What's New

Important Change to MongoDB’s Open Source License

Many of you may be using MongoDB’s open source Community Server database somewhere in your operations or products. A recent announcement and license switch by MongoDB may affect you, so please review the following carefully.

Old Reality: MongoDB under AGPL

Historically, MongoDB was licensed under the GNU Affero General Public License (“AGPL”). The AGPL is a version of the “Highly Viral” GNU General Public License (“GPL”) that reaches code you modify and then make available remotely through a computer network. While the viral reach of the AGPL is contested, MongoDB created a limited safe harbor for licensors who didn’t modify the licensed code and only linked to it through a mongodb.org-supported driver. (They did this through release notes and other clarifications issued to licensees.)

⇒ For background on “Highly Viral” and other open source license types, see Smithline Training’s Open Source Series.

New Reality: MongoDB under SSPL

Citing concerns about SaaS providers “test[ing] the boundaries” of the APGL and taking advantage of the value of MongoDB code “while contributing little or nothing back to the community,” MongoDB announced that all subsequent versions and patch releases of MongoDB will be made available under a new license called the Server Side Public License (“SSPL”). The SSPL is the AGPL with a new version of Section 13 (“Offering the Program as a Service”) aimed directly at SaaS providers.

Could the SSPL reach your proprietary SaaS code?

Under Section 13 of the SSPL, if you make the functionality of MongoDB or a modified version “available to third parties as a service” then you must release the source code to all programs that you use to make MongoDB or the modified version available as a service, including, without limitation, “management software, user interfaces, application program interfaces, automation software, monitoring software, backup software, storage software and hosting software.”

This new language has several important implications:

  1. Modification no longer matters. Previously, if you did not modify the MongoDB code, you were (ostensibly) in the clear as a SaaS provider under the APGL. Under the new SSPL, that distinction no longer matters.
  2. Copyleft obligation may reach beyond “database as a service.” MongoDB states that their intent is to target companies who offer “MongoDB as a service” and the SSPL FAQ includes helpful language suggesting there is no copyleft obligation when using MongoDB as an internal database. While the examples the SSPL gives of covered services include those that “accompli[sh] for users the primary purpose of the Program [MongoDB]” or derive their value “entirely or primarily” from MongoDB, unfortunately the language of the SSPL is not so limited. Section 13 also states that the SSPL reaches any SaaS service that enables third parties to “interact with the functionality of the Program.”
  3. Source code release obligations are very broad. If your use of MongoDB triggers Section 13, you must release under the SSPL the source code for any of the management, API, monitoring, hosting, backup or other software you use with MongoDB. Given the potentially dire effects of this requirement, you should carefully re-assess your use of MongoDB in any context involving SaaS.

Does the SSPL change anything for software providers?

Except for Section 13 (which applies to SaaS), the SSPL is otherwise the same as version 3 of the GPL, which is Highly Viral. Therefore, while the new language in the SSPL does not change anything specifically relevant to software providers, use of MongoDB in any software that you distribute remains highly problematic.


Important Disclaimer:

The information contained in this post is provided for informational purposes only. It should not be considered legal advice or a substitute for legal advice, and does not create an attorney-client relationship between you and Smithline PC. Because this information is general, it may not apply to your individual legal or factual circumstances. You should not take (or refrain from taking) any action based on the information in this document without first obtaining legal counsel.

What's New

Welcome Reagan Haas!

We are pleased to announce that Reagan Haas has joined the firm as an Associate. Reagan joins us from Ropes & Gray. Reagan has a BA from Oklahoma State University and a JD from UC Berkeley School of Law. For more information about Reagan, please see her bio here.... MORE +

Loretta Lau Certified as EU Privacy Professional

Congratulations to our Associate Loretta Lau on becoming a Certified Information Privacy Professional on European Union data protection (CIPP/E) by the International Association of Privacy Professionals. Loretta’s full bio is here.... MORE +

Todd Smithline Speaking at Copyright Society on PUBG Case

Todd Smithline will be joining the Copyright Society of Northern California’s panel on “Copyright and Video Game Clones: Battle Royale of the Battles Royale” on Wednesday, December 5, 2018 at Kilpatrick and Townsend at Noon. More information here.... MORE +