A lot of noise is made about open source software (OSS) and intellectual property (IP) and the risk inherent in large enterprises using OSS. The high tech headlines are full of news of the SCO Group suit against IBM¹, large vendors like Microsoft offering unlimited indemnifications against IP suits while claiming people will likely be sued over OSS², and the like.

Intellectual property is distinct from the asset it protects, so lets establish a few definitions. Intellectual property (IP) refers to a set of legal tools that one uses to protect an asset. IP law typically covers the ground of trade secret (how you legally protect an idea as a secret), patent (how you publish an idea in a legally protected way so others cannot build it), copyright (how you control the use of the “written” representation), and trademark (protecting the way you identify the asset). Companies develop assets that are packaged into products for sale to customers. These assets may be real works of invention and innovation, or merely represent some subjectively “better” level of business execution, packaging, and service to the customer. Not every idea, process, and asset a company owns or develops is necessarily “property” in a legal sense.

Some vendors are very advanced in their IP strategy. It is not simply the case where “more patents faster” is a rule. Patents can be a little pricey when you add up patent attorney fees and the defense of the patent over its life. So one might want to choose how one is going to apply patent protection to exactly which assets that make up a product for sale. Indeed one might choose to aggressively publish some ideas to ensure no one else patents in that space. In the end, it is a business decision not a technical issue. The top ten list of patent award winners was published for 2004 from the U.S. Patent and Trademark Office (USPTO)³. IBM tops the list again with more than 3000 patents. If you guesstimate US$15,000 per patent for the application and legal fees, this means they spent more than US$45,000,000 just obtaining the patents. This is the same company that also recently “released” 500 patents for open source use⁴. It's a business decision.

The lag between application and issue of the patent in the U.S. is now on the order of 18 months to two years. This means it is quite possible to ship a product and not know for quite some time whether or not you are infringing the claims of someone else's patents. If you're small, no one will probably pay attention even if you are infringing. But if you're successful with your product, you become visible and a potential target. The patent holder may want their fair cut of the proceeds, or if the patent holder is a competitor, they may want to simply prevent you from “making” and “distributing” your wares. Software products certainly fall into this window of risk with the speed that concept to shipping product happens in the computing industry.

The interesting idea that may force patent reform isn't the fact that the software industry with its time to market is in jeopardy, but that other industries start to feel this pain. As the design-to-manufacturing time for large items like automobiles shrinks within the window of lag time for patents, other very large ticket items are going to begin to ship and have to deal with the post distribution infringement problem.

Every day developers may be infringing the claims of other people's patents. This has nothing to do with open source development methods or licensing. No developer can actually be aware of it. Developers read the news and trade journals, and then go to work. There are seldom warnings in articles about pending patents. Debate rages on whether or not developers should ever attempt to understand the patent infringement risk for the code they write. With patents written in legal language and targeted as broadly as possible (semantic shotguns instead of rifles) it would be almost impossible for a developer to track the patents relevant to their work. And of course the lag problem still exists, meaning even if the developer had the time and training to review patents in their area of expertise, they cannot know whether or not their work infringes someone's patent claims in any meaningful time frame. And if it looks like a developer may have attempted to study the problem, and perhaps misread or misinterpreted a patent's claims, then they may be construed as having “willfully” infringed a patent's claims by the court and that brings additional financial damages.

So when Linus Torvalds suggests that developers ignore patents⁵, he is not some OSS mongering communist that believes intellectual property has no value, but rather he's simply working with the reality the system presents to him. Large software development companies shipping proprietary closed source products also tell their developers to not investigate the patent space for the same reasons. It would be interesting for the large vendors to come forward to discuss their practices for developers around patent investigation, rather than slinging useless rhetoric.

A number of vendors want customers to believe “intellectual property” is important, especially things like patents. While most people have a schoolyard understanding that plagiarism is “bad” which covers copyright issues, patents are a different kettle of fish entirely which brings us to the title of the essay. The question in the title is not a rhetorical one. It is meant as a real question to the chief executives of the major vendors to help customers best assess their business risk and to best understand exactly what sort of relationship they have with their suppliers.

Legal IP tools are important for vendors and certainly relevant in vendor-to-vendor discussions. The idea that customers care about patents, however, would seem counter-intuitive. Consider the following: when you last bought an automobile, did you pick the “Honda” over the “Toyota” because the Honda had more patents in it, or more patents per ton of vehicle, or maybe because Honda's intellectual property practices were “better” some how? Of course not. You bought the product that met your needs. It may well have even been the more innovative product by your own subjective measure, but whether or not the manufacturer chose any number of legal tools to protect the innovation wasn't part of your buying consideration. How the vendor's business process works is of no interest to the customer beyond the actual customer-vendor interface so to speak. Whether the vendor has a mature IP strategy, applying for patents, trademarks, and copyrights appropriately, choosing to keep some ideas trade secret protected, sharing selected IP with partners or competitors through patent pools and cross licenses, or aggressively publishing some ideas in the face of their competition is of little interest to the customer. The customer only cares that the product serves their needs and provides the value they paid for it.

Next scenario: you are happily driving your Honda when you receive a letter from Toyota one day telling you that you're infringing their patents⁶. They give you the choice to (a.) cease driving your Honda, or (b.) pay them a license to their patents. You can essentially “pay twice” for the privilege of driving your car, and for some small sum you can feel free of any concerns that you are infringing Toyota's patent claims ever again. On this vehicle. Or for your household. Or maybe it will be offered to you the customer as an annual license calculated by the number of drivers in the house and the number of Honda vehicles you own, pro-rated over certain uses, unless the patent applies to certain other manufacturers as well. What do you do? Do you even waste time calling your lawyer to figure this one out? Or do you call the Honda dealership and tell them quite simply to “fix this.” Of course this assumes you don't also receive letters from General Motors for their patents (frustrated that North Americans are buying foreign vehicles), Daimler-Chrysler, and Hyundai, so you have the opportunity to “license” your Honda vehicle from many companies and pay for it numerous times.

The reality, however, is that Toyota is not going to threaten to sue Honda's customers. They would like the opportunity to switch those Honda customers to Toyota's products, not upset them to the point that no Toyota dealership ever gets a chance at that Honda customer again.

Toyota would have the infringement discussion with Honda directly if it existed, indeed, it is their responsibility as the patent holder to defend it appropriately. Vendors sue vendors over intellectual property claims. Customers have even been known to sue their vendors in specific situations when the vendor fails to deliver on the promise in a contract. Oddly enough vendors never sue customers in any sort of broadly applicable way. There is a really simple rationale behind this. Once a vendor sues a customer, they have essentially told that customer they never want that customer's business again. That might even be appropriate in a narrow situation where there exists some sort of explicit dispute between exactly the two parties. If however the dispute is over something like “patent infringement” that can easily be applied broadly to many customers, then all the vendor's other customers are put on notice that this vendor does not care about the relationship and continued business. New potential customers can see that this is a vendor that may attach law suits to the relationship, and will quickly factor that into the risk analysis on the potential purchase. The vendor's top salespeople will discover their phone calls stop getting returned.

Intellectual property is important – but between vendors. Cross licenses, patent pools, and simple licenses exist and are business as usual. “Litigation is just another means of discussion.”⁷

This of course leads to the discussion of enterprise indemnifications and insurance. Open Source Risk Management, Inc. has a detailed white paper covering ideas on risk mitigation and insurance, but more focused on developers that modify the source and vendors, rather than enterprises that simply use products based on the OSS projects.⁸ The major vendors are coming forward with various sorts of indemnifications.

The idea that as an enterprise (not a vendor or developer) one might want to buy insurance against such risk is interesting. One insures ones assets, not one's liabilities. I insure my life and health as it relates to earning power for the household. As my salary goes up over time, I might increase that insurance. Likewise I insure my car, but as the value of the car depreciates over time, I remove insurance from the vehicle as it relates to replacement of the devalued “old clunker.” I don't insure my children.

So what is the real risk of a vendor suing an enterprise customer? How should one consider the risk of such a suit against the depreciating capital cost of the computer systems investment made several years ago? Does the vendor rhetoric around indemnification help or hinder the discussion? This is one of those situations where Robert Lefkowitz may be right in his statement that it's the accountants we need to fear in the OSS community, and not the lawyers.⁹

In the Fall 2004, Microsoft made a very public promise of indemnification to Microsoft customers for patent infringement cases against their products¹⁰. This follows in the wake of the Fall 2003 Novell¹¹ and HP¹² indemnifications against various IP infringement suits against Linux if you purchase the systems from them. The Novell and HP statements were in reaction to the SCO Group suit against IBM. When you think about it, the Microsoft promise of indemnification to customers is a legal statement of business reality. Would any vendor in the situation where a customer is sued by another company for infringement for using the vendor's products not name themselves to the suit as a co-defendant? Would the product vendor trust that a customer (and likely an angry one at that) was the first line of defense against building precedent in a court for the infringement? While in some cases a customer may even have more money than the vendor as a legal target, one can bet that the mainstream vendors (HP, Novell, Microsoft, etc.) will be more than interested in running their own defense case. They might be subtle enough to approach the customer on the receiving end of the suit to request the customer goes it alone for other considerations, but even then, their image as customer defender is probably more valuable. They would likely do whatever it took to be named co-defendant in a real hurry. They want to be primary defense for their own patents. The press value is high to be seen as the defender of customers. They value that particular relationship and probably want to continue to sell to that customer.

It's not that these corporate indemnification promises aren't good – but they are redundant to any vendor worth its customers. You can bet the corporate accountants and lawyers did the analysis against the value of the company to its shareholders before making “open ended” promises.

But what about SCO Group? Isn't this a case where a vendor is suing customers? I think logically they have declared themselves. Santa Cruz Operation was a company with a product it sold to customers. They are no more. Through all the business acquisitions and deals they have been acquired by the Canopy Group and renamed to the SCO Group. The SCO Group appears to be a litigious engine that is designed to sue another vendor for damages, not unlike previous legal forays of some Canopy Group companies.¹³ SCO Group appears not to be in business to sell to customers, indeed they can “sue a customer” to appear to put pressure on the primary lawsuit. The Daimler-Chrysler and Autozone suits hit the news in March 2004.¹⁴ So far the tactic has failed in relation to the primary suit. This is not a business with customers, but a legal play to siphon money out of the system.

So as OSS continues to deploy and grow in enterprises, those companies will need to consider the source of the technology they use, and their vendor relationships, which is no different than any other technology shift in the past decades. As for OSS developers and vendors themselves, David McGowan may have said it best:

“If the F/OSS community wants to be in commercial space, community members will have to learn to deal calmly with IP litigation. The F/OSS production model will work where it makes sense, and it will not work where it doesn’t. It’s really just that simple. Particular claims in individual suits—even one against a flagship program such as the GNU/Linux OS—will not determine the fate of the community. Such cases present factual issues that will get resolved one way or another; they do not represent a crisis for F/OSS production as a whole. Norm entrepreneurial rhetoric that plays off such cases should be treated as entertainment. Enjoy it if you like it, take inspiration from it if you must, but don’t confuse it with the way things actually get done.”¹⁵

Notes

6 My apologies to Toyota. Someone needed to be the “bad guy” in the example. Our household has been and remains happy Toyota and Honda customers. The example also holds true regardless of whether one is a simple household or a company with a fleet of vehicles.

7 McGowan, David, “SCO What? Rhetoric, Law, and the Future of F/OSS Production”, Version 1.2: 6/12/04, p.3, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=555851, 20 January, 2005. A thoroughly enjoyable paper on the subject of rhetoric as a tool for norm entrepreneurs.

9 Lefkowitz, Robert, “The Semasiology of Open Source”, O'Reilly Open Source Conference, Portland, OR, 28 July, 2004.

14 http://news.com.com/SCO+suits+target+two+big+Linux+users/2100-1014_3-5168921.html

15McGowan, David, “SCO What? Rhetoric, Law, and the Future of F/OSS Production”, Version 1.2: 6/12/04, p.26, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=555851, 20 January, 2005.

When are you going to sue your customers?

Notes