Open Source Software: how to avoid its perils in M&A?

Open Source Software (OSS) has become widespread in modern software development. Not only have projects such as Mozilla Firefox, Linux or the Apache HTTP Server become a programmer’s favorites, but nowadays even as much as 90% of a newly developed application’s source code tends to consist of OSS. This important technological development must be carefully considered when entering into a M&A deal.

How OSS can complicate your M&A deal

Legally speaking, OSS is licensed under terms that ensure everyone can use, change and redistribute the software to anyone without the payment of fees. Cost-saving benefits, an easy access to and the increasing quality of OSS lead developers and businesses alike to adopt OSS instead of relying on proprietary-fee based software.

It is most likely that a technology company becomes a target in a M&A deal because of its software. If that was developed using OSS, there are a few potential risks that a purchaser of a technology company may need to take into account:

1. Tainting – An OSS license may state that any software that includes or is derived from OSS code must be entirely licensed under the terms of the OSS license, which means it shall also freely be used, changed and distributed. It could be even possible that an obligation to make the source code available to others is also included. In practice, such provisions will create major difficulties for licensing the target’s software under a proprietary license to customers for a fee, and thus possibly prevent license revenue.
2. Infringement protection – Infringements on patents of proprietary software containing OSS will also be harder to remedy, as many OSS licenses are phrased in such a way that their free licensing is protected by a covenant not to sue for patent infringements.
3. Patent License Grants – Many OSS licenses include patent license grant provisions, which might force the target to grant patent licenses to others when using OSS. If the target’s patents are subject to such a patent license, their value can be much lower.
4. Loss of License/Infringement – Legal issues may arise if the target company does not comply with the legal obligations of the OSS licenses they use. In the event of breach, a OSS license may in some cases even automatically terminate. A further use of OSS components by the target company could then constitute a copyright (or even patent) infringement, leading to potential financial losses from damages and legal costs.

It goes without saying that the target company’s value for the purchaser can be heavily reduced, or even eliminated altogether, by these risks.

Learn from Cisco: avoid underestimating OSS consequences

When technology conglomerate Cisco acquired the networking company Linksys in a $500 million deal, it failed to discover that some Linksys software products contained OSS. A copyright infringement action was brought by the OSS license’s owner against Cisco for not disclosing the source codes of the distributed Linksys software products that included OSS. In the end, a settlement agreement was reached between the parties, and Cisco agreed to release the source code of the Linksys software products to the public, as it had found that re-engineering the software source code instead would be too costly. Consequently, Cisco did not generate any license revenue from the Linksys software products it had acquired.
 
Let OSS due diligence help you

The Cisco example proves how crucial it is to conduct a careful and thorough OSS due diligence to avoid legal and financial risks. In this process the following elements should be assessed:

1. If a written OSS policy exists and if it is complied with. In most cases this will not be the case, as a 2015 survey showed that only 27% of companies possess such a formal OSS policy.
2. The OSS components used in the target’s software should be determined. Frequently, the target will have no idea what OSS it is using. Here, an open source code audit will be necessary which involves a scan of the target’s software code to determine the origin of certain aspects of the software. It will expose which part of the code is original, proprietary development, and which part consists of third-party OSS components.
3. The licenses of OSS components must be thoroughly reviewed to uncover any legal or business risks which could arise when using or commercializing the target’s software.
4. The way OSS components are used must be understood, since the obligations and issues that arise with OSS licenses vary by use case. For instance, an OSS component in a standalone tool constitutes a much smaller risk than if it is compiled with proprietary software. Similarly, the distribution of software with OSS components will more likely result in a license infringement than when it is used for internal purposes only.

While most of the OSS due diligence can be carried out by lawyers, often the involvement of an open source audit company may be required, because it can examine elements of the OSS which do not appear from the data room documents, but can only be discovered after analyzing the software products’ open source code.

Use remedies to eliminate OSS risks

All these elements could influence the target’s value. Therefore, it is crucial to remedy OSS risks as soon as they arise. In some cases, switching to an OSS code with a more permissive license may solve the issue. But Cisco proved that sometimes replacing OSS components with a newly written proprietary code will be too costly. Occasionally, distribution of the proprietary software will remain possible when the recipient is instructed to download the OSS component separately.

However, these actions will only prevent future legal issues, not past liability. While such past liability might be avoided in an asset purchase, its presence will be a challenge to be addressed in a share purchase. Early on, it might even prove useful to contact the copyright owner of the OSS component to negotiate a mutually agreeable release and waiver of past liability.

Most importantly, the transaction documents should also encompass all possible OSS issues, which could for instance be done as follows:

1. The term ‘open source software’ should be sufficiently defined to cover all relevant elements;
2. The transaction agreement should contain a list of all the OSS found during the due diligence and include a representation by the target that this list is accurate, complete and includes all used OSS, all governing licenses and all use cases;
3. Additional representations should state that (1) the target has not made, and is under no obligation to make, available the source code for any proprietary software, (2) it has not used any OSS in a way that required it to grant a patent license to anyone, (3) it has complied fully with all OSS license obligations and is not in breach of any of them, and (4) that none of the licenses used have been terminated;
4. Specific indemnities may be used to remedy breaches or non-compliance of software related to these representations;
5. Warranty indemnity insurance may be useful if the seller wishes to cap its exposure at a legal level, or insists on a shorter claim period than the purchaser is willing to accept in view of the OSS risks.

If any remedial actions that the target must take are identified, these could also be included in the provisions of the share purchase agreement, and eventually even made a closing condition.  

OSS: a peril to be acknowledged and treated with care

It should be concluded that OSS can have a major impact on M&A deals, possibly even resulting in a no-deal if the target’s software turns out to lack any commercial value due to the use of OSS components. A thorough OSS due diligence must therefore be conducted and all necessary remedies must be included in the transaction documents. In short: be aware of the increasing risk of OSS and prepare for it sufficiently in order to avoid that OSS becomes your proprietary source of problems.

Steven De Schrijver is a partner at Astrea, specialized in corporate/M&A and IT law.

Steven assisted many large foreign technology companies on their Belgian acquisition. In addition, he closely follows new developments and innovations in the technology sector and focuses on delivering bench-mark advice with respect to new legal problems that arise as a result of these new developments and innovations. As a result of his sector-specific expertise, he advises some of the largest technology companies in the world as well as innovative entrepreneurs on a day-to-day basis on a variety of commercial and information technology law matters.

Steven can be contacted on +32 2 215 97 58 or by email at SDS@astrealaw.be