An Answer to the Indemnification FUD

GROKLAW ^ | 16 August 2003

[ShadowAce]

There has been quite a chorus of frogs in the pond calling out, indemnification, indemnification, indemnification. Red Hat's CEO says his customers have not been asking for it, but SCO's McBride says we GNU/Linux users need it and so he has taken it upon himself to lobby on behalf of other companies' customers:

"'For the first time in the history of the industry, we have a major operating system platform that's being pushed on end users and at the same time the users take it, they're being told 'Buyer beware -- you own all the inherent intellectual property risks with this product,' said Darl McBride, SCO's chief executive."

I'm pretty clear he doesn't have a soft spot in his heart for Linux lovers, so that couldn't be his motivation, do you think, a paternal concern for us? The lovely and tireless Ms. DiDio also repeatedly says we want indemnification, and we absolutely, positively must have it. She is, as usual, wrong. Corante asks this intriguing question:

"Before this 'indemnification' FUD gets spread too thickly by analysts like Laura DiDio, I'd like to pose a question: Will the analysts firms be willing to cover losses by their customers if they follow faulty advice? Will the Yankee Group spot a company license fees for Sun systems or Microsoft systems if they choose proprietary systems, and it turns out SCO has no case?"

When MS. DiDio's company offers me indemnification, as Corante suggests, I'll follow her advice. Nah. Joke. Joke. No doubt IBM could safely follow her advice, with full indemnification. If they get snookered by following her advice to indemnify, why she can reimburse them for their losses in full. I notice Sun is offering to indemnify users of Solaris only, but not Mad Hatter, RedHat, or SuSE users, though it ships with each product. Do Ms. DiDio and McBride and the rest say Sun needs to step up to the plate and indemnify right away? No? Yet IBM uniquely must, must, must do this right way, croak the frogs, despite the fact that no Linux customers are lining up asking for it.

Red Hat's CEO Szulik has set up a legal fund. That's the equivalent of indemnification, of course, for developers and commercial entities that distribute GPL software and nonprofit organizations, the parties most likely to be sued over software. So that covers them. Oh, says, McBride, but what about end users? They are left out in the cold. SCO is being "nudged" to go after end users, he said recently, because of Red Hat and IBM's actions.

First, I'm not sure how much nudging it takes to get SCO to sue you, considering its CEO has said from the beginning that his hero is the RIAA. I wonder if he's noticed how they are doing lately in the courts? Second, if I may suggest it, he isn't actually compelled to rape and pillage the Linux community, assuming he is truthful when he says MS isn't behind all this and if we also assume he hasn't sold his soul to the Devil, as the saying goes. But assuming free will, rape and pillage are basically in the options column, not on the must-do list.

Excuse me for talking sensibly in Wonderland and pointing this out, but the fact is, Microsoft has never, until the SCO case came along, indemnified individual users, only business customers. I don't know of any other software company that does either. For that matter, MS and other proprietary software folk lobbied like mad to pass UCITA for the exact purpose of making sure that they never had to pay a dime to any customer except what they had paid for the software, no matter what happened, even if the software caused them millions in losses due to viruses and worms made possible by insecure MS code or any other reason. Read your EULA. Read UCITA. You'll see they disclaim everything they can think of. Then the kitchen sink.

Even in business, only the big guys can negotiate decent indemnification, and not even always then. Read the AT&T contract terms in the contract SCO attached as an exhibit to its Complaint, if you want to see a company running from indemnification as fast as its little legs can carry it:

How much did MS pay you over the years for any losses sustained from Code Red or blue screens of death or this week-end's mess-up, or any of the endless annoying and costly malware their flawed code makes possible? I know I didn't collect anything. And you didn't either. End users have always been left out in the cold. We've acclimated.

Furthermore, everyone seems to agree that MS is offering it now because they've figured the odds are they'll never have to pay out anything significant under their new terms either. For sure, I can't find any evidence that they have ever paid out on such a claim, for an individual or a business. If you didn't buy from them directly, and most of you didn't, you probably can't sue them anyway, much as you'd like to probably, every time you have to reformat your hard drive. Again. I have concluded, therefore, that they must have made the change so they could say they have indemnification and GNU/Linux doesn't. A noble move, indeed.

So what is this really all about? Naturally, when your enemy, or any of its croaking frogs, tells you to do something, it's a good idea to run sharply in the opposite direction. PJ's rules to live by. So, here I am, an end user and I am saying I don't want IBM or Red Hat to offer indemnification.

Let's look first at the reasons why SCO might like to have IBM and Red Hat et al offer indemnification, and let's see if they have my best interests at heart, or yours, or if they wish to gain an advantage for themselves.

First, if IBM or Red Hat offers indemnification, especially now, then SCO has entities with deep pockets to sue, and they only have to sue two parties. They could sue IBM because there was a contract. IBM doesn't sell GNU/Linux software, so exactly why does SCO want them to indemnify software it didn't write and it doesn't sell? So they can nail them to the wall, folks. If they have to sue each and every individual end user, that's literally millions of lawsuits.

And the simple truth is, it isn't worth suing me and you, because we have no money. You have to be able to win more than it costs to bring the action, or there's no point. Lawyers won't normally even take a case, unless the math works out from day one. McBride didn't even think it'd be worth suing Linus Torvalds, and he makes a good living. So that is their first reason for craving indemnification. Why would GNU/Linux users wish to make it easier and potentially more lucrative for SCO to sue IBM and Red Hat? They don't need any encouragement, I'm thinking.

Next, it costs money for a company to offer indemnification. You have to quantify the risk, and then get the customer to pay enough to cover it. Otherwise you go out of business. End result? GNU/Linux will no longer have the competitive cost benefit it currently enjoys. You think SCO and MS et al would like that or not? In their minds, because money is apparently their god, they think people are switching to GNU/Linux because it's free or low-cost. So I believe that is another reason they wish to push indemnification, to make it no longer free or low-cost. As it happens, a recent survey shows that price is not the main reason people are flocking to GNU/Linux software. SuSE's CEO gave some details recently:

"Think about what CA [Computer Associates] just did. They did a survey with their customers about why customers are deploying Linux. [Customers] named five reasons: performance, reliability, scalability, security and total cost of ownership, which came in fifth. What does this mean? Everybody is talking about total cost of ownership, and no doubt this is very important, because all of us have to reduce IT budgets. But customers named four other reasons. These reasons are strategic reasons why to deploy Linux. ... This is a competitive advantage to Windows because this is not something you can get with [Windows]."

So, the joke's on SCO. All that effort and expense, and having to put together and coordinate the indemnification chorus, not to mention having to hang out with frogs, and they've misidentified why people love this software in the first place.

And here's the main reason I don't want indemnification, because it would destroy the GNU/Linux development model.

Free software is an entirely new kind of development model, one that MS is trying to ape sorta, kinda, pretend-to-but-not-really recently. Its Shared Source program means they acknowledge there is something good about opening the code. Customers are demanding it, so even MS knows it has to move in that direction, even kicking and screaming. Governments overseas are demanding to see the code, because they don't trust MS. Go figure. Rather than lose them to GNU/Linux, MS creaked open the safe just a crack and let them peak inside at their proprietary code.

But while they want the benefits of openness, simultaneously they are trying to kill it off. Whether deliberately and cunningly or just because of bumbling along, they will kill it with indemnification. Here's why. Many free software and open source coders are individuals, not companies. Volunteers. How are they going to indemnify anybody? Obviously, they can't. Who will indemnify their code? They can't afford to. Even if they signed such a contract, what can you realistically expect to get from them? Lots and lots of free code, maybe, for the rest of their lives. But you have that already, for free.

Exactly, croak the frogs. It's dangerous to have these unknowns coding for you. First of all, they're not unknown to the maintainers of the code base, but if it's so dangerous, how come people all over the world are running to get it because of performance, reliability, scalability, and, may I stress, security? It's the vigor and strength of GNU/Linux that anyone in the world with talent and skills to offer can improve the code. It's just a fact that any time barriers to entry go down, creativity and innovation go up. Don't believe me? Think of the internet. It was built using the open process. When the NE just suffered the big blackout of 2003, I could still connect with my PDA by 56K and sure enough, the internet was still there, humming right along, unlike my cell phone. Cell phones are proprietary, and don't they show it?

The internet was swell until corporations got involved and tried to figure out how to squeeze every last screaming dime from us, and started shutting down its openness and erecting annoying toll booths and putting surveillance equipment every 5 feet until a lot of people got fed up and left (or went GNU/Linux to get some air). That's part of what caused the dot.com bust, in my opinion, the annoyance factor. They killed the golden goose from greed. Greed doesn't seem to help any situation you find yourself in, does it? So what is the answer to the "problem" of indemnification? Here it is:

Openness is its own indemnification.

Red Hat's CEO Matthew Szulik said that recently himself:

"Matthew Szulik . . .says that openness is the only protection users need. He says anyone can see -- and remove, if necessary -- any offending code."

That isn't total protection, actually, because you could still be liable for infringement that occured prior to realizing there was infringing code and getting it pulled out, but it's the next best thing. As for the rest, well, that is what the Red Hat legal fund is designed to cover.

And do you really believe the indemnification proprietary companies offer provides total protection? Let's take a look. I have been looking around for an example of the indemnification that proprietary companies offer. Well, I found a contract. You'll never guess whose. Caldera. It's on Findlaw. Note that the link doesn't actually resolve to the contract. Findlaw has arranged that if you click on a link to an inside page, in this case http://contracts.corporate.findlaw.com/agreements/caldera/software.html it resolves to the home page instead. So you can see their ads, I suppose. Exhibit A.

But if you click on Corporate, then choose Utah, then search for Caldera Navarre, you'll find the contract. A 1998 Caldera contract. Look what they offered Navarre Corporation, the other party to the contract, in the way of warranty and indemnification for their proprietary software -- I have emphasized some parts, mainly the ones that made me laugh:

"COMPUTER SOFTWARE DISTRIBUTION AGREEMENT

"This Agreement is made and is effective as of the December 14th day of 1998 by and between Navarre Corporation ("Navarre") of 7400 49th Avenue North, New Hope, Minnesota, 55428 and Caldera Systems, Inc. ("Vendor") of 240 West Center St. Orem, Utah 84057.

"The Parties have agreed as follows: . . .

"8. WARRANTIES, EXCLUSION OF CONSEQUENTIAL DAMAGES

"8.1 Neither party shall, under any circumstances, be liable to the other for consequential, incidental, indirect or special damages arising out of or related to this Agreement or the transactions contemplated herein, even if such party has been appraised of the likelihood of such damages occurring. This Section 8.1 does not apply to the infringement of intellectual property and shall not limit the remedies for such infringement.

". . .8.2 Except as provided otherwise in Section 9, in no event shall the aggregate liability of vendor for all claims (Regardless of the form of action, whether contract, warranty, tort, product liability and/or otherwise) relating to a product exceed the amount paid to vendor under this agreement for the product.

"8.3 Vendor makes no warranty to Navarre not expressly set forth in this agreement. All implied warranties, including the implied warranties of noninfringement, merchantability and fitness for a particular purpose are disclaimed and excluded by Vendor.

"9. INDEMNIFICATION

"9.1 In the event that a Product infringes any patent, trademark, copyright or trade secret of a third party not affiliated with Navarre, Vendor shall indemnify Navarre against any amounts, including damages, attorneys' fees, and cost, awarded by a court of competent jurisdiction to the third party because of such infringement, provided that: (i) Navarre promptly gives notice to Vendor of any claim against Navarre alleging such infringement, (ii) Navarre allows Vendor to control the defense and settlement of such claim, (iii) Navarre fully cooperates with Vendor in connection with the defense and settlement of such claim, and (iv) if requested by Vendor, Navarre ceases all use, distribution and sale of the infringing Product and returns all infringing Product units on hand to vendor. If Navarre is enjoined from continued sale of any infringing Product or if Navarre ceases sale of any Product at the request of Vendor under (iv) above, then Vendor shall (at its expense and option): (a) obtain the right for Navarre to continue to sell the infringing Product, (b) modify the infringing Product to eliminate the infringement, (c) provide substitute noninfringing Product to Navarre under this Agreement, or (d) refund to Navarre that the amount paid under this Agreement for the infringing Product upon its return to Vendor. Vendor has no other obligation or liability in the event of infringement. Vendor has no obligation of indemnification or to defend or hold harmless relating to infringement. Vendor shall not be liable for any costs or expenses incurred without its prior written authorization. Vendor shall have no obligation of indemnification or any liability if the infringement is based upon (a) any altered, charged or modified form of the Product not made by Vendor, or (b) the Product in combination with anything not provided by Vendor, or (c) any process in which the Product is used in a manner not contemplated by the Product's documentation or is used together with anything not provided by Vendor, or (d) the laws of any country other than the United States of America or its states.

"9.2 Navarre's Liability -- If Navarre modifies the Product or its packaging and such modification results in a claim, suit, or proceeding brought against the Vendor on the issue of infringement of any patent, trademark, copyright, or trade secret, Navarre shall indemnify Vendor against and defend and hold Vendor harmless from any such claim, suit, or processing."

So, what do you think? Feeling cozy and safe? This indemnification is better than the openness of GNU/Linux and the Red Hat legal fund? Are they kidding? With Linux, nobody can tell you that you must return the product or stop using it or wait for the vendor to replace it or parts of it. If there is infringement, whether patent or copyright-related, you can rip out the offending code yourself and move on. Or just take a nap, and voluteers, like Santa's helpers, will do it for you and leave it for free under the tree.

I knew indemnification was the new FUD, and just because Ms DiDio said it was needed it, I was mightily sure I didn't want it. But now I also don't want it because you get virtually nothing for your money. Look at these terms. People pay for such a flawed offering because with proprietary software, you can't fix it yourself. With GNU/Linux, you can. Problem solved. And you don't have to spend a dime unless a problem actually arises.

Of course, no one can insure against greedy companies willing to ruin everybody else's life just to line their own pockets. Not even Mutual of Omaha would insure you for against the SCO's of this world. The solution to that problem lies elsewhere. SCO is the poster child for "IP value in the internet age", all right, and how do you like it? Think maybe some legal tweaking might be in order so companies like Ride-'em Cowboy Black Hat SCO doesn't have so much room to rape and pillage and shoot up the rest of us law-abiding citizens in the Wild, Wild West of IP Country?

[ShadowAce]

Tech Ping

[rdb3]

The Penguin Ping.

Wanna be Penguified? Just holla!

Click and find out!

Got root?

[demlosers]

bump...for later read

[WL-law]

Good article, and I generally agree, but there are some errors by the author in understanding the indemnification language in the excerpted contract.

I knew indemnification was the new FUD, and just because Ms DiDio said it was needed it, I was mightily sure I didn't want it. But now I also don't want it because you get virtually nothing for your money. Look at these terms.

The contract language, it's true, strongly limits the protection as between Caldera and their customer (i.e., the two contract parties), but the language requires Caldera to fully, and presumably without limit, indemnify the customer with regard to any damages owed to the 3rd party (the initiator of the infringement action).

So the indemnifcation has more 'value' than the author here admits.

[Coral Snake]

The Coral Snake Ping.

Calling all Anti Commies and Anti Pirates

Arron's Rod, America!!!

[Golden Eagle]

If there is infringement, whether patent or copyright-related, you can rip out the offending code yourself and move on.

Well, unfortunately, you can't just "move on" because there's that little issue known as damages. Since your Linux vendor gave you the software - without any protection at all - they can testify in court that they aren't liable, and would be correct. So, indemnification is important, especially if you have a lot of users.

[Coral Snake]

If you saw my first post here I desided to be the "pinger"
for our little group as I think my screen name critter draws the most attention of the four. By the way Mr McBride
and Mr. Sauntag have started releasing some of the stolen code outside the NDA. I read about that here.

http://zdnet.com.com/2100-1104_2-5065286.html?tag=fdfeed

[Golden Eagle]

"We're fighting for the right in the industry to be able to make a living selling software".

Not much hope for that if you follow Mr. Stallman, who insists EVERYTHING must be free.

[TheEngineer]

I knew indemnification was the new FUD...

I'm an occasional Linux user, and it would never occur to me to ask for indemnification from any of the struggling Linux companies. But the cheapskates in "the community" obviously have an insatiable demand for free stuff from the likes of RedHat, Mandrake, SuSe, etc.

So who's beating this dead horse? Other Linux proponents, no less.

The Canadian article that this unknown author referenced was by a Linux proponent:

For a start, the Linux community should move quickly on the following issues:

- Anyone who packages Linux in their products should indemnify their customers from any intellectual property issues. This would remove a significant part of the FUD (fear, uncertainty and doubt) factor that arises whenever lawsuits are launched. System suppliers would be leaving themselves open to legal attacks but the alternative, exposing the end user to such attacks, is the greater evil.

So, basically, the so-called 'FUD' is a self-inflicted wound as far as I'm concerned.

[TheEngineer]

ShadowAce, I didn't see an author listed for this article. Who wrote it? Also, is this an actual article from a newspaper?... Or is it the musings of an anonymous nobody on some blog?

[gore3000]

One thing that bothers me about this case is that SCO is threatening people BEFORE THE ISSUE HAS EVEN GONE TO COURT. Now, that seems putting the cart before the horse. It also tells me that SCO does not believe very much in its case and is really playing front man for Microsoft. Linux has gotten too good and is becoming a threat.

[Nick Danger]

little issue known as damages. Since your Linux vendor gave you

Yeah, this indemnity thing sure is a problem. Or at least, so say the Microsoft wives. You and your snake buddy can't talk enough about the scary liabilities that might be ours if we use linux.

Hello? There was a major software snafu this week that has caused several hundred millions of dollars in damage.

I notice that you and your snake haven't mentioned that, nor has the ubiquitous Ms. Didio, who never tires of telling us how awful it is that IBM won't indemnify its linux customers.

So, tell us, who will the first to collect on this magnificent indemnification program offered by Microsoft? Hundreds of companies lost days of productivity, all because Microsoft still hasn't figured out how to keep the damned worms from taking over the machines.

Don't tell us this was a surprise. These things happen every few months now. Thousands of people were idled by this one. Is Microsoft going to step up and pay for this, or what? If not, when are they going to start?

To hear all the noises from the Microoft wives, only linux customers have to worry about damages from software because the other guys all indemnify their customers.

Yeah, sure they do. As usual, it's just another way for Muchkins to spew FUD, throw mud, and repeat the same talking point over and over again. When the trouble actually comes, and IT managers are forced to spend hundreds of support hours to bail their companies out of the mess that's been created, the Great Indemnifier is nowhere to be found. It was all talk, and no dollars. Instead he's standing there pointing at linux. "Booga booga! Watch out for that linux! Something bad might happen if you touch that!"

As Charles Cooper put it on ZDNet,

To its credit, Microsoft did issue a patch for this latest worm after it was uncovered by a group of Polish hackers and independent security consultants a couple of weeks ago. However, I'd do a hard stop right there.

If this were the exception rather than the rule, I would agree that the customer should be held responsible for making sure the latest fixes were downloaded onto a company's computers. But after two decades' worth of Swiss cheese software security, the world's biggest supplier of operating system software has run out of excuses. It took scientists less time to map the human genome.

Businesses, which rely on the assumption that Microsoft operating systems will stand up to attacks, might have assumed the statute of limitations on making lousy software ran out with the last of the Internet sock puppets. Users should be so lucky.

Be sure to tell us once again about the damages that linux might cause. Everybody needs to be warned about those linux damages. There's just no telling how much damage one might suffer from running linux. Meanwhile, out the real world, there is real damage, and real closed offices and real cellphone networks knocked out by yet another chunk of sloppy code from those Other Guys. And if anybody brings up all this "indemnity" talk they've been spouting, they are just gonna laugh. It'll be just like one of those El Cheapo homeowner's policies where as soon as something actually happens, you find out that down in the fine print it says you're not covered.

[Golden Eagle]

There was a major software snafu this week..

Yes, there was, and I fully support you seeking out the hackers for the full damages. "Chinese X Factor" was the original unit that posted the flaw, I believe.

So, tell us, who will the first to collect on this magnificent indemnification program offered by Microsoft?

Microsoft has long refunded one's money if necessary, there are scams posted on the internet about how to do it even if you're not deserving. Concerning "protection from liability", I never had to pay for Stacker, for Netscape, etc. Microsoft was found guilty by a court, but I was indemnified from any personal liability. But if 'Linux' loses in court, you have no one protecting you from damages if your user base is using Unix code illegally. The concept is simple, actually - you want protection, you gotta pay, which 99% of Linux users never have, not a dime, to anyone. No protection then, simple. Don't like it? Quit paying your taxes to the government too then.

[Nick Danger]

he concept is simple, actually - you want protection, you gotta pay,

OK, so what is Microsoft's program for paying for all these damages caused by its negligence? Can companies whose computers were knocked out by this thing send the repair bills to Microsoft, or are you just trying to ram home a talking point about 'linux' and 'damages' while waving off the very real damages that happened to thousands of companies this week?

I know what I'm going to get back from the Microsoft wives... "it's the hackers, it's the criminals, it's the Chinese. You shoulda downloaded and installed the patch on your 20,000 seats." It's all arm-waving hoo-hah about how Microsoft is not responsible... and the customers are going to eat their own damages. But everybody needs to watch out for that linux because Red Hat is not protecting its customers from damages.

Everybody got a real good lesson this week in what all the "indemnity" talk from µsoft and its talking bugles is actually worth. Zero.

[Golden Eagle]

OK, so what is Microsoft's program for paying for all these damages caused by its negligence?

I really don't see "negligence" as a fault of Microsoft in this case. The flaw took advantage of something that has existed since Windows NT, so it has been fine for what, six or seven years before these hackers were able to crack it? Then very soon after Chinese X-Factor posted it to the internet, Microsoft provided a patch, WEEKS before the actual worm hit.

Hardly qualifies as "negligent". You want riteous justice? Go after Chinese X-Factor, and whoever else helped them create the worm. I really don't understand why you keep protecting them instead.

[Dominic Harr]

"We're fighting for the right in the industry to be able to make a living selling software".

Yeah, and I got a friend convinced the Cowboys are going to win the Super Bowl this year.

Of course, to most observers, you're both one bucket shy of a full well.

This game will be played on the field of the Court Room. You have made some amazing predictions that you can tell no one believes. You've managed to garner even *less* support than Pat Buchannan, which is hard to do indeed. You back apparent shysters in the name of 'Americanism', aiding and abetting what seems to be fraudulent conduct while wrapping yourself in the flag -- one of the most pathetic behaviors I've ever heard of.

You turn a blind eye, won't even acknowledge the massive evidence of fraud and stock pumping you're enabling and supporting.

That alone marks you and your purpose. And explains the lack of support for your position.

[jammer]

Nick, the REAL FUD is in the peoples' brains at Microsoft. I say that as one who not only doesn't [yet] use Linux, but who uses MS exclusively. The more the Microsofties talk, the more I am convinced of two things: (1) MS is powering the suit, along with the P.R., and (2) MS is scared s***less by Linux.

These folks give John the Baptist a run for his money in being ardent proponents. Except in this case, the motivation is pure fear.

[Nick Danger]

But if 'Linux' loses in court, you have no one protecting you from damages

That's "what if," which means it's FUD. We don't need to speculate about the Great Indemnifier's potential to cause damage. We all saw it last week. Hundreds of millions of dollars' worth of actual damage caused by Microsoft's continuing negligence. No "what if's" about it.

Microsoft has long refunded one's money if necessary

Oh do tell us again how linux needs to be indemnified. Is that your final answer? Hundreds of million of dollars in actual, not potential damages, and sit you sit there with a straight face and tell us that Microsoft will "refund our money" but that linux is a big problem? How do you sleep at night after peddling such bald-faced crap in public?

People spend a lot of money on Microsoft products. When exactly is all this indemnification we keep hearing about supposed to take place? It's all hot air, isn't it? You posit hypothetical court losses for linux and tell us people should be scared. But given actual it-just-happened damage from Microsoft products, you tell us that the indemnity story is that they'll give us our money back. Go peddle your FUD somewhere else.

[Nick Danger]

Go after Chinese X-Factor, and whoever else helped them create the worm. I really don't understand why you keep protecting them instead.

Because I am hanging you from your own hook. You're the guy who tells us that an actual weasel who sneaks purloined code into linux is irrelevant — we have to worry about Linus Torvalds and the whole system of open source development and hold Red Hat and everyone else accountable.

The minute something untoward happens to a Microsoft product, it's time to play, "Blame the individual weasel."

How do you sleep at night after trying to sell such bald-faced crap in public?