Red Hat lawyer is right about indemnification not mattering. But for the wrong reasons

According to a new FAQ on Red Hat's Web site -- one that's primarily designed to spin the bilateral legal protection that Microsoft and Novell have assured to each other as a net positive for Red Hat -- the North Carolina-based distributor of open source software will now offer indemnification to its Linux customers. Does it matter?
Written by David Berlind, Inactive

According to a new FAQ on Red Hat's Web site -- one that's primarily designed to spin the bilateral legal protection that Microsoft and Novell have assured to each other as a net positive for Red Hat -- the North Carolina-based distributor of open source software will now offer indemnification to its Linux customers. Does it matter? According to Red Hat's deputy general counsel Mark Webbink, indemnification is not nearly as important as the Open Source Assurance Program that Red Hat already had in place.

Said Webbink:

As with any indemnification provision, if (a customer) were to get sued for intellectual-property infringement over code they got from us, the provision of the indemnification language kicks in. At that point, we step into their shoes.......We still think the earlier version of the Open Source Assurance was the far more critical thing, and we'll continue to stand behind that..

In my estimation, neither indemnification nor an assurance program will be enough to extract Red Hat from the legal pickle it could find itself in should a Microsoft lawyer turn up on Red Hat's doorstep. Here's why. 

Most people don't even have a clue what indemnification is or why it might matter to them. To be quite honest, I had no idea of its importance (or lack thereof, depending on your point of view and opinion) to Linux users (corporations included) until Sun's now CEO (but then COO) started sounding the warning bell about how little of it existed around Linux back in early 2003 (see: Unplugged interview: Sun software czar Jonathan Schwartz). In the context of how Sun was offering fully indemnified solutions such as Java's Desktop System (JDS), Schwartz said:

We like to see Linux vendors indemnify. If you can't stand behind your intellectual property, then what value are you bringing to your customers? Have you seen Red Hat's 10-Q filings recently? Look at how the risk factor section in its filings keeps growing. So, we'd like to see Red Hat indemnify along with HP and Novell.

SCO's lawsuit against IBM as over who "owned" what parts of Linux and, as such, who may owe who what amount of money, was the backdrop. But, in conjuntion with what Schwartz was saying, it was SCO's looming threat to sue end-users that had me fully-sensitized to the issue. Essentially, indemnification is a cloak of legal protection that shelters you, me, and the companies we work for from intellectual propety (IP) infringement suits that could be brought against us by someone claiming to own the intellectual property in the products we use. So, in the context of how Schwartz said he'd like to see Red Hat indemnify (above), a Red Hat offer of indemnification would theoretically shelter you from an SCO lawsuit. I used the word "shelter" because of how it implies a range of protection. A mud hut with a straw roof is a shelter. But so too is a bomb shelter. Just because a vendor offers indemnification doesn't mean you're totally safe. You have to look more closely (more on the that in a second). For a complete walkthrough of what indemnification is, see Protect Thyself 101: A primer on indemnification.

Eventually, not only did SCO sue Autozone and Daimler-Chrysler, it appeared to have twisted Robert Marsh's legal arm hard enough to make his company EV1server.net sign an actual license deal. Despite SCO's attempts to create the perception that those suits were about the intellectual property (IP) owner of Unix (and theoretically, some things that were in Linux) suing plain old users of Linux for the misappropriation of its IP (a ploy designed to scare the legal daylights out of other Linux users), both suits were really about some things entirely different. Not only that, it was just three weeks ago that Marsh revealed the EV1 license deal for the SCO PR scam that it truly was.

So, what's my point so far? It's one that I've long been making: When it comes to these sorts of circuitous third party IP infringement suits (where I use Red Hat Linux and then SCO sues me for using Red Hat Linux because it thinks its IP is in Red Hat Linux), they don't happen very often. That's because suing customers (or potential customers) isn't very good for business. Daimler-Chrysler and Autozone were not randomly picked organizations that, by virtue of their usage of Linux, may have been misappropriating SCO's IP. First and foremost, they were customers of SCO that SCO went after for license agreement violations. Those sorts of lawsuits happen all the time and are often justified. But, by trying to make it look as though any Linux user was at risk, the plan may have backfired. Now, based on the highly litigious position it has adopted, most people I've spoken to over the years won't go near SCO with someone else's ten foot pole, much less their own. 

But, just because suing customers is bad for business doesn't mean that customers are not at risk. A different kind of risk. A risk that neither indemnification nor something like Red Hat's Software Assurance can protect you for.

After Schwartz sensitized me to the whole indemnification quagmire, I did a deep deep dive on all of the legal protections being offered by IT vendors around Linux and open source. I titled the special report Managing the legal risks of Linux and it includes detailed a detailed analysis of the various forms legal protection that were offered at the time by HP, Novell, Sun, OSDL, Red Hat, and OSRM. While some of the exact protection details from each may have changed over the years, it still makes for great reading if you need to know what to look for in the protection programs that are currently offered. HP and Novell for example were offering indemnification at the time. But they were different forms of indemnification and they were for different classes of Linux users. But, now, with Red Hat's hand to indemnify seemingly being forced by both Oracle and the Microsoft/Novell deal, the larger question of whether it or any other protection that Red Hat has to offer matters.  

I think I've already dispatched the value of indemnification. As said earlier, even  according to Red Hat's current software assurance program:

The assurance program assures customers that if there is an intellectual property issue with Red Hat Enterprise Linux ("RHEL") or JBoss Enterprise Middleware Suite ("JEMS"), Red Hat will either (i) replace the infringing portion of the software, (ii) modify the software so that it becomes non-infringing, or (iii) obtain the rights necessary for a customer to continue its use of the software without interruption.

A careful study of last week's Microsoft-Novell deal reveals that the legal language revolves around patents and not copyrights. The two are incredibly different forms of IP with different legal implications to a company like Red Hat. If for example, the source code behind Linux's implementation (SAMBA) of Microsoft's SMB protocol is found to contain Microsoft-written source code, that would be a copyright infringement that Red Hat's "replace" or "modify" provisos might easily be able to correct for.

But if SAMBA violates a patent, that's a different issue altogether. Then, it doesn't matter whether the implementation of SMB is done with computer code or watermelons; it's still a violation of Microsoft's patent in which case, Red Hat may only be left with two options: (1) obtain the rights from the patent holder (per proviso iii) or (2) remove the functionality from the software altogether to prevent ongoing infringement. In either case, Red Hat's offer of indemnification is useless. For customers relying on SAMBA, the biggest risk is in being able to continue using it. So, for many customers, the aforementioned option 2 is not an option. But what about option 1?

Well, that depends. Last month, Red Hat filed a 10-Q with the SEC that amongst other sections, has one that's entitled RISKS RELATED TO LEGAL UNCERTAINTY. The first item in that section raises the possibility that the company could be found to infringe on third-party IP rights and repeats the three provisos found in its Open Source Assurance program. But what caught my eye was the following:

Although we cannot predict whether we will need to satisfy this commitment, satisfying the commitment could be costly and time consuming and could materially and adversely affect our financial results. In addition, our insurance policies may not adequately cover our exposure to this type of claim.

The 10-Q goes on to say:

Any ruling by a court that these licenses are not enforceable, or that open source components of our product offerings, may not be liberally copied, modified or distributed, would have the effect of preventing us from selling or developing all or a portion of our products.

Think about what the implications are if Red Hat can't cover its exposure or if it's reventing from selling or developing all or a portion of its products. 

Bear in mind that 10-Qs are required to be exceedingly verbose about any risk whatsoever, regardless of the odds. But Microsoft has been crystal clear in the past about protecting its IP and now that it has made nice with Novell, the big question is whether or not the legal gun turrets are swinging towards North Carolina and, if so, what exactly Microsoft has in mind. Between Microsoft's deal with Novell and its stand still agreement with Sun, an IP path has already been cleared for a legal offensive against Red Hat. Should Microsoft begin to apply pressure on Red Hat, it will probably do so on the basis of patent infringement with respect to  SAMBA, OpenOffice, and Evolution (for which Novell and Sun have now gotten legal hall passes) if not others. Should Microsoft's intellectual property claims be upheld by a court, here are some possible outcomes listed from worst to least harsh:

  • Microsoft seeks backpay for every copy of Red Hat that has been distributed and because Red Hat can't afford it. Red Hat declares bankruptcy and due to the judgement against it,  Microsoft becomes Red Hat's largest creditor and Microsoft assumes all of Red Hat's assets.
  • Instead of forcing the company into bankruptcy, which has all sorts of implications that go along with it, Microsoft acquires Red Hat at a greatly reduced price that stockholders would have no choice but to go along with if they want to ever see any of their money.
  • For some reason, Microsoft sees value in letting Red Hat survive on its own and hammers out a settlement that enforces some sort of royalty structure going forward, along with some back pay that doesn't drive Red Hat out of business.
  • Microsoft decides to be forgiving and tells Red Hat to remove the relevant functionality from all distributions of its software and to notify its customers that, for a fee, they can license replacement components from Microsoft.

Are there other outcomes? Feel free to comment below.  Will the sky fall on Red Hat? No one can say for sure. But the stage is set, the audience is in place, and the orchestra is unquestionably in the ready position, and the risk of something happening is unquestionably higher than some other randomly articulated risk item (in the name of 10-Q verbosity).

Back in September 2004, I wrote:

At this point, if I were Red Hat, and I knew that Microsoft's team now boasts ex-IBM-patent portfolio architect Marshall Phelps -- who could probably prove that OpenOffice infringes on a Microsoft patent or copyright -- and that the provisions of the stand-still agreement pave the way for Microsoft to seek " back pay" on all copies of OpenOffice distributed to date(a copy of OpenOffice is distributed with almost every copy of Linux), I would be worried -- very worried.

I still stand behind that assessment.

Disclosure: In the spirit of media transparency, I want to disclose that in addition to my day job at ZDNet, I’m also a co-organizer of Mashup Camp, Mashup University, and Startup Camp. Microsoft and Sun, both of which are mentioned in this story, were sponsors of one or more of those events. For more information on my involvement with these and other events, see the special disclosure page that I’ve prepared and published here on ZDNet.

Editorial standards