When I publish source code under an open source licence I make public only one part of a projectโ€™s know-how: the text of the program. The operational data, the build and deploy procedures, the domain knowledge and the experience accumulated in keeping it running in production all stay outside. These elements can stay covered by know-how protection, because that protection rests on the information being kept secret in fact, not on the copyright regime of the source.

I keep two things apart that are often confused: the licence under which I distribute the code, and the secret I may retain over everything the licence does not cover. They are two distinct legal planes. Whoever knows where the boundary runs releases with full awareness; whoever does not, through carelessness, ends up giving away information that remained lawfully protectable.

What the law means by know-how

The most precise working definition is the European one. Commission Regulation (EC) No 772/2004 on technology transfer agreements (art. 1) describes know-how as a package of non-patented practical information, the fruit of experience and testing, that is secret, substantial and identified:

  • secret, in the sense that the body of information is neither generally known nor easily accessible;
  • substantial, because significant and useful for the production of the contract goods;
  • identified, because described in a sufficiently complete manner to allow secrecy and substantiality to be verified.

At the international level the TRIPS Agreement (Trade-Related Aspects of Intellectual Property Rights, annexed to the agreement establishing the WTO, 1994), at art. 39, requires member states to protect undisclosed information against use by third parties in a manner contrary to honest commercial practices, on three cumulative conditions: the information is secret, has commercial value precisely because it is secret, and has been subject to reasonable steps to keep it so.

In Italy the protection rests on arts. 98 and 99 of the Industrial Property Code (Legislative Decree 30/2005), which recognise secret information as the object of an industrial property right, and on arts. 622 and 623 of the Criminal Code, which punish the disclosure of professional secrets and of scientific or industrial ones. The thread holding all these sources together is the condition of secrecy: lose that, and the protection falls away.

What an open source licence actually publishes

The Open Source Definition maintained by the Open Source Initiative requires, among other things, the availability of source code and the freedom to make derived works. The licence acts on the copyright in the code: it grants permissions of use, copying, modification and redistribution that copyright would otherwise reserve to the author. It does not, and cannot, act on information that does not appear in the code.

A strong copyleft licence such as the GNU General Public License v3 (29 June 2007) carries this principle as far as forbidding the distributor from imposing further restrictions on the rights it grants: whoever distributes a GPL-covered work cannot layer a confidentiality agreement on top to limit its redistribution. But the constraint concerns the distributed source and its derivative works, not the whole body of knowledge held by the person who wrote it.

Hence the most important operational distinction:

  • when I distribute a GPL binary I must make the corresponding source available, that is the code needed to build that binary. This becomes public;
  • everything not needed to reproduce the distributed binary can stay outside: the proprietary datasets the software runs on, the tuning configurations for a specific load, the operational runbooks, the test results that led to a given architectural choice.

The textbook case is so-called tivoisation, against which GPLv3 introduced explicit defences: a device distributes the licence-compliant source but blocks the execution of modified versions, accepting only firmware signed by the manufacturer. The source is public; the signing key โ€” the operational know-how that leaves control of the device to the manufacturer alone โ€” is not. GPLv3 responds by requiring the installation information, but the principle stays the same: publishing the code does not mean publishing everything needed to make it work.

The architecture of the residual protection

For someone keeping an open source project, protecting the residual know-how always rests on the same requirement โ€” reasonable steps to keep secret the information that stays outside the release โ€” and works on three fronts.

Towards employees and collaborators. Article 2105 of the Italian Civil Code imposes on the employee a duty of loyalty that forbids them to disclose and to use for competitive ends information about the organisation and production methods of the firm. The Court of Cassation (judgment no. 25008/2001, on the disclosure of industrial secrets under art. 623 of the Criminal Code) recognised the lasting reach of confidentiality clauses, which bind even after the relationship ends. The fact that the code is public does not release the employee from the duty over the parts that are not.

Towards third-party licensees. When know-how leaves the firm โ€” in a support, integration or dual-licensing arrangement โ€” the instrument is the licence agreement, which EU law distinguishes into pure know-how agreements and mixed know-how/patent agreements. The duty of confidentiality over the information received is part of the contract even without an express clause: without secrecy there is no know-how, and the contract takes this for granted.

On the technical perimeter of the release. Choosing which files to version-control and which to keep out of the public repository is the first safeguard. A private key, an internal endpoint or a calibrated parameter that ends up by mistake in the history of a public repository stops being secret: disclosure, even negligent, removes the condition of secrecy required by TRIPS art. 39(c) and by Reg. EC 772/2004.

Operational implications

Anyone releasing open source software should treat the boundary between published source and reserved know-how as a design decision, taken before the first public commit and not after. In practice:

  • map which information is needed to reproduce the distributed binary (this follows the licence) and which is not (this can stay secret);
  • do not version-control credentials, proprietary test data, production configurations: once in the public history, they are disclosed;
  • keep confidentiality clauses in employment relationships and in third-party contracts even for open projects, because they cover what the licence does not touch;
  • document the measures taken, because protection under art. 98 of the IP Code and TRIPS art. 39 presupposes being able to demonstrate the reasonable steps taken to keep the secret.

Limits

Secrecy is not an exclusive right. Unlike a patent, which protects even against someone who reached the same solution on their own, know-how is protected only against improper acquisition or use: lawful reverse engineering of a released binary, or the independent development of the same knowledge, remain legitimate. Once a piece of information becomes generally known or easily accessible โ€” through someone elseโ€™s publication or an inadvertent leak โ€” the protection ceases and does not come back.

One last caveat: the sources cited here set principles, not automatic outcomes. Deciding whether a specific piece of information is protected know-how, and whether a specific clause is effective, remains a case-by-case assessment that falls outside this technical note and calls for the opinion of those who handle the legal side.


https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32004R0772 https://www.wto.org/english/docs_e/legal_e/27-trips_04d_e.htm https://www.gnu.org/licenses/gpl-3.0.html https://opensource.org/osd https://www.noze.it/en/insights/know-how-proprieta-intellettuale/

Cover image: The metal vault holding the secret Coca-Cola formula, on display at the World of Coca-Cola in Atlanta โ€” photo by Mx. Granger, CC0 โ€” https://commons.wikimedia.org/wiki/File:Vault_of_the_Secret_Formula_at_the_World_of_Coca-Cola.jpg