The GPL open source license does not increase legal risk to companies that are
governed by the Sarbanes-Oxley Act of 2002 (SOX), according to the Software
Freedom Law Center (SFLC).
In fact, the GPL may well be on track to actually
improving its applicability for usage concerning SOX compliance, thanks to
proposed new additions in the draft of the GPL version 3 license.
Embedded software maker Wasabi Systems has alleged in a pair of
whitepapers that violations of Linux’s GPL license are, for public companies, violations of U.S. Securities Law, whether the executives of the violating company are aware of any violations.
The SFLC argues in a whitepaper called “Sarbanes-Oxley and
the GPL: No Special Risk” that there is in fact no additional risk to SOX-regulated companies and that arguments on the contrary are “pure antiGPL FUD”
Eben Moglen, chair of the SFLC and one of the authors
of the GPL, wrote in a statement that there is no new need for concern for
users of GPL-licensed software.
“The fact remains that no criminal charges on the basis of violating the SOX
Act have ever been brought against a GPL user,” Moglen stated.
The SFLC paper contends that for an enterprise that files Securities
and Exchange Commission (SEC) reports, they don’t necessarily have to disclose
particulars of license usage in a filing if the usage of the license is
deemed to be immaterial to the business.
The paper also notes that SOX-mandated companies bear the cost of compliance with SOX no matter what
software licenses they use.
Potential violations of the GPL may well pose less financial risk than
violations of proprietary software licenses.
“Historically, GPL violations have not triggered massive lawsuits for
damages the way that violations of proprietary license agreements have,” the
SFLC’s paper states.
“The primary enforcer of the GPL is the Free Software
Foundation (FSF), who has never used a GPL violation as the basis to go to
court to seek a large damage award or enjoin software distribution.”
“The FSF’s stated policy is to ensure compliance, not to prevent software
distribution or to seek damages.”
The SFLC’s paper also notes that, ” the dangers of accidental criminal
liability under SOX are no greater for GPL’d software than for nonGPL’d
“While GPLv3 isn’t final. We anticipate that it will include a 60-day cure
provision, which would make the possibility of getting caught up in an
accidental SOX violation even more remote,” SFLC attorney
Karen Sandler told internetnews.com.
A Wasabi Systems spokesperson was not immediately available for comment. It
should be noted that Wasabi’s Certified BSD product competes against
The stakes for embedded Linux players are high, as the market according to
one analyst group is worth at least $100 million dollars a year and is still growing.