Business users worry that open-source could mean open season for lawyers

1 January 1970

Shawn Henry, a software engineer, swivels around in his chair, squints at his computer screen and punches up a long list of software code files that document his company's latest headache.

These are files for a coming release from Service Integrity, a company based in Newton, Massachusetts, selling software that helps businesses mine their data for customer leads. Each file highlighted in a bright color represents a match with known "open-source" code covered by a license.

And each match represents a potential problem that Service Integrity must resolve.

Henry calls up a pair of windows crammed with identical lines of code. He quickly picks out an open-source file that is using borrowed code that can be traced to a popular Web site devoted to macabre puzzles.

"Uh-oh," he says, shaking his head in recognition. "Deadly Room of Death. This is something we don't want in our product."

Similar scenes are playing out at many U.S. software companies and other businesses as engineers frantically search their files for something they hope not to find: open-source components.

The improper use of open-source components, in the worst-case scenario, could subject companies to costly litigation from parties like SCO Group of Lindon, Utah. SCO says it owns intellectual property in the Linux open-source operating system and has set off alarm bells in executive suites by suing International Business Machines and three other Linux-using companies over the past year.

"It's almost like you've got to be a lawyer now to develop software," said Jothy Rosenberg, chief executive and chief technical officer of Service Integrity, who this month ordered a 24-hour scanning of his company's Sift 3.5 software during a "code freeze" before its introduction.

"In this day and age, anybody building a commercial piece of software has got to do this. It's like buying insurance on your building."

There are no hard numbers on how much U.S. businesses are spending to prevent themselves from possibly infringing on open-source licenses. While few say that the problem rises to the level of the "Y2K" problem - adapting numerous programs to display four-digit numbers for years after 1999 - many say it has become pressing and costly. Some liken it to the Sarbanes-Oxley financial reporting requirements that have rattled executives at publicly traded companies. And the problems are related, in that Sarbanes-Oxley requires public companies to value their software and assess their litigation risks.

Open-source software is freely available to use, distribute and modify, but it is subject to large and small restrictions set forth in dozens of open-source licenses. Some companies, like Avid Technology, which makes digital film editing machines, have sought to avoid license conflicts by banning open-source software. Others have persisted in using open-source code but have purchased scanning software or set up search engines to hunt for license conflicts they can resolve through proper identification or attribution.

The most serious conflicts, highlighted with red bars in the Black Duck protexIP software used by Service Integrity, involve code covered by the so-called General Public License. Under that license, anyone who acquires and modifies open-source code must make their modified versions freely available to the public.

Depending on how many files of code are covered and what is in them, such a requirement can sometimes be a major impediment for a proprietary software company.

Among the scariest aspects of the problem is that many business executives do not know whether open-source code is in their software, or they mistakenly presume that they have none. Either way, they could be setting themselves up for a lawsuit.

Software developers working on "value-added" applications routinely borrow pieces of open-source code as building blocks for such functions as encryption, security or platform interfacing.

Offshore programmers for American companies have become especially adept at grabbing lines of open-source code and mixing them with proprietary code in progress.

"There are corporations that literally don't know what lurks in their code," said Douglas Levin, president and chief executive of Black Duck Software, a start-up company. Black Duck developed its scanning software partly by assembling a giant repository of open-source code, employing a young team of "spiders" to sift through Web sites looking for open-source lines and patterns.

Black Duck was one of the first companies to recognize the opportunity. But others - law firms, consultants, software developers and technology service companies - also are moving to capitalize on the jitters that have been spreading in the business world. Optaros, a consulting start-up, is offering to provide its clients with open-source audits, examining how they use the software and advising on licenses.

Levin estimated that the market for all companies addressing open-source litigation risks could total $500 million by 2005.

"There are a lot of challenges for companies working with open-source software, but they're manageable," said Robert Dezmelyk, president of LCS Telegraphics, a software services company that may branch into the area of license conflicts. "Open-source is here, and companies have to deal with it, just like you have to deal with snow in New England."

Open-source has been around for two decades as a favorite tool of computer scientists and technology-minded college students, but it only recently has moved into the business world.

IBM's decision to support Linux in 1999, partly as a counterweight to the dominant Windows operating system sold by its rival, Microsoft, brought open-source software into corporate data centers, where it has gained momentum among users of large servers, the machines that form the backbone of business computer networks.

But the corporate love affair with open-source cooled in March 2003 when SCO sued IBM for more than $1 billion, alleging that it had introduced into Linux proprietary code misappropriated from SCO. And SCO has since sued DaimlerChrysler, AutoZone and Novell, the company that sold SCO the source code and patents from the Unix operating system that was a model for Linux.

About 1,500 other Linux-using companies received warning letters from SCO. Businesses fear that SCO's flurry of lawsuits may be a sign of trouble to come.

"What SCO has done is to throw down the gauntlet," Scott Nathan, a lawyer, said. "If SCO is successful, there are going to be copycats."

Nuisance suits related to open-source could prove a worrisome distraction for companies that have belatedly embraced the technology as a cost-saving measure.

"If you're Wal-Mart and you have embedded Linux in every cash register, you might be seen as a deep pocket" by litigious SCO copycats, said Thomas Carey, an attorney with the Boston law firm Bromberg & Sunstein.

Much of the rush among software start-ups like Service Integrity to shield themselves from lawsuits is being driven by the venture capital firms that finance them.

"If we violated something and get sued, their investments would vaporize like that," Rosenberg, the chief of Service Integrity, said.