GPL: Riskier Under Sarbox?

By Peter Galli  |  Posted 2006-03-13

Law center nixes fearmongering.

Users of the GNU General Public License have no need to worry about Sarbanes-Oxley.

That's the upshot of a white paper published by the Software Freedom Law Center on March 8. The paper dismisses recent claims that the GPL violates the Sarbanes-Oxley Act.

The SFLC's white paper follows those from the legal department at embedded-systems seller Wasabi Systems. Wasabi has posted online a licensing guide with a section on how SarbOx "has changed the open-source landscape by making GPL violations a federal crime."

Wasabi has also posted online a white paper, titled "When GPL Violations Are Sarbanes-Oxley Violations," that says SarbOx requires public companies to provide truthful disclosures of information, including ownership of intellectual property.

While some have argued that corporate executives face increased risk of criminal liability under SarbOx if their companies develop and distribute GPL-licensed code, the latest white paper from the New York-based SFLC maintains that these issues were reviewed and that there is no special risk for developing such code under SarbOx.

"Under most circumstances, the risk posed to a company by SOX [Sarbanes-Oxley] is not affected by whether they use GPL'd or any other type of software," the paper says.

Eben Moglen, the center's chair, said the recent discussions regarding the GPL and SarbOx prompted the SFLC to issue its position on the topic.

Moglen said the white paper will help all GPL users to clearly understand "no criminal charges on the basis of violating SOX have ever been brought against a GPL user."

The white paper also defines the realistic impact of a GPL violation as it could be applied under SarbOx, pointing out that the legislation generally applies only to public companies and that disclosure in a company's Securities and Exchange Commission reports is not necessary if its use of the license is immaterial to its business.

In addition, companies that must comply with SarbOx bear the full cost of compliance, regardless of the software licenses they choose, the white paper says. The paper also explains that if SarbOx applies to a GPL violation, it is not likely a company or developer would be criminally liable, since only intentional misconduct is liable for prosecution—an unlikely scenario for issues surrounding a well-established and broadly used license.

"The idea that a GPL violation could result in jail time is unreasonable," Karen Sandler, an SFLC attorney, said in a prepared statement.

The GPL and Sarbanes-Oxley

* SarbOx applies only to companies that file periodic reports with the SEC.

* If a company's reliance on a software license is not material, and it reasonably believes that harm from a license violation is not substantial, the company is not required to disclose the reliance in its periodic reports.

* Companies subject to SarbOx must bear the cost of full SarbOx compliance, whether or not they use "GPL'd" software.

* The SarbOx provisions impose criminal liability on executives who "knowingly" or "willfully" falsify their company's certification for SarbOx compliance, whether the software is GPL'd or not.

Peter Galli has been a financial/technology reporter for 12 years at leading publications in South Africa, the UK and the US. He has been Investment Editor of South Africa's Business Day Newspaper, the sister publication of the Financial Times of London.

He was also Group Financial Communications Manager for First National Bank, the second largest banking group in South Africa before moving on to become Executive News Editor of Business Report, the largest daily financial newspaper in South Africa, owned by the global Independent Newspapers group.

He was responsible for a national reporting team of 20 based in four bureaus. He also edited and contributed to its weekly technology page, and launched a financial and technology radio service supplying daily news bulletins to the national broadcaster, the South African Broadcasting Corporation, which were then distributed to some 50 radio stations across the country.

He was then transferred to San Francisco as Business Report's U.S. Correspondent to cover Silicon Valley, trade and finance between the US, Europe and emerging markets like South Africa. After serving that role for more than two years, he joined eWeek as a Senior Editor, covering software platforms in August 2000.

He has comprehensively covered Microsoft and its Windows and .Net platforms, as well as the many legal challenges it has faced. He has also focused on Sun Microsystems and its Solaris operating environment, Java and Unix offerings. He covers developments in the open source community, particularly around the Linux kernel and the effects it will have on the enterprise.

He has written extensively about new products for the Linux and Unix platforms, the development of open standards and critically looked at the potential Linux has to offer an alternative operating system and platform to Windows, .Net and Unix-based solutions like Solaris.

His interviews with senior industry executives include Microsoft CEO Steve Ballmer, Linus Torvalds, the original developer of the Linux operating system, Sun CEO Scott McNealy, and Bill Zeitler, a senior vice president at IBM.

For numerous examples of his writing you can search under his name at the eWEEK Website at

