Slovenia’s COVID-19 tracing app - an OSS compliance view

Slovenia

In a letter dated 23 June 2020, the Slovenian Ministry of Health asked the Ministry of Public Administration to develop a tracing application for the SARS-CoV-2 virus responsible for the disease COVID-19. The Slovenian government decided to avoid re-inventing the wheel and instead ordered the Ministry to develop an application based on the German model. In other words, the Slovenian version should function like the “Corona-Warn-App”. We of course hope that the software for our local version will be more compliant than the German application, since legal fact-checkers raised several red flags about it soon after its launch, relating to inconsistencies in its fulfilment of open-source software licencing obligations.

Open source and compliance

Software developers who use open-source software (OSS) sometimes make the misguided assumption that because OSS is freely available it is also free of licencing obligations. But the term “open source” refers to the freedom to use the software, not to freedom from the costs associated with using it.[1] Unlike commercial licences, under which users pay for the rights to use or distribute software, OSS programs are governed by their own licence terms, which impose strict contractual obligations of their own,[2] such as reproducing the licence text and other notices, or even providing a copy of the newly developed software itself.

One might still wonder what the fuss is all about: if the initial software is free, then the end software should be free too, right? Companies have adopted a wide variety of business models to solve the problem of how to profit from OSS. These strategies exploit users’ willingness to purchase either additional software features under commercial licences (so-called dual licencing arrangements) or additional services related to the OSS. Bearing this in mind, together with the stipulation of some OSS licences, such as the GNU General Public Licence v 2.0 (GPL-2.0), that the usage and distribution rights terminate upon breach of the licence obligations, it becomes clear why an OSS compliance policy should be in place.

OSS Case law

While initially disregarded as fringe law, OSS licence litigation cases have gained notoriety in recent years. In the 80s and 90s such cases were mainly settled out of court, until the 2004 German court decision that a missing licence text and missing source code are a breach of the GPL-2.0 obligations and can lead to injunctive relief measures.[3] Four years later, the U.S. decision in Jacobsen v. Katzer[4] considered the ability of a copyright holder to control the future distribution and modification of a work that the copyright holder had offered free for public use.[5] The Court of Appeals established that these licence terms are enforceable copyright conditions and sided with Jacobsen. Since Katzer had failed to comply with the copyright notices required by the software’s licence, he was violating the licence. Katzer was required to pay $100,000 to Jacobsen and was not allowed to reproduce any of Jacobsen’s material. Nowadays court cases requesting compensation for damages due to OSS violations reach or even surpass the $100 million mark.[6]

What does all this mean for the Slovenian government and the developer?

Keeping in mind everything I’ve said so far, it should be clear that the Slovenian government, as the contracting authority, should be aware of the OSS licencing issues and provide the necessary safeguards. Imagine my surprise, then, when the procurement notice published by the government doesn’t even touch upon licencing or copyright requirements. ‘Why?’, you may ask. Well, there are only a few possible answers - either the government believes that the developer will start anew without OSS, which could lead to a future vendor lock-in situation (in case of necessary upgrades, updates or other services), or the government simply believes that the developer will seek to comply with the licencing requirements on its own. This would require that the developer has set up internal policies and procedures for the involvement of OSS in development projects to detect risks and handle them properly. To summarize the necessary policy steps which would have to be taken:

  1. The developer will have to identify all OSS components appropriately during the development process.
  2. All the contractual conditions of those OSS components then need to be reviewed. This is to ensure that the OSS conditions do not conflict with the agreement concluded between the government and the developer (or with the use of the application in general).
  3. Should the analysis show that the agreement with the government and the OSS licence conditions are incompatible, the easiest solution would be to find technical alternatives to the OSS in question.
  4. Once the application has been developed, the formal requirements of the underlying licences will have to be met; this includes reproducing the correct licence texts, making an appropriate offer of the source code, etc.
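As an added illustration of steps 1 to 4 (this is not code from the post or from any tracing-app project), the following Python script audits a constructed, SBOM-style component inventory against a small licence policy: unidentified licences are blockers (step 1), strong copyleft components are flagged as conflicting with a closed, contract-governed delivery (steps 2 and 3), and missing licence texts or source offers are reported as unmet formal obligations (step 4). The policy table, the component names and every field name are assumptions made for this example; the inventory is constructed, not a real bill of materials.

```python
"""OSS licence audit over a constructed component inventory.

Added example for steps 1 to 4 above; it is not code from the post or from
any tracing-app project. The policy table, the component names and every
field name are assumptions made for illustration, and the inventory is a
constructed SBOM-style list, not a real bill of materials.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed policy: how each licence family behaves when the combined work is
# delivered under a closed, contract-governed ("proprietary") distribution.
# needs_source marks licences whose formal obligations include a source offer.
POLICY: Dict[str, Dict[str, object]] = {
    "MIT":           {"family": "permissive",      "needs_source": False},
    "BSD-3-Clause":  {"family": "permissive",      "needs_source": False},
    "Apache-2.0":    {"family": "permissive",      "needs_source": False},
    "LGPL-2.1-only": {"family": "weak-copyleft",   "needs_source": True},
    "GPL-2.0-only":  {"family": "strong-copyleft", "needs_source": True},
    "GPL-3.0-only":  {"family": "strong-copyleft", "needs_source": True},
}


@dataclass
class Component:
    """One entry of the (constructed) component inventory, step 1."""
    name: str
    version: str
    licence: str                  # SPDX identifier declared by the component
    licence_text_shipped: bool    # licence text and notices bundled with the app
    source_offered: bool = False  # source archive or written offer available
    linked_statically: bool = False


@dataclass
class Finding:
    component: str
    severity: str   # "blocker": conflicts with the delivery model (step 3)
                    # "review":  needs a legal decision before shipping
                    # "required": a formal obligation is unmet (step 4)
    message: str


def audit(components: List[Component], distribution: str = "proprietary") -> List[Finding]:
    """Steps 2 to 4: check every component against POLICY and the delivery model.

    distribution is "proprietary" (closed, contract-governed delivery) or
    "copyleft" (the whole application is itself released under a compatible
    copyleft licence, one of the alternatives step 3 leaves open).
    """
    findings: List[Finding] = []
    for c in components:
        rule = POLICY.get(c.licence)
        if rule is None:
            # Step 1 failed for this entry: an unidentified licence cannot be reviewed.
            findings.append(Finding(c.name, "blocker",
                f"licence '{c.licence}' is unknown or undeclared; identify it before shipping"))
            continue
        if distribution == "proprietary":
            if rule["family"] == "strong-copyleft":
                findings.append(Finding(c.name, "blocker",
                    f"{c.licence} requires the combined work to be released under the same "
                    "licence; find a technical alternative or change the delivery model"))
            elif rule["family"] == "weak-copyleft" and c.linked_statically:
                findings.append(Finding(c.name, "review",
                    f"{c.licence} code is statically linked; relinking must remain possible"))
        # Formal obligations apply under either delivery model.
        if not c.licence_text_shipped:
            findings.append(Finding(c.name, "required",
                "licence text and copyright notices must be reproduced in the distribution"))
        if rule["needs_source"] and not c.source_offered:
            findings.append(Finding(c.name, "required",
                "corresponding source code (or a written offer) must accompany the distribution"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity; all three keys are always present."""
    counts = {"blocker": 0, "review": 0, "required": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed inventory (names are made up, not real packages).
INVENTORY = [
    Component("exposure-sdk",  "1.0", "Apache-2.0",    licence_text_shipped=True),
    Component("json-parser",   "2.3", "MIT",           licence_text_shipped=False),
    Component("crypto-helper", "0.9", "GPL-2.0-only",  licence_text_shipped=True),
    Component("compat-lib",    "1.1", "LGPL-2.1-only", licence_text_shipped=True,
              source_offered=True, linked_statically=True),
    Component("vendored-blob", "?",   "UNKNOWN",       licence_text_shipped=False),
]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"[{f.severity:8}] {f.component}: {f.message}")
    print(summarize(audit(INVENTORY)))
```

Running it with the constructed inventory reports two blockers (the GPL-2.0 component under a proprietary delivery and the component whose licence was never identified), one item for legal review (statically linked LGPL code) and two unmet formal obligations (a missing MIT notice and a missing source offer). Re-running with `distribution="copyleft"` shows how changing the delivery model, rather than swapping components, removes the GPL conflict while the formal obligations remain; a real audit would take the inventory from a generated SBOM rather than a hand-written list.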

I’m not really sure which of the above two possibilities I prefer, both are pretty naive. There is of course a third option; namely, the government is not aware of the issue.

Conclusion

In addition to the application’s data protection issues and general tracing uncertainties, we can only hope that the government and developers will, without compromise, comply with the licencing obligations. A possible cease and desist letter due to licencing violations could not only lead to a temporary ban on the use of the application, but also trigger additional costs for the government, which in times like these would be money more wisely spent elsewhere.


[1] Edmund J. Walsh, Open Source Software Flexes Its Muscles, Corp. Couns. Mag., June 1, 2008.
[2] The Open Source Initiative (OSI) has approved various OSS licences; see here.
[3] District Court of Munich I, judgment of 19 May 2004, reference no. 21 O 6123/04.
[4] Jacobsen v. Katzer, 535 F.3d 1373 (Fed. Cir. 2008).
[5] In the case, Katzer used code from Jacobsen’s product to create commercial software. Jacobsen sued for copyright infringement because Katzer did not comply with the requirements of the Artistic Licence in order to utilize the code.
[6] The $100 Million Court Case for Open Source License Compliance, available here.