Insurance for Linux users: why is it needed?

When a start-up firm called OSRM (Open Source Risk Management) announced two months ago that it planned to offer standard product liability insurance to Linux users and developers, many in the Linux community wondered why. For some, such coverage appeared to be an unwarranted admission that there was something wrong with Linux. Sure, vendor specific indemnification of users was appearing, but IBM itself, the first target for SCO’s absurd legal claims, denied the need. As recently as the last LinuxWorld Conference and Expo, IBM’s Jim Stallings, general manager for Linux at Big Blue, was quoted as saying, “The claims that have been alleged [by SCO] against IBM [have] no basis, so indemnification is not needed.” NewsForge recently interviewed OSRM’s founder and CEO, Daniel Egger, to gain his perspective on the issue.

Egger is not new to software nor to the law. He’s not only a graduate of Yale Law School, but has founded a successful commercial software startup as well. Strictly speaking, you might say Egger is an “outsider” from the point of view of the Linux/free software community. But if you do, you have to admit that he is a very well-informed and well-connected “outsider.” In February, Linux legal luminary Pamela Jones of Groklaw fame joined the firm to do — what else — legal research. Bruce Perens has recently accepted a position on OSRM’s board of directors.

A lightly edited transcript of the interview with Daniel Egger follows. Nothing of substance was changed or removed.

Barr: Where did the idea for the organization (OSRM) come from?

Egger: Like a lot of people, I had not thought about the risks of using Linux until the SCO suits happened. Because I was a lawyer and a litigator, I thought it would be interesting to look at their legal papers. I got ahold of them and I was struck by how weak their argument was right away. But I was also struck by the huge amount of fear and concern and uncertainty that their claim had caused.

It occurred to me that what we are dealing with here is a a kind of structural vulnerability in the legal system, where you can sue end users for copyright or patent infringement who have been acting completely in good faith, and have no reason to know that anyone might think they are infringing anything. Then they are faced with the cost of defending themselves, even if the suit had no merit. And that seemed to me the kind of problem that in other areas gets resolved by insurance.

So I started looking to see if there were insurance companies that were willing to cover this kind of risk, and what I found was there was no one currently willing to underwrite this risk. It seemed to me that there was a huge market there to give people confidence that if they got sued by a frivolous lawsuit, or potentially by a lawsuit that had some merit, that they’d have lawyers behind them, and they would have the resources of an insurance company. That seems to me to be a natural fit with the general commercial acceptance of Linux.

I started asking people in the community whether they would be comfortable with a program of indemnification around Linux and other open source code. I talked to Richard Stallman, and I talked with Eben Moglen. I talked with Dan Ravicher, Bruce Perens, Eric Raymond, and of course, Pamela Jones, whom I have gotten to be quite good friends with now, and asked everyone’s advice. What I got back was that we might get some concerns, that you know, “Why do we need insurance if we’ve done nothing wrong?”

But that once people understood that insurance is just as much to discourage frivolous lawsuits as to pay off meritorious, then they would understand that this was in the long-term interest of free software. And that’s pretty much how it’s played out.

Barr: What is the goal? Is it to make money selling insurance?

Egger: We do not sell insurance. We act as kind of an intermediary. We provide the information about the risks that make the risks insurable. So we’re providing services to the insurance companies on the one hand and to companies that want to minimize their risks on the other hand.

What we offer, what OSRM in the U.S. offers, is indemnification on our certification. So if we find, for example, that there is no copyright infringement that we can find in the kernel, that means that we believe the risk is low enough that it is insurable. And then we can find insurance companies that will get behind that risk.

Barr: So if I own a used car lot here in Austin, and maybe a couple of others around the state, and I’ve installed Linux for lots of good reasons at each location, but I’m worried about SCO, what is it that I ask you to do?

Egger: Let’s back up for a second, because if you are a small company, with a few servers, you really don’t need what we’re offering. No one is going to come after small users because they don’t have deep pockets. Where this becomes important and necessary is for medium-sized and large corporations that have deep pockets already and make a tempting target for a plaintiff’s lawyers. You don’t really have anything to fear if you are not worth suing.

Barr: OK, let me rephrase that. I am McDonald’s, and I have started replacing all my SCO cash registers with Linux-based boxes.

Egger: Yes, good for you. What took you so long?

Barr: And then I come to you…

Egger: What you would do is come to us and say, “Can you provide some way for us to get legal protection around copyright infringement claims against our use of linux?” That’s one of the things you might ask. And the answer there is there are some incremental steps that we can provide now, but there are more coming down the pike.

Because we are a startup we are just doing it one step at a time. The initial thing that we can do, because we have certified that there is no copyright infringement in the Linux kernel, we can go out and get insurance to back up our guarantee to you, so that if you were sued as an end user based on some infringement in the Linux kernel, we would defend you and we would cover that risk.

Barr: It seems something of a paradox, that by establishing that you don’t really have a legal risk, you create a market to insure against a legal risk.

Egger: The reality is that underwriters — that is, big insurance companies — don’t want to take on a lot of risk. They like to insure things that are not very risky. Giving them confidence that the risks are quite manageable is a very important part of what we do as a provider of risk analysis and information.

So you might say, “Gee, if the risk was low, why would I buy insurance?” The answer is that you buy insurance in many situations in life, not because the risk of doing something wrong is high, but the risk of people coming after you with frivolous claims is quite high. So if you have insurance in place and you get a demand letter from someone, say, then you’re not in the position of you either pay $50,000 for them to go away or you risk having to spend millions of dollars to defend yourself, you have an entity that stands behind you that provides an effective defense, and so you don’t have to worry about harassment and frivolous suits.

Barr: Are you successful? Are you matching those who need the insurance with insurers?

Egger: Yes, we are very successful in the initial stages. The biggest challenge that we face is not demand — there are plenty of companies that want coverage — it’s finding enough reinsurance capacity. So that’s the thing that I’m really focused on now.

Barr: Do you foresee the end for the need for the organization when SCO has gone away?

Egger: No, I think a very important point is that it’s not about SCO. SCO caused a lot of people — including me — to realize there was a vulnerability, but the real danger is in the future, primarily from patents.

Linus Torvalds himself said at a speech at Brainshare a couple of months ago that he thought the biggest risk to Linux in the next year is software patent litigation. And I agree with that, and [so do] a bunch of other people: Jeremey Allison said the same thing in an article I read, and Bruce Perens has been saying that for months and months. That kind of risk is not even addressed in the SCO suit; they didn’t bring any patent claims. But the same problem exists, which is if you’re an end user, and you get sued for patent infringement, the fact that you relied on the software in good faith and did nothing wrong doesn’t protect you from liability for the use of the software.

You can be faced with a very expensive lawsuit. The typical patent infringement lawsuit costs about $3 million to defend, and you have to provide that money yourself if you don’t have some kind of coverage like insurance. So it’s a situation where you really need a collective response. Otherwise individual companies can get picked off one by one, and have to settle even a frivolous claim.

Barr: Is there any interest in your organization in seeing the laws that allow such occurrences to be changed?

Egger: Yes, yes, yes! That’s a great question! Yes, I personally think that there are two problems. One is that the law of software derivative works is inconsistent in different jurisdictions and ambiguous, and that helps to create an atmosphere where SCO could stir up trouble. Eventually we need a Supreme Court ruling on what is a software derivative work. It’s not so much where the line is but having a clear one will be very helpful.

And then as far as patents, software patents, I’m not at all happy with the way the patent system has been granting software patents and the way that they are used now. I think that it is a big mess. I’m not advocating that software be put under some totally separate system like Jerome Reichman and others have recommended at various times in the past. We need to fix the process by which software patents are granted, to make it much more rigorous and really do a much better job of looking for prior art. Because a large number of software patents are issued that … to someone who is a developer it’s easy to think of prior art that was already doing this at the time the patent was applied for.