LLW2018: The FSFE brings together top legal experts to debate about cross-cutting legal and licensing issues around Free Software
Following more than a decade long tradition, the FSFE once again led its annual Free Software Legal and Licensing Workshop (LLW) in 2018: a meeting point for world-leading legal experts to debate issues and best practices surrounding Free Software licences. This year we decided to bring the event back to its roots and emphasise the "Workshop" part in its original title: around 120 legal experts gathered for a 3-day conference in Barcelona, Spain with an unprecedented amount of parallel tracks and interactive sessions designed to dive into the most contentious topics in the legal world of Free Software.
Traditionally, the whole event is covered under the Chatham House Rule, enabling confidential discussions under fair terms for all the participants. However, the part of the conference not covered by Chatham House Rule (as explicitly stated by speakers) was reflected in a series of articles by Jake Edge from LWN.net, who wrote about the following discussions that had taken place during the LLW2018:
Marcus von Welser and Armijn Hemel gave an overview of the recent GPL compliance case in Germany, where Patrick McHardy claimed that the company Geniatech violated his copyright in Linux kernel. The regional court in Cologne (Germany), where the case was brought into action in 2017 initially granted McHardy the injunction and obliged Geniatech to stop from distributing any version of the kernel. Geniatech appealed the injunction on the grounds of being too broad and restrictive, as Patrick McHardy cannot be perceived as a co-author of Linux kernel, as he claimed. In fact, his contributions to Linux kernel under GPL v.2 could only be considered as adaptations under German copyright law which gives him right to claim the discontinuation of distributing kernel versions with his modifications only. According to Marcus von Welser, there are more than 100 officially released versions of the kernel that do not include any contributions from McHardy. By ordering Geniatech not to distribute any version of the kernel, the court was covering kernels that were not even part of the dispute with McHardy. After an oral hearing at the higher regional court of Cologne in March 2018, McHardy eventually withdrew his application for an injunction. The case shows that there is a need for a wider information exchange on how to build adequate legal defense strategies against copyright trolls.
Dirk Hohndel presented the challenges of compliance of container images. With containers being a hot topic, there are many issues with container images and their compliance, according to Hohndel. Primarily, it is a common practice to just copy a container image from random internet locations, ignoring licences. According to Hohndel, such practice is not only a security nightmare but also a "rabbit hole" in terms of identifying what is actually shipped in such containers. While it is already hard to figure out which packages are included in the build, it is even harder to fix any compliance issues after you have identified any. The version and which patches are applied are also difficult to determine. Beyond that, the licences under which those packages are distributed are not obvious. This is why it is important to train software developers about the pitfalls of the container build systems, according to Hohndel. Additionally, containers need to be built with good compliance practices in mind: for example, starting from a base that has known-good package versions, corresponding source code, and licences. Needles to say, the anti-pattern of installing container images from random internet locations has to be avoided.
Mike Dolan presented the Community Data Licence Agreement, a legal instrument to enable sharing relevant data for applications like machine learning, blockchains, and open geolocation, similarly to how Free Sofware licences work for software. The idea behind the CDLA is to share data openly using the knowledge acquired from decades of sharing source code. There are two types of agreements in CDLA inspired by copyleft and non-copyleft licences for software. Solely applying Free Software licences to data is not optimal, as there are fundamental differences between data and source code, and this is why a separate legal instrument is needed in order to address issues that are data-specific. For example, data can be perpetual and this is why it might be impossible to recreate the same conditions under which such data was gathered. That means the license under which such data is released may be critical to how it can be used decades or even centuries from now.
Participants were also updated about recent developments and the Appeal's court's reasoning in the on-going legal battle between Oracle and Google over latter's use of Java application programming interfaces (APIs) in its Android operating system. It is long-standing tradition to borrow APIs from different products in software development in order to ensure compatibility between programs. In short, an API allows two or more programs to speak to each other by using common specifications. Oracle brought a legal action against Google back in 2012 claiming its copyright violation over the use of APIs written in Java. In 2012, a district court ruled that APIs are not subject to copyright. That decision was overturned by an appeals court and returned to the same district court. In 2016, the jury ruled that Google’s use of the Java APIs qualified as permitted "fair use" under US law. Oracle appealed the jury decision, stating that Google copied former's APIs solely for commercial purposes, copied thousands more lines of code than necessary, as well as lured Oracle's customers from licensing Java SE to switching to Android because Google provided free access to it. In March 2018, the appeals court sided with Oracle and ruled that Google's use of Java APIs in question was not fair as a matter of law. While the case is far from over, as Google can further appeal the decision in the Supreme court, it may set a precedent for software development in general.
Artificial intelligence (AI) and automated decision making and its connection to Free Software in the 21st century was another topic for a debate during the conference. When it comes to generalisation of automated decision making, we need to look beyond a Free Software licence to meaningfully address all the issues affecting users' rights. In the workshop discussion, participants concluded that automated decision making raises points that are not easy to solve. In particular, we expect every automated decision that affects humans to be accompanied by a human understandable explanation of why this decision was made. For machine learning techniques, and in particular deep learning, there is little understanding on how to ensure that AI is explainable, and it is currently an active area for research. There are also challenges when it comes to transparency and accountability of decision making processes. In particular cases, this criterion is impossible to achieve, e.g. by providing full access to medical history of a population used to train certain algorithms.
In another interactive workshop session, the participants gathered to identify and address the common legal pitfalls for public procurement of Free Software. The participants first identified a few real-life cases on how Free Software procurement process can be regulated. A legal requirement to prioritise procurement of Free Software (like it is the case in Italy) is a good option for more Free Software in public sector in law and theory. However, the Italian case lacks the practical implementation, as the law does not foresee sufficient sanctions in case of non-compliance. Another case comes from town of Barcelona, Spain, where advanced policies and guidelines for procuring Free Software for public sector are adopted on the local municipality level. In case of Barcelona, the decision to move towards more Free Software in public sector is made by procuring public authorities themselves, rather than by a top-down legislative requirement. The downside of such a "soft law", however, is the uncertainty of positive procurement policies once the mandate of politicians runs out. There is, therefore, a need for a culture change in public administrations and a strong political will to change existing preconditions in public procurement.
The workshop would not have been possible without the generous support of all the event's sponsors. In particular, we would like to thank our Platinum Sponsors: Intel, Red Hat, and The Linux Foundation.