INDUSTRY ANALYSIS
Ancient Lessons and Open-Source Insurance

Sometime around 5,000 years ago, Chinese merchants learned to spread their cargo over several ships so that if one were lost, they would not lose their entire shipment. It was the birth of what we now call the insurance industry.

Before too long, the concept spread. Phoenician ship owners on the hook for safe delivery agreed among themselves that if one of their members lost a ship, the others would kick in to cover the loss.

Twenty ship owners might agree that if any one ship were lost, they would each turn over 5 percent of their cargo to the losing ship owner.

On the other hand, if one ship owner had a fleet of 20 ships, he could split the risk over his own ships and not need an insurance agreement with other ship owners. This is what we now call being self-insured.

Of course, some small ship owners whose risk of loss might by limited to the day's catch didn't bother with insurance at all.

Eventually the process was outsourced. Ship owners simply paid premiums to an insurer and were paid by the insurer when a loss occurred. This saved them the trouble of having to figure out how many ship owners should join them, what losses were appropriate and so on.

Open-Source Software Insurance

Some things never change. We have a lot more software patents today than we did 5,000 years ago, but the insurance market for the use of software is based on the same categories the Phoenicians used: insured, self-insured and uninsured.

One company offering insurance specifically against patent and copyright infringement claims stemming from the use of open-source software is Open Source Risk Management (OSRM).

OSRM offers insurance covering enterprise Linux users. According to Daniel Egger's presentation at LinuxWorld last week, OSRM doesn't plan to offer its program to very large entities, which will remain self-insured, or very small entities, which will remain uninsured.

Open-source software insurance makes sense. It aggregates risk that can be spread over many participants, much like proprietary software vendors aggregate their customer's risk by agreeing to defend their customers against claims of copyright and patent infringement.

Copyright infringement can be easily avoided through independent development. If there is no copying, there is no infringement. The definition of copying is sometimes fuzzy, but code developers can consciously decide how many chances they want to take, and very conservative developers can avoid all but the spurious copyright claims.

Patent infringement is different, because independent development is not a defense. As a result, software insurance is more critical for offsetting patent risks than copyright risks.

Mitigating Risk

Insurers like to find ways to mitigate risks because that reduces claim payments. OSRM proposes several steps to help mitigate the threat of patent litigation to open-source users.

In particular, it advocates patent reform to allow easier challenges or reviews. It also suggests not issuing patents that do not represent inventive concepts.

Additionally, OSRM recommends negotiating licenses from patent holders, building up records of prior art to more easily challenge patents, and designing around the patents that block open-source software.

Interestingly, many of the risk-mitigation measures OSRM offers customers will also benefit noncustomers, whether they are self-insured, uninsured or insured by some other company.

It's like a health plan with many members living near a polluting power plant. The health insurer might find ways to pressure the plant operator to clean up its output, thus improving the local air quality and the health of local residents. Everyone in the area benefits, regardless of whether they obtained health insurance from that company.

If an open-source software insurer were to build up prior art and invalidate particular patents, those patents could not be applied against anyone. If an open-source-compatible license were negotiated, it could likewise help anyone, insured or not. Because of the nature of open-source software, if the insurer proposes a design and its customers start using it, that design would likely propagate to noninsured parties as well.

Not for Everyone

OSRM's software insurance will not come cheap. For example, according to its Web site, open-source indemnification comes at an average annual cost of 3 percent of maximum desired coverage. That is, $1 million in coverage would cost $30,000.

While I would recommend insurance to anyone who can find an affordable policy that provides the required coverage, being uninsured against patent infringement might be acceptable. Most businesses today operate without patent-infringement insurance, or have a policy loophole that allows the carrier to dispute coverage.

In many cases, patent infringement does not become a problem for very small businesses, as the royalty base would not warrant a big fight. Businesses need to be aware of the risks and change strategy when they get big enough or noticeable enough to attract greater scrutiny.

Large businesses can remain self-insured and can take advantage of their own set of risk mitigations. For example, they can apply pressure on their suppliers to extend indemnity for infringement of software provided by the suppliers. And they can negotiate better licenses with patent holders than individuals can.

Playing Defense

If large users of open-source software have large patent portfolios, some of those patents might cover popular open-source software that those companies use.

Under some proposals (and some actual implementations, such as can be found in Red Hat (NYSE: RHT) licenses), patent holders who are users and producers of open-source software grant licenses to others for the use of the software they produce, with a clause that allows them to revoke the licenses to anyone who asserts patents against them.

At the LinuxWorld conference, Perens proposed that open-source licenses should include mutual software patent defense terms so that "if one open-source developer is sued for patent infringement, all of the licenses of open-source software used by the plaintiff terminate." That might be a good strategy, but the adept plaintiff could assign the patents to an entity that does not use open-source software, so any such mutual defense terms would have no effect.

Another practical step is to convince Linux-friendly companies to act on their promises to provide indemnification and contractual waivers.

An OSRM patent survey identified a number of patents that might have claims to cover Linux. OSRM further noted that some Linux vendors, such as IBM (NYSE: IBM) (with about 60 patents on OSRM's list), would opt not to assert its patents against the Linux kernel unless it is forced to defend itself.

We can learn a lot from the Chinese and the Phoenicians. Defending yourself against threats, mitigating your risk, and cutting your losses are valuable business concepts that still apply today, no matter what kind of insurance coverage you have.