"Intellectual Property (IP) is one of the least understood and most poorly managed assets of most organizations and may represent either the single largest revenue opportunity - or the most significant drain on profitability."
The TIM Lecture Series provides a forum that promotes the exchange of knowledge between university research and technology company executives and entrepreneurs. Readers outside the Ottawa area who are unable to attend the lectures in person are invited to view upcoming lectures in the series either through voice conferencing or webcast.
On June 18, 2008, Mahshad Koohgoli, CEO of Protecode, delivered a presentation entitled "Practicing Safe Software: Good Software Record". This section provides the key messages from the lecture. Mahshad's lecture discussed the drivers behind establishing software IP (intellectual property) pedigree as well as the preventive and corrective methods of detecting and managing external IP in a project.
Problem Statement and Issues
Section one of the lecture focused on good record keeping as an essential part of quality software development. Code contamination is not a problem unique to open source software (OSS): commercial code can also carry contaminated IP and can itself contaminate other code. Without records, nobody really knows what is in the software product. Keeping good records on what goes into software is essential; doing it manually is impractical and painful. Large and small companies alike suffer from lack of records and IP uncertainties.
Doubts about IP cleanliness in software have commercial consequences. If there is uncertainty, it is much harder to convince customers to purchase and the company's value decreases in the event of a merger or acquisition (M&A). Very little contamination can result in serious problems. For example, in Veritas vs. Microsoft, 56 lines were rewritten from C to C++ with two lines remaining verbatim. Moreover, license compatibility is a key challenge. It is not sufficient to say that component 1 and component 2 have clean IP as the licenses for both components need to be compatible. Enforcement is occurring in the marketplace. German courts aggressively go after GPL violators and the US has seen many high profile cases. However, most cases are still resolved quietly without going public.
IP contamination is still occurring even though software processes have improved. For a long while there were no automated software-content record keeping solutions. There is a need for software governance. You can't leave it to the developers to know what is important to record--policies are important. Don't leave it to the lawyers to fix as this is always too late and too expensive. For developers and even their managers, it is difficult to interpret licensing terms for both commercial and OSS. Indemnification affects scale. Very large companies assume it as a risk of doing business. Many companies' margins are so low that they can't provide indemnity and therefore miss out on some business opportunities.
Know what is in your product--what you don't know can hurt you. Open source philosophy has its merits, and we must still respect the IP of open source creators who choose to retain copyright and to use strict licensing terms. IP has significant value.
Why is this a problem now when software has been around for over 50 years? It is a combination of very competitive business practices, more efficient software processes, and the ease of finding and incorporating external code. Moreover, a lot of the new creativity isn't building from scratch, but from combining existing modules. There is a business opportunity in automated record keeping tools for both lawyers and companies who wish to resolve IP violations.
Risk of IP contamination may be overblown due to the difficulty and cost of finding violations and pursuing litigation. In Canada, you'll be fined for the defendants' costs if you lose the lawsuit.
Solutions
The second half of the presentation discussed the types of IP tracking solutions. Corrective solutions analyze the finished software. With these, you can't detect what you can't identify; that is, the template must be in your database in order to detect it in your code. Therefore, corrective solutions need large and thorough IP databases to work reasonably well.
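The limitation described above, that a corrective tool can only report code whose template is already in its database, can be seen in a small line-fingerprinting scanner. The code below is an added illustration, not Protecode's product or any tool from the lecture; the template database, the candidate file and the "clean" file are all constructed samples, and the k-gram size, the match threshold and the crude `//`-comment normalizer are assumptions chosen for the example.

```python
import hashlib
import re

# Constructed sample "database" holding one known external template. A real
# corrective tool would hold fingerprints for a very large corpus of files.
KNOWN_TEMPLATES = {
    "oss-bubble": """
        int swap_needed(int a, int b) {
            return a > b;
        }
        void bubble(int *v, int n) {
            for (int i = 0; i < n; i++) {
                for (int j = 0; j < n - i - 1; j++) {
                    if (swap_needed(v[j], v[j + 1])) {
                        int t = v[j]; v[j] = v[j + 1]; v[j + 1] = t;
                    }
                }
            }
        }
    """,
}

# Constructed candidate: the helper was rewritten, but the loop is still verbatim.
CANDIDATE = """
    // helper rewritten; the loop body below is still a verbatim copy
    static int needs_swap(int a, int b) { return a > b; }
    void bubble(int *v, int n) {
        for (int i = 0; i < n; i++) {
            for (int j = 0; j < n - i - 1; j++) {
                if (swap_needed(v[j], v[j + 1])) {
                    int t = v[j]; v[j] = v[j + 1]; v[j + 1] = t;
                }
            }
        }
    }
    int main(void) { return 0; }
"""

# Constructed code with no entry in the database: the scanner cannot see it.
CLEAN = """
    unsigned checksum(const unsigned char *p, unsigned n) {
        unsigned s = 0;
        while (n--) s = s * 31 + *p++;
        return s;
    }
"""


def normalize(source):
    """Strip // comments, surrounding whitespace and punctuation-only lines
    (lone braces) so re-indenting or re-commenting does not hide a copy."""
    out = []
    for raw in source.splitlines():
        line = re.sub(r"//.*$", "", raw).strip()
        if line and re.search(r"\w", line):
            out.append(line)
    return out


def fingerprints(source, k=3):
    """Hash each window of k consecutive normalized lines. The set of these
    hashes is the 'template' a corrective tool stores for a known file."""
    lines = normalize(source)
    return {
        hashlib.sha256("\n".join(lines[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(lines) - k + 1)
    }


def build_database(templates, k=3):
    return {name: fingerprints(src, k) for name, src in templates.items()}


def scan(candidate, database, k=3, threshold=0.2):
    """Return [(template name, share of the candidate's windows found in it)],
    strongest match first. Code whose template is absent stays invisible."""
    cand = fingerprints(candidate, k)
    if not cand:
        return []
    hits = []
    for name, known in database.items():
        shared = len(cand & known)
        share = shared / len(cand)
        if shared and share >= threshold:
            hits.append((name, round(share, 2)))
    return sorted(hits, key=lambda hit: -hit[1])


if __name__ == "__main__":
    db = build_database(KNOWN_TEMPLATES)
    print("candidate:", scan(CANDIDATE, db))  # partial verbatim copy is found
    print("clean:", scan(CLEAN, db))          # no template to match against
```

The partial copy is reported because three of its five line windows still hash to windows of the stored template; the checksum routine produces no hit, which says nothing about its origin, only that no matching template was recorded. That is why the size and coverage of the database, rather than the matching logic, decides how useful a corrective scan is.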
Record keeping and detecting and creating records of external content should be transparent to developers, unless the company policy dictates otherwise.
A bill of materials (BOM) provides information about the software components, including the information needed to enforce policy and perform due diligence. The software supply chain is anchored around the BOM. Software is usually seen as an art, but it is evolving into a manufacturing process. A BOM may also be useful in secure software assurance.
With regards to existing products rather than greenfields, some companies don't want to know what is in current code and instead have a clearly defined point where record keeping begins. Others want to annotate older code.
Is recycled code released as OSS a problem? A company's problem is anything that violates their policy.
Most IP violations are unintentional. An employee can make fraudulent records, but record keeping retains the trail. Many employment contracts contain clauses against plagiarism.
Legal advice is always needed to assess a company's particular IP risk and liabilities. Good record keeping helps the legal process.
Mahshad finished the presentation with a quick tour of his product from Protecode. Protecode automatically makes records of the content that ends up in software, and can automatically check the content against the policies. Automated software-content record keeping is unobtrusive and transparent to the developer. Protecode can make records as code is created/imported or traverse and identify an existing software branch in the firm's repository. It allows you to define a record keeping policy by: i) acceptable licenses; ii) minimum size of code to be analyzed; and iii) corresponding actions for violations and unknowns.
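The three policy terms just listed, the BOM described under "Solutions", and the license-compatibility point from the problem statement (two components can each be clean yet not combinable) fit together in a short checker. The code below is an added example and is not Protecode's code; the BOM entries, the policy values and the pairwise incompatibility table are constructed for illustration, and the table is a deliberately simplified assumption rather than a reference on the licenses named.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Component:
    """One entry in the software bill of materials (BOM)."""
    name: str
    version: str
    license: Optional[str]  # SPDX-style identifier, or None when no record exists
    lines: int              # size of the included code, in lines
    origin: str             # where the code came from (constructed values below)


@dataclass(frozen=True)
class Policy:
    """Record keeping policy in the three terms the lecture lists."""
    acceptable_licenses: frozenset
    min_lines: int          # smaller components are recorded but not evaluated
    on_violation: str       # action for a recorded license outside the set
    on_unknown: str         # action for a component with no license record


@dataclass(frozen=True)
class Finding:
    component: str
    kind: str               # "violation" or "unknown"
    action: str
    reason: str


# Hypothetical, simplified compatibility table: license pairs assumed not to be
# combinable in one distributed work. Constructed for the example only.
INCOMPATIBLE_PAIRS = frozenset({
    frozenset({"GPL-2.0-only", "Apache-2.0"}),
    frozenset({"GPL-2.0-only", "Proprietary"}),
    frozenset({"GPL-3.0-only", "Proprietary"}),
})


def check_bom(bom, policy):
    """Apply the policy to every BOM entry at or above the size threshold."""
    findings = []
    for c in bom:
        if c.lines < policy.min_lines:
            continue  # recorded in the BOM, but below the analysis threshold
        if c.license is None:
            findings.append(Finding(c.name, "unknown", policy.on_unknown,
                                    "no license record for imported code"))
        elif c.license not in policy.acceptable_licenses:
            findings.append(Finding(c.name, "violation", policy.on_violation,
                                    f"license {c.license} is not in the acceptable set"))
    return findings


def incompatible_combinations(bom):
    """Pairwise check: two individually acceptable components may still clash."""
    hits = []
    for a, b in combinations(sorted(bom, key=lambda c: c.name), 2):
        if a.license and b.license and frozenset({a.license, b.license}) in INCOMPATIBLE_PAIRS:
            hits.append((a.name, b.name))
    return hits


# Constructed BOM for a hypothetical product.
SAMPLE_BOM = (
    Component("httpclient", "2.1", "Apache-2.0", 12000, "vendor tarball"),
    Component("libfoo", "1.4", "MIT", 4200, "public repository"),
    Component("netparse", "0.9", "GPL-2.0-only", 900, "public repository"),
    Component("sort-snippet", "n/a", None, 56, "pasted from a forum post"),
    Component("tiny-helper", "n/a", None, 2, "pasted from a forum post"),
)

# Constructed policy: three acceptable licenses, 50-line threshold, and an
# action for each of the two outcomes.
SAMPLE_POLICY = Policy(frozenset({"MIT", "BSD-3-Clause", "Apache-2.0"}), 50, "block", "flag")


if __name__ == "__main__":
    for f in check_bom(SAMPLE_BOM, SAMPLE_POLICY):
        print(f"{f.action.upper():5} {f.kind:9} {f.component}: {f.reason}")
    for a, b in incompatible_combinations(SAMPLE_BOM):
        print(f"INCOMPATIBLE {a} + {b}")
```

Run as written, the GPL component is blocked, the 56-line snippet with no record is flagged, the two-line helper is recorded but skipped because it falls under the threshold, and the Apache-2.0 and GPL-2.0-only entries are reported as a pair even though Apache-2.0 on its own is acceptable. Raising `min_lines` or widening the acceptable set changes the findings without touching the BOM, which is the point of keeping the record and the policy separate.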
Recommended Resources