Open-Source Insurance
Beatles-Beatles writes to tell us that several insurance agencies have formed a partnership to offer open-source compliance insurance. From the article: "The insurance will cover up to $10 million in damages, including profit losses related to noncompliance with an open-source software license. The policy could, in some cases, cover the cost of repairing code that was found to infringe on open-source licenses such as the General Public License, which is used with the Linux operating system."
So, just like other policies, how much will it cost? $100? $1 million? It's kind of pointless to talk about the $10 million coverage when you don't know how much it will cost...
Much better to take on an insurance against SCO than this FUD disguised as "insurance".
Is the GPL (or other open source licenses) that complicated that you just can't hire (or task) someone to review your development practices to be in accordance?
Well, it's Lloyd's of London subdivision offering this (the same people who insure body parts), so it's probably more publicity than anything.
Intermediate: Insurance company knows that no open source developer has the money to sue, even if they would be able to discover that their code had been stolen.
Now: Big company takes insurance and starts stealing open source code, because they feel there is no legal risk anymore.
In the end: Open source developers get screwed once again and the only people getting rich over it are the lawyers. Nothing new here.
Any person in any corporation buying this should be subject to instant dismissal. If you are a shareholder in a company that buys this, then you should sell your shares immediately, as it is clear proof that the management is corrupt or incompetent.
The Institute of Chartered Accountants should be expected to recognise it as a symptom of malpractice, and if auditors fail to recognise it as such, then the auditors are also guilty of malpractice.
Sent from my ASR33 using ASCII
Insurance is about transference of risk. You pay the insurance company to assume the risk for you.
Now that that's covered, tomorrow, we'll learn "how to tie your shoes" and "eating with a spoon."
Yeah you can...
There are only a limited number of ways of solving certain problems, so if entire functions look pretty much the same, it wouldn't be too surprising (unless comments are the same too... then it's fishy)
If you never filed a claim under the camel system, you still didn't get your money back if *someone else* filed the claim. Now extend the camel system to cover 400,000 camels for a small insurance firm. And furthermore, one unlucky camel every year doesn't just get lost, he gets ordered by a judge into the custody of a third party along with 99 camels that that trader doesn't own, with the lawyer getting forty of them on contingency fee, because the camel stamped on some idiot's foot after the idiot tried to fit him through the eye of a needle in a fit of curiosity.
Help poke pirates in the eyepatch, arr.
I seem to remember interning for (ironically enough) an insurance company's IT department a few summers ago and hearing about how they took out liability insurance on pretty much all of the open-source tools they used. This even included things like Perl, where the chances of being sued are fairly small, just to be absolutely sure. Furthermore, it sounded like they'd been doing this for a while.
I suppose that their policies might not have covered the costs to get it into compliance and other such expenses. Still, I'm sure that huge companies like IBM have been careful to insure against such possibilities for years. It would be foolish for them not to.
What businesses REALLY need is insurance against Microsoft (and other BSA member companies) licence violations.
SERIOUSLY
Because for any reasonable-sized organisation it is very expensive to do a license audit, and almost impossible to be sure that you're completely in compliance. Many businesses have found that it's easier and cheaper to just buy a completely new set of licenses than try and figure out if the ones they already have cover everything they're running.
And because if you're not in compliance, even by just a little bit, you _will_ get hit with substantial fines which cost a LOT of money to fight in court.
Really, you pay the insurance company to assume a small portion of risk, the rest of your payment goes to other larger insurance companies to re-insure the company you pay to, and anything left over goes towards litigation of claims and lawyers.
This isn't exactly new. If we keep it up with the OP, reinsurance would be a bunch of camel trading groups getting together, so if one group got hit by horrible weather and many in their group died, they'd claim against the whole co-op. It has to work this way. Imagine being a south-asian insurance company without reinsurance when the tsunami hit, they'd have to file for bankruptcy immediately and hardly anyone would get their claim. The rest? "Well your camel was old and weak" "You didn't treat that wound properly, it's your fault it got infected". There's always trouble like that, and perhaps even insurance fraud (making sure it dies on a well-insured trip).
Around here there's no law against non-profit insurance companies, but all the major ones are commercial. I mostly prefer it that way, because they have the right incentive to make sure every claim is legitimate and that people pay according to the risk they contribute (every customer should be "profitable", on average). There are some bad with the good, but overall I think a non-profit company would be relying too much on honesty and solidarity to deal with people abusing the system.
Live today, because you never know what tomorrow brings
There is indeed such a thing as "accidentally" infringing on open-source code licenses. You see, while the individual developer who copies the code is usually aware of its legal encumbrances, it would be quite easy for the corporation's management, board of directors, and shareholders to be unaware of the legal deathtrap the lowly developer employee is leading the company into. And lest we remember, it is the CORPORATION that would be found to have infringed the copyright, not the employee. The corporation would face responsibility for what its employee did. From this perspective, having insurance against such things might not be such a bad idea.
And by the way, I would wager to bet that a non-trivial percentage of employed developers are unfamiliar with the specifics (or fundamentals) of the GPL and other common licenses. Also, there are many scenarios in which miscommunication between employees and management could lead to unintentional use of open-source code. Who knows, maybe an employee is even deliberately trying to get the company into hot water.
Someone else here mentioned that this kind of insurance would make it easier for bigger companies to violate open-source licenses, since they'd be shielded from any legal damages. In response to that, allow me to introduce you to the phrase "Insurance fraud." Don't think for a second that these insurance companies won't be carefully poring over company documents, correspondence, etc., to make sure the infringement was indeed "accidental" in whatever sense the word becomes defined as.
As someone else said, probably the only question is whether these companies can speculate the open-source-infringement-lawsuits world accurately enough to stay profitable. It seems to me that's easier said than done, but I do think the idea makes sense in theory at least.
Defending copyright infringement of any source code is ridiculous. You can't accidentally copy a line from someone else's program to yours. Infringement is only deliberate.
That issue is not quite simple. Like another poster pointed out, you can end up with code that looks a lot like an OSS implementation quite by chance simply because there is a very limited number of ways to solve a certain problem. Another way you could end up in trouble because of OSS is if one of your developers decided to cut corners on a project and rips code from an Open Source project without telling you, or if you merge with another company and find out that they have built Open Source code into the application code that you acquired in the merger. If these developers strip off the comments and hide their tracks well, it might not be obvious at all to you or your code reviewers that the code came from an OSS project. One other way you could get into trouble over Open Source software is if you produce a commercial application that links to Open Source libraries. From what I know it is not at all legally clear in some countries whether this qualifies your commercial application as a derivative work. If somebody takes you to court over this and the judge rules an app that links to Open Source code is a derivative work, you would be in trouble. In all of these cases (except perhaps the last one, since it is still a legal gray area) it would be hard to accuse you of 100% evil and deliberate IP theft or infringement, and I can see how an insurance that protects you during a resultant lawsuit and the subsequent repair work to get rid of the infringing code might come in handy if it isn't too expensive, especially for a startup company.
Only to idiots, are orders laws.
-- Henning von Tresckow
It wasn't too long ago that some source code for Windows was stolen/leaked, and all the major OSS players recommended to their devs that they AVOID IT AT ALL COSTS.
Not because they were worried that the devs would intentionally steal the code, but because they were worried that they'd read something clever, store it in the back of their minds, and then use something similar UNINTENTIONALLY to solve some OSS problem.
Why should the other way be any different?
Shit happens. That's why people buy insurance.