds before charting a course of action. You should also avoid mandating a course of action advocated by lawyers alone," she said. The most difficult issue companies face after such a code review is code that has been distributed to third parties and the question of what their obligations are to notify third parties, she said. But before doing that, they need to fully understand the way the third party uses and redistributes the code as well as the third partys obligation to install updates. "A noisy withdrawal does not benefit anyone. Thorough preparation is extremely important and the focus going forward has to be on compliance," she said. Both open-source and proprietary software companies are now also providing IP and patent indemnification, from Microsoft Corp. and Hewlett-Packard Co. to Red Hat Inc. and Novell Inc. Companies also need to evaluate existing procedures, both the formal and informal ones, as well as identify opportunities to capitalize on good things and procedures that are already in place, Copenhaver said. "Common approaches usually involve developers identifying open-source projects they would like to use, with someone like the general counsel then evaluating the appropriateness of that project for the company. "But an ideal process really enables a company to embrace open source. It sets the proper tone for compliance and reduces the time and cost of development. It also identifies issues early in the development cycle, facilitates the efficient engagement of legal counsel in the review process and efficiently tracks compliance all the way through to product ship," she said. Check out eWEEK.coms for the latest open-source news, reviews and analysis.
Peter Galli has been a financial/technology reporter for 12 years at leading publications in South Africa, the UK and the US. He has been Investment Editor of South Africa's Business Day Newspaper, the sister publication of the Financial Times of London.

He was also Group Financial Communications Manager for First National Bank, the second largest banking group in South Africa before moving on to become Executive News Editor of Business Report, the largest daily financial newspaper in South Africa, owned by the global Independent Newspapers group.

He was responsible for a national reporting team of 20 based in four bureaus. He also edited and contributed to its weekly technology page, and launched a financial and technology radio service supplying daily news bulletins to the national broadcaster, the South African Broadcasting Corporation, which were then distributed to some 50 radio stations across the country.

He was then transferred to San Francisco as Business Report's U.S. Correspondent to cover Silicon Valley, trade and finance between the US, Europe and emerging markets like South Africa. After serving that role for more than two years, he joined eWeek as a Senior Editor, covering software platforms in August 2000.

He has comprehensively covered Microsoft and its Windows and .Net platforms, as well as the many legal challenges it has faced. He has also focused on Sun Microsystems and its Solaris operating environment, Java and Unix offerings. He covers developments in the open source community, particularly around the Linux kernel and the effects it will have on the enterprise.

He has written extensively about new products for the Linux and Unix platforms, the development of open standards and critically looked at the potential Linux has to offer an alternative operating system and platform to Windows, .Net and Unix-based solutions like Solaris.

His interviews with senior industry executives include Microsoft CEO Steve Ballmer, Linus Torvalds, the original developer of the Linux operating system, Sun CEO Scot McNealy, and Bill Zeitler, a senior vice president at IBM.

For numerous examples of his writing you can search under his name at the eWEEK Website at


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel