
Open source compliance insurance

The folks at Open Source Risk Management have, for some time now, been working on indemnification insurance for free software. The idea behind this offering is that businesses which are worried about an SCO-style lawsuit can purchase insurance turning that risk into a regular, predictable business expense. This sort of service may well turn out to be a hard sell, however; SCO's experience seems unlikely to inspire many copycat acts. The risk of successful, copyright-based legal attacks against free software currently seems to be quite low.

Patents may yet prove to be a different story, though.

Meanwhile, OSRM, in conjunction with Kiln plc and Miller Insurance Services, has come up with a new idea: sell insurance to companies which fear GPL compliance problems:

Open Source Compliance Insurance will initially offer cover of up to $10 million for direct loss suffered by the insured following a finding of non-compliance with specific license agreements under which open source code is obtainable. The insurance will indemnify the insured for the loss of profits associated with the withdrawal or alteration of a product incorporating non-compliant code or the impaired valuation of an acquisition agreement exchanging open source software. In certain circumstances the policy would pay the costs to mitigate such losses including the expense of repair or replacement of code that is found to infringe upon the General Public License (GPL) or other Open Source licenses.

This is, in other words, a 180-degree change from the previous OSRM offering. The previously-offered indemnification policies addressed concerns that free software could be infringing on copyrights through the inclusion of proprietary code. Now, instead, we have insurance to benefit those who might just infringe the copyrights associated with free software. This situation is, certainly, more likely to come about; here's another quote from the press release:

Worldwide, more than thirty legal claims involving infringement of open source licenses have been brought against corporations in the last two years. In each case, plaintiffs have prevailed in enforcing their rights to restrict the use of their code.

This is, certainly, a strong statement in favor of the enforceability of free software licenses.

One might argue that this sort of insurance policy presents a moral hazard. A company which hopes to ignore the requirements of the GPL could ship a product without source, secure in the knowledge that, if somebody calls them on it, they can fall back on the insurance policy to mitigate their losses. The plan's fine print must certainly have language excluding deliberate acts of noncompliance, but proving that a specific infringement was willful could be a challenge.

Others might say that there should be no inadvertent infringement of the GPL; any such infringement constitutes, at best, an extreme lack of due diligence. Consider, however, the much-publicized cases where various wireless routers have used GPL code in noncompliant ways. In these cases, the final vendor - the one whose name is on the product - often has little knowledge of what software was used by the obscure, far-eastern supplier who actually made the product. As more GPL rulings are handed down, it seems likely that resellers will start asking more questions of their suppliers, but surprises still seem possible. This particular risk - being betrayed by a supplier - seems like a legitimate thing to insure against.

So OSRM and its partners might just find a market for this particular offering. If, in the process, they make businesses feel more comfortable about using free software in their products - and, perhaps, even help with the further development of that software - it should be a good thing for the free software community as a whole.



Open source compliance insurance

Posted Nov 3, 2005 18:00 UTC (Thu) by BrucePerens (guest, #2510)

I'm a board member of OSRM.

A particular point needs to be made regarding this offering. Questionable behavior regarding the GPL and other licenses is not insurable, simply because that is purposeful behavior that is likely to generate a claim. Sorry, binary-only Linux kernel drivers are not insurable - they contravene the spirit of the license and probably the letter as well, and thus present an unacceptable risk.

Once you purchase a policy, you have a new party with legally-binding rights to which you must justify your license compliance: the insurer.

This product should result in greater compliance. And thus, I think we can be reassured about the moral dimension.

Bruce

Open source compliance insurance

Posted Nov 4, 2005 1:43 UTC (Fri) by liamh (subscriber, #4872)

"In each case, plaintiffs have prevailed in enforcing their rights to restrict the use of their code."

It is my understanding that the GPL anyway (and I assume any other free software license) does not restrict the use of the code, only the copying. Yes, it's clear that's what they mean here; from a vendor's perspective, using the code is copying it into products for sale. But someone not familiar with these nuances might put the GPL on a par with typical proprietary shrink-wrap licenses, which do restrict the use (from a consumer's perspective) of the code.

Open source compliance insurance

Posted Nov 4, 2005 5:48 UTC (Fri) by pimlott (guest, #1535)

Worldwide, more than thirty legal claims involving infringement of open source licenses have been brought against corporations in the last two years.

Since these guys have done the tally, it would be nice to see a breakdown of and sources for those 30 claims. How many were due to the FSF? How many to gpl-violations.org? In what countries? Did any of them go to court? Is this information available anywhere?

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds