In my posting about a DoD meeting I attended concerning open source acquisition, I mention “discussion about a couple of ‘corner cases’ where certain licenses had clauses, which could conflict with federal law.” There were two that came up in the meeting: one having to do with disclosure of confidential information and the other an apparent conflict between government regulations and the Apache license – the latter seems to be fading as an issue.
Here was the problem: In 1982 Congress passed the Antideficiency Act which prohibits federal employees from authorizing an expenditure that isn’t funded. Makes sense, but Wow! are there some big teeth in the law including suspension, fines or even imprisonment for an individual that violates it.
It’s not surprising, then, that the Army procurement officials are goosey about the ADA, and that they conferred with counsel when they came across this clause in the Apache License:
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.
The concern is that indemnifying others without the funding to back up any possible claims would be a violation of the Antideficiency Act. This came up in a specific procurement, and lawyers for the vendor argued back that the Army had no exposure as long as they only used the software and didn’t redistribute the software, which was extremely unlikely. According to recent discussion on the Apache legal list, “The Army, however, believes that any contingency indemnification obligation, no matter how unlikely, constitutes an ADA violation.”
Well, according to an article in Fierce Government IT, the Army has rethought its position. It seems that “since the likelihood of any government agency agreeing to indemnify a software user is as close to zero as possible, Army lawyers dropped their concern.”
Military sources go on, however, to caution that this should not be interpreted broadly to mean that all indemnification clauses are OK with the DoD.
Our data say that over 5% of the open source out there is under that Apache license (that’s over 30,000 projects). And further, the Apache web server is virtually a de facto standard. So, a lack of access to Apache licensed software was going to be a big impediment to the DoD. Bravo to the Army for rethinking and taking a stand on the side of open source software.
