Open Source Guy

,

From Permission to Contract: Dual Enforcement and Rising Risk in Open Source Licensing

Published by

Shuji Sado

on

While a previous article detailed the long-held view in the United States that Open Source licenses were not contracts but “unilateral permissions” — a perspective that gained legal validation in Jacobsen v. Katzer — the ruling in that very case was also a crucial step on the path toward recognizing Open Source licenses as legally enforceable contracts.  

This report will trace this long journey by examining the judicial reasoning in four landmark lawsuits. It will demonstrate how the establishment of licenses as enforceable contracts has reshaped the landscape of cross-border violation risks, analyzing the specific impacts on Japanese corporations and the broader Open Source community.  

  1. 1. The Historical Evolution of Open Source Licenses: From Unilateral Permission to Enforceable Contract
    1. Jacobsen v. Katzer (2008): Establishing License Violations as Copyright Infringement
    2. MDY v. Blizzard (2011): Defining the Scope of Copyright Infringement and Breach of Contract
    3. Artifex v. Hancom (2017): The Court’s Explicit Acceptance of License Contractuality and Monetary Remedies
    4. SFC v. Vizio (2022–Ongoing): Will Enforcement Extend to Third-Party Beneficiaries?
  2. 2. The Impact on License Violation Risks
    1. The Risks of Using Software with a Dual-License Strategy
    2. The Risk of Prosecution by Foreign Rights Holders in Their Local Jurisdictions
    3. The Risk of Cross-Border Litigation from End Users
  3. 3. A Message to the Freedom Community
  4. 4. Conclusion
  5. 5. References

Note: This article is an English translation of a post originally written in Japanese to explain the concept of a “license” that is often unfamiliar to a Japanese audience. While it assumes a Japanese reader, I believe it may also be useful for an English-speaking audience, especially U.S. citizens.

1. The Historical Evolution of Open Source Licenses: From Unilateral Permission to Enforceable Contract

For many years, the legal nature of Open Source licenses was dominated by the view that they constituted a “unilateral permission.” This perspective was rooted in the principles of Anglo-American contract law, which requires “consideration” — a bargained-for exchange of something of value between parties — for a contract to be legally valid. Because Open Source software is generally provided without monetary payment, it was long interpreted that its licenses failed to meet the requirements of an enforceable contract. Consequently, the prevailing “permission theory” held that a license was merely a unilateral declaration by the copyright holder to permit the use of their work under certain conditions.  

However, a series of landmark lawsuits beginning in the late 2000s has fundamentally altered this interpretation. Through these cases, a body of precedent has been built establishing that Open Source licenses are not mere permissions but possess a dual legal structure, enforceable under both copyright law and contract law. This means that a license violation can be pursued on two distinct legal grounds: as “copyright infringement” for deviating from the conditions of use set by the copyright holder, and as a “breach of contract” for violating the covenants (agreements) between the parties.  

This chapter will chronologically analyze four pivotal lawsuits to explain the process by which the legal status of Open Source licenses evolved from “permission” to “contract.”  

The 2008 decision by the U.S. Court of Appeals for the Federal Circuit in Jacobsen v. Katzer was the first and most critical step in establishing the legal enforceability of Open Source licenses. Before this ruling, the legal consequences of violating an Open Source license remained in a state of uncertainty.  

The case background is as follows: the plaintiff, Robert Jacobsen, developed software for controlling model trains, written in Java, and released it under the Artistic License. This license permits modification and redistribution of the software but requires compliance with certain terms, such as attribution to the original author and clear identification of modified sections. The defendant, Matthew Katzer, incorporated this software into a product for his business but failed to comply with the attribution requirements stipulated by the Artistic License. In response, Jacobsen filed a lawsuit seeking an injunction on the grounds of copyright infringement.  

The Court’s Decision

In the initial trial, the U.S. District Court for the Northern District of California ruled that a violation of the Artistic License’s terms was not a breach of a condition defining the scope of the license, but merely a breach of a covenant — a contractual promise. This distinction is critical: a finding of copyright infringement presumes irreparable harm, making injunctive relief more readily available, whereas a breach of covenant does not carry such a presumption. The district court thus denied the injunction. This decision was met with significant concern, as it threatened to severely weaken the enforceability of Open Source licenses.  

However, the Federal Circuit Court of Appeals overturned the district court’s ruling. It explicitly held that the terms of the Artistic License were not mere covenants but were “conditions” that defined the very scope of the copyright license. Therefore, any use of the software that did not comply with these conditions was an unlicensed use, falling outside the scope of the permission granted and thus constituting copyright infringement.  

This judgment was likely influenced by the growing recognition of the economic value of open source at the time. The appellate court noted that “consideration” for an Open Source license need not be monetary. It identified substantial economic benefits — such as attribution, community feedback, expanded market share, and enhanced reputation — as valid substitutes for financial payment. The court concluded that conditions like attribution requirements were essential for securing these economic benefits and were therefore legitimate interests protectable under copyright law. In essence, this ruling gave a judicial stamp of approval to the Open Source business model itself.  

Significance of the Ruling

The importance of the Jacobsen v. Katzer decision in the context of modern Open Source compliance cannot be overstated. First, it unequivocally established that a violation of an Open-Source license could constitute copyright infringement, providing a firm legal basis for licenses. This empowered Open Source developers to seek injunctive relief — a powerful remedy — against violators. It also created the legal foundation that underpins copyleft licenses, which depend on the ability to legally enforce control over the use of publicly shared source code.  

Furthermore, the ruling propelled the debate over the legal nature of licenses to a new level. By establishing that a license violation was copyright infringement, it drew greater attention to the contractual aspects of licenses. This decision served as the starting point for the complex and nuanced modern understanding of Open Source licenses as possessing a dual nature: that of a “conditional permission” and an “enforceable contract.”  

While the Jacobsen ruling established that Open Source license violations could constitute copyright infringement, the 2011 decision by the U.S. Court of Appeals for the Ninth Circuit in MDY Industries, LLC v. Blizzard Entertainment, Inc. drew a crucial boundary, clarifying that not every breach of a license term automatically amounts to copyright infringement.  

This lawsuit centered on the online game “World of Warcraft.” The defendant, MDY, sold a bot that automated gameplay, an activity explicitly prohibited by the plaintiff Blizzard’s Terms of Use (ToU). Blizzard argued that using the bot violated the ToU, which was part of the software license agreement, and therefore constituted an act of copyright infringement by exceeding the scope of the license.  

The Court’s Decision

The Ninth Circuit rejected Blizzard’s argument, introducing a standard known as the “nexus test” to determine when a license violation constitutes copyright infringement. The court held that “for a licensee’s violation of a contract to constitute copyright infringement, there must be a ‘nexus’ between the condition and the licensor’s exclusive rights.”  

The exclusive rights granted to a copyright holder under U.S. copyright law include the rights of reproduction, distribution, and creation of derivative works. The nexus test asks whether the violated license term directly restricts or conditions the exercise of one of these exclusive rights. The court examined the anti-bot provision in the WoW ToU and determined that it was a “rule of the game” intended to maintain fairness and user experience. It did not have a direct nexus to Blizzard’s exclusive rights of reproduction or distribution. Therefore, the court concluded that using the bot was a breach of the ToU contract (a breach of covenant) but did not constitute copyright infringement.  

From an Open Source perspective, this ruling refined the distinction between “conditions” and “covenants” introduced in Jacobsen by providing a more concrete analytical framework. For example, a violation of the GPL’s source code disclosure requirement or the Artistic License’s attribution requirement would be a breach of a condition directly related to the copyright holder’s exclusive rights (such as the right to create and distribute derivative works) and would thus constitute copyright infringement. In contrast, a clause prohibiting use for a specific purpose or, as in this case, banning cheating in a game, would not be directly related to those exclusive rights and would therefore be a breach of contract. It is also worth noting that in this case, a violation of DMCA §1201 was also found, demonstrating the existence of enforcement avenues beyond contract and copyright law.  

Significance of the Ruling

Although not directly an Open Source case, the MDY decision inadvertently strengthened the contractual aspect of Open Source licenses. By clearly delineating certain license violations as “not copyright infringement, but a breach of contract,” the ruling judicially affirmed that enforcement under contract law is a valid and independent legal remedy, separate from copyright law. If Jacobsen established copyright infringement as a powerful weapon, MDY limited the scope of that weapon while simultaneously highlighting the existence of another: breach of contract.  

This decision provided licensors with the legal foundation for a two-pronged strategy: depending on the nature of the violation, they could pursue injunctive relief based on copyright infringement, seek monetary damages for breach of contract, or employ both. This development led directly to the legal reasoning in the next landmark case, Artifex v. Hancom.  

Artifex v. Hancom (2017): The Court’s Explicit Acceptance of License Contractuality and Monetary Remedies

After Jacobsen opened the door to copyright infringement claims and MDY distinguished them from breach of contract, the 2017 case of Artifex Software, Inc. v. Hancom, Inc. decisively established the contractual nature of Open Source licenses. The court’s order in this case was groundbreaking: it explicitly recognized the GNU General Public License (GPL) as a legally enforceable contract and, crucially, delved into the methodology for calculating monetary damages for its breach. This case has become a central reference point for modern Open Source compliance practices.  

The plaintiff, Artifex Software, is the well-known developer of Ghostscript, which it distributes under a dual-license model: users can either comply with the obligations of the GPL, which include source code disclosure, or purchase a commercial license from Artifex. The defendant, Hancom, a South Korean software company, incorporated Ghostscript into its office suite product and distributed it without purchasing a commercial license and without fulfilling the GPL’s source code disclosure requirements. Artifex sued on grounds of both copyright infringement and breach of contract.  

The Court’s Decision

Hancom’s defense centered on the argument that no contract was formed because it had not signed the GPL and there was no “mutual assent.” The U.S. District Court for the Northern District of California unequivocally rejected this claim. The court found that a contract could be formed through implied consent and that Hancom’s actions – using the software – constituted an expression of its intent to be bound by the GPL. The court noted that the GPL’s text states that modifying or distributing the software signifies acceptance of its terms. Furthermore, Hancom’s decision to use Ghostscript without purchasing a commercial license, while publicly acknowledging it was licensed under the GPL, was deemed sufficient evidence of its agreement to the GPL as a contract.  

Even more significant was the court’s ruling on damages. Hancom argued that since the GPL is a “free” license, Artifex could not have suffered any monetary damages from a violation. The court disagreed, holding that the “price of the commercial license” offered by Artifex could be used as a reasonable basis for calculating damages. The court’s logic was that Hancom had the option to purchase a commercial license to avoid the GPL’s obligations. By choosing instead to enjoy the benefits of using the software for free without fulfilling its duties, Hancom deprived Artifex of the revenue it would have otherwise received. Therefore, the lost profit for Artifex was the commercial license fee Hancom should have paid, making it a valid metric for assessing damages.  

Significance of the Ruling

Although the Artifex case was settled after the district court’s order on September 12, 2017, and did not proceed to a final judgment, the reasoning in that order has fundamentally restructured risk assessment in Open Source compliance.  

First, it became one of the first instances where a U.S. court clearly affirmed that a major Open Source license like the GPL is a legally valid contract, even without a signature. This solidified the dual legal structure, confirming that license violations can be pursued not only as copyright infringement but also as a breach of contract. Relying on contract law opens up different statutes of limitations, choice of law provisions, and remedies, significantly expanding the legal options available to rights holders.  

The most revolutionary aspect of this case, however, was the court’s acceptance of a damages framework. It answered a difficult question: can a violation of a “free” license result in “paid” damages? The district court’s order explicitly permitted the use of commercial license fees in a dual-license model as a strong reference point for calculating damages. This transformed Open Source license violation risk from an abstract “business continuity risk” (e.g., product injunctions) into a concrete “financial risk” involving potentially substantial monetary damages – a far more serious concern for corporations.  

This ruling showed software developers using a dual-license strategy that their business model could also serve as a powerful legal enforcement tool. By establishing their commercial license price as the benchmark for damages, it created a strong economic incentive for compliance. Conversely, for users, the casual use of GPL-licensed software now carried the risk of incurring liability for damages equivalent to a high-priced commercial license.  

SFC v. Vizio (2022–Ongoing): Will Enforcement Extend to Third-Party Beneficiaries?

While the previous three lawsuits established the “enforceability” (Jacobsen), “scope” (MDY), and “contractuality and monetary remedies” (Artifex) of licenses, the ongoing case of Software Freedom Conservancy, Inc. v. Vizio, Inc. ventures into uncharted territory for the Open Source community by asking: who has the right to enforce a license?  

The plaintiff, the Software Freedom Conservancy (SFC), is a well-known non-profit organization that promotes free software. The defendant, Vizio, is a major manufacturer and seller of smart TVs. Vizio’s smart TVs incorporate numerous Open Source components licensed under copyleft licenses such as GPLv2 and LGPLv2.1, including the Linux kernel. These licenses require distributors of modified works to provide the complete corresponding source code upon request. The SFC alleges that Vizio has failed to fulfill this obligation and is therefore in breach of contract.  

The most distinctive feature of this lawsuit is that the plaintiff, SFC, is not the copyright holder of the software embedded in Vizio’s TVs. While litigation is typically a dispute between a licensor and a licensee, SFC is suing from the position of an “end user” who purchased a Vizio TV as a consumer. SFC’s legal argument is that the GPL is a contract intended to benefit not only the direct parties (licensor and licensee) but also all end users who receive the software. Therefore, end users are “third-party beneficiaries” of the contract and have a right to directly sue Vizio to demand the contractual benefit of receiving the source code.  

This lawsuit suggests that the right to enforce an Open Source license could extend beyond copyright holders to third-party beneficiaries. For better or worse, its outcome could shake the entire Open Source ecosystem.  

The Court’s Decision

The case has followed a fascinating procedural path. SFC initially filed in state court. Vizio had the case removed to federal court, which then ordered it remanded back to state court, where it is now proceeding in the Orange County Superior Court.  

Vizio’s strategy was to argue that SFC’s breach of contract claim was effectively a claim for a remedy under copyright law, which would be preempted by federal law, thus placing the case under federal jurisdiction. A federal copyright framework would likely weaken or nullify SFC’s claim for source code. However, the federal district court ruled that SFC was seeking specific performance of the “source code provision” obligation under the GPL contract as a third-party beneficiary. This was not a claim for a right equivalent to the exclusive rights under copyright law, but a separate contractual right. The court therefore remanded the case to state court. This series of events has, paradoxically, reinforced the contractual logic of the GPL established in the Artifex case.  

Although the case is still pending, with a trial scheduled to begin in October 2025, a critically important interim ruling has already been made. Vizio filed a motion to dismiss, arguing that SFC lacked standing to sue because it was not a copyright holder. The state court denied Vizio’s motion, finding that SFC’s third-party beneficiary claim was legally plausible. The judge suggested that “it may be essential for third parties like SFC to have the right to enforce the source code provision to achieve the GPL’s purpose.” The judge reasoned that individual copyright holders, who may be located far away, rarely have the financial incentive or resources to track down and sue every violator worldwide. Without granting enforcement rights to end users, the GPL’s source code disclosure obligation could become a dead letter.  

Significance of the Ruling

If this lawsuit ultimately concludes in favor of SFC, it will fundamentally transform the Open Source license enforcement model, with immeasurable consequences.  

Traditionally, license enforcement has been carried out by copyright holders. When assessing legal risk, corporations have typically considered a very limited set of potential plaintiffs, such as the Free Software Foundation (FSF) or specific software vendors. However, if SFC’s third-party beneficiary theory is upheld, the pool of potential enforcers could expand to include every consumer who buys a product, every researcher who analyzes it, every advocacy group, and even competitors. The number of potential plaintiffs could explode from a handful to millions.  

This would mean that for corporations, the nature of compliance risk would shift from a “risk of litigation from specific, known entities” to a “risk of unpredictable class-action lawsuits from a vast, unknown public.” The motivations for such lawsuits could also diversify, ranging from financial gain to ideological principles such as the right to repair, transparency, or the pursuit of freedom.  

While the final outcome of SFC v. Vizio is not yet clear, it is highly likely to force a fundamental reassessment of how corporations approach their engagement with open source.  

2. The Impact on License Violation Risks

The legal interpretations developed in the series of cases from Jacobsen to SFC v. Vizio have established that Open Source licenses possess two faces: a “conditional permission” under copyright law and a “bilateral agreement” under contract law. This dual legal structure has dramatically increased the risk of license violations in both quality and quantity.  

Previously, risk assessment for license violations was based primarily on copyright infringement principles. The greatest risk, as demonstrated in Jacobsen, was an “injunction” based on copyright infringement. This meant that the manufacturing, sale, and distribution of a product could be halted, representing a “business continuity risk” for a company, but not necessarily a direct financial loss. However, since the Artifex ruling, remedies under contract law have become a powerful option, creating a complex and severe set of risks for corporate users from three perspectives:  

  • Manifestation of Business Disruption and Damages Risk: In addition to the traditional risk of an injunction, the risk of direct monetary damages based on breach of contract has become a reality. In the case of dual-licensed software, this amount could be equivalent to a high-priced commercial license fee.  
  • Diversification of Legal Tactics for Plaintiffs: Plaintiffs can now choose to argue copyright infringement, breach of contract, or both, depending on the nature of the violation. This provides greater tactical flexibility in court, especially since in the U.S., a copyright infringement suit generally cannot be filed until a registration certificate is issued by the Copyright Office, a constraint that does not typically apply to contract claims.  
  • Explosive Growth in Potential Plaintiffs: As the ongoing SFC v. Vizio case shows, the right to enforce a license may expand from copyright holders to end users. This could result in an unpredictable and unmanageable number of potential plaintiffs scattered across the globe.  

The following sections will delve into how these risks specifically affect corporations, particularly Japanese companies operating in the global market.  

The Risks of Using Software with a Dual-License Strategy

The dual-license strategy is a common method for Open Source development vendors to build a sustainable business model. However, since the district court’s order in Artifex v. Hancom, this strategy has also become a powerful legal tool for imposing economic sanctions on license violators. This is because the court’s order showed that damages for violating a copyleft license like the GPL could be calculated based on the price of the corresponding commercial license.  

This legal theory is not a localized phenomenon unique to the United States. The February 2024 judgment of the Paris Court of Appeal in Entr’ouvert v. Orange clearly demonstrates that this risk is universal and transcends borders. The plaintiff, Entr’ouvert, offered an authentication library called Lasso under a dual GPL and commercial license. The major telecommunications operator Orange used Lasso in its portal development but failed to comply with its GPL obligations and did not purchase a commercial license. The Paris Court of Appeal found Orange liable for copyright infringement and license violation, ordering it to pay €500,000 in damages, €150,000 for moral damages, €150,000 in disgorgement of unjust enrichment, and €60,000 for costs.  

Particularly noteworthy in this ruling is the basis for calculating the damages: the amount awarded was nearly identical to the price of the commercial license for Lasso that had previously been quoted to Orange. This shows that the same logic applied in the Artifex case—that the commercial license fee the violator should have paid serves as the standard for the rights holder’s damages – has been adopted not only in a common law jurisdiction like the U.S. but also in a civil law jurisdiction like France.  

This provides an extremely important lesson for Japanese companies. In recent years, a wide variety of dual-licensed Open Source products are being used in software development within Japan. It is now highly probable that if a company, intentionally or not, fails to comply with its GPL obligations, it could face a lawsuit from the Open Source vendor seeking damages based on the commercial license fee.  

Those with some knowledge of Japanese law might argue that this is not new; under Japanese copyright law, referencing commercial license prices or standard royalties to calculate damages is consistent with the legal framework. Furthermore, the view that Open Source licenses like the GPL are contracts has always been dominant in Japan, making it straightforward to claim damages for breach of contract. From this perspective, the U.S. and French cases merely set precedents for what was already predictable. However, many Japanese companies have traditionally operated under the facile assumption that “free software means no financial damages.” The U.S. and European examples now provide compelling evidence that such a mindset is no longer tenable.  

In any case, Japanese companies must recognize that the cost of non-compliance has transformed from an abstract business risk into a concrete financial one.  

The Risk of Prosecution by Foreign Rights Holders in Their Local Jurisdictions

Discussions of license violation litigation risk in Japan have often vaguely assumed that such lawsuits would be filed in Japan under Japanese law. However, many of today’s most important Open Source software tools, including those with Source Available licenses, are maintained by U.S.-based companies or organizations. Based on the contract theory established in Artifex v. Hancom, it is entirely plausible that these U.S. entities could file a lawsuit against a Japanese company in their home state court, based on contract law. In fact, this is not just plausible; it is precisely what happened in Artifex v. Hancom, where the defendant, Hancom, was a South Korean company. The district court found it had personal jurisdiction because of Hancom’s sales, distribution, and support activities within the U.S. By framing a GPL violation as a breach of contract, it becomes easier to overcome the barrier that “U.S. copyright law generally does not apply extraterritorially.”  

Under the traditional U.S. theory of unilateral permission, the legal basis would be copyright law. In copyright matters, the applicable law is typically that of the jurisdiction where the infringement occurred. This means that for an infringement that took place in Japan, the lawsuit would, as a rule, be filed in Japan. However, if the license is also a contract, a claim can be based on contract law, allowing many U.S. companies to file suit in their home state courts, forcing the foreign defendant to fight on unfavorable ground. While some may hold the reckless view that a lawsuit from abroad can simply be ignored, Japan is a signatory to the Hague Service Convention. A summons from another signatory country will eventually be delivered, and failure to appear in court will likely result in a default judgment in favor of the plaintiff.  

Furthermore, while a lawsuit in Japan is unlikely to result in punitive damages, with compensation for lost profits generally not far exceeding the equivalent commercial license fee, a U.S. lawsuit presents different risks. Depending on the circumstances, particularly if claims of tort or unfair trade practices under state law are included, or if willfulness and malicious intent are proven, punitive or treble damages could be awarded under specific statutes (e.g., state consumer protection acts, the Lanham Act, or RICO). Additionally, the awarding of attorney’s fees and prejudgment interest on contractual debt could lead to damage awards of a magnitude rarely seen in Japan.  

Therefore, when using Open Source tools from foreign rights holders, especially those that also offer a commercial license, companies must be aware that in a worst-case scenario of non-compliance, they could be sued in the rights holder’s home jurisdiction and be forced to litigate under local laws that could result in substantial damages.  

The Risk of Cross-Border Litigation from End Users

The final frontier of Open Source compliance risk may be the expansion of potential plaintiffs to include a vast, undifferentiated public of end users. When the legal status of “license as contract” established by Artifex v. Hancom is combined with the “end user as third-party beneficiary” theory currently being tested in SFC v. Vizio, Japanese companies that use a significant amount of Open Source software from U.S. rights holders and offer products or services in the U.S. market will face a new kind of litigation risk, unprecedented in scale and nature.  

Consider this scenario: a Japanese automaker sells a new car model in the U.S. that includes an infotainment system running on a tool offered under a dual GPL and commercial license. According to the logic of Artifex, by selling (distributing) the car to a U.S. consumer, the automaker is deemed to have entered into a GPL contract with the tool’s developer. A condition of this contract is the obligation to provide the complete corresponding source code for the system upon request. Now, imagine a consumer purchases this car, wants to customize the infotainment system, and requests the source code from the automaker under the GPL. If, for some reason, the request is ignored or only incomplete code is provided, what happens next? If SFC wins its case against Vizio, that individual consumer, as a “third-party beneficiary” of the GPL contract, would have legal standing to sue the Japanese automaker in a U.S. court to demand the source code.  

This scenario illustrates the synergistic effect of the risks created by these two legal precedents, dramatically increasing the threat to Japanese companies on multiple fronts:  

  • “Localization” of Risk: Previously, the primary entities to be concerned about in a GPL violation lawsuit were specific organizations like the Linux kernel developer community or the FSF. For these entities to sue a Japanese company in a U.S. court involved considerable hurdles. However, if the Vizio legal theory is established on top of the Artifex logic, the plaintiff becomes a “local consumer” who can be found anywhere the product is sold in the U.S. The lawsuit would be filed in a local court under local law, effectively eliminating all geographical and legal barriers.  
  • “Democratization” of Risk: The pool of potential litigants would expand from a small group of expert organizations to the undifferentiated mass of the general public who purchased the product. Potential plaintiffs could include advocacy groups like SFC, individual developers, power users, or even activists advocating for the “right to repair,” each with different motivations and backgrounds. This would expose companies to the constant threat of being sued by an unpredictable party at an unpredictable time.  
  • “Asymmetrization” of Risk: The plaintiffs’ motivations could range from financial gain to ideological principles, such as the pursuit of freedom or the correction of a company’s compliance practices. This makes it difficult to resolve disputes with small settlement payments and may force the company to take a principled stand. Furthermore, the damage to a company in the event of a loss would be extensive, ranging from litigation costs to severe harm to its brand image.  

Thus, at the confluence of the legal streams flowing from Artifex and SFC v. Vizio, a very challenging litigation environment is forming for the many Japanese companies that are users of open source. Operating in this environment demands a sophisticated governance framework for managing legal risks, particularly those arising under U.S. law.  

3. A Message to the Freedom Community

The preceding sections have analyzed the risks from the perspective of corporations that use open source. But how does this situation look from the viewpoint of the original community?  

Jacobsen v. Katzer recognized that conditions such as attribution in Open Source licenses were legally enforceable under copyright law, making their violation an act of copyright infringement. Artifex v. Hancom made the GPL enforceable as a contract. And SFC v. Vizio has opened the possibility for entities other than the copyright holder to compel source code disclosure as third-party beneficiaries. This state of affairs is, in many ways, what parts of our freedom-seeking community have long desired. The fact that non-compliance carries legal risk provides a coercive force that may be a blessing for the maintenance of the Open Source ecosystem.  

However, the current situation also carries the potential for something to be lost.  

Simply because we have acquired the means of legal enforcement does not mean that resolving every issue through immediate litigation will have a positive impact on our community. If the third-party beneficiary theory is interpreted too broadly, it could turn anyone into a private attorney general, inviting arbitrary demands and non-consensual disputes. Taken to an extreme, this could lead to the avoidance of Open Source adoption or a reluctance to contribute to the community due to excessive legal costs. Therefore, the resolution of license violations should, as much as possible, rely on flexible remediation within the community. Indeed, the FSF itself, in its “Principles of Community-Oriented GPL Enforcement,” explicitly states that education should be prioritized, a position with which this author agrees.  

Furthermore, if contract theory becomes too dominant, it can be used to justify behavioral restrictions (such as terms of use) that fall outside the scope of copyright, under the rationale that they are part of a contract. This creates tension with the principle of non-discrimination in the “Open Source Definition,” a problem that is already becoming a reality in the licensing of AI models. Additionally, unlike copyright, which is governed by relatively uniform principles globally, the scope of contract law and third-party beneficiary rights varies significantly between jurisdictions. This increases the operational burden for global Open Source projects.  

Thus, it is important to recognize that these developments are not entirely positive for our community.  

One final point: while this article has focused on the establishment of the contractual nature of Open Source licenses in the U.S. and its impact, and while the theory that the GPL is enforceable as a contract from Artifex v. Hancom certainly poses a risk to many Japanese companies, there is another category of products whose usage risk is arguably growing even faster than that of GPL-licensed software. This is the risk associated with adopting products under so-called “Source Available” licenses, such as the Server Side Public License (SSPL) or the Business Source License (BUSL). Products under these licenses almost invariably employ a dual-license strategy, and unlike Open Source companies, their vendors do not need to be concerned with their reputation within the community. A slight downturn in business performance could be a strong motivator to resort to a litigation strategy.  

Moreover, under contract theory, the common Japanese practice of treating usage within a corporate group as “internal use” based on a greater than 50% controlling interest under company law is unlikely to hold up under the laws of many U.S. states, such as New York or California. There is a real concern that we will see cases where these differences in applicable law are exploited to file lawsuits in the U.S. seeking substantial damages. While one could argue that Source Available is not open source and therefore not our problem, many people will perceive a lawsuit brought by a company they consider close to our community as an action by one of our own. Our community must be prepared to uphold its principles and act in solidarity to address such situations appropriately as they arise.  

4. Conclusion

As detailed in this report, the legal status of Open Source licenses has undergone a dramatic evolution in less than two decades. Once considered a “unilateral permission” by copyright holders, with their legal enforceability in question, licenses have, through a series of landmark judicial decisions in the United States, come to possess a robust dual legal structure supported by both copyright and contract law.  

Jacobsen v. Katzer was the first milestone, establishing that a license violation could constitute copyright infringement and giving Open Source licenses “legal teeth” in the form of injunctive relief. MDY v. Blizzard delineated the boundary between copyright infringement and breach of contract, refining the dual structure. Artifex v. Hancom affirmed that the GPL is an enforceable contract and created a framework for financial risk by allowing damages to be calculated based on commercial license fees. And the ongoing SFC v. Vizio case suggests that the right to enforce a license may expand to end users as “third-party beneficiaries,” threatening to fundamentally change who can be a compliance plaintiff.  

As a result of the legal interpretations built up by these lawsuits, the risk of an Open Source license violation has been fundamentally transformed into something complex and multi-layered. The nature of the risk has shifted its center of gravity from business continuity risk (product injunctions) to direct financial risk (high-value damages). The source of the risk holds the potential to diffuse from a few copyright holders to a vast, undifferentiated public of end users. Furthermore, the geographical dimension of the risk has expanded from a domestic issue between developers and users to a cross-border problem where companies operating in the global market can be judged in foreign courts.  

This new risk landscape presents a serious management challenge, especially for Japanese companies that provide products and services globally. The era of treating Open Source compliance as a technical or legal issue handled by a fraction of the development or legal departments is definitively over. The use and management of open source must now be positioned as a company-wide strategic priority. To continue enjoying the benefits of technological innovation that open source provides, it is essential to correctly understand the weight of the legal responsibilities that lie on the other side.  

5. References

Wikipedia: Jacobsen v. Katzer
https://en.wikipedia.org/wiki/Jacobsen_v._Katzer  

Jacobsen v. Katzer https://wiki.creativecommons.org/images/9/98/Jacobson_v_katzer_fed_cir_ct_of_appeals_decision.pdf  

Jacobsen v. Katzer: Failure of the Artistic License and Repercussions for Open Source https://scholarship.law.unc.edu/cgi/viewcontent.cgi?article=1133&context=ncjolt  

Wikipedia: MDY Industries, LLC v. Blizzard Entertainment, Inc. https://en.wikipedia.org/wiki/MDY_Industries,_LLC_v._Blizzard_Entertainment,_Inc.  

MDY Industries, LLC v. Blizzard Entertainment, Inc. https://cdn.ca9.uscourts.gov/datastore/opinions/2011/02/17/09-15932.pdf  

MDY INDUSTRIES LLC v.
https://caselaw.findlaw.com/court/us-9th-circuit/1555898.html  

Artifex Software Inc. v. Hancom Inc.
https://www.govinfo.gov/app/details/USCOURTS-cand-3_16-cv-06982/USCOURTS-cand-3_16-cv-06982-2  

Justia: Artifex Software, Inc. v. Hancom, Inc. https://docs.justia.com/cases/federal/district-courts/california/candce/3%3A2016cv06982/305835/54  

Linux.com: Artifex v. Hancom: Open Source is Now an Enforceable Contract https://www.linux.com/topic/open-source/artifex-v-hancom-open-source-now-enforceable-contract/  

Software Freedom Conservancy v. Vizio Inc.
https://sfconservancy.org/copyleft-compliance/vizio.html  

Justia: Software Freedom Conservancy, Inc. v. Vizio, Inc. et al https://docs.justia.com/cases/federal/district-courts/california/cacdce/8%3A2021cv01943/837808/30/  

Free Software Foundation: The Principles of Community-Oriented GPL Enforcement https://www.fsf.org/licensing/enforcement-principles

こんにちは。

Shuji Sado

Open Source Guy

Let’s connect

JP Home: https://shujisado.com/

Join the fun!

Stay updated with our latest tutorials and ideas by joining our newsletter.

Recent posts

The Hidden Risks of NVIDIA’s Open Model License

Recently, regarding the open-weights AI model “Nemotron 3” released by NVIDIA, there are scattered media reports mistakenly describing it as open source. Because there is concern that these reports encourage ignoring the usage risks of the NVIDIA Open Model License Agreement (version dated October 24, 2025; hereinafter referred to as the NVIDIA License), which is…

The Current State of the Theory that GPL Propagates to AI Models Trained on GPL Code

When GitHub Copilot was launched in 2021, the fact that its training data included a vast amount of Open Source code publicly available on GitHub attracted significant attention, sparking lively debates regarding licensing. While there were issues concerning conditions such as attribution required by most licenses, there was a particularly high volume of discourse suggesting…

The Legal Hack: Why U.S. Law Sees Open Source as “Permission,” Not a Contract

In Japan, the common view is to treat an Open Source license as a license agreement, or a contract. This is also the case in the EU. However, in the United States—the origin point for almost every aspect of Open Source—an Open Source license has long been considered not a contract, but a “unilateral permission”…

Evaluating OpenMDW: A Revolution for Open AI, or a License to Openwash?

Although the number of AI models distributed under Open Source licenses is increasing, it can be said that AI systems in which all related components, including training data, are open are still in a developmental stage, even as a few promising systems have emerged. In this context, this past May, the Linux Foundation, in collaboration…

A Curious Phenomenon with Gemma Model Outputs and License Propagation

While examining the licensing details of Google’s Gemma model, I noticed a potentially puzzling phenomenon: you can freely assign a license to the model’s outputs, yet depending on how those outputs are used, the original Terms of Use might suddenly propagate to the resulting work. Outputs vs. Model Derivatives The Gemma Terms of Use distinguish…

Should ‘Open Source AI’ Mean Exposing All Training Data?

DeepSeek has had a major global impact. This appears to stem not only from the emergence of a new force in China that threatens the dominance of major U.S. AI vendors, but also from the fact that the AI model itself is being distributed under the MIT License, which is an Open Source license. Nevertheless,…

Significant Risks in Using AI Models Governed by the Llama License

Although it has already been explained that the Llama model and the Llama License (Llama Community License Agreement) do not, in any sense, qualify as Open Source, it bears noting that the Llama License contains several additional issues. While not directly relevant to whether it meets Open Source criteria, these provisions may nonetheless cause the…

The Hidden Traps in Meta’s Llama License

— An Explanation of Llama’s Supposed “Open Source” Status and the Serious Risks of Using Models under the Llama License — It is widely recognized—despite Meta’s CEO persistently promoting the notion that “Llama is Open Source”—that the Llama License is in fact not Open Source. Yet few individuals have clearly articulated the precise reasons why…