Hacker, open source advocate, venture capitalist, company man, pundit: Bruce Perens has worn a lot of hats over the past few years, building up a unique combination of hacker credibility and business know-how. These days, when he’s not fielding press queries about the ongoing dispute between The SCO Group and the Linux community, Perens spends his time speaking about Linux and open source software and providing consulting services for technology companies. On May 1, Perens was appointed to the board of directors of Open Source Risk Management (OSRM), a 15-person start-up based in New York that offers professional services, and even indemnification against lawsuits, for users and developers of open source software. Perens, one of the founders of the Open Source Initiative, spoke to Robert McMillan about OSRM, Linux indemnification, and how the SCO lawsuits may eventually change the world of proprietary software.
It seems that SCO’s lawsuits have generated a lot of interest in the legal community in open source software and open source licenses. To what extent do you think SCO’s actions have created a boom market for lawyers?
Bruce Perens (BP): It has created a market. I wouldn’t call it a boom market. All they are doing is contract work and due diligence.
But suddenly everyone using Linux seems to be thinking about legal liabilities.
BP: That is why Open Source Risk Management has stepped up to address this question.
OSRM seems to be capitalising on this.
BP: I want to be very careful about that, because OSRM is not capitalising on fear, uncertainty, and doubt (FUD). OSRM is going around and talking about what the real risks and benefits are.
Do you think people were misguided to think of open source software as “free” when it first came on the corporate radar?
BP: Not at all. I think that open source is still free software, in both freedom and price. There is still no reason why your enterprise business cannot get its software at zero cost.
But isn’t the price of indemnification against potential lawsuits now a necessary cost?
BP: I am not promoting that everybody go out and buy an indemnification policy from OSRM. I am promoting that large businesses look at their software risk. A good deal of what OSRM does is not providing indemnification, it is managing risks in other ways.
So what kind of enterprises don’t need indemnification now?
BP: Frankly, I think that unless somebody is asking you to purchase indemnification or indemnify your business, that you may well have a conventional liability policy for your business. Pretty much every business of a certain size has a liability policy. They know they will be liable in some way, from time to time, (for matters that have) no connection with open source. They insure themselves against those risks. Now, the biggest role I see for OSRM is working with conventional insurance companies that offer blanket liability policies, not just open source indemnification, to make sure the open source component of that is reasonable. But if you look at large companies, there aren’t companies of a reasonable size that don’t carry liability insurance.
Companies such as Novell and HP are offering indemnification to their Linux customers. Would you recommend any of those policies?
BP: I cannot recommend any company-based indemnification at this time. I think that if you are indemnified by a company, the first thing you should ask that company is, “Let me see the insurance policy that covers you if you have to pay out this indemnification, because I want to know that you can pay a claim, or multiple claims, that are as large as the damages I might have to bring to you.”
I surmise that a lot of the companies that claim to offer indemnities — and this is not limited to open source; we’re talking for the most part about proprietary software manufacturers — a good many of them offer some sort of claim to indemnify their customers regarding infringement of their products — most of them would go bankrupt if forced to pay those claims. Most of them do not have an insurance policy that covers their payment of those claims.
What effect do you think OSRM is going to have on Linux users in the next year?
BP: I think that we are poised to offer better coverage of open source risk, both in terms of risk management and in terms of risk assurance, than is available for proprietary software today. This is not poised to fix a problem with open source. This is set to make open source do something better than anyone in the proprietary world.
Are there examples of proprietary software customers who have had to pay for IP (intellectual property) violations?
BP: I think many people in the proprietary world will take a cue from SCO and that we are approaching a very bad time regarding software patents. We have an overload of improperly issued, invalid, non-invention software patents that will be prosecuted aggressively against people who can’t really afford to defend themselves.
The problem is worst for the open source developer, but it is also a problem for small and medium-sized businesses. If the open source developer gets sued, he probably can’t afford to be in court very long. He’ll probably have to settle. In the one example I have of this so far, the developers signed their copyrights over to the plaintiff and signed a covenant that said they wouldn’t develop similar software.
The problem is that (US law) says you can be sued under patent law for certain activities, including use. So legally, a patent holder can sue the purchaser of a product for patent infringement in the product. It could be that a judge might throw that sort of case out, we don’t know yet.
With small users, I don’t think there’s a problem. I don’t think they’re visible enough. The problem will be for software developers and the problem will be for larger businesses that make use of software.
Unless we have changes in the laws, what we are really setting up is a system where only the largest companies can do business in software and there is a discriminatory tariff against smaller companies.