If you were wondering what the answer was to the recent Wasabi FUD about the GPL and Sarbanes-Oxley, here it is, from the Software Freedom Law Center, "Sarbanes-Oxley and the GPL: No Special Risk". When I first read the Wasabi paper, I had two reactions: 1) Man, some BSD folks fight dirty, and 2) I wish I was qualified to answer their anti-GPL FUD. I knew enough to know it was FUD, but I didn't feel I could personally write an answer. I'm really glad someone has.
Eben Moglen points out there has never been a case where criminal charges were ever brought against a GPL user for violating the SOX Act. Ever. For that matter, the paper explains that it is unlikely it ever would happen because to be criminally liable under the Act, there has to be intentional misconduct. The paper also "points out that SOX generally applies only to public companies and that disclosure in a company's SEC reports is not necessary if a company’s use of the license is immaterial to its business. It also states that companies that must comply with SOX bear the full cost of SOX compliance regardless of the licenses of the software they choose," as the press release puts it.
You might as well read the entire press release, which is here and I'll reproduce it below. Shame on Wasabi for floating FUD. Peter Galli at eWeek has a story on the entire shameful episode and the response now by the Software Freedom Law Center:
Wasabi Systems has created a Web site that contains a licensing guide that includes a section on how the Sarbanes-Oxley Act "has changed the open source landscape by making GPL violations a federal crime."
Wasabi Systems has also posted a white paper to its Web site titled "When GPL Violations Are Sarbanes-Oxley Violations," which says that the SOX (Sarbanes-Oxley) Act requires public companies to provide truthful disclosures of information, including ownership of intellectual property.
However, the latest Software Freedom Law Center white paper maintains ... these issues were reviewed and it was found that there is in fact no special risk for developing GPL'd code under SOX.
"Under most circumstances, the risk posed to a company by SOX is not affected by whether they use GPL'd or any other type of software. Arguments to the contrary are pure anti-GPL FUD [fear, uncertainty and doubt]," the paper says.
OSDL gave seed funding to set up the Center, if I recall. I know you join me in saying thank you to OSDL for doing so. If by any chance you'd like to read the Sarbanes-Oxley Act itself, here you go [PDF].
March 7, 2006
Software Freedom Law Center Addresses Erroneous Interpretation of Sarbanes-Oxley as Applied to the General Public License
NEW YORK, March 7, 2006 – The Software Freedom Law Center (SFLC), provider of pro-bono legal services to protect and advance Free and Open Source Software (FOSS), today announced it has published a white paper on its position regarding alleged General Public License (GPL) violations in relation to the Sarbanes-Oxley Act (SOX). The paper, titled “Sarbanes-Oxley and the GPL: No Special Risk,” is available at: http://www.softwarefreedom.org/publications/Sarbanes-Oxley.html.
“Recent discussions regarding the GPL and SOX have been wrought with false information and have prompted the SFLC to issue its position on the topic,” said Eben Moglen, chair of the Software Freedom Law Center. “It is our job at the SFLC to provide the best legal advice and resources to our clients. This paper will help users of the GPL, from developers working on FOSS projects to CIOs working at Fortune 500 companies, to clearly understand there is no new need for concern. The fact remains that no criminal charges on the basis of violating the SOX Act have ever been brought against a GPL user.”
The SFLC paper defines the realistic impact of a GPL violation as it could be applied under SOX. The SFLC paper points out that SOX generally applies only to public companies and that disclosure in a company's SEC reports is not necessary if a company’s use of the license is immaterial to its business. It also states that companies that must comply with SOX bear the full cost of SOX compliance regardless of the licenses of the software they choose. Lastly, the paper explains that if SOX applies to a GPL violation, it is not likely that a company or developer would be criminally liable, since the Act cannot be criminally violated without intentional misconduct.
“The idea that a GPL violation could result in jail time is unreasonable,” said Karen Sandler, attorney at the Software Freedom Law Center. “You take away this unlikely threat, and the argument is reduced only to compliance, and GPL compliance is remarkably simpler than that of alternative licenses.”