MS and Indemnification

Thursday, November 11 2004 @ 04:30 PM EST

Contributed by: PJ

I'm sure you've heard the news. Microsoft is offering its customers indemnification, across the board, except for embedded products. And you will never believe what a coincidence it is, but Laura DiDio has simultaneously come out with what Microsoft calls an independent report on how horrible Linux users have it without Microsoft's wonderful indemnification. Oh, and Jeffrey P. Kushan, an attorney at the law firm, Sidley Austin, has a paper for you too, in which he does his level best to terrify you on the subject of patent litigation.

Laura's paper is called, "Indemnification Becomes Open Source's Nightmare and Microsoft's Blessing", which just reeks of independence to me. She's got a little video you can watch too, on MS's Get the Facts page, which is a hard phrase to type with a straight face, with its 1984 overtones and all. I think we'd need to define the word "facts". Of course, you can only view it on Microsoft's media player. I hope the EU Commission reads Groklaw.

Her report is there for free as well, and her view is simple: no Linux vendor can offer the breadth of indemnification Microsoft can:

Corporations that use proprietary Microsoft Windows and Office software get the broadest, most comprehensive indemnification coverage in the industry because it’s bundled into the cost of the license. Corporations that use open source and Linux distributions receive only conditional, limited indemnification protection—or in some cases, none at all—because they don’t pay for the license. That leaves them with several options:

• Assume the risk and manage without indemnification

• Use the limited indemnification provided by the Linux vendor

• Purchase outside indemnification from a firm such as Open Source Risk Management (OSRM) at a premium, which will significantly add to the open source TCO.

Logic may not be Ms. DiDio's strong suit, but does she really think that the cost of the indemnification from Microsoft is actually free? Surely she realizes that whether it is "bundled" into the license or you pay for it directly, your indemnification will cost you something. The difference is, with Microsoft you don't get the choice of whether you wish to pay or not. Everybody pays now. Microsoft isn't a charity. With Linux, you can get indemnification if you want, but if you are in a low-risk category, you may decide you don't really need it. Lots of folks don't need it, as David Berlind points out in his article on Microsoft's announcement. Lots of Microsoft customers don't need it either, actually, but they will be paying for it anyway.

She doesn't mention that nobody in the Linux world needed indemnification until MS started sending money SCO's way. Neat trick. First, create an environment in which people will worry about needing indemnification from a Microsoft-funded attack. Then FUD about how you don't have any worries about your own product in comparison. Now, is that any way for a monopoly to behave?

Why now? Maybe because SCO's case is going down the toilet, and it was all about leading up to this marketing ploy? And they want their money's worth quick, before it's too late? How fascinating to remember that it was Ms. DiDio from the earliest days of the SCO story who sang arias about indemnification and how IBM needed to indemnify, blah blah. She is still singing that song in her report. This, I gather, is what it was all leading up to. Marketing for Microsoft.

Here's a little detail from Microsoft:

"'Microsoft's volume licensing indemnification commitment covers damages costs, in addition to legal defence costs,' said the Microsoft spokeswoman. 'To truly stand behind its software, Microsoft pays for damages, settlement costs, and, if there were an injunction, Microsoft would either obtain for its end-users the right to use the software, fix or replace the infringing code, or, as a last resort, refund to the end-user the amount they paid for the software.'"

Refund the full amount they paid for the software? How can you resist a generous offer like that? Maybe we need to look at the fine print here. Let's take a look at Microsoft's offering in more detail:

Microsoft's Intellectual Property Commitment for End Users of Covered Software

1. Microsoft's commitment to defend infringement and misappropriation claims. This commitment covers any Microsoft software licensed for a fee for your end use, except for embedded (industry or task-specific) software. When we refer to "covered software" within this commitment, we are referring to those Microsoft software offerings only.

For any covered software, we will:

  • defend you against any claims made by an unaffiliated third party that the covered software infringes its patent, copyright, or trademark or misappropriates its trade secret, and

  • pay the amount of any resulting adverse final judgment against you (after any appeals) or settlement to which we consent.

Sounds good so far. But what is that "to which we consent" part? Ms. DiDio explains:

Microsoft’s new Volume License Indemnification provision provides full indemnification with no liability cap and outlines several specific remedies or actions the Redmond, Wash., software giant will take on its customers’ behalf, including:

• Removing the infringing code

• Replace the infringing code with compliant code

• Rewriting the infringing code to make it compliant

• Litigating on the customer’s behalf—if Microsoft feels there is no infringement

So, if they say there is no infringement, they'll fight your case for you. But if they are guilty and they know it, they'll maybe just remove the code and its functionality for you. That is one of the options they elect for themselves. So, if I get sued, who do I call?

You must notify us promptly in writing of the claim. You also must give us sole control over its defense or settlement. You agree to provide us with reasonable assistance in defending the claim. We will reimburse you for reasonable out-of-pocket expenses that you incur in providing that assistance. The claim might fall outside the scope of our commitment, but send it to us anyway. We may choose to treat it as if it were covered by this commitment.

So, I call Microsoft and then they take sole control of my legal claim. Hmm. Giving Microsoft sole control over my computer didn't work out so well for me. Maybe I need to think about this a bit. Sidley Austin, in their paper, which I got from Microsoft's Get the Facts page, says this:

"Consider as well who will control any litigation. An indemnity provision may state that the vendor has no obligations or liabilities unless it is 'given the sole right to control and direct the investigation, preparation, defense, and settlement of such a claim.' A user may find this lack of control unappealing and unacceptable, particularly if the user would prefer to settle quickly while the vendor is determined to litigate to the bitter end."

What are the limits, if any, to this coverage? They say there is no pre-set cap, so what's the catch?

Our obligations will not apply to the extent that the claim or adverse final judgment is based on:

(i) your running of the covered software after we notify you to discontinue running due to such a claim;

(ii) the combination of the covered software with a non-Microsoft product, data, or business process;

(iii) damages attributable to the value of the use of a non-Microsoft product, data, or business process;

(iv) your altering the covered software;

(v) your distribution of the covered software to, or its use for the benefit of, any third party;

(vi) your use of our trademark(s) without express written consent to do so; or

(vii) for any trade secret claim, your acquiring a trade secret (a) through improper means; (b) under circumstances giving rise to a duty to maintain its secrecy or limit its use; or (c) from a person (other than us or our affiliates) who owed to the party asserting the claim a duty to maintain the secrecy or limit the use of the trade secret.

You will reimburse us for any costs or damages that result from these actions.

Anybody else see any loopholes here? How about (ii) and (iii)? If you use a firewall product with your Microsoft software, and you'd be nuts not to, that would seem to be a loophole. If you have a special application you like to use that doesn't come from Redmond, there's that loophole. Like to run an anti-virus application? Oops. Fell into the loophole, and it's a mighty big hole they've dug for you. Of course, you can't expect that they will cover someone else's product, but to say that if you use their software you are totally indemnified without limitation would be to forget the Timeline case. And notice that you aren't covered if you've altered the code. Unless you live in a 100% Microsoft world, I think you just fell down the loophole.

If we receive information about an infringement claim related to covered software, we may do any of the following, at our expense and without obligation to do so:

  • procure the right to continue its use; or

  • replace it with a functional equivalent, or modify it to make it non-infringing (including disabling the challenged functionality). If we do that, you will stop running the allegedly infringing software immediately.

So, you might have to quit using a certain piece of the software and lose that functionality altogether. That's understandable, but it's not exactly my idea of total indemnification. What if a court decides the software is infringing, and there is an injunction ordering you to stop using it while the trial goes forward or permanently?

If, as a result of an infringement claim, a court of competent jurisdiction enjoins your use of covered software, we will do one of the following, at our option:

  • procure the right to continue its use,

  • replace it with a functional equivalent,

  • modify it to make it non-infringing (including disabling the challenged functionality), or

  • refund the amount paid for the infringing software and terminate the license for it.

This commitment provides your exclusive remedy for third-party infringement and trade secret misappropriation claims.

Microsoft gets the election as to which remedy you must accept, and their choice includes refunding your money paid for the software as your full and exclusive remedy.

Like all legal agreements, a lot depends on how much you trust the other side of the bargain to play fair. Or as Mr. Austin so ably puts it, "Even the most favorably worded indemnity provision will not immunize an end user when a vendor has no intention of paying for any infringement caused by use of its software." We're talking Microsoft, people. Playing fair is their middle name, right? Mr. Austin suggests asking for "the vendor’s litigation history, including the number of indemnity demands, why they were made, who made them, and how they were resolved. Ask as well what the vendor does to ensure that its products do not infringe anyone else’s intellectual property . . . " Do you think that the nonstop barrage of lawsuits against Microsoft here and abroad is an expense the company just swallows on your behalf, and that its products' costs will not reflect their litigation history?

But what if they always did play fair, and they really do indemnify across the board, no caps, all expenses paid? Then what does Linux do? It will probably feel that it has to do something, because business types are not geeks, and all they want to know is a one-sentence promise that they are not at risk. Ms. DiDio says that "in specific vertical markets that are subject to heavy regulatory considerations such as healthcare, legal, government, insurance, finance and defense firms . . . indemnification may not be an option—it may be mandated by law."

There are two things I see. One is to continue the antiFUD campaign, pointing out that Microsoft does get sued all the time, so it needs to offer some indemnification. They've been paying out millions in settlements all over the place. Ms. DiDio says they paid out "$1.4 billion in 2003 alone on licensing third-party patent rights and settling lawsuits." This year, there have been more payouts, and there will be more in the future. RealNetworks and Burst are ongoing. Another is to correct Ms. DiDio, who claims no one offers protection if you modify the code:

Additionally, a major allure of Linux and open source software is the ability for developers, corporate and consumer customers to modify the core kernel. This is actually a double-edged sword. The upside of modifying the core code base is getting the exact functionality you want. The downside is that once the code is modified, none of the Linux software distributors or hardware OEM vendors will assume the risk and responsibility for indemnification: You are on your own.

That is simply not true. OSRM's coverage does allow for modifying the code. I hasten to disclose that, while I am not on the board of the company and have no personal stake in its success in that sense, I have been hired by them to work on a specific research project. That is how I know what they offer, of course, and someone has to correct her misinformation.

Do you see Linux paying anybody for anything? See infringement lawsuits left and right? I suppose it's possible, as Berlind notes, that this is all leading up to an infringement lawsuit that only Microsoft knows about, but so far, Linux software is probably the least litigated software on planet earth. The openness of the code plus the GPL are the best indemnification anybody could ask for when it comes to copyright claims. And that's the truth. But for business types and for those who are required to get indemnification of some kind and to deal with patent worries, what I think all the vendors should do is pool together. No single vendor can afford to cover the way Microsoft can. You have to have been an illegal monopoly to accumulate that kind of money, I guess. But together, it could happen. Protecting modification of the code is important.

Nobody asked me, but why not have all the vendors and all the companies and organizations that care about GNU/Linux systems set up a nonprofit organization to run an indemnification or insurance program, so that they can offer coverage equivalent to what Microsoft is saying they are offering? With the extremely low risk of Linux ever being found guilty of infringement -- as the SCO case so ably demonstrates -- does anyone see a down side?