Startup to Offer Open Source Insurance

ThePretender writes "From the Infoworld article, 'Open Source Risk Management LLC (OSRM), a startup company that last month hired Pamela Jones, editor of the popular Groklaw.net Web site, as director of litigation risk research, plans to soon begin offering insurance policies to companies using open source software but fear that they may be sued, according to a company spokeswoman'. What's next - Developers having to pick up 'code malpractice' insurance? Egads." Might as well get some alien abduction insurance while you're at it.

Job Security?

[shystershep]

Doesn't sound like a place I'd want to work. What happens when SCO gets swept back under the rug? I realize that some businesses may want the security of having this, but I would think that a more general insurer would be able to take care of that. This seems way too specialized for a niche that I'm not convinced exists, or, if it does, that will last.

Re:Malpractice Insurance

[Zorak Man]

I'm no legal expert, but couldn't all of this be avoided with a proper disclaimer in the licence for the software?

What about closed source companies?

[AndroidCat]

Why just open source companies? If Microsoft screws up, they're not exactly going to be backing you up if you delivered a product using their software. (In the EULA, their liability is usually limited to what you paid for their software or $10.)

This sounds like a company that's gone parasitic on FUD.

Why Price Might be High/Low

[4of12]

I'd be interested in what price this insurance sells for.

On the one hand, I would expect it to be cheap inasmuch as many of the legal attacks so far appear to be without merit.

OTOH, with only a small number of underwriters willing to write policies, they could charge interested customers what the market will bear with few suppliers.

And, in some cases, customers may feel that they're getting so much value from their open source software deployments that they'd be willing to pay more than some might expect.

Will they indemnify us against SCO?

[djh101010]

The company I work for got "the letter" from SCO, and we have now had a second linux-based project shot down due to SCO's FUD working. This is frustrating, to say the least, when the appropriate technical situation is being held hostage by SCO.

If we could buy insurance against the near-zero chance that SCO could be successful, we might be able to get these projects going in the direction that makes technical sense, and stop worrying about (insert rant about McBride and company here).

Re:Malpractice Insurance

[Dan512]

There was a requirement for "Errors and Omissions Insurance" for a utility company gig I worked in 1998. It was $1100.

Good alternative to SCO license

[weopenlatest]

I don't see why there is such a negative response to this post. I would bet that many if not most of the companies who paid SCO licensing fees would have opted for this deal instead, had it been available, leaving SCO with a lot less money for frivolous lawsuits. In fact, it wouldn't just take money away from SCO--it would give it to the other side. Any company offering open source insurance would have a huge financial interest in fighting a company like SCO, giving the open source movement some much need legal muscle. If insurance like this got more popular, it could seriously weaken SCO's business model.

Re:It's a good idea

[John Hasler]

> Look at the broader picture. All that stuff out
> there on sourceforge. Someone in some cubicle at
> some business decides some obscure project is
> useful, and starts using it.

What bearing does that have on buying Free Software from a respectable company such as Red Hat or IBM?

> If the code was open source though, who do you
> go after?

Whoever made and distributed the unauthorized copies.

> The people profiting from it - the end user.

The end user is not liable unless he can be proven to have known about the copyright infringement in advance. Copyright regulates copying, not use.

> Makes absolute sense. In fact, it was the lack
> of this sort of protection that has kept the
> company I work for away from OSS.

Silly. The risk is exactly the same for closed-source.

How about vendor bankruptcy insurance?

[Animats]

As a business decision, it now looks dangerous to buy an SCO-licensed product. Where's your protection if SCO goes under? Do you have source code? Do you have source code escrow? Do you have insurance against vendor bankruptcy?

It's a very real issue. Misery is being dependent on software from a failed vendor.

Look at SCO's stock chart. [yahoo.com] The stock has dropped from 19 to 8.75 in the last three months, and it's dropping almost every day now. [yahoo.com]

How would you know they could pay?

[astrashe]

Don't insurance companies have to have assets to back their policies?

How would you figure out how much money would be necessary to back these policies? If you believe that the risk is zero, and they don't need money, then the business becomes a confidence scheme. If you believe that the risk isn't zero, you need something to back it up.

On top of that, if you insure people against auto accidents, or serious diesease, you can assume that everyone won't get hit at the same time. But if it turned out that running linux exposed you to liability, then all of the policy holders would have to be paid off at once. In other words, there's no way the premiums would be able to cover it.

I'm not an actuary or an insurance expert, so maybe I don't understand what's going on. But it doesn't smell right to me.

Warning: BLATANT PLUG

[cleetus]

This summer I had the opportunity to work for BlackDuckSoftware.com [blackducksoftware.com]. Black Duck has built software to help developers (from individuals to large corporations) manage their use of open source software. Essentially, the software enables firms to track the usage of open source code, determine conflicts (if any) and suggest methods of compliance. It takes into account methods of combining code, whether the code is for internal use or public distribution, any number of other considerations that involve open source license compliance. It is able to deal with code licensed under *all* of the certified open source licenses [opensource.org] as well as many other proprietary licenses.

While it is not insurance, and does not provide any kind of indemnification, it is a damn good management tool. Its goal is to allow companies to make use of open source code in such a way that full compliance is facilitated, and to avoid any uh-oh moments that happen after code is commerically released.

I worked on the development of the license interpretation module. It involved reading (and re-reading) 50+ licenses and parsing their terms such that compatibility determinations and compliance requirements could be generated for every possible combination of license, code, distribution, concatenation, link, modularization, etc. of a software product. It was exhausting (and sometimes tedious) work, and it certainly made it easy to tell which licenses were written by lawyers, which by coders, and which were written with input from both. It gave me new understanding of why unenlightened legal departments sometimes shy away from open source. Nonetheless, the reality is these licenses exist, are in use today, and are all valid until some court says otherwise. Licensors (i.e. coders in the community) have every right to expect their terms to be adhered to.

Being a geek myself, and a law student, it was pretty gratifying to see that a company wanted to build a product that helped managers to understand and not fear the open source phenomenon. Further, I think the product will really help firms stay fully compliant when they decide to use open source code. And that, in the end, is all our community can ask for.

cleetus

A couple of reasons

[DaveAtFraud]

Regular readers of Groklaw have a pretty good idea what PJ thinks of SCO's chances with their various lawsuits. I see a couple of different reasons why PJ and Bruce Perens would both (RTFA) be in on this:

1) Our dear friend Darl has made threatening noises with regard to Groklaw being on the side of whoever SCO is suing this week (e.g., IBM, Red Hat, Novell, Autzone, etc.). OSRM may provide PJ and the rest of the Groklawyers with a corporate vehicle to continue doing exactly what they've been doing without fear that Darl can go after PJ (in particular but also anyone else who contributes) in some sort of malicious (big $ personal lawsuit) way. SCO has amply demonstrated that their response to anyone who opposes them is to file a lawsuit (See SLAPP).

2) You will note that the first activity of this insurance company doesn't seem to be trying to sell an insurance policy. Its to offer a class "...on how best to mitigate the risk of using open source software". Any bets that a lot of that class will be on how to file the right paper work to legally tell SCO to go find an alien who can probe them until the existing SCO litigation is cleared up including deciding if SCO really does own the copyrights to UNIX? (Maybe Darl should look into that alien abduction insurance.)

Re:What about closed source companies?

[kfg]

This sounds like a company that's gone parasitic on FUD.

Nothing sells better. Just watch TV ads for a while, or walk down the isles of a supermarket, particularly the drug/personal care isles.

It's all sold by sex and fear, and fear of not getting sex. The heartbreak of psoriasis. The social outcasting of dandruff. The horror of your whites not being white enough.

What will the neighbors think?

Most people live by FUD while pursuing their lives of quiet desperation, and most companies at least parasitically prey on that fear. Some of them subsist on it entirely, even going so far as to create fears, through marketing campaigns, that had never previously existed, and which their product "solves."

KFG

How do you draw the line?

[zurab]

However, the end user *is* liable for patent infringement.

Here's a hypothetical scenario:

- You buy a jar of mayonnaise made by Kraft
- Kraft gets sued by SCOMayo (whatever) for infringing on one of their patents on how to make mayonnaise that stays fresh for up to 12 months and loses
- SCOMayo now sues everyone who ever bought and stored the patent-infringing mayonnaise from Kraft and demands additional $6.99 for every jar of mayonnaise purchased?

IANAL, so I don't understand how this works. Can SCOMayo sue individual people and sandwhich shops, fast foods and restaurants for patent infringement? If so, maybe they should start selling indemnification insurance at the supermakets as well for an extra $0.99 per item ($0.88 at Wal-Mart)?

On a more technical side, would this mean that because I own 3 nVidia video cards I may get sued by ATI and I need insurance just in case? Where and how is this line drawn, if there is one?

Re:Good idea in my mind!

[Kphrak]

That's somewhat of a ridiculous comparison. If you're going to compare OSS and closed source methodologies, you should not do the equivalent of comparing a teen garage band with the New York Philharmonic. A better comparison would be "enterprise" closed source, versus open source that has a lot of manpower behind it.

The open source that tends to get used the most is the stuff that has a strong userbase and active developers. The 14-year-old-written "this is l33t so I wrote it, visit my blog d00d!@!@!!" kind of software is occasionally useful if you need something to do a small, handy thing on your workstation, but rarely gets used heavily in production -- even by workplaces using open source.

More likely, the software written is by some post-graduate or a group of programming enthusiasts who are interested in the program concept or have found it useful and decided to help improve it. Most of the GNU software, MailScanner [mailscanner.info] (an extremely flexible virus/spam gateway), and the Linux kernel itself, is written in this manner. Many of them release designs and papers, something which the companies you're speaking of often keep in-house and hidden from the public.

Now to my personal mistrusts. I personally mistrust software that's probably written by someone with a passing familiarity with Visual Basic, who does not speak my language and does not document the program properly. If you wonder what I mean, try installing some of that "bonus software" that comes with your inkjet, scanner, or CD writer on your system and you'll learn a painful lesson. Not all software written by a company is good, or even has a reasonable design behind it -- and sometimes, even with a reasonable design it's still programmed badly.

Alien Abductions Incorporated

[jonesvery]

Okay, I've got to mention it...

Why spend the money on alien abduction insurance when you could just invest it in an AAI Abduction Experience [alienabductions.com] and find out whether you'd actually like being abducted by aliens?

Can't beat the company motto: If they won't contact you, contact us!

...and hey, if I start getting traffic to it again, maybe I'll get around to updating the site again one of these days... :)

Eben Moglen talked about this very thing

[hetairoi]

in his speec at Harvard awhile back.

Full text here [groklaw.net]

"If you are thinking about working in the law of free software, and gosh, I hope you are, one of the things you might want to be thinking about working on is the software conservation trusts that are going to be growing up around this economy in the next five years. I'll help you make one, or you can come to work in one of mine. We're going to need to spend a lot of time doing work which is associated with trustees. We're going to be spending a lot of time making sure that things are put together and they are built well. And we are going to be doing that on behalf of a third-party insurance industry which is going to be growing up, is growing up before our very eyes now, which is learning that it really cares how the free software is assembled."

Re:Open Source's legal record

[Anonymous Coward]

I've yet to hear of a major open source project exposing a company that decided to use them to liability through the project's use of illegal code, like Apache swiping code from someone else, say.

Don't think it doesn't happen the other way around, either. We actually had a employee who incorporated some GPL code into a proprietary codebase. Stripped off the headers, so he obviously had some idea about what he was doing. Fortunately, some comments he left in the code tipped us off. We caught it just before we went into our release cycle, so a couple of more weeks and we would have shipped a GPL-violating product.

This was in a company that used (and still uses) OSS extensively, where we were all pretty well educated on various license issues, and the (now ex-employee) should have known better than to try this sort of thing.

We later found that co-workers of his were using our products to start a consulting buisiness catering to competetors, too - and operating the whole thing out of one of our remote offices. We decided that the GPL code was done out of simple laziness, thought it did cross our mind that a competetor might have "funded" that code ending up in our products, just so they could spread some FUD.

"Public Liability" and "Professional Indemnity"

[quinkin]

I'm not sure on US law, but in Oz it is "Public Liability" and "Professional Indemnity".

They are two distinct areas of insurance. Public is to protect you if a visitor (non-employee) trips over in your office and breaks a leg. Professional is for when you fsck up (as parent said - data loss, etc).

That said, when I was establishing my IT company it was astounding how many traditional insurance firms would outright refuse to insure us. They wouldn't demand overzealous premiums, but flatly refuse to insure IT startups.

There is more than enough demand for this, if Pamela can keep them afloat (she's got the skills) then it will benefit us all.

Insurance sucks, but not as much as being sued...

Q.