April 5th, 2005
JBoss indemnifies. But does it really matter?
Read the fine print. Or, ask for it. That’s the moral of this blog.
InfoWorld has a story about an announcement from JBoss that the open source provider of J2EE-based application servers is strengthening its indemnification against intellectual property-related claims. As a side note, for a good icebreaker on indemnification, see ZDNet’s Protect Thyself 101: A primer on indemnification written by ace tech lawyer Joseph Rosenbaum (who also puts out a great tech law newsletter).
The InfoWorld story raises questions about how far certain solution providers can really go to assure you that you’ll be able to survive an intellectual property infringement suit should one be filed against you. For starters, the likelihood that end-users will be sued for the misappropriation of open source-related intellectual property is virtually nil. I say "open source-related" because when it’s commercial software, end-users get nailed all the time for "theft." Usually, the Business Software Alliance does the dirty work. To vendors, having the BSA be the heavy is a clean approach that disguises the way vendors sometimes sue end-users. Suing end-users, as it turns out, is really bad for business. The same is true for when the potentially misappropriated IP is open source-related, exacerbated by the fact that finding the smoking gun in such cases is significantly more complex given the legally untested and incredibly liberal nature of open source licenses.
This is why I believe the risk to end-users is minor. (Things are different if you’re a distributor, re-distributor, or a derivative-distributor of open source.) As such, although corporate attorneys regularly comb through software licensing agreements before allowing their businesses to engage a solution provider, end-user indemnification announcements appear to not only amplify, but prey on fear. Everybody is talking about the risk. Therefore, it must exist and because it does, I better seek refuge. This environment of fear, largely created by vendors, creates an opportunity for them to win your business by offering such refuge. So, it comes as no surprise that several vendors, and now JBoss, have stepped forward to say "we will go to the legal mat for you."
Technically, according to the story in InfoWorld, and another in eWeek, the new indemnification program consists of three components. Says the InfoWorld story, they will (1) defend customers on an unlimited basis if any complaints are lodged pertaining to infringement of copyright or software patents, (2) repair and replace any infringing code on an unlimited basis, and (3) provide damage coverage of as much as four times the value of a customer’s support contract, based on the company’s Gold and Platinum support levels. This third item is sort of like saying "if our defense of you (per component no. 1) comes up short, we’ll still help you out with the damages."
It’s nice to see that JBoss is offering something that a lot of companies will never need. It might put some pressure on its competitors to do the same (thereby perpetuating the myth). But the fact that JBoss — a very small company no matter how you look at it — is offering such an extensive indemnification program raises some questions as to whether or not vendors who promise indemnification can actually deliver on that promise. For example, taking the first "unlimited defense" component into consideration, if a vendor decided to sue a JBoss customer for IP infringement (again, I think this would be unlikely), then there’s a 500 percent probability that JBoss would also be named in that or another lawsuit as the co-conspirator that provided that solution to you. Not only would JBoss get sued; if the litigious IP-holder really had the proclivity to sue customers (or potential customers), then so too would a bunch of JBoss’ other customers (probably the ones with the deepest pockets). Whether JBoss, as a small company, could even sustain such a lawsuit is a good question to ask.
So, I asked. I asked JBoss’ vice president of services Brad Murdoch how big the company was from a revenue perspective. "We’re privately held. I can’t answer that." I asked Murdoch how much money JBoss had set aside in an escrow fund should the need to defend its customers arise. Murdoch could not answer that question, either. What Murdoch did tell me, however, is that JBoss’ indemnification backbone is not self-financed, but rather is being underwritten by a third party. Although my bet is on the only outfit I know that does this (Open Source Risk Management), Murdoch was equally unable to publicly identify the underwriter. With all of this transparency (my attempt at sarcasm), it’s really hard to size up just how prepared JBoss is to sustain a serious infringement suit that might be brought against it, let alone you. That said, you as a JBoss customer (or potential one) are allowed to ask these same questions and, according to Murdoch, he’ll tell you (just not me). Rest assured you’ll need to sign an agreement of confidentiality so you don’t come straight to people like me. Why all this confidentiality is needed, I don’t know. If JBoss is so confident it can withstand the hit, why not be a little more open about how it thinks it can do so?
On to the second point — that of code replacement or infringement. In open source circles, if you were to be sued for IP infringement, chances are it would be for one of two types of infringement: copyright or patent. Do you remember what I said about how the likelihood of end-users being sued for IP infringement is basically nil? Well, it’s niller (is that a word?) if it’s for copyright infringement. After all, if you’re a customer, you didn’t write the code. You took delivery of it from JBoss. You probably didn’t even look at it. And if you added to it or modified it in any "open source" way, then you just voided your indemnification anyway since JBoss can’t be responsible for any code you introduce (its underwriter, whoever that is, would never put up with that and Murdoch confirmed this). Unmodified, no judge in his or her right mind would hold you accountable for using the code and, therefore, no lawyer in his or her right mind would sue you for it.
So, now let’s look at patent infringement, which is an entirely different beast than copyright infringement. With patent infringement, it doesn’t matter what the code looks like, or what copyright is on it. Code is simply an implementation of a patent. This means that if a patent is being infringed on by a certain chunk of code, then there’s no way to rewrite the code in a way that doesn’t infringe on it. You could implement the patent in code, by folding paper, or with vegetables for all I care. It doesn’t matter. If one of them infringes on a patent, they all do. To the extent that the patent covers a feature in your software, the only choice JBoss or any other vendor has is to remove the feature or financially square up with the patent holder so that the feature may stay. So, the promise to repair or replace any infringing code is kind of useless to end-users. (As a side note, it might be helpful to JBoss’ partners who might be redistributing the code.)
When I questioned Murdoch on this point, he said "we will do whatever engineering is required in order for customers to be able to use the JBoss Suite." But if functionality has to be removed in order to comply with a patent infringement order, your attraction to the JBoss Suite may be greatly diminished. If JBoss realizes that the patent is critical to your attraction to its suite (as well as that of its other customers), then–to stay in business–it has no choice but to square up financially with the patent holder and the only way it can do that is eat the charge into its margins (which may prevent JBoss from sustaining its business) or pass the cost onto you. My advice? Make sure that if you really want the JBoss Suite, that you sign an enduring contract that protects you from any such price increases.
Finally, there’s the third point: the one where, if, after all of its attempts to put a legal shield around you, an IP holder still manages to penetrate your legal perimeter and your company is held liable for damages, JBoss will cover you for some amount of those. This brings me back to my criticism of the first component: exactly how big of a hit can JBoss sustain — underwritten or not? With companies like Sun, Microsoft, HP, and Novell, all of whom are offering some measure of indemnification, at least you have a sense that when they say they’ll go to the mat for you (never mind whether you’ll ever need it or not), they’ll have the resources to do it. But when a small, non-public company says it, too, will rise to your defense (if for some reason that’s a requirement for you), then make sure you know exactly what the mat looks like. As I said earlier, Murdoch promises he’ll answer such questions in private. Make sure you take him up on that promise and if he doesn’t deliver, be sure to drop me a line.