[Linux-aus] Fwd: StephenWalli: When are you going to sue your customers? (IP risk with OSS)
arjen at mysql.com
Thu Jan 27 10:28:05 UTC 2005
(an interesting article, I think - quite sensible)
When are you going to sue your customers?
By Stephen R. Walli
stephen.walli at gmail.com
A lot of noise is made about open source software (OSS) and intellectual
property (IP) and the risk inherent in large enterprises using OSS. The high
tech headlines are full of news of the SCO Group suit against IBM1, large
vendors like Microsoft offering unlimited indemnifications against IP suits
while claiming people will likely be sued over OSS2, and the like.
The rhetoric follows the logic:
* OSS developers may be trespassing on all sorts of patents.
* OSS developers obviously (sic) don't care about property.
* Customers using OSS therefore run the risk of patent infringement suits.
Intellectual property is distinct from the asset it protects, so lets
establish a few definitions. Intellectual property (IP) refers to a set of
legal tools that one uses to protect an asset. IP law typically covers the
ground of trade secret (how you legally protect an idea as a secret), patent
(how you publish an idea in a legally protected way so others cannot build
it), copyright (how you control the use of the "written" representation),
and trademark (protecting the way you identify the asset). Companies develop
assets that are packaged into products for sale to customers. These assets
may be real works of invention and innovation, or merely represent some
subjectively "better" level of business execution, packaging, and service to
the customer. Not every idea, process, and asset a company owns or develops
is necessarily "property" in a legal sense.
Some vendors are very advanced in their IP strategy. It is not simply the
case where "more patents faster" is a rule. Patents can be a little pricey
when you add up patent attorney fees and the defense of the patent over its
life. So one might want to choose how one is going to apply patent
protection to exactly which assets that make up a product for sale. Indeed
one might choose to aggressively publish some ideas to ensure no one else
patents in that space. In the end, it is a business decision not a technical
issue. The top ten list of patent award winners was published for 2004 from
the U.S. Patent and Trademark Office (USPTO)3. IBM tops the list again with
more than 3000 patents. If you guesstimate US$15,000 per patent for the
application and legal fees, this means they spent more than US$45,000,000
just obtaining the patents. This is the same company that also recently
"released" 500 patents for open source use4. It's a business decision.
The lag between application and issue of the patent in the U.S. is now on
the order of 18 months to two years. This means it is quite possible to ship
a product and not know for quite some time whether or not you are infringing
the claims of someone else's patents. If you're small, no one will probably
pay attention even if you are infringing. But if you're successful with your
product, you become visible and a potential target. The patent holder may
want their fair cut of the proceeds, or if the patent holder is a
competitor, they may want to simply prevent you from "making" and
"distributing" your wares. Software products certainly fall into this window
of risk with the speed that concept to shipping product happens in the
The interesting idea that may force patent reform isn't the fact that the
software industry with its time to market is in jeopardy, but that other
industries start to feel this pain. As the design-to-manufacturing time for
large items like automobiles shrinks within the window of lag time for
patents, other very large ticket items are going to begin to ship and have
to deal with the post distribution infringement problem.
Every day developers may be infringing the claims of other people's patents.
This has nothing to do with open source development methods or licensing. No
developer can actually be aware of it. Developers read the news and trade
journals, and then go to work. There are seldom warnings in articles about
pending patents. Debate rages on whether or not developers should ever
attempt to understand the patent infringement risk for the code they write.
With patents written in legal language and targeted as broadly as possible
(semantic shotguns instead of rifles) it would be almost impossible for a
developer to track the patents relevant to their work. And of course the lag
problem still exists, meaning even if the developer had the time and
training to review patents in their area of expertise, they cannot know
whether or not their work infringes someone's patent claims in any
meaningful time frame. And if it looks like a developer may have attempted
to study the problem, and perhaps misread or misinterpreted a patent's
claims, then they may be construed as having "willfully" infringed a
patent's claims by the court and that brings additional financial damages.
So when Linus Torvalds suggests that developers ignore patents5, he is not
some OSS mongering communist that believes intellectual property has no
value, but rather he's simply working with the reality the system presents
to him. Large software development companies shipping proprietary closed
source products also tell their developers to not investigate the patent
space for the same reasons. It would be interesting for the large vendors to
come forward to discuss their practices for developers around patent
investigation, rather than slinging useless rhetoric.
A number of vendors want customers to believe "intellectual property" is
important, especially things like patents. While most people have a
schoolyard understanding that plagiarism is "bad" which covers copyright
issues, patents are a different kettle of fish entirely which brings us to
the title of the essay. The question in the title is not a rhetorical one.
It is meant as a real question to the chief executives of the major vendors
to help customers best assess their business risk and to best understand
exactly what sort of relationship they have with their suppliers.
Legal IP tools are important for vendors and certainly relevant in
vendor-to-vendor discussions. The idea that customers care about patents,
however, would seem counter-intuitive. Consider the following: when you last
bought an automobile, did you pick the "Honda" over the "Toyota" because the
Honda had more patents in it, or more patents per ton of vehicle, or maybe
because Honda's intellectual property practices were "better" some how? Of
course not. You bought the product that met your needs. It may well have
even been the more innovative product by your own subjective measure, but
whether or not the manufacturer chose any number of legal tools to protect
the innovation wasn't part of your buying consideration. How the vendor's
business process works is of no interest to the customer beyond the actual
customer-vendor interface so to speak. Whether the vendor has a mature IP
strategy, applying for patents, trademarks, and copyrights appropriately,
choosing to keep some ideas trade secret protected, sharing selected IP with
partners or competitors through patent pools and cross licenses, or
aggressively publishing some ideas in the face of their competition is of
little interest to the customer. The customer only cares that the product
serves their needs and provides the value they paid for it.
Next scenario: you are happily driving your Honda when you receive a letter
from Toyota one day telling you that you're infringing their patents6. They
give you the choice to (a.) cease driving your Honda, or (b.) pay them a
license to their patents. You can essentially "pay twice" for the privilege
of driving your car, and for some small sum you can feel free of any
concerns that you are infringing Toyota's patent claims ever again. On this
vehicle. Or for your household. Or maybe it will be offered to you the
customer as an annual license calculated by the number of drivers in the
house and the number of Honda vehicles you own, pro-rated over certain uses,
unless the patent applies to certain other manufacturers as well. What do
you do? Do you even waste time calling your lawyer to figure this one out?
Or do you call the Honda dealership and tell them quite simply to "fix
this." Of course this assumes you don't also receive letters from General
Motors for their patents (frustrated that North Americans are buying foreign
vehicles), Daimler-Chrysler, and Hyundai, so you have the opportunity to
"license" your Honda vehicle from many companies and pay for it numerous
The reality, however, is that Toyota is not going to threaten to sue Honda's
customers. They would like the opportunity to switch those Honda customers
to Toyota's products, not upset them to the point that no Toyota dealership
ever gets a chance at that Honda customer again.
Toyota would have the infringement discussion with Honda directly if it
existed, indeed, it is their responsibility as the patent holder to defend
it appropriately. Vendors sue vendors over intellectual property claims.
Customers have even been known to sue their vendors in specific situations
when the vendor fails to deliver on the promise in a contract. Oddly enough
vendors never sue customers in any sort of broadly applicable way. There is
a really simple rationale behind this. Once a vendor sues a customer, they
have essentially told that customer they never want that customer's business
again. That might even be appropriate in a narrow situation where there
exists some sort of explicit dispute between exactly the two parties. If
however the dispute is over something like "patent infringement" that can
easily be applied broadly to many customers, then all the vendor's other
customers are put on notice that this vendor does not care about the
relationship and continued business. New potential customers can see that
this is a vendor that may attach law suits to the relationship, and will
quickly factor that into the risk analysis on the potential purchase. The
vendor's top salespeople will discover their phone calls stop getting
Intellectual property is important - but between vendors. Cross licenses,
patent pools, and simple licenses exist and are business as usual.
"Litigation is just another means of discussion."7
This of course leads to the discussion of enterprise indemnifications and
insurance. Open Source Risk Management, Inc. has a detailed white paper
covering ideas on risk mitigation and insurance, but more focused on
developers that modify the source and vendors, rather than enterprises that
simply use products based on the OSS projects.8 The major vendors are coming
forward with various sorts of indemnifications.
The idea that as an enterprise (not a vendor or developer) one might want to
buy insurance against such risk is interesting. One insures ones assets, not
one's liabilities. I insure my life and health as it relates to earning
power for the household. As my salary goes up over time, I might increase
that insurance. Likewise I insure my car, but as the value of the car
depreciates over time, I remove insurance from the vehicle as it relates to
replacement of the devalued "old clunker." I don't insure my children.
So what is the real risk of a vendor suing an enterprise customer? How
should one consider the risk of such a suit against the depreciating capital
cost of the computer systems investment made several years ago? Does the
vendor rhetoric around indemnification help or hinder the discussion? This
is one of those situations where Robert Lefkowitz may be right in his
statement that it's the accountants we need to fear in the OSS community,
and not the lawyers.9
In the Fall 2004, Microsoft made a very public promise of indemnification to
Microsoft customers for patent infringement cases against their products10.
This follows in the wake of the Fall 2003 Novell11 and HP12 indemnifications
against various IP infringement suits against Linux if you purchase the
systems from them. The Novell and HP statements were in reaction to the SCO
Group suit against IBM. When you think about it, the Microsoft promise of
indemnification to customers is a legal statement of business reality. Would
any vendor in the situation where a customer is sued by another company for
infringement for using the vendor's products not name themselves to the suit
as a co-defendant? Would the product vendor trust that a customer (and
likely an angry one at that) was the first line of defense against building
precedent in a court for the infringement? While in some cases a customer
may even have more money than the vendor as a legal target, one can bet that
the mainstream vendors (HP, Novell, Microsoft, etc.) will be more than
interested in running their own defense case. They might be subtle enough to
approach the customer on the receiving end of the suit to request the
customer goes it alone for other considerations, but even then, their image
as customer defender is probably more valuable. They would likely do
whatever it took to be named co-defendant in a real hurry. They want to be
primary defense for their own patents. The press value is high to be seen as
the defender of customers. They value that particular relationship and
probably want to continue to sell to that customer.
It's not that these corporate indemnification promises aren't good - but
they are redundant to any vendor worth its customers. You can bet the
corporate accountants and lawyers did the analysis against the value of the
company to its shareholders before making "open ended" promises.
But what about SCO Group? Isn't this a case where a vendor is suing
customers? I think logically they have declared themselves. Santa Cruz
Operation was a company with a product it sold to customers. They are no
more. Through all the business acquisitions and deals they have been
acquired by the Canopy Group and renamed to the SCO Group. The SCO Group
appears to be a litigious engine that is designed to sue another vendor for
damages, not unlike previous legal forays of some Canopy Group companies.13
SCO Group appears not to be in business to sell to customers, indeed they
can "sue a customer" to appear to put pressure on the primary lawsuit. The
Daimler-Chrysler and Autozone suits hit the news in March 2004.14 So far the
tactic has failed in relation to the primary suit. This is not a business
with customers, but a legal play to siphon money out of the system.
So as OSS continues to deploy and grow in enterprises, those companies will
need to consider the source of the technology they use, and their vendor
relationships, which is no different than any other technology shift in the
past decades. As for OSS developers and vendors themselves, David McGowan
may have said it best:
"If the F/OSS community wants to be in commercial space, community members
will have to learn to deal calmly with IP litigation. The F/OSS production
model will work where it makes sense, and it will not work where it doesn't.
It's really just that simple. Particular claims in individual suits-even one
against a flagship program such as the GNU/Linux OS-will not determine the
fate of the community. Such cases present factual issues that will get
resolved one way or another; they do not represent a crisis for F/OSS
production as a whole. Norm entrepreneurial rhetoric that plays off such
cases should be treated as entertainment. Enjoy it if you like it, take
inspiration from it if you must, but don't confuse it with the way things
actually get done."15
1 Cnet's archive over the past two years is at:
2 http://www.internetnews.com/ent-news/article.php/3438191, confirmed 20
3 http://www.uspto.gov/main/homepagenews/bak11jan2005.htm, confirmed 20
4 http://www.ibm.com/ibm/licensing/patents/pledgedpatents.pdf, confirmed 20
5 http://lwn.net/Articles/7636/, confirmed 20 January, 2005.
6 My apologies to Toyota. Someone needed to be the "bad guy" in the example.
Our household has been and remains happy Toyota and Honda customers. The
example also holds true regardless of whether one is a simple household or a
company with a fleet of vehicles.
7 McGowan, David, "SCO What? Rhetoric, Law, and the Future of F/OSS
Production", Version 1.2: 6/12/04, p.3, available at
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=555851, 20 January, 2005.
A thoroughly enjoyable paper on the subject of rhetoric as a tool for norm
confirmed 20 Jan, 2005.
9 Lefkowitz, Robert, "The Semasiology of Open Source", O'Reilly Open Source
Conference, Portland, OR, 28 July, 2004.
confirmed 20 January, 2005.
11 http://www.novell.com/licensing/indemnity/register/index.html, confirmed
20 January, 2005
12 http://www.hp.com/hpinfo/newsroom/press/2003/030924a.html, confirmed 20
13 http://www.forbes.com/2003/06/18/cz_dl_0618linux.html, confirmed 27
15McGowan, David, "SCO What? Rhetoric, Law, and the Future of F/OSS
Production", Version 1.2: 6/12/04, p.26, available at
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=555851, 20 January, 2005.
[end of forwarded item]
Arjen Lentz, Community Relations Manager
MySQL AB, www.mysql.com
MySQL Users Conference (Santa Clara CA, 18-21 April 2005)
Early registration until February 28: www.mysqluc.com
More information about the linux-aus