Making the world safe for free software

A litigious blitzkrieg by the anti-Linux crusader the SCO Group has been enraging open-source developers for months. But SCO's attack has ignited its own counterreaction.

By Farhad Manjoo

April 15, 2004

In the summer of 2002, engineers at the Chrysler Corp.'s research and development facility in Auburn Hills, Mich., jumped on the Linux bandwagon. For several years, the company had been running computerized simulations of high-speed vehicle crashes on a network of expensive -- and, eventually, comparatively slow -- Unix mainframes; each crash test would take days to compute, eating into Chrysler's production cycle.

The company's IT department, with consultation from IBM, saw that a "cluster" of Linux machines could do the job faster, for less money. By replacing its Unix system with about 100 off-the-shelf IBM PCs running Red Hat Linux, Chrysler boosted the speed of each crash test by about 20 percent, while reducing maintenance costs by about 40 percent.

Chrysler's experience with Linux makes for a classic open-source software success story. By choosing the free, flexible operating system over a proprietary system, the company saved money and time; the story would make a good ad for Red Hat and IBM. And that's probably why the SCO Group -- the small software company in Linden, Utah, that has been Linux's biggest detractor during the last year -- decided to punish Chrysler.

SCO claims that Linux is actually an illegal derivative of the Unix operating system, which SCO says it owns. In a lawsuit filed on March 3, SCO accused DaimlerChrysler, Chrysler's corporate parent, of violating the terms of a Unix license Chrysler signed in the 1980s -- the violation, SCO suggested, stemmed from Chrysler's adoption of Linux in place of Unix. At the same time, SCO sued AutoZone, the giant car parts retailer, which uses Linux in each of its 3,000 stores; SCO claims that by using Linux, AutoZone is "willfully" infringing upon SCO's intellectual property.

To fans of Linux, SCO's latest moves are both silly and a little bit scary. The company's case is widely thought to be extremely weak. Of course, people say, SCO is never going to stop AutoZone and DaimlerChrysler from using Linux! But the scary part is that it might not matter much whether SCO's case is weak, because even frivolous lawsuits demand an (often expensive) defense. Consequently, some in the open-source community wonder whether SCO's case indicates a real cause for concern with free software.

"They sued AutoZone and DaimlerChrysler even though those companies didn't do anything wrong and acted in good faith," says Daniel Egger, a partner at the venture capital firm Eno River Capital. AutoZone and DaimlerChrysler simply purchased open-source software; they didn't write the code. But "because of a quirk in our legal system," Egger says, "you can be sued for using software when you did nothing wrong, just because some third party claims that they own part of that software or that the software infringes on their rights."

This is a problem, Egger says. Corporations take risks all the time, but they're not fans of unquantifiable risks. Companies don't want the free software they install today to become a hundred-million-dollar legal boondoggle five years from now. And that's why what the open-source world could really use, Egger says, is a financial mechanism to measure and eliminate the "risk" associated with using software like Linux. There's a word for such a complex-sounding system: "insurance." And if you're the IT manager at a big company and you're thinking of installing Linux, Daniel Egger would like to sell you some coverage.

Egger is the founder of Open Source Risk Management, or OSRM, an innovative new firm that will soon begin offering insurance protection for Linux. At the cost of $30 per $1,000 of coverage, OSRM promises to defend Linux against all infringement claims, exactly the kind of suits that Chrysler and AutoZone are now facing. If SCO represents the biggest threat to Linux in its existence so far, then OSRM is a classic example of how the flexible open-source world reacts to every new threat -- by innovating a new, widely distributed, from-the-bottom-up solution.

Insurance is crucial for Linux, Egger says. Unlike proprietary software, the free operating system is vulnerable to third-party infringement claims. When large corporations buy applications from proprietary software firms such as Microsoft, they are usually sold rock-solid "indemnification" packages -- clauses that let the customer off the hook in the case of any legal question surrounding the software. But it's not the same for Linux, which was written by many developers all over the world and can't be guaranteed by a single firm. It wouldn't be fair to ask Red Hat, say, to indemnify you of any claims against Linux, Egger points out. "You would be asking them to guarantee something which they have no more knowledge of than you do," he says. "You're asking them to do something where they might be in the position of having to guarantee what their competitors wrote."

Egger believes that only a neutral firm can guarantee the legality of Linux, and only one that has strong ties to the developer community. In order to guarantee that Linux isn't infringing on anyone else's property, OSRM is inspecting the OS's code with the help of many developers. The firm is being advised by such open-source gurus as Bruce Perens, and it has hired Pamela Jones, a paralegal who runs the popular Groklaw discussion site, to help with legal strategies. Jones is the pioneer of what she terms "open legal research" -- complex legal research done in the open, on the Web, by groups of people with varied expertise in law and code. During the past year, Groklaw has been the center of such research aimed at thwarting the SCO case; Jones and others on Groklaw plan to do similar work for OSRM.

It's these ties to the open-source community that make OSRM most interesting. The firm, says Bruce Perens, gives open-source developers a chance to stand by their work. "What we are saying is, for a very small amount per year we will put our money where our mouth is," Perens says. IT managers "will not have to defend this use to their bosses again."

There's no evidence, yet, that SCO's efforts against Linux have been effective. For several months, SCO has been asking corporate users of Linux to pay it for the right to use the free operating system -- but in the first quarter of the fiscal year, the company only managed to sell $20,000 worth of licenses for Linux, which suggests that most firms don't believe SCO's claim that it owns Linux. (In order to sell these $20,000 worth of licenses, SCO spent about $3.4 million on litigation during the quarter.) Meanwhile, the Linux market seems as strong as ever. Don Marti, the editor of Linux Journal, points out, for example, that the Linux server business experienced double-digit growth during the past year.

But Marti also says that he knows of some companies that are at least delaying plans to migrate from Unix to Linux, which is understandable considering SCO's attacks. Both AutoZone and DaimlerChrysler were once celebrated for their adoption of Linux; now they're being sued for it. If you were a large corporation thinking about Linux, wouldn't you wait until the dust settled?

Well, if you were a lawyer at one of those Linux-leaning corporations, one thing you might consider doing first is reading Groklaw. Groklaw was founded about a year ago by Pamela Jones, a paralegal and a techie who became intrigued by SCO's $5 billion case against IBM. SCO claimed that IBM engineers had secretly stolen code from SCO's Unix software and stuffed the code into Linux, making Linux an illegal copy of SCO's property. Jones, who was skeptical of this claim, began blogging about it. "I thought maybe, in my wildest scenario, a hundred people would ever read what I was doing, and I was thinking exclusively of a blog, not a Web site," Jones told Salon in an e-mail interview. "Blogs are more casual and have more leeway editorially. So I was just breezing along with panache, without a care in the world. It felt like I was writing 'Dear Diary, today SCO did thus and so.'" But as the SCO case heated up, Jones saw her site catapulted into the spotlight -- i.e., it was getting frequent links from Slashdot -- and the content morphed into something more than breezy blogging. Soon, she says, groups of people with expertise in various areas of the law and software development began offering her tips, and in a short time these readers began working together on Groklaw projects aimed at undoing SCO's case.

For example, in January, a group of Groklaw regulars published an exhaustive examination of a set of files in Unix System V called the Application Binary Interface; the team looked at the legal and technical history of these files, as well as SCO's role in their development, in order to determine whether SCO could reasonably sue others for using the ABI files. Their conclusion: "I think you will see from this article alone that if SCO is planning to sue anyone over the ABI files, unless there are facts we haven't unearthed, they seem to be leaning on a rickety bamboo reed."

"I couldn't do that definitive research without the community," says Pamela Jones. "I don't think IBM could either, for that matter. I believe we have established that there is no point in SCO pursuing the ABI files."

Jones has been praised by just about everyone in the open-source world for her efforts to undermine SCO. Linus Torvalds, the creator of Linux, has said that Groklaw shows "how the open-source ideals end up working in the legal arena, too, and I think that has been very useful and made a few people sit up and notice." Bruce Perens calls Jones "paralegal to the world." Clay Shirky, the influential tech pundit, points out that "Groklaw may also be affecting the case in the courts, by helping IBM with a distributed discovery effort that they, IBM, could never accomplish on their own, no matter how many lawyers they throw at it."

About the only party not happy with Groklaw is SCO. The firm's CEO, Darl McBride, has publicly accused IBM of secretly funding Groklaw (Pamela Jones denies this). In an interview with Salon, Blake Stowell, a spokesman for the firm, dismissed the idea that Groklaw can be a source for well-researched insight into the SCO case; in his view, much of what goes on at Groklaw is unabashed SCO-bashing. "One of Groklaw's biggest roles is to provide an opinion," Stowell said. "I think they have been successful in having an awful lot of people come to their site to gain an opinion on things. But it's a very one-sided opinion, and if that's the only thing that people read to gain an opinion on things they're getting a very one-sided view." Stowell doesn't think that Groklaw has uncovered anything of lasting import legally. "I don't think they've influenced at all what we've done in our lawsuit," he said.

Reading through Groklaw, it's certainly easy to see Stowell's point. You'd be hard-pressed to find a pro-SCO word on the site, and, as on Slashdot or any other discussion board, "there's a lot of chatter and noise in the comments," notes Don Marti, of Linux Journal. But it's also true that readers of Groklaw often point to valuable primary sources of new information concerning complex legal controversies, Marti says, and for a lawyer looking into Linux, these resources are probably very helpful.

It's this aspect of Groklaw that attracted Egger, of OSRM. One part of establishing Linux's legality in order to offer insurance for it, Egger says, is sorting out the complicated legacy of Unix; Egger considered Groklaw the perfect forum to conduct this research. "The history of Unix is very tangled and confused," Egger says. Anybody who owns a bit of Unix can say, "There's something in Linux that is similar, so I'm going to sue!"

That's what SCO did, Egger says, "and if SCO can do this, there are about 30 other Unix product lines besides the ones that are in dispute in the SCO case, and we better find out what happened to those, who owns them and what happened to them." Through OSRM, Egger will fund part of Jones' work on building this "Unix timeline," but all of the information the project digs up will be given to the public domain, Egger says. The timeline project will also include the work of hundreds of volunteers who asked to help after Jones announced it on Groklaw. In an article to be published in a forthcoming issue of Linux Journal, Jones says that the volunteers include "most of the published historians of Unix and many of the people who actually contributed to Unix in the first place." She adds that one Groklaw reader has called her "the maintainer of the Linux anti-lawsuit kernel," which Jones says is a "good description of what our project is all about."

The core of the Linux operating system -- the "kernel" -- is made up of millions of lines of code written by programmers of varying ethical and professional obligations; it is not a piece of software designed to satisfy lawyers, as is probably the case with much of the code written at proprietary firms, but instead to satisfy developers. So how can OSRM ever be sure enough of what's inside Linux -- and of where it came from -- to offer insurance for the system? Egger says that the company has launched an extensive "certification process" of the operating system. The process is labor intensive, but, he says, not all that difficult.

"We look at the origin of the code and make sure it was written by reputable people," he says. "We make sure we know they weren't involved in litigation, and that the companies they worked for agree that they were authorized to contribute this code to Linux. So we look at who wrote the code and what documentation there is around that." OSRM also maintains a "huge database" of both proprietary and open code from other software, Egger says, and the company is comparing that code with the Linux code "to look for possible copying." The company has not yet completed its certification of Linux, but so far, Egger says, "I have not found anything that would cause me to be concerned -- it looks very, very clean." But Egger adds that if he did find something, "we wouldn't tell you -- we would just quietly work with the developers to fix it."

Egger considers this part of the process key to the success of OSRM. There are probably some in the open-source community who look askance at Egger's project; part of the business of selling insurance for a product, after all, is convincing customers that there's a risk associated with using that product, and many open-source developers don't think there's anything risky about using Linux. But Egger insists that he's not looking to profit from weaknesses in Linux -- and, indeed, he says he'll do everything he can to work with Linux developers to make the system safe from legal attacks. "We'll quietly identify places where better documentation, a better record will reduce the risk of future litigation," he says. "We call it 'papering the kernel.' We're engaged in these activities at a very high level. That's the value of insurance companies -- we're involved with the community in risk mitigation activities, in developing best practices for reducing exposure, and in proactive research." All of this, he says, makes Linux safer.

And slowly, fans of open-source software -- even the ones who think SCO's claims are bogus -- are coming around to the idea that Linux has got to be made safer from third-party infringement suits. Last year, Pamela Jones was somewhat skeptical of the idea that open-source software needed legal protection; now, she's changed her mind. "I haven't changed my mind about the strength of the GPL [GNU General Public License], which is what really protects you," she notes. "But I became convinced, when I saw the stock price shooting up, that there will be copycat SCOs. I know my business enough to know that it is pretty much inevitable. Nuisance lawsuits are a fact of life. How do you protect against that threat?" OSRM, she says, offered "a way for the community to fight and win against future nuisance lawsuits ... Nuisance lawsuits will come. So we must be realistic."

Then Jones added this analogy: "When you buy insurance for your car, is it because you don't trust the workmanship or have doubts if Ford had the rights to the machinery that built it? Or is it because you realistically know there are bad people in the world who might steal your car or your radio or scratch your windshield by throwing a rock at your car?

"It's the same with software. There's nothing dangerous about GNU/Linux software. What you need protection from is people, bad people."

Copyright 2004