Court erred in Neo4j source license ruling, says Software Freedom Conservancy

If decision is upheld, this 'could seriously harm FOSS and copyleft'

A US federal district court decision in California favoring database biz Neo4j is incorrect and imperils free open-source software, according to the Software Freedom Conservancy.

Neo4j Enterprise Edition (EE) was at first offered under both a paid-for commercial license and for free under the GNU Affero General Public License, version 3 (AGPLv3). In May 2018, version 3.4 of the software was put under AGPLv3 plus additional terms from the Commons Clause license, which is not an open-source license and explicitly says as much in its documentation.

The viability of Neo4j's AGPLv3+Commons Clause license is what's at issue, because the AGPLv3, taken as a whole, includes language that says any added terms are removable. That view has been rejected in court – which accepts Neo4j's right to craft custom terms and to resolve contradictions in those terms – and the Software Freedom Conservancy believes the court erred.

As The Register reported last month, Neo4j and its Swedish subsidiary have been pursuing legal claims, filed in 2018 and 2019, against several companies that sold what was marketed as an open-source licensed version of Neo4j EE under the name ONgDB – allegedly in violation of terms in the concatenated AGPLv3+Commons Clause license and Neo4j's trademarks.

The Graph Foundation, one of the defendants, in February 2021 settled with Neo4j, agreeing that it would stop calling specific versions of ONgDB, forked from Neo4j EE, a "100 percent free and open source version" of Neo4J EE.

In May 2021, US District Court Judge Edward J. Davila, who is overseeing Neo4j's case against PureThink and iGov – both run by John Mark Suhy to sell ONgDB – granted Neo4j's motion for partial summary judgment [PDF]. The ruling declared the defendants could not infringe Neo4j's trademark and could not claim that ONgDB is open source software. In effect, the district court said you can't call non-open-source software open source.

The defendants, PureThink and iGov, challenged that ruling – the case continues to be litigated – though in February the US Court of Appeals for the Ninth Circuit affirmed the district court's decision specifically with regard to the lower court's partial summary judgment, including the point about only calling open-source software open source.

The Open Source Initiative, which oversees the Open Source Definition and the licenses based on the OSD, applauded the appeals court decision. So too did Bruce Perens, who created the Open Source Definition in 1997. Both welcomed the court's acknowledgement that it's false advertising to claim a license is open source when it's not.

But on Thursday, Bradley Kuhn, policy fellow and hacker-in-residence at Software Freedom Conservancy, took issue with the district court's partial summary judgment and the Ninth Circuit's endorsement of it. He said he'd agree that the defendants ought not say their software is under a free and open source (FOSS) license if the AGPLv3+Commons Clause combo were valid. But he argues the two licenses can't co-exist as published by Neo4j.

"We believe the court held incorrectly by concluding that Suhy was not permitted to remove the 'Commons Clause,'" wrote Kuhn in a blog post. "Their order that enjoins Suhy from calling the resulting code 'FOSS' is problematic because the underlying holding (if later upheld on appeal) could seriously harm FOSS and copyleft."

Kuhn, who created the Affero clause in the AGPLv1 and co-drafted v3, says that the AGPLv3 contains a clause that explicitly allows the removal of terms added to the AGPLv3, something Suhy's companies argued but the judge rejected.

The AGPLv3 license says, "If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term."

The judge, citing his prior ruling against The Graph Foundation, says [PDF] the terms of the AGPLv3 "prohibit a licensee from imposing further restrictions, but do not prohibit a licensor from doing so." And he argues that "it would be contrary to principles of contract and copyright law to interpret these provisions as limiting Neo4J Sweden’s exclusive right to license its copyrighted software under terms of its choosing."

"It's just wrong," Kuhn told The Register in a phone interview. He agrees that Neo4j has the right to set its own licensing terms but points out that the company specifically chose the full text of AGPLv3. And in making that choice, he argues, they can't selectively ignore the AGPLv3's terms when they specifically state their software is "subject to the terms of the GNU AFFERO GENERAL PUBLIC LICENSE Version 3, with the Commons Clause."

"Neo4j defines 'This License' to mean 'version 3 of the GNU Affero General Public License,'" he wrote in his post. "Then, Neo4j tells all licensees that 'If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term.' Yet, after all that, Neo4j had the audacity to claim to the court that they didn't actually mean that last sentence, and the court rubber-stamped that view."

Perens in an email agreed with Kuhn's interpretation.

"The license of Neo4J Enterprise Edition has the Affero GPL v3 license (AGPLv3), a license with very strong share-and-share-alike terms, but these weren't good enough for Neo4J Inc, which added a license term called the 'Commons Clause,' which says 'you can't sell it.'"

But the AGPLv3, said Perens, includes a passage that allows the removal of added restrictions.

"So Neo4J also gave anyone permission to remove the Commons Clause from Neo4J and use it as if it's just under the AGPLv3 license," he said. "Which is what the defendant did. The judge said he couldn't. Now, an appeals court may get to reverse that decision."

Paul Berg, a software licensing consultant who has worked for Amazon and Microsoft, among others, told The Register in an email that Kuhn in his post raises salient points.

"A core issue under contention that I see here is that Neo4j is releasing a product they own under proprietary licensing terms with an unconventional license," he said, adding that the license text "obscures those terms rather than explicitly stating them."

"They are doing this by including the whole of the text of a well-known open source license, yet adding confusing and seemingly contradictory terms which conflict directly with the stated intent of the drafters of the open source license," he continued.

Berg argues that by structuring their license this way, they benefit from association with free-and-open-source software without actually offering the implied assurances.

"This causes some users of their product to begin designing and building their own systems under these false assumptions only to realize after committing to their design that the software is not open source," he argued. "This often results in insurmountable late stage migrations to another technology or accepting Neo4j's costly alternative licensing, a sales conversion tactic. One which is severely disadvantageous to the user if the software and of negative utility."

Berg, pointing to the Log4shell incident, said there's a growing need in the tech industry for developers to integrate third-party dependencies under unambiguous licensing terms in a way that minimizes supply chain disruption.

Software, he said, "should include clear knowledge of origin, clear licensing terms, and transparent security information. Regardless of current law or existing license text, this is the aim we should strive for and prioritize as an industry instead of trading that for misleading branding and ill-gotten sales." ®
