New study analyzes Sarbanes-Oxley risks associated with Linux

Many companies using Linux for embedded applications may be unwittingly violating the Linux license and even breaking federal securities laws. "When GPL Violations are Sarbanes-Oxley Violations" is the first in a series of legal studies conducted by Wasabi Systems, analyzing the common misperceptions and risks associated with Linux and its license, the GNU General Public License. Future studies will look at the GPL implications of Loadable Kernel Modules and how upstream GPL violations impact VARs and end users.

"Linux is a powerful operating system," says Wasabi Systems' General Counsel Jay Michaelson. "But if companies violate the license, the consequences can be more severe than they think."

According to Michaelson, the problem lies with the requirement of the Sarbanes-Oxley Act, passed in 2002, that companies disclose ownership of intellectual property to their shareholders. Michaelson says dozens of companies are discovered each year to have violated the terms of the GPL, and if they are public companies, they are violating Sarbanes-Oxley. "If companies are violating the GPL, they don't have the right to use that software," asserts Michaelson. "And if they don't have the right to use the software, they're violating federal law if they claim that they do."

The extent of this problem remains unclear. The Free Software Foundation, which is the primary enforcer of the GPL, reports that it pursues several dozen enforcement actions each year. In the past, such violators were merely required to release their code to the public. Now, Michaelson says, "Sarbanes changes the picture completely. For public companies, violating the Linux license is now a matter of federal securities law."

The study can be found here.