Some Linux Users Violate Sarbanes-Oxley
Goyuix writes "According to the IT Observer, publicly owned companies who are using Linux could be violating the federal securities laws as part of Sarbanes-Oxley. The article goes on to say that companies are required to "disclose ownership of intellectual property to their shareholders." How are these companies supposed to really list out all the IP owners if they were to install a full desktop or server environment - there could be literally thousands of parties listed! What are the current Fortune 500 companies doing, as many of those use Linux in one form or another?" Update: Several people have pointed out that this is about companies who are violating the GPL, not everyone.
GPL violators are at risk (Score:5, Informative)
Re:Not just Linux (Score:1, Informative)
What article did the OP read? (Score:5, Informative)
Article Title Misleading (Score:5, Informative)
Which makes sense.
I.e., if you claim to have the right to use Linux for your product, but you aren't complying with the license, you might be violating Sarbanes-Oxley.
I am a SOX IT auditor (Score:5, Informative)
Re:What article did the OP read? (Score:4, Informative)
Yes there is. The article says:
It does go on to say:
But that doesn't negate the first statement and the article never explains the connection between the two statements.
Poor headline (Score:4, Informative)
Come on people, let's pay attention to the article. Contrary to the poster's headline, nothing in it even hints that using Linux would violate Sarb-Ox. Sarb-Ox is supposed to make investing a bit safer by forcing companies to audit their practices and disclose potential problems.
If someone is building products on GPL code (like, say broadband router/NAT boxes based on Linux) then they are supposed to disclose that tidbit to their investors. The important part is that they don't own all of the intellectual property for that product and investors should know since that could change the company's value. If they fail to disclose the data, then they have violated Sarb-Ox.
Re:What article did the OP read? (Score:3, Informative)
By violating the GPL, you invalidate your license. Considering that the code is only offered under the GPL, if you invalidate your license, then you have no permission to use it at all. Distribute, or use, because you just simply don't have a license anymore.
Re:Poor headline (Score:4, Informative)
Re:GPL Violation == Sarbanes Oxley Violation (Score:3, Informative)
Wrong.
A corporation is required to account for intangible assets that the company owns, and timely and accurately report the acquisition cost, book value, and sale value, if any, in aggregate as part of its normal financial reporting. Refer to SOx sec 302 and FASB statements 141 and 142. SOx requires that existing financial reports be more accurate, not more detailed, in general. Those assets will be reported in categories, as part of particular transactions, or both, but not item by item in most corporate financial reports. IBM does not list the value of the individual patents held in its portfolio in its reports to investors, and I can fairly confidently say that it never will. GPL software is no different in that respect.
GPL software is different in that it should not even be an issue in most cases because it has no intrinsic acquisition cost, no book value, and no sale value. If a corporation pays for GPL software, they are almost certainly paying for a SERVICE supporting the GPL software, which is an expense, not an asset. Remember all those "You really can make money off GPL software" discussions that have cropped up on Slashdot over the years? This point alone makes the SOx argument almost laughable.
The issue is not whether a company has violated the GPL, but whether a corporation knows that it has violated the GPL and failed to account for the potential liability, artificially inflating the value of the corporation. This information is not necessarily even going to be public, as it can be lumped into a litigation reserve along with every other potential liability associated with identified assets. Assuming that there is no pending or probable litigation, you are not going to find a corporate report that identifies the separate 'potential liability' associated with, say, products liability suits over Tickle-Me-Elmo dolls as well. It's the same reporting detail issue described above.
Remember, SOx is about accuracy and certification -- it requires that corporations display an accurate external appearance, not provide a CAT-scan-like view of the entire workings of the business. You are not gaining additional transparency, you are supposedly gaining assurance that the corporation is not lying about the gross and net numbers under the existing reporting style. If there's no accounting irregularity, the software compliance issue is almost meaningless to SOx (although still important to operations).
Re:GPL violators are at risk (Score:3, Informative)
I have released a good amount of software under an open-source license, but not the GPL. I require that no one can make commercial use of my software.
Then what you are doing is not open source, and should not be called such. Please read the actual Open Source Definition [opensource.org], specifically point 6, rather than just assuming, "Well, I'm not one of those godless commies or smelly hippies from GNU, so I must be Open Source instead of Free Software."
Do what you want to do with your own IP; that's cool. It's your right. But you are misrepresenting yourself if you claim what you're distributing is open source. Can you identify the license you used on the list of Open Source licenses [opensource.org]? No? Then why are you calling it Open Source?
Re:What article did the OP read? (Score:3, Informative)
By violating the GPL, you invalidate your license. Considering that the code is only offered under the GPL, if you invalidate your license, then you have no permission to use it at all. Distribute, or use, because you just simply don't have a license anymore.
This is incorrect. From the GPLv2:
The FSF's position is that running a program doesn't require a license, only copying, distributing or modifying it does. It's possible that a court would disagree, since there are some rulings to the effect that since the act of running a program involves making an ephemeral copy of it (from disk to RAM, usually), running a copyrighted program without permission (a licence) from the copyright owner is infringement. In the case of GPL software, however, given the fact that the license under which the software is distributed explicitly specifies that anyone is allowed to run it, and that it's not necessary to agree to the license in order to run it, an infringer could argue that the intent of the copyright holder was clearly to allow unlicensed ephemeral copies needed to run the program, thereby implying a license with no strings attached.
IANAL, but my reading is that a company who violates the GPL loses the right to copy, modify and distribute, but can still use the software.
Re:Not just Linux (Score:5, Informative)
This really seems to apply to companies that incorporate Linux into a product. Well known examples include Tivo and the Linksys WRT54G (v4 and below). In such a case, Linux is an important part of those companies' product portfolio and thus an important factor in assessing the tangible and intangible worth of that company. For the companies that only use Linux in operational capacities, it wouldn't have any impact unless SCO wins. (yea, right)
Put another way: ownership of a patent on a hammer is important for a tool maker, but not for the construction company that uses it.
Re:Not just Linux (Score:3, Informative)
One, the GPL is a license, not a contract, and violations of it fall under (federal) copyright law, not contract law (and violation of the GPL could quite likely fall under criminal copyright infringement, although such a case has never been pressed). But that's not what he's talking about - he's talking about needing to report your IP ownership under Sarbanes-Oxley, and both failing to report that and lying in it are violations of (federal) securities law. So if you're violating the GPL (note that this doesn't cover normal use, but people who're distributing products based on Linux and the like), then your SOX statements will be either incomplete or false (or truthful, but that'd be stupid. I guess it's kinda like how your IRS tax forms say you have to declare embezzled or other illegal income), so it's not just some unwashed hippies suing you that you might have to worry about, but nasty feds coming down on you for SOX violations.
Re:explain to me again (Score:2, Informative)
Here's a semi-realworld example that probably violates several laws as well as the GPL; I'm going to assume that Taiwan has similar laws.
Some small company in Taiwan (let's call them Edimax) decides to make a cheap wireless access point. They shop around and find a very nice, very cheap wireless chipset. Technical details are only available under an NDA but that's OK, they make hardware and don't plan to give out that kind of details anyhow. They want a nice web interface, firewall and NAT features, etc., as cheaply as possible, so they base it on some 'free' embedded Linux code. A few months and quite a lot of design and programming time later they have a product shipping. It works well and it's really, really cheap to build so Edimax's investors are making lots of profit, and therefore happy.
But along comes the nasty FSF and points out that they can't ship the product unless they release the source code, complete with the modifications they made to get their cheap wireless chipset working. Oops, they signed an NDA and aren't allowed to distribute that source code which leaves them with only one option. They have to redesign the product from scratch (using BSD, which they probably should have chosen from the beginning) or kill the product line completely. Either way, the product is no longer as cheap and profitable as it was.
The investors are no longer happy.