Tech firms engage open source compliance to spur end user confidence
Having signed up to conformance standards organisation OpenChain, in-house counsel at Arm, Western Digital and a tech company say they are reducing open source licensing risk to make themselves competitive as suppliers
Tech companies are adopting licensing conformance standards to make traditional non-tech businesses more comfortable with open source use and to become more competitive as suppliers, according to in-house counsel.
As more companies seek to enter – or extend their share of – connected products markets with inventions such as smart medical devices and modules for driverless cars, software is becoming an increasingly important commodity in global supply chains.
More and more businesses are striking deals with software suppliers, or with companies that rely on their own software suppliers, but many end users have demonstrated caution over potential new partners’ use of open source code, with some stipulating that products should be completely free of open source tech.
These companies are fearful that a piece of software with third-party rights and restrictive licences attached might be incorporated into an end product and force them to put lucrative and otherwise proprietary code back into the open source space.
Patent Strategy revealed in July that car companies such as Volvo are just starting to become more accepting of suppliers using open source but that, until recently, they had been stipulating (and many still do) that components should be free from open source code.
Part of the reason these automotive companies have relaxed their restrictions is that they have become more accepting of software supplier arguments that open source helps drive forward tech development, and they have got better at conducting their own risk assessments.
The open road
But as part of tech firms’ efforts to drive acceptance of open source technologies to make it easier for them to take advantage of the open source space, many have signed up to licensing conformance standards bodies that ensure businesses are taking certain risk-mitigating measures.
It was announced in August, for example, that Arm and the Western Digital Corporation had become compliant with the OpenChain specification, an open source conformance initiative launched by the Linux Foundation.
“With open source, there is often a rush to get code available and not enough effort to determine the terms that code is being made available under,” says Luke Culpepper, principal counsel at Arm in Texas. “That was a problem everyone recognised, and OpenChain came along to solve a big part of it.”
Being a part of this community and standard, he adds, allows Arm to leverage the open source space while enabling end users to feel safe in the knowledge that the company, and other conformant businesses in the supply chain, have done all they can to mitigate licensing risk.
Sami Atabani, director of third-party IP licensing at Arm in the UK, adds: “We often see demands from customers in the supply chain for OpenChain conformity. And if one link in said supply is not conformant, customers will often ask why that is the case.”
Alan Tse, associate general counsel at Western Digital in California, adds that for tech companies in this day and age, it is important to understand how to use open source if you want to be competitive in the tech space and as a supplier.
“Conformance with OpenChain shows we want to be a part of the open source community and that we are serious about following the rules,” he says.
The head of IP at a tech company – also a member of OpenChain – says this initiative does indeed give companies greater comfort that their suppliers are managing open source licences in the right way.
“It is a reasonable and commercially oriented initiative that has been created to address this gap and the needs of the product company to ensure the supply chain is doing a good job with its legal obligations and due diligence.
“Auto companies, for example, are very bullish on OpenChain because they get their components from thousands of suppliers and they are used to having to ensure their suppliers are complying with legal and other requirements so the end product is safe.
“OpenChain is another way in which they are interfacing with their suppliers and ensuring they are meeting their requirements.”
OpenChain is now looking to set up an ISO standard for open source compliance in supply chains.
Many of the companies that have conformed with the OpenChain specification already had many of the necessary processes in place. The specification assumes that a company does not have a programme and so starts with basic improvements, such as setting up documented and published open source guidance for employees to refer to.
There are more advanced elements of the specification, such as setting out how a business should manage its supply chain in respect of open source code and vet some of the products it pushes out.
“It is largely about ensuring you have the right processes and people in place who are responsible for identifying the legal obligations contained within open source and that the business is conforming with those obligations,” says Tse at Western Digital.
He adds that there is a resource challenge, because establishing a new compliance regime always takes time and resources, and the IP department needs to sell that to the company.
“There will always be competitors who have chosen not to have those additional steps and there is that trade-off of implementing this regime at the expense of speed and not being able to compete on that level with businesses that are taking shortcuts,” says Tse. “So, it is important to have agreement on a new policy from within.”
In terms of those new processes and initiatives that companies have to introduce as part of their OpenChain conformance, Atabani at Arm says the ability to formalise and document the use of open source code is perhaps the most important.
When Arm uses open source in one of its products, for example, it will use a tool to list all the third-party IP contained within said product. That information can be easily communicated to customers up the supply chain when needed and is more easily accessible as a result.
“We have always taken IP management very seriously, but OpenChain has provided the initiative to adopt policies, processes and tools to help the company manage that flow of licence information,” he says.
By identifying all the licences attached to a piece of open source code, he adds, the company can also ensure that it, and other links in the supply chain, conform with the provisions of those licences.
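The inventory tooling Atabani describes, and the licence identification in the paragraph above, as an added illustration that is not Arm's, Western Digital's or OpenChain's own code: a small Python policy check over a constructed component list recorded with SPDX licence expressions. The licence categories, the component names and versions, and the "allowed for a proprietary distribution" policy are assumptions made for the example, not a statement of what any licence actually requires; a real programme would generate the inventory with a scanner and keep the category table under legal review.

```python
"""Toy licence inventory and policy check for a software bill of materials.

Added example; not the tooling of any company named in the article. The
component list and the category table below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed classification of SPDX identifiers (an assumption for this
# example, not legal advice). The category decides how much review a
# component needs before a proprietary product ships it.
CATEGORY = {
    "MIT": "permissive",
    "BSD-3-Clause": "permissive",
    "Apache-2.0": "permissive",
    "LGPL-2.1-only": "weak-copyleft",
    "MPL-2.0": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft",
    "GPL-3.0-or-later": "strong-copyleft",
    "AGPL-3.0-only": "network-copyleft",
}
# Ordering from least to most restrictive; anything not in CATEGORY is
# "unknown" and always goes to manual review.
RANK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2,
        "network-copyleft": 3, "unknown": 4}


@dataclass
class Component:
    name: str
    version: str
    license_expr: str  # SPDX expression as recorded in the inventory


def licence_options(expr: str) -> list[list[str]]:
    """Split a flat SPDX expression into OR-alternatives of AND-conjunctions.

    "A OR B AND C" -> [["A"], ["B", "C"]]. A "WITH exception" suffix is
    dropped for classification; the base licence still governs the category.
    """
    alternatives = []
    for alt in re.split(r"\s+OR\s+", expr.strip()):
        conj = [part.split(" WITH ")[0].strip()
                for part in re.split(r"\s+AND\s+", alt)]
        alternatives.append(conj)
    return alternatives


def effective_category(expr: str) -> str:
    """Category of the least restrictive way to accept the expression.

    Within an AND group the most restrictive term governs; across OR
    alternatives the recipient may pick the least restrictive group.
    Parenthesised (nested) expressions are not parsed here and are sent
    to review as "unknown" rather than risk a wrong answer.
    """
    if "(" in expr or ")" in expr:
        return "unknown"
    best = "unknown"
    for conj in licence_options(expr):
        worst = max((CATEGORY.get(i, "unknown") for i in conj),
                    key=RANK.__getitem__)
        if RANK[worst] < RANK[best]:
            best = worst
    return best


def check_inventory(components, allowed=frozenset({"permissive", "weak-copyleft"})):
    """Return (ok, findings); findings lists components needing review."""
    findings = []
    for c in components:
        cat = effective_category(c.license_expr)
        if cat not in allowed:
            findings.append((c.name, c.version, c.license_expr, cat))
    return (not findings, findings)


# Constructed sample inventory, as a scanner might emit it.
INVENTORY = [
    Component("zlib-like", "1.2.13", "MIT"),
    Component("libfoo", "2.4", "MPL-2.0 OR GPL-2.0-only"),         # dual-licensed
    Component("libbar", "0.9", "Apache-2.0 AND GPL-3.0-or-later"),  # GPL term governs
    Component("netsvc", "1.0", "AGPL-3.0-only"),
    Component("mystery", "3.1", "SEE-LICENSE-IN-README"),           # not an SPDX id
]

if __name__ == "__main__":
    ok, findings = check_inventory(INVENTORY)
    print("inventory clean" if ok else "components needing review:")
    for name, version, expr, cat in findings:
        print(f"  {name} {version}: {expr} -> {cat}")
```

The dual-licensed component passes because the recipient can take it under MPL-2.0, while the AND-combined one is flagged because the GPL term governs the whole conjunction; the unrecognised identifier is flagged too, which is the behaviour you want when the inventory is the basis of what gets communicated to customers up the chain.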
But of course, a supply chain conformance project works best when everyone in the chain is compliant. Culpepper adds that the next stage in Arm's compliance journey is to encourage other companies it works with to sign up to OpenChain and to deal with open source properly.
“It is great we are conformant but it will be better when other companies we interact with become conformant too because it will increase the confidence we have in open source compliance – not just in what we consume and the projects we are involved in.”
Software is becoming more important in global supply chains and leveraging open source opportunities is becoming increasingly important to software suppliers. As such, the days when an end user could simply restrict their suppliers from using open source are coming to an end.
But the risks associated with the open source space are still there, and as software firms want to speed up the rate of open source acceptance among traditional non-tech companies, the OpenChain specification and conformance initiatives like it are a good way to do that.