Linux Today: Linux News On Internet Time.

More on LinuxToday

Editor's Note: Wondering About Open Source Insurance

Apr 02, 2004, 23:30 (13 Talkback[s])
(Other stories by Brian Proffitt)

WEBINAR: On-Demand

No-Size-Fits-All! An Application-Down Approach for Your Cloud Transformation REGISTER >

By Brian Proffitt
Managing Editor

The day after April Fool's Day is always like a hangover for me; the whole day is one big tension about which story I post as real/fake that turns into a fake/real article.

Luckily, I don't think I misjudged anything that went out on the feed yesterday, though in the spirit of total honesty, I must confess I spent a good chunk of Thursday morning screeching at the internetnews division that the Google/Gmail story was probably fake. I was wrong, it is a real product, and now I have earned the "Tin Foil Hat" award for the company this month. (Being the editor of the Linux channel, I think my colleagues would just as soon give me that award every month.)

Regardless, like every other reporter, I always look at a story coming out from some source and try to decide whether it's (a) newsworthy and (b) factual. As an editor with a small voice on this particular media outlet, I also have the luxury of deciding whether I like or dislike said events or statements, because I might have the opportunity to give my opinion on them.

So it was when I first heard about the open source insurance plans that are in the works from Open Source Risk Management. As I read more about it, it seemed an interesting concept. But something about it kept sticking in my craw. Insurance for open source seemed too much like a quick fix, too neat and tidy, and just a little too convenient for my tastes. At first, it was nothing definable, just a vague feeling of trouble on the horizon.

The more I thought about OSRM's plans, though, the more concrete my concerns became. It came down to these three problems.

First, I was concerned that having open source insurance in place would justify this whole goofy idea that end users can be sued for liability in using GPLed software. To me (and yes, I am not a lawyer) that whole notion seems ludicrous. Having insurance to protect people from what I judge to be a stupid tactic is even more, well, stupid.

Second, I was worried that the presense of insurance would just paint a big target on policy holders that would read "SUE ME" in giant nine-story-tall flaming letters. One of the parallels that has been drawn to this proposed OSS insurance is malpractice insurance. No one wants to be sued for malpractice, but eventually mistakes will get made.

Except that, for me, malpractice insurance is also one reason why medical costs are so high here in the US and why people tend to sue doctors for $X million because they know the doctor's malpractice insurance will either settle quickly or pay the amount, so that dog don't hunt.

Finally, there is the potential that some proprietary vendor (say, one located in the US Northwest) will use the presence of OSS insurance as an argument against Linux and open source software in one of those inevitable TCO or security studies. "Hey, if you use Linux, you'll need insurance, which will hit your bottom line." Or "Hey, if you use Linux, you'll need insurance, because you are likely to get sued." Or something to that effect.

These concerns have been with me for a few weeks now, and a couple of weeks ago, I decided to do something about it and clear the air with OSRM itself. I talked to Daniel Egger, Chairman and Founder of OSRM, about these very same issues, to give him a chance to explain things to me. (It should be noted that this interview is slightly dated--recent distractions with other online publishers have held this column off for two weeks. No mention of the open source seminars OSRM has announced this week was mentioned, since at the time, the announcement was still under wraps.)

Once we connected on the phone, I explained to Egger my dilemna and that I wanted him to have a chance to answer my concerns. He readily agreed, emphasizing first that to date, no formal insurance plan has been enacted by OSRM--it's all still in the planning stages.

To my first concern, Egger believes that the ability be insured is not necessarily justifying any legal action. From his point of view, "people are going to sue deep pockets," regardless of the pockets' insured status. His point is backed up by the DaimlerChrysler and AutoZone suits from The SCO Group: neither of these two end-users had insurance, and they were sued anyway.

If big enterprises (OSRM's target customer right now) have insurance or not, it does not increase their likelihood of being sued--the fact that they are big and wealthy is more than enough to attract litigants. Smaller firms, such as small to mid-size enterprises, will not be as attractive a target for litigants, so again, the insurance will likely not influence others to sue these SMEs.

"We are addressing the large commercial users," Egger said. "We think the risks [of being sued] are minor for small- and mid-sized users."

OSRM's protection is aimed at the larger users who are likely to be targeted for lawsuits anyway. By the common presence of OSRM amoung large enterprises who are using open source software, Egger hopes that his firm will not only provide traditional security blanket insurance services, but also create a common resource that should deflect all but the most unique open source legal issues.

"We are trying to provide a common defense for deep-pocket users," Egger explained. If Firm A is sued for a particular code infringement, for instance, then Firms B-Z will, through OSRM, be able to pool their resources to assist Firm A. When the case was finished, they would either be protected from the same litigant who went after Firm A or be able to change an actual infringement before that litigant can move on to them.

"This plan will reduce incentives for people to sue in the first place," Egger added. "One of the things we are doing it identifying common intellectual property issues that exist between companies." Once such issues are discovered, they can be defended as sort of a "reverse class-action suit."

To that end, OSRM is starting to heavily research areas where IP issues can arise, such as the early history of UNIX project being currently spearheaded by OSRM's Pamela Jones, who is also editor of Groklaw.

"We will fight like hell on the common issues," Egger said.

My second concern was tied into the first, and here Egger had a more simplistic answer. Open source insurance should not be able to paint a target on policy holders for the straightforward reason that in many jurisdictions, litigants are not required to reveal if they are insured for certain liabilities. Since OSRM's client base will not be public, the chances of a litigious witch-hunt are fairly small.

As for the TCO/FUD concerns, Egger is not worried.

"Remember," he said, "the price of insurance is already built into the code of proprietary software." This would hamper TCO arguments (though I am not convince someone won't try). Egger also believes that even with the added cost of open source insurance premiums, the overall cost of OSS will still be "dramatically cheaper" than that of propritary software.

Time will tell, of course, as to whether this plan for open source insurance will work. As Egger indicated, it is still in the planning stages, and they are looking for feedback from all parts of the community to clarify what their insurance will and will not do.

So if you have your ideas on the concept of open source insurance, now's the time to speak your mind.

Related Stories: