Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2010-11-02 10:38:33

Format, images and links may no longer function correctly.

Corporations continue to acquire eDiscovery technology as they slowly convert from reactive fire drills to proactive business processes. The majority of early eDiscovery processing and hosting platforms available to service providers carried a relatively high per GB license cost. This model drove many service providers to develop their own software to remain competitive when prices suddenly dropped from $2,000 per GB down to the current $400-600 per GB. Now many of these providers have packaged their toolboxes into commercial software and are trying to convert service customers to software sales. All of this gives buyers an overabundance of choices when creating an RFP. It certainly keeps me busy with briefings and demos of new products every week. An offhand remark from a savvy CTO sent me digging into the potential pitfalls of some current open source General Public Licenses that work on a Copyleft or pay it forward model.
You see, virtually all of these ‘home grown’ eDiscovery applications rely on either licensed (also known as being OEM’d) or open source software components. dtSearch was the most common indexing engine licensed until Apache Lucene and Microsoft FAST came onto the market. When these technologies were sold as a service, the provider was responsible for managing and complying with all licensing requirements. The name ‘open source’ does indeed mean that the providers can incorporate the code into their software without having to pay any license fees. However, in 2007 the Free Software Foundation published the GPLv3 and Affero GPLv3 that added new requirements. We call the GPL license ‘copyleft’ because the primary requirement is that derived works of the original source code can only be distributed under the same license terms. The idea is to protect the open nature of the projects and keep them growing.
As I understand it, the critical changes added to the GPLv3 effectively require the software developer to ensure that the customer of any derivative work can modify and update the incorporated open source components. This effectively requires them to publish their versions if they sell or distribute copies of the derivative works. This clause came from the manner in which TiVo distributed a locked-down version of Linux on their boxes. If you want open source projects to keep growing, users have to be able to incorporate and create changes.
So how does this relate to bringing eDiscovery technology in house? Any time that you purchase software, you should understand the outside components that it depends on to function. Global corporations have purchasing requirements to make sure that the company does not inadvertently violate license or patent rights. This same diligence should be applied to eDiscovery technology purchases. Your RFP should require providers to declare all OEM’d or open source components embedded into the application. When being briefed on applications, I frequently ask providers if they are in compliance with the open source GPL requirements and if they have published their modifications. Very few have been able to affirm their compliance on the spot.
So is this a tempest in a teapot? Well yes. As of today, I have not heard of any broad license enforcement actions. But the open source issue is very closely related to patent enforcement, which has been ramping up over the last several years. If you are relying on technology for your civil, criminal or regulatory discovery compliance, then you want that software to be untarnished by potential licensing liabilities. Approximately 42% of the 260,000 open source projects on SourceForge.net are listed under the GNU GPLv2, including the Linux kernel. Only 8% are listed exclusively under GPLv3, but this does include some key Linux components. The Affero GPLv3 covers the same provisions for cloud-based technology. The key here is to be an informed buyer and to kick the tires before you purchase. Ask the hard questions and do not take fuzzy answers when it comes to the foundation of your defensible process.