What Is Open-Source Software, and How Are Fund Managers Using It? (Part One of Three)

February 21, 2019

TECHNOLOGY What Is Open-Source Software, and How Are Fund Managers Using It? (Part One of Three)

By Shaw Horton, Hedge Fund Law Report

Open-source software (OSS) is characterized (Jan. 18, 2018); and “Privacy Concerns, Third by licensing arrangements wherein copyright Parties and Drones” (Jan. 25, 2018). holders grant licensees the ability to freely change and distribute that software. Pursuant What Is Open-Source to those licenses, however, licensees must meet certain requirements or follow certain Software? restrictions. These obligations may be minimal, as is the case with permissive licenses, OSS is defined by five major elements, or onerous, as is the case with so-called explained Matt Savare and Bryan Sterba, “copyleft” licenses. OSS exists for virtually any partner and associate, respectively, at application, including artificial intelligence, Lowenstein Sandler and members of its database management and system security. technology practice group. They are: Its ubiquity means that fund managers can leverage OSS for all segments of their 1. free redistribution; businesses. 2. source code availability and the integrity of that code; This article, the first in a three-part series, 3. allowance of derived works; discusses the basics of OSS, actions 4. non-discrimination against persons, governments are taking to support it, relevant groups or fields of endeavor; and regulatory guidance and ways OSS is being 5. the distribution of a technology-neutral used by fund managers. The second article license that is neither specific to a will analyze the benefits of OSS, as well as product nor restrictive of other software. the disadvantages and risks that it presents. The third article will evaluate actions fund Open-source licenses come in two general managers can take to mitigate OSS risks, forms: permissive and copyleft. “You usually do including policies, procedures and controls to not have a choice between licensing software adopt; ways to deal with third-party vendors; under a permissive license or copyleft license,” and due diligence. said Ropes & Gray counsel Michael D. Kurzer, who represents clients on, among other things, See our three-part series on big data: “Its intellectual property, data privacy and OSS Acquisition and Proper Use” (Jan. 11, 2018); matters. “The owner who makes the code “MNPI, Web Scraping and Data Quality” available is the one who selects the license

©2019 Hedge Fund Law Report. All rights reserved. 1 for its application or library. There are a few only uses the library to help run or execute the examples of dual-licensing models – that is, program. There, the licensee may distribute where the owner of the code gives the licensee the work under different terms without the an option between the two – but that is much LGPL license applying to the derived work.” less common.” According to Sterba, because under the Permissive Licenses GPL mere interaction with a user through a computer network, with no transfer of a copy, Permissive licenses, such as the MIT License, is not viewed by the open-source community the 2- and 3-Clause BSD Licenses and the as a conveyance, many organizations use Apache License, contain minimal requirements copyleft materials through a software-as- and restrictions. “For example, the MIT a-service (SaaS) model, so the GPL licensed License simply requires licensees to include code sits “behind the wall.” Thus, organizations the copyright and permission notice,” noted avoid subjecting their source code to copyleft Savare. “The Apache License places limits on requirements. the use of trademarks and requires licensees to prominently disclose that they have In response, however, GNU released the Affero modified files.” General Public License (AGPL), which attempts to close the loophole by requiring licensees to Kurzer added that it is fairly simple to comply “prominently offer all users interacting with with the obligations under permissive licenses. [the program] remotely through a computer “In most cases, the requirement is just to network . . . an opportunity to receive include a copyright notice and a standard the [c]orresponding [s]ource” code. Code warranty and liability disclaimer. For instance, incorporated into a SaaS offering would still be if the OSS copyright is held by Oracle, you subject to copyleft issues. would have to reflect that.” See “What Fund Managers Should Consider Copyleft Licenses When Negotiating SaaS Agreements” (Dec. 20, 2018). On the other hand, copyleft licenses, such as the GNU General Public License (GPL) and the “A fair amount of OSS is licensed under one GNU Lesser General Public License (LGPL), of the various GPL licenses,” observed Kurzer. require licensees to distribute derivative works “I would say that the typical incidence of OSS under the same license and release complete being offered under one of the GPL licenses source code when making such distributions. is likely 10-15 percent, maybe more. For most The LGPL mainly applies to libraries. “Static commercial applications, it may be best to linking refers to situations where the licensee avoid incorporating GPL into proprietary code uses the library to build its program. In those if you are planning to distribute copies of the cases, the program is a derivative work of the resulting software.” library and must be redistributed under the LGPL,” said Sterba. “Dynamic linking, on the Offering software under a SaaS model reduces other hand, refers to situations where the the risks relating to the use of GPL, but licensee builds its program independently and not entirely, Kurzer added. “There are OSS

©2019 Hedge Fund Law Report. All rights reserved. 2 licenses, such as the AGPL and Reciprocal technical details on how to build, make, install, Public License, for which the copyleft or use the software, including dependencies”). obligations are triggered even when used in These recommendations can also be helpful the cloud, although these licenses are less for fund managers that wish to contribute common.” upstream to open-source projects, a practice that can provide several organizational See “How Hedge Fund Managers Can Protect benefits. Their Trade Secrets in Light of Recent NY Appellate Ruling” (Mar. 9, 2017); and our In addition, the European Commission (EC) two-part series on how hedge funds can published an OSS strategy in which it stated protect their brands and IP: “Trademarks and that it would place a “special emphasis on Copyrights” (Feb. 23, 2017); and “Trade Secrets procurement, contribution to [OSS] projects and Patents” (Mar. 9, 2017). and providing more of the software developed within the Commission as open source.” Governmental Support of In a subsequent study carried out for the EC, OSS entitled “The Economic and Social Impact of Software & Services on Competitiveness and Both the U.S. federal and state governments Innovation,” the authors recommended that are making a push to utilize OSS, including the EC “[s]upport [OSS] in all sectors of the blockchain, to a greater degree. “The federal economy,” including through the “exchange government, pursuant to Federal Acquisition of best practices between private and public Regulation Part 12, aims to use ‘commercial organizations.” The study assigned EC support items’ whenever possible,” said Savare. of OSS as having a “medium” economic impact. “Whenever it is technically advantageous, they The authors of the study argued that EC try to move away from software and systems support would “lower[ ] the risk of a vendor that are applicable for only governmental lock-in”; support co-innovation by creating purposes.” “standards that are very important for the development of emerging technologies and Indeed, the U.S. Chief Information Officer that help lower the total cost of ownership”; (CIO) and CIO Council published a source-code and enhance interoperability. The study policy that covers federal use of OSS. Under hypothesized that E.U. institutional use of a pilot program, all agencies must release at OSS would “provide relevant use cases, ensure least 20 percent of their “custom-developed long-term support, and secure high-level code” each year, prioritizing code that is quality control.” “potentially useful to the broader community.” When doing so, the CIO recommended Government Guidance on that agencies, among other things, engage with existing communities, utilize open OSS development practices, adopt a regular release schedule and adequately document source Nevertheless, “there is very little guidance code (e.g., by including information on the from the government or regulators on OSS,” status of software, license details and “relevant said Kurzer. “OSS is third-party software,

©2019 Hedge Fund Law Report. All rights reserved. 3 however, and there is plenty of regulatory standards are not comparable to the [m] guidance on the use of third-party vendors ember’s standards in a particular area with respect to compliance. You cannot or activity.” Additionally, the interpretive outsource compliance, and if you don’t notice explains that members should properly vet and diligence vendors, you will “consider adopting procedures to place have compliance issues.” appropriate access controls to their information systems and data upon third- For example: party service providers, and procedures to restrict or remove, on a timely basis, • In a 2016 IM Guidance Update on a third-party service provider’s access business continuity planning for to their information systems once the registered investment companies, the service provider is no longer providing SEC’s Division of Investment Management services.” noted that because “fund complexes • In the Financial Conduct Authority . . . outsource critical functions to (FCA)’s Handbook, SYSC 8.1, the FCA third parties, . . . they should consider noted that all Undertakings for Collective conducting thorough initial and ongoing Investment in Transferable Securities due diligence of those third parties, investment firms “must exercise due skill including due diligence of their service and care and diligence when entering providers’ business continuity and into, managing or terminating any disaster recovery plans.” arrangement for the outsourcing to a • In the 2015 Cybersecurity Examination service provider of critical or important Initiative Risk Alert issued by the SEC’s operational functions or of any relevant Office of Compliance Inspections and services and activities.” Examinations (OCIE), the staff noted that “[s]ome of the largest data breaches . . . See “Fund Managers Must Supervise Third- may have resulted from the hacking of Party Service Providers or Risk Regulatory third party vendor platforms.” Therefore, Action” (Nov. 16, 2017); “How Fund Managers SEC examination staff “may focus on firm Can Develop an Effective Third-Party practices and controls related to vendor Management Program” (Sep. 21, 2017); and management, such as due diligence with “Study Reveals Weaknesses in Asset Managers’ regard to vendor selection, monitoring Third-Party and Vendor Risk Management and oversight of vendors, and contract Programs” (Mar. 9, 2017). terms.” In addition, in OCIE’s 2018 National Exam Program Examination Ways Fund Managers Use Priorities, SEC staff indicated that they would prioritize vendor management OSS with respect to cybersecurity protection. • In a 2016 NFA Interpretive Notice, “Open source is present in almost every the NFA stated that members should single software package at this point,” said “perform due diligence on a critical Savare. “I don’t know of any industry that service provider’s security practices and doesn’t use OSS. It may be a small component avoid using third parties whose security of a larger piece of software, or it may

©2019 Hedge Fund Law Report. All rights reserved. 4 comprise the entire software itself.” • office suites e.g( ., Apache OpenOffice and LibreOffice); For example, a manager may license a third • encryption (e.g., GNU Privacy Guard and party’s trading platform. The trading platform OpenSSL); and itself may be proprietary, but it may include • firewalls e.g.( , iptables and Shorewall). open-source elements, such as the application program interface or connectors to the back- “Almost every new proprietary technology that end. “Many financial services companies, is developed by the software community will – however, are using pure open-source at a minimum – spawn a smaller open-source packages,” added Savare. “Some, for instance, project that mirrors its functionality,” said use Linux as their operating systems.” David St. John‑Larkin, partner in Perkins Coie’s intellectual property practice who regularly “One reason you may see OSS more in the handles open source and proprietary software hedge fund context is because they are more matters. “Some OSS is very mature – i.e., the leanly staffed, without large information projects are regularly improved and have technology departments and often with few well-structured review boards that receive in-house software developers. They don’t and issue revisions to the code. In particular, want to reinvent the wheel, and readymade we see this where there is a lot to gain across solutions are attractive,” said Kurzer. “They many different industries, including the also don’t necessarily have teams of lawyers security, database technology and search to look through all the licenses and code, and functions.” some may view OSS as easier to deal with because the licenses seem simpler than full “Blockchain is, by definition, open source, form commercial agreements. Additionally, regardless of whether it is public or there is no negotiating – you take the software permission-based” said Savare. “More and or leave it.” more financial services companies are using blockchain within their own systems and Open-source applications can be used for, processes, a phenomenon that is being aided among other things: by the fact that blockchain is an international protocol. It’s a burgeoning industry, and I’m • artificial intelligence and machine really bullish on it in the next five to ten years.” learning (e.g., TensorFlow and scikit- learn); According to Savare, cross-border transfers • accounting (e.g., SQL-Ledger and of money are a particularly relevant use case, GnuCash); with financial services firms relying on Ripple. • speech synthesis and recognition; “It may take days or weeks for traditional • database management (e.g., MySQL and international transactions to settle. Blockchain, PostgreSQL); however, facilitates this process in a fraction of • data mining (e.g., Orange and Weka); the time,” he noted. • enterprise search (e.g., Elasticsearch); • remote access (e.g., OpenVPN and In addition, entities are beginning to use Synergy); blockchain in governance and voting matters, • file management e.g.( , 7‑Zip); as well as with capitalization tables for

©2019 Hedge Fund Law Report. All rights reserved. 5 stock ownership. “The large banks are now members of consortia that are seeking to develop protocols and running beta trials on applications of the technology,” Savare continued. Companies are also moving successful financial technology blockchain applications to other verticals. For example, NYIAX, developed in partnership with Nasdaq, uses a blockchain back-end for bid matching in advertising technology.

St. John‑Larkin believes that the industry will also see more service-side development related to blockchain. “There are a lot of uses for blockchain outside of the virtual currency space. We are going to increasingly see open- source projects that integrate fundamental blockchain technologies not directly related to virtual currencies,” he opined. “Database technology is an interesting area for this application. Blockchain proposes a solution for tracking transaction records that occur at a very high volume. Therefore, it may be very valuable in creating a history of someone’s interaction with a database.” This may have strong applications in the medical field, or in instances where consumer or client information is kept en masse and there is a need to audit search histories.

See “How Blockchain Will Continue to Revolutionize the Private Funds Sector in 2018” (Jan. 4, 2018); and our three-part series on blockchain and the private funds industry: “Basics of the Technology and How the Financial Sector Is Currently Employing It” (Jun. 1, 2017); “Potential Uses by Private Funds and Service Providers” (Jun. 8, 2017); and “Potential Impediments to Its Eventual Adoption” (Jun. 15, 2017).

TECHNOLOGY What Are the Benefits and Risks of Using Open-Source Software? (Part Two of Three)

By Shaw Horton, Hedge Fund Law Report

Open-source software (OSS) can provide fund For a discussion of another growing managers with several benefits, including cost technology, see our two-part series on savings, increased customization and access implementing electronic signatures: Part One to a collaborative community that provides (Dec. 21, 2017); and Part Two (Jan. 4, 2018). extensive support. In addition, participation in open-source communities can help managers Benefits of OSS attract talent and hone technical employees’ skillsets. Cost Savings

Nevertheless, OSS does not come OSS is cheaper if used correctly, observed without risks. For example, under certain Matt Savare and Bryan Sterba, partner and circumstances, a manager may need to release associate, respectively, at Lowenstein Sandler its own proprietary source code, or it could and members of its technology practice group. find itself subject to breach of contract or “Like anything else, however, if you implement copyright infringement liability. OSS may also it incorrectly, you can fail miserably. This pose greater security risks than commercial means looking at the entire lifecycle of the software, which means that managers must product,” said Sterba. carefully assess the areas in which they seek to utilize OSS. Thus, managers must evaluate not only the licensing costs, but costs associated with This article, the second in a three-part series, customizing the software to their particular analyzes the benefits of OSS, as well as the needs, as well as integration, maintenance, disadvantages and risks that it presents. upgrade and support costs. The first article discussed the basics of OSS, actions governments are taking to support it, Customization and Development relevant regulatory guidance and ways OSS is being used by fund managers. The third article Open-source applications also enable greater will evaluate actions fund managers can take diversity, variety and customization. “Think to mitigate OSS risks, including what policies, of the Linux operating system. IBM has procedures and controls to adopt; ways to deal made that available as OSS, so numerous with third-party vendors; and due diligence. developers are building on it as a community,” remarked Savare. “This can lead to continuous

©2019 Hedge Fund Law Report. All rights reserved. 7 improvements, and it means that the product Greater Security exists past the lifespan of the original company or developer. Windows, on the other hand, “When thinking about security software in can only be modified by Microsoft or one of its particular, you want a product that has been vendors.” well-tested and well-vetted,” commented Perkins Coie partner David St. John‑Larkin. Indeed, in Jacobsen v. Katzer (discussed below), “That’s exactly what you get with OSS. There is the U.S. Court of Appeals for the Federal significant opportunity for people to test and Circuit (Federal Circuit) noted that, through debug the software across the world.” OSS collaboration, “software programs can often be written and debugged faster and at Talent Acquisition lower costs than if the copyright holder were required to do all of the work independently.” Participating in open-source communities may also help managers attract the best talent. “OSS is available 24/7 and is free. As long as “Younger generations are more willing to work you are reasonably mindful of the fact that you with open source than their predecessors,” said have to do your own work vetting the software, Sterba. the OSS community is collaborative and can offer wonderful crowd-sourced development “I don’t know whether OSS is necessarily work,” said Ropes & Gray counsel Michael D. being used to recruit talent. Rather, I think Kurzer. that managers decide to use OSS because they understand that it can allow them to, According to IRS guidance on the use of federal among other things, scale faster and develop tax information in OSS, “it is important to a competitive advantage,” Sterba continued. understand the organization residing behind or Attracting younger developers, therefore, supporting the continued development of the comes as an ancillary benefit, as managers application under consideration. Depending can draw from a larger pool of candidates and on the application and the organization that demonstrate that they are using products with stands behind it, there may be a tremendous which developers are familiar. amount of support for evaluating the software.” “A lot of organizations find benefit – both in For more on tax issues affecting private terms of supporting projects important to fund managers, see “New Tax Law Carries them and creating an outlet for engineers Implications for Private Funds” (Feb. 1, 2018); or developers to stay at the forefront of and “The Effect of 2017 Tax Developments on technological developments – in contributing Advisers to Private Funds: New Partnership upstream to open-source projects, rather Audit Rules, Tax Reform, Blockers, Discounted than being raw consumers,” remarked St. Gifting, Fee Waivers and State Nexus Issues” John‑Larkin. “Some of the most prolific and (Nov. 30, 2017). important projects may offer a way to train and keep the skillset alive for their technical staff.” St. John‑Larkin added that upstream contributions can be difficult to trace back

©2019 Hedge Fund Law Report. All rights reserved. 8 to organizations due to individual engineers else, then there has been no distribution contributing under their own names or under and the licensee has no obligations.” This is the guise of a subsidiary company. not the case for the Affero General Public License, Reciprocal Public License or similar “It can be risky adopting certain OSS with licenses, which are triggered even without a no assurance the software will have the distribution. same longevity as the project or product on which you’re working,” noted St. John‑Larkin. Distribution can include making a copy, making “Organizations that encourage their engineers software accessible at a link, or sending the to participate in the OSS community may software out to third parties in any way (for help mitigate this risk by ensuring there example, by placing the code into a mobile are sufficient resources and interest behind phone app that can be downloaded). Copyleft projects of interest to the organization.” licenses, like the GNU General Public License (GPL), impose the most onerous obligations on See “A Succession-Planning Roadmap for Fund licensees who have incorporated that OSS into Managers (Part Three of Three)” (Jun. 21, 2018); their proprietary code. “When you distribute “Ways Fund Managers Can Compensate and your software, the GPL, GPLv2, and GPLv3 Incentivize Partners and Top Performers” licenses include a requirement to share your (Dec. 14, 2017); and “How Hedge Fund source code and license it to the public under Managers Can Structure Deferred the same GPL license,” stated Kurzer. Compensation Plans to Retain Top Talent (Part One of Two)” (Jun. 22, 2017). If a licensee refuses to comply with those obligations, then it no longer has a license and Disadvantages and Risks of can be sued either under breach of contract or for copyright infringement. “The same is true OSS if you do not, for example, include copyright attribution or a disclaimer under a permissive License Restrictions license. Permissive licenses are very easy to comply with, however, so you generally do not If a manager incorporates OSS into its own hear of those kinds of issues,” noted Kurzer. proprietary software, it may have a duty to “Managers must realize that OSS licenses are release – or make open – that proprietary still legal agreements and that OSS is owned by source code, cautioned Sterba. The issue someone – it is not public-domain software. only arises, however, under copyleft or viral Managers must comply with the licenses.” licensing agreements and generally only in cases where an entity publicly distributes (i.e., Hedge funds themselves are not generally sells or licenses) the OSS. distributing software incorporating OSS. “I haven’t seen it, but that doesn’t mean it “In general, the obligations under OSS licenses doesn’t happen,” said Savare. “I’ve yet to have are only triggered upon a distribution of the a hedge fund come back to me and say that software,” remarked Kurzer. “For many OSS it is using OSS to roll out its own product for licenses, if you don’t provide a copy of your distribution. Instead, fund managers typically software incorporating the OSS to someone use the software for internal purposes.”

©2019 Hedge Fund Law Report. All rights reserved. 9 Therefore, whether the entire package, or property rights,” added Sterba. just a component of the package, is open- source, managers typically will not run into In Jacobsen v. Katzer, appellant Jacobsen made this issue because they are not using OSS in certain computer code publicly available a manner that would trigger some of these without a fee pursuant to an open-source problematic provisions in the licenses. Even so, license. Appellee Katzer allegedly incorporated it is important for managers to understand this some of the code into one of his software issue given the enormous risk associated with packages without following the terms of having to make proprietary code open-source. the license. Jacobsen sought a preliminary injunction. When a manager licenses proprietary software, vendors will typically include restrictions on, According to the Federal Circuit, copyright among other things, reproduction, reverse- owners who grant a “nonexclusive license engineering and modification. There are to use . . . copyright material[s] waive[ their] limited circumstances under which licensors right to sue . . . licensee[s] for copyright may allow modifications, such as the creation infringement.” On the other hand, if a license is of front-end interfaces, for example, where “limited in scope and the licensee acts outside the licensor does not provide any kind of the scope, the licensor can bring an action for developmental services, enhancements or copyright infringement.” The Federal Circuit other professional services. Nevertheless, found that the terms of the open-source according to Sterba, this is normally restricted license were conditions of, and not merely given that vendors are eager to acquire covenants to, the copyright license given that additional work. “Not only will the vendor users who download the “copyright materials charge a fee for creating these components, [are] authorized to make modifications and to but it will also often tell the licensee that distribute the materials ‘provided that’ [they] the vendor owns any enhancements, even follow[ ] the restrictive terms of the [license],” where those enhancements are specific to a including the inclusion of the copyright notice. particular client.” In the remanded case, the U.S. District “In rare instances where the vendor does Court for the Northern District of California permit a hedge fund to modify the software – (Northern District) ultimately held that for example, where the hedge fund has a very the state law claim was preempted by the specific or unique use – there will generally Copyright Act because the “breach of contract be further restrictions on the modifications,” claim alleges violations of the exact same noted Savare. “The licensor will not want the exclusive federal rights protected by Section licensee to disclose or sell those modifications.” 106 of the Copyright Act, the exclusive right to reproduce, distribute and make derivative Breach of Contract and Copyright copies.” To avoid preemption, state law claims Infringement must have an “extra element” that changes the nature of the claim. “Noncompliance with OSS license terms – whether copyleft or permissive – may lead to Later, in an April 25, 2017, order in Artifex infringement of an OSS licensor’s intellectual v. Hancom, the Northern District denied

©2019 Hedge Fund Law Report. All rights reserved. 10 the defendant’s motion to dismiss on the “substantial benefits” that “range far beyond basis that the plaintiff’s breach of contract traditional license royalties,” including claim was preempted by copyright law. generating market share by providing Plaintiff Artifex developed Ghostscript, a PDF components free of charge and increasing interpreter, and dually licensed it under the international reputation. GPL and a commercial license. Defendant Hancom, a South Korean company, integrated The court also rejected the defendant’s Ghostscript’s code into its own proprietary argument that the license terminated when products and failed to purchase a commercial Hancom “first released a product containing license or comply with the terms of the GPL Ghostscript without complying with the open- (i.e., it did not release the source code to its source requirements.” The court argued that proprietary product). The court argued that “because the source code or offer of the source the defendant failed to sufficiently explain why code is required each time a ‘covered work’ is the “GPL’s open-source requirement is not the conveyed, each time Defendant distributed a required extra element.” product using Ghostscript there was arguably an ensuing obligation to provide or offer to The court also denied the defendant’s motion provide the source code.” Moreover, Section to dismiss on the basis that the plaintiff failed 8 of the GPL provides, as long as certain to allege that the defendant committed a conditions have been met, for “reinstatement predicate act in the U.S. Hancom argued of the license until notice of termination by the that “because it is a South Korean company copyright holder.” the [c]ourt must draw the inference that all the predicate acts – the copying, integrating Savare noted that the cases demonstrate the and incorporating of [p]laintiff’s software – need for robust OSS compliance, along with occurred in South Korea.” The court, however, customary regulatory compliance. “Open- argued that “[t]here are no facts alleged . . . source errors can lead to lawsuits, but it that would prohibit the inference that at least can also undermine the value of a manager’s some infringement occurred in the [U.S.]” business,” he explained. Fortunately, according to St. John‑Larkin, “a cottage industry In a subsequent order denying Hancom’s has developed, which helps organizations motions for summary judgement, the evaluate the source code and resolve court held that while it cannot “impose the copyright infringement or alleged copyright terms of the commercial license” on the infringement.” defendant, a jury can “use the value of the commercial license as a basis for any damages Security Risk determination.” The court also held that, under California law, plaintiffs may seek unjust In addition, OSS can lead to practical security enrichment or disgorgement as a measure risks. Heartbleed, an OpenSSL security of damages for free licenses. The court cited bug, was a particularly infamous example Jacobsen, noting that the “lack of money of an open-source weakness. The bug was changing hands in open-source licensing introduced into the software in 2012 and only [does not preclude] economic consideration.” publicly disclosed and patched in 2014. The Jacobsen court noted that there are

©2019 Hedge Fund Law Report. All rights reserved. 11 According to heartbleed.com: The IRS, in its guidance on the use of federal tax information in OSS, noted additional This weakness allows [hackers to steal] security risks associated with the use of OSS, information protected, under normal including that it may be difficult to ascertain conditions, by the SSL/TLS encryption whether the developers of open-source code used to secure the Internet. . . . The follow security best practices or a “mature Heartbleed bug allows anyone on the development methodology,” or have sufficient Internet to read the memory of the systems “security programming skills and vulnerability protected by the vulnerable versions of testing expertise.” Moreover, OSS developers the OpenSSL software. This compromises “may be slow to respond to identified flaws,” the secret keys used to identify the service and OSS may not always integrate robust providers and to encrypt traffic, the encryption modules. names and passwords of the users and the actual content. This allows attackers to See our three-part series on how fund eavesdrop on communications, steal data managers should structure their cybersecurity directly from the services and users and to programs: “Background and Best Practices” impersonate services and users. (Mar. 22, 2018); “CISO Hiring, Governance Structures and the Role of the CCO” (Apr. See “ACA Compliance Group Clarifies 5, 2018); and “Stakeholder Communication, Misconceptions Commonly Held by Fund Outsourcing, Co-Sourcing and Managing Third Managers With Respect to Cybersecurity” Parties” (Apr. 12, 2018). (Apr. 16, 2015). Other Issues “The security risk is greater with OSS because, by its very nature, the entire world can see Additionally, the IRS explained that OSS and know some of the code you have in your may not receive the same level of support software. Hackers do not have the same level of as proprietary software because it “may access to most commercially licensed software not be backed by a vendor.” Furthermore, it code,” said Kurzer. may be more difficult to train staff on the implementation and maintenance of OSS. There are ways this risk can be mitigated before using OSS, Kurzer advised. Specifically, “Blindly adopting open source is a recipe for fund managers should look at whether there disaster. At some point, there will be legal are known vulnerabilities that have already conflicts, technical conflicts or both,” said been exploited or shared on the internet and St. John‑Larkin. Most large entities now implement policies and procedures designating have compliance officers who are tasked an individual to not only monitor for security with collecting all the license information issues, but to think through how the code will and version information, and with being the be used. “Will the code be used in a vulnerable custodians. “Managers must take care to area? You may not necessarily want to use it memorialize, in some form within the next to the crown jewels, but you may not be company, what OSS is being used, where it as concerned with less sensitive areas of your is being used and what version is being used,” business,” he said. he added.

©2019 Hedge Fund Law Report. All rights reserved. 12 “It is also possible that someone could write OSS code that implicates privacy issues, but that typically hasn’t been an issue that we’ve encountered,” continued Kurzer. “Anyone who uses OSS has to realize that this doesn’t absolve them of their own obligations to comply with privacy laws and data security laws.”

See “How Fund Managers Can Navigate the E.U. General Data Protection Regulation and the Cayman Islands Data Protection Law” (Aug. 9, 2018); and “How the GDPR Will Affect Private Funds’ Use of Alternative Data” (Jun. 14, 2018).

TECHNOLOGY How Fund Managers Can Mitigate the Risks of Open-Source Software (Part Three of Three)

By Shaw Horton, Hedge Fund Law Report

Although open-source software (OSS) poses “Will Inadequate Policies and Procedures Be a number of risks, fund managers can take the Next Major Focus for SEC Enforcement several steps to mitigate those risks. Managers Actions?” (Nov. 30, 2017). should, for example, develop robust policies, procedures and controls regarding, among Policies, Procedures and other things, the download and use of OSS, which may include the use of a committee to Controls sign off on the introduction of new software. Additionally, managers should ensure they “Sometimes traders may get too eager and receive certain representations and warranties download software from the internet without when dealing with software developers who reviewing all the terms and conditions,” opined integrate OSS into proprietary products. Bryan Sterba, associate in Lowenstein Sandler’s Finally, managers must conduct appropriate technology practice group. “This software is due diligence not only of OSS vendors, but of free or cheap, and it is easily downloadable. the software itself. This can come back to bite people because they don’t know what they are signing up for. This article, the third in a three-part series, They don’t realize that they are agreeing to a evaluates actions fund managers can take binding contract.” to mitigate OSS risks, including policies, procedures and controls to adopt; ways to deal “In these cases, we may talk to the vendor with third-party vendors; and due diligence. and tell them that they are better off letting The first article discussed the basics of OSS, the manager out of the contract for a fee,” actions governments are taking to support it, explained Matt Savare, Lowenstein Sandler relevant regulatory guidance and ways OSS partner and member of its technology practice is being used by fund managers. The second group. “Nevertheless, managers should article analyzed the benefits of OSS, as well as have strict protocols in place to avoid these the disadvantages and risks that it presents. situations in the first place.”

For more on developing policies and Unfortunately, many managers lack stringent procedures, see “A Checklist for Evaluating practices surrounding the above scenario. Employee Disciplinary Policies and Procedures “Everything should go through procurement or of Private Fund Managers” (Mar. 22, 2018); and the legal department,” Savare continued. “You

©2019 Hedge Fund Law Report. All rights reserved. 14 must have a lawyer who understands software individual or committee that signs off on the licensing look at it – even those click-through introduction of new software. agreements that may seem innocuous – or else there could be problems.” In addition, managers should delineate how new code is reviewed and vetted, and create Managers should implement strict protocols specific stop signs, restricting the use of even where no licensing fee exists, cautioned certain code entirely, for example in the form Savare. “Software can still have costs in, of a blacklist. “Managers may also want to among other things, bugs, malware and poor mitigate risk by conducting a report on their interoperation. Thus, technical protocols existing code to get a firm grasp of where they should also be strict, with scans for viruses and already stand,” Kurzer advised. “A manager may malware.” also choose to create a policy restricting the use of OSS altogether, but that is rare.” OSS policies should also address developers’ participation in OSS communities or “What you want to avoid is a procedure that development, noted Sterba. “These policies requires everything to grind to a halt, for must be approached very carefully, however, example by requiring a lawyer to be involved given that developers may hesitate to join in every step. That gets very expensive, and managers that have policies that appear overly firms do not typically have the resources for hostile toward OSS.” that,” explained Kurzer. “I advocate for a risk- based approach – a manager should assess “The decision to use OSS is sometimes made its areas of greatest concern and elevate by the engineers out of habit,” said Ropes & resources accordingly. If we’re talking about Gray counsel Michael D. Kurzer. “If there’s the crown jewels, then that’s something that no structure in place, then they utilize this may require a high level of approval.” On the software to make their job easier. There’s often other hand, low-risk areas should garner lower no interaction with lawyers before it used.” resource allocations. Kurzer noted that the Kurzer noted, however, that he does speak same approach should apply to compliance directly with companies and individuals who with licenses or other regulatory issues. “The are seeking to start a company or fund about bottom line is that there is no ‘one-size-fits-all’ the risks that OSS presents. “Nevertheless, approach.” among all of the things that start-ups have to worry about – including limited resources and See “Key Elements of Electronic running out of money – this seems pretty low Communications Policies and Procedures for on the list.” Hedge Fund Managers” (Nov. 12, 2010).

“It is difficult to find an organization that isn’t already using OSS in some capacity. Those that do must get on top of it as quickly as possible and adopt comprehensive policies,” Kurzer continued. Managers must create an approval process within the organization, he added, which may include the designation of an

©2019 Hedge Fund Law Report. All rights reserved. 15 Representations and A licensee-friendly provision with a proprietary software vendor may, for example, include the Warranties: Dealing following language, said Savare: With OSS in Proprietary Schedule [A] lists all Open Source Products Materials used by [Vendor] in any way and the applicable license for each item, “Companies should set clear expectations and describes the manner in which such about whether third-party developers may Open Source Materials were used (such integrate OSS into proprietary products,” description shall include whether (and, if suggested David St. John‑Larkin, partner in so, how) the Open Source Materials were Perkins Coie’s intellectual property practice. modified and/or distributed by [Vendor]). “If a company permits OSS integration, the [Vendor] is in compliance with the terms company should ask developers to clearly and conditions of all licenses for the Open identify what OSS is used. Part of that Source Materials. Other than as specified conversation will center on the representations on [Schedule to agreement,] [Vendor] has and warranties that the company will need.” not (i) incorporated Open Source Materials This conversation may govern whether a into, or combined Open Source Materials company utilizes OSS. with, any [Vendor] owned intellectual property or products; (ii) distributed Open When licensing software, a manager should Source Materials in conjunction with any seek third-party representations, warranties [Vendor] owned intellectual property and indemnities. “In a lot of contexts, however, or products; or (iii) used Open Source software vendors will seek to provide software Materials, in such a way that require, as without a warranty or that is subject to the a condition of use, modification and/or terms and conditions of other parties,” said distribution of such Open Source Materials Sterba. “This can apply to any thirty-party that other software incorporated into, plugin, and I always resist this. When I receive derived from or distributed with such the contract, I ask them, ‘How am I supposed Open Source Materials be (A) disclosed to know what those terms and conditions are? or distributed in source code form; (B) I don’t have a deal with them; I have a deal with be licensed for the purpose of making you.’” derivative works; or (C) be redistributable at no charge. Instead, Sterba said he tells vendors that they must stand by their software and warrant any “Open Source Materials” means software third-party components the same as they or other material that is distributed as do their own. “This does not always work, “free software,” “open-source software” or however,” opined Savare. “I’ve had clients who under a similar licensing or distribution have walked away from using certain software terms (including, but not limited to, the because the other side was unreasonable in GPL, LGPL, Apache License and MIT relation to third-party software. It doesn’t License). happen often, but it is possible that OSS and All managers should also receive a third-party issues can blow up a deal.” representation that any software does not

©2019 Hedge Fund Law Report. All rights reserved. 16 include viruses and that the software does not to malfunction or to damage or corrupt infringe a third party’s intellectual property, data, storage media, programs, equipment, said Savare. “Getting hit with a demand letter or communications, or otherwise can be a nightmare.” For instance, Savare interfere with operations (all of the above typically includes the following representation collectively Disabling Devices). [Vendor] in licensing agreements: shall remove any such Disabling Devices, and make any corrections necessary to fix [Vendor] has and shall take all reasonable any problems directly caused by any such steps to test all software and work Disabling Devices, at no additional cost to product for Disabling Devices (as defined customer. below). [Vendor] shall not install into any computer, or include in any of the “I often ask for approval rights over open services, software, or work product, source,” said Sterba. “If they aren’t willing to any software or computer code that (i) give that, I include language requiring the is designed to disrupt, disable, harm, or licensor to represent and warrant that any otherwise impede in any manner, including licensed materials don’t contain any open- aesthetical disruptions or distortions, source code obligating the licensee to make the operation thereof, or any other code available to others or otherwise subject associated software, firmware, hardware, the licensee to obligations not expressly set computer system or network (sometimes forth in the agreement.” referred to as “viruses” or “worms”); (ii) would disable or impair in any way the Due Diligence of OSS operation thereof based on the elapsing of a period of time, the exceeding of an Vendors authorized number of users or copies, or the advancement to a particular date or “Some software products are dual-licensed,” other numeral (sometimes referred to as said St. John‑Larkin. “That is, a vendor may “time bombs,” “time locks,” or “drop dead” offer – for substantially the same software – devices); (iii) except as expressly approved either a free license on an as-is basis with no in advance and in writing by customer, representations or warranties, or a commercial is typically designated as “open-source license where the vendor stands behind software” and/or distributed under any certain representations and warranties.” license approved by the Open Source Initiative as set forth in www.opensource. Regardless, “due diligence of OSS vendors is org or similar licensing or distribution necessary,” observed Savare. “No one should terms; or (iv) would permit access by license an open-source program that he or she vendor or any third party to cause such has never heard of. Similarly, a manager should disablement or impairment (sometimes not license an open-source program until it referred to as “traps,” “access codes,” or has conducted a deep dive into the code.” “trap door” devices), or any other similar harmful, malicious, or hidden procedures, In many ways, licensing OSS is no different routines, or mechanisms that would cause than licensing proprietary code – after the services, software, or work product all, a developer can place bugs into either.

©2019 Hedge Fund Law Report. All rights reserved. 17 Therefore, when using any third-party for the application . . . is available. This may code, Savare recommended that managers include the use of a third-party vendor that understand who the licensor is; properly scan specializes in supporting this application but the code; and – before deploying the code in is separate from the primary development a live environment – reasonably ascertain that organization.” Managers that intend to pursue no malware, viruses, trapdoors or backdoors the adoption or further integration of OSS exist. This means examining the code in a more cautiously may also wish to follow that test environment before installing it onto a approach. production environment, he continued. See “Current Trends in Operational Due “The biggest risk for hedge funds, which are Diligence and Background Checks” (Nov. governed by the Gramm-Leach-Bliley Act and 3, 2016). See also our two-part series “Key Regulation S-P, is preserving privacy and data Considerations for Hedge Fund Managers security. These regulations require managers in Evaluating the Use of Cloud Computing to implement commercially reasonable physical Solutions”: Part One (Oct. 18, 2012); and administrative and technical safeguards for Part Two (Oct. 25, 2012). nonpublic financial or personal information,” continued Savare. Although larger entities and quantitative fund managers will have chief technology officers Thus, when licensing OSS – whether that and a host of other technology personnel software is physically installed on a manager’s involved in the process, smaller managers will hardware or used as a service on the cloud – it likely have to engage third-party consultants is critical that a manager investigate whether to assist in evaluating vendors. Very few fund the vendor conducts background checks on managers have large information technology its employees, whether there is oversight staffs and instead only have one or two experts over who has access to data and whether the in-house. vendor scans software before installation. “It is really easy to infect a network,” opined “Open source is in almost everything, and it can Sterba. “Vendors can plant security holes be easily addressed, including through scans and gain access to highly sensitive data.” In from vendors like Black Duck,” Sterba said. “It’s addition, managers should ask about a vendor’s rare for managers to ask law firms for technical data protection policies; ask for references; advice, but they do ask if we’ve dealt with and interview its chief technology and chief certain vendors before – either for software or privacy officers. These policies are particularly for professional services. Chances are that we important because many security testing have and we’ll know about not just their quality, tools do not detect open-source security but the terms that they would accept.” vulnerabilities, remarked Savare. See our three-part series on quantitative The IRS recommended that federal agencies investing: “Dispelling Myths and wishing to utilize OSS pursue a “conservative Misconceptions” (Aug. 9, 2018); “Regulatory approach” – that is, “seek organizations that . . . Action, Guidance and Risk” (Aug. 23, 2018); provide assurance[s] that a secure development and “Special Risks and Considerations” lifecycle is employed and that software support (Sep. 6, 2018).

©2019 Hedge Fund Law Report. All rights reserved. 18 Due Diligence of OSS when they try to commercialize that software, i.e., by offering it to third parties to gain an How can an organization evaluate the quality extra stream of revenue.” of OSS itself? Kurzer recommended that managers look at, among other things: See “The Importance of Exercising Due Diligence When Hiring Auditors and Other • message boards or other public forums Vendors” (Jun. 21, 2018); and “Perspectives on to see whether others have pointed out Operational Due Diligence From an Investor, issues; Consultant and Manager” (Nov. 9, 2017). • release logs; • the number of commits; Portfolio Companies • the number of bugs fixed per version, as well as the amount and severity of open “Issues also arise when private equity firms buy bugs per version; or sell portfolio companies. That is a typical • the vitality of the community; and scenario when a company finds out about all of • the frequency of updates. its open-source problems,” said Kurzer.

“In addition, companies have normal check- “A private equity firm may buy a three- or in processes when installing code to the code four-year-old company with a proprietary base, so they should be doing this on open- software platform,” Kurzer explained. “One of source code like they would do with any new the reasons that company was able to grow code,” added Kurzer. “There is no easy way so quickly was because it relied so heavily on to tell if code infringes on some other third- open-source code to build the platform. It may party software. So, the engineers have to be not have complied with many of the licenses, honest about where the code is taken from and however.” consider the risks.” Kurzer recommended that firms conduct a Ultimately, some of the process is simply scan and figure out the risks piece by piece. intuition- or judgement-based, Kurzer opined. “We may advise that the firm see whether the “People who create software will have a sense problematic open-source code can be replaced for whether the code looks well-written or and how many distributions have been made. poorly written. If it’s poorly written, it may It can then figure out what can be done to contain more vulnerabilities or bugs, and it remediate past distributions.” may require additional work. As a result, it is more of a technical diligence than legal For more on private equity funds, see diligence.” “Anatomy of a Private Equity Fund Startup” (Jun. 22, 2017); “Private Equity in 2017: How “Unfortunately, I don’t think smaller funds are to Seize Upon Rising Opportunity While engaging in much of this diligence at all. When Minimizing Compliance and Market Risk” they start to develop their own proprietary (Jun. 8, 2017); and “SEC Enforcement Director platforms, they may lean heavily on open- Highlights Increased Focus on Undisclosed source code,” noted Kurzer. “Issues arise, not Private Equity Fees and Expenses” when they use the software internally, but (May 19, 2016).