Ever since Cisco acquired Linksys in 2003, Cisco and the Free Software Foundation (FSF), a charity with a worldwide mission to advance software freedom, have been at odds over Linksys’ use of FSF-copyrighted open source software. After five years of attempting to negotiate a resolution, the parties are now heading to court. FSF, having never sued a licensee before for copyright infringement, is suing Cisco for monetary damages, litigation costs and injunctive relief – remedies that could shut down a company, such as Linksys, whose products are dependent on the use of open source software.

According to the complaint filed on December 11, 2008 by the Software Freedom Law Center, Inc. (on behalf of FSF) in the US District Court for the Southern District of New York (Compl., Free Software Foundation, Inc. v. Cisco Systems, Inc., Civ. A. No. 1:08-CV-10764 (SDNY Dec. 11, 2008)), FSF alleges that Cisco, through its Linksys division, violated United States copyright law by distributing, through the sale of various products, FSF-copyrighted programs, licensed under the GNU General Public License (GPL) and the GNU Lesser General Public License (LGPL), without satisfying the terms of these licenses. One such term, which is intended to promote software “freedom,” requires that companies provide the complete and corresponding source code for the open source software - and any derivatives - when distributing such software to users. According to FSF, while distributing FSF open source software in certain Linksys products (e.g., routers), Cisco failed to satisfy this requirement. Notably, after filing the complaint, an FSF representative acknowledged that source code can be found on the Linksys Web site, but argued that such code is “often incomplete or out-of-date.” (Brett Smith, More background about the Cisco case (Dec. 11, 2008)). In considering this statement, we observe that, in many circumstances (perhaps even in this case), determining the extent to which source code must be disclosed is often a complicated and problematic exercise. The line between programs that are considered derivative works, which require complete source code disclosure, and those that simply “interact” with open source code, which do not require such disclosure, is often quite blurry.

As this case demonstrates, the purchase of a company that uses open source software has its risks. Such risks, however, may be greatly mitigated by putting in place an appropriate due diligence plan. Such a due diligence program would establish formal procedures to gather vital information necessary to make educated choices about a target company. As a first step, purchasers are advised to become familiar with a target company’s open source policy. Such a policy should be in writing and should include a process by which a company can ensure compliance with its governing open source licenses. The policy should be flexible, practical and sensible without being overly intrusive to the company’s software development process, and the policy should be compatible with the purchaser’s own open source policy. Without such a policy, a purchaser should proceed carefully, as the lack of an effective policy may be indicative of existing open source compliance issues that outweigh the benefits of the acquisition.

In addition, a purchaser must also perform due diligence on the target company’s inbound code. This analysis should be done carefully to determine (i) how the inbound code is currently being used by the target company, (ii) how it is going to be used by the purchaser, and (iii) how it will interact with the purchaser’s existing code. This analysis is vital to ensuring that inbound open source code does not infect the purchaser’s existing proprietary code and to unveiling any open source compliance issues. While the use of open source software can be extremely beneficial to a company, an acquiring company should conduct a thorough analysis of a target company’s use of open source software to mitigate the possibility of later being sued for copyright infringement.

Arent Fox is currently monitoring the status of the FSF case. For more information, please contact:

Anthony V. Lupo
lupo.anthony@arentfox.com
202.857.6353

Rachel J. Richardson
richardson.rachel@arentfox.com
202.828.3423