Saturday, August 16, 2003
An Answer to the Indemnification FUD
There has been quite a chorus of frogs in the pond calling out, indemnification, indemnification, indemnification. Red Hat's CEO says his customers have not been asking for it, but SCO's McBride says we GNU/Linux users need it and so he has taken it upon himself to lobby on behalf of other companies' customers:
"'For the first time in the history of the industry, we have a major operating system platform that's being pushed on end users and at the same time the users take it, they're being told 'Buyer beware -- you own all the inherent intellectual property risks with this product,' said Darl McBride, SCO's chief executive."
I'm pretty clear he doesn't have a soft spot in his heart for Linux lovers, so that couldn't be his motivation, do you think, a paternal concern for us? The lovely and tireless Ms. DiDio also repeatedly says we want indemnification, and we absolutely, positively must have it. She is, as usual, wrong. Corante asks this intriguing question:
"Before this 'indemnification' FUD gets spread too thickly by analysts like Laura DiDio, I'd like to pose a question: Will the analysts firms be willing to cover losses by their customers if they follow faulty advice? Will the Yankee Group spot a company license fees for Sun systems or Microsoft systems if they choose proprietary systems, and it turns out SCO has no case?"
When Ms. DiDio's company offers me indemnification, as Corante suggests, I'll follow her advice. Nah. Joke. Joke. No doubt IBM could safely follow her advice, with full indemnification. If they get snookered by following her advice to indemnify, why she can reimburse them for their losses in full. I notice Sun is offering to indemnify users of Solaris only, but not Mad Hatter, Red Hat, or SuSE users, though it ships with each product. Do Ms. DiDio and McBride and the rest say Sun needs to step up to the plate and indemnify right away? No? Yet IBM uniquely must, must, must do this right away, croak the frogs, despite the fact that no Linux customers are lining up asking for it.
Red Hat's CEO Szulik has set up a legal fund. That's the equivalent of indemnification, of course, for developers and commercial entities that distribute GPL software and nonprofit organizations, the parties most likely to be sued over software. So that covers them. Oh, says McBride, but what about end users? They are left out in the cold. SCO is being "nudged" to go after end users, he said recently, because of Red Hat and IBM's actions.
First, I'm not sure how much nudging it takes to get SCO to sue you, considering its CEO has said from the beginning that his hero is the RIAA. I wonder if he's noticed how they are doing lately in the courts? Second, if I may suggest it, he isn't actually compelled to rape and pillage the Linux community, assuming he is truthful when he says MS isn't behind all this and if we also assume he hasn't sold his soul to the Devil, as the saying goes. But assuming free will, rape and pillage are basically in the options column, not on the must-do list.
Excuse me for talking sensibly in Wonderland and pointing this out, but the fact is, Microsoft has never, until the SCO case came along, indemnified individual users, only business customers. I don't know of any other software company that does either. For that matter, MS and other proprietary software folk lobbied like mad to pass UCITA for the exact purpose of making sure that they never had to pay a dime to any customer except what they had paid for the software, no matter what happened, even if the software caused them millions in losses due to viruses and worms made possible by insecure MS code or any other reason. Read your EULA. Read UCITA. You'll see they disclaim everything they can think of. Then the kitchen sink.
Even in business, only the big guys can negotiate decent indemnification, and not even always then. Read the AT&T contract terms in the contract SCO attached as an exhibit to its Complaint, if you want to see a company running from indemnification as fast as its little legs can carry it:
How much did MS pay you over the years for any losses sustained from Code Red or blue screens of death or this week-end's mess-up, or any of the endless annoying and costly malware their flawed code makes possible? I know I didn't collect anything. And you didn't either. End users have always been left out in the cold. We've acclimated.
Furthermore, everyone seems to agree that MS is offering it now because they've figured the odds are they'll never have to pay out anything significant under their new terms either. For sure, I can't find any evidence that they have ever paid out on such a claim, for an individual or a business. If you didn't buy from them directly, and most of you didn't, you probably can't sue them anyway, much as you'd like to probably, every time you have to reformat your hard drive. Again. I have concluded, therefore, that they must have made the change so they could say they have indemnification and GNU/Linux doesn't. A noble move, indeed.
So what is this really all about? Naturally, when your enemy, or any of its croaking frogs, tells you to do something, it's a good idea to run sharply in the opposite direction. PJ's rules to live by. So, here I am, an end user and I am saying I don't want IBM or Red Hat to offer indemnification.
Let's look first at the reasons why SCO might like to have IBM and Red Hat et al offer indemnification, and let's see if they have my best interests at heart, or yours, or if they wish to gain an advantage for themselves.
First, if IBM or Red Hat offers indemnification, especially now, then SCO has entities with deep pockets to sue, and they only have to sue two parties. They could sue IBM because there was a contract. IBM doesn't sell GNU/Linux software, so exactly why does SCO want them to indemnify software it didn't write and it doesn't sell? So they can nail them to the wall, folks. If they have to sue each and every individual end user, that's literally millions of lawsuits.
And the simple truth is, it isn't worth suing me and you, because we have no money. You have to be able to win more than it costs to bring the action, or there's no point. Lawyers won't normally even take a case, unless the math works out from day one. McBride didn't even think it'd be worth suing Linus Torvalds, and he makes a good living. So that is their first reason for craving indemnification. Why would GNU/Linux users wish to make it easier and potentially more lucrative for SCO to sue IBM and Red Hat? They don't need any encouragement, I'm thinking.
Next, it costs money for a company to offer indemnification. You have to quantify the risk, and then get the customer to pay enough to cover it. Otherwise you go out of business. End result? GNU/Linux will no longer have the competitive cost benefit it currently enjoys. You think SCO and MS et al would like that or not? In their minds, because money is apparently their god, they think people are switching to GNU/Linux because it's free or low-cost. So I believe that is another reason they wish to push indemnification, to make it no longer free or low-cost. As it happens, a recent survey shows that price is not the main reason people are flocking to GNU/Linux software. SuSE's CEO gave some details recently:
"Think about what CA [Computer Associates] just did. They did a survey with their customers about why customers are deploying Linux. [Customers] named five reasons: performance, reliability, scalability, security and total cost of ownership, which came in fifth. What does this mean? Everybody is talking about total cost of ownership, and no doubt this is very important, because all of us have to reduce IT budgets. But customers named four other reasons. These reasons are strategic reasons why to deploy Linux. ... This is a competitive advantage to Windows because this is not something you can get with [Windows]."
So, the joke's on SCO. All that effort and expense, and having to put together and coordinate the indemnification chorus, not to mention having to hang out with frogs, and they've misidentified why people love this software in the first place.
And here's the main reason I don't want indemnification, because it would destroy the GNU/Linux development model.
Free software is an entirely new kind of development model, one that MS is trying to ape sorta, kinda, pretend-to-but-not-really recently. Its Shared Source program means they acknowledge there is something good about opening the code. Customers are demanding it, so even MS knows it has to move in that direction, even kicking and screaming. Governments overseas are demanding to see the code, because they don't trust MS. Go figure. Rather than lose them to GNU/Linux, MS creaked open the safe just a crack and let them peek inside at their proprietary code.
But while they want the benefits of openness, simultaneously they are trying to kill it off. Whether deliberately and cunningly or just because of bumbling along, they will kill it with indemnification. Here's why. Many free software and open source coders are individuals, not companies. Volunteers. How are they going to indemnify anybody? Obviously, they can't. Who will indemnify their code? They can't afford to. Even if they signed such a contract, what can you realistically expect to get from them? Lots and lots of free code, maybe, for the rest of their lives. But you have that already, for free.
Exactly, croak the frogs. It's dangerous to have these unknowns coding for you. First of all, they're not unknown to the maintainers of the code base, but if it's so dangerous, how come people all over the world are running to get it because of performance, reliability, scalability, and, may I stress, security? It's the vigor and strength of GNU/Linux that anyone in the world with talent and skills to offer can improve the code. It's just a fact that any time barriers to entry go down, creativity and innovation go up. Don't believe me? Think of the internet. It was built using the open process. When the NE just suffered the big blackout of 2003, I could still connect with my PDA by 56K and sure enough, the internet was still there, humming right along, unlike my cell phone. Cell phones are proprietary, and don't they show it?
The internet was swell until corporations got involved and tried to figure out how to squeeze every last screaming dime from us, and started shutting down its openness and erecting annoying toll booths and putting surveillance equipment every 5 feet until a lot of people got fed up and left (or went GNU/Linux to get some air). That's part of what caused the dot.com bust, in my opinion, the annoyance factor. They killed the golden goose from greed. Greed doesn't seem to help any situation you find yourself in, does it? So what is the answer to the "problem" of indemnification? Here it is:
Openness is its own indemnification.
Red Hat's CEO Matthew Szulik said that recently himself:
"Matthew Szulik . . .says that openness is the only protection users need. He says anyone can see -- and remove, if necessary -- any offending code."
That isn't total protection, actually, because you could still be liable for infringement that occurred prior to realizing there was infringing code and getting it pulled out, but it's the next best thing. As for the rest, well, that is what the Red Hat legal fund is designed to cover.
And do you really believe the indemnification proprietary companies offer provides total protection? Let's take a look. I have been looking around for an example of the indemnification that proprietary companies offer. Well, I found a contract. You'll never guess whose. Caldera. It's on Findlaw. Note that the link doesn't actually resolve to the contract. Findlaw has arranged that if you click on a link to an inside page, in this case http://contracts.corporate.findlaw.com/agreements/caldera/software.html it resolves to the home page instead. So you can see their ads, I suppose. Exhibit A.
But if you click on Corporate, then choose Utah, then search for Caldera Navarre, you'll find the contract. A 1998 Caldera contract. Look what they offered Navarre Corporation, the other party to the contract, in the way of warranty and indemnification for their proprietary software -- I have emphasized some parts, mainly the ones that made me laugh:
"COMPUTER SOFTWARE DISTRIBUTION AGREEMENT
"This Agreement is made and is effective as of the December 14th day of 1998 by and between Navarre Corporation ("Navarre") of 7400 49th Avenue North, New Hope, Minnesota, 55428 and Caldera Systems, Inc. ("Vendor") of 240 West Center St. Orem, Utah 84057.
"The Parties have agreed as follows: . . .
"8. WARRANTIES, EXCLUSION OF CONSEQUENTIAL DAMAGES
"8.1 Neither party shall, under any circumstances, be liable to the other for consequential, incidental, indirect or special damages arising out
of or related to this Agreement or the transactions contemplated herein, even if such party has been appraised of the likelihood of such damages occurring. This Section 8.1 does not apply to the infringement of intellectual property and shall not limit the remedies for such
". . .8.2 Except as provided otherwise in
Section 9, in no event shall the aggregate liability of vendor for all claims (Regardless of the form of action, whether contract, warranty, tort, product liability and/or otherwise) relating to a product exceed the amount paid to vendor under this agreement for the
"8.3 Vendor makes no warranty to Navarre not
expressly set forth in this agreement. All implied warranties, including the implied warranties of noninfringement, merchantability and fitness for a particular purpose are disclaimed and excluded by
"9.1 In the event that a Product infringes any patent, trademark, copyright or trade
secret of a third party not affiliated with Navarre, Vendor shall indemnify Navarre against any amounts, including damages, attorneys' fees, and cost, awarded by a court of competent jurisdiction to the third party because of such infringement, provided that: (i) Navarre promptly gives notice to Vendor of any claim against Navarre alleging such infringement, (ii) Navarre allows Vendor to control the defense and settlement of such claim, (iii) Navarre fully cooperates with Vendor in connection with the defense and settlement of such claim, and (iv) if requested by Vendor, Navarre ceases all use, distribution and sale of the infringing Product and returns all infringing Product units on hand to vendor. If Navarre is enjoined from continued sale of any infringing Product or if Navarre ceases sale of any Product at the request of Vendor under (iv) above, then Vendor shall (at its expense and option): (a) obtain the right for Navarre to continue to sell the infringing Product, (b) modify the infringing Product to eliminate the infringement, (c) provide substitute noninfringing Product to Navarre under this Agreement, or (d) refund to Navarre that the amount paid under this Agreement for the infringing Product upon its return to Vendor. Vendor has no other obligation or liability in the event of infringement. Vendor has no obligation of indemnification or to defend or hold harmless relating to infringement. Vendor shall not be liable for any costs or expenses incurred without its prior written authorization. Vendor shall have no obligation of indemnification or any liability if the infringement is based upon (a) any altered, charged or modified form of the Product not made by Vendor, or (b) the Product in combination with anything not provided by Vendor, or (c) any process in which the Product is used in a manner not contemplated by the Product's documentation or is used together with anything not provided by Vendor, or (d) the laws of any country other than the United States of America or its states.
"9.2 Navarre's Liability -- If Navarre modifies
the Product or its packaging and such modification results in a claim, suit, or proceeding brought against the Vendor on the issue of infringement of any patent, trademark, copyright, or trade secret, Navarre shall indemnify Vendor against and defend and hold Vendor harmless from any such claim, suit, or processing."
So, what do you think? Feeling cozy and safe? This indemnification is better than the openness of GNU/Linux and the Red Hat legal fund? Are they kidding? With Linux, nobody can tell you that you must return the product or stop using it or wait for the vendor to replace it or parts of it. If there is infringement, whether patent or copyright-related, you can rip out the offending code yourself and move on. Or just take a nap, and volunteers, like Santa's helpers, will do it for you and leave it for free under the tree.
I knew indemnification was the new FUD, and just because Ms. DiDio said it was needed, I was mightily sure I didn't want it. But now I also don't want it because you get virtually nothing for your money. Look at these terms. People pay for such a flawed offering because with proprietary software, you can't fix it yourself. With GNU/Linux, you can. Problem solved. And you don't have to spend a dime unless a problem actually arises.
Of course, no one can insure against greedy companies willing to ruin everybody else's life just to line their own pockets. Not even Mutual of Omaha would insure you against the SCOs of this world. The solution to that problem lies elsewhere. SCO is the poster child for "IP value in the internet age", all right, and how do you like it? Think maybe some legal tweaking might be in order so companies like Ride-'em Cowboy Black Hat SCO don't have so much room to rape and pillage and shoot up the rest of us law-abiding citizens in the Wild, Wild West of IP Country?