The First Steps Toward Open Source Insurance Taken
by Timothy Prickett Morgan
The hardest thing for proponents of the open source programming model to fathom is that the lawsuits between The SCO Group and IBM are only going to be the beginning. From here on out, any company that has a vested interest in supporting the proprietary software licensing model that has by and large defined the software industry is going to attack open source on patent, copyright, and intellectual property grounds. Open Source Risk Management wants to help prepare customers for this eventuality and to cushion the economic and legal blows that open source users might face in the coming years.
Vendors have been unwilling to offer wholesale indemnification to open source programs that they distribute or support. While Open Source Development Labs--the consortium that steers the development of the Linux kernel--has put up money for a legal defense fund (backed by IBM, Novell, and others), and Hewlett-Packard and Red Hat have offered their own very tightly constrained indemnities for Linux, this is not enough. What the open source community has needed from day one is a means to verify that no stolen code, which may be covered by copyright and/or patents, ends up in any part of the open source stack. The open source community has relied on the simple principle of honesty to assert this in the past. And being open, the code is subject to verification. This is one of the things that actually makes open source better than closed source: we can check the code and see if someone has borrowed things that they should not have.
It is ironic, of course, that the biggest proponents of proprietary software--the vendors with their own operating systems and middleware stacks, and you know them all by name so I am not going to bother rattling them off--would probably cringe if they were forced to the same level of code scanning as you find in the open source community. Heaven only knows how many "ideas" have been borrowed or how many derivatives have been created that might nonetheless break the complex rules of copyrights, patents, and intellectual property as it relates to software. People who want to sell software in glass houses should be very careful about the stones they throw around. All kinds of panes could get broken. Now that I think about it, to be fair, all current and past proprietary programs should be put through such code checking, just as open source programs should be. What is good for the penguin is good for the geese that lay golden eggs.
OSRM, which was formally announced last week, is taking the first step toward providing third party code scanning for open source programs to look for any potential legal issues. The company has developed what it calls the VSearch risk assessment algorithms that can look at a stack of open source programs that any company is using and tell them point blank what kinds of legal vulnerabilities there might be in the code and then outline an economic plan that helps them mitigate against these risks. In a sense, OSRM is building the actuarial tables that describe the risks of using open source software. This is a great service, and it is a starting point for other companies to actually provide insurance.
New York-based OSRM says that it plans to offer an "insurance-like" indemnification package, and says further that it reckons that insuring companies against potential legal problems as they use open source programs is a $1-billion business. Now that it is doing the assessments, it could turn out that insurers and re-insurers create a pool that offers real insurance. But more importantly, OSRM is offering specific indemnifications for modified open source programs. Just as an IBM, a Microsoft, or an Oracle will warranty and indemnify its customers for the exact programs that they use as manufactured by their programmers, OSRM will look at your exact code--which can be lightly or heavily customized open source--and then provide assessments and indemnifications based on your specific configurations. This is a powerful offering, and the fact that Pamela Jones has joined OSRM means it is credible and serious. Jones is the driving force behind the Groklaw site, which has been tracking all the legal shenanigans in the Unix and Linux bases since May 2003 and which started the Unix Timeline Project in February 2004 to map out all the pieces of code that were created for some 30 different variants of Unix in the past three decades. This timeline is going to be a critical piece of evidence in the continuing lawsuits. In fact, it may even spawn some more suits if people start checking source more carefully.
By the way, Black Duck Software, which was founded at the end of 2003, offers an eponymous tool that can detect proprietary and open source code in your own solution stack and tell programmers and managers the potential intellectual property risks they face as they mix such code. If you use an open source program as part of your application, Black Duck will, for example, tell you if the licensing terms you offer your customers violate the GNU General Public License.
The big question in all of this, of course, is what the risk assessment and indemnification/insurance will all cost. While freedom is a great thing, particularly when it comes to creating software, if the hassle and cost are too high, companies will take the path of least resistance and cost. That much we can be sure of.