Post Syndicated from original http://ebb.org/bkuhn/blog/2022/03/30/neo4j-v-purethink-open-source-affero-gpl.html
[ A version of this article was also posted on Software
Freedom Conservancy’s blog. ]
Bad Early Court Decision for AGPLv3 Has Not Yet Been Appealed
We at
Software Freedom Conservancy proudly and vigilantly watch out
for your rights under copyleft licenses such as the Affero GPLv3.
Toward this goal, we have studied the Neo4j, Inc. v. PureThink, LLC ongoing case in the Northern District of California , and the preliminary injunction appeal decision in
the Ninth Circuit Court this month. The case is complicated, and
we’ve seen much understandable confusion in the public discourse about the status of the case
and the impact of the Ninth Circuit’s decision to continue the trial court’s preliminary injunction while the case continues. While
it’s true that part of the summary judgment decision in the lower court bodes badly for an important provision in
AGPLv3§7¶4, the good news is that the case is not over, nor was
the appeal (decided this month) even an actual appeal of the
decision itself! This lawsuit is far from completion.
A Brief Summary of the Case So Far
The primary case in question is a dispute between Neo4j,
a proprietary
relicensing company, against a very small company called PureThink, run by
an individual named John Mark Suhy. Studying the docket of the case, and a relevant related case, and
other available public materials, we’ve come to understand some basic facts and
events.
To paraphrase LeVar Burton, we encourage all our readers to not take our word (or anyone else’s) for it,
but instead take the time to read the dockets and come to your own
conclusions.
After canceling their formal, contractual partnership with Suhy, Neo4j alleged multiple claims
in court against Suhy and his companies. Most of these claims centered around trademark
rights regarding “Neo4j” and related marks. However, the
claims central to our concern relate to a dispute between Suhy and Neo4j regarding Suhy’s
clarification in downstream licensing of the Enterprise version that Neo4j distributed.
Specifically, Neo4j attempted to license the codebase under something they (later, in their Court filings)
dubbed the “Neo4j Sweden Software License” — which consists of a LICENSE.txt file containing
the entire text of the Affero General Public License, version 3
(“AGPLv3”) (a license that I helped write), and the
so-called
“Commons Clause” — a toxic proprietary license. Neo4j admits that
this license mash-up (if legitimate, which we at Software Freedom
Conservancy and Suhy both dispute), is not an “open source
license”.
There are many complex issues of trademark and breach of other contracts
in this case; we agree that there are lots of
interesting issues there. However, we focus on the matter of most interest to us and many FOSS activists: Suhy’s permissions to remove of the “Commons
Clause”. Neo4j
accuses Suhy of improperly removing the “Commons Clause” from the codebase (and
subsequently redistributing the software under pure AGPLv3) in paragraph 77 of
their third amended complaint. (Note that
Suhy denied
these allegations in court — asserting that his removal of the “Commons Clause” was legitimate and permitted.
Neo4j filed
for summary judgment on all the issues, and throughout their summary
judgment motion, Neo4j argued that the removal of the “Commons Clause” from
the license information in the repository (and/or
Suhy’s suggestions to others that removal of the “Commons Clause” was legitimate)
constituted behavior that the Court should enjoin or otherwise
prohibit. The Court partially granted Neo4j’s motion for summary judgment. Much of
that ruling is not particularly related to FOSS licensing questions, but
the
section regarding licensing deeply concerns us. Specifically, to
support the Court’s order that temporarily prevents Suhy and others from saying that
the Neo4j Enterprise edition that was released under the so-called
“Neo4j Sweden Software License” is a “free and open
source” version and/or alternative to proprietary-licensed Neo4j
EE, the Court held that removal of the “Commons Clause” was not permitted. (BTW, the court confuses “commercial” and
“proprietary” in that section — it seems they do not
understand that FOSS can be commercial as well.)
In this instance, we’re not as concerned with the names used for the software; as much as the copyleft licensing question — because it’s
the software’s license, not its name, that either assures or prevents users to exercise their fundamental software rights. Notwithstanding our disinterest
in the naming issue, we’d all likely agree that —
if “AGPLv3 WITH Commons-Clause” were a legitimate form of licensing — such a license is not FOSS.
The primary issue, therefore, is not about whether or not this software is FOSS, but whether or not the “Commons Clause” can
be legitimately removed by downstream licensees when presented with a license of “AGPLv3 WITH Commons-Clause”. We believe the Court held incorrectly by concluding that Suhy was not permitted to remove the
“Commons Clause”. “Their order that enjoins Suhy from calling the resulting code
“FOSS” — even if it’s a decision that bolsters a
minor goal of some activists — is problematic because the
underlying holding (if later upheld on appeal) could seriously harm
FOSS and copyleft.
The Confusion About the Appeal
Because this was an incomplete summary judgment and the case is ongoing,
the injunction against Suhy’s on making such statements is a preliminary injunction,
and cannot be made permanent until the case actually completes in the trial court. The
decision
by the Ninth Circuit appeals court regarding this preliminary injunction has
been widely reported by others as an “appeal decision” on the issue of what can be called “open source”. However, this
is not an appeal of the entire summary judgment decision, and certainly not an appeal of the entire case (which
cannot even been appealed until the case completes). The Ninth Circuit decision merely affirms that Suhy
remains under the preliminary injunction (which prohibits him and his companies from taking certain actions and saying certain things publicly) while the case continues. In fact, the standard that an
appeals Court uses when considering an appeal of a preliminary injunction differs from the standard for ordinary appeals. Generally speaking, appeals Courts
are highly deferential to trial courts regarding preliminary injunctions, and appeals of actual decisions have a much more stringent standard.
The Affero GPL Right to Restriction Removal
In their partial summary judgment ruling, the lower Court erred because they rejected an
important and (in our opinion) correct counter-argument made by Suhy’s attorneys.
Specifically, Suhy’s attorneys argued that Neo4j’s license expressly
permitted the removal of the “Commons Clause” from the
license. AGPLv3 was, in fact, drafted to permit such removal in this precise fact pattern.
Specifically, the AGPLv3 itself has the following provisions (found in AGPLv3§0 and
AGPLv3§7¶4):
- “This License” refers to version 3 of the GNU Affero
General Public License.
- “The Program” refers to any copyrightable work licensed under this
License. Each licensee is addressed as “you”.
- If the Program as you received it, or any part of it, contains a notice
stating that it is governed by this License along with a term that is a
further restriction, you may remove that term.
That last term was added to address a real-world, known problem with GPLv2.
Frequently throughout the time when GPLv2 was the current version, original copyright holders and/or licensors
would attempt to license work under the GPL with additional restrictions. The problem was rampant and caused much confusion among licensees.
As an attempted solution, the FSF (the publisher of the various
GPL’s) loosened
its restrictions on reuse of the text of the GPL — in hopes that would provide a route for
reuse of some GPL text, while also avoiding confusion for licensees. Sadly, many licensors
continued to take the confusing route of using the entire text a GPL
license with an additional restriction — attached either before or after, or both. Their goals were obvious and nefarious: they
wanted to confuse the public into “thinking” the software was
under the GPL, but in fact restrict certain other activities (such as
commercial redistribution). They combined this practice with proprietary relicensing (i.e., a sole
licensor selling separate proprietary licenses while releasing a (seemingly FOSS) public version of the code as demoware for marketing).
Their goal is to build on the popularity of the GPL, but in direct opposition to the GPL’s policy goals; they manipulate the GPL to open-wash bad policies rather than give actual rights to users.
This tactic even permitted bad actors to sell “gotcha” proprietary licenses to those who were legitimately confused. For example,
a company would look for users operating commercially with the code in compliance with GPLv2, but hadn’t noticed the company’s code had the statement: “Licensed GPLv2, but not for commercial use”. The user had seen GPLv2, and knew from its brand reputation that it
gave certain rights, but hadn’t realized that the additional restriction outside of the GPLv2’s text might actually be valid. The goal was to catch users
in a sneaky trap.
Neo4j tried to use the AGPLv3 to set one of those traps. Neo4j, despite the permission in the FSF’s GPL FAQ to “use the GPL
terms (possibly modified) in another license provided that you call your
license by another name and do not include the GPL preamble”,
left
the entire AGPLv3 intact as the license of the software — adding only a note at the front and at the
end. However, their users can escape the trap, because GPLv3 (and AGPLv3) added
a clause (which doesn’t exist in GPLv2) to defend users from this. Specifically,
AGPLv3§7¶4 includes a key provision to help this situation.
Specifically, the clause was designed to give more rights to downstream recipients when bad
actors attempt this nasty trick. Indeed, I recall from my direct participation in
the A/GPLv3 drafting that this provision was specifically designed for the
situation where the original, sole copyright
holder/licensor
added additional restrictions. And, I’m not the only one who recalls this.
Richard Fontana (now a lawyer at IBM’s Red Hat,
but previously legal counsel to the FSF during the GPLv3 process), wrote on a mailing list1
in
response to the Neo4j preliminary injunction ruling:
For those who care about anecdotal drafting history … the whole point of the section 7 clause (“If the Program as you received it, or any part of
it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that
term.”) was to address the well known problem of an original GPL
licensor tacking on non-GPL, non-FOSS, GPL-norm-violating
restrictions, precisely like the use of the Commons Clause with the
GPL. Around the time that this clause was added to the GPLv3 draft,
there had been some recent examples of this phenomenon that had been
picked up in the tech press.
Fontana also pointed us to the FSF’s own words on the subject, written during their process of drafting this section of the license (emphasis ours):
Unlike additional permissions, additional requirements that are allowed under subsection 7b may not be
removed. The revised section 7 makes clear that this condition does not
apply to any other additional requirements, however, which are removable
just like additional permissions. Here we are particularly concerned
about the practice of program authors who purport to license their works
under the GPL with an additional requirement that contradicts the terms
of the GPL, such as a prohibition on commercial use. Such terms can
make the program non-free, and thus contradict the basic purpose of the
GNU GPL; but even when the conditions are not fundamentally unethical,
adding them in this way invariably makes the rights and obligations of
licensees uncertain.
While the intent of the original drafter of a license text is not
dispositive over the text as it actually appears in the license, all this information was available to Neo4j
as they drafted their license. Many voices in the community had told them that provision in AGPLv3§3¶4
was added specifically to prevent what Neo4j was trying to do. The FSF, the copyright holder of the actual text of the AGPLv3, also publicly
gave Neo4j permission to draft a new license, using any provisions they like from AGPLv3
and putting them together in a new way. But Neo4j made a conscious choice to not do that,
but instead constructed their license in the exact manner that allowed Suhy’s removal
of the “Commons Clause”.
In addition, that provision in AGPLv3§3¶4 has little
meaning if it’s not intended to bind the original licensor!
Many other provisions (such as AGPLv3§10¶3) protect the users
against further restrictions imposed later in the distribution chain of
licensees. This clause was targeted from its inception against the
exact, specific bad behavior that Neo4j did here.
We don’t dispute that copyright and contract law give Neo4j authority to
license their work under any terms they wish — including terms that we consider unethical or immoral. In fact, we already pointed out above that
Neo4j had permission to pick and choose only some text from AGPLv3. As long as
they didn’t use the name “Affero”, “GNU” or
“General Public” or include any of the Preamble text in the name/body of
their license — we’d readily agree that Neo4j could have put together a bunch
of provisions from the AGPLv3, and/or the “Commons Clause”, and/or any other license
that suited their fancy. They could have made an entirely new license. Lawyers commonly do share text of
licenses and contracts to jump-start writing new ones. That’s a
practice we generally support (since it’s sharing a true commons of ideas freely — even if the resulting license might not be FOSS).
But Neo4j consciously chose not to do that. Instead, they license their software
“subject to the terms of the GNU AFFERO GENERAL PUBLIC LICENSE Version
3, with the Commons Clause”. (The name “Neo4j Sweden Software
License” only exists in the later Court papers, BTW, not with “The Program” in question.) Neo4j defines
“This License” to mean “version 3 of the GNU Affero General
Public License.”. Then, Neo4j tells all licensees
that “If the Program as you received it, or any part of it, contains a
notice stating that it is governed by this License along with a term that is
a further restriction, you may remove that term”. Yet, after all that, Neo4j had the audacity
to claim to the Court that they didn’t actually mean that last sentence, and the Court rubber-stamped that view.
Simply put, the Court
erred when
it said: “Neither of the two provisions in the form AGPLv3 that
Defendants point to give licensees the right to remove the information at
issue.”. The Court then used that error as a basis for its ruling
to temporarily enjoin Suhy from stating that software with
“Commons Clause” removed by downstream is “free and open
source”, or tell others that he disagrees with the Court’s (temporary) conclusion about removing the “Commons Clause” in this situation.
What Next?
The case isn’t over. The lower Court still has various issues to consider — including a DMCA claim regarding
Suhy’s removal of the “Commons Clause”.
We suspect that’s why the Court only made a preliminary injunction against Suhy’s
words, and did not issue an injunction against the actual removal of
the clause! The issue as to whether the clause can be removed is still pending, and the current summary judgment decision doesn’t address
the DMCA claim from Neo4j’s complaint.
Sadly,
the Court
has temporarily enjoined Suhy from “representing that Neo4j
Sweden AB’s addition of the Commons Clause to the license governing Neo4j
Enterprise Edition violated the terms of AGPL or that removal of the Commons
Clause is lawful, and similar statements”. But they haven’t enjoined
us, and our view on the matter is as follows:
Clearly, Neo4j gave explicit permission, pursuant to the
AGPLv3, for anyone who would like to to remove the “Commons
Clause” from their LICENSE.txt file in version 3.4 and other versions
of their Enterprise edition where it appears. We believe that you have full
permission, pursuant to AGPLv3, to distribute that software under the terms
of the AGPLv3 as written. In saying that, we also point out that we’re not
a law firm, our lawyers are not your lawyers, and this is not legal advice.
However, after our decades of work in copyleft licensing, we know well the
reason and motivations of this policy in the license (describe above), and given the error by
the Court, it’s our civic duty to inform the public that the
licensing conclusions (upon which they based their temporary injunction) are incorrect.
Meanwhile, despite what you may have read last week, the key software licensing issues in this
case have not been decided — even by the lower Court. For example, the DMCA issue is still before the trial court.
Furthermore, if
you do read the docket of this case, it will be obvious that
neither party is perfect. We have not analyzed every action Suhy took, nor do we have any comment
on any action by Suhy other than this: we believe that Suhy’s
removal of the “Commons Clause” was fully permitted by
the terms of the AGPLv3, and that Neo4j gave him that permission in that license. Suhy also did a great service to the community by taking
action that obviously risked litigation against him.
Misappropriation and manipulation of the strongest and most
freedom-protecting copyleft license ever written to bolster a proprietary
relicensing business model is an affront to FOSS and its advancement. It’s even worse when the Courts are on the side of the bad actor.
Neo4j should not have done this.
Finally, we note that the Court was rather narrow on what it said regarding the question of “What Is Open Source?”. The Court
ruled that one individual and his companies — when presented with ambiguous licensing information
in one part of a document, who then finds another part of the document grants permission
to repair and clarify the licensing information, and does so — is temporarily forbidden
from telling others that the resulting software is, in fact, FOSS, after making such a change.
The ruling does not set precedent, nor does it bind anyone other than the Defendants as to what
they can or cannot say is FOSS, which is why we can say it is FOSS, because the AGPLv3 is an OSI-approved
license and the AGPLv3 permits removal of the toxic “Commons Clause” in this situation.
We will continue to follow this case and write further when new events occur..
We were unable to find anywhere in the Court record that shows Neo4j used a Contributor Licensing Agreement (CLA) or Copyright
Assignment Agreement (©AA) that sufficiently gave them exclusive rights as licensor of this software. We did however
find evidence online that Neo4j accepted contributions from others. If Neo4j is, in fact, also a licensor of others’ AGPLv3’d
derivative works that have been incorporated into their upstream versions, then there are many other arguments (in addition to the one
presented herein) that would permit removal of the “Commons Clause”. This issue remains an open question of fact in this case.
1 Fontana made these statements on a mailing list
governed by an odd confidentiality rule called CHR (which was originally designed for in-person meetings with a beginning and an end, not
a mailing list). Nevertheless, Fontana explicitly waived CHR (in writing) to allow me to quote his words publicly.
![[Security Nation] David Rogers on IoT Security Legislation](https://blog.rapid7.com/content/images/2022/03/security_nation_logo-1.jpg){kind=logo}
![[Security Nation] David Rogers on IoT Security Legislation](https://blog.rapid7.com/content/images/2022/03/David-Rogers.png)
