December 5, 2005

EULAs, indemnification, and user protection

Author: Bruce Byfield

End user licence agreements (EULA) are nobody's favorite reading. Users of free and open source software (FOSS), who are accustomed to licences that give no warranty and admit no liability, may be even less inclined to read EULAs than most computer users. Perhaps, though, we should start. Over the last few years, commercial GNU/Linux distributions have been wrestling with the question of whether users should be indemnified in the event that a third party patent is upheld -- and, in some cases, their answers are starting to appear in their EULAs. However, whether these varying answers offer better protection than the GNU General Public License remains unproven.

Until recently, EULAs in GNU/Linux have been short and to the point. As far as legally possible, they offer no warranty, and liability is never mentioned. Many non-commercial distributions and projects, such as the Debian Project, continue to be released under such licences. The idea of adding language about indemnification, says Branden Robinson, the Debian Project Leader, simply "hasn't been prominent on Debian's radar screen." He suggests that such language is probably unnecessary for non-commercial distributions, because they don't provide commercial service contracts. He adds, "Debian couldn't substantively back up an indemnification offer anyway."

Yet, slowly, some commercial distributions are taking a different route. In the last few years, indemnification has become an increasingly important issue in FOSS communities, largely because of the SCO-IBM case. Claiming ownership of Unix, SCO alleges that IBM has allowed copyrighted code to pass from System V Unix to GNU/Linux. Although no evidence has been released and the trial is not scheduled until February 26, 2007, the issues in the case have made both commercial and community FOSS participants reevaluate their practices. Hewlett-Packard, for example, has provided user indemnification specifically against SCO claims, but only on Hewlett-Packard hardware, and only if the source code remains unmodified. Similarly, Linux kernel developers have re-assessed the process for submitting patches. They now require contributors to sign a statement certifying that their submissions are original, and patches are signed off at each step of the acceptance process. Against this background, the inclusion of language about indemnification in EULAs was only a matter of time.

EULAs without indemnification language

Not all commercial distributions are including language about indemnification in their EULAs. The EULA for Xandros, the Debian-based distribution which is the direct successor to Corel Linux, has no specific language about indemnification or third party patents beyond the generic statement that "Xandros is also not responsible for claims by a third party." Nor, according to Steve Harris, Xandros's vice president of communications, has the issue ever been raised, either within Xandros or by its customers.

Linspire's EULA is equally general. However, Linspire is bundled with several pieces of proprietary software, and some of the third-party EULAs may contain language about indemnification and patents. The licence for Apple QuickTime, for example, "Disclaims all warranties and conditions with respect to the Apple software, either express, implied or statutory, including ... non-infringement of third party rights." The effect of such third-party licences is uncertain, although the Linspire licence does state that they "may expand or limit your rights to use certain software programs."

SUSE's EULA also lacks specific language, but for a different reason: Novell, the owner of SUSE Linux, has spelled out its patent policy in a separate document. As of January 14, 2004, Novell provides indemnification for all registered users of SUSE products with upgrade protection and service contracts. Including unlimited legal defense costs, whether from SCO or anyone else, and limited payment of damages, Novell's indemnification is identified by Daniel Egger, chief executive officer of Open Source Risk Management (OSRM), as "the most comprehensive coverage" offered by the commercial distributions mentioned in this article.

"Our EULAs don't bring up the topic of indemnity," says Bruce Lowry, directory of global public relations at Novell, "since we only offer it for our enterprise commercial customers who have a certain buying commitment to us." He adds that indemnified customers are further protected by Novell's "mutually assured destruction" policy against companies trying to enforce patents against SUSE -- a reference to the most common justification for the arms race between the United States and the Soviet Union during the Cold War. In other words, if a company tries to enforce patents against SUSE, Novell will use its own patent portfolio to make its own patent claims against that company's products.

EULAs with indemnification language

Other companies have added language about patents and indemnification directly to their EULAs. For example, in the EULA for Mandriva Linux 2006 (which apparently is not published on the Internet), Mandriva has taken concrete steps to avoid being entangled in any patent claims. The EULA disavows any liability for damages due to "financial loss, legal fees, and penalties resulting from a court judgment." This limitation applies "even if Mandriva S.A. has been advised of the possibility or the occurrence of such damage." It also applies to any packages in Mandriva Linux 2006 that might violate some country's laws about using or importing cryptography software.

Instead, liability is placed directly on the user with the following instruction:

WARNING: Free Software may not necessarily be patent-free, and some Free Software included may be covered by patents in your country. For example, the MP3 decoders included may require a licence for further usage (see www.mp3licensing.com for more details). If you are unsure if a patent may be applicable to you, check your local laws.

Gaƫl Duval, the co-founder of Mandriva, and Kadjo N'Doua, Mandriva's communications manager, point out that the current EULA was an attempt "to take all possible legislations into account. Assuming it is not possible, we had to write something as general as possible, in order to be compliant with as many local legislations as possible." The EULA was written with French, and -- to a lesser extent -- American law in mind, and may need to be revised, if the position of the European Commission on software patents changes.

Red Hat's EULAs take a different approach. Like Novell/SUSE, Red Hat has a separate indemnification policy. In Red Hat's case, this policy is called the Open Source Assurance program. The announcement of this program mentions the creation of the Open Source Now Fund to help registered and open source users defend against patent claims as well as a guarantee that software alternatives will be offered if necessary.

Details about how to apply to the Open Source Now Fund do not appear on the Internet, and Red Hat did not reply to requests to discuss such issues. However, judging from the fact that Red Hat EULAs do not mention any financial liability, the Open Source Assurance program apparently is a service rather than part of Red Hat's standard agreement with customers.

Instead, the EULAs focus on software guarantees. Section 6.1 states:

During the term or any renewal of this Agreement, if (a) any portion of the Software is found to infringe any third party intellectual property rights, and (b) Customer has registered the Software with Red Hat, then with respect to each Installed System for which Customer has paid, Red Hat will, at its expense and option: (i) obtain the right for Customer to continue to use the Software consistent with this Agreement; (ii) modify the Software so that it is non-infringing; or (iii) replace the infringing component with a non-infringing component.

Section 6.2 continues with standard language with the statement that Red Hat software is "Licensed 'As Is' without warranty of any kind." The same section also states that "In no event will Red Hat be liable to customer or any third party for any incidental or consequential damages." In other words, by clicking on the agreement, a customer agrees that Red Hat is not responsible if he faces any third party patent claims as a result of using Red Hat software. Red Hat may assist through the Open Source Now Fund, but it is not obligated to do so.

Remaining issues

In proprietary software, the restrictions on warranty and liability included in these EULAs would be unacceptable. However, given that distributions are collections of software, most of which are not written by the distributing company itself, the restrictions are logical. When writing EULAs, commercial distributions always have a difficult time balancing protection of their own trademarks, packaging, and proprietary software, if any, against the FOSS licences of the software they are bundling.

As OSRM's Egger points out, one of the major problems is the need to remain consistent with the GPL, the licence used by much of the software bundled in any GNU/Linux distribution. In particular, section 7 of the GPL states that having a patent claim upheld does not invalidate the licence. Rather,

If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent licence would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

Because of this section, language to restrict liability in EULAs may not be enough to allow a commercial distribution to go about its business if a patent were upheld. Possibly, too, Red Hat's commitment to providing alternative software might be seen as a restriction that technically violates the GPL, although the idea that someone might prosecute the company for it seems unlikely, except as a nuisance suit.

Another question is whether the new language appearing in EULAs gives either companies or their customers any more protection than the GPL. Ira Heffan, an intellectual property lawyer with Goodwin Procter in Boston whose specialties include FOSS licensing, suggests that it does not. At any rate, Heffan adds, the language is likely to affect individual users more than corporate ones. "Vendors," he says, "are always willing to negotiate these sorts of terms for large enough customers. An individual is not going to have the chance to negotiate these terms." Possibly, individuals may be better off with the loose licences of non-commercial FOSS projects, rather than restricting their rights by clicking past one of these commercial EULAs.

To date, no patent claim has ever been upheld against FOSS, and no individual or corporation has needed indemnification yet. This situation, while fortunate, makes guarding against the possibility difficult for both companies and users. Whether indemnification policies or EULA language is necessary, or which protection customers should look for, remains uncertain. In fact, when the variety of approaches to indemnification is compared to the standard language found in most EULAs, only one point is clear: Commercial distributions as a whole are still struggling to find the best approach to the issue.

Bruce Byfield is a computer journalist and course instructor who specializes in free and open source software.

Category:

  • Legal
Click Here!