(I think I need to have lots more IANAL disclaimers in every paragraph
of this).

I apologize for the late response, but giant threads on the mailing list
have NOT been high on my priority list. I do have some answers for you,
but also further points to make.

Please read on for my inputs about examples of legal liability around
the DCO, as well as how other organizations handle it.

On Tue, Apr 09, 2019 at 08:46:00PM +0000, Gokturk Yuksek wrote:
> Alec Warner:
> > I think it is reasonable to try to pursue a more inclusive policy where
> > identity is more flexible (as I discussed in a different message on this
> > thread), but keep in mind the Council (and really a few key members) spent
> > over a year working on the policy we have; so I'm not certain it's a trivial
> > change. You are free to dislike the policy we have and you are free to
> > suggest we pursue a more inclusive policy, but at least here as a trustee
> > who voted for it we made a deliberate choice here and barring some middle
> > ground where we somehow understand that contributions to Gentoo are done in
> > a low-risk way, we will continue to reject commits from obvious
> > contributors.
I would like this part to be heard and followed. I too have personal
objections against publicly disclosing the identity of people who have
genuine reasons to not have that public (In a very recent example, I
have a coworker who can't contribute to open source anymore due to
harassment from an ex-spouse).

At the same time, the steps for another body to REALLY safely shield
their identity are not trivial, and have not really been done in a
sustainable manner before.

I don't LIKE the real name requirement, and I will help pursue a better
policy, but I also object to moving backwards, including the suggestions
of grandfathering in existing developers.

> > What I refuse to engage in is an incessant debate about the policy we have;
> > please accept that we made it in good faith to reduce legal risk for the
> > project and, if an alternative is presented that keeps risk low while
> > accepting a broader set of contributions we will consider it in the same
> > good faith.
If there were some identity escrow service, that provided reliable
pseudonymous identities, and it met the standards of law, while not
exposing further liability issues, I would be VERY happy to use it and
enable more contributions to Gentoo. This IS a hot field of business:
https://securid.ca/ is one local Vancouver startup that I'm personally
aware of looking at the concept (disclaimer: the CEO is a friend, and I
have answered his questions about conceptual ways to protect privacy
within the scope of court-demanded access to data).

> I don't doubt people's good faith in proposing this policy and I'm sure
> it's done with the best interest in mind. I apologize for not doing the
> homework for the following question: did the Foundation pay for any kind
> of legal counsel on this matter?
As the Foundation treasurer, to the best of my knowledge, the Foundation
did not pay for any legal counsel on this matter. I cannot state with
certainty if any Council member or Trustee other than myself consulted
legal counsel (and if they paid for the answer or not).

While at an open source conference, I did informally consult two lawyers
who specialize or previously specialized in the field of open source
licensing. I "paid" each of them with a drink, at my own expense (cash
to the bar, no paper trail), and got 3 different opinions. I did ask
about a formal opinion, but they were NOT willing to issue a full formal
opinion, as it didn't align with their interests at the time.

IANAL, but I will summarize their informal opinions. They did also point
me to written material that was superb:
"Practical Guide to Software Licensing: For Licensees and Licensors",
published by the American Bar Association, ISBN 978-1616328139

> I think one thing most of us struggle
> with is that we are not lawyers. It would help to put people's mind at
> ease if the Foundation consulted a lawyer that clearly explained:
>
> - What exactly is the legal liability being addressed here?
To put a specific concern to words:
- "A" is a legal entity, individual or corporate.
- Work "X" is copyrightable work, with a COMPLETED copyright
registration held** by "A", in the form of source code.
- Work "X" has NOT been released publicly at all, esp. has not been
released under an open source license by "A"
- Entity "M" contributes work "X" to Gentoo, claiming terms (a) or (b)
of the DCO. "M" could be identified, anonymous or pseudonymous (see
below).
- "A" discovers Gentoo distributing "X", and sues Gentoo for copyright
infringement.

** "Copyright held": This enters the debate of EU moral rights. Debate
over the semantics of the term is not relevant to this point.
** The copyright registration MUST be completed; there is caselaw

What laws & regulations have been violated here? These are primarily
civil infringements.
This is NOT a complete list, only a potential list.
- 17 U.S.C. § 504(c)(2); Gentoo is an "innocent" copyright infringer:
https://www.law.cornell.edu/uscode/text/17/504
"infringer was not aware and had no reason to believe that his or her
acts constituted an infringement of copyright"
- 17 U.S.C. § 504(c)(2); "M" is a "willful" copyright infringer: they KNEW about the origin &
license of the work.
- 15 U.S.C. § 1125(a) (Lanham act, section 43(a), "False designations of
Origin, False Descriptions, and Dilution Forbidden"):
Both "Gentoo" and "M" have made false claims.
- § 525. Liability For Fraudulent Misrepresentation
http://blogs.kentlaw.iit.edu/perrittcivpro/fraudulent-misrep-rest525-html/
"M" has fraudulently misrepresented themselves under the DCO.
- Negligent misrepresentation:
This is where the anonymous/pseudonymous side comes back. Was Gentoo
negligent by not verifying the identity

Depending on how much preparation "A" does, their lawyers could start
off just filing lawsuit against Gentoo for the above portions, and later
amending the lawsuit to also include "M"; or naming "M" up-front.

Gentoo could also file lawsuit(s) against "M".

What could the outcomes be? It would come down to penalties as well as
the damages suffered by "A" in the publication of Work "X".

The one thing you can be certain of is that lawyers and the legal system
will walk away being paid, and somebody else's bank account will be
emptier!


> - Have there been any precedent cases of copyright infringement
> (constrained to the context of copyrighted ebuilds, or code of similar
> nature) to make this a more realistic threat for the Foundation?
In an open source context specifically, not that I'm aware of, or found
in generous searching.

In commercial software, YES, there have been lawsuits claiming copyright
infringement via stolen source code. They sound like they have ALL been
messy.

> - In the case of a potential court case, how is the liability
> distributed among involved parties? Would we be legally required to
> track down the contributor (whose identity we may or may not have
> confirmed yet)?
Yes, the Foundation could be forced to disclose what we know, and/or
share liability that could not otherwise be transferred.

> The reason why I'm suggesting this is because I've talked to a friend of
> mine, who is a software patent lawyer, about the DCO and GLEP. Their
> first impression was that the DCO itself has no clause for requiring a
> legal name, so signing it with a fake name may not violate the DCO
> itself. So the (informal) conclusion is that as long as nobody sues you
> for copyright infringement, there is no legal problem with using a fake
> name to sign the DCO. I know it sounds very obvious but the point is
> that legal people have a better grip of the situation than we do, and
> the community is more likely to take their word and justification for it.
They are correct: the DCO itself doesn't have any clause to that effect.
This is why lawyers can be pedantic about the questions you ask.

In the case of the kernel it's not the DCO specifically that prohibits
pseudonyms or anonymous contributions, it's the tiny line of POLICY just
below it:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst#n462
"using your real name (sorry, no pseudonyms or anonymous contributions.)"

Similarly, GLEP76 is the equivalent Gentoo policy that requires real
names.

Many others have raised that the Foundation can/should/does accept
contributions if the Foundation is itself aware of the real identity of
the contributor.

This DOES have a legal standing:
The Berne Convention does state that anonymous & pseudonymous
copyright is possible. It does not go into an implementation detail
about how to achieve it.

Copyright registration in many countries, even for anonymous &
pseudonymous requires SOME identifying information:
- US & Canadian law don't require the real name registering copyright,
but they do require you to give a real address and pay registration
fees. BUT...
- Check out the form: https://www.copyright.gov/forms/formtx.pdf
Section 2(a) NAME OF AUTHOR is optional
Section 8 & 9, name and address ARE required.

As such, while the registration itself is anonymous/pseudonymous, the
government DOES know the identity of the copyright registrant.

Other open source organizations DO accept it, but place disclaimers on
it. Besides copyright assignments, CLAs, there are ALSO copyright
enforcement agreements.

The Software Freedom Conservancy has a very good example of this
in the context of their Linux Enforcement Agreement:
https://sfconservancy.org/docs/blank_anonymous-linux-enforcement-agreement.pdf
"The parties acknowledge that Conservancy may be required to disclose
Contributor's identity and participation in the Project in the context of
litigation. Contributor hereby releases Conservancy from any liability
associated with the disclosure of Contributor's identity in the
context of litigation and/or any discussions related hereto."

I believe that their Debian Copyright Enforcement Agreement
https://sfconservancy.org/news/2015/aug/17/debian/
is available with similar language, but I have not been able to find a
copy of that document.

As dilfridge noted, the FSF also has a process for the work to be known
under a pseudonym: the FSF publishes the pseudonym, but registers under
the real name.
https://www.gnu.org/prep/maintain/html_node/Copyright-Papers.html

This only transfers accountability. The FSF does NOT accept anonymous
contributions. The rest of that link suggests that the FSF also has a
verification process in place that the FSF ensures they have sufficient
legal standing for a copyright assignment, and THEIR process can require
a copy of your employment contract. It doesn't specify if it includes
asking for ID, but it doesn't rule it out either.

The Foundation does know the identity of some past contributors who did
not disclose their identity publicly at the time; some of these
contributors later DID disclose their identity. This pretty much exists
only in old email; and is probably a privacy and GDPR mess (I could
assert it comes under something we are required to hold onto out of
legal need right?)

This comes back to what I said much earlier about an identity escrow
service: the Foundation would not be the holder of the identity
information (and probably shouldn't be).

--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136