Costs of no or poor open source governance

When talking with companies about the use of open source, sooner or later we end up discussing the problem of license compliance. This is perhaps the most prominent aspect of open source governance for companies getting started with using open source. It can be surprisingly difficult to coherently explain the cause and effect chains that create the potentially high costs of not properly governing your open source engagement!

So here then is my take at teasing it apart.

Let’s assume that a company included Copyleft-licensed code in one of their products and that the company conveniently ignored the consequences of such use. (The initial consequences would be the provision of the necessary compliance artifacts, for example, copyright notices, disclaimers, offer to source code, etc.) Let’s also assume that somehow this became apparent, for example, by a developer of the company asking a question about the Copyleft-licensed code as it pertained to its use in the company’s product.

If a copyright holder with standing to sue now asks for the source code and gets brushed off, they may threaten with a lawsuit. The immediate costs of such a threat are the incurred legal costs, reputation loss, and wasted management attention.

Should the copyright holder proceed to file a lawsuit, the costs to the company will immediately be more legal costs, more reputation loss, and more wasted management attention. In addition, each lawsuit has the potential to reveal strategic product information to the interested public, which is usually highly undesirable.

Out-of-court settlement

Threats of lawsuits or actual lawsuits are often settled out of court by an agreement between the involved parties, here the plaintiff and the company.

An out-of-court settlement creates more legal costs, reputation loss, and wasted management attention. In addition, it usually creates more financial costs, primarily in the form of license fees or other payments to the plaintiff (assuming their case is convincing). Finally, the actual situation needs to be healed so there are now compliance costs, discussed separately below.

Loss of lawsuit

Should the parties not settle out-of-court but proceed to a trial and should the company lose, yet more legal costs, reputation loss, and wasted management attention is incurred. Worse, the license fees and potential punitive damages are likely to be higher than in an out-of-court settlement. But the real problem is that being convicted of infringing the plaintiff’s rights here might mean significant product revenue loss due to a necessary product recall and sales stop. Also, later product releases will be delayed, incurring more potential revenue loss. Compliance costs also follow, and the company faces an increased risk of more lawsuits (where there is one fire, there may be many).

Compliance costs

Whether settled out-of-court or convicted by court, the company will have to become license compliant. The two basic ways are to replace the Copyleft-licensed component with a non-Copyleft component (either an alternative open source one or a proprietarily-licensed one) or to stick with the Copyleft-licensed component and act in accordance with the license. If the company were to replace the component, they would face the rework costs and the licensing fees for the new component, if any. If they were to stick with the Copyleft-licensed component, they would face the labor costs of creating all necessary compliance artifacts and processes. Along with this compliance costs might come intellectual property loss, not only in the form of the loss of the exclusive access to the now open source code, but also by way of a free patent rights grants, if any were used. Finally, even more information about the company’s product will be revealed to the public.

That’s it! I skipped some of the less tangible aspects like loss of goodwill with the community etc. Also, this is only a small part of what constitutes good open source governance. Get in touch if you would like to learn more about our research activities in this space.

Finally, please note that I am not a lawyer and none of this content is to be construed as legal advice. However, I welcome any feedback you might have!

2 thoughts on “Costs of no or poor open source governance”

    1. Oh, I agree. And in fact, under most circumstances, open source is a great deal, much better than any. But you do have to pay in some form or another. You just need to understand how to pay 😉

Leave a Reply