IBM should take care of software risks

Written by Julie Giera, Contributor
COMMENTARY--IBM is giving its customers the blues by asking them to assume financial and legal risk with its open-source software--that's after those same customers have already shelled out hundreds of thousands of dollars for the code.

So far, Big Blue has refused to assume liability for its customers on intellectual property infringements for any of the company's applications or systems that are developed on open-source platforms. That's unfair to customers.

Indemnification against copyright infringement litigation has long been a part of information technology services and software contracts, until the advent of open-source platforms. Now, some companies, most notably IBM, have refused to assume liability for any application suite--such as WebSphere--that has been developed on an open-source platform or any application suite that uses open-source components.

IBM's argument is that, by their very nature, open-source platforms could be changed (by the customer, for example), leaving companies like IBM defending potential intellectual property liability claims for a platform or components they cannot control.

The recent SCO Group lawsuit has brought this issue to the forefront. Customers are now in the position of having to decide how much risk they are willing to assume if they purchase an application with open-source components.

In the extreme, customers that purchase software from companies that refuse to indemnify the customer against future legal action are intentionally entering into contractual arrangements that could put their businesses at risk.

In the worst-case scenario, a customer might spend two years developing entire suites of business applications and associated business processes only to be told a year later that there has been an infringement of copyrights and the customer must either uninstall the applications or pay huge fines and fees.

It's not just the customer that's at risk in these situations. Shareholders and business partners have sued companies (and the individuals in those companies) who knowingly make IT decisions that could put the company at risk.

Directors' and officers' insurance does not necessarily cover a company in such a situation. The business risk a company could incur by knowingly signing a software or IT services contract without appropriate protection against potential intellectual property infringements could be significant.

Let's take this situation back to reality a bit. What is the real risk of copyright infringement litigation being filed against the average company? Before the SCO lawsuit, the answer would have been slim to nonexistent, but that has now changed.

For the average company, the risks are still quite slim, in our opinion, that legal action would be filed for copyright issues that revolve around commercial off-the-shelf software. The sheer costs of such sweeping legal action would be tremendous, and frankly, small companies do not have the kinds of assets to make such litigation very profitable.

But we do believe that there is a real risk to the very large Global 1000 company with deep pockets. If legal actions were to be brought at all, they would likely be filed against a marquee company with a reputation to protect. After all, it is these companies that would likely pay substantial amounts of money to avoid protracted legal wrangling that could paralyze them. The size of a company and its associated assets does increase the risk profile.

Additionally, customers must review how much open source actually exists in the software they wish to buy or build. If large components of the customers' applications are dependent on open source, the risk profile would increase.

Finally, there is the issue of verification of authorship of the open-source platform itself. If a customer can validate the development history of the open-source platform, risks are obviously reduced. But it is extremely unrealistic to expect customers to perform such research (if this task could even be done) going back, in some cases, several years, to ensure that intellectual property is protected.

Recently, several companies--most notably Hewlett-Packard--have agreed to indemnify customers, with certain exclusions, against intellectual property claims on open-source platforms. Essentially, the companies have said they would indemnify the customer only on the version level of the open-source platform that was used in their software. In other words, if the customer makes any material change to the open-source components of the application, HP's responsibilities end immediately.

This is not only the right thing for industry giants such as HP to do for their clients--it is the only thing the company can certify. A company cannot reasonably be held responsible for changes made after its products were developed. But IBM's position of shifting the entire burden of liability onto the backs of its customers is not only unfair, it flies in the face of the benefit the company has long touted: that doing business with Big Blue is good for your business.

IBM must follow the lead of its competitors and offer some protection--to the extent that it can--to its customers in this area. IBM cannot expect its customers to pay hundreds of thousands--if not millions--of dollars, for software that could someday be useless--or worse, software that could be a ticking time bomb of legal liability.

We have heard from numerous IBM customers that the company's failure to offer some level of indemnification on software such as WebSphere has forced them to consider alternative solutions. This is certainly a viable approach if competitive options exist in the marketplace.

If customers choose to purchase either software or services from a company that refuses to indemnify the open-source platform or components, we have the following advice:

• First, we recommend companies immediately discuss this issue with qualified legal counsel. Companies should also assess the level of risk to which they are subject, and make their own decisions about what level of risk they are comfortable with incurring.

• Some customers may still purchase products from companies that refuse to offer indemnification. These companies should include contract language that specifies that if, at any time in the future, the company does offer indemnification to any customer, they too would be eligible for a new contract (without price or service changes) that offers them the same protection.

• Finally, our recommendation to IBM and other companies in the same situation: For open source to truly become a viable platform for the most important business applications, companies must find ways to assure their customers that it is not a ticking financial time bomb.

Sharing the risk with your customers is the right thing to do. If the customer changes the code, all bets are off; the customer knowingly assumes the risk of potential litigation that surrounds copyright infringement. Any company that uses open-source components has a responsibility to verify and validate the quality of that code, the content of that code and the "licensing" of that code--as is standard business practice for other IT software products.

Customers depend on companies to provide reliable, high-quality, feature-rich software applications. To provide anything less than that is impinging on the fundamental trust between companies and their customers.

biography
Julie Giera, a Forrester Research vice president, is an analyst in the IT Management & Services group. She joined Forrester through its acquisition of Giga Information Group and is a 27-year veteran of the IT industry.