Eben Moglen’s open source legal services firm, Software Freedom Law Center, has hit out at suggestions that users of the GNU General Public License are at any additional risk of criminal liability under the Sarbanes-Oxley Act.
The center was set up in February 2005 by Moglen, who is professor of law and legal history at Columbia Law School and general counsel for the Free Software Foundation, to provide legal services to open source software projects and developers.
It has been moved to issue a paper on SOX and the GPL in order to counter reports indicating that companies using GPL-licensed software, such as the Linux operating system, might be breaking federal securities laws.
Recent discussion regarding the GPL and SOX have been wrought with false information and have prompted the SFLC to issue its position on the topic, said Moglen, SFLC chairman.
While the SFLC did not pinpoint the reports it considered to be erroneous, a recent study from network storage software vendor Wasabi Systems Inc, appears to have raised concerns. The Wasabi report was released in January with a statement that many companies using Linux for embedded applications many be unwittingly violating the Linux license and even breaking federal securities laws.
Norfolk, Virginia-based Wasabi’s argument was that SOX requires public companies to disclose certain information, including intellectual property ownership. Thus, if a company is violating the GPL, executives who do not disclose the cheating are violating the Sarbanes-Oxley Act, because they are not truthfully disclosing that they do not lawfully own their intellectual property, the Wasabi report argued.
Even companies which comply with the GPL may be violating the Sarbanes-Oxley Act if they do not adequately comply. Even if an executive thinks the company is complying, s/he may still be breaking the law if adequate control measures are not in place, it added.
SFLC has dismissed such a suggestion. There is in fact no special risk for developing GPL’d code under SOX. Under most circumstances, the risk posed to a company by SOX is not affected by whether they use GPL’d or any other type of software. Arguments to the contrary are pure anti-GPL FUD.
It should be noted that Wasabi, which uses both GPL- and BSD-licensed software, pointed out that its concerns related specifically to OEMs that modify Linux code within embedded systems without releasing their modifications, as opposed to companies simply running emmbedded Linux.
However, SFLC maintained that either way, the issue was not specific to the GPL and should be considered as part of ongoing compliance liability review. The dangers of accidental criminal liability under SOX are no greater for GPL’d software than for non-GPL’d software, its paper stated.
While GPL compliance can be an important part of… analysis and compliance with SOX, risks associated with the use of GPL software should be considered in the full context of securities law compliance. In the end, contrary to what others may argue, there is in fact no additional SOX liability or risk for using GPL software, it concluded.