KEMBAR78
Osborne Clarke - OpenChain - FOSSmatrix | PDF
Shane Coughlan, profile picture
Uploaded byShane Coughlan
PDF, PPTX444 views

Osborne Clarke - OpenChain - FOSSmatrix

This document describes a legal tech solution for open source software (OSS) compliance developed by Dr. Hendrik Schöttle. The solution consists of a license matrix that standardizes the evaluation of OSS licensing obligations and maps specific software use cases against the licenses to check for conflicts. Key features include full documentation of evaluation steps, ability to parameterize factors for different risk assessments, and percentage-based risk scoring to account for grey areas. The tool aims to provide a clearer overview of OSS compliance than traditional memo-based approaches. Dr. Schöttle's law firm helps clients implement the solution by defining customized use cases, checking applicable license rights and obligations, and matching use cases to licenses to identify conflicts.

Download as PDF, PPTX
Dr. Hendrik Schöttle Rechtsanwalt, Partner, Fachanwalt für IT-Recht 2021 Legal Tech Add-On for OSS Compliance FOSSmatrix
1 osborneclarke.com Hendrik Schöttle has been working as a lawyer since 2005, since 2007 in Osborne Clarke's Munich office. He has worked several times in the legal departments of IT companies within the scope of secondments. He also worked for several years as a software developer at the Institute for Legal Informatics at Saarland University. His practical experience and technical know-how benefit his clients in technology- related consulting. He is the author of numerous publications, co-author of several handbooks and commentaries, including the Beck‘sche Handbuch IT- und Datenschutzrecht and the juris Praxiskommentar zum BGB. Hendrik Schöttle is a lecturer at the German Lawyers‘ Academy for the specialist IT law course and regularly gives lectures on IT law topics. He is a member of the board of BITKOM‘s Open Source Working Group, a member of the Committee on Data Protection Law of the German Federal Bar Association (BRAK), the Information Technology Working Group of the German Bar Association (DAV) and the German Society for Law and Information Technology (DGRI). Dr. Hendrik Schöttle advises on IT and data protection law. Hendrik Schöttle was named one of the best lawyers in IT law in 2019 and 2018 by both the Handelsblatt and Best Lawyers as well as by Wirtschaftswoche. A competitor quoted in the JUVE Handbook 2019/2020 recommends him as a "top name in open source”. He is listed in the Kanzleimonitor 2018/2019 and 2017/2018 as a repeatedly recommended lawyer in IT law. The Kanzleihandbuch Legal 500 Deutschland recommends him because of his “very good knowledge of IT, even when it comes to exotic questions” and his “very quick understanding of technical details”. In 2015 he was awarded the Client Choice Award by Lexology and the International Law Office (ILO) in the category IT and Internet Law. He has many years of experience in consulting, drafting contracts and negotiating complex IT projects. His focus is on IoT, digitalisation and cloud computing. He advises on software licensing models, especially open source software, and on data protection law. His clients include internationally active technology groups as well as renowned IT and e-business companies. Contact Dr. Hendrik Schöttle Partner, Fachanwalt für IT-Recht Germany +49 89 5434 8046 hendrik.schoettle@osborneclarke.com “Top name in the field of Open Source”. Competitor, JUVE Handbook 2019/2020
2 osborneclarke.com Why a License Matrix? • Why a licence matrix when implementing Open Source Compliance? – Common scanning tools often only compile licence texts and copyright clauses, but do not provide a detailed and comprehensible overview of other licence obligations – All the obligations of a licence must be • scanned, evaluated and then • be matched with own use. – The interpretation of individual licences and their obligations is often controversial – The binary representation of a result alone does not help in the case of controversial interpretations
3 osborneclarke.com Example: Use Case “ASP Use” • Example: Use Case “ASP use”: Is making software available in the form of Application Service Provision (ASP/SaaS) permissible? – Many licences do not contain clear rules on this – Usual solution: Many memos on individual licences. Unclear and no help for a quick overview of compliance with obligations depending on the specific use case • Our solution: – Splitting the question into partial aspects and arguments for or against – Weighting of the aspects with different score values and evaluation logic – Calculation of the score values – Clear presentation – Comparison with application scenarios of the respective company
4 osborneclarke.com Example: Use Case “ASP Use” • Example: Use Case “ASP use”: Is making software available in the form of Application Service Provision (ASP/SaaS) permissible? • We asked ourselves two questions: − Is ASP use permitted under the relevant licence? − If yes: does ASP use trigger the respective obligations of the licence?
5 osborneclarke.com Example: Use Case “ASP Use” • Is ASP use permitted under the relevant licence? − Does the licence text itself contain an explicit provision? − Are there official statements from product owners or licence stewards? − Is reference made to ASP Use Cases in the licence text? − Do licence obligations tie in with ASP Use Cases? − Was the licence created before ASP was known to be an independent form of use? − Does the licence generally contain a far-reaching grant of rights of use? − Is a right of public display or public performance granted? − Are there known cases of software licensed under the licence and used in the form of ASP? − Are there any other facts that indicate a right of use?
6 osborneclarke.com Use Cases License Assessment – ASP provision allowed? ully Compliant o Conflict 100 License does allow ASP provision. Open Issue To be clarified 50 Unclear, whether license allows ASP provision. 50,00 Compliant Conflict Unlikely 0 License does likely allow ASP provision. ,00 ully Compliant o Conflict 100 License does allow ASP provision. Conflict 20 License s does likely not allow ASP provision. ,00 Compliant Conflict Unlikely 0 License does likely allow ASP provision. 5 ,00 ully Compliant o Conflict 100 License does allow ASP provision. Open Issue To be clarified 50 Unclear, whether license allows ASP provision. 50,00 Compliant Conflict Unlikely 0 License does likely allow ASP provision. ,00 ully Compliant o Conflict 100 License does allow ASP provision. Conflict 20 License s does likely not allow ASP provision. ,00 Compliant Conflict Unlikely 0 License does likely allow ASP provision. 5 ,00
7 osborneclarke.com Legal-Tech solution with two functions: • Evaluation of licences, standardised, fully documented and parameterisable with percentage data for automatic further processing • Use Case Mapping against the respective licenses with automated conflict checking Our approach
8 osborneclarke.com Standardised assessment of individual licensing obligations By means of a predefined set of options and an associated evaluation metric and logic, licensing obligations can be clearly structured, automatically evaluated and compared. 1 AGPL .0 only Medium Alert Limited Use Case Match 5 License does permit with restrictions prohibiting distribution. Permitted w restrictions where forbidden Sections , 5 and . The license can be understood as having tacitly excluded certain methods of distribution by producing an exhaustive list of obligations for distribution methods of the source code for distributed binary forms which, for Information 5 License does neither permit nor require, but prohibit use in M environment. orbidden explicitly Section Para 5 Installation Infor Installation Infor includes authori required to install covered work . Th 2 altova eula Limited Conflict 25 License does neither permit nor require, but prohibit with exceptions permitting distribution. orbidden w exceptions where permitted According to Section 1. a iv Sentence 2, licensee may only distribute the restricted source code together with licensees unrestricted source code in executable ob ect code form. Compliant Conflict Unlikely License does not contain any stipulation on use in M environment. As a consequence, this is deemed permitted. ot mentioned A TL P Compliant Conflict Unlikely 0 License does only implicitly permit distribution. Permitted implicitly According to Para 1 Sentence 1, the software is fully in the public domain. This includes the right to distribute it. Compliant Conflict Unlikely License does not contain any stipulation on use in M environment. As a consequence, this is deemed permitted. ot mentioned BS 2 Clause ully Compliant o Conflict 100 License does explicitly permit distribution. Permitted explicitly Section 1 explicitly allows redistributions of source code, Section 2 explicitly allows redistributions in binary form. Compliant Conflict Unlikely License does not contain any stipulation on use in M environment. As a consequence, this is deemed permitted. ot mentioned 5 CC0 1.0 Compliant Conflict Unlikely 0 License does only implicitly permit distribution. Permitted implicitly In Section 2, sentence 1, licensor first waives all rights to the greatest extent permitted by law. Second, in Section sentence 2, licensor grants a respective license to the maximum extent possible, in case a waiver under Section 2 should not be possible. This can both be understood as respective grant of distribution rights. Compliant Conflict Unlikely License does not contain any stipulation on use in M environment. As a consequence, this is deemed permitted. ot mentioned CC B SA .0 ully Compliant o Conflict 100 License does explicitly permit distribution. Permitted explicitly Section 2.a.1.A. and B. refer to the sharing of licensed material, which includes also the distribution of the licensed material, according to the definition of share in Section 1.k. Information 5 License does neither permit nor require, but prohibit use in M environment. orbidden explicitly According to Section 2.a the access to the license measures. The CC wiki a by the license steward of M as being covered by https: wiki.creativecomm Google Chrome OS Adobe Additional ToS 0 2020 Medium Alert Limited Use Case Match 5 License does permit with restrictions prohibiting distribution. Permitted w restrictions where forbidden According to Section 1. a , distribution is only allowed in form of a browser plug in. Additional conditions in Section have to be complied with. However, it is not clear whether licensor has mistakenly simply forwarded terms that were only allowing ully Compliant o Conflict 100 License does explicitly require use in M environment. equired explicitly Section 1. d requires tha Chrome eader Software P and EPUB document Section 1. c , the software P or EPUB documents Google Chrome OS MPEG Additional ToS 0 2020 Conflict 20 License does neither permit nor require, but prohibit distribution. orbidden implicitly License speaks of personal and non commercial use of a consumer or other users. istribution is not mentioned in license text. Compliant Conflict Unlikely License does not contain any stipulation on use in M environment. As a consequence, this is deemed permitted. ot mentioned Google ToS 0 2020 Conflict 0 License does neither permit nor require, but prohibit distribution. orbidden explicitly Section Software in Google services , Para . Compliant License does not contain any stipula 10 OT L 201 ully Compliant OSSmatrix 2020 Osborne Clarke istribution is not understood as the mere resale of one single copy received which may be permitted under mandatory copyright laws anyway . Third parties in the aforementioned sense are any legal entities or natural persons other than the distributor. A mere internal provision of copies within on legal entity is not regarded as distribution. istribution is also given in case of offering the software for download to the public. hile this Section . does only cover distribution by the initial recipient of the Software, a further subdistribution of any downstream recipients is covered by Section . a. This enables to capture licenses which grant only a non transferable right to distribute software to one further downstream recipient, but does not allow further subdistribution by this downstream recipient. See also Section . a. ecessary Only licenses are accepted that require or permit distribution. All other licenses are refused. This use case is usually chosen in very limited cases only, where all components will be distributed and will not be used internally which usually cannot be excluded . avoured All licenses are accepted. Licenses that prohibit the use within a M environment are highlighted bu In this use case, a tendency towards licenses allowing the use within a M environment is expressed. However, not mandatory, licenses prohibiting it are accepted as well. The prohibition to use the software in a M environment can become critical in several cases. Some smartph comprise M protection, which generally prohibits use of respectively licensed software within apps to the ex measures. urthermore, embedded devices may be protected by M against manipulation of its firmware, pro Some licenses make the prohibition of M measures sub ect to additional requirements, such as the GPL .0 case these requirements are not given, the use of M measures do not constitute an infringement of the respe Some licenses prohibit the use of the software on a system with digital rights management M , which o cryptographic signature. In this case, the user would not be able to run a modified version of the software on licenses aim to prohibit. Thus, such licenses prohibit use of the software on such systems or require to prov to execute modified versions on such systems. To the contrary, some commercial licenses do explicitly require use of a M environment, e.g. in order to p software. The term distribution is understood as the creation of multiple copies of the software and their provision to third parties. Permitted explicitly implicitly : istribution is permitted. It may however be sub ect to certain minor conditions and restrictions. This applies for most open source licenses. equired explicitly implicitly : istribution is required. This may apply for commercial licenses which do only cover distribution but not use for own purposes, e.g. in case of distribution of software as part of embedded products. orbidden explicitly implicitly : istribution is not allowed. or most commercial software its distribution is prohibited. A Tag is set to explicit, in case the license contains an explicit clause on distribution. It is set to implicit if the tag can only be derived indirectly from the license or its surrounding circumstances. Features
9 osborneclarke.com Features Full documentation the individual steps to the result found The expert opinion in tabular form: thanks to extensive documentation, every step of the assessment is and thus the overall result is also comprehensible.
10 osborneclarke.com Features Parameterization of individual factors, therefore different evaluations are possible. Arguments can be weighted differently at any time. The result is automatically recalculated. In this way, your own risk affinity/aversion can be adjusted.
11 osborneclarke.com Features Risk assessment with percentages not only yes/no, but gradations in the percentage range, which can be further processed and automatically evaluated. In this way, even doubtful cases and grey scales can be recorded, evaluated and visualised. ully Compliant o Conflict 100 License does allow ASP provision. Open Issue To be clarified 50 Unclear, whether license allows ASP provision. 50,00 Compliant Conflict Unlikely 0 License does likely allow ASP provision. ,00 ully Compliant o Conflict 100 License does allow ASP provision. Conflict 20 License s does likely not allow ASP provision. ,00 Compliant Conflict Unlikely 0 License does likely allow ASP provision. 5 ,00
12 osborneclarke.com Features Distinction between three levels • Abstract license • Concrete software • Concrete use case of the software Application scenario of concrete software Concrete software Abstract license GPL 2.0 Linux Kernel Driver running in kernel space Application software running under Linux Busybox Stand-alone installation Self-written add- on to Busybox
13 osborneclarke.com Best Practice | License Matrix | Our approach Mapping a separate use case against the respective licenses with automatic check and clear indication of risk score values and reference to individual check sections
14 osborneclarke.com Features License comparison Quick overview of the main differences between individual licenses in direct comparison
15 osborneclarke.com Features | Summary • Legal tech solution for license evaluation and use case mapping with the following features: – Standardised assessment of individual licensing obligations – Full documentation of the individual steps to the result found – Individual factors can be parameterised, therefore different valuations are possible (conservative approach vs. risk-taking approach) – Risk assessment with percentages (not just yes/no, but gradations in the percentage range, recording and visualising cases of doubt) – Mapping of an own use case against the respective licenses with automatic check and clear indication of risk score values and reference to individual check sections
16 osborneclarke.com What we do 1. Use Case Development: We create customised use cases for you. Based on our experience, we define how you handle the software. 2. License check: You provide us with a list of licenses (if necessary, we will assist you with the creation). We check the rights and obligations of the licences that apply to your software. 3. Matching: We check your use cases for conflicts with the rights and obligations of the licences. What you get • Standard Package: Result of the use case matching, which clearly shows the compliance/non-compliance of the use cases with licenses • Extended Package: Additional, in-depth explanation of the rights and obligations of the individual licences with regard to the use cases - a legal memo in table form • Optional: Testing of specific software. This may be necessary for the licensor to understand the licence - this may differ from the general understanding of the licence. Our Offer
17 osborneclarke.com Advantages • We start where the traditional tools stop: legal classification and evaluation of licences. More than “ ust” creating a Bill of Materials and fulfilling information obligations • Legally secure and fully documented - the memo of the external law firm in tabular form • Synergies through more than ten years of experience and the use of existing content enable efficient consulting
18 osborneclarke.com osborneclarke.com 18 Customers DAX 30 Group One of the world's largest automotive supplier …
19 osborneclarke.com Osborne Clarke is the business name for an international legal practice and its associated businesses. Full details here: osborneclarke.com/verein *Services in India are provided by a relationship firm 1,850 26 Osborne Clarke International 270+ Partne rs 675+ Business Support 900+ Expert lawyers Europe: Belgium: Brussels France: Paris Germany: Berlin, Cologne, Hamburg, Munich Italy: Brescia, Busto Arsizio, Milan, Rome Netherlands: Amsterdam Spain: Barcelona, Madrid, Zaragoza UK: Bristol, London, Reading Asia: China: Shanghai Hong Kong India: Bangalore, Mumbai, New Delhi Singapore USA: New York, San Francisco, Silicon Valley International Offices Employees

More Related Content

PDF
Top 10 custom software development trends
byEmma Jhonson
 
PPTX
Inverted page tables basic
bySanoj Kumar
 
PPTX
Driver Configuration Webinar
byAVEVA
 
PPTX
Fundamentals of Language Processing
byHemant Sharma
 
PDF
13 concurrency
byjigeno
 
PPT
QTP VB Script Trainings
byAli Imran
 
PPTX
MongoDB Interface for Asterisk PBX
bySokratis Galiatsis
 
PPTX
Conditions In C# C-Sharp
byAbid Kohistani
 
Top 10 custom software development trends
byEmma Jhonson
 
Inverted page tables basic
bySanoj Kumar
 
Driver Configuration Webinar
byAVEVA
 
Fundamentals of Language Processing
byHemant Sharma
 
13 concurrency
byjigeno
 
QTP VB Script Trainings
byAli Imran
 
MongoDB Interface for Asterisk PBX
bySokratis Galiatsis
 
Conditions In C# C-Sharp
byAbid Kohistani
 

Similar to Osborne Clarke - OpenChain - FOSSmatrix

PDF
SFScon19 - Margherita Cera - Free Software Licensing
bySouth Tyrol Free Software Conference
 
PDF
Exploring Open Source Licensing
byStefano Fago
 
PDF
Don't Let Open Source be the Deal Breaker In Your M&A
byBlack Duck by Synopsys
 
PPT
Open Source File
byAbhishek Goel
 
PPTX
Do software developers understand open source licenses?
byDaniel Almeida
 
PDF
Strategies to Reap the Benefits of Software Patents in an Open Source Softwar...
byBlack Duck by Synopsys
 
PPT
Introduction To Open Source Licensing
byMark Radcliffe
 
PPTX
Pls 780 week 5
byMichael Germano
 
PPTX
Google v. Oracle
byDavid Opderbeck
 
PDF
Intellectual Property Issues in Open Source
byAndres Guadamuz
 
PPTX
UNHI Creative Works Symposium Session: Open Source Issues and Opportunities
byUNHInnovation
 
PDF
Legal interoperability: glocal perspective (LAPSI, Torino)
byFederico Morando
 
PDF
SFScon 22 - Margherita Cera - Derivative work and open-source license in M&A ...
bySouth Tyrol Free Software Conference
 
PDF
Source Code Licensing as an Essential Aspect of Modern Software Development
bydmgerman
 
PPT
I\'m Not an IT Lawyer: Why Does Open Source Matter to Me?
byJennifer O'Neill
 
PPT
JISC Legal National Stem Programme OER & Creative Commons Workshop Bath
byJISC Legal
 
PPTX
Legal-Considerations-for-Open-Source-Software-Creative-Commons-Licenses_Sprin...
byEmmaShort14
 
PPTX
Legitimacy of Open Source Softwares
byAntara Rastogi
 
PPTX
Copyright or Copy left by manoranjan, glc, tvpm
byAdvocate
 
PDF
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
bySonatype
 
SFScon19 - Margherita Cera - Free Software Licensing
bySouth Tyrol Free Software Conference
 
Exploring Open Source Licensing
byStefano Fago
 
Don't Let Open Source be the Deal Breaker In Your M&A
byBlack Duck by Synopsys
 
Open Source File
byAbhishek Goel
 
Do software developers understand open source licenses?
byDaniel Almeida
 
Strategies to Reap the Benefits of Software Patents in an Open Source Softwar...
byBlack Duck by Synopsys
 
Introduction To Open Source Licensing
byMark Radcliffe
 
Pls 780 week 5
byMichael Germano
 
Google v. Oracle
byDavid Opderbeck
 
Intellectual Property Issues in Open Source
byAndres Guadamuz
 
UNHI Creative Works Symposium Session: Open Source Issues and Opportunities
byUNHInnovation
 
Legal interoperability: glocal perspective (LAPSI, Torino)
byFederico Morando
 
SFScon 22 - Margherita Cera - Derivative work and open-source license in M&A ...
bySouth Tyrol Free Software Conference
 
Source Code Licensing as an Essential Aspect of Modern Software Development
bydmgerman
 
I\'m Not an IT Lawyer: Why Does Open Source Matter to Me?
byJennifer O'Neill
 
JISC Legal National Stem Programme OER & Creative Commons Workshop Bath
byJISC Legal
 
Legal-Considerations-for-Open-Source-Software-Creative-Commons-Licenses_Sprin...
byEmmaShort14
 
Legitimacy of Open Source Softwares
byAntara Rastogi
 
Copyright or Copy left by manoranjan, glc, tvpm
byAdvocate
 
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
bySonatype
 

More from Shane Coughlan

PDF
OpenChain Global Update @ Open Source Tech Day 2025
byShane Coughlan
 
PPTX
Standardization of open-source software ISO/IEC 5230:2020 and ISO/IEC 18974:2...
byShane Coughlan
 
PDF
Introduction to the European Union Cyber Resilience Act (CRA)
byShane Coughlan
 
PDF
SBOM Document Quality Guide - OpenChain SBOM Study Group
byShane Coughlan
 
PPTX
Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...
byShane Coughlan
 
PPTX
Operations Profile SPDX_Update_20250711_Example_05_03.pptx
byShane Coughlan
 
PDF
The 3rd OSPO Summit - China (Beijing - 2025-06-12)
byShane Coughlan
 
PPTX
OpenChain Korea Work Group Meeting - 2025-06-16
byShane Coughlan
 
PPTX
OpenChain Tooling Work Group - 2025-07-02
byShane Coughlan
 
PPTX
OpenChain @ OSS NA - In From the Cold: Open Source as Part of Mainstream Soft...
byShane Coughlan
 
PPTX
In From the Cold: Open Source as Part of Mainstream Software Asset Management
byShane Coughlan
 
PPTX
Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...
byShane Coughlan
 
PDF
Open Chain Q2 Steering Committee Meeting - 2025-06-25
byShane Coughlan
 
PDF
OpenChain Webinar - AboutCode - Practical Compliance in One Stack – Licensing...
byShane Coughlan
 
PPTX
OpenChain China Work Group – Regular Meeting 3 – 2024-11-29 @ 14:00 to 17:30
byShane Coughlan
 
PPTX
OpenChain @ InnerSource Summit 2024 - 2024-11-20
byShane Coughlan
 
PPTX
OpenChain Korea Work Group Meeting #24 - 2024-11-26
byShane Coughlan
 
PDF
Compliance and Integrity in the Software Supply Chain with Software Heritage:...
byShane Coughlan
 
PDF
Fujitsu’s OSS standards conformance and AI Management System Standardization ...
byShane Coughlan
 
PPTX
OpenChain China Work Group Presentation @ OSCAR 2024
byShane Coughlan
 
OpenChain Global Update @ Open Source Tech Day 2025
byShane Coughlan
 
Standardization of open-source software ISO/IEC 5230:2020 and ISO/IEC 18974:2...
byShane Coughlan
 
Introduction to the European Union Cyber Resilience Act (CRA)
byShane Coughlan
 
SBOM Document Quality Guide - OpenChain SBOM Study Group
byShane Coughlan
 
Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...
byShane Coughlan
 
Operations Profile SPDX_Update_20250711_Example_05_03.pptx
byShane Coughlan
 
The 3rd OSPO Summit - China (Beijing - 2025-06-12)
byShane Coughlan
 
OpenChain Korea Work Group Meeting - 2025-06-16
byShane Coughlan
 
OpenChain Tooling Work Group - 2025-07-02
byShane Coughlan
 
OpenChain @ OSS NA - In From the Cold: Open Source as Part of Mainstream Soft...
byShane Coughlan
 
In From the Cold: Open Source as Part of Mainstream Software Asset Management
byShane Coughlan
 
Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...
byShane Coughlan
 
Open Chain Q2 Steering Committee Meeting - 2025-06-25
byShane Coughlan
 
OpenChain Webinar - AboutCode - Practical Compliance in One Stack – Licensing...
byShane Coughlan
 
OpenChain China Work Group – Regular Meeting 3 – 2024-11-29 @ 14:00 to 17:30
byShane Coughlan
 
OpenChain @ InnerSource Summit 2024 - 2024-11-20
byShane Coughlan
 
OpenChain Korea Work Group Meeting #24 - 2024-11-26
byShane Coughlan
 
Compliance and Integrity in the Software Supply Chain with Software Heritage:...
byShane Coughlan
 
Fujitsu’s OSS standards conformance and AI Management System Standardization ...
byShane Coughlan
 
OpenChain China Work Group Presentation @ OSCAR 2024
byShane Coughlan
 

Recently uploaded

DOCX
What Is the Best BI Software Other Than Tableau.docx
byVarsha Nayak
 
PPTX
Moving Plone Blob Storage to S3 Object Storage - Plone Conference 2025
byAlin Voinea
 
PPTX
Oracle_AWS_Azure_GCP_Comparison_ModernTech.pptx
byVITS184D1
 
PDF
Driving Stress Detection Using Multimodal CNN with Nonlinear Representation o...
byPranjal Kumar
 
PDF
Ensuring Regulatory Excellence with Insurance Compliance Software
byInsurance Tech Services
 
PPTX
Declarative Process Mining with MINERful, Reloaded
byCecilia Iacometta
 
PPTX
Cyber-Security-Essentials (21AK1A0217).pptx
byGaganGagan44
 
PPTX
AI-Powered Intelligent Agents for Fraud Detection
byleolucus1995
 
PDF
Privacy-first in-browser Generative AI web apps: offline-ready, future-proof,...
byMaxim Salnikov
 
PPT
SAP ERP Training For Senior Managers.ppt
byBalanathanVirupasan
 
PDF
SAP & CTRM Testing Like Never Before
byZoe Gilbert
 
PDF
VADY GenAI – Enterprise AI Solutions with Complete Data Control and Smart Dec...
byNewFangledVision
 
PDF
The 50+ First-Timer: It’s never too late for Open Source!
byImma Valls Bernaus
 
PDF
The Rise of AI Agents: Powering the Next Industrial Era
byMaxim Salnikov
 
PDF
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
PPT
Lexical and Syntax Analysis top down parsers
bymjmansoori54
 
PPSX
Domain Centered Architecture for complex business domains
byRob Vens
 
DOCX
Best Tableau Alternatives for Data Analytics and Reporting.docx
byVarsha Nayak
 
PDF
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
PDF
ASTC Conference 2025 - Bridging the Gap!
byGareth Oakes
 
What Is the Best BI Software Other Than Tableau.docx
byVarsha Nayak
 
Moving Plone Blob Storage to S3 Object Storage - Plone Conference 2025
byAlin Voinea
 
Oracle_AWS_Azure_GCP_Comparison_ModernTech.pptx
byVITS184D1
 
Driving Stress Detection Using Multimodal CNN with Nonlinear Representation o...
byPranjal Kumar
 
Ensuring Regulatory Excellence with Insurance Compliance Software
byInsurance Tech Services
 
Declarative Process Mining with MINERful, Reloaded
byCecilia Iacometta
 
Cyber-Security-Essentials (21AK1A0217).pptx
byGaganGagan44
 
AI-Powered Intelligent Agents for Fraud Detection
byleolucus1995
 
Privacy-first in-browser Generative AI web apps: offline-ready, future-proof,...
byMaxim Salnikov
 
SAP ERP Training For Senior Managers.ppt
byBalanathanVirupasan
 
SAP & CTRM Testing Like Never Before
byZoe Gilbert
 
VADY GenAI – Enterprise AI Solutions with Complete Data Control and Smart Dec...
byNewFangledVision
 
The 50+ First-Timer: It’s never too late for Open Source!
byImma Valls Bernaus
 
The Rise of AI Agents: Powering the Next Industrial Era
byMaxim Salnikov
 
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
Lexical and Syntax Analysis top down parsers
bymjmansoori54
 
Domain Centered Architecture for complex business domains
byRob Vens
 
Best Tableau Alternatives for Data Analytics and Reporting.docx
byVarsha Nayak
 
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
ASTC Conference 2025 - Bridging the Gap!
byGareth Oakes
 

Osborne Clarke - OpenChain - FOSSmatrix

  • 1.
    Dr. Hendrik Schöttle Rechtsanwalt,Partner, Fachanwalt für IT-Recht 2021 Legal Tech Add-On for OSS Compliance FOSSmatrix
  • 2.
    1 osborneclarke.com Hendrik Schöttle hasbeen working as a lawyer since 2005, since 2007 in Osborne Clarke's Munich office. He has worked several times in the legal departments of IT companies within the scope of secondments. He also worked for several years as a software developer at the Institute for Legal Informatics at Saarland University. His practical experience and technical know-how benefit his clients in technology- related consulting. He is the author of numerous publications, co-author of several handbooks and commentaries, including the Beck‘sche Handbuch IT- und Datenschutzrecht and the juris Praxiskommentar zum BGB. Hendrik Schöttle is a lecturer at the German Lawyers‘ Academy for the specialist IT law course and regularly gives lectures on IT law topics. He is a member of the board of BITKOM‘s Open Source Working Group, a member of the Committee on Data Protection Law of the German Federal Bar Association (BRAK), the Information Technology Working Group of the German Bar Association (DAV) and the German Society for Law and Information Technology (DGRI). Dr. Hendrik Schöttle advises on IT and data protection law. Hendrik Schöttle was named one of the best lawyers in IT law in 2019 and 2018 by both the Handelsblatt and Best Lawyers as well as by Wirtschaftswoche. A competitor quoted in the JUVE Handbook 2019/2020 recommends him as a "top name in open source”. He is listed in the Kanzleimonitor 2018/2019 and 2017/2018 as a repeatedly recommended lawyer in IT law. The Kanzleihandbuch Legal 500 Deutschland recommends him because of his “very good knowledge of IT, even when it comes to exotic questions” and his “very quick understanding of technical details”. In 2015 he was awarded the Client Choice Award by Lexology and the International Law Office (ILO) in the category IT and Internet Law. He has many years of experience in consulting, drafting contracts and negotiating complex IT projects. His focus is on IoT, digitalisation and cloud computing. He advises on software licensing models, especially open source software, and on data protection law. His clients include internationally active technology groups as well as renowned IT and e-business companies. Contact Dr. Hendrik Schöttle Partner, Fachanwalt für IT-Recht Germany +49 89 5434 8046 hendrik.schoettle@osborneclarke.com “Top name in the field of Open Source”. Competitor, JUVE Handbook 2019/2020
  • 3.
    2 osborneclarke.com Why a LicenseMatrix? • Why a licence matrix when implementing Open Source Compliance? – Common scanning tools often only compile licence texts and copyright clauses, but do not provide a detailed and comprehensible overview of other licence obligations – All the obligations of a licence must be • scanned, evaluated and then • be matched with own use. – The interpretation of individual licences and their obligations is often controversial – The binary representation of a result alone does not help in the case of controversial interpretations
  • 4.
    3 osborneclarke.com Example: Use Case“ASP Use” • Example: Use Case “ASP use”: Is making software available in the form of Application Service Provision (ASP/SaaS) permissible? – Many licences do not contain clear rules on this – Usual solution: Many memos on individual licences. Unclear and no help for a quick overview of compliance with obligations depending on the specific use case • Our solution: – Splitting the question into partial aspects and arguments for or against – Weighting of the aspects with different score values and evaluation logic – Calculation of the score values – Clear presentation – Comparison with application scenarios of the respective company
  • 5.
    4 osborneclarke.com Example: Use Case“ASP Use” • Example: Use Case “ASP use”: Is making software available in the form of Application Service Provision (ASP/SaaS) permissible? • We asked ourselves two questions: − Is ASP use permitted under the relevant licence? − If yes: does ASP use trigger the respective obligations of the licence?
  • 6.
    5 osborneclarke.com Example: Use Case“ASP Use” • Is ASP use permitted under the relevant licence? − Does the licence text itself contain an explicit provision? − Are there official statements from product owners or licence stewards? − Is reference made to ASP Use Cases in the licence text? − Do licence obligations tie in with ASP Use Cases? − Was the licence created before ASP was known to be an independent form of use? − Does the licence generally contain a far-reaching grant of rights of use? − Is a right of public display or public performance granted? − Are there known cases of software licensed under the licence and used in the form of ASP? − Are there any other facts that indicate a right of use?
  • 7.
    6 osborneclarke.com Use Cases License Assessment– ASP provision allowed? ully Compliant o Conflict 100 License does allow ASP provision. Open Issue To be clarified 50 Unclear, whether license allows ASP provision. 50,00 Compliant Conflict Unlikely 0 License does likely allow ASP provision. ,00 ully Compliant o Conflict 100 License does allow ASP provision. Conflict 20 License s does likely not allow ASP provision. ,00 Compliant Conflict Unlikely 0 License does likely allow ASP provision. 5 ,00 ully Compliant o Conflict 100 License does allow ASP provision. Open Issue To be clarified 50 Unclear, whether license allows ASP provision. 50,00 Compliant Conflict Unlikely 0 License does likely allow ASP provision. ,00 ully Compliant o Conflict 100 License does allow ASP provision. Conflict 20 License s does likely not allow ASP provision. ,00 Compliant Conflict Unlikely 0 License does likely allow ASP provision. 5 ,00
  • 8.
    7 osborneclarke.com Legal-Tech solution withtwo functions: • Evaluation of licences, standardised, fully documented and parameterisable with percentage data for automatic further processing • Use Case Mapping against the respective licenses with automated conflict checking Our approach
  • 9.
    8 osborneclarke.com Standardised assessment of individuallicensing obligations By means of a predefined set of options and an associated evaluation metric and logic, licensing obligations can be clearly structured, automatically evaluated and compared. 1 AGPL .0 only Medium Alert Limited Use Case Match 5 License does permit with restrictions prohibiting distribution. Permitted w restrictions where forbidden Sections , 5 and . The license can be understood as having tacitly excluded certain methods of distribution by producing an exhaustive list of obligations for distribution methods of the source code for distributed binary forms which, for Information 5 License does neither permit nor require, but prohibit use in M environment. orbidden explicitly Section Para 5 Installation Infor Installation Infor includes authori required to install covered work . Th 2 altova eula Limited Conflict 25 License does neither permit nor require, but prohibit with exceptions permitting distribution. orbidden w exceptions where permitted According to Section 1. a iv Sentence 2, licensee may only distribute the restricted source code together with licensees unrestricted source code in executable ob ect code form. Compliant Conflict Unlikely License does not contain any stipulation on use in M environment. As a consequence, this is deemed permitted. ot mentioned A TL P Compliant Conflict Unlikely 0 License does only implicitly permit distribution. Permitted implicitly According to Para 1 Sentence 1, the software is fully in the public domain. This includes the right to distribute it. Compliant Conflict Unlikely License does not contain any stipulation on use in M environment. As a consequence, this is deemed permitted. ot mentioned BS 2 Clause ully Compliant o Conflict 100 License does explicitly permit distribution. Permitted explicitly Section 1 explicitly allows redistributions of source code, Section 2 explicitly allows redistributions in binary form. Compliant Conflict Unlikely License does not contain any stipulation on use in M environment. As a consequence, this is deemed permitted. ot mentioned 5 CC0 1.0 Compliant Conflict Unlikely 0 License does only implicitly permit distribution. Permitted implicitly In Section 2, sentence 1, licensor first waives all rights to the greatest extent permitted by law. Second, in Section sentence 2, licensor grants a respective license to the maximum extent possible, in case a waiver under Section 2 should not be possible. This can both be understood as respective grant of distribution rights. Compliant Conflict Unlikely License does not contain any stipulation on use in M environment. As a consequence, this is deemed permitted. ot mentioned CC B SA .0 ully Compliant o Conflict 100 License does explicitly permit distribution. Permitted explicitly Section 2.a.1.A. and B. refer to the sharing of licensed material, which includes also the distribution of the licensed material, according to the definition of share in Section 1.k. Information 5 License does neither permit nor require, but prohibit use in M environment. orbidden explicitly According to Section 2.a the access to the license measures. The CC wiki a by the license steward of M as being covered by https: wiki.creativecomm Google Chrome OS Adobe Additional ToS 0 2020 Medium Alert Limited Use Case Match 5 License does permit with restrictions prohibiting distribution. Permitted w restrictions where forbidden According to Section 1. a , distribution is only allowed in form of a browser plug in. Additional conditions in Section have to be complied with. However, it is not clear whether licensor has mistakenly simply forwarded terms that were only allowing ully Compliant o Conflict 100 License does explicitly require use in M environment. equired explicitly Section 1. d requires tha Chrome eader Software P and EPUB document Section 1. c , the software P or EPUB documents Google Chrome OS MPEG Additional ToS 0 2020 Conflict 20 License does neither permit nor require, but prohibit distribution. orbidden implicitly License speaks of personal and non commercial use of a consumer or other users. istribution is not mentioned in license text. Compliant Conflict Unlikely License does not contain any stipulation on use in M environment. As a consequence, this is deemed permitted. ot mentioned Google ToS 0 2020 Conflict 0 License does neither permit nor require, but prohibit distribution. orbidden explicitly Section Software in Google services , Para . Compliant License does not contain any stipula 10 OT L 201 ully Compliant OSSmatrix 2020 Osborne Clarke istribution is not understood as the mere resale of one single copy received which may be permitted under mandatory copyright laws anyway . Third parties in the aforementioned sense are any legal entities or natural persons other than the distributor. A mere internal provision of copies within on legal entity is not regarded as distribution. istribution is also given in case of offering the software for download to the public. hile this Section . does only cover distribution by the initial recipient of the Software, a further subdistribution of any downstream recipients is covered by Section . a. This enables to capture licenses which grant only a non transferable right to distribute software to one further downstream recipient, but does not allow further subdistribution by this downstream recipient. See also Section . a. ecessary Only licenses are accepted that require or permit distribution. All other licenses are refused. This use case is usually chosen in very limited cases only, where all components will be distributed and will not be used internally which usually cannot be excluded . avoured All licenses are accepted. Licenses that prohibit the use within a M environment are highlighted bu In this use case, a tendency towards licenses allowing the use within a M environment is expressed. However, not mandatory, licenses prohibiting it are accepted as well. The prohibition to use the software in a M environment can become critical in several cases. Some smartph comprise M protection, which generally prohibits use of respectively licensed software within apps to the ex measures. urthermore, embedded devices may be protected by M against manipulation of its firmware, pro Some licenses make the prohibition of M measures sub ect to additional requirements, such as the GPL .0 case these requirements are not given, the use of M measures do not constitute an infringement of the respe Some licenses prohibit the use of the software on a system with digital rights management M , which o cryptographic signature. In this case, the user would not be able to run a modified version of the software on licenses aim to prohibit. Thus, such licenses prohibit use of the software on such systems or require to prov to execute modified versions on such systems. To the contrary, some commercial licenses do explicitly require use of a M environment, e.g. in order to p software. The term distribution is understood as the creation of multiple copies of the software and their provision to third parties. Permitted explicitly implicitly : istribution is permitted. It may however be sub ect to certain minor conditions and restrictions. This applies for most open source licenses. equired explicitly implicitly : istribution is required. This may apply for commercial licenses which do only cover distribution but not use for own purposes, e.g. in case of distribution of software as part of embedded products. orbidden explicitly implicitly : istribution is not allowed. or most commercial software its distribution is prohibited. A Tag is set to explicit, in case the license contains an explicit clause on distribution. It is set to implicit if the tag can only be derived indirectly from the license or its surrounding circumstances. Features
  • 10.
    9 osborneclarke.com Features Full documentation the individualsteps to the result found The expert opinion in tabular form: thanks to extensive documentation, every step of the assessment is and thus the overall result is also comprehensible.
  • 11.
    10 osborneclarke.com Features Parameterization of individual factors, thereforedifferent evaluations are possible. Arguments can be weighted differently at any time. The result is automatically recalculated. In this way, your own risk affinity/aversion can be adjusted.
  • 12.
    11 osborneclarke.com Features Risk assessment with percentages notonly yes/no, but gradations in the percentage range, which can be further processed and automatically evaluated. In this way, even doubtful cases and grey scales can be recorded, evaluated and visualised. ully Compliant o Conflict 100 License does allow ASP provision. Open Issue To be clarified 50 Unclear, whether license allows ASP provision. 50,00 Compliant Conflict Unlikely 0 License does likely allow ASP provision. ,00 ully Compliant o Conflict 100 License does allow ASP provision. Conflict 20 License s does likely not allow ASP provision. ,00 Compliant Conflict Unlikely 0 License does likely allow ASP provision. 5 ,00
  • 13.
    12 osborneclarke.com Features Distinction between three levels •Abstract license • Concrete software • Concrete use case of the software Application scenario of concrete software Concrete software Abstract license GPL 2.0 Linux Kernel Driver running in kernel space Application software running under Linux Busybox Stand-alone installation Self-written add- on to Busybox
  • 14.
    13 osborneclarke.com Best Practice |License Matrix | Our approach Mapping a separate use case against the respective licenses with automatic check and clear indication of risk score values and reference to individual check sections
  • 15.
    14 osborneclarke.com Features License comparison Quick overviewof the main differences between individual licenses in direct comparison
  • 16.
    15 osborneclarke.com Features | Summary •Legal tech solution for license evaluation and use case mapping with the following features: – Standardised assessment of individual licensing obligations – Full documentation of the individual steps to the result found – Individual factors can be parameterised, therefore different valuations are possible (conservative approach vs. risk-taking approach) – Risk assessment with percentages (not just yes/no, but gradations in the percentage range, recording and visualising cases of doubt) – Mapping of an own use case against the respective licenses with automatic check and clear indication of risk score values and reference to individual check sections
  • 17.
    16 osborneclarke.com What we do 1.Use Case Development: We create customised use cases for you. Based on our experience, we define how you handle the software. 2. License check: You provide us with a list of licenses (if necessary, we will assist you with the creation). We check the rights and obligations of the licences that apply to your software. 3. Matching: We check your use cases for conflicts with the rights and obligations of the licences. What you get • Standard Package: Result of the use case matching, which clearly shows the compliance/non-compliance of the use cases with licenses • Extended Package: Additional, in-depth explanation of the rights and obligations of the individual licences with regard to the use cases - a legal memo in table form • Optional: Testing of specific software. This may be necessary for the licensor to understand the licence - this may differ from the general understanding of the licence. Our Offer
  • 18.
    17 osborneclarke.com Advantages • We startwhere the traditional tools stop: legal classification and evaluation of licences. More than “ ust” creating a Bill of Materials and fulfilling information obligations • Legally secure and fully documented - the memo of the external law firm in tabular form • Synergies through more than ten years of experience and the use of existing content enable efficient consulting
  • 19.
    18 osborneclarke.com osborneclarke.com 18 Customers DAX 30 Group Oneof the world's largest automotive supplier …
  • 20.
    19 osborneclarke.com Osborne Clarke isthe business name for an international legal practice and its associated businesses. Full details here: osborneclarke.com/verein *Services in India are provided by a relationship firm 1,850 26 Osborne Clarke International 270+ Partne rs 675+ Business Support 900+ Expert lawyers Europe: Belgium: Brussels France: Paris Germany: Berlin, Cologne, Hamburg, Munich Italy: Brescia, Busto Arsizio, Milan, Rome Netherlands: Amsterdam Spain: Barcelona, Madrid, Zaragoza UK: Bristol, London, Reading Asia: China: Shanghai Hong Kong India: Bangalore, Mumbai, New Delhi Singapore USA: New York, San Francisco, Silicon Valley International Offices Employees