Theres a wonderful scene in Neil Gaiman and Terry Prachetts novel Good Omens in which a Crowley, a devil, reads an end-user license agreement (EULA) and then sends it on to his fellows in hell with a one-word memo attached: “learn.”
If youve ever read a EULA closely, you have to love it since your typical one guarantees absolutely nothing up to and including that the product will even run. The same is true of most software indemnification clauses.
Recently though, thanks to the SCO vs. Linux fuss, indemnification has become a hot button issue for many corporate software buyers. So lets go over exactly what indemnification is, what it isnt and what kind of guarantees are actually out there for any software.
Indemnification clauses and contracts are a kind of insurance policy. The software vendor is agreeing to compensate you for some potential loss or damage resulting from your proper use of their software. Note that I say “proper” use. If you dont use the software in exactly the way the indemnification clause spells out, youre as unprotected as a naked baby.
GPL software, like Linux, doesnt come with any such indemnification clause. Most software doesnt. For example, if you buy a five-user package of Microsoft Small Business Server 2003, youre not going to get any indemnification protection. This isnt a knock on Microsoft—most proprietary software companies, including IBM, dont offer such protection either as a matter of course.
Its not just box software either. To cite a December 2003 Aberdeen Group study, Computing without Indemnification and Warranty Contract by Bill Claybrook, the following is the indemnification policy from Microsoft governing a companys right to access the Microsoft OEM System Builder Web site: “Company agrees to indemnify, defend, and hold Microsoft, Microsoft Licensing, GP, their suppliers, and all of their officers, directors, owners, agents, and information providers (collectively, the “Indemnified Parties”) harmless from all liability and costs incurred by the Indemnified Parties in connection with any claim arising out of any breach of the Agreement by Company or any Site User, including without limitation, reasonable attorneys fees. Company shall cooperate as reasonably required by Microsoft in the defense of any claim. Microsoft reserves the right to assume the exclusive defense and control of any matter otherwise subject to indemnification by Company.” In short, good luck guys, youre on your own!
Now what you can do, especially if youre a big IT buyer, is to arrange a deal for indemnification protection. Or, even if youre only buying a dozen copies of a program, you can still ask. Many software companies will offer some kind of minimal intellectual property (IP) indemnification protection if you ask for it.
Im not sure though how much help indemnification really will be. IP indemnification clauses tend to be extremely narrow. For example, Suns “Linux” indemnification only covers the Java Desktop System, not the underlying Linux operating system. Hewlett-Packard does cover the operating system but only if youre running it on HP machines, and it only defends against SCO lawsuits. Novells policy appears to be the broadest, but it only covers SuSE Linuxs newest enterprise offering, not its older systems or “personal” operating systems.
Although, Im picking Linux examples, theres nothing unusual about these kinds of restrictions. Theyre quite typical of IP indemnification clauses.
If youre really worried about being sued by SCO, you should look into IP insurance. This is a very small, very specialized area of insurance, and youll need an expert. In all likelihood, your ordinary business insurance broker will not be able to help you. At least one organization, Open Source Risk Management (OSRM), is getting ready to offer what theyre calling comprehensive vendor-neutral open-source insurance: Free Software and Open Source Risk Management (FORM).
Other companies, like Black Duck Software Inc., will soon be offering source code auditing programs that, in theory, will automatically detect proprietary and open source code. In both cases, though, these organizations products sound to me like theyll be more useful to software developers and not software users.
So what can you do? What should you do? Im not sure you, as a Linux or any program user for that matter, really have that much to worry about. Aberdeen was unable to find a single example of a software vendor suing an end user for an IP infringement in a third-party program. Im no lawyer, but with 10 years in the IT business and then 15 as a writer about IT, Ive never heard of any such suit either.
Of course, SCO tells us that theyre going to change that in the next few weeks with the first such suit. But lets get real. How much of a threat is that really?
SCO has yet to prove anything to anyone. Besides, how many lawsuits can SCO file? No, I just cant see SCO IP litigation as a serious threat, and since no one else has ever even made such a suit, I dont think most companies need IP indemnification.
Now, if youre a software developer, its a different story. But, as a CIO, if you can get IP indemnification from your vendor for Linux, or any other product for that matter, go for it so long as it doesnt cost much of anything. It cant hurt, it might… maybe… help someday.
Discuss This in the eWEEK Forum
eWEEK.com Linux & Open Source Center Editor Steven J. Vaughan-Nichols has been using and writing about operating systems since the late 80s and thinks he may just have learned something about them along the way. Be sure to check out eWEEK.coms Linux and Open Source Center at http://linux.eweek.com for the latest Linux news, views and analysis.