Dirk Riehle's Industry and Research Publications

The German Corona Warn App, a legally defective product?

By all measures, the German Corona Warn app is already a highly successful software product. However, from the perspective of open source license compliance, it is defective. Using open source code in your product requires that you fulfill the obligations of the open source licenses of that code, and the Corona Warn app does not do that. Let me explain.

Open source code may be free to use, but it comes with strings attached, which are its licenses. An open source license spells out (1) permissions (you are allowed to use the code for free, among other things), (2) obligations to fulfill to receive the permissions (like giving credit to the original authors), and (3) prohibitions (for example, you are not allowed to claim endorsement of your work by the original open source programmers).

Probably the most common obligation to fulfill (to receive the rights grant) is called attribution. It can be found in almost all open source licenses. Attribution usually requires that you provide the copyright statement of all involved authors of the original open source code.

According to the Corona Warn app’s legal notices (local copy as of 2020-06-30), it uses the open source library Java Hamcrest, among others. Hamcrest is licensed under the 3-Clause BSD License, which requires attribution (clause 1). The Hamcrest project wants to be attributed as a whole (not by individual developer), so the legal notices of any app distributing Hamcrest should include the text

Copyright (c) 2000-2015 www.hamcrest.org

exactly like this. This copyright notice is nowhere to be found in the legal notices of the Corona Warn app. Collecting these copyright statements and compiling them for a legal notices section of an app can be a lot of work, but it is required if you want to comply with the licenses of the code you are using. If you don’t, you are distributing a (legally) defective product. The Corona Warn app has some copyright statements, but most are missing.

Not all obligations are as easy to understand as attribution. For example, the JUnit library used by the Corona Warn app is licensed out under the Eclipse Public License 1.0. (I don’t understand why the developers say they distribute a testing framework in a production app, but this is not my point here). The EPL 1.0 license has the following obligations to fulfill for non-source code distributions (like download from an app store):

  • Provide disclaimer
  • Provide corresponding source code
  • Provide change notices , if any
  • Provide indemnification

In the legal notices, I did not see a disclaimer (of warranties, liabilities, etc.) on behalf of the developers of JUnit. This, however, is a hard requirement of the EPL 1.0 license.

Anyone who would like to see how to handle open source licenses correctly can get an idea by looking at the legal notices of any Android distribution. Google does a good job. The companies behind the Corona Warn app also have competent OSPOs (open source program offices) so it is the more confusing that the legal notices of the app are so shoddy. Let’s hope that they’ll fix it in an upcoming version.

If you are interested in learning how to correctly distribute products that contain open source software, I recommend you take a look at my one-day license-compliant delivery seminar and/or the corresponding license-compliant delivery handbook, which shows step-by-step how to fulfill the obligations of the most common licenses.

Subscribe!

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Navigation

Share the content

Share on LinkedIn

Share by email

Share on X (Twitter)

Share on WhatsApp

Featured startups

QDAcity makes collaborative qualitative data analysis fun and easy.

Featured projects

Open data, easy and social
Engineering intelligence unleashed
Open source in products, easy and safe