Goldman Sachs case; can open-source software be stolen?
27 August, 2009 12:57
Arrested last month for stealing cutting-edge trading software from his former employer, Goldman Sachs Group Inc., programmer Sergey Aleynikov offered up an interesting defense: he was only trying to download open-source software.
According to a report published Sunday in the New York Times, Aleynikov told FBI investigators that he had inadvertently taken about 32 MB of proprietary Goldman Sachs code while taking open source code that can be used freely by anyone.
Aleynikov, a high-level developer for Goldman Sachs, was arrested by the FBI on July 3 on charges of stealing computer code that automates the firm's high-volume trading on stock and commodities markets.
Aleynikov, who is now free on bail, told the FBI he had not used the code at his new job nor given it to anyone else, according to the Times story. The complaint does not include such charges.
The case raises many intriguing questions, such as what exactly is the 'secret sauce' behind the high-speed trading software that some experts told the Times is used by Wall Street firms to generate huge revenues -- some $8 billion this year.
Experts also say the software could be giving the large trading firms an unfair advantage over regular investors.
Observers also wonder why Aleynikov didn't simply download the unnamed open-source code from any of its free repositories rather than from Goldman Sachs systems. And programmers and open-source users are left wondering whether Aleynikov can be found guilty of stealing the code that belongs to the programming community.
Actually, he can, according to legal and open-source experts who cite the terms and conditions of the General Public License (GPL), which is used to govern the use of about two-thirds of open-source software.
"This is a common misconception," said Brett Smith, license compliance engineer at the Free Software Foundation (FSF), which oversees use of the GPL.
Though the FSF has long argued that all software and source code should be free -- just today, it launched a campaign against the "sins" of Microsoft's proprietary Windows 7 operating system -- the terms of the GPL do include some restrictions.
For example, the GPL states that companies that modify open-source software for internal use aren't required to share code changes with the open source world, said Smith.
"You never have to provide the source code to an upstream developer or the general public if you don't want to," he said.
The GPL does require the sharing of source code if the developer or his or her employer plans to distribute the software, either by giving it away for free or even selling it, Smith said.
"People get the impression that you're not allowed to distribute GPL-licensed software for a fee," he said. "We're pretty happy for you to make money on it."
Nonetheless, Smith did contend that the GPL is the strictest open-source license when it comes to code-sharing requirements.
The MIT and BSD licenses, for example, "have no ongoing obligations," according to Andy Updegrove, a Boston lawyer who represents several open-source organizations.
"So if the [Goldman Sachs] code in question was under these, then this guy would not have had any right to the code nor would he be likely to have had a public repository to turn to find Goldman Sachs' altered version."
So Goldman Sachs likely was not required to share any of its modified open-source code, and thus its aggressive moves to make sure none of it comes to light are unsurprising. "I've never heard of" a Wall Street firm donating source code back to a project, Smith said.
And having worked in a highly-competitive industry that depends on top-secret software to generate billions in profits, Aleynikov probably should have known better, says Daren Orzechowski, a New York-based intellectual property lawyer with White & Case LLP.
"I've worked with a lot of financial institutions and large corporations," he said. "I'm sure that a person with this type of position (Aleynikov was a Goldman Sachs vice-president earning some $400,000 a year who left to make $1.2 million at his next job, according to the Times) would have signed a number of agreements that would have made it very clear that everything that he works on and touches while working for the bank is the property of the bank. The IP laws in the U.S. would back that up."
Updegrove added: "To the extent that the identical code was available elsewhere, he used poor judgment taking the code from a Goldman Sachs server. To the extent he took any altered code based on open-source code that Goldman Sachs had not already contributed back to the project, I see no reason why this would not run afoul of his contractual obligations to Goldman Sachs, just as would normal proprietary code."
On the other hand, the downloading of the code has not yet damaged Goldman Sachs' business. And Securities Industry News reported earlier this month that the bank is likely to settle with Aleynikov to make sure that it can minimize the amount of information it would have to reveal about its trading platform.
Orzechowski recommends that programmers in highly-competitive industries like securities trading talk to their company's lawyers about how to use and document their use of open-source software.
"There are ways to develop apps that are isolated modules so that you won't trigger the viral [code-sharing] provisions of open-source software," he said.