software intellectual property management

Managing Software Intellectual Property

in Legal Transactions

Protecode WebinarJune 25, 2009

Mahshad Koohgoli, CEO, Protecode Inc, [email protected], Tel: +1 613 721 5936 x 222

Agenda

Open source and other 3rd party content

Legal challenges

Software Intellectual Property (IP) management flow

Software record keeping

Automated solutions

3

Where Did That Code Come From?Where Did That Code Come From?

““Open Open SourceSource

SoftwareSoftwareCompanyCompanySoftwareSoftwareCompanyCompany

Software Software VendorVendorSoftware Software VendorVendor

Development Development OutsourcerOutsourcerDevelopment Development OutsourcerOutsourcer

Chips, Chips, Sub-sytems, Sub-sytems,

SuppliersSuppliers


SuppliersSuppliers

Development Development OutsourcerOutsourcerDevelopment Development OutsourcerOutsourcer

DevelopmenDevelopment Outsourcert OutsourcerDevelopmenDevelopment Outsourcert Outsourcer

Service Service ProviderProviderService Service

ProviderProvider

Software Software VendorVendorSoftware Software VendorVendorSoftware Software VendorVendorSoftware Software VendorVendor


SuppliersSuppliers


SuppliersSuppliersChips & Chips &

Sub-systemsSub-systemsSupplierSupplier

Chips & Chips & Sub-systemsSub-systems

SupplierSupplier

SoftwareSoftwareCompanyCompanySoftwareSoftwareCompanyCompany

ProductProductCompanyCompany

ProductProductCompanyCompany

Service Service ProviderProviderService Service

ProviderProviderService Service ProviderProviderService Service

ProviderProvider

End-End-UserUserEnd-End-UserUserEnd-End-UserUserEnd-End-UserUserEnd-End-UserUserEnd-End-UserUser

Software is embedded in almost everything these days…Software is embedded in almost everything these days…

Shouldn’t we haveShouldn’t we havea “Certificate ofa “Certificate of

Software IP-Cleanliness”?Software IP-Cleanliness”?

““Open Open SourceSourceOpen Open

SourceSource

Example: Cell Phone

4© Copyright 2008 Protecode Inc. Proprietary

Software IP Problem – an illustrationSoftware IP Problem – an illustration

OutsourceCompany

OwnCommercialOpen

Source Firm’sCode base

Load Build

Due Diligence:Do we know what is in

our software?

End Product

Unknown external IP =Unknown external IP =Time & $$$ Resources Time & $$$ Resources

to fixto fixOrganization

Salesor

M&A activities

Customer IP $$$ Conditions

on Buyingor on M&A activities


Software Content Records

Nobody knows what is in the software

Good software development practices have evolved– Code management systems,

– Bug tracking systems

Software IP management requires– IP policies

– Content records

– Policy compliance records

Manual record keeping is painful and impractical– Deters from development

– Developer churn

– Elapsed time


Software Development Practices

Access to code is easy– Open Source repositories, web sites

– Code Search Engines

Open source is here and everywhere

Good developers know where to find code!– New generation growing up with culture of cut & paste, rip & burn

Outsourcing and contracting is common

Developers carry code from organization to organization and project to project

Code contamination is prevalent


Open Source Software

The challenge …

It is not free All code is associated with a license. License terms vary (~80 OSI-approved

license to date) License terms are difficult to interpret Licenses may not be compatible

No pedigree information How was it evolved, and from what?

It is not tracked No record keeping Who owns IP over what areas? Possibility of disclosing ALL software IP

The Good…

Hundreds of millions of lines of code available. On Anything.

Enables fast development, short introduction intervals

Increases code re-use

Good quality and security Very large ecosystem Peer reviews

Industry is using it already

Challenges of Using External Code

Understanding risks and benefits of using external code

Failure to comply with obligations– Business risk, injunction, damage claims, loss of sales, etc

– Potential loss of strategic proprietary IP

– Impacts on valuations

Establishing operational balance between risks and benefits– Working with all stakeholders

– Establishing policies and procedures

– Monitoring and verification

– Enforcing policies

May 13, 2009 8© Copyright 2009 Protecode Inc. Proprietary


Needs Expert Interpretation and fit with business

Example: Sun Binary Code Distribution License Agreement– 7 page document

– Sun grants you a … license …[to] distribute the Software, provided that … and (vi) you agree to defend and indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses (including attorneys' fees) incurred in connection with any claim, lawsuit or action by any third party that arises or results from the use or distribution of any and all Programs and/or Software

Needs Expert Interpretation and fit with business

Example: Sun Binary Code Distribution License Agreement

– 7 page document

– Sun grants you a … license …[to] distribute the Software, provided that … and (vi) you agree to defend and indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses (including attorneys' fees) incurred in connection with any claim, lawsuit or action by any third party that arises or results from the use or distribution of any and all Programs and/or Software

Interpreting Open Source Licenses

Sun Microsystems, Inc. Binary Code License Agreement for the JAVA SE DEVELOPMENT KIT (JDK), VERSION 6http://java.sun.com/javase/6/jdk-6u6-license.txtTaken from “Clarifying the IP Trail” by Janet Campbell, Legal Counsel and Manager of Intellectual Property, Eclipse Foundation Inc.

Legal Samples


Software IP Management Flow

1. Clear software IP policies– Aligns goals of the research organization with those of industry– May be per project, per department or organization-wide– What is acceptable– What to do in case of unknown, or violations

2. Establish a baseline, for existing content

3. Ensure knowledge of content that is commercialized

4. Operationalize IP management

Setting up IP Policies

Sound IP policy Input from Legal, Business and Technical management Consistent with corporate goals Clear, and enforceable Track compliance through life-time of project

Clarity: what is allowed and what is restricted Effective list of approved software vendors List of acceptable external-content licenses with info on their obligations:

Attribution Re-distribution Restrictions

Security restrictions, export distribution considerations

Enforceability: measures to be taken if… If code violates permissible license If code is unknown


IP Policy Capture

Allowable or prohibited licenses

IP attributes of significance

Action in case of violation



Extra charts•from before•or for consideration

Sample Obligations

IP Management Solutions

14© Copyright 2009 Protecode Inc. Proprietary© Copyright 2008 Protecode Inc. Proprietary

Manual Automated

Preventive

Corrective Due Diligence Service Companies

Education, Ethics

Use pre-approved code

AcademicCommercialCommercial

CommercialCommercial


Automated Corrective Solutions

Uses databases for code identification Large databases of open source or academic code Can also consult internal legacy code

Automatically lists identifiable external content

Reduces analysis time

Systems may also provide: Capabilities to establish corporate IP policy Notifications in case of IP policy violations

Attributes Detection depends on identification

Accurate content detection requires very large, up-to-date databases

Policy violations require corrections After-the-fact corrections take time & effort Best to run analysis regularly (eg weekly using automated scripts)


Automated Corrective Solution (Protecode Enterprise IP AnalyzerTM)

Report Example & Interpretation



Automated Preventive Solutions

Integrated into Code development tools and processes Installed at developer workstation

Detect and log content as it enters the project

Identify content against a database of known code (e.g. open source)

Check content against a set of policies

Take appropriate action in case of violation or unknown

Automatically create a software bill-of-materials (sBoM)

Attributes: Automated content record generation

Makes detection independent of identification

Can automatically resolve nested IP and pedigree seepage

Detected policy conflicts addressed in real-time at minimal cost

Real-time IP Management(Protecode Developer IP Assistant TM)

20

Why Preventive Solutions?Why Preventive Solutions?

Early detection is cost-effective No delays, no resource wastage, No higher management involved

Fixing problems is costly Project delays, Resource costs & frustration

Automated Prevention, integrated into development environment

© Copyright 2009 Protecode Inc. Proprietary

Economics of IP Management

ProtecodeComplete Portfolio for Software IP Management

Developer IP Assistant

Build IP Analyzer

Enterprise IP Analyzer Analyses existing code portfolioestablishes pedigree baseline

Analyses code that is part of a load-build operation before commercialization

Real-time IP Management - analyses code while it is developed

Expert, full service scanning, analysis and reporting of enterprise code portfolio. IP Audit Service

IP Audit Service

Expert analysis of software portfolio, customised to the client need

Protecode support before, during and after IP analysis

From Small (100 files) to very large (> 100,000 files)

Typically 24 hour process for ~10,000 files (100 person company)

Audit performed either– At client’s site

– At Protecode site

Summary

Software contamination is prevalent– Access to code is easy, and managed Open Source adoption is rarely

in place

Without records, nobody really knows what is in their software– Manual record keeping is impractical and mostly impossible

Total software IP management consists of 1. IP Policy definition

2. Establishing a baseline for existing code

3. Ensuring clean IP for any software that leaves organization

4. Operationalizing IP management as part of software development

Unobtrusive automated IP management solutions are available to assist operational and legal staff

Questions

Software Intellectual Property Management

Protecode IP Audit Service(Full service with expert use of Protecode IP AnalyzerTM)

Date and time 25© Copyright 2008 Protecode Inc. Proprietary

Quick, low cost and accurate for establishing the IP and other attributes of code portfolio

Manual Solutions


Manual Due Diligence Involves several experts

Requires Preparation, Document Reviews, Conferences, Analyses, etc

Usually outsourced to commercial software analysis firms

BUT Expensive, Time Consuming, Inaccurate (relies on insufficient records)

Manual Preventive Solutions Some prohibit use of Open Source

Some rely on perennial education do not use certain external content

Some rely on establishing policy firewall need education & enforcement

BUT Reduces development flexibility & still does not produce accurate records

May 7, 2009 27

Summary: IP Cleaning Stages & ImpactsSummary: IP Cleaning Stages & Impacts

1 3 2

Project timeline

DURINGDURING

0

NEVER

Project planning

Periodic monitoring

Real-time prevention

External due diligence

Internal organization

Necessary, but Not sufficient

Very expensive After-the-fact

Correction Expertise & tools help

Resources required Expensive After the fact Automatic tools help

Automatic process in IDE

Least costs On-time Full assurance Less expensive

Code scanning tools Some correction Timely Assurance

4 2

AFTERAFTERBEFOREBEFORE

Legal Environment

Players (research, commercial) have different objectives

Professors and students know the code– High churn environment

Few, if any, records available on the origins of the code

No clear IP policies in place for project, or organization

Often no systematic approach to software IP management

Discovery Strategy Prototype or Proof of Concept

IndustrialInnovation Ship to Market

Research Organization Commercial Organization


Recap: Software IP Management Requirements

IP policies In line with organizational goals Acceptable licenses (fit firm’s business model) Acceptable suppliers Action to take in case of ambiguity or violation

Accurate records Keep track of code components in a project

Open Source Outsourced code Commercial Internal legacy

Code component attributes IP attributesIP attributes: licensing obligations, copyright ownership Static AttributesStatic Attributes: Who brought in, what and when, function, stability, security,

export control, where it is used Value attributesValue attributes: how many times used/reused, contribution to products, to

revenue, how many updates in last five years

ConclusionsConclusions

Software development food chain is intricate with many contributors to the finished product

Intellectual property management requires good record keeping

Manual record keeping is impractical

Corrective solutions provide an IP snapshot of the existing portfolio– Automated corrective solutions can analyze thousands of files rapidly, accurately

and economically

Preventive solutions are most effective– Ensuring what is not acceptable does NOT get into the organization in the first place

Automated preventive solutions – operationalize IP management, – are unobtrusive, and – create a bill-of-materials of software as code is developed.

© Copyright 2009 Protecode Inc. Proprietary

Legal Activities Involving Software

Software ownership– Current and previous researchers

– Open source

– Commercial code

– Cut & paste from web

– Outsourcer/contractor• Background vs foreground IP

Rules around external software– License terms– Academic/non-for profit use– Software for evaluation– Non-commercial license– …

Challenges

software intellectual property management

Documents