Technology

What do the rises of AI and of source-available licences hold for the software world?
- Proprietary “source available” licences are increasingly replacing open source when pursuing and expanding commercial purposes.
- The EU's pending Cyber Resilience Act and the Product Liability Directive focus on IT security and product responsibility with extensive new obligations for software manufacturers.
- For open-source AI outputs, safeguards and requirements need to be implemented to ensure that works comply with IP and data protection regulations.
Rapid technological progress, particularly in artificial intelligence (AI), has meant open-source licences have been confronted with a range of new and emerging challenges – not only to the licence model itself but also to the contributions made to open-source projects and the output data generated when AI uses open source.
Free open source in decline
Open source refers to a type of software or technology that is freely available to the public to use, modify and distribute. It is typically developed by a community of developers who distribute their code along with the software. High-profile examples of open-source projects include the Linux operating system and the VLC media player.
In the last few years, open-source licensed projects have increasingly been replaced by proprietary source-available licences, under which the software source code remains available under certain conditions and can be used free of charge. This development is partly due to difficulties that existing licensing models face in addressing the latest technological advances such as trained AI models.
Examples of this move towards non-open-source licences include HashiCorp’s licence for the Terraform software (infrastructure-as-code platform) and the Vagrant software's transition from the Mozilla Public License (MPL 2.0) to the specially created Business Source License (BSL 1.1).
Source-available licences
The source-available licence allows the copying, modification, redistribution, and non-commercial and commercial use of its source code under specific conditions. This offers enterprises control over how their source code can be commercialised. Fundamentally, source available and open source share similar qualities and can be used to lower the costs and speed up software development.
In practice, however, the project owners of source-available software still reserve special rights, such as the prohibition of certain "use cases" that are economically disadvantageous for the project owners or the exclusive commercial use of the code or contributions in the future. For example, project owners may set up restrictions that prevent cloud infrastructure providers from building a paid service out of their code.
Risks and pitfalls
As source-available licences are often marketed under the branding "open source", even though they do not meet the Open Source Initiative’s or Free Software Foundation’s criteria, there is a high risk of confusion between source-available and open-source software.
Source-available licences can also create a "vendor lock-in" situation where developers are unable to switch between technologies as they are not interoperable with other systems or products, resulting in reduced collaboration. Another typical pitfall is the difficulty in using relicensed projects where other conditions may apply after the relicensing.
While some providers are considering a licence change, others are still expressing their support for “genuine” open source and for the concerned open-source community which is taking a critical view of this development towards non-open source.
Copyright and licensed projects
An increasingly large number of companies are not only using open-source software but also actively contributing to it – with some maintaining their own open-source projects. However, questions arise from a legal perspective in terms of how the copyright of contributions should be addressed.
Typically, small contributions are not capable of copyright protection, but larger parts can be subject to it. Often, contributions are simply subject to the same licence as the main project (in this case, the inbound licence covering the contributions is the same as the outbound licence under which the project is made available to the public).
Many projects also use a so-called contributor licence agreement (CLA), which is concluded between the project owner of the main project and the individual contributor. Furthermore, in some cases, CLAs grant extensive rights to the contributions that go well beyond the rights and obligations provided for in the main project.
Understandably, CLAs are perceived with scepticism in the software community, with many members considering them to be contradictory to the concept of open-source software. It is important to look closely at the respective CLA before contributing to any open-source project under it and consider carefully what kind of CLA to use (if at all) when setting up a project.
Regulatory frameworks
EU-level legislation is pending that will have implications for open-source software: the Cyber Resilience Act (CRA) and the Product Liability Directive (PLD). Both focus on IT security aspects and associated product responsibility and are likely to introduce extensive obligations that must be met by software manufacturers; for example, when carrying out conformity assessments as well as drawing up technical documentation.
Legislation was still ongoing in December 2023, but both the CRA and PLD are expected to have an impact on the open-source software community. The legislative process has introduced numerous uncertainties for the community; it is unclear whether and to what extent open-source software and contributions to it fall within the scope of and could be subject to the CRA and the PLD.
The latest draft of the PLD has clarified, however, that microenterprises and small enterprises will be subject to its liability regime. Only certain commercial open-source software is likely to be subject to the PLD, which we believe will provide some relief for both the projects and contributors. Nonetheless, contributors and project owners should keep an eye on future developments to ensure they comply with the obligations once they are in force.
Open-source AI licences
Licence compatibility and information for open-source AI are a necessity. Open-source AI outputs are generated in a similar manner to open-source software; anyone can consult, use, modify and distribute the source code. This method of AI creation means that the output may be created by using several types of available open-source licences (for example, GNU, GNU GPL and Apache).
While collaboration in AI development is encouraged, it is important to ensure that the licence components used for the AI outputs are compatible. Permissive licences should be used rather than copyleft, as they are less restrictive and require fewer precautions when redistributing the resulting work.
It is now also possible to develop software via generative AI, in particular, using application programming interfaces developed by companies such as OpenAI. A developer can ask the generative AI to develop for them, and the generative AI will most likely use open-source software without considering the important legal questions; for example: what licences have been used? Have the licence conditions been respected? Does the code have to be redistributed? When a client entrusts software development to a developer company, multiple warranties are needed, particularly intellectual property (IP) warranties.
IP and data protection risks
The output data generated by an AI using open source may potentially be derived from patented or copyrighted works. It is, therefore, necessary for the open-source community to ensure not only that all contributors comply with the licensing requirements but also that they respect any third-party prior IP rights.
Caution over data protection should also be taken given the large amounts of data needed to generate any AI output, in particular for foundation models. The collection of data may require the consent of all relevant parties and care must be taken to minimise the data collected.
The open-source community and developer companies will need to take note and address as many of these issues as possible to reduce the regulatory burden of incoming AI governance rules from the EU.

Prepare for the AI Act
Political agreement was reached on the AI Act draft in December 2023, which creates a new three-tier obligation framework for AI systems. Although the impact of the AI Act on open-source AI is unclear, future software development will probably need to comply with this new regulatory framework, especially over copyright policy and the information obligation for training data. The agreed text has yet to be adopted, but companies should prepare to adjust their AI-related activities to comply with the AI Act as soon as the framework is adopted.
Authors
Dr Lina Böcker Partner, Germany lina.boecker@osborneclarke.com
Tim Schmetzer Associate, Germany tim.schmetzer@osborneclarke.com
Dr Hendrik Schöttle Partner, Germany hendrik.schoettle@osborneclarke.com
Beata Völker, LL.M. Associate, Germany beata.voelker@osborneclarke.com
Laurène Zaggia Counsel, France laurene.zaggia@osborneclarke.com