
Osborne Clarke - OpenChain - FOSSmatrix


  1. 1. Dr. Hendrik Schöttle Rechtsanwalt, Partner, Fachanwalt für IT-Recht 2021 Legal Tech Add-On for OSS Compliance FOSSmatrix
  2. 2. 1 osborneclarke.com Hendrik Schöttle has been working as a lawyer since 2005, since 2007 in Osborne Clarke's Munich office. He has worked several times in the legal departments of IT companies within the scope of secondments. He also worked for several years as a software developer at the Institute for Legal Informatics at Saarland University. His practical experience and technical know-how benefit his clients in technology-related consulting. He is the author of numerous publications, co-author of several handbooks and commentaries, including the Beck‘sche Handbuch IT- und Datenschutzrecht and the juris Praxiskommentar zum BGB. Hendrik Schöttle is a lecturer at the German Lawyers‘ Academy for the specialist IT law course and regularly gives lectures on IT law topics. He is a member of the board of BITKOM‘s Open Source Working Group, a member of the Committee on Data Protection Law of the German Federal Bar Association (BRAK), the Information Technology Working Group of the German Bar Association (DAV) and the German Society for Law and Information Technology (DGRI). Dr. Hendrik Schöttle advises on IT and data protection law. Hendrik Schöttle was named one of the best lawyers in IT law in 2019 and 2018 by both the Handelsblatt and Best Lawyers as well as by Wirtschaftswoche. A competitor quoted in the JUVE Handbook 2019/2020 recommends him as a “top name in open source”. He is listed in the Kanzleimonitor 2018/2019 and 2017/2018 as a repeatedly recommended lawyer in IT law. The Kanzleihandbuch Legal 500 Deutschland recommends him because of his “very good knowledge of IT, even when it comes to exotic questions” and his “very quick understanding of technical details”. In 2015 he was awarded the Client Choice Award by Lexology and the International Law Office (ILO) in the category IT and Internet Law. He has many years of experience in consulting, drafting contracts and negotiating complex IT projects. His focus is on IoT, digitalisation and cloud computing. He advises on software licensing models, especially open source software, and on data protection law. His clients include internationally active technology groups as well as renowned IT and e-business companies. Contact Dr. Hendrik Schöttle Partner, Fachanwalt für IT-Recht Germany +49 89 5434 8046 hendrik.schoettle@osborneclarke.com “Top name in the field of Open Source”. Competitor, JUVE Handbook 2019/2020
  3. 3. 2 osborneclarke.com Why a License Matrix? • Why a licence matrix when implementing Open Source Compliance? – Common scanning tools often only compile licence texts and copyright clauses, but do not provide a detailed and comprehensible overview of other licence obligations – All the obligations of a licence must be • scanned, evaluated and then • be matched with own use. – The interpretation of individual licences and their obligations is often controversial – The binary representation of a result alone does not help in the case of controversial interpretations
  4. 4. 3 osborneclarke.com Example: Use Case “ASP Use” • Example: Use Case “ASP use”: Is making software available in the form of Application Service Provision (ASP/SaaS) permissible? – Many licences do not contain clear rules on this – Usual solution: Many memos on individual licences. Unclear and no help for a quick overview of compliance with obligations depending on the specific use case • Our solution: – Splitting the question into partial aspects and arguments for or against – Weighting of the aspects with different score values and evaluation logic – Calculation of the score values – Clear presentation – Comparison with application scenarios of the respective company
  5. 5. 4 osborneclarke.com Example: Use Case “ASP Use” • Example: Use Case “ASP use”: Is making software available in the form of Application Service Provision (ASP/SaaS) permissible? • We asked ourselves two questions: − Is ASP use permitted under the relevant licence? − If yes: does ASP use trigger the respective obligations of the licence?
  6. 6. 5 osborneclarke.com Example: Use Case “ASP Use” • Is ASP use permitted under the relevant licence? − Does the licence text itself contain an explicit provision? − Are there official statements from product owners or licence stewards? − Is reference made to ASP Use Cases in the licence text? − Do licence obligations tie in with ASP Use Cases? − Was the licence created before ASP was known to be an independent form of use? − Does the licence generally contain a far-reaching grant of rights of use? − Is a right of public display or public performance granted? − Are there known cases of software licensed under the licence and used in the form of ASP? − Are there any other facts that indicate a right of use?
  7. 7. 6 osborneclarke.com Use Cases License Assessment – ASP provision allowed? [Figure: sample assessment table with one graded result per licence. Result levels shown: “Fully Compliant / No Conflict” (100): License does allow ASP provision. “Compliant / Conflict Unlikely”: License does likely allow ASP provision. “Open Issue / To be clarified” (50): Unclear whether license allows ASP provision. “Conflict” (20): License does likely not allow ASP provision.]
  8. 8. 7 osborneclarke.com Legal-Tech solution with two functions: • Evaluation of licences, standardised, fully documented and parameterisable with percentage data for automatic further processing • Use Case Mapping against the respective licenses with automated conflict checking Our approach
  9. 9. 8 osborneclarke.com Standardised assessment of individual licensing obligations By means of a predefined set of options and an associated evaluation metric and logic, licensing obligations can be clearly structured, automatically evaluated and compared. [Screenshot: FOSSmatrix license table (FOSSmatrix 2020, Osborne Clarke). Rows include AGPL, an Altova EULA, BSD 2-Clause, CC0 1.0, Google Chrome OS Adobe Additional ToS, Google Chrome OS MPEG Additional ToS and Google ToS. For each licence, the columns “distribution” and “use in DRM environment” show a rating (e.g. “Fully Compliant / No Conflict”, “Compliant / Conflict Unlikely”, “Limited Conflict”, “Conflict”, “Medium Alert / Limited Use Case Match”, “Information”), a score, a tag (e.g. “Permitted explicitly”, “Permitted implicitly”, “Permitted w/ restrictions where forbidden”, “Forbidden w/ exceptions where permitted”, “Forbidden explicitly”, “Forbidden implicitly”, “Required explicitly”, “Not mentioned”) and a justification citing the relevant licence sections. Most cell texts are cut off in the screenshot.] Legible explanatory notes from the screenshot: The term distribution is understood as the creation of multiple copies of the software and their provision to third parties. Distribution is not understood as the mere resale of one single copy received (which may be permitted under mandatory copyright laws anyway). Third parties in the aforementioned sense are any legal entities or natural persons other than the distributor. A mere internal provision of copies within one legal entity is not regarded as distribution. Distribution is also given in case of offering the software for download to the public. Permitted (explicitly/implicitly): Distribution is permitted. It may however be subject to certain minor conditions and restrictions. This applies for most open source licenses. Required (explicitly/implicitly): Distribution is required. This may apply for commercial licenses which do only cover distribution but not use for own purposes, e.g. in case of distribution of software as part of embedded products. Forbidden (explicitly/implicitly): Distribution is not allowed. For most commercial software its distribution is prohibited. A tag is set to explicit in case the license contains an explicit clause on distribution. It is set to implicit if the tag can only be derived indirectly from the license or its surrounding circumstances. Use case setting “Necessary”: Only licenses are accepted that require or permit distribution. All other licenses are refused. This use case is usually chosen in very limited cases only, where all components will be distributed and will not be used internally (which usually cannot be excluded). Use case setting “Favoured” (DRM environment): In this use case, a tendency towards licenses allowing the use within a DRM environment is expressed. However, this is not mandatory; licenses prohibiting it are accepted as well. Features
  10. 10. 9 osborneclarke.com Features Full documentation of the individual steps to the result found The expert opinion in tabular form: thanks to extensive documentation, every step of the assessment is and thus the overall result is also comprehensible.
  11. 11. 10 osborneclarke.com Features Parameterization of individual factors, therefore different evaluations are possible. Arguments can be weighted differently at any time. The result is automatically recalculated. In this way, your own risk affinity/aversion can be adjusted.
  12. 12. 11 osborneclarke.com Features Risk assessment with percentages: not only yes/no, but gradations in the percentage range, which can be further processed and automatically evaluated. In this way, even doubtful cases and grey scales can be recorded, evaluated and visualised. [Figure: sample assessment table for “ASP provision allowed?” with graded results per licence.]
  13. 13. 12 osborneclarke.com Features Distinction between three levels • Abstract license • Concrete software • Concrete use case of the software Application scenario of concrete software Concrete software Abstract license GPL 2.0 Linux Kernel Driver running in kernel space Application software running under Linux Busybox Stand-alone installation Self-written add- on to Busybox
  14. 14. 13 osborneclarke.com Best Practice | License Matrix | Our approach Mapping a separate use case against the respective licenses with automatic check and clear indication of risk score values and reference to individual check sections
  15. 15. 14 osborneclarke.com Features License comparison Quick overview of the main differences between individual licenses in direct comparison
  16. 16. 15 osborneclarke.com Features | Summary • Legal tech solution for license evaluation and use case mapping with the following features: – Standardised assessment of individual licensing obligations – Full documentation of the individual steps to the result found – Individual factors can be parameterised, therefore different valuations are possible (conservative approach vs. risk-taking approach) – Risk assessment with percentages (not just yes/no, but gradations in the percentage range, recording and visualising cases of doubt) – Mapping of an own use case against the respective licenses with automatic check and clear indication of risk score values and reference to individual check sections
  17. 17. 16 osborneclarke.com What we do 1. Use Case Development: We create customised use cases for you. Based on our experience, we define how you handle the software. 2. License check: You provide us with a list of licenses (if necessary, we will assist you with the creation). We check the rights and obligations of the licences that apply to your software. 3. Matching: We check your use cases for conflicts with the rights and obligations of the licences. What you get • Standard Package: Result of the use case matching, which clearly shows the compliance/non-compliance of the use cases with licenses • Extended Package: Additional, in-depth explanation of the rights and obligations of the individual licences with regard to the use cases - a legal memo in table form • Optional: Testing of specific software. This may be necessary for the licensor to understand the licence - this may differ from the general understanding of the licence. Our Offer
  18. 18. 17 osborneclarke.com Advantages • We start where the traditional tools stop: legal classification and evaluation of licences. More than “just” creating a Bill of Materials and fulfilling information obligations • Legally secure and fully documented - the memo of the external law firm in tabular form • Synergies through more than ten years of experience and the use of existing content enable efficient consulting
  19. 19. 18 osborneclarke.com Customers DAX 30 Group One of the world's largest automotive suppliers …
  20. 20. 19 osborneclarke.com Osborne Clarke is the business name for an international legal practice and its associated businesses. Full details here: osborneclarke.com/verein *Services in India are provided by a relationship firm Osborne Clarke International: 1,850 Employees (270+ Partners, 900+ Expert lawyers, 675+ Business Support), 26 International Offices. Europe: Belgium: Brussels France: Paris Germany: Berlin, Cologne, Hamburg, Munich Italy: Brescia, Busto Arsizio, Milan, Rome Netherlands: Amsterdam Spain: Barcelona, Madrid, Zaragoza UK: Bristol, London, Reading Asia: China: Shanghai Hong Kong India: Bangalore, Mumbai, New Delhi Singapore USA: New York, San Francisco, Silicon Valley