May 17, 2004

Lawyers advise companies to wait for SCO outcome, warn of open source risk

Author: Jay Lyman

They have no doubt that in the end, Linux will live on and the intellectual property issues around it will be resolved when the SCO Group lawsuits have finally settled. But corporate IP attorneys are reluctant to tell anyone not to worry about the Utah company's infringement claims and the highlighted risks of using open source.

Two attorneys with Boston-based Wolf, Greenfield and Sacks wrote in the New England In-House Magazine for lawyers this week that while "no corporate counsel wants to be known as the handwringer who paid for licenses that are later proved to have been unnecessary," there is significant risk of "cost and disruption of defending a suit with such complex issues" for those who start or continue using Linux.

New England In-House Magazine is a quarterly publication affiliated with Lawyers Weekly.

Attorneys Ed Walsh and Steven Henry also write that because Linux is "one of the best-managed open source products, other open source products likely present a greater risk of legal or technical problems.

"And more of them are probably coming into your company than you realize," the lawyers wrote.

Walsh and Henry, like other legal minds who have followed the SCO case, offered little concrete advice for those contemplating or already using Linux, except for the counsel to keep doing what they're doing and keep watching the cases.

Walsh told NewsForge that after a lot of attention from the legal community following SCO's sending out letters last summer, the time has now come to take a hard look at the IP strings attached to Linux and open source.

"My sense is now is the time to move away from 'This is terrible!' and look at what does this mean and what can we learn from this," Walsh said. "Linux will be taken care of. That issue will resolve itself. The higher level thought is, open source presents kind of a unique risk that people haven't had to deal with before."

Why Linux is special

Walsh argues that because of its following, Linux differs from other open source projects and products. Evidence of that following is readily available in the broad, well-researched, well-funded and effective defense of Linux that has countered SCO's claims.

"Not all open source products have the huge following Linux has," Walsh said. "They don't have Linus Torvalds and his group to act as the gatekeeper. The big, major system types of things have a lot of people involved and that's where the model works. There are probably many examples of when you don't have that community doing that."

Walsh contended that routine and compressed code such as an FFT algorithm, which does not have the same support as the Linux kernel, is what he would be most worried about.

"You don't know the pedigree of the software, whether it's been vetted by the right people and kicked around enough to give you confidence that any problems have been dealt with," Walsh said.

Henry said since Linux has attracted a large developer base and a large, knowledgeable user base, any problems are quickly addressed once identified.

This is the basis for attorneys' belief that even with SCO courtroom success, any actual infringement findings will be quickly fixed and Linux will be fine. Henry, however, added that the broad following and use of Linux also makes it attractive to attackers.

"There have been assaults on Linux that a more niche open source development project might not attract," he wrote in an e-mail to NewsForge. "I am not aware of hacking attempts against other open source projects. However, there might be greater technical risk with other open source projects because they just don't have the carefully managed vetting process of a Linux."

In somewhat of a contradiction from the article for the lawyer publication, Henry went on to say that Linux may actually present more legal risk than other open source projects where the origin of the code is not a matter of contention.

"In terms of legal risk, we know that Linux was not written on a blank page," Henry said. "Thus, there are all the problems SCO has brought to light and maybe a lot more. Some other open source projects have a clearer history and authorship is less uncertain, so the copyright problems may be fewer."

Keep doing what you're doing

The attorneys echoed previous calls to inaction in their article, advising those contemplating a Linux or open source project or migration to hold off just a few more months.

"Corporate counsel have relatively few options," they wrote. "For those who have not yet adopted Linux, doing nothing may well be the best choice in the short term. The facts underlying the dispute are too much of a jumbled mess to make sorting them out on your own a viable option."

Walsh said if a company is feeling anxious or getting pressure to move to Linux or open source -- a likely possibility given the potential cost savings and productivity gains -- it should nevertheless continue to hold off.

"What's another five or six months?" he said.

It may be an eternity for many companies in a variety of industries, which must wait until a 2005 court date before the main SCO-IBM courtroom showdown even begins. Nevertheless, Walsh extended the sit-and-wait advice to those already using Linux as well.

"If you've already adopted it and already have liability if it goes bad for the open source community, do you alter your position by dropping Linux now? I don't think so," Walsh said. "It doesn't make sense either way to make any radical departure from what you're doing now."

Henry, who addressed the Licensing Executives Society in New York about open source IP on Friday, said to mitigate their risks, Linux and open source users need to exercise extreme care, including control over the open source products employees are allowed to use and a vetting of those products from a technical perspective as well as clearance of the associated licenses.

Henry added that indemnifications from open source vendors are uncommon and when present are typically limited, "leaving a lot of exposure to the adopter."

Same software process

Walsh also referred to licensing provisions that go along with open source products and said they can be both confusing and constricting.

"Not all open source licenses are the same," he said. "There's a lot of different rules out there, some of which are restrictive, particularly for a commercial entity."

Henry -- who acknowledged that his law firm had been in discussions about a relationship with Black Duck, a code risk management company started by former Microsoft exec and software industry consultant Doug Levin -- agreed on the need for proper license evaluation.

"Software development companies need to be particularly vigilant that they understand the licenses for the open source code they adopt, and that they are willing to live with the consequences of those licenses, including in some cases accepting an obligation to distribute their own product open source and for free, disclosing to the world material that otherwise could be a valuable trade secret," Henry said.

Those using open source software, particularly those benefiting from it, are unlikely to harbor those kinds of concerns, counselor. However, the corporate attorneys are likely having a much stronger say in the software and services companies use and license in light of the SCO saga.

Walsh, who called the emergence of risk management solutions such as Black Duck or Open Source Risk Management "a wake up call to the fact that it's not just Linux and some (open source) is fine and some of it can hurt you," advised the same evaluation for open source as for other software use.

"Open source should undergo the normal evaluation of software in terms of what you can or can't do and is the vendor qualified and competent?" Walsh said. "Even if you're not paying out money, you should follow the same process."

Learning from the angst

Walsh and Henry, who said "the confusing situation should be sorted out in the next 18 months," urged corporate attorneys to take advantage of the educational opportunity in the SCO case.

"If the only impact on you of SCO's campaign is that it prompts you to educate your workforce and enforce good-practice policies with respect to open source software and IP rights or others, in general, the angst may all be worth it," they wrote.

Henry said it may still be too soon to tell what lessons will be learned, but he pointed out the matter may have already indicated a need for better open source administration.

"We can already see how difficult it is to track the authorship and, hence, the copyright interests in a complete code base that has had numerous contributors," Henry said. "So, one lesson for the management of an open source project may be that better administration of contributions can go a long way toward being able to establish copyright defenses such as independent creation."

Henry said the SCO suits will also teach us something about:

  • how the courts will administer complex license agreements covering software copyrights;
  • how they will deal with the functional aspects of code, which are not protectable by copyright;
  • and how they approach the expressive aspects of an author's contribution, which can be copyright protected.

"The case may tell us something about what sort of restrictions will be enforceable in copyright and trade secret licenses," Henry added. "It would not be surprising to me to see enterprises re-evaluating the cost-benefit balance for Linux, and I can foresee the potential for the business community to demand more indemnification."

