1.
Dr. Hendrik Schöttle
Rechtsanwalt, Partner,
Fachanwalt für IT-Recht
2021
Legal Tech Add-On for OSS Compliance
FOSSmatrix

2.
1
osborneclarke.com
Hendrik Schöttle has been working as a lawyer since 2005, since 2007 in Osborne
Clarke's Munich office. He has worked several times in the legal departments of IT
companies within the scope of secondments. He also worked for several years as a
software developer at the Institute for Legal Informatics at Saarland University. His
practical experience and technical know-how benefit his clients in technology-
related consulting.
He is the author of numerous publications, co-author of several handbooks and
commentaries, including the Beck‘sche Handbuch IT- und Datenschutzrecht and the
juris Praxiskommentar zum BGB.
Hendrik Schöttle is a lecturer at the German Lawyers‘ Academy for the specialist IT
law course and regularly gives lectures on IT law topics.
He is a member of the board of BITKOM‘s Open Source Working Group, a member
of the Committee on Data Protection Law of the German Federal Bar Association
(BRAK), the Information Technology Working Group of the German Bar Association
(DAV) and the German Society for Law and Information Technology (DGRI).
Dr. Hendrik Schöttle advises on IT and data protection law.
Hendrik Schöttle was named one of the best lawyers in IT law in 2019 and 2018 by
both the Handelsblatt and Best Lawyers as well as by Wirtschaftswoche. A competitor
quoted in the JUVE Handbook 2019/2020 recommends him as a "top name in open
source”. He is listed in the Kanzleimonitor 2018/2019 and 2017/2018 as a repeatedly
recommended lawyer in IT law. The Kanzleihandbuch Legal 500 Deutschland
recommends him because of his “very good knowledge of IT, even when it comes to
exotic questions” and his “very quick understanding of technical details”. In 2015 he
was awarded the Client Choice Award by Lexology and the International Law Office
(ILO) in the category IT and Internet Law.
He has many years of experience in consulting, drafting contracts and negotiating
complex IT projects. His focus is on IoT, digitalisation and cloud computing. He
advises on software licensing models, especially open source software, and on data
protection law. His clients include internationally active technology groups as well as
renowned IT and e-business companies.
Contact
Dr. Hendrik Schöttle
Partner, Fachanwalt für IT-Recht
Germany
+49 89 5434 8046
hendrik.schoettle@osborneclarke.com
“Top name in
the field of Open
Source”.
Competitor, JUVE
Handbook
2019/2020

3.
2
osborneclarke.com
Why a License Matrix?
• Why a licence matrix when implementing Open Source Compliance?
– Common scanning tools often only compile licence texts and copyright clauses, but do not provide a
detailed and comprehensible overview of other licence obligations
– All the obligations of a licence must be
• scanned, evaluated and then
• be matched with own use.
– The interpretation of individual licences and their obligations is often controversial
– The binary representation of a result alone does not help in the case of controversial interpretations

4.
3
osborneclarke.com
Example: Use Case “ASP Use”
• Example: Use Case “ASP use”: Is making software available in the form of Application Service Provision
(ASP/SaaS) permissible?
– Many licences do not contain clear rules on this
– Usual solution: Many memos on individual licences. Unclear and no help for a quick overview of
compliance with obligations depending on the specific use case
• Our solution:
– Splitting the question into partial aspects and arguments for or against
– Weighting of the aspects with different score values and evaluation logic
– Calculation of the score values
– Clear presentation
– Comparison with application scenarios of the respective company

5.
4
osborneclarke.com
Example: Use Case “ASP Use”
• Example: Use Case “ASP use”: Is making software available in the form of Application
Service Provision (ASP/SaaS) permissible?
• We asked ourselves two questions:
− Is ASP use permitted under the relevant licence?
− If yes: does ASP use trigger the respective obligations of the licence?

6.
5
osborneclarke.com
Example: Use Case “ASP Use”
• Is ASP use permitted under the relevant licence?
− Does the licence text itself contain an explicit provision?
− Are there official statements from product owners or licence stewards?
− Is reference made to ASP Use Cases in the licence text?
− Do licence obligations tie in with ASP Use Cases?
− Was the licence created before ASP was known to be an independent form of use?
− Does the licence generally contain a far-reaching grant of rights of use?
− Is a right of public display or public performance granted?
− Are there known cases of software licensed under the licence and used in the form of
ASP?
− Are there any other facts that indicate a right of use?

7.
6
osborneclarke.com
Use Cases
License Assessment – ASP provision allowed?
ully Compliant
o Conflict 100
License does allow ASP provision.
Open Issue
To be clarified
50 Unclear, whether license allows ASP
provision.
50,00
Compliant
Conflict Unlikely
0 License does likely allow ASP
provision.
,00
ully Compliant
o Conflict 100
License does allow ASP provision.
Conflict
20 License s does likely not allow ASP
provision.
,00
Compliant
Conflict Unlikely
0 License does likely allow ASP
provision.
5 ,00
ully Compliant
o Conflict 100
License does allow ASP provision.
Open Issue
To be clarified
50 Unclear, whether license allows ASP
provision.
50,00
Compliant
Conflict Unlikely
0 License does likely allow ASP
provision.
,00
ully Compliant
o Conflict 100
License does allow ASP provision.
Conflict
20 License s does likely not allow ASP
provision.
,00
Compliant
Conflict Unlikely
0 License does likely allow ASP
provision.
5 ,00

8.
7
osborneclarke.com
Legal-Tech solution with two functions:
• Evaluation of licences, standardised, fully
documented and parameterisable with
percentage data for automatic further
processing
• Use Case Mapping against the respective
licenses with automated conflict checking
Our approach

9.
8
osborneclarke.com
Standardised assessment of
individual licensing obligations
By means of a predefined set
of options and an associated
evaluation metric and logic,
licensing obligations can be
clearly structured,
automatically evaluated and
compared.
1 AGPL .0 only
Medium Alert
Limited Use Case
Match
5 License does permit with restrictions
prohibiting distribution.
Permitted w
restrictions where
forbidden
Sections , 5 and .
The license can be understood as having tacitly excluded
certain methods of distribution by producing an
exhaustive list of obligations for distribution methods of
the source code for distributed binary forms which, for
Information
5
License does neither permit nor
require, but prohibit use in M
environment.
orbidden
explicitly
Section Para 5
Installation Infor
Installation Infor
includes authori
required to install
covered work . Th
2 altova eula
Limited Conflict 25
License does neither permit nor
require, but prohibit with exceptions
permitting distribution.
orbidden w
exceptions where
permitted
According to Section 1. a iv Sentence 2, licensee may
only distribute the restricted source code together with
licensees unrestricted source code in executable
ob ect code form.
Compliant
Conflict Unlikely
License does not contain any
stipulation on use in M
environment. As a consequence, this
is deemed permitted.
ot mentioned
A TL P Compliant
Conflict Unlikely
0 License does only implicitly permit
distribution. Permitted
implicitly
According to Para 1 Sentence 1, the software is fully in
the public domain. This includes the right to distribute it.
Compliant
Conflict Unlikely
License does not contain any
stipulation on use in M
environment. As a consequence, this
is deemed permitted.
ot mentioned
BS 2 Clause ully Compliant
o Conflict
100 License does explicitly permit
distribution. Permitted
explicitly
Section 1 explicitly allows redistributions of source code,
Section 2 explicitly allows redistributions in binary form.
Compliant
Conflict Unlikely
License does not contain any
stipulation on use in M
environment. As a consequence, this
is deemed permitted.
ot mentioned
5 CC0 1.0 Compliant
Conflict Unlikely
0 License does only implicitly permit
distribution. Permitted
implicitly
In Section 2, sentence 1, licensor first waives all rights to
the greatest extent permitted by law. Second, in Section
sentence 2, licensor grants a respective license to the
maximum extent possible, in case a waiver under
Section 2 should not be possible. This can both be
understood as respective grant of distribution rights.
Compliant
Conflict Unlikely
License does not contain any
stipulation on use in M
environment. As a consequence, this
is deemed permitted.
ot mentioned
CC B SA .0 ully Compliant
o Conflict
100 License does explicitly permit
distribution. Permitted
explicitly
Section 2.a.1.A. and B. refer to the sharing of licensed
material, which includes also the distribution of the
licensed material, according to the definition of share in
Section 1.k. Information
5
License does neither permit nor
require, but prohibit use in M
environment.
orbidden
explicitly
According to Section 2.a
the access to the license
measures. The CC wiki a
by the license steward of
M as being covered by
https: wiki.creativecomm
Google Chrome OS Adobe
Additional ToS 0 2020
Medium Alert
Limited Use Case
Match
5 License does permit with restrictions
prohibiting distribution.
Permitted w
restrictions where
forbidden
According to Section 1. a , distribution is only allowed in
form of a browser plug in. Additional conditions in
Section have to be complied with.
However, it is not clear whether licensor has mistakenly
simply forwarded terms that were only allowing
ully Compliant
o Conflict
100 License does explicitly require use in
M environment. equired
explicitly
Section 1. d requires tha
Chrome eader Software
P and EPUB document
Section 1. c , the software
P or EPUB documents
Google Chrome OS MPEG
Additional ToS 0 2020 Conflict
20 License does neither permit nor
require, but prohibit distribution.
orbidden
implicitly
License speaks of personal and non commercial use of
a consumer or other users. istribution is not mentioned
in license text.
Compliant
Conflict Unlikely
License does not contain any
stipulation on use in M
environment. As a consequence, this
is deemed permitted.
ot mentioned
Google ToS 0 2020
Conflict
0 License does neither permit nor
require, but prohibit distribution.
orbidden
explicitly Section Software in Google services , Para .
Compliant License does not contain any
stipula
10 OT L 201 ully Compliant
OSSmatrix
2020 Osborne Clarke
istribution is not understood as the mere resale of one single copy received which may be permitted under mandatory copyright laws anyway . Third
parties in the aforementioned sense are any legal entities or natural persons other than the distributor. A mere internal provision of copies within on legal
entity is not regarded as distribution. istribution is also given in case of offering the software for download to the public.
hile this Section . does only cover distribution by the initial recipient of the Software, a further subdistribution of any downstream recipients is covered
by Section . a. This enables to capture licenses which grant only a non transferable right to distribute software to one further downstream recipient, but
does not allow further subdistribution by this downstream recipient. See also Section . a.
ecessary Only licenses are accepted that require or permit distribution. All other licenses are refused.
This use case is usually chosen in very limited cases only, where all components will be distributed and will not be used internally which usually cannot be
excluded .
avoured All licenses are accepted. Licenses that prohibit the use within a M environment are highlighted bu
In this use case, a tendency towards licenses allowing the use within a M environment is expressed. However,
not mandatory, licenses prohibiting it are accepted as well.
The prohibition to use the software in a M environment can become critical in several cases. Some smartph
comprise M protection, which generally prohibits use of respectively licensed software within apps to the ex
measures. urthermore, embedded devices may be protected by M against manipulation of its firmware, pro
Some licenses make the prohibition of M measures sub ect to additional requirements, such as the GPL .0
case these requirements are not given, the use of M measures do not constitute an infringement of the respe
Some licenses prohibit the use of the software on a system with digital rights management M , which o
cryptographic signature. In this case, the user would not be able to run a modified version of the software on
licenses aim to prohibit. Thus, such licenses prohibit use of the software on such systems or require to prov
to execute modified versions on such systems.
To the contrary, some commercial licenses do explicitly require use of a M environment, e.g. in order to p
software.
The term distribution is understood as the creation of multiple copies of the software and their provision to third parties.
Permitted explicitly implicitly : istribution is permitted. It may however be sub ect to certain minor conditions and restrictions. This applies for most open
source licenses.
equired explicitly implicitly : istribution is required. This may apply for commercial licenses which do only cover distribution but not use for own
purposes, e.g. in case of distribution of software as part of embedded products.
orbidden explicitly implicitly : istribution is not allowed. or most commercial software its distribution is prohibited.
A Tag is set to explicit, in case the license contains an explicit clause on distribution. It is set to implicit if the tag can only be derived indirectly from the
license or its surrounding circumstances.
Features

10.
9
osborneclarke.com
Features
Full documentation
the individual steps to the
result found
The expert opinion in tabular
form: thanks to extensive
documentation, every step of
the assessment is
and thus the overall result is
also comprehensible.

11.
10
osborneclarke.com
Features
Parameterization
of individual factors,
therefore different
evaluations are possible.
Arguments can be
weighted differently at any
time. The result is
automatically recalculated.
In this way, your own risk
affinity/aversion can be
adjusted.

12.
11
osborneclarke.com
Features
Risk assessment with
percentages
not only yes/no, but
gradations in the
percentage range, which
can be further processed
and automatically
evaluated.
In this way, even doubtful
cases and grey scales can
be recorded, evaluated
and visualised.
ully Compliant
o Conflict
100 License does allow ASP provision.
Open Issue
To be clarified
50 Unclear, whether license allows ASP
provision. 50,00
Compliant
Conflict Unlikely
0 License does likely allow ASP
provision. ,00
ully Compliant
o Conflict
100 License does allow ASP provision.
Conflict 20 License s does likely not allow ASP
provision. ,00
Compliant
Conflict Unlikely
0 License does likely allow ASP
provision. 5 ,00

13.
12
osborneclarke.com
Features
Distinction between
three levels
• Abstract license
• Concrete software
• Concrete use case of
the software
Application
scenario of
concrete
software
Concrete
software
Abstract
license
GPL 2.0
Linux Kernel
Driver running in
kernel space
Application
software running
under Linux
Busybox
Stand-alone
installation
Self-written add-
on to Busybox

14.
13
osborneclarke.com
Best Practice | License Matrix | Our approach
Mapping
a separate use case
against the respective
licenses with
automatic check and
clear indication of risk
score values and
reference to individual
check sections

15.
14
osborneclarke.com
Features
License comparison
Quick overview of the main
differences between individual
licenses in direct comparison

16.
15
osborneclarke.com
Features | Summary
• Legal tech solution for license evaluation and use case mapping with the following features:
– Standardised assessment of individual licensing obligations
– Full documentation of the individual steps to the result found
– Individual factors can be parameterised, therefore different valuations are possible
(conservative approach vs. risk-taking approach)
– Risk assessment with percentages (not just yes/no, but gradations in the percentage
range, recording and visualising cases of doubt)
– Mapping of an own use case against the respective licenses with automatic check and
clear indication of risk score values and reference to individual check sections

17.
16
osborneclarke.com
What we do
1. Use Case Development: We create
customised use cases for you. Based on our
experience, we define how you handle the
software.
2. License check: You provide us with a list of
licenses (if necessary, we will assist you with
the creation). We check the rights and
obligations of the licences that apply to your
software.
3. Matching: We check your use cases for
conflicts with the rights and obligations of the
licences.
What you get
• Standard Package: Result of the use case
matching, which clearly shows the
compliance/non-compliance of the use cases
with licenses
• Extended Package: Additional, in-depth
explanation of the rights and obligations of the
individual licences with regard to the use cases -
a legal memo in table form
• Optional: Testing of specific software. This may
be necessary for the licensor to understand the
licence - this may differ from the general
understanding of the licence.
Our Offer

18.
17
osborneclarke.com
Advantages
• We start where the traditional tools stop: legal classification and evaluation of licences. More
than “ ust” creating a Bill of Materials and fulfilling information obligations
• Legally secure and fully documented - the memo of the external law firm in tabular form
• Synergies through more than ten years of experience and the use of existing content enable
efficient consulting

19.
18
osborneclarke.com
osborneclarke.com
18
Customers
DAX 30 Group
One of the
world's largest
automotive supplier
…

20.
19
osborneclarke.com
Osborne Clarke is the business name for an international legal practice and its associated businesses. Full details here: osborneclarke.com/verein *Services in India are provided by a relationship firm
1,850 26
Osborne Clarke International
270+
Partne
rs
675+
Business
Support
900+
Expert lawyers
Europe:
Belgium: Brussels
France: Paris
Germany: Berlin, Cologne, Hamburg, Munich
Italy: Brescia, Busto Arsizio, Milan, Rome
Netherlands: Amsterdam
Spain: Barcelona, Madrid, Zaragoza
UK: Bristol, London, Reading
Asia:
China: Shanghai
Hong Kong
India: Bangalore, Mumbai, New Delhi
Singapore
USA:
New York, San Francisco, Silicon Valley
International
Offices
Employees