Monthly Archives: November 2009

Updating Contract Language for the 21st Century

GPL, WordPress and Themes

I saw an intriguing post the other day by Jennifer Schiffer on WordPress, themes and the GPL. She linked to a video of Matt Mullenweg (one of WordPress’ lead developers) who was talking about why WordPress was a GPL product (short answer: they didn’t really have a choice because WP is based on b2, which was GPL) and, more specifically, was talking about why themes and plugins are also then GPL.

The truth of the matter is that the GPLv3 is a very restrictive license, in as much as it’s also a harbinger of freedom. The GPL was written in a way to specifically retain the freedoms it grants through successive iterations of a particular product, or its add-ons. This means that if you like a GPL product, develop a derivative work, a modification, a plug-in or any other type of add-on, the resulting work is also going to be covered by the GPL (you do not have a choice in this).

“You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License.” – Section 10 of the GPL

This means that unless the WordPress GPL (yes, they’re specific by product… you can ADD restrictions if you want… so no 2 GPL’d products are necessarily identically licensed – we’ll talk about this in a minute) allowed for a theme developer to restrict the distribution of a theme, a theme developer isn’t allowed to add that restriction on their own. Your development on a GPL product inherits the license of the original product.

Inheritance is a powerful concept because it creates license congruity, ad infinitum, for all downstream works of the original code. It would be extremely difficult to manage license compliance if WordPress had one license, but a plug-in had a different one.

But there’s apparently a wonderful new theme available for WordPress called Thesis. Its developer sells two several different versions of the theme (selling under the GPL is fine). The problem comes to light when you look at the options:

Personal: one site only; footer link must remain intact; can’t re-sell theme or modifications
Developer: can create multiple sites and must pay Thesis developer for each site deployed; can remove footer link; can’t re-sell theme or modifications

And these options are problematic because they violate the GPL v2 under which WordPress is licensed. Specifically, Section 2, which states, in part:

“You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.”

and Section 6:

“Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients’ exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.”

(Note that v2 and v3 of the GPL are vastly different animals… and v2 was actually more in the realm of “free as in free beer” than v3, which touts freedom as “free as in free speech, not free beer”.)

So, in fact, the Thesis theme, as a WordPress derivative work, is bound to the GPLv2 license that WordPress is licensed under. As such, even the sale of the theme is a problem, as are the one-site-only restrictions and the “can’t re-sell” restrictions. Note: the footer link restriction is probably fine, as it could qualify as the attribution allowed under the GPL. Additionally, it could be argued that the fee charged is for the “physical act of transferring a copy” as allowed by Section 1 of GPLv2, but even then, the remainder of the unauthorized restrictions are still problematic.

But who is going to do anything about this violation? Who has the right to enforce the license? WordPress? The folks at b2 (WordPress’ predecessor)? Any particular end user? Technically, it’s the folks at WordPress who have the right to enforce their license upon theme and plug-in developers. They have the ability to potentially even sue to prevent a rogue developer from violating their license with WordPress [though I’m guessing that a theme developer is going to try to argue that a theme isn’t a derivative work or a modification]. But this is inherently difficult. So instead, WordPress is taking a slightly different tack. They’re going to create a Theme Page on the main WordPress website which only lists themes that follow the GPL (by the way, all derivatives have to be GPLv2 licensed, as the WordPress license doesn’t allow for newer versions of the GPL to apply). I’m guessing that Thesis won’t be listed.

Who can audit?

3 Replies

I posted the question on Twitter the other day: “How does the SPA have the authority to audit software license use? In thousands of licenses I’ve never given them that right.”

I was looking for some insight that I might have missed. In the world of contracts, your license actually will specifically state who has the ability to audit your license usage (if they have the right at all). And in the world of law, the term “standing” is used to show who actually is allowed to raise a particular issue (via the courts, etc). So the SPA/BSA/SIIA (SIIA is their current incarnation) (or any other third-party “enforcer”) wouldn’t have the legal right to ever come in and audit your software license use unless there’s language in the license that allows for such audit.

Even general audit language is probably safe to prevent the SIIA from knocking on your door one day. Typical audit provisions include:

explanation of who can come to audit (it usually says that the vendor has the right to audit)
time-frame of any audits (I typically am very clear to limit audits to 1 time per calendar year)
notice for audits (even bad audit language usually says that the vendor has to notify the licensee of the intent for an audit)
who besides the vendor can come audit (if 3rd parties are allowed, I limit to a “big-four” accounting firm and have NEVER been challenged on this limit)

The result is that even with not-so-favorable audit language, I simply don’t see how the SIIA has any right to come and perform an audit, let alone try to sue a licensee for license violations (again, any license that has “no third-party beneficiary” language in it could be used to very clearly show that the SIIA doesn’t have any rights with respects to the license).

Additionally, it’s been suggested that there are two other routes to allow such an audit: the “source” (the licensee’s employee who reports a violation) and the potential for an assignment of audit rights. As for the source person, unless they’re also the person in the company who can allow someone to come in, that individual probably doesn’t have internal authorization to allow the audit to happen – so I find this unlikely. The assignment of audit rights potential does exist, and contracts that have poor assignment language could potentially allow the vendor to assign their rights to someone else (and, in fact, it appears that the SIIA attempts to use an assignment of rights in this manner). So it’s conceivable, but I’ve never seen the language used in that way.

At the end of the day, the lesson is this:

Have strong audit language which clearly states who can perform the audit, on what time basis they can audit and what the results would mean (ie: usually you don’t have to pay any form of penalty unless usage exceeds 10% of the licensed quantity – but you’ll always have to pay for the difference in usage). Include notice provisions and be very clear about whether the vendor can outsource their auditing… many will use large auditors, which is fine, but you don’t want Andy’s Audit Shack to be performing the audit. Lastly, if you’re maintaining any kind of uber-confidential information (like SSN’s, bank account numbers, etc), then I would also be clear about what kinds of auditing tools can be used to complete the audit, as many vendors like to install their own auditing software onto your network.
Have clear assignment language which prevents EITHER party from assigning the agreement without the other party’s consent (not to be unreasonably withheld, if you so choose): “Neither party may assign or otherwise transfer this Agreement or any of the rights hereunder, without the prior written consent of the other, which consent will not be unreasonably withheld or delayed.”.

OK – so you’ve done the prior two things and the SIIA comes knocking (physically or with a letter requesting/demanding an audit). What do you do? Simple. Deny them access – in writing. They’ll threaten, similar to the Big Bad Wolf, to huff and puff and to blow your house down. But if you’ve got things properly documented, the SIIA simply doesn’t have the legal right to audit. It doesn’t matter whether the vendor they’re supposedly auditing for is a SIIA member. It doesn’t matter if they claim to have permission. (Oh, and interestingly enough, if they name names and tell you which vendor sent them to you, I would check your license agreement with that vendor because many vendors like to include confidentiality restrictions which prohibit either party from even identifying the other.)

Now, regardless of everything I’ve just told you, I also firmly believe that you should always be 100% compliant with your contractual obligations. So use some form of license management tool to know that you’re only using what you’re licensed to use.

Software Licensing Handbook now available as an eBook

LicensingHandbook Archive

Licensing, negotiation and contracts. Who knew it could get interesting?