
How to Deal With Stolen Code?

greenrom writes "I work for a small company as a software developer. While investigating a bug in one of our products, I found source code on a website that was nearly identical to code used in our product. Even the comments were the same. It's obvious that a developer at our company found some useful code on the web and copied it. The original author didn't attach any particular license to the code. It's just 200 lines of code the author posted in a forum. Is it legitimate to use source code that's publicly available but doesn't fall under any particular license? If not, what's the best way to deal with this kind of situation? Since I'm now the only person working on this code, there's no practical way to report the situation confidentially. I'm new to the company, and the developer who copied the code is the project lead. Reporting him to management doesn't seem like a good career move. I could rewrite the copied code without reporting him, but since the product is very close to release it would be difficult to make a significant change without providing some justification."
This discussion has been archived. No new comments can be posted.

  • by Psionicist ( 561330 ) on Wednesday November 28, 2007 @03:54PM (#21508713)
    The United States is, as far as I know, the only country in the world where your work is not automatically copyrighted when published. I know for a fact that if any code, text, images etc. are posted from a European country they are automatically copyrighted, "(c)"-symbols or not. In Sweden for example it is actually discouraged to write "Copyright xyz" in your documents/works because it has no legal meaning and it confuses intellectual property law for the layman. So while you are probably correct if the copied code originates from somewhere in USA, the original poster's company is most certainly in violation of some intellectual property law if the code is from abroad.
  • Re:Uhhhhh (Score:3, Interesting)

    by morgan_greywolf ( 835522 ) on Wednesday November 28, 2007 @04:04PM (#21508901) Homepage Journal

    Note that short code segments have often been found to be uncopyrightable. It varies from jurisdiction to jurisdiction, but it's often difficult to claim copyright to less than ~ 10K LOC outside the USA.
    > 10,000 lines of code? You have to be kidding me. By that definition, there are quite a few open source apps that aren't copyrightable.
  • Re:It's common sense (Score:1, Interesting)

    by Fierythrasher ( 777913 ) on Wednesday November 28, 2007 @04:10PM (#21508991) Homepage
    You're saying there's an implicit copyright in every web post, then? So this post I'm typing now, if someone put it in a newsletter, I could then sue them for taking my post which is my copyright? Moreover, again as I stated above, most code samples are found in online tutorials. They're THERE for the purpose of helping you code through a problem. They explain the code step by step and give you the code. Finally, there's only so many ways to code something. Given that I doubt you will find full programs online, what people are taking are usually subroutines at most, a few lines of code to accomplish a specific task at least. When parsing it down to that small of a step, how many ways to write it are there? From my own experience, how many ways are there to code a call to a specific Window handler in Access VBA? I had to look up 2 lines of code to do it, which I found in an online tutorial. Final thought: If you aren't intended to use the code, why is it that most sites have a disclaimer at the bottom that says "Not liable for any problems you have when using this code"?
  • by mr_zorg ( 259994 ) on Wednesday November 28, 2007 @04:20PM (#21509113)
    Sure, it might be copyrighted inherently, but clearly the public posting of source code in a self-help forum provides an implied license to use...
  • by postbigbang ( 761081 ) on Wednesday November 28, 2007 @04:24PM (#21509187)
    as is mentioned upthread, published works are owned by their authors by copyright in the USA,

    I'd prefer an ethical behavior on the part of all of my employees; some do better jobs than others-- but ethics comes first. Our code is clean, was clean, will be clean, and adheres to the licensing and copyright strictures.

    Dry-ripping/cutting&pasting code from any old website is beyond stupid, it's lax, possibly criminal, and well, you haven't vetted the code against standards and practices-- what if it blows up or creates a nice nugget of crap in otherwise vetted code.

    I disagree with your practices. They put output over ethics, suggest unscrupulous use of code, violate standards practices, and create possible conflicts with other code. Swiping unknown code from a random website's bad practice.

  • by vxir ( 668726 ) on Wednesday November 28, 2007 @04:29PM (#21509267) Homepage
    What if to join the forum something was buried in the agreement like "you agree that any code or comments that you post are released to the public domain for others to use and modify"?

    I haven't checked for this sort of thing but if I was administrating one of these forums, I'd certainly have put something like this in the terms-of-use. After all, as many people have pointed out disallowing use of posted code runs counter to the purpose of the forum.

    My question is whether a term like this in a use agreement can override the implicit copyright.
  • by LiENUS ( 207736 ) <slashdot@@@vetmanage...com> on Wednesday November 28, 2007 @04:35PM (#21509335) Homepage
    So the worst case is that the copyright owner makes your company change the code at some point in the future. If you put the recommended comment in, your company will know (i) it's not your fault and (ii) you were heads-up enough to look into the issue a little further when you noticed it.

    Bad idea, the comment is enough to acknowledge that the company (or an agent on its behalf) knew that the ownership of the code was legally questionable and could be used to remove any protection that the company could have to claim permission to distribute the code. If the copyright owner decides to sue, best case scenario he's able to sue the company successfully, worst case scenario he's able to sue the person who wrote the comment acknowledging the muddied ownership of the code.
  • Re:Uhhhhh (Score:3, Interesting)

    by einhverfr ( 238914 ) <chris.travers@g m a i l.com> on Wednesday November 28, 2007 @04:40PM (#21509409) Homepage Journal
    IANAL, but I have had to deal with similar situations in open source projects.

    On one hand, I have found that people who post code fragments online generally intend for people to copy and adapt their works. However, obviously you don't want to rely on this norm for protection, even if it was provided specifically as sample code.

    The best option is to first make a good effort to contact the author of the code and express an interest in using the code. You may or may not want to discuss the whole situation with the author without feeling the situation out-- that might be an act of goodwill but it could also put your business more at risk. I would probably initially just state that you are interested in obtaining copyright permission to use this code in your application. See where that goes.

    If you cannot contact the author I would suggest rewriting the code to be on the safe side.

    Also note that there is a chance that you will get a response (like I have) stating something to the effect that "I don't know whether I even wrote the code anymore, but fwiw, go ahead." In that case, I would tend to avoid copying and pasting.
  • Re:Uhhhhh (Score:1, Interesting)

    by Anonymous Coward on Wednesday November 28, 2007 @04:43PM (#21509469)

    Simply posting something in a public place does NOT put it in the public domain

    public domain: any work that is not copyright protected is considered to be in the "public domain", and includes materials created prior to 1922, works created for public use, government documents unless otherwise specified, and works whose copyright has expired.
    Would this not fall under the category of "works created for public use"?
  • by petes_PoV ( 912422 ) on Wednesday November 28, 2007 @04:48PM (#21509535)
    You're about to learn what the business world is really like.

    Or, depending on how the project lead is viewed in the company, this could be the fastest promotion you'll ever get.

    Before you talk to anyone about this, do some discreet research about who might be sympathetic to your situation, who the lead's enemies are and think about just how much politics you want to get involved in.

  • OT: Burning money (Score:5, Interesting)

    by Bloater ( 12932 ) on Wednesday November 28, 2007 @05:11PM (#21509841) Homepage Journal
    Burning a $20 bill makes everybody (except you) richer. With a reduced money supply everybody else's dollar becomes more valuable. It takes a while to filter through to the labour market, but it does. That bill represents the wealth that you brought to everybody else so that one of them will give you something if you bring it to them. If you burn it instead, they still benefit from the work you did to earn that money, but now you won't be able to get them to give you stuff so they also get to keep the stuff and sell it to somebody else.
  • Re:Uhhhhh (Score:3, Interesting)

    by vux984 ( 928602 ) on Wednesday November 28, 2007 @05:14PM (#21509863)
    The fact you're looking up code on the internet when your job would quite possibly make me feel as if you didn't understand basic coding, and were an incorrect fit for a particular agency.

    I consider myself a pretty good coder, but when I recently was tasked with writing a wrapper to run a shell command and capture stdout, stderr, and redirect a file into stdin, I wasn't sure where to really start...

    This MSDN article (which I found via google) went a long way towards covering the topic:

    http://support.microsoft.com/kb/190351

    And that sample code proved invaluable. It easily saved me several hours. Code like that is very domain specific, and unless you've spent a lot of time around pipes and create process win32, it doesn't matter how good you are at understanding basic coding, or even advanced coding.

    I'd managed to write a basic version of what I wanted using ANSI C's popen but was running into popen's limitations (like the dos box window flashing open). From reading I knew that CreateProcess in the win32 api gave me the control I needed to suppress the window, and this example REALLY helped me out.
  • Re:Uhhhhh (Score:3, Interesting)

    by Jerry Coffin ( 824726 ) on Wednesday November 28, 2007 @05:16PM (#21509909)

    A mere 200 lines probably constitutes "fair use", which is built into copyright law.

    I doubt it. Fair use means convincing a court that the use you're making of the material is really fair. In many cases, that means writing something that's sufficiently different that the court believes you're not really competing directly with the original author -- for example, a book review that quotes a few lines from a book isn't likely to be used as a substitute for buying the original story. Quoting a few particularly telling lines can give a good idea of the book's topic and style, so doing so will generally be considered fair use. This case seems to be almost entirely different however -- it's not writing something new or original about that code, but simply using it as it was originally intended. Even when courts do look at the amount copied, they rarely look exclusively at just the raw amount involved -- they frequently look at both the percentage of the original that was copied, and the percentage that the copied material constitutes of the final work in which it is copied. If I copy 200 lines from War and Peace, it would generally be easier to justify than if the 200 lines being copied were virtually 100% of the original (which sounds like it might easily be the case here). Likewise, if I write a long book and copy one-liners from here and there as titles to chapters and such, it's easier to justify than if all I've done is paste in a single large quote from somewhere, and that's all I'm publishing.

    Even though I doubt this would qualify as fair use, publishing exactly the same code under other circumstances might well be fair use. For example, if I was writing a book on coding style, and included all 200 lines of this snippet as an example, and wrote a line-by-line analysis of how it was written, that would almost certainly improve the chances of its being justified as fair use.

  • by mlwmohawk ( 801821 ) on Wednesday November 28, 2007 @05:52PM (#21510413)
    If the original author posted the code to a forum as an example, without disclaiming any assumed or implied rights, then you are free to use it. The mere act of publicly posting the example is clearly an act that grants permission to use, however, you should look at the forum copyright policy as that may have further limitations.
  • Summary (Score:4, Interesting)

    by Jherico ( 39763 ) <bdavis@saintandrea[ ]rg ['s.o' in gap]> on Wednesday November 28, 2007 @06:25PM (#21510823) Homepage
    Based on the replies to this, there appear to be three basic camps of thinking, which can be summarized by the extremes.

    Camp A people would fire someone for taking the time to worry about this because it happens all the time and you're never going to get caught, and the original author of the code probably meant it to be public anyway, even though it's illegal.

    Camp B people would fire someone for NOT taking the time to worry about this because it's illegal, regardless of intent of the original author and if it came to light it would expose the company to bad press and possibly litigation.

    Camp C people have no earthly clue how copyright law actually works and are speaking out of their collective asses. Sadly, these people would most likely reason along the same lines as Camp A out of ignorance rather than malice and simply behave the same way with the exception that they don't realize they're breaking the law.

    The original poster can certainly decide what kind of person he is (probably B since he asked the question in the first place) and can probably make a guess about what kind of people his employers are (I'm guessing A, again since he had to ask). Then you have to decide what is more important, your job or your ethics. It is a slippery slope when you first start copying code. I had a friend who copied code once. Now he professionally eats babies. True story.

    The fact is that all the commonsense notions about how copyright law works or should work don't take into account that copyright law is not written by individuals, but largely by companies like Disney and Warner Brothers (among others), companies that have a vested interest in maintaining control over a certain mouse and rabbit (among others), both of whom would now long since be in the public domain if not for the endless succession of copyright extensions lobbied for by said corporations. Originally (well, since 1909) copyright expired after 28 years, or 56 if you decided to renew it. And this was a copyright you had to explicitly register. In 1976, copyright became automatic and consisted of life plus 50 years after the author's death (or a static 75 years for 'work for hire'). In 1998 it became life + 70 and either 120 years after creation, or 95 years after publication, whichever is sooner. It's interesting to note the effect on Mickey Mouse. Created in 1928, MM would have left copyrighted status (though still been covered under trademark restrictions) in 1984. Because of the 1976 act, that was pushed to 2003. The 1998 act pushed that back to 2023 at the earliest. So look for another copyright law in 2018 or so.

  • Re:Uhhhhh (Score:2, Interesting)

    by Dretep ( 903366 ) on Wednesday November 28, 2007 @07:12PM (#21511393)

    AFAIK code is copyrighted at the act of creation, and simply by making it available
    Damn, I've used copyrighted code in almost every programming language I've learned. Whoever first created "HELLO WORLD!" must be quite wealthy!
  • Re:Uhhhhh (Score:4, Interesting)

    by turbidostato ( 878842 ) on Wednesday November 28, 2007 @07:37PM (#21511717)
    "If the author of the code posted it in a forum, I would personally call that implicit permission to use the code. Otherwise, why even post it? "

    If the author of the song threw it in *a lot* of public mass media, I would personally call that implicit permission to use the song. Otherwise, why make it so public?

    "As to the legality of downloading it, if it is showing in your browser window, you have already downloaded it."

    As to the legality of downloading it, if it is going out your speakers, you have already downloaded it.
  • by NullProg ( 70833 ) on Wednesday November 28, 2007 @09:22PM (#21512857) Homepage Journal
    While investigating a bug in one of our products, I found source code on a website that was nearly identical to code used in our product.

    Was the bug within the copied code? Sometimes copyright isn't an issue with copied code. It's product quality.

    The three instances of copied code I've found in our commercial product caused major headaches because the code got past QA and failed in the field. It didn't scale, had timing issues, etc.

    In all three cases when I confronted the programmers they could not explain how "their" code worked. In all three cases I didn't have them fired. I made them fix it and apologize to the boss (who had to apologize to our customers).

    As a result, I now have two decent programmers who write their own code. They ask for help when it's needed instead of copying off of the internet.

    Enjoy,
  • Re:Uhhhhh (Score:4, Interesting)

    by DarkMantle ( 784415 ) on Wednesday November 28, 2007 @10:23PM (#21513337) Homepage

    Remember the windows 2000 source code link. Most of the code in the TCP/IP stacks were from Novell. But did they have permission to use it? Who knows.
    In this case though, I'd say public forum is public use. I've posted lots of code in forums as tutorials or tips. I'm not going to write a EULA or specify it must be GPL, LGPL, Mozilla Public License, EULA, BSD License, or make up my own. If I post it, and you find it useful, use it.

    That said, if you have a really guilty conscience about it, then use the forum to contact the poster and see what he says. I'm sure he'll say, "yeah.. sure, whatever."

  • Re:OT: Burning money (Score:3, Interesting)

    by morethanapapercert ( 749527 ) on Wednesday November 28, 2007 @10:48PM (#21513495) Homepage
    That would be what? roughly 8% of all U.S. currency in circulation? (approximately *700B$ in circulation, B.G.'s net worth is roughly 56B$)
    well, just because I am bored and want to have some fun with figures tonight:
    56 Billion dollars U.S. is 3,000,666 cubic feet of paper weighing 1,120,000 lbs
    (more than 500 feet long, 200 feet wide and 30 feet thick)
          Assuming we build some kind of furnace capable of burning paper with perfect efficiency at one pound per minute(I know, I know...)** it would take almost 78 days to burn it all, releasing 8,000 BTU's every minute. Again assuming perfect efficiency from heat into electrical power, it would produce over 8434 Kw/h, enough to supply almost my entire energy budget for the year. Given 24 hr operation and no delays in firing up and shutting down, over 1800 people would have their electricity provided for the year.***

    *American Billion 1,000,000,000 (1E9) not the international Billion 1,000,000,000,000 (1E12)
    **perfect efficiency is of course impossible, and short of some heavy duty forced air and very high temps, a pound of paper takes a lot longer than 1 minute to burn.
    ***what a wonderfully wasteful application of money. 56 billion could buy an awful lot more electricity than that.
  • Re:Uhhhhh (Score:3, Interesting)

    by Lumpy ( 12016 ) on Thursday November 29, 2007 @08:56AM (#21516643) Homepage
    You are 100% correct. We stopped contracting Indian firms for coding on the cheap because every time we got something back more OSS code was shoveled in. They would even strip most of the comments. We had one product come back with most of ffmpeg embedded in it.

    This happened so much we stopped doing out of house programming and went back to internal programmers. Yes we tried several different companies... I swear two of them were the same company operating under different names. The code style, comments, etc were identical in style to the first company.

    If you want your app to be sanitized and 100% your company's property, you MUST hire in house programmers and instruct them that they can not use any OSS, snippets, etc... Their bag of tricks they bring with them must ALSO be not used. Programmer X brings his bag of tricks and suddenly your app has some of the same code that 4 other companies have in their apps.

    But there lies the problem. Management wants unrealistic deadlines and 100% original code. They can't have both so programmers slip in things they find to make the deadline. Maybe if management actually gets educated and understands that writing code takes far longer than they think then they can get what they ask for.
  • Re:Uhhhhh (Score:3, Interesting)

    by gallen1234 ( 565989 ) <gallen@whitecran ... m ['n.c' in gap]> on Thursday November 29, 2007 @09:56AM (#21517219)
    I think the context matters. If someone posts a question on a forum, "How do I do x?" and someone posts a reply, "This is how you do it . . ." then I think it's safe to assume that the code is going to be used.
  • Re:Uhhhhh (Score:2, Interesting)

    by rhendershot ( 46429 ) on Saturday December 01, 2007 @09:49AM (#21543501) Journal

    Regarding the OP, I'm siding with the "forget it and leave it be" camp. If you don't make a fuss, the only person that could get in potential trouble if it turned out to be rotten would be the guy who wrote it.


    "Leaving It Be" isn't an option either. The OP found the problem in researching a bug. Since that needs to be fixed and since the forum post came up in his search it's possible that he'll need to use fixes from forum replies. It then becomes obvious that he perpetuated the original mistake (if there was one- as others have pointed out the code may have originated with the lead developer who posted to the forum as well as using some of his base code in the company project).

    I think he has reason to be careful. It's not clear from the OP, greenrom, how old the code is. Even a few years ago there was much less attention paid to the ethics of using publicly posted code. Greenrom's management might very well be more concerned about this in today's climate than when the original decision was made.

    I think he has reason to be concerned as well. One smell. Could there be two? Maybe there is a lot of code lifted by the lead developer. It's every associate's responsibility to act to protect the company. Not knowing that answer makes approaching the developer one-on-one a risky proposition. To protect himself the LD may well begin finding fault with greenrom's work in an effort to have him fired. Flank assaults like that are harder to fight than head-on attacks in some kind of audit or investigatory situation.

    My action (given the brevity of information) and this is not legal or other type of advice, would be to email boss, Cc the lead, subject: need clarification for license. body: While researching for a bug fix I stumbled on code significantly similar to ours. Pls be aware that some fault may exist in at . ref: These code blocks are nearly identical.

    Simple, factual and non-accusatory. No further explanation about what was being searched or the possible impact or anything else as that is a management problem. Also, managers tend to only read the first three sentences. btw- redundancy intended. Make sure the point is clear.

    As to the poster who proclaimed some defect in the OP for having used the internet to help him fix the bug. That's just ridiculous. It's a HUGE time saver.
