September 20, 2011 Articles

Vendor Indemnification on the Open Range

By David Swetnam-Burland and Stacy O. Stitham

When it comes to intellectual property protection, do businesses get what they pay for when they use open-source software? Cost considerations and the ability to tinker at will with licensed software may make open source an attractive option for any company in the market for an operating system, web server, or software—as may the romantic notion that software development should be an open range for exploration and innovation. However, for an online business defending a patent infringement claim based on its use of an open-source product to develop its website, the open-source solution may look less attractive with each passing settlement demand or bill for attorney fees.

By no means do we intend to suggest that the open-source solution is a bad choice for a cost-conscious, growing operation; indeed, there are many reasons to recommend it. Nor do we have any desire to take a position on the comparative merits of open-source software as contrasted with software solutions offered by established vendors that charge for their services. However, for any company weighing its options, we do hope to prompt careful consideration of the intellectual property ramifications of adopting open-source technology. As e-commerce firms become a growing target of increasingly expensive patent lawsuits, open-source software may come with costs that don't appear on the label.

As-Is Software
Open-source software is commonly defined by the 10 criteria listed on the website of Open Source Initiative at (last visited May 25, 2011), but it boils down to just what the name implies—an opening of the source code to one and all, allowing distribution and redistribution that includes, in most instances, modifications and derivations under the same terms as the original license. The relatively free-ranging distribution mechanism—which allows users to adopt source code under an existing license that was created without any input from current or potential users for code that may or may not have been modified and software that the user can implement alongside other applications—is problematic from the standpoint of intellectual-property protection because the very freedom of this "free" software breeds legal uncertainty that can cause headaches for the user long after adoption.

While open-source software licenses come in all shapes and sizes, they share at least one thing in common. Using software developed by another brings exposure to potential allegations of intellectual-property infringement, which increasingly involve patent-infringement claims relating to e-commerce activities. While any software license—proprietary or open source—carries with it some risk of an infringement claim, open-source licenses more frequently come packaged "as is" with respect to indemnification for third-party claims and warranties of title. For instance, both Red Hat, Inc., and the Apache Software Foundation, two of the major players in the open-source field, include disclaimers of warranties strongly suggesting that, should a patent owner come calling with a demand letter or complaint of infringement, it is the licensee who may be left to answer the door and the patent owner's questions.

Red Hat's Enterprise Agreement contains not only a limitation of liability and disclaimer of damages, but also a disclaimer of warranty that reads, in relevant part, as follows:


Red Hat, Red Hat Enterprise Agreement (last visited May 25, 2011).

Apache's current license is only slightly less emphatic:

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON–INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

Apache Software Foundation, Apache License, Version 2.0 (last visited May 25, 2011).

With such take-it-as-it-comes language governing the incorporation of open-source products and services into a business, it is worth a moment's pause prior to implementation to consider that the thriving e-commerce operation or other web-based operation of a business may someday be confronted with a patent-infringement lawsuit based on its use of an Apache HTTP server or a Red Hat Linux operating system. What's more, there is a distinct possibility that neither Apache nor Red Hat will ride to the rescue of a user with whom they may never have had any direct contact. It appears that open-source providers are becoming aware of this concern, as Red Hat now offers customers with valid subscriptions an "Open Source Assurance"—including a promise that it will defend and indemnify such customers—which it makes available to subscribers under a separate "Open Source Assurance Agreement." Red Hat, Open Source Assurance (last visited August 11, 2011).

Because software modification by the end user is not only possible but encouraged by the nature of open-source licensing and use, and because open-source products will likely be used along with a host of other software or computer products, there is a strong likelihood that, when it comes time to figure out who will be responsible for the costs of defense, damages, or both, the buck will stop with the e-commerce business. As demonstrated by a recent Supreme Court opinion and two recent orders of the Federal Circuit Court of Appeals, the law of patent infringement based on the conduct of multiple actors is evolving rapidly, which leaves businesses that are contemplating open-source software in a double bind. By choosing an open-source solution, they may be "purchasing" potential patent infringement liability without vendor protection in a legal landscape that is changing by the minute and in not entirely predictable ways. See Global-Tech Appliances, Inc. v. SEB S.A., No. 10–6 (May 31, 2011) (induced infringement); Order, Akamai Techs., Inc. v. Limelight Networks, Inc., 2009-1372, -1380, -1416, -1417 (Fed. Cir. Apr. 20, 2011) (ordering rehearing en banc on joint infringement standard); Order, McKesson Techs., Inc. v. Epic Sys. Corp., 2010–1291 (Fed. Cir. May 26, 2011) (same).

Of course, a proprietary license is no saving grace. But with a provider of proprietary software, at least the customer may have a better chance of negotiating a license face-to-face with a vendor and securing more favorable indemnification language up front as part of the purchase and sale process, especially if the customer is a business with some size or clout in its industry. Unlike the decentralized open-source software, where there is often no single authority or locus of responsibility for any given product, proprietary software usually has a clearer ownership structure and pedigree, as well as a client representative designated to take the customer's calls when a demand letter or lawsuit falls into the customer's lap. That said, depending on the size of the business or the type of product it is purchasing, the business may have no more leverage in negotiating a proprietary software license than it would an open-source license. The only way a business can reach an informed decision on this point is to consider the issue before signing up for the software or service.

Case Study
In 2004, in connection with its consideration of insurance for open-source products, the insurance firm Open Source Risk Management (OSRM) conducted an analysis of the risks posed by Linux and concluded that it potentially infringed 283 patents. Press Release, Open Source Risk Mgmt., Results of First-Ever Linux Patent Review Announced, Patent Insurance Offered by Open Source Risk Management (Aug. 2, 2004). At the time, the identified patents had not been litigated and the claims within them not yet tested against Linux end users. Seven years later, however, the insurance industry's cries seem more prescient than pessimistic. One month before this article was written, a jury in a federal court in the Eastern District of Texas awarded Bedrock Computer Technologies, Inc., millions in damages for Google's infringement of a Linux kernel patent. Bedrock has sued Linux users, from AOL to Yahoo!, and there are fears that the Google verdict will have reverberations for other Linux end users. This is not to say that distributor Red Hat has sat on its hands while its flagship product has been maligned; indeed, it has sued Bedrock seeking to invalidate the patent in suit. But, as in similar e-commerce disputes, patent holders are demonstrating a willingness to target the successful users of open-source software, and there is no certainty that open-source distributors can or will step up to defend their products in every case or in cases involving software that has undergone a set of transformations over time.

Sunnier Skies
As noted at the outset of this article, however, we have not come to bury the open-source model but rather to point out a potentially hidden cost of the freedom that comes with such a model. For the enterprising business that is looking to adopt open-source software yet is still concerned about the risks of intellectual-property-infringement actions, all is not doom and gloom. Careful pre-adoption examination and assessment of the likely risks of any particular open-source product under consideration (such as the Apache web server or Linux operating system) will help any business make an informed decision about which software products to integrate into its operations.

And should a company find itself with an open-source solution on hand that arrived prepackaged with a hidden, and unwelcome, side of litigation, the first avenue of potential relief may still be the specific vendor or distributor of the product. Assuming there are deep enough pockets and a strong enough motive, such a vendor may be prevailed upon to step forward and defend its product (à la Red Hat in the Bedrock litigation). Open-source purveyors have a strong business interest in defending their business model and in showing the business world that they have nothing to fear from opening their operations to open-source software or services. Customers of sufficient size or in sufficient numbers may be able to make a strong case to open-source firms that defending customers is good business in a market where less tech-savvy businesses might otherwise see proprietary software licensing as a safer bet.

Furthermore, open-source software customers have the option of purchasing intellectual-property insurance through third-party vendors. For example, OSRM claims on its website that it is "the exclusive risk assessor on the world's first insurance facility to cover the specialized risks faced by enterprises that include or rely upon elements of Linux and other Open Source software in their commercial products or IT infrastructure." See Open Source Insurance, Open Source Risk Management (last visited May 31, 2011).

Finally, it is worth noting that the very factor that makes open source so difficult to pin down when it comes to warranties—its mutable and modifiable source code—may be useful in permitting (or even encouraging) design-arounds of patent-infringement claims, thereby minimizing damages in cases in which litigation is inescapable.

Like everything else, open-source software carries both pros and cons; and the extent to which a business decides to integrate or use open-source products in its operation remains, in essence, a business assessment. With up-front consideration of the potential negative intellectual-property ramifications of adoption—including analysis of license terms and product risk, assessment of the vendor in question, and consideration of whether or not to purchase insurance—a business can be sure that it is walking into a licensing decision regarding the merits of open-source software with open eyes.

Keywords: litigation, intellectual property, open-source software, patent infringement

David Swetnam-Burland and Stacy O. Stitham – September 20, 2011

Copyright © 2011, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).