Last updated July 15, 2008

 

Lawsuit Rings Open-Source Bells But Linux Plans Remain

Last year, NYFIX started hosting a FIX trading platform in-house in its data centers. And the company had a choice of using the Solaris or the Linux operating system. Eventually, it came down to money. "We would have spent five times as much on a Solaris server than a Linux blade server," said John Knuff, VP of network engineering.

Part of the reason was the price of the operating system itself: Linux is free. But an even bigger cost savings was the fact that Linux could run on the Intel platform, while Solaris required proprietary hardware.

"Our decision was based on the best operating system and price performance that could be offered to clients," he said.

Then, this past spring, a little company based in Lindon, Utah sued IBM, claiming that it owned the rights to some of the underlying code now found in Linux. And it wanted IBM to pony up $3 billion in damages, and all end-users to start paying licensing fees. SCO, formerly known as Caldera International, was immediately countersued by IBM. Leading Wall Street Linux distributor Red Hat, based in Raleigh, N.C., also joined in, asking a federal court to rule that Linux doesn't infringe on SCO copyrights.

What's an end-user to do?

Knuff, for his part, is standing firm. NYFIX isn't paying license fees to SCO, he said, and isn't changing course about this or future Linux implementations.

Reuters has made a big bet on Linux this year, releasing its flagship RMDS (Reuters Market Data System) on that platform. And the SCO lawsuit isn't making the company rethink its decision just yet. According to Casey Merkey, program manager for RMDS on Linux, Reuters has decided, after consulting with its lawyers, not to pay the SCO licensing fee. Neither is Reuters postponing or delaying new Linux implementations.

"We are keeping an eye on the situation," he said. "If it goes to trial, it will be the first time that GPL [General Public License] will be tested in a court of law and it will be a benchmark by which open source IP is governed in the future. It may well turn out to be something that changes the way we all do business."

He added that RMDS is built 100 percent on code proprietary to Reuters, with no open-source components to create possible rights problems later on. He hasn't seen a lessening in interest in RMDS on Linux since the lawsuit was filed, he said. In fact, interest has grown from just the largest firms to financial institutions of all sizes. "Everyone assumes now that Linux is here and here to stay."

That includes NYFIX, said Knuff.

"You can look at multiple lawsuits between multiple companies right now, and a lawsuit doesn't mean you should make a directional change," he said. "I'm not sure what will happen, but we're ready to deal with it."

For example, he said, the applications NYFIX currently runs on Linux could run on several platforms. "We can change course if necessary at any time," he said.

One possible solution is to run Solaris on the Intel platform, or, in generic terms, x86, an option that only became available very recently, said Sheldon Monteiro, VP of technology with Sapient's Financial Services industry group. Many customers don't even know that Solaris is available on x86, he said.

However, even taking into account different hardware possibilities, Linux is still cheaper than Solaris and other proprietary operating systems because of the licensing costs. "Most of the Wall Street firms that we have talked to have some kind of Linux pilot project somewhere in the organization," he said. "The cost drivers are simply too significant for them not to consider it. Which is why, when I look out on the marketplace in general, I haven't seen people stop dead in their tracks."

According to John Loiacono, VP of the operating platforms group at Sun Microsystems, the Solaris operating system is free of intellectual rights issues as far as SCO is concerned. "Over the past 10 years, I've bought my license rights to the code as it relates to SCO," he said, adding that the license is now all paid for and Sun no longer makes any payments to SCO.

And Sun will guarantee that customers aren't going to have any intellectual property rights problems, SCO generated or otherwise, with Solaris, Loiacono said. However, he could not extend the same guarantee to the Linux-based offerings the company also ships. "If people ask me to indemnify Linux, I cannot do that," he said. "The Linux I have is Red Hat and SuSE. I can't indemnify a product I don't own the rights to."

In fact, this issue of indemnification is a big problem for open source in general, said intellectual property rights attorney Michael Overly. Overly is the author of the recently published "The Open Source Handbook" and a partner with the e-business and information technology practice of Chicago-based law firm Foley & Lardner.

"Open-source software [intellectual property rights concern] is a component of every single deal we do," he said. "We will raise it with the vendor, we will discuss it. Every contract we do, open source is discussed. And every organization ought to move it to the top of their list."

Firms aren't so worried about the SCO lawsuit that they're canceling or delaying Linux implementations, he said.

However, they have become more wary of the use of open source in general, he said. "No one has established that SCO has any rights to anything," he said. "That is the subject of the lawsuit. But there are many open-source products that are popular on Wall Street that all have the same problem as Linux: at any time, someone can file a lawsuit that said, 'I own that and I want to charge a license fee.'"

The reason, he said, is that individuals who contribute pieces of code to open-source projects may not actually own the rights to that code, and there is no procedure currently in place to solve this problem. "Software developers like IBM, Microsoft and Sun have incredible procedures in place when they develop software to make sure they have the rights," Overly said. "That's what they do for a living."

But when programmers get together on a volunteer basis to develop open-source code, there usually isn't anyone managing the ownership of the code. "You have a group of people who don't know how to do that," he said.

Another rights problem with open-source code is that companies who donate pieces of code lose the rights to that code. "Merrill Lynch has many patents," Overly said. "Fidelity had many patents. If I hook up some of my own intellectual property to an open-source project, I may have just committed my own intellectual property to the open source movement."

Finally, even commercial applications often have open-source code components, Overly said, and buyers might end up liable for rights violations when they didn't even know they were using open source software. "I would say that 70 percent of financial services companies are not aware of what open-source software is being used in their organization," he said. "And a lot of companies would be surprised to find out that a lot of commercial applications they pay millions for are in a large component open source software."

But there are steps that companies can take to protect themselves, he added. "One thing that Wall Street customers are doing is becoming more strident and saying they want indemnity against these types of claims," he said. "We have asked for these protections [for Linux] but, in general, Red Hat and IBM will refuse to provide those protections because they didn't write the software to begin with. But IBM and Red Hat are deriving profits from reselling Linux and many people argue, including myself, that they should provide indemnity and protect users from these lawsuits. They are still considering whether to do that."

In a recent case, a broker-dealer was about to license a piece of commercial software, at a price of a couple of million dollars, Overly said. "We put in a clause that said, 'The vendor warrants there is no open-source software' in the contract," Overly said. The vendor refused to approve the clause; it turned out there were more than 20 open-source applications that were included in the software. The vendor had originally hoped to avoid all responsibility for anything going wrong with those open source products.

The contract was revised to protect the customer against any infringements in the open-source code.

But what about cases in which the vendor refuses to indemnify an open-source product, or cases in which no vendor is available because the firm is downloading free code directly from the open-source community?

A firm has to be able to justify that the cost benefits and other advantages of using an open source product, rather than a commercial alternative if one is available, outweigh the potential risks. "If there's a commercial product, that's not particularly costly, maybe we can go with that," Overly said. "Otherwise, there are some hard questions that need to be answered. Is there a business case for this risk? In some cases, the benefit is that there's no other place to get the software, so the decision is made to accept the risk for that particular software."

For example, if the case is finally decided in favor of SCO, a firm might need to replace the Linux operating system, or have a budget for paying the license fees.

And what will those licensing fees be? Well, SCO has already put out a price sheet.

According to Chris Sontag, SCO's VP of licensing programs, for Wall Street firms using Linux version 2.4 or above, there's an "introductory price" of $699 per single CPU, with a volume licensing option also available at a lower cost. Since only versions 2.4 or above have the problematic code, he added, companies can also opt to switch to an older version of Linux, or another operating system altogether.

Can't users simply wait for the open-source community to rewrite the offending lines of code? Many experts think that this is what will happen. "Very recently, there was some code that was discovered to be in Linux from some other proprietary product," said Naresh Sharma, a senior analyst at research firm Progressive Strategies. "Within two or three days, it was gone."

But SCO is taking steps to protect its case against this simple solution by refusing to divulge the offending code in advance. Although the company has identified over a million lines of code that it considers to be "derivative works" based on the Unix source code that it owns, and thus protected by copyright law, there are also pieces of code that are direct word-for-word copies, warts and all.

"We have chosen not to reveal that," Sontag said. "Otherwise, people will feel that if they just replace those lines of code, all that is taken care of. Until the damage that has been caused has been corrected, it doesn't make sense for us to identify those lines of code."

One problem that SCO faces in presenting this suit is that it itself until recently distributed a version of Linux. IBM and other critics have argued that this undermines the company's case. "Copyright law specifies that you can't accidentally transfer a copyright from yourself inadvertently," Sontag said. "You have to do it with a legal contract with signatures of both parties. And the [Linux] GPL itself specifies that you have to explicitly assign your copyrighted work over to Linux GPL. That was never done. We were not even aware that our legal copyrighted material was in Linux. As soon as we became aware of the problem, we suspended distribution of Linux."

There's also another problem with SCO's case that might doom it, said Sharma. "The allegation it has against IBM is against code that IBM has developed on IBM's own time and released as open source," he said. "And if IBM gets too much heat from this, then they might opt to just buy SCO out."

 

Maria Trombly can be reached at 011-86-21-6387-7243 or by email at maria@trombly.com