The pending, well-publicized patent dispute between Trend Micro, Inc. and Barracuda Networks, Inc. is a good recent example of the fact that open source software ("OSS"), and "free" software generally, is not free of legal risks, including risks of litigation. Rather, litigation is a commonplace occurrence regardless of software development model, and OSS poses additional risks that need to be considered by companies and customers alike when developing, implementing, distributing, or using OSS.
Trend Micro v. Barracuda Networks
Trend Micro is a leading producer of anti-virus and Web security software, and the owner of a U.S. patent (the "'600 Patent") that scans email attachments and other content for viruses and other malicious software. Barracuda likewise develops and sells email and Web security applications.1 A number of Barracuda's enterprise products incorporate "ClamAV," an OSS toolkit that can be used on email gateways to scan messages for viruses. Trend Micro asserts that ClamAV infringes on its '600 Patent.
In September 2006, Trend Micro contacted Barracuda regarding the alleged infringement and sought to negotiate a license for the '600 Patent. When negotiations failed, Trend Micro demanded that Barracuda remove ClamAV from its products. In March 2007, Barracuda filed a complaint in U.S. Federal Court seeking a declaratory judgment that the '600 Patent is invalid and that neither its products nor the ClamAV software infringe the patent. In November 2007, Trend Micro filed a complaint with the U.S. International Trade Commission.2 In July 2008, Barracuda countersued Trend Micro in U.S. Federal Court claiming that Trend Micro infringes three of its patents, which Barracuda recently purchased from IBM in an effort to build an IP portfolio for defense.3 To further assist with its defense, Barracuda has called on the open source community to help uncover material proving that "prior art" existed in the context of anti-virus scanning on a firewall or gateway before the '600 Patent was granted to Trend Micro.
IP Protection And Enforcement: Everyone Must Play By The Same Rules
Despite efforts by Barracuda and certain members of the open source community to cloud the issues and characterize the dispute as a discriminatory attack on the open source community, the reality is that this is a typical patent infringement case pure and simple. Indeed, Trend Micro has been enforcing the '600 Patent for many years and has previously settled similar claims with several non-OSS companies. For example, in May 1997, Trend Micro initiated patent infringement actions against Symantec and McAfee for violating the '600 Patent.4 In both cases, the parties settled, and Symantec and McAfee have since licensed the covered technology from Trend Micro. Thus, far from representing a targeted assault on OSS, the Trend Micro cases - and the cases discussed below - instead underscore two essential marketplace realities: (1) intellectual property ("IP") rights are essential drivers of innovation and growth in the information technology ("IT") sector; and (2) the risk of IP litigation is present irrespective of software development model.
The Importance Of IP
On the first point, IP rights in software, as in other areas of industry, give developers like Trend Micro the incentive to invest in innovative IT solutions that provide customer value and enhance economic growth. Patented technology innovation, for example, accounts for over half the growth of the U.S. economy (and some studies suggest it may be closer to 80% of economic growth).5 Further, economists have found that the strength of a country's IP incentive and enforcement systems is the principal driver of innovation and economic growth across the globe.6
IP Litigation Happens Regardless of Software Development Model
On the second point, it is important to emphasize that there are no special IP rules or exemptions applicable to the open source community; rather, it is held to the same standards and faces the same litigation risks as proprietary software. The fact that Barracuda has attempted to invalidate Trend Micro's IP rights by seeking out prior art, and has purchased several patents from IBM in order to counter-sue Trend Micro - also for IP infringement - is evidence that both parties in this instance understand the need to adhere to the "rules of the game."
OSS Developers And Implementers Are Facing Increased IP Litigation And Enforcement Risks
The Barracuda case also highlights the fact that IP litigation and enforcement actions against OSS developers and distributors - both by proprietary software companies as well as by other members of the OSS community - are becoming more prevalent. For example, in June 2008, OSS leader Red Hat settled a patent infringement suit by Firestar Software, which contended that Red Hat's Hibernate product infringed Firestar's patent relating to a software method for facilitating access to a relational database.7 In August 2007, Network Appliance filed a complaint against Sun Microsystems seeking treble damages and an injunction for alleged patent infringement by Sun's OSS-based ZFS File System.8 Further, in October 2007, IP Innovation LLC filed a complaint alleging infringement of three patents by distribution of Red Hat's Linux System and Novell's SUSE Linux Enterprise Desktop and Server products.9
Other litigation involving OSS, some of which has actually pitted one OSS concern against another, stems from parties' alleged non-compliance with the restrictions in certain OSS licenses such as the General Public License ("GPL"). The Software Freedom Law Center ("SFLC") has been particularly active in filing such suits on behalf of its clients which include the Free Software Foundation. For example, in 2007 and 2008, the SFLC filed a series of enforcement actions on behalf of the creators of BusyBox, a set of Unix utilities licensed under GPLv2, against various IT companies, alleging copyright infringement for distribution of the BusyBox software or a derivative in firmware without making source code available as required by GPLv2.10 Most of these cases have settled, and often the defendant has been forced to undertake costly and burdensome actions that placed serious constraints on its business.11 And just this month the Federal Circuit reversed a District Court ruling and held that an OSS licensee that failed to comply with certain terms of the OSS license was liable for copyright infringement.12
In Europe, open source supporters are likewise aggressively pursuing OSS license violations. For example, a group called the gpl-violations.org project has reportedly enforced the GPL in over one hundred cases since 2004.13 Notably, on September 6, 2006, the gpl-violations.org project prevailed in court litigation against D-Link Germany GmbH regarding D-Link's allegedly inappropriate and copyright-infringing use of parts of the Linux kernel.14 It won another victory in Germany in which the court rejected the defendant's argument that it did not know OSS was installed in the router it was distributing.15
Some Unique IP Risks Of OSS
Due to the collaborative approach to OSS development, and the fact that it is not always possible to trace OSS code back to its origin, the open source community faces the potential for even greater litigation risks stemming from IP infringement.16
Adding to these risks is the fact that OSS is customarily licensed "as is," without adequate representations and warranties or sufficient indemnification that would protect against infringement suits down the road. Indeed, the American Bar Association Section of Intellectual Property Law's overview of OSS licenses notes that "[t]he typical license form does not include any intellectual property representations, warranties or indemnities in favor of the licensee" and that "[e]ven if such representations and warranties or indemnity obligations existed in open source license agreements, it would be difficult if not impossible to recover against the licensor for having licensed infringing code."17 As a result, firms, such as Barracuda, that incorporate OSS code into their products, networks, etc., generally bear all the risk that such code may infringe on the IP rights of others. Equally important, so do their customers.
By contrast, proprietary software licenses typically attempt to mitigate these concerns by including a customer warranty that the software will achieve a specified level of performance, and an indemnity that the vendor will defend and, if necessary, reimburse the user in the event of an infringement lawsuit alleging infringement by the vendor's products.
The known IP risks associated with the use of OSS have become of such concern that major OSS supporters, such as IBM, Philips, Sony, Red Hat, and Novell, formed the "Open Invention Network" (of which Barracuda is a member) to acquire and pool Linux-related patents in an effort to reduce the IP risk faced by customers using Linux.18 However, third-party analysts have concluded that OIN and similar efforts are insufficient to overcome the significant IP risks faced by Linux and other OSS. According to Gartner, "the creation of OIN does not address an issue of great concern to corporate users: If an enterprise or a community of open source software users is sued for using allegedly misappropriated code in a product, the user must possess an indemnification contract asserting a vendor's legal responsibility to defend the user against such infringement - or risk being subjected to the costs of defending against the legal action." Thus, while OIN or similar efforts - e.g., OSS insurance provided by organizations like Open Source Risk Management ("OSRM")19 - may limit certain OSS risks, they are not an adequate substitute for end-user IP indemnification that protects companies and their customers against a much wider set of contingencies and risks.
Conclusion
As the cases and discussion above show, OSS is not free of legal risks, including litigation. Rather, IP litigation happens regardless of software development model, and OSS presents risks - at times unique and significant risks - that need to be considered by companies or customers when they develop, implement, distribute, or use OSS. Efforts such as OIN and OSRM's OSS compliance insurance serve as an acknowledgment by the open source community that as OSS continues to become more commercial, it needs to address IP issues, not ignore them. Proprietary and OSS providers alike must step up and act responsibly by mutually respecting IP, which will lead to increased innovation and economic growth.
1http://edisweb.usitc.gov/edismirror/337-624/Violation/288481/343338/34d/91bbfd.pdf.
2http://www.usitc.gov/ext_relations/news_release/ 2007/er1221ee4.htm.
3http://www.barracudanetworks.com/ns/news_ and_events/index.php?nid=277.
4http://us.trendmicro.com/us/about/news/pr/article/20070124115911.html.
5 See Wendy H. Schacht, "Industrial Competitiveness and Technological Advancement: Debate Over Government Policy," The National Council for Science and the Environment, September, 2000, http://digital.l ibrary.unt.edu/govdocs/crs/permalink/meta-crs-1103:1). See also "Progress Report of the Department of Justice's Task force on Intellectual Property" (June 2006),www.usdoj.gov/opa/documents/ipreport61906.pdf ("Intellectual property is a significant source of the growth of the American economy and a key driver of global economic activity.")
6Robert J. Barro & Xavier Sala-I-Martin, "Technology Diffusion, Convergence, and Growth," Working Paper 5151, Nat'l Bureau of Econ. Research, Cambridge, MA (1995), in 2 J. of Econ. Growth 23 (1997), www.springerlink.com/content/j75547n5451 0230r/).
7 See http://www.press.redhat.com/2008/06/11/red-hat-puts-patent-issue-to-rest/ .
8 See Network Appliance v. Sun Microsystems, No. 9:07cv00206 (E.D. Tex. 2007).
9 See IP Innovation LLC v. Novell and Red Hat, No. 2:2007cv00447 (E.D. Tex. 2007).
10 See, e.g ., Anderson et al. v. Monsoon Multimedia, Inc . , No. 1:07cv8205 (S.D.N.Y. 2007) (settled); Andersen et al. v. Verizon , No. 1:07-cv-11070 (S.D.N.Y. 2007) (settled); Andersen et al. v. Xterasys Corp., No. 07-CV-10455 (S.D.N.Y. 2007) (settled); Andersen et al. v. High-Gain Antennas, No. 07-CV-10456 (S.D.N.Y. 2007) (settled); Anderson v. Extreme Networks, Inc . , No. 08-CV-6426 (S.D.N.Y. 2008); Anderson v. Super Micro Computer, Inc ., No. 1:08-cv-05269-RMB (S.D.N.Y. 2008); Anderson v. Bell Microproducts, Inc., No. 08-CV-5270 (S.D.N.Y. 2008); MDY Industries, LLC v. Blizzard Entertainment et al. , No. CV-06-2555-PHX (D. Ariz. 2008).
11 See , e.g., http://www.news.com/8301-13580_3-9808378-39.html.
12 See Jacobson v. Katzer , No. 2008-1001 (Fed. Cir. 2008), vacating and remanding No. 3-06 Civ. 1905 (N.D. Cal.).
13 See www.fsf.org/news/2007_free_software_awards .
14 See http://gpl-violations.org/news/20060922-dlink-judgement_frankfurt.html.
15 See Judgment, Landgericht Berlin 16 O 134/06 (Feb. 2006).
16For a more in-depth analysis of these and other risks posed by OSS, particularly in connection with mergers and acquisitions, see "Caveat Emptor: The Threat to Value from Target Company Use of Open Source Software," The M&A Lawyer (June 2008), 9-16.
17http://www.abanet.org/intelprop/opensource.html.
18 See http://www.washingtonpost.com/wp-dyn/content/article/2005/11/10/AR2005111000213.html.
19See http://www.osriskmanagement.com/pdf_articles/linuxpatentpaper.pdf.
Published September 1, 2008.