Do You Need Open-Source Indemnification?

The idea that companies and individuals might risk lawsuits for running applications that infringe on copyrights or patents gained popularity when SCO began threatening to run down Linux end users in retaliation for secret (SCO refused to detail them) upstream IP violations.

The story was (and still is) that since open source licenses explicitly declaim liability for SCO-style attacks, and since most open source software projects don’t have the resources to pay on lawsuit judgments anyhow, open source software is riskier for companies than proprietary software would be.

Unless, of course, your open source software provider was an IT titan with a big sack of patents (and lawyers) slung over its back.

Is open source software indemnification a necessary defense for a real threat, or isn’t it?

While gathering support contract pricing information for my Ubuntu 8.04 review, I noticed a somewhat surprising item listed among the benefits of paying Canonical for a Linux distribution the company gives away for free:

Protect your business against IP infringement claims

The Ubuntu Assurance from Canonical covers your business for claims of intellectual property infringements arising from your use of Ubuntu. The Ubuntu Assurance is included in Canonical Support contracts for eligible customers. This offering is designed to safeguard your business and make deploying Ubuntu even easier through warranties from Canonical and an indemnification offering.

The legend that companies and individuals might risk lawsuits for running applications that infringe on copyrights or patents gained popularity when SCO began threatening to run down Linux end users in retaliation for secret (SCO refused to detail them) upstream IP violations.

The idea was (and still is) that since open-source licenses explicitly declaim liability for SCO-style attacks, and since most open-source software projects don’t have the resources to pay on lawsuit judgments anyhow, open-source software is riskier for companies than proprietary software would be.

Unless, of course, your open-source software provider was an IT titan with a big sack of patents (and lawyers) slung over its back. During the early days of the phantom SCO menace, Sun was quick to point out that it offered indemnification for this sort of thing, and even appeared to bolster SCO’s claims by paying the company for expanded rights to some of the Unix IP over which SCO (wrongly) asserted ownership.

Red Hat responded to the SCO business by challenging the infringement accuser to prove its claims, and by assuring customers that direct lawsuits for running Red Hat-distributed software were a threat too remote to worry about.

Since then, Red Hat appears either to have bought its own line about the unlikelihood of infringement lawsuits, or to have bent to customer demands for protection, because the Linux leader now pledges to indemnify its fee-paying customers.

Novell has taken a lot of heat for its deal with Microsoft, which many view as having legitimized vaguely-defined infringement threats to open-source software. Red Hat and Ubuntu 8.04 have maintained their distance from such a deal, but does the fact that Red Hat and Canonical both offer its customers indemnification for those sorts of threats further legitimize them?

In other words, is open-source software indemnification a real threat, or isn’t it?

I recently came across a great Q&A on the topic at RedMonk’s Web site. In the final analysis, Stephen O’Grady’s answer is a definite maybe:

Q: Is it safe to say, then, that you are skeptical of the value of indemnification?

A: Yes. I don’t dismiss it, of course, because larger enterprises are right to lower their attack surface through such mechanisms. But it is not–to me–a feature worth either paying a premium for or altering a buying decision about.

Historically, the probability that you will require indemnification is minimal, and the future prospects are low in an environment that tends to favor vendors settling such matters amongst themselves.

Considering that open-source software and processes are serving an increasingly prominent role in the IT industry landscape, and that actual lawsuits against open-source end users haven’t been materializing, I don’t think that companies or individuals running open source without service-fee-based indemnification are in any particular danger.

Maybe I’m wrong–if I get served for running Linux without an annual service contract, I’ll be sure to write about it.