Practical Technology

for practical people.

Open-Source Insurance Provider Finds Patent Risks in Linux


SAN FRANCISCO—On Monday, OSRM, a provider of open-source consulting and risk mitigation insurance, announced that the group has found that there are 283 issued, but not yet court-validated, software patents that could conceivably be used in patent claims against Linux.

That's the potential bad news for Linux developers and users. The good news is that the Linux kernel contains no court-validated software patents. For those who are seriously concerned about the risks, OSRM (Open Source Risk Management) will be offering a litigation insurance policy starting in 2005.

OSRM began offering copyright infringement insurance to Linux users in April 2004.

Patent attorney Dan Ravicher, leader of the OSRM patent study and executive senior counsel to the Free Software Foundation, added that only about “half of software patents stand up in court.”

Of those 283 issued patents, Ravicher continued, “about a third are held by organizations or companies that are seen as Linux friendly: IBM, HP, Novell, Red Hat, etc. At the same time, though, 10 percent of these patents are held by Microsoft.”

Ravicher also points out that, “This is not a doomsday scenario. This number of potential patent concerns is typical for a software product of the size and complexity of Linux.”

OSRM won't publicly say what the specific software patents are that potentially affect Linux because it “would put the whole developer community at risk.”

That's because of what he describes as the “Catch-22 of patent law … Patent law is meant to popularize technology, but at the same time if you look at software patents as a developer, you put yourself at more legal risk.”

“Current U.S. patent law creates an environment in which vendors and developers are generally advised by their lawyers not to examine other people's software patents, because doing so creates the risk of triple damages for willful infringement,” explained Daniel Egger, chairman and founder of OSRM.

“This studied ignorance leaves the field open to those who would spread fear and disinformation. It also means that only a vendor-neutral entity, like OSRM, has the freedom and incentive to assess the true risks.”

So what can developers and users do?

According to Ravicher, they have five possible approaches.

First, he suggests advocating for “patent policy reform.” Because as it is now, “It's ridiculous.” But, while this would be the best, comprehensive answer, “it will take a while - years - if ever before the laws are reformed.”

Next, if you already suspect there's a specific patent that might be a problem for Linux, start looking for prior art to get the patent overturned if its holder tries to take it to court.

There is already a public project, Grokline, which is working on “creating a history of Unix and Unix-like code with the goal of reducing, or eliminating, the amount of software subject to superficially plausible but ultimately invalid copyright, patent and trade secret claims against Linux or other free and open source software.” Grokline is directed by Pamela Jones of Groklaw, the well-known SCO litigation news site, and receives support from OSRM.

You can also be ready to design around existing patents. This can only be done on a case-by-case basis, and again it's something of a Catch-22 since you can only design around it, said Ravicher, “after the threat is upon you.”

In such cases, however, it's not enough to show that you immediately acted to take care of the patent issue. Ravicher explains, “The rule is that you must have an attorney state that, in their expert opinion, you've taken such action.” Such letters from qualified attorneys, Ravicher continued, run around 20 to 40 thousand dollars.

Finally, Ravicher says, “You can simply pay for a patent license so long as you do so in a way that doesn't conflict with the GPL.”

Many people, he adds, think that patent licenses almost always conflict with open source licenses, but that's not the case. “Some patent licenses are compatible with GPL and some patent-holders are willing to expressively say that in their licenses.”

The problem with most of these solutions, continued Ravicher, is “that they're one-shot, case-by-case answers. There is no immediate and comprehensive solution.”

In response, OSRM will be expanding its risk mitigation and insurance offerings to cover this quantifiable risk.

“Patents pose a financial risk to corporate Linux users - just like they do to corporate users of almost any software - because, whether or not a patent is truly infringed, it costs $3 million dollars on average to defend a patent lawsuit,” said Ravicher. “This heavy cost of proving even weak patents invalid could fall on unprepared end-users, who, until now, have often been forced to pay settlements to avoid risking millions on litigation. OSRM's new patent insurance gives such end-users another way to address the issue, as it is a direct competitive alternative to licensing or litigating.” Ravicher summed up his findings.

Specifically, OSRM will be supplying patent-infringement defense insurance for Linux developers and users. At first, this program, which will roll out in 2005, will only be available for the Linux kernel, but OSRM will extend it to more open-source programs over time. The insurance, which caps out at $5 million, will pay for a legal defense and for damages.

“The most important message to take away, based on OSRM's proprietary research and quantitative models and the best independent legal analysis available to us, is that the core of the Linux operating system appears to be a normal, insurable patent risk for the businesses that use it. And, based on our hands-on work with many different types of customers, we have found the total cost of ownership of using Linux to still be dramatically lower than proprietary alternatives for customers that add in the cost of effective risk-management,” said Egger.

“What it boils down to is that Linux has patent risks; but they can and will become conventional insured risks, just an everyday cost of doing business. OSRM's whole mission is to make the issue of Linux liability simple, routine, and manageable.”

A version of this story first appeared in eWEEK.
