Rob Buckley – Freelance Journalist and Editor

Buying protection

In the wake of SCO's legal action, a variety of indemnification and insurance schemes have sprung up. But are they worth the investment?

Imagine being bankrupted and put out of business. It’s a terrifying thought for many companies. As well as simply the fear of failure and the humiliation, there’s the little matter of all those hundreds or thousands of hard-working employees forced into unemployment through no fault of their own. But how much worse to be bankrupted not for anything you’ve done wrong or because of some Act of God, but because of something you bought in total innocence from a perfectly reputable company?

SCO – the name is enough to trigger both nausea and venom in equal amount from even the most civilised GNU/Linux user – has raised such a fear in the minds of companies around the world. The self-proclaimed “owner of the Unix operating system” has an ever-changing ongoing lawsuit against systems giant IBM. Originally, that rested on one main allegation: parts of the Linux kernel contain Unix code that IBM illegally gave to the open source community. If IBM had been the only target of SCO’s suit, few people would have been worried. But SCO argues that since the binary version of its code is inside practically every Linux kernel installed on computers worldwide, Linux users are using stolen property and should pay SCO a licence fee for every machine on which they’ve installed the kernel – and they’ll sue anyone who refuses.

To hammer the point home, SCO sent letters to over 1,500 corporate Linux users and filed lawsuits in the US against car manufacturer DaimlerChrysler and car parts specialist AutoZone. Now, even though SCO no longer alleges that IBM transferred code into the Linux kernel, it is continuing with its suits against DaimlerChrysler and AutoZone, maintaining that someone did. And they’re just the beginning.

“Lots of companies are taking a kind of ‘wait and see’ approach because the perception in the market is that if the IBM case is settled, then there’s still time to discuss,” says Gregory Blepp, vice president of SCOSource. “We are taking the firm position of saying the IBM case and the customer-usage of Linux are two completely different cases. The problem with IBM is a breach of contract; but we have contacted customers, saying they are using software that uses our intellectual property. We have contacted 1,500 customers globally, formally stating we have a problem with the software which is being used out there in the market and requesting compliance with our intellectual property rights.” SCO is offering the lucky recipients of their letters the chance to settle by buying a licence for each server or desktop equipped with a Linux kernel or they “may need to see us in court”, says Blepp.

Naturally, this is frightening some bigger organisations and companies away from deployments based around GNU/Linux. Forrester, an independent technology research company, polled 36 North American companies in May this year to see how the SCO suit was affecting their views of GNU/Linux. Thirteen of those companies said they were concerned about the legal questions surrounding GNU/Linux (including the SCO/IBM suit), with those not using GNU/Linux slightly more concerned than those that do.

This, of course, worries those groups that would like to see GNU/Linux and open source software adopted in the enterprise. They’ve been looking at ways to end the fear, uncertainty and doubt caused by SCO and the most common solution so far chosen is indemnification. And if that just happens to give them a chance to get ahead of the others in the market, all the better for them.

On paper, indemnification is similar to insurance; it differs mainly in terms of who can provide it (not just insurance companies, which need to abide by certain financial reporting restrictions and so on). A software indemnity will typically say that if the user is sued by a company for some kind of intellectual property problem, the indemnifier will cover some or all of the costs. But like many insurance policies, the devil is in the details.

For instance, indemnities can stipulate that the GNU/Linux distribution has to be running on a specific vendor’s hardware; it has to have been bought from a specific company; the indemnifier has to have audited your code or you must not have changed it in any way; you have to have spent a certain amount of money with the company or taken out support and maintenance contracts with it; only certain kinds of lawsuits might be covered; you might have to agree to hand over your legal defence to the indemnifier; you might have to change your working practices; there may be an upper limit on how much the indemnifier is willing to pay out or which parts of your total costs are covered (is it just your legal defence or does it include expenses or damages if you lose the case?); or the indemnifier may only offer to replace “bad” code with new code.

Currently, there are few companies offering indemnification of customers of GNU/Linux, although indemnification is more common in the closed source/proprietary world.

“If you look at things like consumer software, they’re likely to provide limited or no indemnity,” says John Salmon, a partner at law firm Masons. “With more specialist software to a more limited market which is expensive, some would expect some further indemnity.”

“When you pay to use someone’s software, you want to be sure you’re entitled to use this thing – that it’s not ripped off from some third party. You’re paying for the right to use this, so you want to make sure it’s a valid right,” adds Simon Halberstam, a partner at Sprecher Grier Halberstam. “When I advise my clients, I advise them to demand an intellectual property indemnity. I’d find it very difficult to advise clients to go through with a contract if they didn’t get that comfort. With open source, it’s a different environment though; although it would be desirable to get an indemnity, it’s understandable if I don’t get it because I’m getting such a good deal anyway: it’s unreasonable to expect the owner to take on liability for that as well.”

However, closed-source indemnities are not as ubiquitous as might be thought, even in the enterprise software world. HP, for instance, while it does offer an indemnity policy for end-users running Red Hat and SuSE Linux on its hardware, doesn’t offer an indemnification on its other products. “Our indemnity programme is basically targeted at an issue in the market [the SCO lawsuit],” explains HP’s worldwide Linux marketing director Efrain Rovira. “It’s very specific as to the need: I can’t recall any time we’ve needed to do this in the past.”

Notably, open source champion IBM is an indemnification-free company. It refuses point-blank to indemnify its GNU/Linux-using customers, arguing that: it would be impossible to put in place a sensible indemnification policy that is in keeping with the spirit of open source; since no single company provides it, users understand that there are no warranties or indemnities that come with Linux; and even that since the claims that have been alleged by SCO against IBM “have no basis”, no indemnification is needed.

The company has received a lot of abuse for this failure to indemnify. “IBM is being hypocritical,” accuses Sun president and chief operating officer Jonathan Schwartz. “If the issue is a non-issue, why don’t they indemnify their customers? And if they don’t need to indemnify, why do you have the world’s largest patent litigation team inside IBM suing the bejesus out of the entire industry?”

IBM is at least consistent, since none of its open source code is indemnified, including its highly popular WebSphere application server, and neither is AIX, its closed-source Unix operating system. And IBM doesn’t have its own GNU/Linux distribution and doesn’t install it onto servers or desktops: it relies on third parties or end users to add the operating system to its hardware, so can happily argue it shouldn’t have to indemnify a product it doesn’t actually sell.

IBM also raises another major issue that other companies have had to grapple with: it didn’t develop Linux by itself and doesn’t know for sure where all the code comes from – how can it take the risk of indemnifying its customers against possible copyright infringement when it doesn’t know for sure there isn’t some other company’s code illegally embedded in Linux?

For companies such as Novell, it’s a balance of risks. Novell automatically indemnifies users of all its closed source software since, “We developed it, we have control over it, we know the engineers who developed it and we have the engineers with appropriate agreements that transfer the intellectual property rights to Novell,” says Nitin Maru, vice president of legal affairs for Novell EMEA. But its open source indemnification is comparatively limited in scope. “On the open source side, you never know: the risks are greater. What we’ve taken is a calm and measured approach, balanced against the risk to Novell and the duties we have to our shareholders against our duties to the open source community and what is needed out there to push open source further and further into the enterprise.”

This lack of control over open source developments and the possibility that more companies may try to repeat SCO’s stock-price-raising lawsuit – one with perhaps greater chances of success or maybe even a stronger case – means that Novell is one of the few companies that have been willing to go out on a limb and indemnify customers of an open source product against any copyright suit that might emerge. And it thinks it has a competitive advantage in doing so.

“I strongly believe it has given us an advantage,” maintains Maru. “It’s been proven in several customer situations. I’ve had emails from two or three customers looking at different distributions, and while there were other areas that interested them, a key differentiator was the fact they would get indemnity from Novell.”

Other companies agree that indemnification is definitely proving attractive to some customers. JBoss’s European general manager Sacha Labourey says that companies are interested in talking with the firm because of the indemnification it now offers on its open source application server. “We had some different opinions inside the company at some point, but now the result is clear. Large companies do care about indemnification.” HP’s Rovira says his company’s policy is “of great value and a leading differentiator for our sales people,” while Forrester’s survey of North American companies showed that 27% of them would be interested in an indemnification programme.

But how much of this is marketing hype, cashing in on the fears of end-users that SCO has raised? Does anyone really need an indemnification policy or is it just a tool to get companies to buy from one vendor rather than another?

Certainly, UK users appear to have little to fear at the moment. “Check your licence agreement and see what it covers, but as far as the UK user is concerned, sit and wait and see what happens,” advises Masons’ Salmon. “There’s no certainty SCO will win the case and there’s no certainty there’ll be any case at all in the UK or they’ll try anything in the UK.” That’s not to say people shouldn’t be commercially sensible, he adds: “When buying any software, whether open source or not, you’ve got to look at what the licence agreement is and see what protection it provides.” And developers using open source software should look to their existing professional indemnity (PI) policies. “A lot of developers will have their own PI policy that will cover all of this: most will have an insurance policy for infringing copyright.”

Bruce Perens, a long-time open source developer, co-founder of the Open Source Initiative and a member of the OSRM board of directors, says that vendor-provided indemnification policies aren’t for everyone. “Pretty much every business of a certain size has a liability policy. They know they will be liable in some way, from time to time, so insure themselves against those risks.” He also points out that an indemnification policy might not ensure the end-user isn’t out of pocket from lawsuits. “I surmise that a lot of the companies that claim to offer indemnities would go bankrupt if forced to pay those claims. Most of them do not have an insurance policy that covers their payment of those claims.”

Nevertheless, with insurance premiums still sky-high since 9/11, many organisations with insurance policies are looking to their suppliers for indemnification, if only to avoid an increase in their premiums.

Another important issue for the UK is the question of legal costs, which is likely to discourage suits against end users. “It’s a very litigious environment in the US,” says Novell’s Maru. “The primary difference is that if you lose the case here, you pay the other party’s costs. If SCO sued IBM in Europe and lost, they would be paying all of IBM’s costs. In the US, they don’t have to do that, so there is great incentive to sue people.” In the UK, unless the person suing you has a good case, it’s unlikely they will sue you, particularly if the chances of getting money out of you are small.

“It’s unlikely the end user will be the target; it’s likely to be the company that ripped off the code that’s the target,” elaborates Simon Halberstam. “If you sue, you’re less likely to get the damages you want, and it’s less likely you’ll be able to put together a strong legal case since the end-user will be able to say, ‘I was unaware of this and I used it in innocence’. If you get a judgement, the damages are likely to be reduced substantially since they were innocent of what they were doing.”

Forrester analyst Richard Fichera also points out that even if SCO wins its suits and comes after large companies with plenty of assets, these companies still have plenty of options. “To the best of our knowledge, there have been no cases of end-users being held liable for vendor infringement on a widespread basis in the history of the computer business. And if SCO is planning to build a business (which is arguable), it eventually must start behaving like one. Regardless of the legal situation, a business is not built by threatening to sue prospective customers that have alternatives.”

What concerns many organisations more than a lawsuit, however, is the thought of having to migrate from GNU/Linux to another platform. Migrations typically cost hundreds of thousands to millions of dollars and this cost has stopped many corporations moving from Windows or Unix to GNU/Linux in the past. Companies considering a move away from Windows or Unix are more concerned by the thought of spending money on two migrations than they are by the thought of a relatively unlikely copyright suit. It is, after all, one thing to violate copyright in innocence because of something a supplier did; it is quite another to carry on using that software after it’s been proven in court that it contains stolen property, particularly for big corporations concerned about the bad press they will get as a result, so they would have to migrate away from GNU/Linux in such an event.

It might be, despite the scorn heaped on it by other vendors, that Red Hat’s Open Source Assurance Programme is genuinely what a prudent large enterprise wants: the guarantee that the enterprise can carry on using software even after it has been found to violate copyrights. If you peel away the indemnification hype surrounding many of the policies available, you’ll find that the likes of Novell will also guarantee that they’ll change the software to make it legally unproblematic – they just prefer to focus on their indemnification policies.

With SCO the only company currently threatening open source users, the case for indemnification seems weak at the moment. But SCO is not the only snake in the garden. Kenneth Brown, president of the Microsoft-funded Alexis de Tocqueville Institution, is alleging that a survey he has conducted has shown that open source software is “often taken or adapted without permission from material owned by other companies… to this day, we have a serious attribution problem in software development because people have chosen to scrupulously borrow or imitate Unix.” Even if SCO’s suit is unsuccessful, it’s likely that some companies that saw SCO’s stock-price leap in response to its ongoing legal proceedings will consider copyright suits, particularly if Brown can support their arguments.

“The main question is how society will evolve,” argues JBoss’s Labourey. “We’ve seen the growth of legal issues all over the place, and it was much less of a problem 15 years ago.” More copyright suits are likely in the future, maintains Labourey.

At the moment, indemnities are mostly designed to differentiate their providers in the marketplace and to reassure larger companies that open source is enterprise-ready and is not a risk. While they offer some protection, they often overlap with existing policies, are unlikely to be ever used, are not available to smaller customers and may provide little coverage if the worst happens – an unlikely event in any case. But those same accusations can be levelled at any form of insurance. With the chances of future SCO-like lawsuits occurring by no means unlikely and a SCO win not totally out of the question, the issue comes down, as with any insurance policy, to risk: the worst will probably never happen, but if it did, could you afford it?
