ConsortiumInfo.org
Copyright Licenses Are Key When Including Software in Standards

10/04/2022

The following article was co-written with Michele Herman of JustTech

Open source software and open standards have many similarities, but the legal frameworks under which each is created have real and important differences. Nonetheless, there is an increasing desire to combine the benefits of both open source and standards in the development of new interoperable software-based technologies. The good news is that the differences in legal frameworks can be reconciled by giving care to the rules under which standards are developed. One key area of attention to achieve this end involves the copyright rules under which open source elements of standards are made available.

Of course, many thousands of standards have been developed for decades that are intended to be implemented in software, particularly in order to achieve interoperability. Such standards generate multiple competing commercial implementations, some of which have been developed through open source software (OSS) communities, while other commercial implementations remain proprietary. Standards setting organizations (SSOs) and OSS communities also develop (or contract for the development of) software to enable more rapid deployment of standards-based solutions. Examples include standards compliance testing and product certification test tools, and even complete reference implementations to aid in interoperability testing.

The mere development and use of software by SSOs in these ways has for the most part not given rise to conflicts with traditional SSO patent policies that permit participants to license their essential patent claims (i.e., those patent claims that would be infringed by implementing the standard) on fair, reasonable and non-discriminatory (FRAND) terms. The intellectual property rights (IPR) policies of most (but not all) SSOs provide that FRAND terms may include reasonable royalties or other reasonable license fees. SSOs with such patent policies are referred to in this article as FRAND SSOs.

When open source and open standards merge. Today, many SSOs are going further and incorporating software into their standards. For example, for a given element, the standard may include both a traditional descriptive text section as well as a text section expressed exclusively as implementable code[1]. For some SSOs, the code text is provided for optional use, while for other SSOs the use is mandatory. In some cases, both SSOs and OSS projects may create complete code implementations, either as reference implementations or independent of any traditional standard. While there are obvious efficiency benefits to repurposing existing code in a product, there is also a desire to strive for a higher degree of assurance that the user has received the requisite licenses to the IPR in the code from those that developed the reference implementation.

When SSOs evolve to develop software, however, they typically run into a limitation in their traditional IPR Policies: those policies only require work group contributors to authorize the SSO to distribute a work product that is the sum of the contributions of (usually) multiple work group members. Once code is included, the SSO must also have the right to allow implementers and other downstream parties to copy, modify, and further distribute the software in standards-conformant products and services. This requires the addition of new license terms to the IPR Policy.

One set of rules or two? When this situation occurs, the question arises whether the same rules relating to IPR should apply to the entire standard, or whether separate rules should apply to the text and code sections. Understandably, most SSOs conclude that both participants in the development of the standard and users of their standards would prefer to have a single set of rules that applies to the entire standard, and also prefer that the set of rules that should apply are the FRAND rules they have traditionally applied to patents.

Notwithstanding their interest in having common policies that apply to both the text and the code portions of the standard, many SSOs are interested in putting in place collaborative processes for developing software that mirror the benefits and efficiency of traditional OSS communities. This desire often leads them to consider using one of the popular open source licenses such as the BSD 3, MIT or Apache licenses.

Tailoring the rules to fit the need. Those common licenses, however, are incompatible with FRAND SSO IPR policies, as they do not include economic terms with respect to patents (traditional SSO IPR policies do expect contributor copyright licenses to be free). FRAND SSOs may also wish to limit the degree to which code can be modified in pursuit of the goal of achieving interoperability. As a result, while those common licenses could be used as a starting point, they could not be used without modification, at minimum by adding text that states that the license grant is restricted to copyrights alone. SSOs that wish to limit modification rights (particularly with respect to reference implementations) would need to make more drastic revisions. Importantly, making changes to these common OSS licenses means that such modified licenses should no longer be referred to by their original names, because these modifications make material changes to their terms.

By adopting separate copyright rules for code, the SSO can carefully craft the rights conveyed to promote conformance with its standards, which it cannot do when using licenses like the BSD, MIT or Apache. It is reasonable to expect that implementers will need to make modifications to the software in order to implement mandatory software, or even an entire reference implementation, into their standards-conformant products and services. The software license can be crafted to allow such modifications while prohibiting modifications that impede conformance with the standard or thwart interoperability among relevant products and services.

The authors have very similar practices involving standards, open source, and intellectual property licensing but our respective clients often have very different views on licensing and intellectual property rights policies. Notwithstanding some of our clients’ differing views, we agree that using separate copyright rules for code as described in this article is an effective approach for SSOs that wish to develop software within the legal guardrails of traditional SSO IPR policies.


[1] One definition of such text reads as follows: “Any combination of: text listings of commands to be interpreted or to be compiled, translated, or assembled into an executable computer program; text listings that describe data structures; text listings that specify an Application Programming Interface (API) used to interact with some executable computer service (including access from an executable computer program, library, or remotely via a telecommunications interface); binary data files; executable, object, or other intermediate executable code files; and text listings that describe the behavior of modeled devices or objects (e.g., XML, YANG, etc.).”

Department of Commerce Gives Industry What it asked for Regarding the Entity List

9/15/2022

The U.S. Department of Commerce Bureau of Industry and Security (BIS) added Chinese 5G technology giant Huawei to its Entity List more than three years ago. The immediate result was the spread of uncertainty and doubt among the hundreds of standards setting organizations (SSOs) in which Huawei participated as well as throughout the multitudes of U.S. companies who participated in those organizations. The reason was that the rules bar U.S. companies from disclosing a broad array of technology to Entity List companies, and that’s what can happen in standards working groups. Many SSOs either refused or failed to make adequate changes to their operations to fit within the vague exemptions available to avoid the concern. In consequence, many American companies believed they needed to drop out of SSOs creating the standards those companies most wanted to influence.

On September 9, following several prior BIS releases of interim guidance and the submission of ongoing comments and requests for relief from industry (many of which we facilitated), the Department of Commerce and BIS have finally released a new Interim Final Rule that provides virtually everything commenters have asked for, and in language that in most cases is clear and actionable. While complexities and nuances remain (e.g., relating to the type of technical work being undertaken) that will still require legal analysis, the good news is that the way is clear for most SSOs to allow any Entity List company to fully participate in standards development, as well as in related activities such as conformance assessment.

Eligibility Requirements

In order for a standard to be eligible for exemption under the new rule, all of the following must be true:

1) The technology or software must be designated as EAR99; controlled for AT reasons only on the Commerce Control List; or specifically for the “development,” “production,” and “use” of cryptographic functionality;

2) The “release” of technology or software must be made in the context of a “standards-related activity;” and

3) There must be intent to “publish” the resulting standard. If there is no intent to publish the resulting standard, then a license will still be required.

More specifically, the new, immediately effective Interim Final Rule:

  • Deletes the previous references to “standards” and “standards organizations,” each of which was linked to the OMB A-119 definitions that mapped in some cases to processes common to traditional SSOs but not consortia. Instead, the new rule refers to “standards-related activity,” focusing on the purpose of the exercise rather than the particular processes used to support that activity. Consortia may therefore no longer concern themselves with conforming to (for example) the ANSI Essential Requirements in order to ensure that they fit within an identified exception category.
  • Applies to all standards areas (earlier versions of the rule were said to be considering addressing only information technology standards).
  • Covers the entire Entity List and not just Huawei.
  • Covers traditional standards-related activities in addition to actual standards development, such as conformance assessment and certification testing.
  • Covers the development of various types of software created in support of standards work.
  • Exempts standards-related activity for EAR99 and Anti-Terrorism (AT)-controlled technologies and software, including in respect of certain types of cryptographic functionality.

Analysis Still Required

While overall the news is good, ambiguities remain. Some examples:

  • The Interim rule makes several references to insignificant risks associated with the release of “low-level technology” without addressing where the boundaries may exist for such technology.
  • Can a standard made available only to the members of an SSO be considered to be “published?”

Comments Requested

While the Interim Final Rule takes immediate effect, the Federal Register Notice announcing its effectiveness invites comments on the rule as released and also poses four questions on topics where the Agency seeks further guidance (see the end of this post for the list). Comment periods may, but do not always, result in modifications to already released rules.

The Upshot

The upshot is that an SSO will want to do a careful review of all of its in-process and proposed work streams, as well as of its internal rules, to be sure they lie within the bounds of the new rule. But that aside, the long wait is over. SSOs that meet the requirements of the new Interim Final Rule can get back to the work they do best without spending scarce time on needlessly retooling their processes. And U.S. companies can once again help create the best standards possible to enable important new technologies to do their part in assisting the recovery of the world economy.

* * *

BIS Questions for Public Comment

Industries involved in standards development: BIS is requesting comments and additional information on whether the current scope of this authorization is adequate for the United States to retain its participation and lead in other areas that are important to the United States Government and industry, such as energy, artificial intelligence (AI), biotech, aerospace, and transportation. Does the current scope of the authorization hinder U.S. participation and leadership in standards development in industries where there is or may be participation by listed entities? Interested parties should provide specific examples of industries and commercial sectors which are or would be adversely affected by the current scope of the standards authorization as stated in this final rule.

Impact of other end use/end user controls: BIS is requesting comment on whether there are other provisions of the EAR that may negatively impact U.S. national security by limiting leadership and participation in standards-related activities, such as licensing requirements for other end use or end user-based controls listed in part 744 of the EAR. Commenters are asked to provide specific examples of how U.S. participation and/or leadership has (or will be) impacted by the limited application of this authorization to the license requirements in § 744.11.

Compliance burden: BIS is requesting comment from interested parties on industries and commercial sectors that are actively involved in standards development, including information on how they are affected by compliance burdens resulting from the changes promulgated in this and the previous rule.

International participation and scope of standards-related activities: BIS is requesting comment on whether the definition of “standards-related activities” promulgated in this interim final rule allows for full and open participation by U.S. companies in the development of standards. Are there aspects of the definition that should be better-defined or excluded?

Instructions for submission of comments can be found in the Addresses Section at the beginning of the CFR notice found here.

War and the Power of Standards

3/02/2022

The unleashing of unprovoked acts of violence against the people of Ukraine has both horrified and united much of the world against Russia. Even historically neutral Switzerland has condemned Putin’s aggression. And aid is flooding into the beleaguered democracy from around the world.

Why?

Not because the Russian Federation has breached any existing treaty, but because Putin has violated widely shared standards of conduct and decency. And while nations have the sovereign right to withdraw from written agreements, they are powerless to disavow an international consensus over what nations may and may not do. Or to avoid the consequences when they violate that consensus.

Standards vs. Laws

The superior power of standards over laws is rarely appreciated. Yet hundreds of thousands of standards manage everything from telecommunications to information technology to professional certifications to almost anything else we can imagine. And while these private sector developed standards are often referenced into law, a far greater number are followed entirely voluntarily. In other words, the enormous benefits of a thoroughly standardized world are achieved without the use of legislatures, police, courts, or prisons.

The source of this surprising behavior lies in the fact that standards are created through a system that requires consensus. That system incorporates rules that guarantee that all may participate, that every stakeholder can be heard, and that each concern will be fairly considered. This level playing field reassures relevant stakeholders that they have more to gain than to lose by helping develop standards, and then adopting them. In other words, the uptake of standards is based on trust and self-interest rather than compulsion and the threat of punishment.

But standards do not come into being only through formal organizations. They also arise from a public consensus over what behavior is justified and what is not. Those standards, as we are seeing today, can be more powerful than Security Councils, treaties, or prior political assumptions. In country after country, public outrage over Russian aggression has pushed governments and even sports federations to act in ways that might otherwise be against their political or economic best interests. Even corporations are voluntarily taking actions they would normally resist if required by pending legislation.

It is easy to imagine how Vladimir Putin might forget that standards hold more power than treaties. Like other autocrats living in the bubbles of their own authority, he has learned that standards can be flouted at home through the heavy handed means a police state can wield. But the ability to violate standards ends at an autocrat’s borders, and a strongman forgets that hard truth at his peril.

Standards and the Will to Defend Them

If the brave citizens of Ukraine have a hope for survival, that chance lies in the continuing power of standards to rally freedom loving people everywhere to Ukraine’s defense. But this war may well grind on and public interest may flag. The peoples of the world will need to remember that the defense of standards everywhere represents the best protection against enemies anywhere.

Through this lens and in no small way, the ultimate fate of Ukraine will help signal the path of our own futures. Standards do indeed have power, but only when backed by the sustaining will of those that believe in them.

Effectiveness of Voter Security Standard in Doubt – Or Is It?

2/19/2021

It’s been fifteen years since the federal best practices standard for voting machines was last amended. During the intervening time we’ve seen Russian interference in the 2016 elections and allegations of fraud in the 2020 contest. Clearly, strong standards are needed to bolster both the integrity of voting machines as well as the public’s confidence in their security. A new draft of the Voluntary Voting Systems Guidelines – the most used benchmark for voting equipment in the United States – is intended to address those needs. But, according to several articles (e.g., posted by the Bloomberg and the AP news services) that appeared in the week before the new Guidelines were to be adopted, a crucial change was made to the document that threatened to undermine both of these important goals.

There’s just one problem: according to the Election Assistance Commission (EAC), the body charged by Congress since 2002 with creating and maintaining strong voter security guidelines, there hadn’t been any change at all to the proposed amendments previously posted for public comment – only a clarification. After the articles appeared, the EAC issued a detailed rebuttal supporting their case. That response, however, received less attention in the press.

Leaving aside the kerfuffle over timing, the question remains whether the revised Guidelines has a crucial flaw. The back story goes as follows.
