Last week, OpenAI rolled out ChatGPT Team, a flexible subscription structure for small-to-medium sized businesses (with two or more users) that are not large enough to warrant the expense of a ChatGPT Enterprise subscription (which requires a minimum of 150 licensed users). Despite being less expensive than its Enterprise counterpart, ChatGPT Team provides for the use of the latest OpenAI models with the robust privacy, security and confidentiality protections that previously applied only to the ChatGPT Enterprise subscription and that are far more protective than the terms governing ordinary personal accounts. This development could be the proverbial “game changer” for smaller businesses: for the first time, they can have access to tools previously available only to OpenAI Enterprise customers, under OpenAI’s more favorable Business Terms and the privacy policies listed on the Enterprise Privacy page, without making the financial or technical commitment required under an Enterprise relationship.

Thus, for example, ChatGPT Team customers would be covered by the Business Terms’ non-training commitment (OpenAI’s Team announcement states: “We never train on your business data or conversations”), by other data security controls, and by OpenAI’s “Copyright Shield,” which offers indemnity to customers in the event that a generated output infringes third party IP.[1] Moreover, under the enterprise-level privacy protections, customers can also create custom GPT models that are for in-house use and not shared with anyone else.

As noted above, until now, the protections under the OpenAI Business Terms were likely beyond reach for many small and medium sized businesses, either because of the financial commitment required by OpenAI’s Enterprise agreement or because of the unavailability of the technical infrastructure necessary to implement the OpenAI API Service. In the past, such smaller entities might resort to having employees use free or paid OpenAI products under individual accounts, with internal precautions (like restrictive AI policies) in place to avoid confidentiality and privacy concerns.[2]

As we’ve seen over the last year, one generative AI provider’s rollout of a new product, tool or contractual protection often results in other providers following suit. Indeed, earlier this week Microsoft announced that it is “expanding Copilot for Microsoft 365 availability to small and medium-sized businesses.” With businesses of all sizes using, testing or developing custom GAI products to stay abreast with the competition, we will watch for future announcements from other providers about more flexible licensing plans for small-to-medium sized businesses.

On December 19, 2023, AI research company Anthropic announced that it had updated and made publicly available its Commercial Terms of Service (effective Jan 1, 2024) to, among other things, indemnify its enterprise Claude API customers from copyright infringement claims made against them for “their authorized use of our services

ChatGPT has quickly become the talk of business, media and the Internet – reportedly, there were over 100 million monthly active users of the application in January alone.

While there are many stories of the creative, humorous, apologetic, and in some cases unsettling interactions with ChatGPT,[1] the potential business applications for ChatGPT and other emerging generative artificial intelligence applications (generally referred to in this post as “GAI”) are plentiful. Many businesses see GAI as a potential game-changer. But, as with other new foundational technologies, new issues and possible areas of risk arise.

ChatGPT is being used by employees and consultants in business today. Thus, businesses are well advised to evaluate the issues and risks to determine what policies or technical guardrails, if any, should be imposed on GAI’s use in the workplace.

In today’s digital age, the question isn’t whether open source software is being used in a company’s products, but how it is being used and what license governs its use. Open source is ubiquitous. Despite its widespread use over the past decade, the provisions of open source licenses have been interpreted by only a handful of U.S. and foreign courts. Open source-related disputes do not usually reach court because the open source advocacy groups that enforce open source license provisions often work out a resolution between the parties without litigation.

However, one recent open source dispute has reached the courthouse. As discussed below, a new case filed in California state court could test the enforcement of one of the most common families of open source licenses, the GNU General Public Licenses or “GPL.” If the plaintiff is successful, the case could have the effect of expanding enforcement of GPL licenses under the rubric of consumer protection and allow a broad range of parties to bring claims under the GPL as third party beneficiaries of those licenses.

Last week, the Software Freedom Conservancy, Inc. (“SFC”) filed a complaint against smart-TV manufacturer Vizio, Inc. (“Vizio”) alleging a failure to comply with the GNU General Public License Version 2 (“GPLv2”) and GNU Lesser General Public License Version 2.1 (“LGPL v2.1”) (collectively, the “GPL Licenses”). SFC alleges that, over the last four years, Vizio distributed smart TVs that included executable versions of Vizio’s “SmartCast” code. The SmartCast code, SFC alleged, contained modifications to the Linux kernel and other code obtained by Vizio pursuant to the GPL Licenses. SFC asserts that Vizio did not release the corresponding modified source code (as enhanced, modified or otherwise altered by Vizio) or accompany its smart TVs with a written offer to supply such code upon demand, as is required under the GPL Licenses. (Software Freedom Conservancy, Inc. v. Vizio, Inc., No. 30-2021-01226723 (Cal. Super. Orange Cty. Filed Oct. 19, 2021)).

In a narrowly drawn, yet significant decision, the Supreme Court reversed the Federal Circuit and ruled that Google LLC’s (“Google”) copying of some of the Sun Java Application Programming Interface (API) declaring code was a fair use as a matter of law, ending Oracle America Inc.’s (“Oracle”) infringement claims over Google’s use of portions of the Java API code in the Android mobile platform. (Google LLC v. Oracle America, Inc., No. 18-956, 593 U.S. ___ (Apr. 5, 2021)). In reversing the 2018 Federal Circuit decision that found Google’s use of the Java API packages was not fair use, the Supreme Court, in a 6-2 decision (Justice Barrett did not take part in the case), found that where Google reimplemented the Java user interface, taking only what was needed to allow outside developers to work in a new and transformative mobile smartphone program, Google’s copying of the Sun Java API was a fair use as a matter of law. This decade-long dispute had previously been dubbed “The World Series of IP cases” by the trial court judge, and like many classic series, this one culminated in a winner-take-all Game 7 at the highest court.

Oracle is one of the most notable Supreme Court decisions affecting the software and technology industry in recent memory since, perhaps, the Court’s 2010 Bilski patent opinion, its 2012 Jones decision on GPS tracking, privacy and the Fourth Amendment and its 2005 Grokster decision on copyright inducement in the peer-to-peer network context, and certainly the most notable decision implicating fair use since its well-cited 1994 Campbell decision that expounded on the nature of “transformative” use. It was no surprise that this case attracted a stack of amicus briefs from various technology companies, organizations, and academia. In the months following oral argument, it was difficult to discern how the Court would decide the case – would it be on procedural grounds based on the Federal Circuit’s standard of review of the jury verdict on fair use, on the issue of the copyrightability of the Java API packages, directly on the fair use issue, or some combination.  The majority decision is a huge victory for the idea that fair use in the software context is not only a legal defense but a beneficial method to foster innovation by developing something transformative in a new environment on top of the functional building blocks that came before. One has to think hard to recall an opinion involving software and technology that referenced and applied the big picture principles of copyright – “to stimulate artistic creativity for the general public good,” as the Supreme Court once stated in a prior case – so indelibly into the fair use analysis.

The decision is also notable for the potential impact on copyright’s “transformative use test.” By considering Google’s intent for using the Java API code, the Court’s discussion of what constitutes a “transformative” use appears to diverge somewhat from recent Circuit Court holdings outside the software context.  The decision may redirect the transformative use analysis going forward, or future decisions may cabin the holding to the software context.

As reported last week, it appears that a state-sponsored security hack has resulted in a major security compromise in widely used software offered by a company called SolarWinds. The compromised software, known as Orion, is enterprise network management software that helps organizations manage their networks, servers and networked devices. The software is widely used by both public and private sector companies.

The exposure, in the form of “spyware” inserted into one or more updates to Orion, is significant. According to an alert issued by the Cybersecurity and Infrastructure Security Agency (“CISA”), it is common for network administrators to configure Orion with pervasive privileges, which allow it to bypass firewalls and other security measures, making it an attractive target for hackers. CISA categorized the SolarWinds attack as presenting a “grave risk” to government agencies and private entities.

The attack had been ongoing and undetected since perhaps March 2020 (or earlier, and certainly planned out for years). SolarWinds’s SEC filings last week estimated that about 18,000 of its customers may have downloaded the malware-laden software update for Orion. However, the number of organizations impacted may be even higher. Orion may be part of a larger infrastructure implementation or managed service provided by third party service providers. As a result, even entities that do not have a direct relationship with SolarWinds may need to investigate potential impacts.

It is important to note, however, that even though a business may have the malicious code integrated into its network, it may not yet have suffered an actual breach or intrusion. “Luckily,” this actor seems to have taken great pains to remain concealed, and as a result, it appears that the perpetrators had not yet had an opportunity to use the backdoor to invade every impacted network.

While we are far from learning all of the various ways in which this backdoor was exploited, early anecdotal evidence suggests that these attackers were very interested in pivoting into other systems, including cloud-based systems, such as Office 365, that may not have any direct connection to a SolarWinds installation. While the disabling of the so-called Orion “Sunburst backdoor” and the confiscation of the original domain name that was receiving communications from the attacker should stop further data loss from the initial entry point, it will not stop further incidents if the attacker has already established persistent access within the network. Thus, it is important to note that merely because an affected organization may have closed the initial vulnerability, it should not declare the incident contained too quickly, as the hackers may have surreptitiously achieved persistent access beyond the Orion entry point.

There are two sobering consequences of this recognition. First, if an organization determines that it installed the corrupted version of Orion, its investigation may need to be very broad in nature. Second, organizations may need to consider whether previous breaches that were resolved this year might, in fact, have had something to do with this issue that went undiscovered at the time of detection. Accordingly, it may be necessary to revisit prior incidents thought long resolved.

In what could prove to be an important decision within the context of scraping of “public” data, in a recent case the Eleventh Circuit reversed a lower court’s dismissal of trade secret claims relating to the scraping of insurance quotes. (Compulife Software, Inc. v. Newman, No. 18-12004 (11th Cir. May 20, 2020)). The appellate court agreed with the lower court that, while Compulife’s insurance quote database was a trade secret, manually accessing life insurance quote information from the plaintiff’s publicly web-accessible database would generally not constitute the improper acquisition of trade secret information. However, the court disagreed with the lower court in finding that the use of automated techniques to scrape large portions of the database could constitute “improper means” under state trade secret law. In reversing the lower court’s dismissal of the trade secret claims, the appeals court stressed that “the simple fact that the quotes taken were publicly available does not automatically resolve the question in the defendants’ favor.” Even though there was no definitive ruling in the case – as the appeals court remanded the case for further proceedings – it is certainly one to watch, as there are very few cases in which trade secret claims are pleaded following instances of data scraping.

In an innovative initiative in the battle against the Coronavirus, the newly-formed Open COVID Coalition (the “Coalition”) launched the Open COVID Pledge (the “Pledge”), a framework for organizations to contribute intellectual property to the fight against COVID-19. Pursuant to the Pledge, rightsholders can openly license intellectual property to facilitate the development of tools and technologies to counter the COVID pandemic. These would include the manufacturing of medical equipment and testing kits, as well as the development of software, AI and biotech solutions to contain and end the virus. Many major technology companies and other organizations have signed on to the Pledge.

The Coalition created a form of license which participants may use to fulfill the pledge. Under the license, the Open COVID License 1.0 (“OCL”), the pledgor grants a “non-exclusive, royalty-free, worldwide, fully paid-up license (without the right to sublicense)” to exploit the IP (other than trademarks or trade secrets) in products, services and other articles of manufacture “for the sole purpose of ending the ‘COVID-19 Pandemic’ (as defined by the World Health Organization, “WHO”) and minimizing the impact of the disease, including without limitation the diagnosis, prevention, containment, and treatment of the COVID-19 Pandemic.” The term of the OCL is retroactive to December 1, 2019 and runs until one year after WHO declares the end of the pandemic. Under the OCL, the pledgor “will not assert any regulatory exclusivity against any entity for use of the Licensed IP” in accordance with the license grant, and agrees not to seek injunctive or regulatory relief to prevent any entity from using the licensed IP. As with some traditional open source licenses, the licensed IP is granted without any warranties, and the license is suspended if the licensee threatens or initiates any legal proceeding against the pledgor. Lastly, all copyright and related rights granted under the OCL are deemed waived pursuant to the Creative Commons 1.0 Universal License (public domain dedication).

In early February 2020, before most of us were truly aware of the implications of COVID-19, a well-respected IT consulting group predicted a $4.3 trillion global spend on information technology in 2020. Drivers of the projected activity included cybersecurity, outdated infrastructure, mobile accessibility needs, cloud and SaaS transitions, and on-premises technology requirements.  In late 2019, another well-respected consulting group had predicted that, in 2020, “[t]here will be increasing opportunities for technology vendors and service providers to grow their businesses, and for technology buyers to innovate and upgrade their infrastructure, software, and services.” In fact, as 2020 began, many deals for technology development, implementation and related services were signed and technology providers, consultants and related service providers (collectively referred to in this post as “vendors”) and their customers were busy building, implementing and testing new systems.

Then came COVID-19. Most people in the United States and in many other parts of the world are now working from home. Capital markets are volatile. The global economy came to a screeching halt and recessions are forecast.  As a result of these and other factors, many deals that were humming along nicely are now facing significant and unanticipated challenges. For example:

  • In many cases, neither the vendor nor the customer community is “in the office.” While it is not uncommon for software developers to work remotely, many important aspects of a complex implementation – e.g., hardware installation, software testing and user training – are most effective when done on site. Obviously, given the work-from-home and no-travel environment that we are in, this is not possible.
  • Key individuals from both the vendor and customer community may be less available, either due to their own illnesses or due to pressing family issues or other concerns related to the pandemic.
  • Some customers may experience significant and unanticipated financial distress, and as a result, the payment obligations associated with the initiative may become particularly burdensome for them. Vendors may also be facing similar financial distress.
  • Due to the downturn in the business climate resulting from the pandemic, the business volume assumptions on which the ongoing initiative was based may no longer be realistic.

This blog post is intended to suggest a practical approach that both technology vendors and their customers might take to find amicable solutions to challenged deals.

As part of the response to the outbreak of COVID-19, many organizations are working on contingency and business continuity plans that include an all-employee “work-from-home” scenario. If it becomes necessary to implement such a plan, all employees of the organization will access the organization’s networks and systems remotely. Unfortunately, many organizations that are testing these plans are discovering that their remote access technologies may not be able to handle, without significant degradation in performance, the volume of activity this will generate. Indeed, given the complex host of business applications and collaboration tools that many businesses employ, many entities may not be fully ready for their entire workforce to access their systems remotely without first checking in with their vendors and IT personnel.

This is understandable. Except for the case of those businesses that always operate “virtually” — without any fixed offices — most organizations build their remote access infrastructure (including the related telecommunications, security, videoconferencing, collaboration and other software tools that are involved in remote access) based on an assumption that only a portion of an organization’s employees will use remote access at any given point in time.  For example, contractual service level commitments (in which vendors promise certain levels of performance of their systems) often assume a simultaneous user base being a subset of all employees of the organization.  Further, SaaS-based services that are priced based on a specific number of “simultaneous users” may not anticipate all, or substantially all, of the company’s employees using the service at the same time.

Organizations should be reviewing their agreements with the myriad set of vendors that provide software related to remote access. These reviews should evaluate what commitments, if any, are included in those agreements that may be helpful in what may be this unprecedented “100% work-from-home” effort.  To the extent contractual deficiencies or other issues are identified, early engagement with vendors can be helpful.  For example, in the event service level commitments appear insufficient to meet anticipated demand, an early discussion with the vendor may result in an increased allocation of the vendor’s resources to that customer.  And while some SaaS service agreements priced by the number of simultaneous users may allow customers to exceed simultaneous user limits (with a premium true-up at a later date), others impose hard blocks on usage in excess of contract limitations.  To the extent these issues are identified in an agreement, customers are best served by engaging with the vendor in advance – to avoid premium true-ups or interference in service.