June 4, 2004

Linux customer indemnification: Vendors take diverse approaches

Author: Mary E. Tyler

Since the SCO Group began threatening to sue organizations that run
Linux, some commercial Linux vendors have stepped forward to assure
customers that they would protect their interests should the court
find in SCO's favor. While it's still an open question whether anyone
will ever need such indemnification, major vendors Novell,
Hewlett-Packard, and Red Hat have programs in place to protect their

According to Yankee Group analyst Laura DiDio, there are
plenty of industries interested in open source solutions that are
required by law or best practices to be indemnified -- medical, legal,
government. If Linux is to move forward as a commercial
solution, to make real inroads into the Windows base, it has to offer
customers the same protections.

Most commercial software vendors provide indemnification for
copyright infringement claims in one of two ways. The software
developer may take over
liability, litigate the case, and pay damages if it loses; or the
developer may help the company litigate the case, offering resources
and in some cases funds.

Before the commercialization of open source solutions and the
SCO suit, indemnification wasn't an issue. Today, open source software is sometimes indemnified and sometimes not, based on the nature of its development and ownership or lack of the same.

According to a Letter to SCO on Groklaw, a
site that covers SCO's legal actions, Linux doesn't need to be
indemnified like commercial software. "I don't think anyone needs
indemnification, if the possible risk of being sued is acceptable to
them. I still believe the GPL is your protection and the open
methodology of the Linux kernel," says Pamela Jones of Groklaw.

However, the reality is that that risk
is unacceptable to most businesses large enough to be targets of a
copyright infringement lawsuit. Even Jones admits, "[S]ome
companies, particularly large ones, are accustomed to
indemnification. If they want it, they should be able to get it,
because being distracted by a lawsuit is not a small thing. If it's
important to them to avoid the hassle of lawsuits, then
indemnification is the answer."

According to Brian Ferguson, an attorney and partner in
intellectual property law at the Washington, D.C., office of McDermott Will & Emery, large companies
are the primary targets for infringement suits. There are several
reasons for this. Large companies are bigger targets. They have more
seats, more machines, and are more likely to infringe egregiously.
They are more likely to have the expertise on staff to know that they
are infringing -- acting willfully. "Proving willful infringement is a
sure trip to higher statutory damages," says Ferguson. "Statutory
damages are capped at $150,000 (per act of infringement); they can be
much lower. It depends." With thousands of seats, the fallout from a
copyright suit is potentially huge. Because of this, large companies
demand indemnity.

A copyright infringement lawsuit is no joke,
especially for a smaller company. Intellectual property law is
specialized, confusing, and very, very expensive to litigate. The
average small-town lawyer lacks the expertise to fight
a copyright infringement claim. The price tag starts at two to three
times the $200 per hour the local attorney charges. It's a hollow
victory to successfully defend an infringement case and go out of
business paying the legal fees. That's why it's crucial to know where
the buck comes to rest.

Major vendors leap into the fray

With most commercial software, the buck stops with the company
that develops the product. Because Linux is not developed by one
monolithic company, large Linux distributors have stepped into the
vacuum. HP and Novell offer
indemnification for their Linux products, and each company has its own
set of restrictions. Red Hat's solution isn't traditional indemnity,
but rather a warranty. IBM, locked in a battle of briefs with SCO,
has remained both exceptionally quiet (they wouldn't return calls
from NewsForge) and exceptionally defiant. As far as IBM is
concerned, indemnification of Linux is completely unnecessary.

Launched in January 2004 as Novell completed its acquisition of
SUSE, Novell's indemnification
is aimed solely at its enterprise
customers. "The criteria are set such that it will only apply to
large customers," explains Novell Director of Public Relations Bruce
Lowry. "An enterprise with upgrade protection and a support contract
can ask for and get indemnification." Novell does not indemnify
individual users or small business customers. Novell places a cap
on damages of $1.5M or 125% of the value of the customer's total
Linux purchases. According to Lowry, this is only a cap on damages
that Novell will pay, not a cap on legal fees. Novell's
practice is to take over litigation of customers' copyright suits,
but it has not yet had to do so for Linux.

There is much confusion over Novell's prohibition on modifying
Linux. Contrary to popular belief, it does not prevent users from
installing and using programs on top of Linux. "It's an operating
system, so there are things that run on top of it," says Lowry. "Of
course users can install third-party products on top of SUSE." There is
still the question of modifying the source. After consultation with
Novell's legal department, Lowry states, "under our indemnification
program, a modification only voids the indemnification if it's the
modification itself that caused the infringement. So it's not the
case that any modification to the code voids the indemnification."

HP's indemnification, first out of the gate, is fairly straightforward. It
requires that customers obtain Linux from HP, run it on HP hardware, and
have a Linux software support agreement with HP. It provides
indemnification and legal defense only for claims by SCO, according
to Jeffrey Wade, HP's manager for worldwide
Linux marketing/communications. HP does not have a cap on fees or
judgment payouts. The HP plan appears to require that customers use
unmodified binaries in order to qualify, but when pressed, Wade
admits, "HP will not cover modifications, but will cover the balance
of the unmodified code."

Red Hat has taken a completely different tack, a two-pronged
approach. First, Red Hat started the Open Source Now Fund,
a legal defense fund for open source developers. According to Red Hat
spokesperson Leigh Day, this fund will cover (or assist in covering)
the costs of defending a copyright infringement claim for qualifying
open source developers.

Second, Red Hat provides what it calls Open Source
to its Enterprise subscribers (again, individual
desktop users are out of luck). This isn't indemnification in the classic
sense. "It's a warranty," says Day. "If there is code found to be
infringing on the valid intellectual property rights of another, Red
Hat will replace that code." According to Day, this is significant
because Red Hat is fixing the problem, enabling uninterrupted use of
its Linux. However, Red Hat will not pay the cost
of defending an infringement suit, nor does it take into account
paying any damages for previous infringement. "But," Day adds, "Red
Hat is very confident that we are not
infringing on the intellectual property rights of others." With
estimates as high as 46% of the Linux market, perhaps Red Hat can
afford to be confident. Or perhaps it's the other way -- with that
much exposure, Red Hat can't afford to be too confident.

The future is not really clear. If
the SCO lawsuit succeeds, there could be trouble. Even if it doesn't, there is always a possibility that some other
copyright holder somewhere might choose to sue. Even if that ends up
being so unlikely as to be zero risk, there is still the issue of
companies demanding indemnification because they are used to being
indemnified or required by law to use indemnified software.

Indemnification is part of the reality of the software business even though it's never been part of the open source ethos. As open source matures
in the commercial market, dealing with the issue of indemnification will be one of open source's growing pains.
