Reading the google groups discussion raises some interesting questions:
What prevents other open source projects from being taken down with a "management did not authorize this" notice? For example, what prevents Twitter from saying Bootstrap was released by a rogue employee, invalidating the open source license and rendering millions of websites in copyright violation?
What happens to the commits by other authors to the source tree? Do they own the copyright to their commits, even if they modify invalid open source code?
How does the open source community react when this happens? Do they fork and pretend the source code is legit open source? (from reading the discussion, it seems like many developers have already forked the code and encouraged others to work off it)
Perhaps there are reasonable solutions to these, but I'm interested to see how this story unfolds, since it may affect how people think of companies open sourcing code in the future.
It's highly questionable whether a company has the legal authority to retroactively revoke an open source license.
The legal doctrine of promissory estoppel is generally considered to protect open source licensees. If you license something for free, and people come to rely on that free licensing, they generally have a right to keep using it, even if you change your mind and try to revoke it later. You can, however, stop licensing the software to new parties.
Novus seems to be trying to get around this by claiming that the license was never valid to begin with, because it was issued by a rogue employee. However, I would argue that the doctrine of apparent authority applies here. That is, to a potential licensee, there was no reason to believe that the open source licensing was anything but company-sanctioned. (The rules for apparent authority are actually a bit more nuanced than that, but the main point is the same.) Thus, even if the employee did indeed act without authorization, I think Novus would still be bound by the license.
Novus seems to be on shaky legal ground, and I find its cease-and-desist questionable. Unfortunately, it would appear that the recipients of the cease-and-desist opted to comply rather than risk a fight. So the scary thing is not that companies can arbitrarily revoke an open source license--in fact, they can't. Rather, it's that a letter containing vague legal threats can have such a strong chilling effect.
It is a conundrum. If I were to hack into Microsoft and obtain the source to Windows 8, release it on github under the GPL - it seems highly unlikely that would be honored. Although if even one single person downloaded it under GPL then technically they should be able to distribute their own version under GPL.
It seems like if the code is considered "stolen" there must be some legal common sense. I would also imagine the longer the code stays as open source, the less likely you'd be able to claim theft. If you immediately took it down claiming copyright that would be one thing. If you knowingly left it up for a year, though, that would certainly be a different situation.
"It is a conundrum. If I were to hack into Microsoft and obtain the source to Windows 8, release it on github under the GPL - it seems highly unlikely that would be honored. Although if even one single person downloaded it under GPL then technically they should be able to distribute their own version under GPL."
While I think there is a lot of legal subtlety at play in the nv3d case, I think your case is a lot more clear cut. You never had the legal authority to make the Windows 8 source code GPL in the first place, so the code isn't GPL, no matter what the README you attached to it says and people continuing to distribute it would be in clear violation of copyright.
Your Windows 8 example is pretty clear cut, sort of like if I steal your car and resell it to someone else. Just because they bought the car doesn't mean they own it, it still belongs to the original owner though the person who bought it clearly has a legal case for restitution against the person who sold it to them without owning it.
Yeah, it probably wouldn't be honored unless the company did something to indicate they sanctioned your actions. Your second scenario, in which the company leaves it up for a year, may go a little ways towards creating apparent authority. However, if you had no prior connection to Microsoft, the court would probably say a reasonable person would not believe you had the authority. Even if you were a Microsoft employee, because it's Windows 8 in particular, the bar would be pretty high for showing that a reasonable person would actually trust the authenticity of this open source license.
1. Estoppel is only going to get you a very limited set of rights. It's highly unlikely a judge is going to find you have the same rights as the open source license, unless you were actually relying on all of those rights. You certainly would not be able to sublicense those rights further, except to those you had already. This is not the same as Novus's ability to "stop licensing the software to new parties", it means you would not be able to give others the rights you had gotten through estoppel.
In effect, estoppel is mainly going to protect you from damages, not give you the right to use it as open source.
2. It certainly depends, but the apparent authority question is a lot closer than you make it out to be. There are plenty of cases in the US where "the nature of the transaction" should have caused one to question whether the employee had authority, etc.
Not just that, but in New York state, where Novus Partners is, the law is nowhere near what you make it out to be.
AFAIK, under New York State law, the apparent authority doctrine will hold a principal responsible for its agent’s actions as long as the principal clothed the agent with apparent authority. Novus Partners would have had to have done something explicit to make you believe this person had authority to open source.
See Hallock v. State, 64 N.Y.2d 224, 231 (1984).
“Essential to the creation of apparent authority are words or conduct of the principal, communicated to a third party, that give rise to the appearance and belief that the agent possesses authority to enter into a transaction,” An agent can never “by his own acts imbue himself with apparent authority,” Id.
“[T]he existence of ‘apparent authority’ depends upon a factual showing that the third party relied upon the misrepresentation of the agent because of some misleading conduct on the part of the principal — not the agent,” Id.
“Moreover, a third party with whom the agent deals may rely on an appearance of authority only to the extent that such reliance is reasonable,” Id.
The only communication I see from Novus Partners here is something saying "sorry, he had no authority". If there is something else, great, you may be right. If there isn't, I wouldn't say it's "highly questionable" whether they could do what they did.
Source: I'm a registered patent attorney and corporate IP lawyer who has been doing open source lawyering for many many years now.
"It's highly unlikely a judge is going to find you have the same rights as the open source license, unless you were actually relying on all of those rights. You certainly would not be able to sublicense those rights further, except to those you had already. This is not the same as Novus's ability to "stop licensing the software to new parties", it means you would not be able to give others the rights you had gotten through estoppel."--I agree 100%. My apologies to other readers if I implied the opposite. I do still think that estoppel would protect licensees themselves insofar as they had relied on the software in, e.g., the development of their businesses.
Your point about sublicensing is well taken and deserves further exploration. It would appear that, estoppel or not, those who are now rereleasing the software may be on shaky legal ground. As you said, estoppel would probably not give you the right to sublicense, which is effectively what these folks are doing.
"Essential to the creation of apparent authority are words or conduct of the principal, communicated to a third party, that give rise to the appearance and belief that the agent possesses authority to enter into a transaction"--Agreed. I was under the impression this had transpired in the present case. I'm not sure about New York, but in many jurisdictions a principal's failure to act (given some other criteria) can be enough. I was thinking that would come into play here. Naturally it would depend on the exact facts, of which I am uncertain.
I would also raise the question of jurisdiction. Novus may be in New York, but what of licensees in other states? They could potentially make the argument that their states' laws apply, because part of the "transaction," i.e. the downloading and licensing of the software, occurred there. Would this argument succeed? I dunno.
> and people come to rely on that free licensing
> there was no reason to believe that the open source licensing was anything but company-sanctioned
What both these things seem to rely on, is the amount of time that has passed since the original open sourcing. It seems highly unlikely that they only discovered the open sourcing just now. If they had undertaken this action immediately after discovering the open sourcing, there would be no doubt that it wasn't company sanctioned and no-one would have come to rely on it.
I wouldn't find it terribly unlikely that non-technical managerial-level people within the company were unaware that certain code had been open sourced. I know that unless I make an effort to let other departments know about it, no one at my company would have any idea we created, or even used, open-source code.
Estoppel in English law is a doctrine that may be used in certain situations to prevent a person from relying upon certain rights, or upon a set of facts (e.g. words said or actions performed) which is different from an earlier set of facts.
Estoppel could arise in a situation where a creditor informs a debtor that a debt is forgiven, but then later insists upon repayment. In a case such as this, the creditor may be estopped from relying on their legal right to repayment, as the creditor has represented that he no longer treats the debt as extant. A landlord may tell his tenant that he is not required to pay rent for a period of time ("you don't need to pay rent until the war is over"). After the war is over, the landlord would be "estopped" from claiming rents during the war period. Estoppel is often important in insurance law, where some actions by the insurer or the agent estop the insurer from denying a claim.
This smells like the whole Twitter Bootstrap thing a few weeks ago, but the bootstrap guys had enough pull to take the brand with them after they left Twitter.
> What prevents other open source projects from being taken down with a "management did not authorize this" notice?
Retracting an open-source product is a move without a lot of upside. What business goal is promoted by such a retraction? It seems like it will just generate controversy, tarnish the company's reputation, and lead to endless ownership fights with contributors.
In addition, I suspect that major open-source projects usually actually do have the approval of people who have the authority to make that decision.
> What happens to the commits by other authors to the source tree? Do they own the copyright to their commits, even if they modify invalid open source code?
My understanding is that a contributor (or his employer) owns the copyright to his own patches when they are written. Larger open-source projects often require contributor agreements before they'll accept patches; the contributor must legally give the copyright to the project as a condition of their patch being incorporated into the official tree. If there's no contributor agreement in place, the patches continue to belong to the contributor.
You can think of the pre-patch tree and the patch as two parent nodes of the patched version. Novus owns the pre-patch tree; the contributor owns the patch; the post-patch tree is a derivative work of both of them, and can only be distributed with permission of both owners.
The contributor's patches may be useless without the parent tree to patch against. But if the contributors own the copyright to their patches, they can still use that copyright to forbid Novus from using or distributing the patched child tree.
> How does the open source community react when this happen?
Read the Google group and see. My feeling of how they should react is by the contributors banding together and telling Novus the following:
We contributed patches to Novus based on the understanding that the patched software would be released publicly as open source.
As soon as Novus became aware of the situation, it made a clear, unambiguous statement that Novus is not, and never was, willing to agree to these terms.
Therefore, since Novus does not accept the terms under which we gave them the patches, we revoke all permission for Novus to use these patches, or any version of the software which includes them.
If the contributors do this, and Novus is using the project internally, then Novus will have to either (1) back down and say that they're okay with open-source after all, (2) spend engineering resources on proprietary reimplementation of the features the community gave them for free, or (3) live without those features. Only option (1) lacks significant cost and/or risk from Novus's point of view.
> Perhaps there are reasonable solutions to these
This suggests that the more contributors an open-source project has, the stronger it is against any one person or company claiming ownership in this way. The remaining contributors can band together in response and pull out their patches, leaving the proprietary project at a feature-poor, ancient version -- especially compared to people's still-fresh memories of the open-source version -- if not making it entirely nonfunctional. The contributors could even attempt to make their patches useful again with an independent implementation which presents the same interface as Novus's now-proprietary code. Or they could toss their patches and rewrite the library from scratch. It would presumably take much less effort because, while they can't re-use the proprietary code from the Novus version, it should be okay to re-use the design decisions and API that may have been a big reason that the Novus version was so successful.
My trust with nvd3 pretty much ended when they pulled the finance part of the library out a few months ago without any notice. That tells me they are capable of doing it again in the future.
EDIT: Now that I have thought about this more, since they pulled out the finance part of the library before, it is very likely that they _did_ know about the library being open sourced. That makes the story much harder to believe.
* Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
Irrevocable copyright, I love it. It will stay open source and hosted there.
Bob should not be all to blame. Novus is clearly handling this poorly.
EDIT:
I'll accept pull requests, and if anyone had issues, please repost them.
Thanks for your stand, Rob. If anyone doubts that Novus knew about this project, consider that it was hosted on the official company github account and was sitting there under an open source license for almost a year. Take a look for yourself in the job ad posted on HN in September: http://news.ycombinator.com/item?id=4463689 It's even referred to as "open-source" in the ad. I'm guessing that when Bob asked if he could build an open source library to use with company projects, his boss told him "sure, knock yourself out". But now his boss's boss, or maybe the CEO, sees how nice it looks and wants to put the genie back in the bottle.
Luckily, "un" open sourcing projects under Apache, BSD, MIT, GPL, etc. is not so easy.
The discussion thread is interesting - it is strongly implied that NVD3 was up publicly and widely used for ~9 months, and its open source release seemed to have been approved by management.
Are there any other notable examples where a project was 'open' for such a long period of time and then the company that claimed to own the copyrights tried to un-open it? It seems like there's a huge potential for nasty side effects when something like this happens. 9 months is long enough for lots of people to start relying on a library that's been released under a permissive license like Apache2 and then suddenly have the rug pulled out from under them because a vendor either did a terrible job of protecting their copyrights or decided to take their toys and go home.
Not just that, the company might actually integrate the ideas and development from others gathered during this 9 month oops period into its now conveniently closed source product.
Yes, I believe Interbase might fit this description.
Borland open-sourced Interbase in 2000, but then bought it back in-house. The OS code was forked and became Firebird (aside - Firefox was originally called Firebird, but changed names after the name clash with the Firebird db was realised).
I find it remarkable that the 'management' would want to do this. This makes their company look ridiculously out of touch; by now LOTS of people have seen and edited this code themselves, and have copies; you can't put that genie back in the bottle.
They could have used this to their advantage by simply allowing it to stay open but requiring that their company/brand name be used in the project (like Twitter Bootstrap), thus allowing the company to be seen as a supporter of the open source community without much effort on their part. Now they look the exact opposite of that, by doing something that would require huge effort and resources to achieve/maintain.
NVD3 leaked memory terribly. For us creating and removing a small number of charts quickly ate memory in the tens of megabytes. While the code was readable, it was not a very efficiently written library. I also took issue with how it used a global shared function to throttle chart generation. This feature did not seem to work very well but I did not spend much time with it once I saw the memory footprint.
NVD3 is one of many chart libraries that placed more emphasis on design than robustness. Having gone through many charts I wonder if any of these developers have heard of the Profiles tab on web inspector.
Something like NVD3 can be used on a static page that isn't live updated for a short time. But a long living application will have problems.
In other words don't worry. NVD3 wasn't very good. Go look at the d3 basic chart examples on the d3 example's site. It is not hard to build graphs with d3. You don't need NVD3.
Having said this, I thought the NVD3 editor was pretty cool. Better than the actual library.
I don't really see how your comment is relevant. The important turn of events here is how a piece of opensource software can apparently be retroactively removed from the internet.
It doesn't matter if that piece of software was the best or the worst implementation in its field.
Which ones are the opposite of this? I.e., for people without much experience it could be a good idea to know which ones are bad in this regard and which ones are good.
I'm on the hunt for a chart library. So far, I'm thinking of Google Charts and Highcharts.
As I mentioned simply using d3 should be good enough. I have not found a chart library that cleans up after itself. You can take a look at the "basic charts" section: https://github.com/mbostock/d3/wiki/Gallery
flot is nice, at least for real time updates on charts. I'm building a websockets enabled realtime dashboard with flot, left it running last weekend, did not leak a bit.
Flot actually leaks quite a bit. We use flot at work and I had to hack the code to keep it from leaking. It doesn't leak as bad as NVD3, but it leaks. You will see it never surrenders the canvas element if you call shutdown on it if you check out memory snapshots.
The gray area here is their claim: That it was done without their approval.
If the company is the copyright holder, then the license that the code was released under was invalid from the start - regardless of it being out in the public.
Just because someone gets some Microsoft internal code and slaps an open source license on it and releases it to the public, that doesn't mean every company is now free to use the code without reprisal from Microsoft.
They're not "changing" the license - they're saying it never existed / was never valid in the first place.
Now, if they had done it officially - then yes, the best they could do was dual / re-license it. Being the copyright holder, they have the right to do this at any time. They could then stop work on the original open source licensed version and from that point on, internally, continue to develop their closed source version (minus the contributions to the open source fork).
The open source (older) version would continue to exist, separately, and continue to be free for use.
If someone has a business/product built on using nv3d and they come after them with a cease and desist / demand for money, the business in question could definitely take them to court over it and attempt discovery to find internal documents indicating whether it was truly approved or not - which would then either ratify or abolish the license once and for all.
As I understand it you're only bound by the open source terms included with the software at the time you started using it -- basically if you modify the code you're bound to release your changes if you redistribute the software. They cannot change the version you're already using retroactively.
Was the license ever valid though, if the copyright owner didn't issue it? If I stole a car, then signed a contract giving you the car for $1, then would you be able to keep the car?
No, you'd have to give them the car, because the rightful owners are denied a car by you keeping it. But be careful, licensing doesn't fall under traditional ownership/theft rules.
If the deal appears to be too good then you can be charged with handling stolen goods, which is a loophole closer for people palming off stolen items to friends for almost nothing. If you pay what is considered a going rate for an item that turns out to be stolen you are most likely not breaking the law, though of course that doesn't mean the property is yours or that you would be compensated for its removal from your ownership. Note this is relevant to UK law, no idea about other jurisdictions.
I don't know the back story behind this, but I just want to say that this is by far the most respectful and reasonably-worded takedown request I've ever seen.
Funnily enough, while it comes off as a very reasonable request linguistically, it is one of the most offensive takedown requests I've ever seen, given the backstory of this library.
I am very concerned that, due to github relying on private repositories for revenue, it has been all too eager to comply with this very legally questionable take down request. Do we need an "open" github that is truly on the side of open source software?
As someone that works on releasing open source products from a closed source company, this is scary reading. Suddenly, all of the checks and balances we have to hurdle seem reasonable.
"Please see Novus' official statement on nvd3 with an explanation, apology, and commitment to its permanent status as an open-source project. We know this was a shock and a major inconvenience, but we want to regain the community's trust and involvement. Please see the full statement at: http://nvd3.org/statement.html "
All of the comments seem to be very USA-oriented, but if one wants to learn a lesson from this we should also discuss other POVs. Does anyone know how a similar case would be handled in the EU? Or just using a fork after the cease-and-desist - does estoppel and so on exist there?
Putting the specifics of this case aside, the whole question underlines once again the questionable sanity behind copyright and intellectual property. The corner cases like these are a signal that the copyright thinking isn't entirely in alignment with reality. With physical goods it's very clear: if an employee had gone rogue and given off a prototype device built by the company, any resale of that device would naturally be illegal (it's illegal to buy and sell stolen goods) and the device could eventually be returned to the company.
However, with bits, things are different. Bits can be copied, they can't be stolen, and bits aren't unique things whose possession can be controlled. Thus, the idea of copyright is to "own" the copyrighted works so as to control making copies of it. The company tried to assert that it owns the library and extrapolate from there that they could control the bits that represent copies of the library. But if the thing companies intend to control is the idea or "the works" instead of the physical bits then we're faced with another dilemma.
Consider if the leaked thing was a trade secret, which is an idea with no physical presentation. The trade secret was published without permission by a rogue employee and thus it wouldn't be a secret any longer, then how could the company possibly claim it could be restored somehow? How could anyone who had read about the trade secret explicitly unmemorize it? There are no physical copies or bits to destroy, the idea would simply live in peoples' minds and eventually travel to the company's competitors. The cat's out of the bag, what can you do.
I think that in this case, the only plausible view of what actually happened is just that. The culprit is the employee who should be liable for the damages if it turns out that he actually did publish the source code without permission. (Based on the comments even verifying that is still uncertain.) Similarly, if an employee smuggles GPLv3 code into the company's codebase then the company can't just shrug that off, and must release their proprietary source code as GPLv3.
Both are quite harsh conclusions. It seems that any company larger than a few dozen people would eventually bump into one of these two cases. Employees would have to require written permission from their managers to release source code. (What if their managers didn't have the permission to give that permission?) Companies would have to audit all new source code before adding it to their version control system. (Nearly an impossible task unless a commit lag of months would be considered agile in their line of business.)
In practice, things don't work either way, as long as copyright is removed from the realm of bits, data, and software and the concept of intellectual "property" is disintegrated from the beginning. When companies stop relying on those delusions and base their business on things that actually work in real life, they are relieved of much suffering.
If you "copy" the bits that happen to open up access to my bank account, I'm not likely to use the word "copy", I'm going to say "stolen" and involve the police.
Similarly, if you "copy" the bits that I'm trying to monetize (they're a book, or a movie, or a computer program), I will also prefer the word "steal" and likewise involve the police.
Just because a low-level mechanism ("hey, we /copy/ bits, we don't destroy them! You still have them!") enables behavior on your part does not make that behavior ethical or lawful, nor does it imply that the notion that someone can control ownership of mere bits is bankrupt or delusional.
"Stealing" as applied to physical property involves two elements: it must be unauthorised by the owner, and it deprives the owner of the thing.
So I wouldn't define your password as stolen, just "known". As soon as the perp used it to take money from your account, then stealing has occurred.
"Stealing" is a very loaded word, which is why big media is desperate to frame their business problems using it. And in this case, I doubt many people would consider those who used NVD3 were guilty of stealing, given that a) they had been authorised to use it (as far as they knew), and b) they haven't deprived Novus of anything.
If you "don't read" my book, I'm going to call that "stealing". After all, if you had read it, I would have gotten $20, and I didn't get my $20, so you must have stolen something from me.
"Similarly, if an employee smuggles in GPLv3 code in to the company's codebase then the company can't just shrug that off, and must release their proprietary source code as GPLv3."
No, assuming the company was in violation of the GPLv3, they would probably need to stop using it, and potentially pay damages if sued by copyright holders, but would be under no compulsion to release their own proprietary source code. Unless, of course, they wanted to comply with the terms of the license and continue using it. However, the GPLv3 alone wouldn't even require that unless they were selling or making available copies of the software.
Do you really want to use a library with a questionable license in your project? Even if the source is widely available, it would be safer to consider it tainted.
I'm one of the 30 other individuals that actually patched and committed changes for Bob to include in nvd3.js; I'm looking for contacts for the other 29 contributors. (Please contact me using the feedback form on congocart.com or master-technology.com.) I would like one of us (I'm willing to volunteer) to contact Mr. Qunibi of Novus Partners in a position of consensus from those who actually have code in the product.
My thoughts on what I believe would be amicable (i.e. win/win) to both sides: they can have our permission to take ALL of our changes closed source in their own future versions as long as we (the community) may also use the last release under the open source (Apache) license it has been under since shortly after it was released on their official Novus github account, and go our own separate way. I know my changes were really early to the library and some of my code may not even exist anymore (lol).
But I believe the cost for them to audit the whole library and rip out all of our changes and rewrite it all could be major -- I believe Bob could legally remove all of our code; but for the actual re-implementation Bob would have to hand it off to someone to do a fully clean-room version to make them legally safe from being sued. And that could be very costly in time and resources. Cost-wise for them, it might even be cheaper to ditch the last 6-7 months of changes and just revert to the version before my patch/commit (which was issue #3 <G>). So I think we might be able to make this a win/win proposition if I can get the consensus of the other 29 contributors.