Analysis: Do software users need indemnification?
- 24 December, 2004 07:30
If purchasing software were as straightforward as buying a car, users would not have to think twice about the risk of intellectual property lawsuits.
Say General Motors (GM) claims it owns a patent on power steering and alleges infringement by Ford Motor. GM would have to sue Ford, not drivers who bought Ford cars, according to legal experts.
But software, unlike cars or most tangible consumer products, is licensed. Some software makers, particularly in the open-source market, where code is often contributed by noncommercial developers from all over the world, use licenses to limit their liability and exclude user protection from intellectual property lawsuits. This protection would otherwise be implied by law, experts said.
"People who buy software have less protection than people who buy cars," said Bruce Sunstein, a patent attorney at Bromberg & Sunstein. "The license terms have been designed to protect software vendors."
Underscoring a growing awareness of this issue on the part of users, Microsoft Corp. last week expanded its intellectual property indemnification program to cover most of its customers. Previously the company covered only so-called volume license buyers -- customers who buy its products in bulk. The Microsoft plan protects customers from exposure to legal costs and damages related to patent, copyright, trade secret and trademark claims. The protection has no financial cap.
With the expanded program, Microsoft is seeking to set itself apart from rivals, especially those in the open-source community.
Users are showing more interest in indemnification programs, particularly for Linux after The SCO Group, which claims that Linux includes some of its copyright-protected code, earlier this year threatened infringement lawsuits.
The type of protection offered by software indemnification programs varies widely. Vendors typically offer comprehensive protection for proprietary products, but not for open source software.
Novell offers SUSE Linux Enterprise Server 8 customers protection against copyright-infringement claims only. The protection is also capped and tied to restrictions such as the requirement to purchase a maintenance contract. Hewlett-Packard Co. (HP) offers indemnification for Linux products it sells, but only against SCO claims, and the buyer must sign a support contract and use HP hardware.
Linux vendor Red Hat does not indemnify customers, but promises to replace Enterprise Linux code for users if a court were to find that the product infringes a copyright.
IBM does not indemnify the Novell and Red Hat Linux products it sells.
Many Linux vendors can't match Microsoft's blanket indemnification because they don't have the financial means, experts said. The median cost to each party in a patent infringement suit with more than US$25 million at risk is $4 million, according to data from the American Intellectual Property Law Association.
"Red Hat is not nearly the size of Microsoft. It could never take on a limitless indemnification obligation for its users. It really would not be worth the paper it was written on if you had a substantial enough IP claim," said David Elkins, a partner at Squire, Sanders & Dempsey.
Another reason some users are getting more concerned about lawsuits is that there are a growing number of companies that acquire patents specifically to use the threat of lawsuits to extract money from companies, according to Dan Ravicher, executive director of the Public Patent Foundation.
At HP, indemnification is discussed in the "vast majority" of talks with customers who buy direct from the company, according to Martin Fink, vice president of Linux at HP.
However, while indemnification is a topic in sales discussions, the jury is still out on whether software buyers really need such protection.
"The chance that a corporation will find itself the unwitting target of a third-party IP (intellectual property) lawsuit ... is low. It's about the same chance that the average taxpayer gets audited by the Internal Revenue Service," Laura DiDio, senior analyst at The Yankee Group in Boston wrote in a recent report.
DiDio in her report praises Microsoft's indemnification program and argues that "low risk can still equal high cost." Microsoft offers DiDio's report for download on its "Get the Facts" Web site, part of a marketing effort by the software vendor that positions Windows as superior to Linux.
The risk of patent infringement lawsuits, however, is overstated and used to spread uncertainty in the marketplace, according to Lawrence Rosen, founding partner of Rosenlaw and Einschlag, and general counsel for the Open Source Initiative, a nonprofit group that manages and promotes the open source definition and certifies open source software licenses.
"I think indemnity now is a politically interesting term and people are using it for marketing purposes. So far it has not made much difference, I don't know of anyone who is actually seeking indemnification on open source software," he said.
HP has been offering indemnification for little over a year now, but less than 100 customers have signed up. The program is for customers who purchased Red Hat and SUSE Linux from HP or an HP reseller and run the software on HP hardware.
Still, Fink, vice president of Linux at HP, said the 100 customers in the program account for thousands of servers. "The customers who are signing up for this are large enterprise-class customers, so it is actually quite substantial to have these many customers signed up," he said.
But the marketing aspect is also important as HP competes against IBM, which does not indemnify its Linux customers. "It has really allowed HP to differentiate against IBM who has refused to step up to the plate," Fink said.
Microsoft gets three or four calls each month from customers who have been threatened with lawsuits, said Martin Taylor, general manager of platform strategy at the Redmond, Washington-based software company.
"Microsoft should not be in the position of assessing legal risk for people, but we are in the position to tell our customers that they don't need to worry about anything when deploying Microsoft technology," Taylor said.
One Microsoft customer said intellectual property protection is key.
"When we evaluate companies and software products, indemnification is one of the first things we look at," said Ken Meszaros, assistant vice president and infrastructure manager at LandAmerica Financial Group, a real estate transaction services provider. "It is important that the vendor is willing to stand up for the integrity of its products."
Indemnification essentially is the same as an insurance policy. Whether an organization needs such insurance depends on their risk of being sued, all experts agree. They don't agree on the degree to which users are actually at risk.
Chances of an end-user company getting sued depend on size of the company, its financial wherewithal, how widely the software in question is deployed, and the market capitalization of the vendor that provided the software, said Mark Webbink, deputy general counsel at Red Hat.
One point industry watchers have made is that open source users stand a higher risk of being sued because open source vendors make less of an attractive target. They are smaller than and not as wealthy as, for example, Microsoft, which is the target of many lawsuits.
"If the end user is a more attractive target than the vendor, that would potentially be a reason for a patent holder to go after them," Red Hat's Webbink said. Still, he sees Red Hat as a large commercial vendor, just like Microsoft and others. "Large commercial vendors, including Novell and Red Hat, provide a more inviting direct target than an end user."
HP, which sells more than just Linux products, is pretty straightforward. "If the customer's primary concern in their IT solution is intellectual property protection, then Linux and open source software may not be the right answer for them," Fink said.
Only the largest companies need indemnification, said Elkins, the intellectual property attorney. For smaller companies, indemnification is nice to have, but not necessary in most cases, he said.
This brings Microsoft's move to expand legal protection to smaller users into context, he noted.
"Microsoft is using its financial power to enhance its marketing advantage," Elkins said.