Monthly Archives: March 2013

Sourcing from the Crowd: The Netflix Crowdsource License

To address the flip-side of my previous post, this post looks at “crowdsourcing.”  While eager entrepreneurs attempt to lure funding from accelerators and VC firms, established companies are making open calls to the public in search of the next big idea.  First coined by Jeff Howe nearly 7 years ago, crowdsourcing “represents the act of a company or institution taking a function once performed by employees and outsourcing it to an undefined (and generally large) network of people in the form of an open call.”

With the growth of this relatively new form of outsourcing, this post attempts to inform the would-be participant (i.e., the member of the crowd) of the implications of her participation in such an event.  In particular, I will use the recent Netflix Cloud Prize Contest and its corresponding Terms & Conditions to highlight some of the crucial aspects related to the intellectual property license contained therein.

For starters, software developers should know their work is generally protected under U.S. Copyright Law.  When they develop original code they “own” the underlying work.  That code can then be lawfully used by others, but only to the extent the developer has granted a license to that user.  To put it simply, software licenses are copyright licenses. The key copyright license rights are:

  1. The right to reproduce
  2. The right to modify (also, the right to create derivative works)
  3. The right to distribute
  4. The right to publicly perform (also, the right to publicly display)
  5. The right to use (including install, download, etc.)
  6. The right to sublicense (i.e., the right to pass license rights on to third parties)

Looking now to crowdsourcing, and the Netflix Cloud Prize Official Rules in particular, here is how a software developer’s rights are affected by virtue of their submission to the contest.  The software developer (the “Participant”) grants the below license to Netflix, as the “Sponsor” of this crowdsourced project.  For ease of interpretation, I will address the license in discrete pieces, first, addressing the scope, and then addressing the specific rights licensed.

Participant (and all members of your team, if applicable) grant to Sponsor a non-exclusive, worldwide, royalty-free, perpetual, irrevocable, fully sublicensable (through multiple tiers) and transferable license, without additional consideration to you (or any members of your team, if applicable) or third parties, to […]

This licensing scope is very broad.  The software developer Participant is giving Netflix license rights that have no limitation in geography, volume (no royalty payment based on Netflix exercising its license rights), duration, or revocability.  More interesting, the license is “non-exclusive” and “sublicensable”.

Developers should interpret the non-exclusivity as a benefit to this otherwise one-sided transaction.  This means, that while Netflix has broad license rights, the developer still has the ability to license its software to other entities in the future.  Less appealing to the developer, however, should be the fact that they are agreeing to allow Netflix to sublicense the software.  This will allow Netflix to provide license rights to third parties without further consideration or negotiation with the developer.  Developers who participate in this contest that may wish to commercially exploit their software after participating in the crowdsourcing event, should consider whether a competitor would be able to license its software through Netflix where the developer herself would not enter into such an agreement with that competitor.

Continuing now to the actual rights licensed:

[…] to (a) reproduce, distribute, perform and display (publicly or otherwise), adapt, modify, edit, translate, make available to the public, make, sell, offer to sell, import and otherwise use and exploit (and have others exercise such rights on behalf of Sponsor, through multiple tiers) your Submission (the “Licensed Work”) and any ideas, trademarks, patents and other intellectual property accompanying, related to or embodied in the Licensed Work, and any materials embodying, incorporating or derived from the Licensed Work, in any format or media now known or hereafter developed; [and to] (b) create derivative works from and incorporate the Licensed Work into other works or into Sponsor’s or its designees’ products or services; […]

As subclauses “(a)-(b)” make clear, the software developer, as a condition of submitting her software in the contest, grants Netflix every license right under copyright law.  That is, the rights to use, reproduce, distribute, modify (create derivative works), and publicly display/perform.  Interestingly, albeit understandably, subclause “(a)” casts a wide net in order to remove all ambiguity by including within these rights all other IP rights (i.e., patent, trademark, and “ideas”) that are “related to” the participant’s software.

Like the scope of the license itself, these rights are expansive.  While developers would surely anticipate Netflix’s use and commercialization of their software, they may be less aware of Netflix’s right to create derivative software that leverages the developer’s submitted work.  This is true regardless of the developer’s initial intent for how the software would be used.  Software developers considering this contest must be prepared to relinquish full control over their design, code, and future manipulation of their product, regardless of whether or not they win the contest.

Finally, while somewhat beyond the scope of this post, it’s interesting to point out the final subclauses of this license, which include the following marketing rights and likeness rights:

[…] [to] (c) use the Licensed Work for Sponsor’s advertising and promotional purposes; and (d) except where prohibited by law, use the name, photograph, portrait, picture, voice, likeness, statements, and biographical information of you (and all members of your team, if applicable) for Sponsor’s advertising and promotional purposes, whether or not in connection with your Submission, in each case for the purpose of administering and promoting the Contest, any future Sponsor promotions, and/or Sponsor.

These rights, while not standard for general software licenses (other than distributor licenses), are a product of the crowdsourcing method.  This goes back to the original definition.  Crowdsourcing is a call to the public, a contest of sorts.  As such, the software developer participant grants Netflix the right to use the likeness of the developer to promote not only the software but the fact that the software was the product of a crowdsourcing event.  Most contests contain similar language in their rules of participation, so this should not be too surprising for participants; however, software developers should consider how comfortable they are with privacy matters and their inability to control how Netflix (should it choose to exercise this right) portrays the developer to the public.

Given the lack of restrictions on these rights or in the scope of the license, software developers should weigh the probability of winning the contest prize ($10,000) against the possibility that they could commercialize their software.  While participating in the contest will not preclude the developer from commercializing their software by licensing to other firms in need of SaaS widgets, their market is diminished by virtue of Netflix’s ability to exploit, in all manners, the developer’s software (and to sublicense that exploitation to others without the developer’s consent).  Of course, developers may perceive certain intangible benefits to the contest, such as those often associated with social networking, as tipping the scales in what might otherwise be an unattractive deal.  Certainly, that’s what the crowdsourcing movement has largely depended on.



Fund Me! Still Awaiting SEC to Act on Crowdfunding Law

If you are familiar with the Ostrich Pillow, then you’re definitely aware of the growing crowdfunding marketplace.  Today, companies such as Kickstarter are leading the way in providing platforms for connecting creative founders with the public.  According to the Crowdfunding Industry, as reported by techcrunch, crowdfunding platforms raised almost $1.5 billion and funded over one million projects in 2011.  So what is crowdfunding and what issues does it raise from a legal standpoint?

Crowdfunding is simply the process of obtaining funding for some project by appealing to the public.  Or, as a recent California Department of Corporations (DOC) bulletin put it:

Crowdfunding began as a way for the public to donate small amounts of money, often through social networking websites, to help musicians, filmmakers and other artists finance their projects. These types of crowdfunding are generally altruistic and contributors (who are not, strictly-speaking, investors) do not receive equity in the projects they are funding.

Sounds a lot like an IPO?  Well, not necessarily.  Currently, there are at least four types of crowdfunding platforms as identified by Suw Charman-Anderson of

  1. Lending: Funders receive income from their loan and expect repayment of original principal investment
  2. Reward: Funders receive a non-financial benefit, with projects often following a pre-sales model
  3. Donation: Funders expect no return, motivations are philanthropic
  4. Equity: Funders receive equity in the projects they back, earn revenue or profit-share

For the purposes of this post, it is the equity platform that is of greatest interest as it alone is the the subject of the JOBS Act.  Over a year ago, Congress passed bipartisan legislation known as the Jumpstart Our Business Startups Act (the “JOBS Act” or “Act”).   The Act is intended to “increase American job creation and economic growth by improving access to the public capital markets for emerging growth companies.”  The Act, in its entirety, can be found here.  When fully implemented, the Act will promote capital formation by enabling “emerging growth companies” to sell, through a portal registered with the SEC, up to $1 million in securities over a 12-month period to an unlimited number of investors, i.e. the crowd.  Furthermore, the Act lowers the burden of capital formation by exempting these crowdfund offerings from registration with state or federal authorities.  The Act attempts to balance these benefits that may encourage fraud by requiring the emerging growth companies to disclosure all material facts and risks associated with the investment.

Most importantly, the Act calls upon the Securities and Exchange Commission (SEC) to adopt rules and regulations implementing the Act.  And, until the SEC implements the Act through its rulemaking authority, this type of equity crowdfunding remains illegal.  To date, the SEC has yet to act, putting the agency nearly 4 months behind their deadline.

The entrepreneurs that I know are excited for this opportunity.  As are investors who want to be a part of something.  The appeal of the reward and donation type crowdfunding platforms seems to be largely one of community, similar to the underpinnings of social networking in general.  How else could a project like this ever get funding?

Certainly, there are legitimate reasons for the SEC to carefully craft rules to implement the Act.  Protecting the investing crowd from fraud is an important objective.  Similarly, ensuring the investing crowd have adequate and accurate information to make an informed investment decision is principle inherent to our public equity markets.  But these problems are by no means any reason for them to bury their heads in the sand.

Cybersecurity: Obama’s Executive Order

On February 12, 2013 President Obama issued an Executive Order (“EO”) entitled “Improving Critical Infrastructure Cybersecurity.”  The driving policy concern is “to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”  The EO aims to partner with owners and operators of critical infrastructure (“CI”) “to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.”

Here are the major takeaways in my opinion:

What is Critical Infrastructure?

The EO defines CI as,

Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

How will Critical Infrastructure be Identified?

While the definition of CI is helpful, it does not identify the specific private sector entities that will fall within its scope.  The EO provides a process for such identification.  Specifically, the EO directs the Secretary of Homeland Security (DHS) to create and apply objective criteria to determine whether a cybersecurity incident to a given private sector “could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”  Based on the evaluations by DHS (in conjunction with applicable Sector-Specific Agencies), private sector entities found to be owning or operating CI will be confidentially notified and their participation in a “Cybersecurity Framework” program will be requested.

How will Critical Infrastructure Cybersecurity be Improved?

The strategy for improving cybersecurity articulated in the EO appears to be two-fold: (1) sharing intelligence information; and (2) establishing best practices.

  • Information Sharing.  The level of information that will be shared with private sector entities will turn on whether the entity is an owner or operator of CI (including any commercial service providers that offer security services to CI).  If the entity is not an eligible CI company but is nevertheless a target of a cyber threat, then the agency that discovered the threat will make timely production of a report to the targeted entity.  However, the EO specifically states that such report will only be produced at the unclassified level.  If, on the other hand, the entity is an eligible CI company and is the target of a cyber threat, then the Government will provide that entity with reports at the classified level describing the cyber threat and relevant technical information.
  • Best Practices.  Unlike the information sharing objective, the best practices objective is applicable only to CI entities.  To achieve this objective, the EO directs the creation of a Cybersecurity Framework to reduce cyber risks to critical infrastructure.  As envisioned within the EO, the Cybersecurity Framework will contain standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.  Specifically,

The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks.

While the specifics of the Framework have not yet been developed, the EO makes clear that its adoption by CI entities will be entirely voluntary.  However, the EO directs DHS to create an incentive structure designed to promote adoption of the Framework.

When will the Events Ordered under the EO Occur?

June 2013 – Attorney General, DHS, and the Director of National Intelligence to issue instructions to ensure the timely production of unclassified reports of cyber threats that identify a specific targeted entity (regardless of whether the entity is CI or non-CI). Instructions will also include process for the dissemination of classified reports to CI entities authorized to receive them.

June 2013 – DHS and DoD to establish procedures to expand voluntary information sharing program to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.

June 2013 – DHS, Secretary of the Treasury, and Secretary of Commerce to submit plans to incentivize participation in the Cybersecurity Framework program.

July 2013 – DHS to create and apply risk-based criteria to identify CI sectors.

October 2013 – Preliminary Cybersecurity Framework published by Director of National Institute of Standards and Technology (under Secretary of Commerce).

January 2014 – Sector-Specific Agencies must review the Preliminary Cybersecurity Framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks.

February 2014 – Final Cybersecurity Framework published by Director of National Institute of Standards and Technology.

May 2014 – Sector-Specific Agencies that determined current regulatory requirements insufficient must propose prioritized, risk-based, efficient, and coordinated actions to mitigate cybersecurity risks.

February 2015 – Sector-Specific Agencies, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements, and describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.