SOX and the GPL: no “special” risk, but the ordinary one is bad enough
Mar 15, 2006 — by LinuxDevices Staff — from the LinuxDevices Archive
This guest column by Wasabi VP and General Counsel Jay Michaelson responds to a reaction from Free Software Foundation General Counsel Eben Moglen to a Wasabi whitepaper that discussed potential interactions between Sarbanes-Oxley (SOX) legislation and the GNU General Public License (GPL).
Wasabi is best-known for BSD-based embedded operating system stacks licensed under the BSD (Berkeley Software Distribution) license, a less restrictive alternative to the GNU GPL (General Public License) used by Linux. Unlike the GPL, the BSD license does not require modifications and enhancements to be contributed back to the community at large, a “feature” that has made the license popular in some commercial applications, while arguably limiting BSD-licensed software's technical progress and adoption rates, in comparison to Linux.
A “talkback” discussion thread linked at the end of Michaelson's column offers LinuxDevices readers a chance to voice their own opinions about GPL/SOX interactions, and about GPL v. BSD license issues in general.
We are pleased that FSF attorney Eben Moglen and his colleagues at the Software Freedom Law Center have issued a thoughtful response to our white paper, When GPL Violations are Sarbanes-Oxley Violations. As in our previous discussions with Mr. Moglen, we find ourselves in agreement with him, and find his arguments to be excellent support for our position that cheating on the GPL poses serious Sarbanes-Oxley risks for companies.
The SFLC's white paper makes four arguments in support of its claim that the GPL poses “no special risk” in regard to Sarbanes-Oxley (“SOX”):
- SOX only applies to companies obliged to report to the SEC (Securities and Exchange Commission), including public companies, and those with significant assets or shareholders.
- SOX reporting is required only for software licenses deemed “material.”
- Companies subject to SOX must bear the cost of full SOX compliance whether or not they use software distributed under GPL.
- Criminal liability under SOX is only triggered by intentional misconduct.
We agree with all four primary arguments, but there are some important nuances that the SFLC's paper omits. In order:
- SOX applies to public companies — but also has retroactivity periods. If a company wishes to become a public company within three years (and, honestly, even if it doesn't), it should not be lying to its shareholders now. As we said at the outset, if you're stealing a copy of Microsoft Office, or you're a lone hacker not sharing your code under the GPL, this doesn't apply to you. But if you are the CEO of an embedded OEM or other corporate Linux user who is cheating on the GPL, it does.
- SOX reporting is, indeed, only required for software licenses that are material. But if an embedded OEM is selling a product with software in it, isn't it material whether they own the software or not? Remember, if you violate the GPL, you don't have any right to distribute the covered software. So, going around and telling people that you own your product is untrue, and it is materially untrue if that's the heart of your business. Again, if you have a stolen copy of Office lying around, it's one thing — but if you are selling mass quantities of that stolen software, it's something else. Would Mr. Moglen say it's not “material” that someone trafficking in stolen goods doesn't lawfully own the goods they are selling?
- Yes, but so what. We certainly never claimed that GPL-using companies have a higher SOX burden than others. We just observed that they might be in violation more often than others. As the FSF well knows, since it pursues over fifty GPL enforcement actions every year, the GPL is violated far more frequently than other software licenses. To be clear: any public company that doesn't rightfully own the goods it is selling, and tells its shareholders that it does, has SOX trouble.
- We think that cheating on the GPL is “intentional misconduct.” Doesn't Mr. Moglen?
Perhaps some of the confusion here came from some of the press coverage of the white paper, rather than the white paper itself. Sarbanes-Oxley is not a risk for mere users of Linux (as opposed to developers), private individuals (as opposed to companies), or those who fully comply with the GPL (as opposed to those who cheat). It is a risk for companies that cheat on the GPL, and make their money selling software they don't rightfully own.
Or perhaps some of the confusion has stemmed from Wasabi's own product line, which includes a GPL-free embedded operating system called Wasabi Certified BSD. It's certainly fair to observe that we have a stake in the game. But that doesn't invalidate our arguments; take a look at what we say and make up your own mind. In any case, Wasabi is not anti-GPL. Wasabi routinely develops software that is subject to the GPL and contributes it back to the Free Software Foundation. For example, sources contributed back to FSF can be found here and here. Our GNU suite for Intel XScale Processors can be downloaded here. We use Linux for some in-house work, and our Storage Builder line of products is compatible with Linux.
What we have noticed, over many years in the business, is that a surprising number of companies are unaware of the requirements of the GPL, and the consequences of cheating on it. We chose BSD as the basis for our embedded OS for a reason: because it allows people (and companies) to be free, not just software. Under the BSD license, Wasabi and its customers can keep code proprietary if they wish, for as long as they wish. That's why no one cheats on it, and why we don't need an enforcement arm prosecuting over fifty violations a year.
It's not that Linux poses any “special” Sarbanes-Oxley risk. It's that if you're a company, and you're cheating on the GPL, the ordinary one is bad enough.
About the author — Jay Michaelson is vice president and general counsel of Wasabi Systems. Prior to Wasabi, Michaelson founded and ran one of the first independent Internet consulting firms specializing in the non-profit and academic markets, with clients including Yale University and Tel Aviv University. He also worked for an Israeli law firm specializing in international technology-related transactions. Michaelson's work has been published in several newspapers and magazines, as well as law journals including the Yale Law Journal and the Duke Law Review. He received his J.D. from Yale Law School in 1997 where he was a senior editor of the law journal.
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.