ezine
20 Jun 2011
Welcome to the June edition of our x-tech ezine
In our first article this month, 'Making Open Source An Asset, And Not A Liability, In Your Commercialisation Strategy', we discuss some of the basic types of open source licences, and steps to take to ensure that open source materials do not jeopardise the commercial exploitation of proprietary products.
One key issue that has been largely overlooked, and sometimes misinterpreted, is the scope of the new Copyright (Infringing File Sharing) Amendment Act 2011. In our second article, 'Full Stream Ahead - Are There Leaks in New Zealand's New Internet Piracy Law?', the first of a series of articles about practical issues arising from the legislation, we consider what types of online infringement are covered, and whether the new regime might be out of date before it even comes into force.
A recent spate of security breaches affecting some major companies has brought the issue of data protection to the attention of many people. In the most recently reported security breach, as at the date of this ezine, information on over 1.2 million customers from Sega’s “Sega Pass” database was subject to unauthorised access. Other well-known companies and organisations are also reported to have suffered intrusions recently. New Zealand organisations that hold personal information may, as a result of these security breaches, have questions about the actions they should take when faced with a similar situation. In our final article, 'Privacy Leaks - Should You Tell or Should You Not?', we highlight the importance of having robust data protection policies and systems.
Making Open Source An Asset, And Not A Liability, In Your Commercialisation Strategy
The resurgence in acquisitions, IPOs and financing transactions related to software and technology companies provides a timely reminder of the value in monitoring use of open source materials. Lack of information about open source usage and the applicable licences can significantly reduce commercial potential. However, developers seeking financial and creative partners should not necessarily avoid open source materials. To the contrary - open source software has demonstrated its ability to help create new products and generate revenue, provided that developers monitor the specific sources they utilise, and use materials distributed under the correct types of licence.
Facilitating Innovation
In the three decades since the open source software movement began, its principles of collaboration and information-sharing have driven an enormous amount of innovation. Open source elements provide particular value to the small- and mid-sized companies that make up the backbone of New Zealand's technology industry. By utilising solutions already created by the open source community, developers can focus their attention on the specific aspects of a program or product in which they have particular expertise. Developers can then draw upon the accumulated knowledge of colleagues worldwide to test and improve their work.
The mobile phone game "Angry Birds", which has become a recent symbol of the creative and economic potential of small software developers, provides a recent example. The catapulting birds, collapsing bricks and rolling pigs that form the core of Angry Birds' game play are built upon the Box 2D physics engine, an open source program utilised by many developers on the Android, Apple iOS and other mobile application platforms. Relying on this existing, thoroughly-tested open source program to control the game's physics allowed Rovio, a relatively small developer in Finland, to focus its limited resources on the artwork, game play, storyline and humour that have made Angry Birds a huge success. The successful game allowed Rovio to close US$42 million in Series A venture capital financing in March, a process facilitated by Rovio's use of materials under open source licences that encourage, rather than hinder, commercialisation of proprietary products.
Open source usage extends far beyond small companies and the software industry. A recent Accenture survey of large enterprises in a variety of industries, including manufacturing, financial services, agriculture and healthcare, found that over 50% were "fully committed" to using open source in their business, and another 28% were experimenting with open source materials.
The question is no longer whether or not open source materials have been utilised - instead, the key issue is knowing what specific materials have been used, which licences apply to the various elements, and how each of those licences affects the commercial potential of the finished product.
Legitimate Concerns, And A Few Misconceptions
Developers, potential investors, collaborators and distributors frequently express concerns that the terms of open source licences can adversely impact the ability to commercialise products. Microsoft CEO Steve Ballmer summarised his view of these issues ten years ago, characterising the open source nature of Linux as "a cancer that attaches itself in an intellectual property sense to everything it touches. That's the way that the license works."[1]
Open source licensing practices have evolved since then. Many open source libraries are now distributed under licences that encourage users to create closed proprietary programs derived from the open source elements. However, several licensing concerns continue to discourage some investors and collaborators. One significant issue is that all of the major open source licences disclaim any representations and indemnities, requiring users to work with materials at their own risk.
Other concerns are based on misconceptions. These misconceptions include: (1) all open source materials are subject to the same general rules and licence terms; (2) open source materials must be distributed for free; (3) developers must disclose the source code of any new programs that incorporate existing open source materials; and (4) developers must permit third parties to modify, improve and distribute any new programs incorporating open source.
All Open Source Licences Are Not Equal
A wide variety of different licences govern the many open source libraries. The Open Source Initiative currently lists at least 69 different types of approved licences. Each type of licence imposes different conditions upon the use and distribution of programs that incorporate the relevant open source materials.
The most popular early licences focused on advancing the creative and collaborative goals of the open source community, and contained terms that made it impractical to use open source materials in proprietary programs intended for commercial exploitation. However, an increasing number of open source libraries now utilise licences that permit developers to commercialise derivative works.
GNU and the GPL
Significant concerns remain for certain open source licences, including the most common free software licence, the GNU General Public Licence (GPL). Of the major open source licences, the GPL imposes the most significant impediments to the commercial exploitation of derivative works. The Free Software Foundation developed and administers the GPL, and has popularised the term "copyleft" to refer to the structure and goals of the GPL, which was one of the first open source licences.
The GPL encourages collaboration and development among the open source community by making its software - and any works built upon its software - freely available for others to modify and utilise. To achieve this goal, the GPL imposes several licence terms that limit the ability of developers to exercise the exclusive rights that would otherwise be provided under intellectual property law. These terms include an obligation to publicly disclose the source code of any work distributed under the GPL, and to permit third parties to freely modify, utilise and redistribute any works distributed under the GPL.
Significantly, if a developer creates and distributes a new program that incorporates GPL open source materials, the GPL obliges the developer to incorporate and pass through the licence terms of the GPL - without modification - as part of the new work. The terms of the GPL will then pass through to subsequent users. As a result, any new works are "infected" with the GPL in the eyes of some potential collaborators, investors and partners.
Permissive Free Software Licences
Not all open source licences are as restrictive as the GPL, and many popular licences permit developers to utilise open source materials to create proprietary programs. For example, the "Zlib" open source licence governs use and distribution of the Box 2D physics engine used in Angry Birds. Under the terms of this licence, Rovio is not required to disclose the source code of Angry Birds publicly, as might be the case under some licences. Nor is Rovio required to permit the open source community to modify and improve Angry Birds. Instead, the licence politely requests the following very modest consideration:
"If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required."
Unlike the GPL, the Zlib licence (and dozens of similar open source licences) permits Rovio to impose its own highly protective licence terms on distribution of Angry Birds, including provisions intended to create and protect economic value. Because these types of licences permit users to impose different (and more business-friendly) conditions upon the distribution of derivative programs, they are frequently referred to as "permissive free software licences."
The most popular permissive free software licences are the Apache 2.0 licence, the MIT licence and the BSD licence. Each of these licences contains unique terms, such as the circumstances in which source code must be disclosed, requirements and restrictions on providing credit to contributors, inclusion of copyright notices, revocability, whether patent rights are included within the licence, prohibitions on bringing claims against the licensor, and other provisions.
The proliferation of dozens of different licences has made it more difficult to determine which licence applies to a particular piece of open source code, making it more challenging to ensure compliance with the applicable licence.
Knowing What You Have
The software and investor communities have become increasingly aware that accurate information about open source usage is highly relevant (and sometimes necessary) when assessing the commercial potential of products and businesses. As a result, it has become common for due diligence inquiries in technology transactions to specifically request this information. Companies planning to obtain financing, or whose eventual goals include a potential sale, merger or other strategic transaction, will benefit greatly by implementing procedures for monitoring open source usage. Conversely, lack of information can deter potential partners, fearful of committing limited resources to projects that may be "infected" by licence terms inconsistent with traditional commercialisation strategies.
Developers can take several actions to minimise the risks of using open source materials in ways that may harm future economic potential, or that may generate unexpected legal claims:
- Develop familiarity with the different types of open source licence. As noted, some open source licences are far more business-friendly than others.
- Establish a clear policy about open source usage. The lack of any policy about open source usage can be a red flag during a due diligence review, and may lead potential partners to assume that materials have been widely used under undesirable licence terms.
- Encourage staff to self-report use of open source materials, and identify where those materials were obtained from. In reality, self-reporting usually generates under-inclusive results, but can help identify major issues before problematic open source materials become integrated into key products.
- Conduct an open source audit. Several vendors offer auditing services, and automated scanning tools also exist. Although audits frequently lead to unexpected discoveries, it may be more desirable to discover this information yourself, and to learn about potential problems before products are launched, investors are solicited, or licensors assert legal claims.
- If open source materials are discovered that are subject to the GPL (or other licences that make commercialisation difficult), it may be possible to re-engineer programs and systems to avoid the problematic materials, and to replace them with either proprietary materials or with materials from open source libraries that encourage commercial exploitation.
Please let us know if you have concerns about the use of open source software in your organisation, and want guidelines on how to investigate and manage the issue.
[1] Chicago Sun-Times, 1 June 2001.
Full Stream Ahead - Are There Leaks in New Zealand's New Internet Piracy Law?
'Flight of the Conchords' star Rhys Darby's recently-announced involvement in a publicity campaign for the new Copyright (Infringing File Sharing) Amendment Act 2011 (Amendment) has caused yet another stir around the controversial new legislation. Although his well-known 'Conchords' character, Murray, is likely to have stronger feelings about sheep shearing than file sharing, the New Zealand Federation Against Copyright Theft (NZFACT) has selected the comedian to provide a more 'hip' and modern face for the new law. But perhaps the real joke, then, is that the law itself may be on its way to becoming outdated before it even comes into force.
Contrary to widespread belief, the Amendment does not create any new prohibited acts in relation to copyright, but instead aims to curb online piracy by streamlining the enforcement process for rights-owners. However, it may be that the infringement method it targets is already becoming outdated. Faster download speeds and lower data-hosting costs have resulted in a sharp rise in services that allow users to store content online and make it available to other people - either by downloading to their device or "streaming" through their internet browser (e.g. YouTube). These services have been providing increasing numbers of infringers with a more efficient alternative to the complex and bandwidth-hungry peer-to-peer file sharing networks. The shift towards streaming in online piracy has even been officially acknowledged by the US Government, which has recently indicated a desire to introduce stronger legislation to tackle the issue.
However, due to practical limitations and the particular drafting of the Amendment, it is unlikely that this more modern method of infringement is covered by New Zealand's new comprehensive enforcement regime. The Amendment may therefore leave copyright owners unsatisfied with the results of the two-year-long rethink of the earlier section 92A provision.
Legal Limitations
The activity around which the new enforcement regime is built is that of "file sharing" and is defined in the Amendment as follows:
"file sharing is where -
"(a) material is uploaded via, or downloaded from, the Internet using an application or network that enables the simultaneous sharing of material between multiple users; and
"(b) uploading and downloading may, but need not, occur at the same time."
At first glance, part (a) of the definition appears to describe peer-to-peer file sharing (P2P), where participants connect to each other using a network (via a "client" or simple software application) and jointly transfer files in small segments. P2P file sharing has a number of different implementations, including classic P2P software applications like now-discontinued favourites Napster and LimeWire, and the BitTorrent protocol. Classic P2P applications search for files on other devices connected to the network, while BitTorrent clients use .torrent index files and "trackers" to connect file sharers. In all types of P2P, the "sharing" tends to be "simultaneous", as the data travels directly from one or more uploaders to each downloader without being stored by an intermediary.
If pressed, though, a broader interpretation of part (a) can be found. For example, if the internet itself is considered to be a "network that enables the simultaneous sharing of material...", then any up/downloading using the internet could conceivably be covered (although this would rely on the somewhat bizarre reference to material that is up/downloaded "from the Internet using the internet"). Similarly, the user interfaces of sites like YouTube could technically be described as web-based "applications". In the latter case, the meaning of "simultaneous sharing" would also need to be stretched to refer to the simultaneous downloading of previously-uploaded material by more than one person, which does not appear consistent with the wording about enabling "simultaneous sharing...between multiple users". Overall, these broader interpretations are probably too great a stretch, and appear to be inconsistent with background materials for the Amendment (discussed below).
Part (b) of the definition is also not clear cut. One interpretation might be that (b) is intended to clarify and support the broad latter interpretation of part (a), namely that the definition covers situations where data is completely uploaded to an intermediary by one party and later downloaded by others (as would be the case for streaming and file-hosting services).
From a review of the materials considered by the Commerce Select Committee, which recommended changes to the Amendment during the parliamentary process, it appears instead that part (b) was added to clarify that an act of file sharing by a person does not need to involve simultaneous uploading and downloading by that same person (as is common in P2P file sharing systems). This clarification is only necessary for P2P systems, and could be seen as indicating that such systems are the focus of the definition, and thus the Amendment.
Indeed, the Select Committee's materials, many of which were prepared by the Ministry of Economic Development, contain explicit statements that the Amendment is not intended to cover streaming or file-hosting services, and indicate that it was designed to apply only to P2P file sharing. This view is also consistent with the addition by the Select Committee of the reference to "networks or applications" in the file sharing definition. As stated in the Explanatory Note to the then Bill, this addition was intended to "avoid inadvertently capturing activities such as emailing or downloading that did not involve file sharing".
Based on these secondary materials, and the degree of stretching required to interpret the definition as covering more than P2P file sharing, it is likely that the Amendment does not apply to infringement via streaming and file-hosting services. Nevertheless, the final wording of the file sharing definition is inherently ambiguous and will need to be tested before there is complete certainty over the scope of the regime.
Practical Limitations
Practical issues may provide a more significant limitation to effective implementation than the legal scope of the Amendment. In order to take advantage of the new regime, rights-owners must provide internet service providers (or "IPAPs" under the Amendment) with details of each infringement, including the internet protocol address (or IP address) of the infringer.
Because P2P networks are "decentralised", rights-owners (or the investigators they hire) can only obtain IP addresses of P2P infringers by actually participating in the "swarm" (the network of connections between various uploaders and downloaders of a particular file) and collecting the IP addresses of the participants.
Conversely, there do not currently appear to be any (legal) technical methods for obtaining information about infringers who stream content or download files from websites. The websites themselves may retain information about the users, but are unlikely to hand it over to rights-owners without a court order, and often take steps to prevent this from happening (such as placing their servers in countries with more-favourable laws or enforcement regimes). Seeking such an order would therefore require an initial (and likely complex) legal challenge by the rights-owner, thus defeating the purpose of the new streamlined regime.
Even if the Amendment is not limited to P2P infringement, these practical limitations may prevent the Amendment from being utilised effectively against the most current infringement methods. Nevertheless, a practical limitation that exists at the time of drafting should not have been a reason to limit the overall scope of the legislation, particularly when the legislation is intended to create a modern enforcement regime.
Implications
If the definition of file sharing in the Amendment is, as it appears to be, limited to P2P activities, the regime will provide no additional assistance to rights-owners in relation to the steadily-increasing practice of streaming or downloading infringing content from online file repositories. The Copyright Act 1994 does provide some partially-relevant provisions in section 92C, but these merely provide website operators with a "safe harbour" from liability if they remove the infringing content from their sites. The Act does not currently provide any additional practical remedies against file-hosting or streaming sites or their users, meaning rights-owners are limited to the standard (and often complex) process for copyright claims in the Courts.
From the other perspective, the main implication for everyday New Zealanders is that the Amendment, which has been somewhat demonised in the media, will either in scope or practice apply to only a small proportion of hardened infringers who use specialist P2P software. It will not, then, inadvertently catch teenage girls who watch fan-generated YouTube videos featuring Twilight movie clips with unauthorised Katy Perry soundtracks.
Overall, even though it is flawed and limited, the Amendment is a step in the right direction and will provide some additional enforcement options for content owners. However, the nature of online copyright infringement has shifted since the original section 92A was put on hold two years ago, and rights-owners may soon be asking themselves if Parliament's efforts to replace the broad s92A with a detailed regime were worth the wait. Perhaps Murray finally has a decent reason to call one of his famous "emergency band meetings".
Key Contacts
Earl Gray
James Kevany
Privacy Leaks - Should You Tell or Should You Not?
A recent spate of security breaches affecting some major companies has brought the issue of data protection to the attention of many people. In the most recently reported security breach, as at the date of this ezine, information on over 1.2 million customers (names, birth dates, e-mail addresses and passwords but not financial information) from Sega’s “Sega Pass” database was subject to unauthorised access. Other well-known companies and organisations reported to have suffered intrusions recently include the International Monetary Fund, Citigroup, Lockheed Martin, Sony, and Epsilon, a data marketing firm (the Epsilon breach is reported to have affected over 50 major companies, including JP Morgan Chase, Hilton and Best Buy). In some of these attacks, hackers have gained access to credit card and bank account details, as well as personal information such as users' names and log-in information.
New Zealand organisations that hold personal information may, as a result of these security breaches, have questions about the actions they should take when faced with a similar situation. These breaches also highlight the importance of robust data protection policies and systems, to comply with the requirements of the Privacy Act 1993 (Privacy Act).
Handling a security breach incident
New Zealand does not currently have any specific data or privacy breach notification laws. However, the need for, and potential requirements of, such laws were discussed in the Law Commission's 'Review of the Privacy Act 1993' Issues Paper released in March 2010, as stage four of the Law Commission's review of privacy law. Submissions on the Issues Paper closed on 30 April 2010, but the Law Commission has not yet issued its report.
There is a broad movement around the world towards breach notification schemes. In the US, the Obama administration recently proposed a national data breach notification law, which would supersede the 47 separate state and District of Columbia regimes currently in place. In Europe, a breach notification regime for the telecommunications industry will come into force later this year. In Australia, the Australian Law Reform Commission has also recommended the introduction of mandatory data breach notification laws.
Despite the fact that there are no specific breach notification laws in New Zealand, the Privacy Commissioner has indicated that notification steps are a factor that could be taken into account when considering whether an organisation has complied with its obligations, under the Privacy Act's information privacy principle 5. Information privacy principle 5 requires the taking of all reasonable steps to protect personal information. The Privacy Commissioner released a set of voluntary privacy breach guidelines in 2008, and in the accompanying information paper commented that:
In some cases, quick and effective notification may prevent harm to the individual or provide an individual with the opportunity to mitigate harm. The Privacy Commission can receive complaints on breaches of the Information Privacy Principles. For a complaint to succeed, a complainant must show that a principle has been breached, and that they have suffered, or may suffer, harm as a result. If any individual harmed by a privacy breach is given the opportunity, through notification, to mitigate the effects, this may limit an agency's potential liability.
These privacy breach guidelines recognise four elements of managing a privacy breach:
- breach containment and preliminary assessment;
- evaluation of the risks associated with the breach;
- notification; and
- putting in place future prevention strategies.
The guidelines also emphasise the need for these steps to be taken quickly following a breach.
The full guidelines are available here.
New Zealand organisations that hold personal information should review these guidelines and establish a contingency plan (including a notification plan) to allow prompt action following a security breach.
Data protection policies
As noted above, information privacy principle 5 of the Privacy Act requires agencies to take all reasonable steps to protect personal information. An organisation that keeps its information protection policies and systems up to date with industry best practice will be much better placed to withstand a complaint that it has breached this principle. For example, encryption of data, separation of sensitive data into independent databases, and use of data loss prevention monitoring tools may be merited if inappropriate release of information held by the organisation could lead to significant risk to individuals' physical safety, reputation, or financial security.
In addition, information privacy principle 9 prohibits organisations from holding personal information "for longer than is required for the purposes for which the information may lawfully be used". New Zealand organisations holding credit card details should therefore have systems to ensure that, once credit cards have expired (and can therefore not be used for purchases) and are not needed for other legitimate purposes such as responding to transaction queries, the records are deleted (unless there is a legitimate reason behind their retention). More generally, data retention policies should set out the timeframes for which information should be retained, and there should be systems for deleting or destroying information that is no longer needed. Just because information can be stored (for example, because of cheap electronic information storage facilities) does not mean it should be stored.
Conclusion
The significant recent publicity regarding security breaches is a reminder for New Zealand organisations to take proper precautions in the way they store information, to properly consider how long it is necessary to store information, and to establish systems to deal with security breaches should they occur.
In addition, with a comprehensive review of the Privacy Act currently underway, and significant international momentum towards mandatory data breach notification laws, it seems likely that New Zealand will also move to a mandatory breach notification regime at some point over the next few years.