Collecting: Legal Questions & Issues around Open-Source Soft- and Hardware; get them answered for free!

Hey there!

Through one of my current projects I’m enjoying the access to a bunch of lawyers who are keen to work on legal issues and open questions around open-source soft- and hardware.
If you have anything in mind on which you would like a short precise answer or even a legal assessment, please feel free to drop it here in the thread.

I’ve also reached out to other communities (OSEG and OSI²) and will draft bundled legal questions from all responses. The results of the legal consultancy will be published under open-source licenses, of course; potentially in the form of a little handbook, depending on the nature of questions we will get here.


Here’s an example: Scientists trying to foster the public money, public code/hardware/science principle in public institutions (in Germany) are sometimes faced with a variety of legal obstacles, of which some may be just pure misconceptions (wrongly expressed as a blocker though), but others are more tricky. The institute being potentially held liable for the published hardware plans for instance is just a misconception, not an actual legal issue. Using public money directly for open-source developments (without a grant that ensures this on a contractual basis) however bears a potential breach of budgetary law, tax and donation law and potentially other legal domains as well. Essentially, anti-corruption laws (and the like) do not consider the case of open-source. Consequently, “giving exploitable developments out for free” may be considered e.g. as an unlawful subvention of companies. While I personally heavily disagree in this point, transfer offices in research facilities usually prefer a conservative perspective and can act as a blocker. An in-depth clarification in this point might help to steer these conversations and hopefully change the institute’s policy on open-source.

That said, let the collection of legal issues begin! :tada:
(and feel free to forward this to other communities/projects/initiatives as well; you can also CC me via mail in this regard: martin.haeuer@jura.uni-halle.de)

peace
-Moe

3 Likes

@hpy @julianstirling @MakerTobey @lwinter @Julieta @robertlread @rmies @amchagas @jpearce

2 Likes

A specific issue that has cropped up a few times relates to NDAs (Non Disclosure Agreements).

As an open source project we are approached by companies that wish to collaborate or understand how the project can fit in with their business. However, the initial way many companies interact is by first sending over a mutual NDA to sign. The whole point of such a contract is that it is drafted to be mutual, i.e. both parties’ secret information is protected.

This obviously doesn’t work well between an open source project and a business as the open source project often has to the best approximation no secret information to share. Moreover, any information it gets it struggles to act on in the spirit of its project if that information is tied to an NDA. This is often problematic because standard NDAs are incredibly broad covering any inventions and ideas whether or not they are patentable. The worry here is that any suggestion a company makes in a call is now off limits to the project, even if the suggestion is “too obvious” for a patent.

This all being said, simply refusing to sign an NDA also isn’t helpful. There is plenty of information it makes sense to keep secret. For example if a company lets you know about an upcoming unannounced product launch which they want to be able to integrate with your project, it is perfectly understandable that they wouldn’t want that information made public.

Another thing that becomes problematic is that often signing a contract that is specified to be interpreted under another country’s law can massively increase the cost of insurance (US and Canadian law especially).

It would be really nice to have a template NDA for Open Source projects that specifically outlines a much smaller subset of things which are covered by an NDA, but also explicitly covers the fact that the open project will be openly working on their project and as such any technical information shared with the project will need to be discussed openly for the open project to function.

I feel this is a difficult balance to strike but if it was done well it would allow businesses to share certain business information under an NDA, while also guaranteeing that the Open Project can still function. The onus of what technical information to share is also shifted from the Open Project having to decide what information they have they can discuss openly, to the business having to decide what information to openly share with the open project.

What we don’t have is a lawyer who can help write it. I suppose this doesn’t fall into the category of “short and precise answer” :neutral_face:

2 Likes

Maybe this should be around MTAs. FreeGenes have Open source MTAs. AddGene has mostly closed source MTAs but it also has Open MTAs.

As for the NDA and Open Source combo, it sounds like an oxymoron to me.
I’m not sure I fully understand the points and I can see 2 scenarios:

  1. Let’s say a company does not send an NDA to an OpenSource partner. All is fine. No new NDA produced by the OpenSource partner is needed.

  2. Let’s say a company sends an NDA to an OpenSource partner. The OpenSource partner can read the agreement and agrees only to the points that do not contradict the OpenSource. No new NDA produced by the OpenSource partner is needed.

Cheers,

Adrian

1 Like

I certainly agree in principle, but as mentioned above there are things which it would be wrong to disclose. And getting that in writing builds trust.

As for the situations you mention:

The problem here is you can’t sign only the parts you want to of a legal document, you sign it or you don’t. To only agree to the points that don’t contradict open source you would need only those points in the document. This is the document I would like to get drafted.

This way in scenario 2 when they send me an NDA I can say “unfortunately that NDA is incompatible with Open Source, we have this cut-down agreement, can we use this instead?” If they say no they want their full NDA then it’s an impasse where what they want is incompatible with Open Source, if they say yes then everything is good.

So, what you mean is create a list of things that can be in an NDA and don’t break the Open Source tenets or spirit. That would be kind of hard.
But, with that list one could preempt an NDA by clearly stating during initial talks “we want this to be OS so these are the only acceptable things in an NDA”.
IMHO discussing legal issues without a lawyer is not an activity that is likely to yield acceptable results.

Cheers,
Adrian

Hence why I am replying to this thread about Moe having access to “a bunch of lawyers”!

1 Like

Thanks for this! We had this situation at OSEG a couple of times, but could - yet - always negotiate our way around it. But I see how the problem scales with the attention for a given open-source project.

I like this approach. Since “NDA” is a very delicate term in the open-source world I’d suggest finding a new term for this untypical form of an NDA. LNDA maybe (similar to GPL → LGPL)

Anyhow, I have someone in mind who could do that. His official start will be in February, but I’ll ping him just now to get a first opinion

Thanks for the detailed, yet compact description! Let’s see what we can do here :muscle:

2 Likes

Looks good :ok_hand: You’ll meet Lucas (from FSFE) and me at FOSDEM and then let’s discuss some first ideas

2 Likes

Hi @Moe thank you for doing this!

Is there a deadline for asking these legal questions?

1 Like

This project will be ongoing for ~3 years. However, I’m wrapping up the first batch of legal questions to distribute them to matching lawyers. Once the first issues are resolved, I’ll queue in more issues.

So: There’s no defined deadline (other than the project end itself), but the sooner we get a question, the earlier we can start working on it :ok_hand:

2 Likes

Thank you @Moe, I think this can be very useful. I read in your original post:

The institute being potentially held liable for the published hardware plans for instance is just a misconception, not an actual legal issue.

Last year I was contacted by somebody designing roofs, walls and other pieces of construction kit. They were concerned about exactly this kind of liability. It would be good to have some authoritative reference on this matter that we could point to. There may be dependencies on jurisdiction and the disclaimer text in the open hardware licence you use, and that would also be useful to include in the analysis.

Cheers,

Javier

Sounds good! Do they operate in the EU?
Please feel free to forward them to me, so we can have a deeper look on their case.
martin.haeuer@jura.uni-halle.de

There is a legal analysis about to be published from Bucerius Law School Hamburg on precisely that issue (at least that’s what they promised a couple of months ago :slight_smile: ). Once I have it, I can also link it here

1 Like

Question:
Would person P located in country A executing an Open Source protocol on a remote robot in country B be liable if the protocol does not follow legislation in A or B?

Thank you,
Adrian

depends on the context:

  • is the operation based on a commercial agreement? → then normal liability constraints apply (product liability etc.)
  • is the operation non-profit, but done by an expert?
  • is the operation exclusively private?

as a general rule of thumb: the open-source aspect doesn’t make a significant difference in liability questions. the only major difference is the possible “wrongful act” (as it’s called in Dutch/EU legislation) when distributing open technologies. Anything that could be considered a public threat so to say. design files for pipe bombs, for instance. Or a car that burns down in 3 of 5 cases

there are 2 parts that are in question

Part1: I developed a series of OpenSource biology protocols and DIY devices that will be executed by global students at the HTGAA.org MIT course. I just finished a presentation today with the students and I attached it here for clarity.
There were about 200-300 students in practically every country of the world. Here is an example of Open Source protocol that I wrote for this: https://www.protocols.io/view/accessible-bacterial-culture-x54v9rwbpv3e/v1

Part2 - completely different is that some of the students will execute protocols on some locally hosted robots. Those protocols involve organisms that are perfectly fine in North America but will be sometimes prohibited in the student’s country. For instance EU requires one to submit an application to work with bacteria while North America does not.

So I guess it is all non-profit and one could argue that it is done by an expert or under expert umbrella.

it seems the forum does not accept the attachments so here is a screenshot of one of the pages:

Hi @Moe hope you’re still accepting questions! Here’s a few from me in two categories:

For all of these questions, I’d like to know how the answer might differ based on jurisdiction.

Liability

  1. If I publish open source software or hardware, what kinds of legal liability do I have over what others do with it?
  2. How much does it matter that open source licenses typically include disclaimers for liability, e.g. “no warranties of any kind”, etc.?
  3. Is there a difference between software and hardware?
  4. How much does selling make a difference for liability?
  5. What if I created the open source software or hardware, but it is someone else unrelated to me who actually sells it? Do I still have any liability?

Attribution

  1. Open source licenses typically require downstream users to provide attribution (without implying endorsement). How much attribution is enough? Do I just follow what the license says (which is sometimes unclear!) or are there other rules around attribution?

Thanks @Moe!

1 Like

Wow what a great opportunity thank you!

Here’s my question: Last year Opentrons added a EULA to their software for running their liquid handling robots. Not only is the EULA in their code repository on github, you also have to click “I agree” when you run the software. Previously the software was under the Apache 2 open source license. It still appears to be under that license but now the EULA is added on top.

My question is: Can I still re-use the source code in my own project under the terms of the Apache 2 license without agreeing to the EULA? If so, what prevents me from forking the entire codebase and simply removing the EULA again? If I can’t use it under the Apache 2 license without agreeing to the EULA then can the codebase really be said to be open source and is this EULA not in violation of the Apache 2 license itself?

Thanks in advance!


marc/juul

2 Likes