Open source technology is simply an evolved class of licensing under which wider, more permissive rights are given to users. Crucially, access to source code is given enabling user support and development of the code. While the open source philosophy originated in California, with frankly a long-haired approach, the model is now effectively mainstream and competes with conventional closed source licensing models (the 2008 Sun/MySQL and Symbian deals demonstrate the popularity of open source).
Buying and selling open source businesses
Successful technology merger and acquisitions (M&A) is typified by a meeting of minds around value and risk. Some of the unique open source risks include:
- Control over intellectual property rights (IPR) - if the target's products contain third-party open source technology, it is virtually certain that there will be gaps in IPR assurance - open source licenses typically disclaim any IPR non-infringement warranties or indemnities.
- Licence non-compliance or lack of process - as a buyer, it is safer to have a working assumption that the target is unlikely to have a strong licence compliance process and, therefore, breach of licence terms or IPR infringement is more likely to be a material risk for a heavy user of open source.
- Copyleft: the notorious risk - open source is licensed under a range of publicly available licence types which are classed as open source licences because they share a range of characteristics. However, within this class, licences range from simple or benign (BSD) to viral (GPL v2/3). The GPL licence tends to be the most popular form but contains tough obligations. If the user distributes product that contains or is derived from GPL v2 code, this distribution must be done at no cost on the terms of the General Public License, Version 2 (GPLv2). So if you buy a business and want to combine the target's code base with your own, if the target code is GPLv2, this could force the buyer to licence its code at no cost on an open source basis - this is no legal theory, this happens.
Dealing with open source M&A risk
The conventional due diligence and warranty approach still works but also think about:
- does the target have an open source policy - is it followed?
- can it define the scope of its usage?
- what open source is present, can it be listed?
- has the target had any correspondence with the open source or free software "community" (who actively police open source licences)?
If there is a viral licence which could trigger a copyleft issue then it is vital this is analysed from a legal and technical perspective to see if the buyer's plans for that product are consistent with the open source licence obligation.
Code scanning - the new due diligence
Technical organisations such as Black Duck are now emerging to provide source code scanning services to identify open source and the associated licence terms. Once identified, a risk assessment can be carried out prior to the transaction closing. Code scanners provide an effective way of understanding the nature of core software assets in a target's business and this process sits well alongside traditional IP due diligence.
Making sense of open source
Open source is not inherently risky - it should be treated like any other diligence issue. Provided buyer and seller understand the issues pre-transaction and reflect this in the transaction terms, there is no reason why open source should negatively impact a transaction. However, as in-depth knowledge of open source seems patchy at present, there remains the possibility of problems for the ignorant buyer.