OSRM Says Linux Might Violate Hundreds of Patents

by Timothy Prickett Morgan

Many people in the Linux community have been waiting for the other shoe to drop in the intellectual property and copyright lawsuit that has been raging between the SCO Group and IBM for the past year and a half. At the LinuxWorld trade show last week in San Francisco, Open Source Risk Management announced the first independent patent review of the Linux kernel, and that review indicates that it could start raining shoes.

The key word there is could. Here's the deal. OSRM hired Dan Ravicher, a patent attorney who is the founder and director of the Public Patent Foundation and senior counsel to the Free Software Foundation, to review the code in the Linux 2.4 and 2.6 kernels. The good news is that the Linux kernels do not, according to Ravicher, violate any court-validated software patents. (Meaning those software patents that have been tested and upheld in the battle of the courtroom.) A set of attorneys from the pillars of the commercial IT sector might have a different opinion, since patent law is one of those slippery areas of life. But suffice it to say that a software patent expert says that Linux is clean. But not squeaky clean. According to Ravicher, the Linux kernels could potentially violate 283 software patents that have been issued but not validated in the courts.

OSRM probably had wished that there were some patent violations in Linux, since it would certainly help its cause in selling risk assessment and insurance-like indemnifications to protect users of open source software (including but certainly not limited to Linux) from possible litigation. Companies like OSRM benefit from the uncertainty surrounding the intellectual property in open source software, but they would benefit even more so from some concrete violations and pending litigation.

As we reported in March , OSRM was formed to provide third-party code scanning for open source programs to look for any potential legal issues and to offer indemnification insurance for such programs. A few weeks later, OSRM gave the Linux kernel a clean bill of health after doing code comparisons, and then launched its indemnification and legal protection insurance. The assessment by Ravicher seems to confirm what its own code-comparisons revealed, and it is more surprising in light of the fact that U.S. patent law requires the payment of triple damages for willful infringement of patents. If you know you are violating someone else's patent, it is much worse to be in a position of being shown to know before the initial court documents are filed. Ironically, with the publication of the 238 potential software patent violations that Ravicher has documented and the widespread PR that OSRM got at LinuxWorld last week, it would be hard for anyone to say that they were no aware of potential violations.

The 238 patents lurking inside Linux that could be enforced by the parties in control of those patents is a serious matter, and one that companies like OSRM stand to benefit from, much as the antivirus and firewall software makers have profited nicely from the mayhem and pandemonium that ensues from viruses, Trojan horses, and other hacks. Ravicher says that 98 of the 238 patents are owned by corporations such as Cisco Systems, Hewlett-Packard, IBM, Intel, Novell, Oracle, Red Hat, Sony, and others. He says that 27 of the patents are also claimed by Microsoft, and a big chunk of the remaining patents are held by individuals who have little or nothing to lose from making legal threats against either commercial Linux distributors or their customers.

Earlier this year, OSRM created what it calls VSearch risk assessment algorithms that can look at a stack of open source programs that any company is using and tell them what kinds of legal vulnerabilities there might be in the code and then outline an economic plan that helps them mitigate against these risks. OSRM is, in effect, building the actuarial tables that describe the risks of using open source software. This week, OSRM said that the Linux kernel is clean and that the risks are small enough that it is not (for there is no certainty in the courtroom) that it will start offering insurance. The price of the insurance is set at 3 percent of the maximum amount of coverage a company wants to have. For instance, for $1 million in coverage, companies have to pay a $30,000 annual insurance premium. OSRM is covering both Linux 2.4 and Linux 2.6 kernels. OSRM has been limiting the number of policies it is underwriting, but says that it will offer combined copyright and patent insurance for Linux by the end of 2004. This insurance coverage gives Linux shops a single point of contact to deal with all of the potential patent and copyright issues.

In May, OSRM established the Open Source Legal Defense Center, which it based in Washington, DC. The center has been set up to assist the 1,500 companies who have been threatened by lawsuits by the SCO Group with litigation because they are using Linux in production environments. Corporate membership costs $100,000 a year, which entails companies to talk to each other and to have access to intellectual property lawyers acquainted with the ins and outs of open source and proprietary software. True to the open source community, the center is trying to spread the costs of lawyers and other legal resources across members so they don't have to spend a lot more money cultivating these resources themselves. The center is also offering, for $250 a year, protection for programmers who contribute to Linux. That fee provides programmers with $25,000 good toward legal costs if they are named in a future Linux lawsuit.

Nick Donofrio, the guy at IBM in charge of its technology and manufacturing operations who gave one of the keynotes last week at LinuxWorld, sort of said that IBM would look the other way in regards to potential patent violations in Linux. (I would think that this sort of behavior would legally undermine IBM's attempts to show due diligence in defending its intellectual property, but I am no lawyer.) "I can assure you that IBM has no intention of asserting our patents against the Linux kernel," he emphatically declared, adding "unless, of course, we are forced to defend ourselves." Uh huh. If I were the Linux community, I would want to see a more formal contract in writing from IBM--especially that last part.