19

Let's say Person A creates some code and licenses it under a GPL license. If someone (we'll call them Person B) then creates code which derives from Person A's code, but fails to obey the terms of the license and mark their modified code in a GPL compliant fashion, they're at fault and can be held accountable for that.

However, what happens if Person B, prior to being held accountable, tells a new person, Person C, that they can use their code with no restrictions? Person B is at fault for disobeying the license they were presented with, but Person C had no reasonable way of knowing that the code Person B gave them permission to use wasn't actually theirs to give permission for.

What happens to Person C's code in this situation? Are they forced to obey the terms of the license that were not at all communicated to them because of Person B's breach of the license? Or are they somehow exempt from it because they weren't presented with the correct license? What rights does Person A have, and what rights does Person C have?

This is an actual situation I'm dealing with, and I'm not sure how to proceed.

MadHatter
  • 48,547
  • 4
  • 122
  • 166
Charybdizs
  • 191
  • 1
  • 3
  • 2
    Your question describes a situation, which is similar to the mimemagic issue, which happened in 2021. The situation has to be cured, which causes sometimes more, sometimes less chaos. – Martin_in_AUT Sep 14 '23 at 05:28
  • 1
    @Martin_in_AUT mimemagic appears to be an interesting case since it essentially forces existing versions of Rails under GPL which in turn puts many projects using Rails under GPL as well, presumably. (That the violating mimeagic versions have been made inaccessible does not fix the Rails versions using them -- it only means you cannot rebuild them from source, but existing binaries are still in violation, iiuc.) What a mess. – Peter - Reinstate Monica Sep 14 '23 at 07:45
  • 1
    @Peter-ReinstateMonica Rails did not switch to GPL, they fixed the problem by removing mimemagic from their code base. Old versions (with the license issue) don't seem to be available any more. – Martin_in_AUT Sep 14 '23 at 09:00
  • 1
    @Martin_in_AUT Yes, so now Rails is in compliance. But my point is: There are installations of the old, non-compliant versions out there, and potentially sites or other derived work using it which, by association, are non-compliant as well. They believed they were using Rails under the MIT license but they were wrong, much like in this question. – Peter - Reinstate Monica Sep 14 '23 at 10:28
  • 3
    @Peter-ReinstateMonica: Just to be clear, Ruby is an interpreter language; there are no compiled binaries involved. Also, GPL compliance isn't required for using GPL code, only for distributing it, so old applications that are still running a retracted Rails version aren't vulnerable to this licensing issue either. (They're probably vulnerable to dozens of unpatched security holes by now, though.) That said, distributing an app that included an old bundled version of Rails would indeed violate the GPL. This isn't how Rails apps are normally distributed, but in principle it could happen. – Ilmari Karonen Sep 14 '23 at 13:06
  • 1
    Person C has not agreed to a license to A's code, so they are not bound by the terms of one. But neither do they enjoy the benefits of one -- in particular they do not have the right to make copies of A's code, including that in B's derivative, nor the right to distribute copies of their own derivative. – John Bollinger Sep 16 '23 at 14:35
  • @IlmariKaronen "GPL compliance isn't required for using GPL code, only for distributing it, so old applications that are still running a retracted Rails version aren't vulnerable to this licensing issue" - applications (or rather users of those applications) are protected, but whoever distributed them this version is still liable. – Dmitry Grigoryev Sep 18 '23 at 07:20
  • @DmitryGrigoryev: True, but simply ceasing distribution upon being made aware of an unintentional GPL violation is usually enough to avoid liability. (GPL 3 makes this explicit.) Also, for context, it may be worth noting that Rails is a web application framework. In particular, this means that end users don't normally possess or run Rails apps directly; they just access a website on some server that runs Rails. And unlike the AGPL, the GPL doesn't require website operators to license or distribute their source code to end users. – Ilmari Karonen Sep 18 '23 at 08:25

3 Answers3

25

From a software licensing standpoint, C has been in violation of A's licence terms throughout, although hitherto (s)he did not know it. Whilst ignorance of the law excuses nothing, A would have to be pretty hard-hearted to do more than point this out (and to B also). But once C has been clearly informed, (s)he must not continue to distribute this code in violation of the GPL. To do so would be knowingly to violate A's copyright.

Organisations like the Software Freedom Conservancy deal with this sort of situation all the time, and the general community principle is always to bring about compliance, rather than to seek any kind of compensatory remedy. So as long as C brings him/herself into GPL compliance, the matter is very likely to end there. If (s)he doesn't wish to, then as long as (s)he ceases distribution, again, the matter is likely to end there. But there is no legal basis for your idea that C is permanently exempted from A's licence by B's error, and if C continues to distribute in violation, A will be entitled to take action.

There may be grounds for C to make some kind of tortious claim against B; we can't say more because that will depend on jurisdiction and the particulars of the case, and moreover is off-topic for this site.

MadHatter
  • 48,547
  • 4
  • 122
  • 166
  • 2
    Perhaps worth noting that with the GPL v3, if C brings themselves into compliance within 30 days the matter must end then? – Philip Kendall Sep 14 '23 at 08:14
  • Consider it noted! – MadHatter Sep 14 '23 at 10:05
  • 7
    I feel that the principle that "ignorance of the law excuses nothing" is not applicable here: C knows the law, but he has been misinformed. If B mislicensed his code with (e.g.) MIT license, one can hardly expect C to - on no grounds - doubt the legitimacy of the license and check for similar work. Of course, A is still the copyright holder and has a right to request B (and C as a consequence) to re-license or remove the work or other measures. – Marco Capitani Sep 14 '23 at 13:44
  • @MarcoCapitani you're entitled to think that, but my feeling is that if you're going to use somebody else's work in your own, the onus is on you to establish that you have a right to do so, and you'd better be sure you're asking the right person. – MadHatter Sep 14 '23 at 13:57
  • 5
    "C has been in violation of A's licence terms" is not really accurate. C is in violation of the copyright on A. C didn't accept any valid contract granting a license, and can't violate a contract that doesn't exist. – Ben Voigt Sep 14 '23 at 15:09
  • @BenVoigt I see your point, but I think you split hairs. I agree with you that C has no right to distribute his/her code until (s)he obtains a valid licence from A. Whether you describe this situation as "C had no licence from A" or "C failed to behave as required in order to avail him/herself of the licence offered by A" is really rather a philosophical point, to my mind. – MadHatter Sep 14 '23 at 15:24
  • 15
    For stolen goods, most jurisdictions rule that if C purchased them in good faith, they have not committed a crime but must still return the goods to A. I agree that it is not ignorance of the law but just ignorance of the facts. – jpa Sep 14 '23 at 16:22
  • @jpa I'd agree with that; very well put. – MadHatter Sep 14 '23 at 20:50
  • 5
    @jpa: That's for physical goods. The rule for copyright is, you either have a valid license, or you infringe the copyright. For example, US law distinguishes between willful and non-willful infringement, implying that both can give rise to liability. So C infringes A's copyright and is potentially liable. Everything else is a matter of how much grace A is willing to extend to C under the circumstances. – Kevin Sep 16 '23 at 01:36
3

What rights does Person A have, and what rights does Person C have?

Person A can sue Person B and Person C for copyright infringement if they can formulate a reasonable damage claim. For instance, if A is offering their software for free under GPL and for $20 under a proprietary license, they could sue B or C for $20 times the number of copies B and C have distributed. If A is not making any money with their software, claiming damages becomes hard/impossible in most countries.

Person C could sue Person B for any damages that A claims from them, plus additional expenses to remove B's code from their software. However, if B has distributed their code under a typical permissive license such as MIT, they would have included a disclamer which frees them from responsibility towards C. Only if C can prove B's malicious intent they could sue them for fraud.

C had no reasonable way of knowing that the code Person B gave them permission to use wasn't actually theirs to give permission for.

This is unlikely to hold in court as a defence. Assuming A have published their GPL software on the Internet, C could have used an open-source scanner to find out the origin of the code they received from B.

Dmitry Grigoryev
  • 1,362
  • 10
  • 20
  • 4
    A can sue C for copyright infringement. C never agrees to A's licensing terms, so it's extremely unlikely that any action for contract violation would succeed. (If you're worried about that, ask an actual lawyer, which I'm not) – Ben Voigt Sep 14 '23 at 15:11
  • "if B has distributed their code under a typical permissive license such as MIT" They haven't actually done that, as they had no right to do so. They may have appeared to do so. – Ben Voigt Sep 14 '23 at 15:12
  • 2
    I don't know much about the conversation here, but do you have to do a search? Is it negligent to not just trust the license you were told? – Azor Ahai -him- Sep 14 '23 at 21:33
  • @AzorAhai-him- You don't have to, but it's due diligence in the sense that C is ultimately responsible for the software they distribute. If A can prove that this non-compliant distribution caused them damages, they will be able to get a compensation from C, not from B. – Dmitry Grigoryev Sep 15 '23 at 11:35
  • The first point is spot on, thanks. Regarding the second one, if the court decides that the code was delivered from B to C without any contract/license and without any indemnification, the result will be the same: C cannot claim anything from B for something they got for free. – Dmitry Grigoryev Sep 15 '23 at 11:47
  • What country are you talking about with "they could sue B or C for $20 times the number of copies B and C have distributed"? In the U.S. there are statutory damages up to $150,000 per work. – Jason Goemaat Sep 15 '23 at 19:13
  • 2
    @JasonGoemaat: C is not liable for willful infringement, so under 17 USC 504, statutory liability is capped at $30,000 per infringement, but is likely to be significantly lower in practice since C had reason to believe that they had a valid license (and so the court will likely use its discretion to impose a lower statutory damage amount). I agree that $20 is way too low, since the minimum is $750. – Kevin Sep 16 '23 at 01:38
  • @JasonGoemaat Statutory damages will likely not apply to such a case, unless A has registered their work with the US copyright office, something that is seldom done for free software. – Dmitry Grigoryev Sep 18 '23 at 07:12
  • @DmitryGrigoryev Registration is required for any suit. – Jason Goemaat Sep 20 '23 at 00:02
  • @JasonGoemaat No, registration is only required if you want to sue for statutory damages. If you publish a photo and I steal it, you can still sue me for actual damages. – Dmitry Grigoryev Sep 20 '23 at 06:46
  • @DmitryGrigoryev In what jurisdiction? Not in the United States – Jason Goemaat Sep 20 '23 at 14:30
  • @JasonGoemaat: From Wikipedia: "Under 17 U.S.C. § 412, statutory damages are only available in the United States for works that were registered with the Copyright Office prior to infringement, or within three months of publication. " – Dmitry Grigoryev Sep 22 '23 at 08:45
  • @DmitryGrigoryev Read the previous section, 411: "no civil action for infringement of the copyright in any United States work shall be instituted until preregistration or registration of the copyright claim has been made in accordance with this title" – Jason Goemaat Sep 22 '23 at 17:23
  • @JasonGoemaat You can register a claim any time. What you can't do is register your work with the Copyright Office when it's convenient for you to apply for statutory damages. – Dmitry Grigoryev Sep 25 '23 at 11:12
  • @DmitryGrigoryev I don't understand what you're saying. If you file a suit for copyright infringement and you have not registered your copyright, the defendant can get it dismissed because registration is a requirement, whether you are claiming statutory damages or not. – Jason Goemaat Sep 25 '23 at 17:29
  • @JasonGoemaat No, check out this question. You can still sue for actual damages even if your copyright is not registered. – Dmitry Grigoryev Sep 27 '23 at 08:46
  • @DmitryGrigoryev I don't know if you're a troll or not. The law I linked to states pretty clearly that you have to have registered in order to file suit, no matter what type of damages you are asserting. Everything else reliable I've seen on the subject (including this with a quick google search) supports my interpretation. One sentence in an answer by Joe Q. public on a website does not alter the clear text of the law. – Jason Goemaat Sep 27 '23 at 18:23
  • That case even held that actual registration or denial was required, not just the application for registration. – Jason Goemaat Sep 27 '23 at 18:24
3

C, who did not know about the license offered by A, could not have agreed to it and is not bound by it. However, without a license from A to do so, C has no right to make and distribute copies of A's copyrighted work, or B's derivative based on A's work. So avoiding the license A offers doesn't help C at all.

Ben Voigt
  • 162
  • 7