| 1 |
(I think I need to have lots more IANAL disclaimers in every paragraph |
| 2 |
of this). |
| 3 |
|
| 4 |
I apologize for the late response, but giant threads on the mailing list |
| 5 |
have NOT been high on my priority list. I do have some answers for you, |
| 6 |
but also further points to make. |
| 7 |
|
| 8 |
Please read on for my inputs about examples of legal liability around |
| 9 |
the DCO, as well as how other organizations handle it. |
| 10 |
|
| 11 |
On Tue, Apr 09, 2019 at 08:46:00PM +0000, Gokturk Yuksek wrote: |
| 12 |
> Alec Warner: |
| 13 |
> > I think it is reasonable to try to pursue a more inclusive policy where |
| 14 |
> > identity is more flexible (as I discussed in a different message on this |
| 15 |
> > thread), but keep in mind the Council (and really a few key members) spent |
| 16 |
> > over a year working on the policy we have; so I'm not certain its a trivial |
| 17 |
> > change. You are free to dislike the policy we have and you are free to |
| 18 |
> > suggest we pursue a more inclusive policy, but at least here as a trustee |
| 19 |
> > who voted for it we made a deliberate choice here and barring some middle |
| 20 |
> > ground where we somehow understand that contributions to Gentoo are done in |
| 21 |
> > a low-risk way, we will continue to reject commits from obvious |
| 22 |
> > contributors. |
| 23 |
I would like this part to be heard and followed. I too have personal |
| 24 |
objections against publicly disclosing the identity of people who have |
| 25 |
genuine reasons to not have that public (In a very recent example, I |
| 26 |
have a coworker who can't contribute to open source anymore due to |
| 27 |
harassment from a ex-spouse). |
| 28 |
|
| 29 |
At the same time, the steps for another body to REALLY safely shield |
| 30 |
their identity are not trivial, and have not really been done in a |
| 31 |
sustainable manner before. |
| 32 |
|
| 33 |
I don't LIKE the real name requirement, and I will help pursue a better |
| 34 |
policy, but I also object to moving backwards, including the suggestions |
| 35 |
of grandfathering in existing developers. |
| 36 |
|
| 37 |
> > What I refuse to engage in is an incessant debate about the policy we have; |
| 38 |
> > please accept that we made it in good faith to reduce legal risk for the |
| 39 |
> > project and, if an alternative is presented that keeps risk low while |
| 40 |
> > accepting a broader set of contributions we will consider it in the same |
| 41 |
> > good faith. |
| 42 |
If there were some identity escrow service, that provided reliable |
| 43 |
pseudonymous identities, and it met the standards of law, while not |
| 44 |
exposing further liability issues, I would be VERY happy to use it and |
| 45 |
enable more contributions to Gentoo. This IS a hot field of business: |
| 46 |
https://securid.ca/ is one local Vancouver startup that I'm personally |
| 47 |
aware of looking at the concept (disclaimer: the CEO is a friend, and I |
| 48 |
have answered his questions about conceptual ways to protect privacy |
| 49 |
within the scope of court-demanded access to data). |
| 50 |
|
| 51 |
> I don't doubt people's good faith in proposing this policy and I'm sure |
| 52 |
> it's done with the best interest in mind. I apologize for not doing the |
| 53 |
> homework for the following question: did the Foundation pay for any kind |
| 54 |
> of legal counsel on this matter? |
| 55 |
As the Foundation treasurer, to the best of my knowledge, the Foundation |
| 56 |
did not pay for any legal counsel on this matter. I cannot state with |
| 57 |
certainty if any Council member or Trustee other than myself consulted |
| 58 |
legal counsel (and if they paid for the answer or not). |
| 59 |
|
| 60 |
While at a open source conference, I did informally consult two lawyers |
| 61 |
who specialize or previously specialized in the field of open source |
| 62 |
licensing. I "paid" each of them with a drink, at my own expense (cash |
| 63 |
to the bar, no paper trail), and got 3 different opinions. I did ask |
| 64 |
about a formal opinion, but they were NOT willing to issue a full formal |
| 65 |
opinion, as it didn't align with their interests at the time. |
| 66 |
|
| 67 |
IANAL, but I will summarize their informal opinions. They did also point |
| 68 |
me to written material that was superb: |
| 69 |
"Practical Guide to Software Licensing: For Licensees and Licensors", |
| 70 |
published by the American Bar Association, ISBN 978-1616328139 |
| 71 |
|
| 72 |
> I think one thing most of us struggle |
| 73 |
> with is that we are not lawyers. It would help to put people's mind at |
| 74 |
> ease if the Foundation consulted a lawyer that clearly explained: |
| 75 |
> |
| 76 |
> - What exactly is the legal liability being addressed here? |
| 77 |
To put a specific concern to words: |
| 78 |
- "A" is a legal entity, individual or corporate. |
| 79 |
- Work "X" is copyrightable work, with a COMPLETED copyright |
| 80 |
registration held** by "A", in the form of source code. |
| 81 |
- Work "X" has NOT been released publicly at all, esp. has not been |
| 82 |
released under an open source license by "A" |
| 83 |
- Entity "M" contributes work "X" to Gentoo, claiming terms (a) or (b) |
| 84 |
of the DCO. "M" could be identified, anonymous or pseudonymous (see |
| 85 |
below). |
| 86 |
- "A" discovers Gentoo distributing "X", and sues Gentoo for copyright |
| 87 |
infringement. |
| 88 |
|
| 89 |
** "Copyright held": This enters the debate of EU moral rights. Debate |
| 90 |
over the semantics of the term is not relevant to this point. |
| 91 |
** The copyright registration MUST be completed; there is caselaw |
| 92 |
|
| 93 |
What laws & regulations have been violated here? These are primarily |
| 94 |
civil infringements. |
| 95 |
This is NOT a complete list, only a potential list. |
| 96 |
- 17 U.S.C. § 504(c)(2); Gentoo is an "innocent" copyright infringer: |
| 97 |
https://www.law.cornell.edu/uscode/text/17/504 |
| 98 |
"infringer was not aware and had no reason to believe that his or her |
| 99 |
acts constituted an infringement of copyright" |
| 100 |
- 17 U.S.C. § 504(c)(2); "M" is a "willful" copyright infringer: they KNEW about the origin & |
| 101 |
license of the work. |
| 102 |
- 15 U.S.C. § 1125(a) (Lanham act, section 43(a), "False designations of |
| 103 |
Origin, False Descriptions, and Dilution Forbidden"): |
| 104 |
Both "Gentoo" and "M" have made false claims. |
| 105 |
- § 525. Liability For Fraudulent Misrepresentation |
| 106 |
http://blogs.kentlaw.iit.edu/perrittcivpro/fraudulent-misrep-rest525-html/ |
| 107 |
"M" has fraudulently misrepresented themselves under the DCO. |
| 108 |
- Negligent misrepresentation: |
| 109 |
This is where the anonymous/pseudonymous side comes back. Was Gentoo |
| 110 |
negligent by not verifying the identity |
| 111 |
|
| 112 |
Depending on how much preparation "A" does, their lawyers could start |
| 113 |
off just filing lawsuit against Gentoo for the above portions, and later |
| 114 |
amending the lawsuit to also include "M"; or naming "M" up-front. |
| 115 |
|
| 116 |
Gentoo could also file lawsuit(s) against "M". |
| 117 |
|
| 118 |
What could the outcomes be? It would come down to penalties as well as |
| 119 |
the damages suffered by "A" in the publication of Work "X". |
| 120 |
|
| 121 |
The one thing you can be certain of is that lawyers and the legal system |
| 122 |
will walk away being paid, and somebody else's bank account will be |
| 123 |
emptier! |
| 124 |
|
| 125 |
|
| 126 |
> - Have there been any precedent cases of copyright infringement |
| 127 |
> (constrained to the context of copyrighted ebuilds, or code of similar |
| 128 |
> nature) to make this a more realistic threat for the Foundation? |
| 129 |
In an open source context specifically, not that I'm aware of, or found |
| 130 |
in generous searching. |
| 131 |
|
| 132 |
In commercial software, YES, there have been lawsuits claiming copyright |
| 133 |
infringement via stolen source code. They sound like they have ALL been |
| 134 |
messy. |
| 135 |
|
| 136 |
> - In the case of a potential court case, how is the liability |
| 137 |
> distributed among involved parties? Would we be legally required to |
| 138 |
> track down the contributor (whose identity we may or may not have |
| 139 |
> confirmed yet)? |
| 140 |
Yes, the Foundation could be forced to disclose what we know, and/or |
| 141 |
share liability that could not otherwise be transferred. |
| 142 |
|
| 143 |
> The reason why I'm suggesting this is because I've talked to a friend of |
| 144 |
> mine, who is a software patent lawyer, about the DCO and GLEP. Their |
| 145 |
> first impression was that the DCO itself has no clause for requiring a |
| 146 |
> legal name, so signing it with a fake name may not violate the DCO |
| 147 |
> itself. So the (informal) conclusion is that as long as nobody sues you |
| 148 |
> for copyright infringement, there is no legal problem with using a fake |
| 149 |
> name to sign the DCO. I know it sounds very obvious but the point is |
| 150 |
> that legal people have a better grip of the situation than we do, and |
| 151 |
> the community is more likely to take their word and justification for it. |
| 152 |
They are correct: the DCO itself doesn't have any clause to that effect. |
| 153 |
This is why lawyers can be pedantic about the questions you ask. |
| 154 |
|
| 155 |
In the case of the kernel it's not the DCO specifically that prohibits |
| 156 |
pseudonyms or anonymous contributions, it's the tiny line of POLICY just |
| 157 |
below it: |
| 158 |
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst#n462 |
| 159 |
"using your real name (sorry, no pseudonyms or anonymous contributions.)" |
| 160 |
|
| 161 |
Similarly, GLEP76 is the equivalent Gentoo policy that requires real |
| 162 |
names. |
| 163 |
|
| 164 |
Many others have raised that the Foundation can/should/does accept |
| 165 |
contributions if the Foundation is itself aware of the real identity of |
| 166 |
the contributor. |
| 167 |
|
| 168 |
This DOES have a legal standing: |
| 169 |
The Berne Convention does state that anonymous & pseudonymous |
| 170 |
copyright is possible. It does not go into an implementation detail |
| 171 |
about how to achieve it. |
| 172 |
|
| 173 |
Copyright registration in many countries, even for anonymous & |
| 174 |
pseudonymous requires SOME identifying information: |
| 175 |
- US & Canadian law don't require the real name registering copyright, |
| 176 |
but they do require you to give a real address and pay registration |
| 177 |
fees. BUT... |
| 178 |
- Check out the form: https://www.copyright.gov/forms/formtx.pdf |
| 179 |
Section 2(a) NAME OF AUTHOR is optional |
| 180 |
Section 8 & 9, name and address ARE required. |
| 181 |
|
| 182 |
As such, while the registration itself is anonymous/pseudonymous, the |
| 183 |
government DOES know the identity of the copyright registrant. |
| 184 |
|
| 185 |
Other open source organizations DO accept it, but place disclaimers on |
| 186 |
it. Besides copyright assignments, CLAs, there are ALSO copyright |
| 187 |
enforcement agreements. |
| 188 |
|
| 189 |
The Software Freedom Conservancy has a very good example of this |
| 190 |
in the context of their Linux Enforcement Agreement: |
| 191 |
https://sfconservancy.org/docs/blank_anonymous-linux-enforcement-agreement.pdf |
| 192 |
"The parties acknowldege that Conservancy may be required to disclose |
| 193 |
Contributor's identity and participation in the Project in the context of |
| 194 |
litigation. Contributor hereby releases Conservancy from any liability |
| 195 |
associated with the disclosure of Contributor's identity in the |
| 196 |
context of litigation and/or any discussions related hereto." |
| 197 |
|
| 198 |
I believe that their Debian Copyright Enforcement Agreement |
| 199 |
https://sfconservancy.org/news/2015/aug/17/debian/ |
| 200 |
is available with similar language, but I have not been able to find a |
| 201 |
copy of that document. |
| 202 |
|
| 203 |
As dilfridge noted, the FSF also has a process for the work to be known |
| 204 |
under a pseudonym: the FSF publishes the pseudonym, but registers under |
| 205 |
the real name. |
| 206 |
https://www.gnu.org/prep/maintain/html_node/Copyright-Papers.html |
| 207 |
|
| 208 |
This only transfers accountability. The FSF does NOT accept anonymous |
| 209 |
contributions. The rest of that link suggests that the FSF also has a |
| 210 |
verification process in place that the FSF ensures they have sufficient |
| 211 |
legal standing for a copyright assignment, and THEIR process can require |
| 212 |
a copy of your employment contract. It doesn't specify if it includes |
| 213 |
asking for ID, but it doesn't rule it out either. |
| 214 |
|
| 215 |
The Foundation does know the identity of some past contributors who did |
| 216 |
not disclose their identity publicly at the time; some of these |
| 217 |
contributors later DID disclose their identity. This pretty much exists |
| 218 |
only in old email; and is probably a privacy and GDPR mess (I could |
| 219 |
assert it comes under something we are required to hold onto out of |
| 220 |
legal need right?) |
| 221 |
|
| 222 |
This comes back to what I said much earlier about an identity escrow |
| 223 |
service: the Foundation would not be the holder of the identity |
| 224 |
information (and probably shouldn't be). |
| 225 |
|
| 226 |
-- |
| 227 |
Robin Hugh Johnson |
| 228 |
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer |
| 229 |
E-Mail : robbat2@g.o |
| 230 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 231 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |
Archives