FOSS Software and SAAS

Summary [updated 25 March 2008]

This is something of a theoretical argument, and one which is unlikely to see the light of day in court (if only because the court rooms in the Sydney registry of the Federal Court have no windows). The thrust of the argument is that the manner in which a SAAS model is implemented using FOSS might determine whether or not the implementation is legal/licensed. Conversely it may provide a means for businesses to “monetize” open source applications if they control sufficient copyrights (although probably not possible with software under GPL v3). In short, it may be that recent “innovations” in copyright law have indirectly harmed open source models by shifting the ground underneath them.

Note on Application to Closed Source

This argument will probably also apply more or less unchanged to closed source programs, although in that case the licensor has flexibility to expressly customise the licence to cover end users. This may not be a practical option for FOSS licensors.

Note on Commercial Application [Added 25 March 2008]

If this argument is correct, then another consequence is that those projects which control the copyright of the software will be able to exclude or charge others (ie competitors) from providing SAAS for the software. Indeed, it may be the case that anyone who has copyright in part of the software can prevent its use under a SAAS model. Assuming the community thought this was inappropriate, a business doing this would then run the risk of being blackballed.

Argument

The legislative background is (section references to the Copyright Act (Cth) 1968):

1. it’s illegal to make a reproduction in a material form (s 31(a)(i)) of a substantial part (s 14(1)) of a literary work (which includes a computer program (s 10));
2. subject to an exception, a reproduction in a material form can include reproductions made (including made in memory) in the course of running the program. While ultimately a question of fact in each case, historically judges have refused to say that a reproduction in memory of a computer program while it is running is an infringement by reason that, because the copy could not ordinarily be reproduced from the memory, if it was a reproduction it was nevertheless not in a material form, thus not an infringement under s 31(a)(i); However, (as part of the AUSFTA – s 186 of the US Free Trade Agreement Implementation Act No 120 of 2004) the definition of material form has been changed so the capability of reproduction no longer counts and a copy of the program in RAM is now fair game for an infringement argument; and
3. the exception (s 47B(1)) says that the normal running of a program is not an infringement if certain conditions are met. Those are – the reproduction is “incidentally and automatically made” as “part of the technical process of” running the copy (s 47B(1)(a)); and “the running of the copy is done by, or on behalf of, the owner or licensee of the copy” (s 47B(1)(b).

So the relevant questions are:

1. when a customer fires up their browser and logs on to an instance of a piece of SAAS are they running a copy of the program (or do they otherwise run such a copy); and, if so,
2. are they doing so “by, or on behalf of, the owner or licensee of the copy.”

They key words are “licensee of the copy“. That is, of the copy which is being run, not of any old copy. Typically the end user of the program will not have received a copy of it. Most FOSS licences trigger the commencement of the licence from the time that the person receives a copy – so while the service provider may be assumed to be properly licensed, the end user is by assumption not a licensee (in any event the particular copy which is being run is probably licensed to the service provider rather than the end user). Therefore, if the end user is not a licensee, then unless they are running the software on behalf of the service provider (or some other licensee of the copy) they’re not within 47B.

To be on the safe side therefore a service provider who is using FOSS ought to consider having program instances which run independent of its customers. That is, the customer ought not to be the person who initiates or perpetuates the running of a copy of the program. Rather, it should be the service provider (since they are the licensee of the copy in question) who runs the copy (it will then be run “by… the… licensee of the copy.”

If the end user is in fact the person running the copy of the software, and it is not running it “on behalf of” the relevant service provider (presumed to be the licensee) then they won’t get the benefit of section 47B and will therefore run the risk of infringement of section 31(a)(i). If there is in fact an infringement by the end user, the service provider is also likely to be liable for authorizing the infringement (s 13(2) and a number of cases).

Counter arguments

As I mentioned, it’s not a glory (ie “a nice knock down argument”). You might argue that:

1. the end user has received a copy of the software (constructively) when the service provider loads it up ready for them to run. If so, this may cause other problems in licences which have provision of a copy as a trigger event for other consequences (such as the supply of the source code);
2. when the end user runs the program “it’s really” the licensed service provider who is running the copy or it is run on their behalf;
3. that when the programs are run there is not in fact a substantial reproduction occurring (this would be a question of fact);
4. the relevant licence does in fact extend to cover the particular end user. Licences which are structured as a grant from the original licensor to the recipient of a copy are unlikely to meet this exception;
5. when a licensee is licensed in respect of one copy, they are automatically licensed in respect of all other copies (including those they haven’t received) (nb: question of fact);
6. honestly, who’s going to sue anyway?

Conclusion

If it does turn out to be a problem, it would not be appropriate to lay the blame at the feet of the licenses (or their drafters). Rather, it is a consequence of inadequate thought being given to the expansion of copyright law, creating problems which were not foreseen when the relevant licences were created. Since judges were doing something comparatively sensible by requiring that a copy must be able to be reproduced for it to be in material form this would not previously have been an issue. However, the AUSFTA has changed that. While there is a provision which attempts to preserve the sanity of the system, it has not anticipated the constantly evolving models in the technology sector.

Note on GPL v3 [Added 25 March 2008]

GPL v3 is different from most FOSS licences in that it defines its permissions implicitly by reference to the copyright law (through the terms “conveying” and “propagating”). As the copyright law changes, GPL v3 is automatically updated to track those changes. Other FOSS licences which are restricted to permitting specific actions (eg “reproduction” or “use”) will be adversely affected by changes in the copyright law. For example, the addition of a rental right for computer software in the late 90s probably has the practical effect of limiting the scope of those licences – when they were drafted there was no rental right, no one bothered to anticipate it in the licence. However, since it hasn’t been anticipated in the licence, the commercial rental of such programs is probably in doubt.

In general therefore this nature of the GPL v3 would recommend itself to those licensors looking for resilience against legislative or judicial changes to the copyright law. Unfortunately, in this case the implicit referencing may not get the licence all the way there. The lynchpin of the argument is when and how does a person become licensed. GPL v3 has a similar structure to that mentioned above. That is, that the licence is effective upon receipt by the prospective licensee of a copy of the software.

That said, the right to “propagate” expressly permits licensees to authorise third parties to run the program. In practical terms GPL v3 probably does preserve the right to run the GPLed software in an SAAS model. Under the law the end user will probably not have a licence (since they will not have received a copy). However, the service provider will have a licence and that licence permits what would otherwise be a secondary infringement (eg authorisation). Thus the copyright owner might sue end users, but the service provider would not be unlikely to be able to be sued (and who’s going to be silly enough to sue end users?).

Should Record Companies be Liable for their Artists?

Apparently a rapper in the US is being sued for assulting some chap. The interesting aspect of the case is that the plaintiff’s attorney is arguing that the record companies behind him are responsible for his actions (quoting the attorney from the report I saw in the SMH):

“There has to be a consistency between what you are and what you are selling. This lawsuit is saying the companies are the ones that put up the money to perpetuate this behaviour.”

The SMH apparently hypothesised on the attitude of the record company to the suit:

It is believed lawyers for the record companies will argue Rhymes is not an employee and not under their direct control.

This would seem, at least at first glance, a perfectly reasonable and rational argument. Except that I can’t see that any record company could possibly argue it. Their heart would simply not be in it. And if you’re heart’s not in it, it’s a hard time to sound convincing.

The fact that their heart wouldn’t be in it can be deduced from observing the general issue of principle taken on secondary infringement in copyright cases. Indeed, over the past 10 years or so we’ve seen a rash of cases and specific legislation supported by record companies (among others) which has the practical effect of extremely extending the understanding of “authorization” under the various Copyright Acts around the world. Some things for which people have been found secondarily liable include:

• providing links to infringing MP3s (at first instance one poor schmuck employed to host the sites was found liable because they ought to have known the Australian law on authorization of infringement – overturned on appeal, but no doubt after incurring substantial legal fees);
• providing a service with non infringing uses which didn’t sufficiently limit infringing uses;
• actively promoting the fact that something might have infringing uses (despite the thing having substantial non-infringing uses) (argued on a demurrer I think, so no actual finding of infringement);
• locating a photocopier next to shelves of books in a library.

The list would go on. In any event, copyright law has plenty of precedents where someone with less connnection to an infringer than between a record company and an artist have nevertheless been found liable. Surely, as a point of principle, no record company could suggest they ought not similarly be liable?