Government contractors that sell software to the federal government, either directly or indirectly through a reseller agreement, frequently attempt to preserve and protect their copyright and other intellectual property rights by incorporating commercial licensing terms from an End User Licensing Agreement (EULA) into their government contracts. Many in-house lawyers have been closely monitoring questions related to EULA enforceability because the inclusion of favorable terms in a EULA can have a tremendous impact on the rights and obligations of all parties to a contract with the government. Two recent cases from government contract tribunals evaluate the limits on the enforceability of EULAs incorporated into government contracts and show the ramifications of failing to completely understand their terms.

4DD HOLDINGS, LLC V. UNITED STATES

In 4DD Holdings v. United States,1 the U.S. Court of Federal Claims recently unsealed an opinion ordering the government to pay US$12.7M in damages to a software developer for copyright infringement. This ruling, which determined that a U.S. Department of Defense (DOD) contractor made thousands of unauthorized copies of the plaintiff's software, highlights the risks, to both the government and contractors, of misunderstanding software copyright requirements in federal contracts.

For many decades, the U.S. Department of Veterans Affairs (VA) has stored health records of military members across poorly connected databases, which has made it challenging for health care providers to access the records when needed. In an effort to address this issue, the DOD awarded a contract to Systems Made Simple (SMS) to create a single access point for providers that would easily allow them to access all VA health records regardless of the database in which they were stored. SMS used a commercial software suite called Tetra Healthcare Federator, owned by 4DD Holdings (4DD), to create this centralized database.

Tetra Healthcare Federator is a software suite consisting of four separate applications. Three of the applications, Tetra Services, Tetra Audit, and Tetra Snap Cache (collectively, "Tetra Healthcare"), are responsible for the main functionality of the software suite. Tetra Studio, on the other hand, is an internal programming tool that allows software engineers to adjust the Tetra Healthcare applications to the needs of the user. Importantly, these groups of applications are licensed in different ways. Tetra Healthcare is licensed on a "per core" basis, which requires users to have a separate license for each core of every individual computer upon which the software will be used. In contrast, Tetra Studio is licensed on a "per seat" basis, which requires a separate license for each individual user of the software.2

The government separately contracted with 4DD to license 64 cores of Tetra Healthcare and 50 seats of Tetra Studio, paying roughly US$1M in total licensing fees. In contracting for these licenses, the government signed a EULA supplied by 4DD, which expressly prohibited the government from making copies of the software. Discovery revealed that only two government employees were aware of the EULA; the employees admitted that they never informed SMS of the restrictions in place under the EULA.

Unaware of the EULA restrictions, SMS chose to use a software development method requiring software programmers to use "virtual machines" as part of their work. What the government failed to understand, however, and what SMS was not aware of, is that under the EULA, a separate license to use Tetra Healthcare software was needed for each use by virtual machines. By employing these virtual machines, SMS copied Tetra Healthcare tens of thousands of times across hundreds of thousands of cores. The court found that a government employee then proceeded to delete evidence showing the extent of the unauthorized copies, including copies of the software, data on laptops issued to SMS employees, and data stored on servers with which those employees were working. As a result, the court heard testimony from experts on both sides, who attempted to retrace the government's footsteps to calculate the number of unlicensed copies of Tetra Healthcare that were ultimately created.

Normally, software developers like 4DD "design their software to alert them when a copy of their software is activated."3 However, due to the security requirements of government networks, companies that contract with the government are sometimes unable to employ such tracking tools. For that reason, the government is responsible for self-reporting the number of licenses used, as was the case in 4DD Holdings. To assist with this process, 4DD created a tracking portal that government employees would use to request extra copies of the software, which would keep track of all licenses. Yet, not only did the government employee managing the tracking portal "never look[] at" the tracking portal, she also failed to monitor the number of licenses in use or the copies made of 4DD's software. The employee did, however, continue to request new licenses from 4DD, exceeding the agreed-upon number by at least 68 computer cores. This excess use eventually led 4DD to file a copyright infringement suit, ultimately revealing the extent to which the government had improperly copied 4DD's software.

In a previous ruling on the same matter, the court enforced the EULA against the government, despite the argument that the government did not authorize or consent to the full extent of SMS's copying of the software.4 The court later determined in its second opinion that the government was liable for copyright infringement because "(1) the copies include[d] original software code, and (2) the copying exceed[ed] the scope of the license agreement."5 The court also rejected the government's affirmative defense that 4DD previously had released the government of any infringement liability in a true-up negotiation that took place after 4DD learned of the initial infringement. In that negotiation, the government had conceded to only exceeding the number of authorized licenses by 168 cores, which the court held to be a material misrepresentation.

Turning to damages, the court determined the actual number of licenses by which the government and SMS had exceeded the EULA. Finding that the government had unclean hands (due to its unlawful conduct and material misrepresentation), the court found, despite conflicting expert testimony, that the government had created 47,030 unauthorized copies of Tetra Healthcare used across 290,334 cores, and 41,925 unauthorized copies of Tetra Studio used across 171,421 seats. Ultimately, the court awarded 4DD US$12.7M in damages resulting from the copyright infringement.

AVUE TECHNOLOGIES CORP. V. U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES

In another recent case involving the applicability of a EULA to a government contract, software company Avue Technologies Corporation (Avue) sued the U.S. Food and Drug Administration (FDA) claiming that the agency breached a EULA agreement and misappropriated its data. In this case, however, Avue did not hold a contract with the FDA, but instead sold its software, Avue Digital Services (ADS), indirectly through a reseller, Carahsoft Technology Corp., on Carahsoft's GSA Federal Supply Schedule contract. Avue and Carahsoft entered into a Master Subscription Agreement containing a EULA that limited the number of users of the ADS software.

Avue filed a claim at the Civilian Board of Contract Appeals (CBCA) claiming that the FDA misappropriated its data in violation of the EULA. The CBCA dismissed the claim, finding that the Master Services Agreement and EULA did not create a procurement contract between Avue and the FDA. According to the CBCA, the EULA was not a contract for "the acquisition by purchase, lease or barter, of property or services for the direct benefit or use of the Federal Government."6 The CBCA found that Avue's EULA "lack[ed] core aspects of a CDA procurement contract."7 Specifically, the government purchased ADS subscriptions from Carahsoft under a Federal Supply Schedule (FSS) contract, not directly from Avue under its EULA. The CBCA also explained that Avue's EULA did not alone obligate Avue to furnish any services unless such obligation was incorporated into a separate federal contract between Avue and the government. But because it was not, the EULA did not obligate the government to pay Avue directly for an ADS subscription. The CBCA therefore found that it lacked jurisdiction to hear Avue's claims under the Contract Disputes Act because the government's contract was with Carahsoft, not Avue. The CBCA explained that "[t]he scope of the license to end users may be considered an integral feature of Carahsoft's FSS offering of ADS, but the 'acquisition by purchase' of ADS occurs when an agency orders a subscription from Carahsoft, the schedule holder."8 Thus, the CBCA concluded the EULA did not protect Avue, the software developer that did not contract directly with the federal government.

Avue has appealed this decision, and the central question of whether a EULA can be considered a stand-alone procurement contract, or related to a procurement contract by incorporation, to afford privity with the government to anyone other than the prime contractor––i.e., the reseller––is now a question for the U.S. Court of Appeals for the Federal Circuit to determine. Oral argument occurred in October 2023, and a ruling is expected this year.

LESSONS FOR CONTRACTORS LICENSING SOFTWARE TO THE GOVERNMENT

These cases demonstrate that it is critically important for software companies to ensure that their copyrights are protected from unauthorized use on the front end of the contract. Parties should make sure that the rights of the government and the rights of the software owner are clearly set forth in writing, expressly incorporating EULAs. Beyond this, however, any party licensing software to the government should carefully examine each of the IP clauses in the Federal Acquisition Regulation to ensure that the company understands both the licensing scheme and how the software will be used and by whom, and then negotiate any specific exceptions to the standard requirements.

Further, these cases highlight how crucial the issues of EULA enforceability and software license tracking are when licensing software to the government. As in 4DD Holdings, software owners may be able to recover damages if the plaintiff can prove that the government improperly made unauthorized copies in excess of what it licensed under the agreement. Software owners should implement a system to closely monitor the license and determine in writing a plan for holding the government accountable for tracking software license use.

Finally, for software companies that continue to sell to the government indirectly through resellers, regardless of the outcome in the Federal Circuit decision, the resellers have privity of contract to bring a direct claim against the government for violation of a EULA that was incorporated into the prime contract. Therefore, to avoid the CDA jurisdiction issue, the CBCA's decision in Avue Technologies reinforces that software companies should ensure that they have adequate language in their reseller agreements to require resellers to "pass through" or sponsor claims the software company may have against the federal government in the event of an intellectual property violation.

Footnotes

1. 4DD Holdings, LLC, and T4 Data Group, LLC v. United States, No. 15-945C, 2023 WL 8290926, at *4 (Fed. Cl. Aug. 22, 2023).

2. Per Seat License, PC Magazine, https://www.pcmag.com/encyclopedia/term/per-seat-license.

3. 4DD Holdings, LLC, 2023 WL 8290926, at *3.

4. 4DD Holdings, LLC, v. United States, 143 Fed. Cl. 118, 130 (2019).

5. 4DD Holdings, LLC, 2023 WL 8290926, at *11.

6. Avue Tech. Corp., CBCA No. 6360, 6627, 22–1 BCA, ¶ 38,024 (Jan. 14, 2022).

7. Id.

8. Id.
