software intellectual property management
Managing Software Intellectual Property
in Legal Transactions
Protecode Webinar, June 25, 2009
Mahshad Koohgoli, CEO, Protecode Inc, [email protected], Tel: +1 613 721 5936 x 222
Agenda
Open source and other 3rd party content
Legal challenges
Software Intellectual Property (IP) management flow
Software record keeping
Automated solutions
Where Did That Code Come From?
[Diagram: software supply chain. Labels: Open Source, Software Company, Software Vendor, Development Outsourcer, Chips & Sub-systems Supplier, Service Provider, Product Company, End-User]
Software is embedded in almost everything these days…
Shouldn’t we have a “Certificate of Software IP-Cleanliness”?
Example: Cell Phone
© Copyright 2008 Protecode Inc. Proprietary
Software IP Problem – an illustration
[Diagram labels: Outsource Company, Own, Commercial, Open Source, Firm’s Code base, Load Build, End Product, Organization, Sales or M&A activities]
Due Diligence: Do we know what is in our software?
Unknown external IP = Time & $$$ Resources to fix
Customer IP $$$ Conditions on Buying or on M&A activities
© Copyright 2009 Protecode Inc. Proprietary
Software Content Records
Nobody knows what is in the software
Good software development practices have evolved
– Code management systems
– Bug tracking systems
Software IP management requires
– IP policies
– Content records
– Policy compliance records
Manual record keeping is painful and impractical
– Deters from development
– Developer churn
– Elapsed time
Software Development Practices
Access to code is easy
– Open Source repositories, web sites
– Code Search Engines
Open source is here and everywhere
Good developers know where to find code!
– New generation growing up with culture of cut & paste, rip & burn
Outsourcing and contracting is common
Developers carry code from organization to organization and project to project
Code contamination is prevalent
Open Source Software
The challenge …
It is not free
– All code is associated with a license
– License terms vary (~80 OSI-approved licenses to date)
– License terms are difficult to interpret
– Licenses may not be compatible
No pedigree information
– How was it evolved, and from what?
It is not tracked
– No record keeping
– Who owns IP over what areas?
– Possibility of disclosing ALL software IP
The Good…
Hundreds of millions of lines of code available. On Anything.
Enables fast development, short introduction intervals
Increases code re-use
Good quality and security
– Very large ecosystem
– Peer reviews
Industry is using it already
Challenges of Using External Code
Understanding risks and benefits of using external code
Failure to comply with obligations
– Business risk, injunction, damage claims, loss of sales, etc.
– Potential loss of strategic proprietary IP
– Impacts on valuations
Establishing operational balance between risks and benefits
– Working with all stakeholders
– Establishing policies and procedures
– Monitoring and verification
– Enforcing policies
Needs Expert Interpretation and fit with business
Example: Sun Binary Code Distribution License Agreement
– 7 page document
– Sun grants you a … license …[to] distribute the Software, provided that … and (vi) you agree to defend and indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses (including attorneys' fees) incurred in connection with any claim, lawsuit or action by any third party that arises or results from the use or distribution of any and all Programs and/or Software
Interpreting Open Source Licenses
Sun Microsystems, Inc. Binary Code License Agreement for the JAVA SE DEVELOPMENT KIT (JDK), VERSION 6
http://java.sun.com/javase/6/jdk-6u6-license.txt
Taken from “Clarifying the IP Trail” by Janet Campbell, Legal Counsel and Manager of Intellectual Property, Eclipse Foundation Inc.
Legal Samples
Software IP Management Flow
1. Clear software IP policies
– Aligns goals of the research organization with those of industry
– May be per project, per department or organization-wide
– What is acceptable
– What to do in case of unknown, or violations
2. Establish a baseline, for existing content
3. Ensure knowledge of content that is commercialized
4. Operationalize IP management
Setting up IP Policies
Sound IP policy
– Input from Legal, Business and Technical management
– Consistent with corporate goals
– Clear, and enforceable
– Track compliance through life-time of project
Clarity: what is allowed and what is restricted
– Effective list of approved software vendors
– List of acceptable external-content licenses with info on their obligations:
  Attribution Re-distribution Restrictions
– Security restrictions, export distribution considerations
Enforceability: measures to be taken if…
– If code violates permissible license
– If code is unknown
IP Policy Capture
Allowable or prohibited licenses
IP attributes of significance
Action in case of violation
Extra charts
• from before
• or for consideration
Sample Obligations
IP Management Solutions
[Matrix: Manual vs. Automated solutions, Preventive vs. Corrective. Cell labels: Education, Ethics; Use pre-approved code; Due Diligence Service Companies; Academic; Commercial]
Automated Corrective Solutions
Uses databases for code identification
– Large databases of open source or academic code
– Can also consult internal legacy code
Automatically lists identifiable external content
Reduces analysis time
Systems may also provide:
– Capabilities to establish corporate IP policy
– Notifications in case of IP policy violations
Attributes
Detection depends on identification
Accurate content detection requires very large, up-to-date databases
Policy violations require corrections
– After-the-fact corrections take time & effort
– Best to run analysis regularly (e.g. weekly using automated scripts)
Automated Corrective Solution (Protecode Enterprise IP Analyzer™)
Report Example & Interpretation
Automated Preventive Solutions
Integrated into code development tools and processes
– Installed at developer workstation
Detect and log content as it enters the project
Identify content against a database of known code (e.g. open source)
Check content against a set of policies
Take appropriate action in case of violation or unknown
Automatically create a software bill-of-materials (sBoM)
Attributes:
Automated content record generation
Makes detection independent of identification
Can automatically resolve nested IP and pedigree seepage
Detected policy conflicts addressed in real-time at minimal cost
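
The workflow on this slide (fingerprint content as it enters the project, identify it against a database of known code, check it against policy, act on violations and unknowns, and record a bill of materials), as an added example that is not Protecode's code. The policy, the known-code database, the component names and the file contents are constructed for illustration, and exact SHA-256 matching is an assumed stand-in for a real tool's identification method.

```python
import hashlib
import json

# Constructed policy: allowable / prohibited licenses and actions (assumption).
POLICY = {
    "allowed": {"MIT", "BSD-3-Clause", "Apache-2.0"},
    "prohibited": {"GPL-3.0-only"},
    "on_violation": "block",
    "on_unknown": "review",
}

def fingerprint(content: bytes) -> str:
    """Exact-match fingerprint; modified or partial copies would not match."""
    return hashlib.sha256(content).hexdigest()

# Constructed sample files entering the project.
INCOMING = {
    "src/util/strings.c": b"/* constructed sample: permissive helper */\n",
    "src/net/parser.c": b"/* constructed sample: copyleft parser */\n",
    "src/app/main.c": b"/* constructed sample: no database match */\n",
}

# Constructed "known code" database: fingerprint -> (component, license).
KNOWN_CODE = {
    fingerprint(INCOMING["src/util/strings.c"]): ("libstrings (hypothetical)", "MIT"),
    fingerprint(INCOMING["src/net/parser.c"]): ("fastparse (hypothetical)", "GPL-3.0-only"),
}

def evaluate(path: str, content: bytes, author: str) -> dict:
    """Identify one file, apply the policy, return its bill-of-materials record."""
    digest = fingerprint(content)
    component, license_id = KNOWN_CODE.get(digest, (None, None))
    if component is None:
        # Unidentified content is still recorded, so the log does not depend on a DB hit.
        action = POLICY["on_unknown"]
    elif license_id in POLICY["prohibited"] or license_id not in POLICY["allowed"]:
        action = POLICY["on_violation"]
    else:
        action = "accept"
    return {"path": path, "sha256": digest, "component": component,
            "license": license_id, "brought_in_by": author, "action": action}

def build_sbom(files: dict, author: str) -> list:
    """One record per incoming file, in stable path order."""
    return [evaluate(p, c, author) for p, c in sorted(files.items())]

if __name__ == "__main__":
    print(json.dumps(build_sbom(INCOMING, "dev@example.com"), indent=2))
```
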
Real-time IP Management (Protecode Developer IP Assistant™)
Why Preventive Solutions?
Early detection is cost-effective
– No delays, no resource wastage, no higher management involved
Fixing problems is costly
– Project delays, resource costs & frustration
Automated Prevention, integrated into development environment
Economics of IP Management
Protecode Complete Portfolio for Software IP Management
Developer IP Assistant: Real-time IP Management - analyses code while it is developed
Build IP Analyzer: Analyses code that is part of a load-build operation before commercialization
Enterprise IP Analyzer: Analyses existing code portfolio, establishes pedigree baseline
IP Audit Service: Expert, full service scanning, analysis and reporting of enterprise code portfolio
IP Audit Service
Expert analysis of software portfolio, customised to the client need
Protecode support before, during and after IP analysis
From Small (100 files) to very large (> 100,000 files)
Typically 24 hour process for ~10,000 files (100 person company)
Audit performed either
– At client’s site
– At Protecode site
Summary
Software contamination is prevalent
– Access to code is easy, and managed Open Source adoption is rarely in place
Without records, nobody really knows what is in their software
– Manual record keeping is impractical and mostly impossible
Total software IP management consists of
1. IP Policy definition
2. Establishing a baseline for existing code
3. Ensuring clean IP for any software that leaves organization
4. Operationalizing IP management as part of software development
Unobtrusive automated IP management solutions are available to assist operational and legal staff
Questions
Software Intellectual Property Management
Protecode IP Audit Service (Full service with expert use of Protecode IP Analyzer™)
Quick, low cost and accurate for establishing the IP and other attributes of code portfolio
Manual Solutions
Manual Due Diligence
– Involves several experts
– Requires Preparation, Document Reviews, Conferences, Analyses, etc.
– Usually outsourced to commercial software analysis firms
– BUT Expensive, Time Consuming, Inaccurate (relies on insufficient records)
Manual Preventive Solutions
– Some prohibit use of Open Source
– Some rely on perennial education
  – do not use certain external content
– Some rely on establishing policy firewall
  – need education & enforcement
– BUT Reduces development flexibility & still does not produce accurate records
Summary: IP Cleaning Stages & Impacts
[Figure: project timeline (BEFORE, DURING, AFTER, NEVER) with numbered IP-cleaning stages. Stage labels: Project planning; Periodic monitoring; Real-time prevention; External due diligence; Internal organization. Annotations: "Necessary, but not sufficient"; "Very expensive, after-the-fact correction, expertise & tools help"; "Resources required, expensive, after the fact, automatic tools help"; "Automatic process in IDE"; "Least costs, on-time, full assurance"; "Less expensive"; "Code scanning tools, some correction, timely assurance"]
Legal Environment
Players (research, commercial) have different objectives
Professors and students know the code
– High churn environment
Few, if any, records available on the origins of the code
No clear IP policies in place for project, or organization
Often no systematic approach to software IP management
[Diagram labels: Discovery; Strategy; Prototype or Proof of Concept; Industrial Innovation; Ship to Market; Research Organization; Commercial Organization]
Recap: Software IP Management Requirements
IP policies
– In line with organizational goals
– Acceptable licenses (fit firm’s business model)
– Acceptable suppliers
– Action to take in case of ambiguity or violation
Accurate records
– Keep track of code components in a project: Open Source, Outsourced code, Commercial, Internal legacy
Code component attributes
– IP attributes: licensing obligations, copyright ownership
– Static attributes: who brought in, what and when, function, stability, security, export control, where it is used
– Value attributes: how many times used/reused, contribution to products, to revenue, how many updates in last five years
Conclusions
Software development food chain is intricate with many contributors to the finished product
Intellectual property management requires good record keeping
Manual record keeping is impractical
Corrective solutions provide an IP snapshot of the existing portfolio
– Automated corrective solutions can analyze thousands of files rapidly, accurately and economically
Preventive solutions are most effective
– Ensuring what is not acceptable does NOT get into the organization in the first place
Automated preventive solutions
– operationalize IP management,
– are unobtrusive, and
– create a bill-of-materials of software as code is developed.
Legal Activities Involving Software
Software ownership
– Current and previous researchers
– Open source
– Commercial code
– Cut & paste from web
– Outsourcer/contractor
  • Background vs foreground IP
Rules around external software
– License terms
– Academic/not-for-profit use
– Software for evaluation
– Non-commercial license
– …
Challenges