Open Source Code in Mergers and Acquisitions

12.10.2010

The use of open source code is growing every day, and in some sectors the use of such code has exceeded all reasonable expectations. As always, such “new” phenomena provide both opportunities and challenges. The latter includes the many pitfalls that open source code generates in business takeover situations.

Open source code means that the source code to a computer program is publicly available (most of the time on the Internet), and that third parties are allowed to use that source code under a license that fulfills certain criteria. The most widely used open source license is called GNU General Public License (hereafter “GPL”).

When an open source code has been implemented into a software program, the license agreement imposes certain conditions upon the owner of that software program. For example, the GPL states that if the software is fully or partly based on an open source code, and you distribute that software, then the receiver of that software is entitled to also receive the full source code to the software and to use it in accordance with the GPL. This means that the GPL has a “virus effect” – it has an inherent ability to propagate.

Not all open source licenses contain this requirement. For example, the BSD License and the Apache License do not have that same “virus effect”. However, such other open source licenses do contain other clauses imposing various obligations upon the person or company using the open source code,  i.a. about notices that one must, and notices that one must not, give when distributing the software.

Today software based partly or fully on open source code includes much more than software programs which are designed to be run on general purpose computers (PC, laptop, Mac etc). Such software is also to be found in computer related hardware, such as modems, printers etc. Open source software is even to be found in cars, telephones, audio systems, GPS navigators etc.

Now to the tricky part. When a company considers buying another company, and that target company is in some manner distributing software, then it is extremely important to know (1) whether or not the software is fully or partly based on open source code and (2) if so, what obligations this entails. Unfortunately, not everyone who distributes software is aware that open source code has found its way into their code. This can happen by accident or perhaps a software developer has taken a shortcut by using open source code without telling.

Cisco Systems bought the Linksys group in 2003. The price was USD 500 million. Later it was revealed that one of Linksys’ broadband routers had a built in chip with software partly based on open source code. For that reason it was demanded that Cisco publish the source code in their product, and in July 2003 Cisco complied and published the code. This was useful not only to Cisco’s competitors. Since the public now knew how the router worked, it was found out how the router could be manipulated and in fact be turned into a router with the same functionality as routers costing ten times more. Cisco’s possibility of product differentiation was impaired. The loss has been estimated to be in the tens of millions.

There are also other problems when distributed software (or hardware containing software) that are based on open source code without this being known and documented. For example, some of the open source code licenses are simply incompatible. This means that if the software includes different open source code regulated by different licenses, then you might find yourself in a position where it is inherently impossible to comply with both licenses. As an example, the Apache License (as of 2007) is considered to be incompatible with GPL versions one and two. Such predicament will obviously represent a huge problem.

So, how does a potential buyer of another company deal with this risk connected to open source code? The first action is of course to ask the target company if any of its products includes open source code. However, as the Cisco case shows, this might not be enough. Open source code may have found its way into the company’s software without the company knowing. It is therefore advisable to include a source code review as part of the Due Diligence work that is common in business takeover situations.

Advokatfirmaet Grette co-operates with a third party service provider that has software and databases which enable the company to scan source code in order to identify bits and pieces that stem from open source code. This is a hugely beneficial service to buyers who are in a business takeover situation. However, we also recommend sellers to consider obtaining such services before entering into a process of selling a company. If the seller identifies previously unknown elements of open source code, this can be rectified before it becomes a problem.