RE: Request for CWE: Improper Licensing (UNCLASSIFIED)

Wheeler, David A
> From: Hood, Jonathan W CTR USARMY RDECOM AMRDEC (US)
> [mailto:[hidden email]]
> I wanted to add another data point to this: suppose that there's a project
> that falls under DFARS Regulation 252.227-7014
> (https://www.acq.osd.mil/dpap/dars/dfars/html/current/252227.htm#252.227-7014),
> but the new contractor tries to use the software commercially.
> This could have been "exploited by an attacker" by suing the program, legal
> confiscation, or a fielding stay injunction.

I agree with the general problem of improper licensing enabling a legal attack.
So yes, this is a legitimate issue in general.

However, while I am not a lawyer, I've had to deeply delve into
DFARS Regulation 252.227-7014 & talk to a lot of lawyers. I believe that
in that *specific* case there is often no problem.
DFARS Regulation 252.227-7014 is the most common "data rights" clause when
the US Department of Defense (DoD) pays for custom software development.
By *default*, this results in the contractor getting the copyright (with no copyright
restrictions on its use) and the US government getting
unlimited rights (essentially the same rights as a copyright holder).
Every lawyer I've discussed this with has agreed that after that point,
there's no limitation under copyright that prevents the contractor or government
from using it in other circumstances.

There may be patents (which is covered by patent law), trademarks still apply
(but you can just rename if needed), you still can't release classified or controlled
information, and of course export control laws
*might* still restrict distribution, but none of those are specific to 252.227-7014.
The bigger problem is that those are just the *default* rules in 252.227-7014.
People can modify that clause, and some organizations make those modifications
as a matter of course. Modifications of the clause can indeed prevent commercialization,
but it does NOT happen just because 7014 was invoked.

More detail is in "Publicly Releasing Open Source Software Developed for the U.S. Government"
(Software Tech News), by David A. Wheeler (who's he?), available at:
https://www.csiac.org/journal-article/publicly-releasing-open-source-software-developed-for-the-u-s-government/

If anything, the problem isn't 252.227-7014; it's 252.227-7014 with permitted modifications to it.

> Real-world examples:
> • ReactOS: https://en.wikipedia.org/wiki/ReactOS#Internal_audit
> • MySQL AB:
> https://www.theregister.co.uk/2002/11/21/mysql_nusphere_settle_gpl_contract/
> In both of these cases, the integrity of the software was allegedly tainted,
> and availability of the software (ReactOS through their website, and MySQL
> through NuSphere) was demonstrably compromised.

Those are better examples, I think.

> Perhaps an "Unauthorized use of software" CWE  would cover the
> multitude of issues behind the licensing. It has a tangible behavior (using
> unauthorized software), a specified resource (the software, involved
> patents, licensing, and/or policies), a violation of desired properties
> (written permission to use the software), and several exploitation paths:
> • lawsuit
> • confiscation
> • DMCA takedown

It's probably "Unauthorized use or distribution of software".
Merely *distributing* software can run afoul of copyright, since distribution
creates a copy.

--- David A. Wheeler