Open-Source Insurance
Beatles-Beatles writes to tell us that several insurance agencies have formed a partnership to offer open-source compliance insurance. From the article: "The insurance will cover up to $10 million in damages, including profit losses related to noncompliance with an open-source software license. The policy could, in some cases, cover the cost of repairing code that was found to infringe on open-source licenses such as the General Public License, which is used with the Linux operating system."
Defending copyright infringement of any source code is ridiculous. You can't accidentally copy a line from someone else's program to yours. Infringement is only deliberate.
So, just like other policies, how much will it cost? $100? $1 million? It's kind of pointless to talk about the $10 million coverage when you don't know how much it will cost...
Much better to take on an insurance against SCO than this FUD disguised as "insurance".
Is the GPL (or other open source licenses) that complicated that you just can't hire (or task) someone to review your development practices to be in accordance?
Well, it's Lloyd's of London subdivision offering this (the same people who insure body parts), so it's probably more publicity than anything.
Intermediate: Insurance company knows that no open source developer has the money to sue, even if they would be able to discover that their code had been stolen.
Now: Big company takes insurance and starts stealing open source code, because they feel there is no legal risk anymore.
In the end: Open source developers get screwed once again and the only people getting rich over it are the lawyers. Nothing new here.
Any person in any corporation buying this should be subject to instant dismissal. If you are a shareholder in a company that buys this, then you should sell your shares immediately, as it is clear proof that the management is corrupt or incompetent.
The Institute of Chartered Accountants should be expected to recognise it as a symptom of malpractice, and if auditors fail to recognise it as such, then the auditors are also guilty of malpractice.
Sent from my ASR33 using ASCII
The merchants in camel trains would each pool a little bit of money to cover the loss of any one trader's camel and goods. If no one lost any goods, the money was returned to each merchant. Today's insurance companies don't return your money if no one ever files a claim. What's up with that?
Software freedom...I love it!
It's about time lawyers get into some OS action. There's a lot of money to be made suing people who rip off OS. I don't think you really need insurance once greedy lawyers figure out how to win these types of cases.
open source insurance http://news.zdnet.com/2100-3513_22-5924112.html
+
underhanded C code http://www.brainhz.com/underhanded/
=
$$$$$$$$
Insurance works on the *cough* law *cough* of averages: different shocks affect different people, so a single shock can be covered by the insurance company for far less than the cost of said shock. There is not enough diversification in something like this. If there are developments against the GPL or a very popular software pack gets into strife (openoffice or such like), then there are huge liabilities that the insurance company can't meet and everyone sinks. Just how does one determine the profit losses from the time spent compliancing software etc?
This is like Roland Piquewhateverr. This "Beatles" dude has two stories on the front page today. And I've seen more from him.
I seem to remember interning for (ironically enough) an insurance company's IT department a few summers ago and hearing about how they took out liability insurance on pretty much all of the open-source tools they used. This even included things like Perl, where the chances of being sued are fairly small, just to be absolutely sure. Furthermore, it sounded like they'd been doing this for a while.
I suppose that their policies might not have covered the costs to get it into compliance and other such expenses. Still, I'm sure that huge companies like IBM have been careful to insure against such possibilities for years. It would be foolish for them not to.
What businesses REALLY need is insurance against Microsoft (and other BSA member companies) licence violations.
SERIOUSLY
Because for any reasonable-sized organisation it is very expensive to do a license audit, and almost impossible to be sure that you're completely in compliance. Many businesses have found that it's easier and cheaper to just buy a completely new set of licenses than try and figure out if the ones they already have cover everything they're running.
And because if you're not in compliance, even by just a little bit, you _will_ get hit with substantial fines which cost a LOT of money to fight that in court.
They just need to raise enough money to send Tom Delay on an overseas golf trip, then they can get all the Republicans to vote yes on legislation making the GPL illegal. Then it will be very easy to insure against.
There is indeed such a thing as "accidentally" infringing on open-source code licenses. You see, while the individual developer who copies the code is usually aware of its legal encumbrances, it would be quite easy for the corporation's management, board of directors, and shareholders to be unaware of the legal deathtrap the lowly developer employee is leading the company into. And lest we forget, it is the CORPORATION that would be found to have infringed the copyright, not the employee. The corporation would face responsibility for what its employee did. From this perspective, having insurance against such things might not be such a bad idea.
And by the way, I would wager to bet that a non-trivial percentage of employed developers are unfamiliar with the specifics (or fundamentals) of the GPL and other common licenses. Also, there are many scenarios in which miscommunication between employees and management could lead to unintentional use of open-source code. Who knows, maybe an employee is even deliberately trying to get the company into hot water.
Someone else here mentioned that this kind of insurance would make it easier for bigger companies to violate open-source licenses, since they'd be shielded from any legal damages. In response to that, allow me to introduce you to the phrase "Insurance fraud." Don't think for a second that these insurance companies won't be carefully poring over company documents, correspondence, etc, to make sure the infringement was indeed "accidental" in whatever sense the word becomes defined as.
As someone else said, probably the only question is whether these companies can speculate the open-source-infringement-lawsuits world accurately enough to stay profitable. It seems to me that's easier said than done, but I do think the idea makes sense in theory at least.
Defending copyright infringement of any source code is ridiculous. You can't accidentally copy a line from someone else's program to yours. Infringement is only deliberate.
That issue is not quite simple. Like another poster pointed out, you can end up with code that looks a lot like an OSS implementation quite by chance, simply because there is a very limited number of ways to solve a certain problem. Another way you could end up in trouble because of OSS could happen is if one of your developers decided to cut corners on a project and rips code from an Open Source project without telling you, or if you merge with another company and find out that they have built Open Source code into the application code that you acquired in the merger. If these developers strip off the comments and hide their tracks well, it might not be obvious at all to you or your code reviewers that the code came from an OSS project. One other way you could get into trouble over Open Source software is if you produce a commercial application that links to Open Source libraries. From what I know it is not at all legally clear in some countries whether this qualifies your commercial application as a derivative work. If somebody takes you to court over this and the judge rules an app that links to Open Source code is a derivative work, you would be in trouble. In all of these cases (except perhaps the last one, since it is still a legal gray area) it would be hard to accuse you of 100% evil and deliberate IP theft or infringement, and I can see how an insurance that protects you during a resultant lawsuit and the subsequent repair work to get rid of the infringing code might come in handy if it isn't too expensive, especially for a startup company.
Only to idiots, are orders laws.
-- Henning von Tresckow
Also they are not random letters.
please type the word in this image: banged
random letters - if you are visually impaired, please email us at pater@slashdot.org
Yeah, people complained because they were too stupid to figure out the random letters.
It wasn't too long ago that some source code for Windows was stolen/leaked, and all the major OSS players recommended to their devs that they AVOID IT AT ALL COSTS.
Not because they were worried that the devs would intentionally steal the code, but because they were worried that they'd read something clever, store it in the back of their minds, and then use something similar UNINTENTIONALLY to solve some OSS problem.
Why should the other way be any different?
Shit happens. That's why people buy insurance.
You definitely have a good point there... I have to wonder how the Google factor will contribute to this?
===
Google is contributing vast sums of money to the open source community and greatly diversifying their markets...
I have to wonder if Google put up some legal dough for open sourcers...
It makes them appear benevolent to the open source community and hurts their eventual competition if they do start stealing code...
===
Likewise, perhaps they may be able to set some sort of investment precedent, since they are fronting a lot of money to the open source community... I am not sure on the laws there, however...
MoM++ - A Classic Expanded - [Master of Magic 1.5]
http://mompp.sourceforge.net/
So, when can we get insurance for accidentally violating the DMCA while trying to fairly use our hard-earned media?
There's no 'on' position on the Slacker switch!
The real question is what other things you can package with it, and if they give you a discount for buying a package. Obviously GPL insurance isn't enough.
For instance, do they sell giant robot attack insurance as well? I feel its important to be protected from the ever present threat of robots. And this is only one of the many kinds of insurance that I'll need from them.
I'm certainly also going to need spontaneous existence failure insurance for all my stuff, werewolf treatment insurance for if I get bit, and bunny attack insurance.
If they can't provide all this insurance to go along with my GPL compliance insurance, I don't think I can take them seriously.
Mod me down and I will become more powerful than you can possibly imagine!
You wrote: Insurance company knows that no open source developer has the money to sue
And that is why the American legal system has a contingency fee option. Yes, it is maligned in the press and by much of popular opinion. But yes, I am glad we have it.
Instead of requiring "the little guy" (in this case an open source developer) to have the cash himself to hire a legal team and pursue recourse in the courts, he can present his case to a firm that will represent him for a percentage of the recovery. This keeps the doors of the courthouse open to him, even though all litigation (contingency or not) is very expensive.
A common objection to a contingency arrangement is that the percentage for the lawyer (generally 20-40% I believe) is very high, perhaps even predatory. The response to that is that the recovery figure pays for the instant plaintiff's costs in addition to the costs of plaintiffs that the firm represents but who ultimately do not recover. After all, there is no such thing as a 100% certain case.
Remember, under a contingency agreement the firm eats the cost of litigation when unsuccessful. This is part of the reason why the "frivolous lawsuit epidemic" is over-exaggerated: a lawyer / firm is not going to take a case that they know is frivolous and that they will almost certainly lose. Lawyers may be blood-suckers, but they are blood-suckers with at least 7 years of advanced education. They are (generally) not stupid.
Do I think a contingency arrangement is perfect? No, of course not. But I have not yet seen a better arrangement proposed that deals with the practical realities of the cost of litigation and the fact that many of those who are harmed do not have their own resources with which to pursue recovery.
- Neil Wehneman
My legal education, in nifty podcast format
Suppose an organization made it a business objective to
* reward those who find GPL or other copyleft violations
* sign up copyright holders for limited power of attorney to handle said violations
* negotiate with the violator
* secure settlements monies
* pay themselves, the copyright holder, the finder, A portion to FOSS organizations......
There is a distinct possibility that lots of commercial code companies are thumbing their noses at copyleft licensing because they are under the impression that it's too much work and too little return for those commie open sourcers to pursue them, people like Harold Welte for example (I don't consider him a commie open sourcer [well he might be, but that's not relevant to me]).
Sure the FSF pursues cases also. However their objective is to work with the company with their primary objective compliance with the license. The stated positions do not include obtaining any settlement money.
Times are a-changing, and for some people out there the gentle FSF approach is not what is called for.
Picture this:
START HERE
{
different opening scenarios:
CIO: Three month deadline
Eng: We can only do this if we rip off X Y Z codebases, GPL'd
OR
CIO: release our new linksys-like product
Eng: comply with GPL?
CIO: and help our competitors?
Eng: But we are violating the license!
}
CIO: And the worst that happens?
Eng: We get enjoined or we release under GPL, if somebody comes after us
CIO: Who's likely to come after us?
Eng: FSF
CIO: Them? They will simply ask us to GPL, at which time we probably made our millions already. Go ahead, use the code.
Eng: People like Harold Welte?
CIO: Costs them more relative to their budget to pursue us than for us to defend. Eventually they will get tired and go away.
STOP HERE
An organization that used well publicised guidelines for how they approach violators and that operated with a degree of transparency to the community would easily be able to obtain necessary support -- that being the authorization to pursue violation by copyright holders.
I don't think any existing org should take on such a charter -- it's a much too risky proposition. A new one that lives or dies on its own merits would be the way to go.
The Arabian camel trains were a form of self-insurance pool: the members agreed to pool losses, if any. You can be assured that they did not agree to pool their collective profits, however.
We have self-insurance pools today, as well. They function in much the same way: all members share proportionally in any loss, so if there are no losses, then nobody pays. The downside is that all members of the pool could simultaneously lose all of their assets in the event of a catastrophe.
We also have Mutual insurance companies today which are owned by the policyholders. If on a collective basis losses are less than expected, then each policyholder receives a dividend for their share of the company's profits. The goal of the Mutual company is to show a small profit at the end of each year, and to return that profit to the policyholders. The downside is that, in the event of a catastrophe, a Mutual company may more easily run out of assets, and be unable to pay all claims, or may have the right to "assess" the policyholders to recoup the shortfall.
Finally, there are the stock insurance companies, which aim to maximize profit, with the intent of distributing that profit back to the shareholders. The downside is that there's no chance of a "refund" in the event that you're loss-free, though you may qualify for lower premiums in the future.
If you'd like a return to the Arabian camel train model, your path is clear: simply find a group of individuals who agree with you, and pool your assets, with the agreement to share in any losses. If there are no losses, you'll get all of your assets back. If losses are catastrophic, you may lose everything.
It's all in your risk preference.
The cure for cancer is coming: Reovirus
Students (and everybody else) should be taught that it's NOT a crime to borrow from your betters if you give attribution ('provenance' for software and/or other intellectual property).
In those cases where you're supposed to do original work, like doctoral theses and the like, you're definitely NOT allowed to borrow.
But for the rest of us, who don't have any interest in being original in the first place anyway, we should be encouraged to provide attribution. Like paid for however much we saved our employer in original research money by not having to do/know it all ourselves, instead being able to cite examples. The total cost of a research project should/must be provided with any paper.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Of course, I believe it's stupid that an end-user should be sued because a software company uses infringing code. Really, it should be the company doing the infringing. Of course, we have SCO to thank for that business model.
It is not our abilities that show what we truly are... it is our choices.
"There are only a limited number of ways of solving certain problems, so if entire functions look pretty much the same"
Have you tried them all? Then why are you saying it like it's gospel?
Anyway I much prefer the BSD license exactly because I don't have to employ lawyers to decipher all the terms and gray areas that are the GPL (soon to get worse with GPL3). Nor take out insurance to protect users of my code against "oops!", or other potential landmines. Then I can plow all that saved money into creating more BSD code. Instead of increasing aspirin sales.
microsoft...
If you know how much it is going to cost you in the event you get busted, allowing for this, you can determine how worth it it will be to risk such an endeavor.
Now if you can make the cost of getting busted reduced even further then you will have better opportunity to profit over this unfair (anti-trust was named that for a reason) practice expense to you (should you get caught).
Now, with all this, if you can gain 100 million in income in exchange for, at worst, a 1 million dollar cost (should you get busted) which way will you go?
To cheat or not to cheat?
This insurance is not only FUD but promotes dishonesty by providing an excuse level of disconnection from the responsibility of committing a wrong intentionally.
And who pays for the pay out? (cause we all know it will happen, being busted)
The company doing the wrong has just limited their potential losses but the wronged party collects the insurance????
what are the differences in actually getting paid by court order vs. insurance claim?
company A steals code from coder B who then collects 100 million in insurance that company A only paid 1 million for...
Where does the other 99 million come from?
Who is really getting screwed here?
The concept of disconnection comes to mind such that totally disconnected parties pay higher insurance rates...
And what of fair competition? Where is the motive to be fair?
There shouldn't be insurance that protects the dishonest.
Or maybe someone should start selling murder insurance.
Insurance doesn't insure against willful bad acts. Like I have homeowner's insurance on my house which covers, among other things, fire. However if I deliberately set fire to my house, they aren't going to give me anything; that's excluded.
I imagine GPL insurance is the same way. If you accidentally violate the GPL (which is possible; maybe an employee does it and you don't know, maybe the place you got the code from forgot to say it was GPL'd) they'll pay you what it costs to fix the mistake. However if you just rip off GPL code willingly, they'll probably say you are in violation of your policy and refuse your claim.
I guess I shouldn't be baffled about the level of ignorance Slashdot readers have about what this policy is all about and why companies insure things.
If a company built a warehouse and then decided to get the property insured, would that be evidence of some kind of criminal intent?
If an auto manufacturer buys insurance against wrongful personal injury claims, does that make it an evil company that's in the business of building cars that will injure people?
No. Businesses buy insurance the same way you buy health insurance. In an ideal world, neither you nor they will ever have to file a claim. But we don't live in an ideal world.
Look at the name of the company that developed this product, people. "Open Source Risk Management." The point is to mitigate business risks associated with open source in every way possible. When you reduce business risks you don't get fired. You get promoted.
Breakfast served all day!
Over time, IP infringement litigation will occur. This is not an actuarial risk, it is a mathematical certainty. Software patent holders have many tens of billions of dollars of market value at risk here, and as open source continues to gain traction in higher innovation categories (DBMS, AppServer, Web Services etc.) they have a fiduciary responsibility to shareholders to fight back with everything they can, including their IP portfolios. $10M of IP infringement insurance provides a token prize pot for these plaintiffs, but certainly does not address the IP infringement concerns of more conservative IT users who are exploring open source. Patent pools are a Potemkin solution here, designed to create transitory goodwill for the grantors without actually removing the concern. Using an IBM-granted patent from a pool in a product or service doesn't prevent another patent holder, or indeed IBM itself, from suing my customer for infringement in some part of my code. The end message to the customer is that the safe choice is the company that can afford the most lawyers.
Men, think in herds; it will be seen that they go mad in herds...
It has been quoted elsewhere that the cost is roughly 2 percent per million dollars of coverage. So, $2 million coverage would cost you about $40,000 per year. That money can be paid out in different ways under different circumstances, and each client is expected to negotiate a plan and premiums that best suit its own situation.
Note: I am not affiliated with any of these people or this insurance plan, but I have heard the full-length pitch.
I was hoping I would save a bunch of money on my car insurance by switching to gnuco.
Thank you to everyone for the healthy and extended discussion of Open Source Compliance Insurance. It's always exciting to see the level of energy and scrutiny that the Open Source community applies to new offerings. It keeps everyone honest :-))
I wanted to clarify and explain a few things about the offering, which BTW is officially underwritten by Kiln and sold by Miller; OSRM is not an insurance broker. We are an Open Source risk consultancy.
First, let me respond to the idea that insurance encourages infringement. That would imply that once the insurance is in place, you could do whatever you want, which isn't logical. From the insured's perspective, it's a little like saying that because you have homeowner's insurance, you're going to have a bonfire in your living room. Or that because you have auto insurance, you should just ignore all traffic signals. If people (and corporations) behaved this way, no underwriter would ever write a policy. In addition, if corporations are intentionally violating the license agreements, that is not an insurable event, and the policy would not pay them a dime. Hence, no incentive to infringe.
Bottom line: This insurance provides coverage for UNEXPECTED events, which is true for any insurance policy. Just like your homeowner's insurance provides coverage if a tree falls on your house.
OSRM's role is to help Kiln make sure they are taking on an acceptable level of risk, much like an insurance inspector might visit your hillside house to see if it was structurally sound (and not likely to slide into the ocean), before the underwriter wrote you a homeowner's policy, or similar to an insurance company checking your driving record before deciding whether to provide auto insurance.
We perform an on-site code scan and inspection to ensure current compliance with the GPL and other licenses. As the insured, you also need to commit to best practices going forward, such as having appropriate policies and agreements in place for Open Source use. We believe there is nothing to fear in knowing how your own and others' code uses or includes Open Source. If you haven't been keeping track to date, a scan from a Palamida-type product is useful. But a scan can't tell you what, if anything, you would need to CHANGE to come into full compliance -- which is a prerequisite to obtaining this insurance. That is OSRM's role.
Also, please understand that if an infringement event occurs, the client ONLY gets an insurance payment AFTER they have brought their software into full compliance. So, again, there's no incentive to infringe because you aren't going to get paid until you spend YOUR money to bring the software back into compliance. And obviously, you can only get reimbursed for what you spent.
The OSRM compliance review is a great way to give companies accurate information about what Open Source they have in-house, and an incentive to come into compliance (so that they can be insured against unexpected events), and the process helps establish bright-line standards for compliance.
Thanks! Karen Hiser, OSRM
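The on-site code scan described in the post above (finding what Open Source a code base contains before anything is insured) can be illustrated with a small license-header scanner. This is an added example and not OSRM's, Palamida's or Kiln's tooling; the file tree it scans is constructed inline for the demonstration, and the header phrases, file extensions and 4 KiB header window are assumptions. It also shows the limit another poster raised earlier in the thread: a file whose license comments were stripped comes out as UNKNOWN, so the scan can only flag it for human review, not classify it.

```python
"""Minimal open-source license scanner (added example, not OSRM's tooling).

Walks a source tree, looks for SPDX-License-Identifier tags and common
license header phrases, and reports, per file, which license family it
found. Files with no recognisable license text are flagged separately,
because a stripped header is exactly the case a scanner cannot resolve.
"""
import os
import re
import tempfile
from collections import Counter

# Ordered so the more specific LGPL phrase is tried before the GPL one.
# Patterns are assumptions chosen for the demo, not a complete license catalogue.
LICENSE_PATTERNS = [
    ("LGPL", re.compile(r"SPDX-License-Identifier:\s*LGPL|GNU Lesser General Public License", re.I)),
    ("GPL",  re.compile(r"SPDX-License-Identifier:\s*GPL|GNU General Public License", re.I)),
    ("MIT",  re.compile(r"SPDX-License-Identifier:\s*MIT|Permission is hereby granted, free of charge", re.I)),
    ("BSD",  re.compile(r"SPDX-License-Identifier:\s*BSD|Redistribution and use in source and binary forms", re.I)),
]
COPYLEFT = {"GPL", "LGPL"}              # families that impose obligations on linked/derived code
SOURCE_EXT = {".c", ".h", ".py", ".js", ".java"}
HEADER_BYTES = 4096                     # license headers sit at the top of a file


def classify(text):
    """Return the first license family whose pattern matches, else UNKNOWN."""
    for name, pattern in LICENSE_PATTERNS:
        if pattern.search(text):
            return name
    return "UNKNOWN"


def scan_tree(root):
    """Map each source file (relative, '/'-separated path) to its license family."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if os.path.splitext(filename)[1] not in SOURCE_EXT:
                continue
            path = os.path.join(dirpath, filename)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                head = fh.read(HEADER_BYTES)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results[rel] = classify(head)
    return results


def summarize(results):
    """Counts per family plus the two lists a compliance reviewer acts on."""
    return {
        "counts": dict(Counter(results.values())),
        "copyleft": sorted(p for p, lic in results.items() if lic in COPYLEFT),
        "unknown": sorted(p for p, lic in results.items() if lic == "UNKNOWN"),
    }


# Constructed sample tree: one file with its license comments stripped (main.c),
# one GPL file, one LGPL file, one MIT file, and a non-source file that is skipped.
SAMPLE_FILES = {
    "src/main.c": "/* Copyright 2005 Example Corp. All rights reserved. */\nint main(void) { return 0; }\n",
    "src/hash.c": "/* SPDX-License-Identifier: GPL-2.0-only */\nunsigned h(const char *s);\n",
    "src/list.h": "/* This library is free software; you can redistribute it under the\n"
                  " * terms of the GNU Lesser General Public License. */\n",
    "third_party/util.js": "// Permission is hereby granted, free of charge, to any person ...\n",
    "README.txt": "not a source file, not scanned\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="license-scan-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Scan the constructed tree and return the summary report."""
    return summarize(scan_tree(build_sample_tree()))


if __name__ == "__main__":
    report = demo()
    print("license counts:", report["counts"])
    print("copyleft files (review linking/distribution):", report["copyleft"])
    print("no license text found (manual review):", report["unknown"])
```

The report separates two work queues: copyleft files, where the question is how they are linked and distributed, and UNKNOWN files, which may be proprietary or may be copied code with the header removed. Deciding which is the part of the review the post above says a scan cannot do for you.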