Open Source Risk Management, the first and only vendor-neutral provider of open-source risk mitigation and coordinated legal defense services, recently certified the Linux kernel as free of source code that could provide a basis for meritorious copyright infringement claims. After a six-month process of examining the individual software files in the Linux kernel and tracing their origins, OSRM found no copyright infringement in Linux kernel versions 2.4 and 2.6. As a result, OSRM offers clients legal protection against copyright litigation for those versions of the kernel.
“We decided to go straight to the heart of the matter and evaluate whether we could defend the Linux kernel,” said Daniel Egger, founder and chairman of OSRM. “We determined that we can; and we will. Our clients will receive legal protection equal to, if not beyond, what they receive with proprietary software licenses.”
Along with others in the open-source community, Egger believes lawsuits like SCO’s are legally weak. But the company argues that the business issue for Linux users is that even cases without merit cost significant time and money to defend. This is not about bad software, Egger maintains. OSRM’s legal protection is offered for a fee of about 3 percent of maximum desired coverage — a price the company argues is comparable to intellectual property defense insurance rates.
OSRM’s method for providing protection differs in important ways from that of an insurance company. OSRM proactively works with clients to assess and mitigate their risks, then helps implement a set of practices for mitigating legal risks around their use of open source. However, unlike insurance companies, which provide funds for hiring lawyers, OSRM itself hires and provides specialized lawyers for its clients. These lawyers are chosen from OSRM’s panel of intellectual property defense litigators, all of whom have experience with open-source legal issues.
To find out more about open-source insurance — one of the latest developments in the ongoing IBM-SCO saga — LinuxInsider turned to Egger for an exclusive interview.
LinuxInsider: For starters, can you tell us a little about your background and what led you to OSRM?
Daniel Egger: My background is a mix of legal, software and investment experience — a combination of experiences that both led to my initial interest in this issue and also set me up to be able to address it. I graduated from Yale Law School in 1992 and spent some time clerking in the Federal District Court, and then began working with software startups. In 1996, I joined Eno River Capital, an early-stage venture capital firm, where I am currently the Managing Partner.
When I heard about the SCO lawsuits, having both a legal and software background, I decided to check out their legal documents. As I did, it became immediately clear that their legal claims are weak, bordering on ridiculous. But what also became clear is that even a weak suit can create confusion and fear. So I started thinking about how open source could protect itself against future claims.
LI: Why is open-source insurance necessary?
Egger: Open source is facing a convergence of three issues that allow for and even foster frivolous litigation like SCO’s.
Most problematic is the U.S. legal system. OSRM was created not because there is a flaw with open source, but rather because there is a flaw in the legal system. The U.S. legal system allows lawsuits against innocent third parties — in SCO’s case, against users like DaimlerChrysler and AutoZone who had nothing to do with actually creating Linux but were being sued for merely using it. That would be akin to getting sued for the engine in your car. End users are being hit with the cost of defending themselves even though the lawsuits raised against them have no merit. Even a frivolous lawsuit costs money to defend.
Secondly, big money. Open source did nothing wrong, but what it did do was something valuable. Linux is the fastest-growing operating system in the world and has become a multibillion-dollar market. And, historically, in innovative new markets that become valuable to the overall economy, this type of litigation excitement has ensued — opportunistic plaintiffs, instead of seeking a piece of the growing pie by working directly with the innovation itself, turn to the courts to wring out money from those who are driving the innovation. This happened with the shipping industry, with trains, and many other emerging markets.
Lastly, opportunistic plaintiffs are trying to turn open source’s unique strength into its unique vulnerability — its decentralized ownership. Because there is no single entity that owns open source, there also is no one legal defender users can turn to. So plaintiffs like SCO are trying to pick off users one by one — knowing that individual users faced with an expensive lawsuit are more likely to pay a much smaller fee simply to settle the case rather than pay the estimated $3 million it costs to defend oneself against a patent lawsuit.
SCO is taking a “death by a thousand cuts” approach to stalling Linux — something that any of the 30-plus other owners of various strains of Linux could also do, or a more formidable opponent like Microsoft.
LI: So how did these reasons translate into starting up this organization?
Egger: Given this set of circumstances, I recognized that other industries address this issue through insurance. I researched whether other insurance companies were covering this risk and found none willing to do so. Then I went to the community to garner their opinions about the issues, and whether an insurance-like structure was necessary and appropriate. I talked to the recognized leaders of the community, got some great advice and discovered that they were not only comfortable with the idea, but thought it was necessary. Bruce Perens said it best. When we told him about our ideas, his response was that this is the next necessary step for open source to be ready for business.
LI: How do the logistics of the program work? That is, if a company wants to be insured, how would they go about doing it?
Egger: Before I answer that, a fairly important clarification — what we offer is indemnification and legal expertise; we’re not officially an insurance company, although what we do has similar effect. That said, OSRM has two functions — risk mitigation and best practices for using open source — and then the indemnification offering. It’s important that clients looking to purchase indemnification first diminish their risk to the lowest level possible. Similar to how auto insurance companies check your driving record, they’re looking to see if your level of risk is an insurable risk. We’ll do the same; we’ll offer consulting services and best practices to help companies do this type of risk mitigation.
After that is complete, they can purchase indemnification for around 3 to 5 percent of the maximum amount they would like covered. So, for example, if they want a $100,000 policy, it would cost $3,000. That’s a price comparable to similar intellectual property offerings and is low enough that, even with it, the total cost of ownership of using open source remains dramatically lower than proprietary offerings.
LI: Are you insuring anything beyond the kernel at this point? And what about incremental kernel updates, like 2.6.6 released recently?
Egger: We have begun by offering indemnification for copyright claims against the Linux kernel and are next working on patent certification. We plan then to move on to the other commercially pervasive technologies, such as the Apache server and MySQL database. Also, if a client is interested in customized indemnification for their specific code set, we can work on a one-on-one basis for individual companies as well.
LI: Given all the advantages of open-source software, it still invites skepticism from proponents of proprietary software in the face of corporate audits. Wouldn’t it be simpler, these proponents of proprietary software might ask, simply to use closed source?
Egger: No, it would not be. The benefits of open-source software still significantly outweigh those of proprietary software. Open source getting legal protection is not a barrier. It’s simply the natural evolution of a maturing product that has become hugely economically valuable. And, in fact, we think that it will increase the comfort level of corporate legal counsel and executives.
LI: You announced recently that Bruce Perens has joined OSRM. If I recall, he has spoken out against the necessity for this kind of insurance and indemnification. How were you able to convince him to come aboard?
Egger: I don’t recall him speaking out against this. In fact, he spoke to this issue at LinuxWorld last January; and, as I mentioned, when we introduced the idea of OSRM to him, his response was that it is the necessary next step to make open source ready for business. He was supportive from the beginning because he had already recognized that software patents are the biggest risk open source faces.
LI: What do you say to leaders in the community — like Richard Stallman and Eric S. Raymond — who might argue that this kind of insurance is counterproductive?
Egger: I spoke with both Richard and Eric as well as Eben Moglen and many others before initiating the company. I knew that a company like this could never succeed without the support of the community. So if I hadn’t gotten their support and buy-in from other key leaders, I would not have started the company.
Richard Stallman, Eric Raymond and the other community leaders we spoke with were very comfortable with the idea then and have been since we launched the company. In fact, when we told Richard and Eben Moglen about it, their response was that they anticipated the need for something like this when they first began working on FOSS.
LI: As far as we can tell, you’re the only company offering this kind of insurance, even though several companies have stepped up and offered direct indemnification to their users. Do you foresee any competition in this area?
Egger: I do not expect competition from open-source vendors — simply because only a vendor-neutral entity could do what we are doing. A handful of vendors like HP, Red Hat and Novell offer partial indemnification. But there are three problems.
First, vendor indemnification requires you to give up the benefits of open source in exchange for legal protection, meaning that if you modify, fix, share code and so forth — all the great reasons you bought open source — your indemnification is voided. Also, they only indemnify the code they themselves market and support. So if you used several different kinds of open-source software, you’d have to buy piecemeal coverage.
And the current indemnification offerings come with significant limitations. You have to use specific hardware, there is no coverage beyond copyright, et cetera — which, to be clear, is very reasonable. No one could reasonably expect them to cover code they didn’t sell or write themselves. Given this, only a vendor-neutral entity can certify across the entire code base — and do so without requiring users to give up the great benefits and flexibility of open source.
LI: What happens if IBM wins against SCO? Will OSRM become unnecessary? Or will you work on other open-source IP issues?
Egger: This is not about SCO. Not at all. SCO raised the issue, but SCO’s lawsuits appear to date to be fundamentally frivolous, and [SCO] will almost certainly lose. However, given the three circumstances I raised earlier — the flawed legal system, significant monetary value of open source and lack of centralized defense — the issue does not disappear when SCO disappears.
The primary issue moving forward will be patents. Linus Torvalds at Brainshare, Jeremy Allison in a recent article and Bruce Perens at LinuxWorld all have pointed out that software patents present the biggest threat to open source moving forward. But there are no patent claims in SCO’s lawsuits. So what they’re all saying — and OSRM, too — is that we have a long-term issue on our hands that needs to be addressed — through risk mitigation, indemnification and ultimately by serious lobbying for change in the flawed U.S. legal system.
LI: Can you talk a little about the ROI of open-source insurance? Insurance, many argue, is a necessary evil. What’s the real necessity here? And does that necessity balance the costs?
Egger: What offerings like OSRM’s allow companies to do is price in the risk; not just the risk of infringement, which is very low, but the risk of fighting off expensive lawsuits, which is very high. Instead of an unknown risk — which, to corporate legal counsel and CEOs, is a potentially scary risk and perhaps one they would deem not worth taking — it is a quantifiable risk. Proprietary vendors price indemnification into their software as part of the total cost.
Assuming that 3 percent of an open-source IT project budget goes to legal protection, open source still presents the most compelling total cost of ownership for many situations. What this legal protection will do is extend the areas in which open source is the best alternative.
Open source will be superior not only in overall price and performance, but now also in legal protection. So now you have all the strengths of open source and can be sure that, even when you’ve smoked out all the hidden costs, a Linux system is still less expensive.
LI: Given the challenge Linux faces among the technically challenged, such as typical home users, and against the dominant vendors, such as Microsoft, do you worry that open-source insurance is going to add another layer of complexity to the world of Linux? And therefore another barrier to adoption?
Egger: No, I don’t. This is a product aimed at sophisticated enterprise users that are integrating and customizing large systems and have “deep pockets” and substantial financial exposures. Individuals and mom-and-pop users have, in our opinion, nothing to fear and do not need legal protection from OSRM or anyone else, because they are already “judgment proof.” No one will make money by suing them.
LI: Anything else you’d like to add?
Egger: OSRM is going to defend future lawsuits vigorously on behalf of its clients. If competitors of Linux think they can slow down adoption through litigation, they are wrong. They just encourage the emergence of intermediaries like OSRM who can deal with the hassles more efficiently and economically than individual companies can. Three years from now, a lawsuit against Linux will not make headlines, will not scare anyone and will be resolved quietly with zero impact on Linux adoption.