Ask HN: Huge enterprise customer wants to see our source code
But then they got back to us with an odd request: they want to see our source code (likely upon completion of the PoC). Given that our core IP is our models and algorithms, we are reluctant to agree. Their justification is: "we want to see how your algorithms made their decisions."
We know that they have lots of resources and are building up internal data science team. And yet it was pointed out to me that their goal might not necessarily be to outright steal our IP, but rather to cover their bases. But we are still worried they might be "inspired" by the parts they see and get their internal teams to replicate across other sites or use cases. And we don't have the resources to litigate, nor any way of knowing they do this.
My questions: 1) Has anybody run into a request like this? How would you respond? 2) How likely do you think their goal is to genuinely "see what happens under the hood" as opposed to replicate in the future? 3) Are there any legal protections we can put in place to prevent them from not just copy-pasting our code, but also from "learning from it" or so?
292 comments
[ 0.19 ms ] story [ 291 ms ] thread1. Ask for a giant pile of money for the privilege.
2. Come up with visualization that answers their question without giving them access to source code. Presumably "how do we know we can trust results" is a common problem.
3. Walk away.
This way you get to jump straight to your exit, and can maybe also structure the deal so that you and your employees get jobs at the BigCo (if you want them). Feel free to set the selling price as high as you like -- they would want the deal more than you would, so you have a lot of leverage in the negotiation.
And if they balk? Hey, they asked for terms to see the source code, you gave them terms! It's not your fault if they don't like them :-D
And everyone here is going on about them wanting to buy the company or acquire licenses to the code. It's just bizarre.
What does "cover their bases" mean?
As them to explain what they are trying to achieve and find other ways to assuage their concerns.
The only legitimate thing is to have something in case you fail and they have "banked" on you. There is a legit way to solve that. basically if they want that tell them they should pay for an Escrow service - that will hold your code and they would receive it if you ever cease to exist. But it's important that they would need to pay those fees (they are significant.)
That should make them back down.
It's entirely unreasonable for them to demand access to source code.
Models are the output of the process. It's like going to graphic designer for work and them not giving you the PSD file. It's just not acceptable.
I have no idea what I'm talking about in this specific niche either... but does it normally go over well when you start a conversation that way?
It's just frustrating that this poor startup is going to make a monumentally bad decision based on people in here who have no zero clue what they are talking about.
>about: CEO at http://www.3scale.net
I'd venture to say there is at least some qualification to answer here. </sarcasm>
I also think it's reasonable to ask for a model so you can test and validate it yourself.
The government and large corporations apparently disagree, or Microsoft wouldn't have their Shared Source Initiative. And for any nay-sayers in the crowd, that should be all that need be known: Microsoft thinks it's okay, and they have a lot more to lose than you do.
The only legitimate thing is to have something in case you fail and they have "banked" on you.
Which might be the exact thing they're trying to avoid. If your "machine learning" algorithm amounts to a bunch of nested if statements, they'd probably rather not "bank on you" in the first place.
Microsoft made the decision to create Shared Source Initiative only after they were very successful and only after a very, VERY detailed cost vs. benefit analysis.
Furthermore, they are handsomely paid for it (e.g in order to be eligible, you need to pay for at least 10k Windows licenses as per https://www.microsoft.com/en-us/sharedsource/enterprise-sour...) and it's ultimately up to Microsoft to grant/deny access.
And since we're talking about Microsoft, in the early days they were infamous for pumping competition for technical information under the guise of due diligence and then crushing said competition by developing competing products.
The person who asked the question is clearly not at the "successful monopoly" stage as Microsoft but more in the "there are legitimate concerns someone might steal our core ip" stage.
National agencies such as FBI are not threat to MS to become competitor, unlike OP’s client.
No one gets the secret sauce. They pay for your results.
Because we paid for that model, it belongs to us. Just like how if I pay for an illustration I expect the PSDs.
What? They want "the PSD" before buying.
Regarding meeting them in the middle, I would put together a presentation that describes how your algorithm works at a high level. I'd do your best to split the balance between being transparent and focused on the customer, and not divulging what you consider to be differentiating parts of your implementation.
If you get push back for the above, I think you're dealing with either brain rape, or some pretty unprofessional contacts in your customer's organization. If it's the latter, you should do your best to navigate around those contacts.
We pointed to (one of many) conditions that said that escrow would be only released to customers who were in good standing with us -before- the escrow event (and that wasn't transferable, as in they couldn't settle accounts with trustees, acquirers or the like - similar to 'not being able to buy retroactive insurance').
The $50+bn company might even be the potential buyer, but under code escrow they just get it for free (less whatever was negotiated up front.)
Structure it as 1 year, 2 year, 10 year whatever the hell deal you want. If you are a $50BN company ( you aren't ) you simply fire that customer.
I would think the positive of a large client greatly outweighs the liability of the code escrow.
Unless they are buying your company and are doing due diligence.
The answer is a clear no. They can PAY YOU to make custom plots/charts/reporting or run queries if they want to understand what it does better. There is almost always a way to achieve any business goal without requiring source code.
The only case I can think of source code needing formal verification by a third party is if you're targeting drones to kill people or government jailing people. That doesn't sound like a commercial company in any event.
Microsoft, for example, gives source code access to paying enterprises and governments under the Shared Source Initiative specifically for security vetting and other auditing purposes.
OP: Consult a lawyer who specializes in these matters.
Not the parent, but I have done deals like this and I feel the need to counter your sentiment.
Sure, 3rd party security review, escrow, etc etc is normal.
However, this is a massive red flag for me:
>Their justification is: "we want to see how your algorithms made their decisions."
I mean this is straight out of an episode of "Silicon Valley". The OP's entire product value is in "how your algorithms made their decisions" and this is not something you want to expose to anyone unless perhaps they are about to acquire your company.
https://www.lockheedmartin.com/us/what-we-do/aerospace-defen...
http://www.corecivic.com/
In these situations it's best to ask yourself a simple question: what would Coca-cola do if they asked to see the formula.
If you hired a photographer would you expect the RAW files ?
I would.
We agreed to letting them audit the code with conditions.
1. The audit happened on our computers with someone from our team in control (me). I locked the computer when I wasn't physically there to watch what they did. 2. We removed the most sensitive part of the code and told them what it did. We kept the method signature. 3. All of the source code remained on my laptop and my laptop was never attached to their network. 4. We could tell them that we would not answer any question they asked. 5. They paid for expenses and time. It lead to a decent sized contract.
It lasted about 2 days for a medium sized Java application. They asked one or two questions I wasn't allowed to answer and took it well when I told them so.
I am not a lawyer but you can also ask for a non-compete and or a non-disclosure from their individual employees that will conduct the review. Get your lawyer on that before you do it.
It is up to you or your company to decide what to do. No one can tell you if it a good or bad decision for you. At least for me and my company, it worked out. As far as I know the auditing company never developed a competitor and was a customer of my company for a long time to come.
Doing what OP described is great: it lets their folks do the audit with no risk of you loosing "ownership". It shows you are both a good partner and value what you do.
Anecdote: We have released code under the Apache 2 License (our biggest project by far is https://github.com/sheetjs/js-xlsx) and we've been roped into negotiations because some companies tried to take shortcuts by copying our code without proper attribution.
I've gone 12 rounds with IP lawyers over these theoretical violations (static vs dynamic links). But I found it odd that I could never find a single case of significant liability due to infringement. The nature of damages is unclear and the landscape of counter-parties (with an incentive to sue) is amorphous. It seemed like worst-case, a proven infringer just had to re-write the offending module and make a $10k donation to an open source foundation. I've never knowingly infringed GPL and am not advocating that anyone should; it's just as I said, I found the legal community's focus on this area out of step with their otherwise well-measured calculations of risk and reward.
So, even if there never was a big payoff, the mere potential is a big red flag for the due diligence team (and leverage for negotiations as well). They can add indemnification clauses on contracts (they won't do that for a small company like the OP I guess).
That seems true with pretty much any legal area. But, it's not their job to calculate risk, it's their job to tell you what is legal. It's management's job to decide if they want to take the risk or take the legal advice.
See: https://en.wikipedia.org/wiki/Sergey_Aleynikov
Most GPL projects however don't have expensive, hateful, blood seeking lawyers behind them.
Is a license violation not equivalent to unlicensed use of code?
I mean, if you don't meet the terms of a license, you're not eligible to use the code under that license. That means you have no license to the code, and therefore are in breach of copyright, no?
How is that different from just using someone else's code outright - you're breaching copyright and you're not licensed, no?
If Goldman Sachs ever officially released the software it could be a copyright or license violation but this isn't the case.
The first consequence of this is that only the copyright holder has standing to sue you, not anyone else who thinks they have a right to your code because you violated the GPL terms. They’re just wrong.
The second consequence is that the only remedies for copyright infringement are an injunction and damages related to the copyrighted code. So a court could force you to stop distributing the copyrighted code, requiring you to either (1) remove the GPL code from your product and use a substitute, or (2) pay for a commercial license from the owner. But you would not be forced to release your proprietary code under a GPL license.
Regarding jail for civil cases, no. In the US, we eliminated debtors’ prisons many years ago.
https://sfconservancy.org/docs/2010-07-27_dj-opinion.pdf interesting read
Linking GPL code to incompatible code is against the license terms and since you can't copy/distribute the code without a license you violate copyright if you distribute that code. Nobody, not even the FSF, believes that this means that your code must be under the GPL at that point -- it's just the remedy that the GPL explicitly allows. Other remedies are usually possible from the copyright holder (usually just "stop infringing our copyright"), or imposed by a court.
IANAL, but the act of a user linking GPL code to incompatible code without distribution is not copyright infringement IFAICT. I believe the FSF also agrees with that. In fact the GPL specifically states that you may run the code for any purpose. This leaves a kind of grey area where you could write code that can link to GPL code, but that you leave the end user to do the final linking. In the extreme these are the so-called "binary blobs" in things like the Linux kernel. My understanding is that the FSF thinks that these are an infringement but that other people disagree. I don't think it's ever been tested in court.
Edit: I should point out that the reasoning for it being an infringement is that by intentionally writing code that can link to the GPL code, you are creating a derived work of the GPL code. Whether this argument holds water is anybody's guess and I would love to see it tested in court.
(TYFTC)
Except as I understand it, this is the position pushed by WordPress and other GPL CMS's (Drupal?).
They say that because a theme or a plugin uses WordPress's functions and these are GPL licensed, then you're 'linking' with it and your PHP code has to be GPL licensed too.
To me this is crazy, but no one has challenged it yet.
1: If you are in violation of the license, must you put your code under the GPL? The answer is definitely no. If you are in violation of the GPL you may license your code under the GPL to become compliant (though in V2 and below you also have to be forgiven by the copyright holder(s)). This is an option that you have in addition to the options you have for any other copyright infringement (i.e. going to court). You never have to relicense your code. It's just a way to avoid court. There are definitely people who misunderstand this point, but I don't think you'll find anybody in an official capacity at the FSF who doesn't agree with the above.
2: If you write code that complies with an API in an GPL project, do you need a license? Like I said near the bottom of my other post, that's the grey area. Some people will say yes and some will say no. The idea is that complying with the API necessarily means that you are creating a derived work and are therefore infringing copyright if you don't have a license.
Like you, I initially found this idea to be very strange. However, the Oracle vs. Google court case lends considerable credence to it. In that case Google was found to have infringed on Oracle's copyright by implementing a published API. The judge ruled that it was fair use, though. I suspect (IANAL, remember) that if this was ever ruled upon you would probably get a similar judgement. The situation is fairly different, though, so you never know.
Now, the reason you don't find people challenging this stuff is (I think) mainly because the copyright holders are clear how they stand on the issue. I don't know anything about it, but I'll take your word that this applies to WordPress plugins/themes. You can just go against their wishes, but it's kind of a jerk move. Will anybody sue you if you do it? Will you win a court case? Maybe, maybe not, but you will certainly upset a lot of people so why do it? With the Linux kernel and binary blobs, it's all good as long as you stick with certain APIs. People do it knowing that nobody is going to sue them. NVidia steps over the boundaries, gets yelled at by Linus, but still nobody sues them.
I mean, you can also look at the really weird interpretation of the AGPL that projects like Mongo DB have. Their attitude is way more liberal than the license seems to state (to the point where I frequently wonder if they have actually read the license). But who is going to complain? It's their code -- they can do what they like. They don't have to sue anybody if they don't want to.
An anecdote from 2001:
http://web.archive.org/web/20061106184219/http://docs.gnu-de...
Where do you work that attorneys generally make well-measured calculations of risk? And are you hiring?
Full disclosure: founder is a friend and all around great person.
You basically install a scanner on your machine, feed your sources into it, it hashes them line by line and sends hashes to the mothership for analysis. It then spits out the report that file X, line Y matches something in the open source package Z. At least that's how it worked a decade ago, when we had to do a pre-acquisition source code audit.
https://www.blackducksoftware.com/solutions/mergers-and-acqu...
When was the last time some user of Windows verified whether Microsoft Windows contains some piece of code that Microsoft shouldn't be redistributing?
https://www.computerworld.com/article/2580563/microsoft-wind...
And again in 2015:
https://www.petri.com/no-back-doors-microsoft-opens-windows-...
What would Microsoft say if a customer said "we need to see the source code for Windows, Outlook, Exchange and Office applications before we use them, just as a matter of license compliance"?
Either way, get the review done fast. As they say, time kills all deals.
Wow, I've never heard of this before - it sounds great!
Do you advertise this on your website, or is it just buried in the terms and conditions? I was just wondering how you might get across this info without worrying potential customers with the mere mention of collapse?
Most companies will dictate that you use an escrow provider from their "preferred suppliers" list.
So what our clients dictate is probably irrelevant to your needs.
Or is it more a case of, if we're collapsing, we'll put this in place?
No-one would trust that. If you are collapsing you aren't going to care enough, or the people who do/did both care and know what to include (source, build toolchain setup, documentation) have already gone.
It is surprising, given how important it could be, how little the clients bother to check that escrow updates are happening - so even if the contract says otherwise it could often come down to this!
> Are you actively syncing to a private Git repo?
Some do that, but in my experience it is more common to provide a snapshot (a full copy of the relevant parts of your repo(s) with supporting documents), with a new snapshot uploaded with each major or minor release. Sometimes it isn't released based but instead the client dictates escrow is updated "at least once per year or X months" which to my mind shows that part of the contract was written by a legal/admin person without a lot of technical experience.
Because nobody when they are dealing with a vendor is thinking about how to acquire them. They just want your product.
In addition, I'd love to help your confidence with getting used to the idea that saying no is ok. I remember being in this situation many times and feeling like if we said no we'd lose the client and maybe go out of business.
But truly, clients often ask for things that aren't very important to them and they will not mind being told that the answer is no.
The mistake you can make here is to blow up your no answer into a big deal.
The term I was given for how you should respond is "the principle of the simple explanation." People are totally ready to believe you, so just say no in the simplest way possible.
In the middle of some other response just include a line like:
"Re: source code access. No, our source code is proprietary and we don't share it."
Or even more simply "No, we don't share access to our source code."
E.g people are more likely to cut in line at the copier if you say 'can I cut in line, because I need to make a copy'. Even with an inane excuse like that (everyone else there also needs to make a copy) people are more likely to accept.
So your first example is likely the better one, even though the reason given is basically void of explanatory content.
For some it is more important, and they won't yield, but some proportion will doing something because the cost of doing it is low enough that there's no reason not to.
In that case giving a reason creates a cost in persisting in that you need to consciously think through whether or not it's worth arguing over, and if so what to respond. And sometimes that is enough that you'll just shift your focus to something else and not bother.
I have no doubt the effectiveness will vary greatly depending on type of action, and that it will vary greatly depending on other factors tied to why people wanted to carry out a given action in the first case, of course, but I also think people ask for or do a lot of things where they have not really made a conscious decision that they need it, just decided on a whim that there's no reason not to ask.
Especially with group dynamics involved, it might have been as simple as someone asking a question in a meeting ("do we need the source?" for example) and someone deciding "might as well ask for it, just in case", with nobody actually caring enough to defend it i you stand up to the demand. In that case the need is low enough that even a totally inane excuse for saying no might stand up even if it on the surface looks like a big, important question.
If you want someone to help specifically advise, guide you through the process, and potentially represent you in negotiations, feel free to get in touch and I can probably help.
By way of background, I primarily work with investors who are selling middle-market software companies to larger companies (over 80 or so personally and oversaw another 80 or so, over the last 3 years). I have a lot of insight and experience into contract negotiation from both sides of the table here. I've also worked for/with the big enterprise software players (SAP, Oracle, Microsoft, etc).
To me it’s clear that there are lots of possible scenarios with lots of possible “right” decisions. Without more info, i doubt anyone can give better advice than what’s on this forum.
Certainly a professional should be able to give better advice but only after they get more info on the specifics.
Good luck!
If they want to look at it badly enough they can buy it.
Have your people interacting with them be confident enough to tactfully state they will walk away from the PoC if that is a condition.
Coca-cola hasn't revealed theirs, why should you?
Ask more questions about if they are seeing things in the analytics results that don't look correct... that might be their concern if they are basing business decisions on your software.
It's not the secret sauce though. The models are the output.
The secret sauce is the engine that builds it and companies aren't asking for the source for that.
Personally, I wouldn't be scared of BigCo ripping you off. For the most part, large companies care a lot about staying on the right side of their contracts, and also it's generally really hard for a large company to out-innovate a startup. So I would be pretty surprised to see them steal your source (assuming you put in place an appropriate NDA etc.). EDIT: I'd be even more surprised to see them try to compete; the worst likely case is that they steal the source and stop paying you, not that they steal the source and get into the data analytics / ML business themselves.
However, I think that in the ML world, this "what the hell is the algorithm doing" question is a really common one, and it'd be super-worthwhile to invest in some sort of tooling to peel back the cover of the algorithm a bit. Validation of appropriate responses against future data is a real quagmire right now, to the point that some people are using ML to help find a solution, but then trying to re-implement the logic more traditionally once the ML algorithms figure out what to design for. I think there's something there, at least for a good subset of use cases.
Also, it's common for a large enterprise to require some sort of source code escrow if they do a big deal with a startup. Sounds like this is different than what they're asking for, since the source in escrow won't be available to them until the escrow conditions are triggered. Again, I wouldn't be concerned about signing escrow agreements, but I would make it a negotiation point, rather than a standard term.
We are generally not in the business of the services our vendors provide and don’t have the staff, expertise, incentives or instructional fortitude to compete.
That said, I’d never ask for a vendors source code (especially on a POC) unless I felt like an escrow situation was warranted if they went out of business.
If I were you I’d ask for
1. Something like a non-compete or exclusivity agreement. They will not replicate the functionality internally or work with another vendor.
2. A lot of money to see the source code. If they are trying to learn from what you have, then you are providing them with a material benefit you should be compensated for. Offer to throw in consulting services if their objective is to learn.
Bottom line, cover the risk that they steal your magic or otherwise benefit without you being compensated.
Apple borrowed ideas from Xerox. Microsoft were given source code for Mac in order to keep producing Office for it. Both Apple and Microsoft have copied UX elements off of each other.
But I don't recall Microsoft stealing Apple's code. Maybe copying some GUI elements at most...
As a user of data tools myself, I am generally suspicious of any black box model, and would like to understand the model well before using it. For instant if your model is a deep neural network, I'd like to know the structure of the network and the activation of the layers when I run my data through it.
If they're really interested about the guts of the model they will agree to a solution like that. Having the source code will certainly not help them understand this as it is highly unlikely that anyone will dig into this.
Note that asking for the source code is fairly common practice in finance cause people generally distrust black boxes (at a firm I worked for they specifically chose MySQL over some other tools because they had the ability of looking through the code if they needed to).
There is actually no point for them to look at your code...
You can agree to something where if you go bust, then you'll give them the source code.
Escrow arrangements are common to protect clients from software vendors going bust.
2) Likely they aren't trying to "steal" you IP. They stated their goal as them want to see how your algorithms made their decisions. So just answer as best as you can without giving away your trade secrets.
3) Yes, there is a way to do this with legal protection. Which would be to follow a clean room process. However, this is pretty expensive for a small company to do. So I wouldn't offer it.
Honestly, they are no experts, or they wouldn't need you, so them reading and interpreting your code is a patently ridiculous request.
However, there is a huge opportunity here, based on the fact this is new ground for you and them. If they are truly worrying about justifying later the decisions to be made, then you CAN agree to design a report based on whatever your engine is doing, that shows addditional useful data (i.e., not just the correct decision in each situation, but the likelihood of it being correct or expected return). Invent a middle-ground solution.
Then make them agree TO PAY FOR THIS REPORT AS PART OF THE CONTRACT.
1) The company is not going to acquire you nor will they sue you.
2) They absolutely want to replicate what you've done. It's not so that they can build their own startup and compete with you. It's because they genuinely want to understand how you got the results. Companies are increasingly basing their decisions on ML models and it's not acceptable for them to just "trust your black box". Especially since your model could be based off a misunderstanding of the data.
3) If you decide to say no then chances are they will walk away. Especially in the ML space companies are not going to let their core intellectual property be locked away in someone else's vault. They will simply not work with you.
4) The best way to handle this is simply to get them to sign a NDA or something equivalent that protects you in the case that a rogue employee decides to build a startup him/herself.
I am someone who works in ML for an enterprise company. For god sake give them the code and be grateful they are even doing a PoC with you.
Knowing the sorts of decisions that were made around what types of algorithms and features to use (obvious after a cursory examination of the code) would give them a huge leg-up in developing a similar model.
If it is the first, code escrow is very common. You should probably set this up as a gesture of goodwill even if they don't ask for it.
If it is the second, there are tools that you can run to ensure you don't (you should anyway - though the tools tend to be "enterprise software" and thus expensive for what they do). Once you are sure you are free from that type of them a lawyer can draw up legal indemnification documents.
If it is anything else, this is done - for an additional fee. 20 years ago a company sold us an OS, as I recall the price for source code was $100,000 on top of all other costs. My company refused to pay even though it would have saved far more money if we had been able to understand what the code was doing, and thus been able to integrate our code better.
I'm not sure what legal requirements were in place, but you should defiantly have a lawyer who knows this area of law create the agreement. Not just any lawyer, one with experience is worth paying for - find the lawyer first and pay him $200 to give a high end estimate of his costs to draw up the agreement - this is your minimum price for seeing the code. (which is to say you expect to make nothing after the lawyer is paid unless a second customer also wants source code)
Unlike most I wouldn't reject it. However it should be an additional expense, and it should be covered by some strong legal language.