By Brian Proffitt
Managing Editor
The day after April Fool’s Day is always like a hangover for me;
the whole day is one big tension about which story I post as
real/fake that turns into a fake/real article.
Luckily, I don’t think I misjudged anything that went out on the
feed yesterday, though in the spirit of total honesty, I must
confess I spent a good chunk of Thursday morning screeching at the
internetnews division that the Google/Gmail story was probably
fake. I was wrong, it is a real product, and now I have earned the
“Tin Foil Hat” award for the company this month. (Being the editor
of the Linux channel, I think my colleagues would just as soon give
me that award every month.)
Regardless, like every other reporter, I always look at a story
coming out from some source and try to decide whether it’s (a)
newsworthy and (b) factual. As an editor with a small voice on this
particular media outlet, I also have the luxury of deciding whether
I like or dislike said events or statements, because I might have
the opportunity to give my opinion on them.
So it was when I first heard about the open source insurance
plans that are in the works from Open Source Risk Management. As I
read more about it, it seemed an interesting concept. But something
about it kept sticking in my craw. Insurance for open source seemed
too much like a quick fix, too neat and tidy, and just a little too
convenient for my tastes. At first, it was nothing definable, just
a vague feeling of trouble on the horizon.
The more I thought about OSRM’s plans, though, the more concrete
my concerns became. It came down to these three problems.
First, I was concerned that having open source insurance in
place would justify this whole goofy idea that end users can be
sued for liability in using GPLed software. To me (and yes, I am
not a lawyer) that whole notion seems ludicrous. Having insurance
to protect people from what I judge to be a stupid tactic is even
more, well, stupid.
Second, I was worried that the presence of insurance would just
paint a big target on policy holders that would read “SUE ME” in
giant nine-story-tall flaming letters. One of the parallels that
has been drawn to this proposed OSS insurance is malpractice
insurance. No one wants to be sued for malpractice, but eventually
mistakes will get made.
Except that, for me, malpractice insurance is also one reason
why medical costs are so high here in the US and why people tend to
sue doctors for $X million because they know the doctor’s
malpractice insurance will either settle quickly or pay the amount,
so that dog don’t hunt.
Finally, there is the potential that some proprietary vendor
(say, one located in the US Northwest) will use the presence of OSS
insurance as an argument against Linux and open source software in
one of those inevitable TCO or security studies. “Hey, if you use
Linux, you’ll need insurance, which will hit your bottom line.” Or
“Hey, if you use Linux, you’ll need insurance, because you are
likely to get sued.” Or something to that effect.
These concerns have been with me for a few weeks now, and a
couple of weeks ago, I decided to do something about it and clear
the air with OSRM itself. I talked to Daniel Egger, Chairman and
Founder of OSRM, about these very same issues, to give him a chance
to explain things to me. (It should be noted that this interview is
slightly dated–recent distractions with other online publishers
have held this column off for two weeks. No mention of the open
source seminars OSRM has announced this week was made, since
at the time, the announcement was still under wraps.)
Once we connected on the phone, I explained to Egger my dilemma
and that I wanted him to have a chance to answer my concerns. He
readily agreed, emphasizing first that to date, no formal insurance
plan has been enacted by OSRM–it’s all still in the planning
stages.
To my first concern, Egger believes that the ability to be insured
is not necessarily justifying any legal action. From his point of
view, “people are going to sue deep pockets,” regardless of the
pockets’ insured status. His point is backed up by the
DaimlerChrysler and AutoZone suits from The SCO Group: neither of
these two end-users had insurance, and they were sued anyway.
Whether big enterprises (OSRM’s target customer right now) have
insurance or not, it does not increase their likelihood of being
sued–the fact that they are big and wealthy is more than enough to
attract litigants. Smaller firms, such as small to mid-size
enterprises, will not be as attractive a target for litigants, so
again, the insurance will likely not influence others to sue these
SMEs.
“We are addressing the large commercial users,” Egger said. “We
think the risks [of being sued] are minor for small- and mid-sized
users.”
OSRM’s protection is aimed at the larger users who are likely to
be targeted for lawsuits anyway. By the common presence of OSRM
among large enterprises who are using open source software, Egger
hopes that his firm will not only provide traditional security
blanket insurance services, but also create a common resource that
should deflect all but the most unique open source legal
issues.
“We are trying to provide a common defense for deep-pocket
users,” Egger explained. If Firm A is sued for a particular code
infringement, for instance, then Firms B-Z will, through OSRM, be
able to pool their resources to assist Firm A. When the case was
finished, they would either be protected from the same litigant who
went after Firm A or be able to change an actual infringement
before that litigant can move on to them.
“This plan will reduce incentives for people to sue in the first
place,” Egger added. “One of the things we are doing is identifying
common intellectual property issues that exist between companies.”
Once such issues are discovered, they can be defended as sort of a
“reverse class-action suit.”
To that end, OSRM is starting to heavily research areas where IP
issues can arise, such as the early history of UNIX project being
currently spearheaded by OSRM’s Pamela Jones, who is also editor of
Groklaw.
“We will fight like hell on the common issues,” Egger said.
My second concern was tied into the first, and here Egger had a
more simplistic answer. Open source insurance should not be able to
paint a target on policy holders for the straightforward reason
that in many jurisdictions, litigants are not required to reveal if
they are insured for certain liabilities. Since OSRM’s client base
will not be public, the chances of a litigious witch-hunt are
fairly small.
As for the TCO/FUD concerns, Egger is not worried.
“Remember,” he said, “the price of insurance is already built
into the code of proprietary software.” This would hamper TCO
arguments (though I am not convinced someone won’t try). Egger also
believes that even with the added cost of open source insurance
premiums, the overall cost of OSS will still be “dramatically
cheaper” than that of proprietary software.
Time will tell, of course, as to whether this plan for open
source insurance will work. As Egger indicated, it is still in the
planning stages, and they are looking for feedback from all parts
of the community to clarify what their insurance will and will not
do.
So if you have your ideas on the concept of open source
insurance, now’s the time to speak your mind.