The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

Volokh Conspiracy

Court Throws Out Libel Lawsuit Brought by Open Source Security

Bruce Perens' claimed that Open Source Security's license violates the GPL open-source license agreement; that's protected opinion, the court said.


From yesterday's decision in Open Source Security, Inc. v. Perens (N.D. Cal.):

This is a defamation lawsuit. The plaintiffs—Open Source Security ("OSS") and its CEO Bradley Spangler—make security software (called "patches") to fix security vulnerabilities in the open-source Linux Operating System. Open-source software like Linux is free software that anyone can modify, use, and share. The Linux software here is released under an open-source license that prevents users like OSS from imposing additional restrictions if they redistribute the software.

The defendant Bruce Perens—who is a respected programmer known for his founding of the Open Source Initiative—criticized OSS's business model for distributing its security patches on the ground that it violated the open-source license and thus potentially subjected users to liability for copyright infringement or breach of contract. The plaintiffs [sued, basically for defamation -EV]….

OSS's security patch is distributed under the trade name Grsecurity and uses "licensed work of the Linux Operating System kernel that is released" under an open-source license called the GNU General Public License, version 2 (variously, "General Public License", "GPL", or GPLv2). Section 6 of the General Public License forbids users who redistribute the Linux kernel from restricting its use:

Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein.

… Open Source Security sells its product to customers pursuant to a user access agreement called the "Stable Patch Access Agreement." The Access Agreement contains the following provision about redistribution:

"The User has all rights and obligations granted by grsecurity's software license, version 2 of the GNU GPL. These rights and obligations are listed at Notwithstanding these rights and obligations, the User acknowledges that redistribution of the provided stable patches or changelogs outside of the explicit obligations under the GPL to User's customers will result in termination of access to future updates of grsecurity stable patches and changelogs."

Thus, if a user redistributes the Grsecurity patch, OSS will terminate the users' access to future updates of the patches.

OSS alleges that this business model does not violate the GNU General Public License, which has the following provision:

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things….

On July 10, 2017, Mr. Perens updated [an earlier] blog post about Grsecurity [to read]:

Warning: Grsecurity: Potential contributory infringement and breach of contract risk for customers

It's my strong opinion that your company should avoid the Grsecurity product sold at because it presents a contributory infringement and breach of contract risk.

… Under their Stable Patch Access Agreement, customers are warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition….

Grsecurity's Stable Patch Access Agreement adds a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The GPL does not apply when Grsecurity first ships the work to the customer, and thus the customer has paid for an unlicensed infringing derivative work of the Linux kernel developers with all rights reserved. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.

As a customer, it's my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity….

In the public interest, I am willing to discuss this issue with companies and their legal counsel, under NDA, without charge. I am an intellectual property and technology specialist who advises attorneys, not an attorney. This is my opinion and is offered as advice to your attorney. Please show this to him or her.

The plaintiffs allege that the statements in the updated blog post are false because "the Access Agreement does not violate the [General Public License]" and they are "not aware of any legal authority holding" or "remotely suggesting" that Open Source violated the terms of the General Public License….

Here's the court's legal analysis, which sounds right to me:

Mr. Perens's blog posts are opinions and are not plausibly defamation…. The plaintiffs allege that Mr. Perens's blog posts were defamatory because they falsely state that the Grsecurity Access Agreement violates the General Public License. Mr. Perens counters, and the court agrees, that the blog posts are opinions about a disputed legal issue, are not false assertions of fact, and thus are not actionable libel.

In Costal Abstract [an earlier California case], Coastal sued First American Title for defamation under California law and false representation of fact under the Lanham Act based on First American's statement that Coastal—an escrow agent—had no license to engage in business as an escrow agent in California (a true fact) and was required to have that license under Cal. Bus. & Prof. Code section 17200 in connection with refinancing California property. The parties disputed whether Coastal's activities fell within § 17200. Id. The court first analyzed the statement under the Lanham Act and concluded: "[a]bsent a clear and unambiguous ruling from a court or agency of competent jurisdiction, statements by laypersons that purport to interpret the meaning of a statute or regulation are opinion statements, and not statements of fact." "In the present case, the correct application of § 17200 was not knowable to the parties at the time First American made the licensure statement. Thus, even if a California court ultimately concludes that § 17200does not require that a company in Coastal's position obtain an escrow license, the licensure statement as a matter of law could not give rise to a Lanham Act claim." The opinion statement also was not defamatory under California law because "the only claim of falsity concerns the statement or suggestion that California's statute applied to the activities of Coastal, which was (and apparently still is) a matter of opinion."

Similarly, Mr. Perens—who is not a lawyer—voiced an opinion about whether the Grsecurity Access Agreement violated the General Public License. No court has addressed the legal issue. Thus, his "opinion" is not a "fact" that can be proven provably false and thus is not actionable as defamation. Franklin v. Dynamic Details, Inc. (Cal. App. 2004) (defendant's emails—that the plaintiff infringed the third-party copyrights and breached a nondisclosure agreement—were not actionable as libel; they merely "expressed [the defendant's] understanding because they purported to apply copyright and contract law to facts"); Amaretto Ranch Breedables, LLC v. Ozimals, Inc. (N.D. Cal. 2013) (defendant's blog posts—that the plaintiffs infringed the defendant's copyrights—was not actionable because the post was an opinion that expressed the defendant's understanding of copyright law)….

Mr. Perens's opinion rests on facts that he disclosed: the Access Agreement. There is no suggestion of undisclosed facts that raise a concern about reliance on an expert's opinion. Wilbanks thus is distinguishable….