I had a chance to talk with Daniel Egger, a private equity investor at Eno River Capital and the Chairman of Open Source Risk Management (OSRM). OSRM currently offers enterprise end users advice, training and certification to help mitigate potential liability exposures associated with the use of free and open source software. But OSRM is in final preparations to offer comprehensive vendor-neutral free software/open source insurance, a project called Free Software and Open Source Risk Management (FORM).
I have, as you know, issues with indemnification as currently offered, and I've been looking for a workable alternative, some way to handle corporate demand for protection from nuisance law suits without damaging all that is precious about free/open source software and most particularly a method that doesn't in any way conflict with the freedoms of the GPL or interfere with the development process.
Here is the interview I did with Daniel, in which he explains his organization's vendor-neutral alternative. I asked him to explain how the FORM project will work. If you have followup questions, feel free to post them.
1. PJ: Novell has just announced they will be offering indemnification, but I understand you feel you have a better idea. Tell us about your project, please.
Egger: Well, we should acknowledge the value of what Novell is doing to help GNU/Linux succeed. It's great to see Novell, IBM, Intel, and others start to acknowledge by their public actions that it's unrealistic to expect most end users of GNU/Linux systems to be able to cope with legal harassment and frivolous lawsuits on their own.
I’m approaching this whole problem from a belief that what’s commonly called "intellectual property defense insurance" is a present and future business necessity in our litigious system. Widely held insurance is the time-tested remedy for the kind of issues the Free Software and Open Source communities are wrestling with right now, because it eliminates the incentive for opportunistic plaintiff’s lawyers to make unsubstantiated demands and pick off the most vulnerable, uninsured end-users, for whom it will always be much cheaper to settle than to fight. So Novell’s willingness to take serious steps toward coordinating and funding collective defense with an insurance-like offering should be very appealing to end-users.
That said, anyone who knows the history of Unix knows that commercial vendors unintentionally fragmented Unix and actually destroyed its best virtue -- its compatibility -- in a misguided race to add differentiating features of their own. It’s quite possible, if competing vendors offer insurance bundled only with their own “brand” of GNU/Linux or with their own services, treating indemnification as just one more tool in their selling process, that this fiasco will repeat itself with GNU/Linux. And no vendor could or should risk insuring code distributed by other vendors – so with vendor-based indemnification you’ve got messy fragmentation, no matter what.
To avoid these pitfalls, FORM’s long-term approach is to offer comprehensive intellectual property defense insurance that is vendor-neutral, consistent with the Open Source development process and the philosophy of the GPL, and which will cover not only SCO and other copyright claims but patent claims and “novel” future claims against the expanding Free/Open Source code-base. Think of it as “shadow indemnification” that puts current and future Free/Open Source code on an equal footing with proprietary software from a risk-management point of view, minimizing total cost of ownership without jeopardizing the freedoms that make GNU/Linux so cool. The core idea is to offer insurance for Free Software & Open Source itself – the code, the process, the GPL.
2. PJ: While I'm not sure of all the details yet, I understand Novell says they will be offering limited indemnification, somewhat like HP's indemnification. However, with HP, there are restrictions on what you can do with your Linux code. Also, HP only indemnifies you against SCO, I understand. How does your plan differ?
Egger: First I want to say I respect HP for taking a leadership role on indemnification last fall – without Martin Fink and others taking some courageous first steps toward insurance for end-users, we might not be having this discussion about next steps so soon. It was no doubt hard to buck the counter-argument that indemnifying customers against SCO only dignified their claims, or what some have called their shakedown.
But the idea the GNU/Linux lawsuits will stop with SCO – that’s ostrich thinking. Once open source became important to large commercial enterprises – impacting billions of dollars in corporate buying decisions each year – it became fair game for plaintiff’s lawyers, forever. That’s the U.S. legal system. SCO is just the first of many plaintiffs, some sincere, some cynical, that will sue or credibly threaten to sue GNU/Linux end-users, over patent violations, over copyrights, even over security breaches, over laws that don’t even exist yet, you name it, out into the future. The most effective remedy for end-users is comprehensive, vendor-neutral intellectual property defense insurance. If you think SCO is the last, or even the most important, legal threat against GNU/Linux, I have some lovely dot com stocks for you -- at 1999 prices.
Second is the issue of restrictions on what you can do with your Linux code. This involves damage to both the total cost of ownership arguments for commercial uses of GNU/Linux and to the more fundamental values of freedom protected by the GPL.
The business risk for enterprise end users is “lock-in.” If you can’t switch vendors later in order to get support, patches, applications, custom modifications, whatever you want, from whomever charges you the least and does the best job, because you risk losing your critical insurance policy if you do, then one of the key Total Cost of Ownership arguments for Open Source begins to erode.
More fundamentally, the freedoms expressed through the Free Software development process will be damaged in subtle but real ways if individuals must ask permission of a third party before writing new code or running new code, or worse yet are limited in where they could get downloads from, in order not to lose their critical insurance. Richard Stallman rightly calls these kinds of potential insurance-driven limitations “obnoxious.”
3. PJ: What limitations on modifications would you foresee in your insurance plan? What could you do? What couldn't you do?
Egger: The rights of end users to modify source code are the critical issue where the “rubber meets the road” and where current vendors’ positions break down.
Our goal is to impose no restrictions on developers beyond the GPL. But of course FORM needs to have an opportunity to study, review, and certify each line of source code before indemnifying it. The solution is that if you modify your code base by introducing new code not yet FORM-certified, everything but the modifications remains insured. And the modifications will be certified as quickly as possible if widely distributed.
But, if you, as the end user, want to insure a piece of code that you have modified for your own use without distribution, or that is currently distributed only to a very small subset of the community, you may need to pay us to review and certify it specifically for you before we can insure it. As with any underwriter, we seek to align all parties’ incentives and avoid moral hazard. We’ve had a very supportive dialogue on just these issues directly with Eben Moglen, General Counsel of the Free Software Foundation, to make sure that the approach we’ve developed is fully consistent with the GPL.
This key commercial issue is also what we have explored with the Open Source Risk Management Working Group, where we have solicited private input from CIOs and General Counsels who are some of the largest commercial GNU/Linux users in the world. We will continue to refine the risk-management offerings in discussions with end users over time. Interested parties can find our schedule of face-to-face meetings at our web site.
4. PJ: If SCO sues a company or there is some copycat lawsuit, how would your program protect? How is it different from current indemnification?
Egger: Technically, what we offer today is also indemnification, not insurance. We don’t want to offer something different from what we think vendors should offer. Rather, we want to level the indemnification playing field between proprietary and open and between various GNU/Linux vendors. We certainly hope the end-user market will evolve to the point where we can manage comprehensive indemnification programs for vendors like Novell, Red Hat, HP, with economies of scale and with less risk, than if they did it all in-house. It's in no one’s long-term interest to have an indemnification arms race between various “flavors” of Linux – but offering better indemnification than you can get with proprietary software is fine with me.
From an end user’s point of view, receiving a demand letter, or other credible threat of future litigation, would trigger the indemnification. After a small deductible, you would get your legal defense, software liability, software replacement, and some business interruption costs paid up to a pre-agreed cap. Our current modeling suggests that we can offer $10 million in aggregate coverage per end-user with our planned capital reserves. But if you need more coverage than that, give me a call.
5. PJ: What would be covered?
Egger: Like insurance, it will cover legal defense, liability, software replacement, and some business interruption expenses, for those areas where your code-base is certified by FORM. Types of claims covered will include federal claims – copyright & patent – and state claims that are often considered pendant “IP” claims, including unfair competition and trade secret claims. It will also cover some more novel claims typically covered by “E & O” rather than “IP” insurance – security breaches, loss of information, etc. And it will of course cover SCO, as well as new claims.
6. PJ: Who would offer it?
Egger: OSRM, at www.osriskmanagement.com. Or do you mean who would ultimately carry the underwriting risk? OSRM will carry insurance, and reinsurance from some of the best-known underwriters in the world will stand behind that. We plan to exceed industry-standard capital reserve levels for these kinds of risks by a healthy margin – while simultaneously generating excellent returns for our investors. This is possible because pricing and underwriting even modest amounts of software IP risk capacity remains a highly specialized undertaking with few active competitors participating – and insuring Free and Open Source Software is a HUGE market.
7. PJ: One of the things that troubles me about current indemnification programs is the worry that small developers and companies will get frozen out, that because they can't afford to offer indemnification, no one will use their products. I also worry that the cost of indemnification will erode one of Linux's selling points, its low cost. Can you address my concerns?
Egger: It's a big risk with vendor-based indemnification -- what's their incentive to bother at all at any price? But I don't think that should be a problem at all for our vendor-neutral approach.
Certification of non-kernel type code, like sourceforge projects, is not intended to be burdensome or expensive, just not zero cost - as a way of prioritizing requests and use of finite scanning bandwidth by FORM. FORM makes its money from the premiums themselves - which are fixed as a percentage of maximum coverage.
I'm guessing now, but no more than $1,000 max. to cover the processing costs of scanning a typical specialized application's source. So no truly useful code should get buried because the cost of certifying it is too high.
Also, there is no "penalty" for using non-reviewed code -- it doesn't cause you to lose any coverage you already have - so it's still free.
8. PJ: Why is this better, in your view? Is it possible to have a "free as in freedom" indemnification?
Egger: FORM’s offering is better in the same way that free and open source software is better than proprietary, binary-only software. Vendors may deny that comprehensive coverage is necessary, or, contrariwise, attempt to offer ever-more generous indemnification terms on their own piece of pie, but a vendor-neutral, GPL-cherishing approach will win out over time. The simple reason is that indemnification for free and open source software that is not “free as in freedom” will never succeed in harnessing the near unlimited risk-identification and risk-mitigation capabilities of the motivated Free Software and Open Source communities. The collective knowledge and influence of these people is the “secret weapon” that makes a low-cost, high-limit, broad coverage indemnification offering possible. Groklaw itself demonstrates the power of this community to declaw almost any conceivable plaintiff-monster out there through collective pursuit of the truth. I’d be happy to answer more questions later.
PJ, do you ever sleep?
PJ: As a matter of fact, I do. As in, right now. Thanks, Daniel, for answering my questions.