Open source: Prepare for attack

Bruce Perens predicts the open-source software movement will soon be under widespread legal attack by proprietary software vendors.
Written by Bruce Perens, Contributor
COMMENTARY--Do you need open-source legal protection any more than you need meteor insurance? Don't dismiss the idea.

Most legal observers discount the legal claims by SCO as illegitimate. But there are bigger challenges to contemplate than those from SCO. In fact, users face a convergence of issues that may ultimately lead to other claims being brought against Linux and open-source software.

For starters, consider the following:

• A defective U.S. patent system that permits specious lawsuits and allows users to be sued for using software that they didn't create, as SCO has sued AutoZone.

• An open-source market that has become lucrative for the likes of IBM and Red Hat, though not for most of the independent open-source developers who create much of the software.

• The inclusion of royalty-bearing patents into industry standards--for example, a proposed modification to the TCP/IP standard is covered by a Cisco patent.

As the commercial significance of Linux increases, proprietary software vendors, unable to compete on technical and economic grounds, will turn to the courts for competitive advantage. They see the absence of central ownership for Linux as a gap that allows them to pick off open-source developers individually, with little threat of a concerted rebuttal. Think of this as a "death by a thousand cuts" approach to stalling the free-software movement.


SCO showed us that even a ridiculous claim can create a disturbance and kite a plaintiff's stock to 40 times its previous value. So it was that SCO was able to finance its legal campaign. We must apply lessons learned from that litigation to the post-SCO world and prepare for the next attack--which may come from Microsoft or one of its proxies.

Copyright and trade secret laws present risks that we must manage--but software patents are easily the largest future risk to open source. Governments routinely award patents for noninventions, leaving their resolution to the courts. Yet, with the cost of defending a lawsuit running about $2.5 million per patent, it's hardly economical to resolve in court whether a patent represents an invention. Almost by default, the victory goes to the largest pocketbook, an obvious disadvantage to the individual open-source developer.

Rather than take on an expensive court battle, many prospective defendants have found it more economical to license technology that has an invalid patent, allowing plaintiffs to collect royalties for their noninventions. Standards bodies are increasingly including patented algorithms in Internet standards, potentially creating new fees for all Net users. But any patent royalty is a showstopper for open source. Since we don't charge royalties to our own users, open-source developers don't have the funds to pay royalties to patent holders.

Not everyone is at risk. The threat to smaller Linux users is minimal. You're not visible; you aren't wealthy--there is little incentive to go after you. However, high-profile, deep-pocketed corporate users of any software--not just open source--are at risk.

And individual free-software developers are at risk even though they don't have deep pockets. The courts can be used against them to restrain the creation and distribution of competitive free software. Since most open-source hackers can't afford a single day in court, such lawsuits, no matter how ridiculous, can be effective against individual developers.

So, how can we defend ourselves?

First, we must turn back poor patent policies in the United States, as well as the ones that are being rammed down the throats of the European technology sector. We must make common cause with small and medium-size proprietary software developers, who stand to lose as much as open source does and who make up 80 percent of the tech economy.

We also must increase the confidence of enterprise users that our software will not put them at financial risk. Some proprietary vendors offer indemnities, saying they'll reimburse customers who are sued because of alleged infringement in Linux. But how many small and medium-size software vendors could actually afford to pay out such a claim? And the indemnities of large vendors require users to relinquish the freedoms of open source--like modifying code--in exchange for protection. Defense funds have also been created. But while notable, these will be easily sapped by just a few lawsuits.

Facing formidable legal opponents with limited defense funds and restrictive indemnities is no solution. Neither is pretending there is no threat. The entry of legal defense and insurance into the world of free software is a necessary consequence of the fact that our software plays a critical role for an ever-increasing commercial user community. We, in turn, depend on that community because it can best influence legislators to support our right to continue to develop and run open-source software. Both sides must protect each other.

What we need is a one-stop, collective defense entity for open source--one that is well-capitalized and vendor neutral; one with funding primarily from enterprise users, rather than vendors with their conflicted interests; and one involved with most of the existing open-source legal defense efforts, so that it can handle cases economically and with the greatest possible expertise.

We must take a proactive approach to risk mitigation and a vendor neutral approach to indemnification. Only with this concentration of resources will we have the power to prevail against deep-pocketed aggressors like Microsoft.

biography
Bruce Perens is a member of the board of directors at Open Source Risk Management, a company that sells insurancelike protection for Linux use. He is also a co-founder and director of Software in the Public Interest, an open-source development organization. He operates an independent consultancy and is a senior research scientist for open source at George Washington University's Cyber Security Policy and Research Institute.
