Fear, uncertainty and Linux

SCO claims IBM and Linux have ripped off its old program code. Linux advocates say that's bunk. Nothing will become clear until SCO shows its hand in court.

By Farhad Manjoo

Published August 18, 2003 7:36PM (EDT)

"There is perhaps not the same level of interest in this case as in that of the O.J. Simpson trial," says Gordon Haff, a technology analyst who's been closely following the multibillion-dollar lawsuit that the SCO Group, a small Utah software firm, filed against IBM in March. Cable news networks are not clamoring to cover every development in the complex contract dispute. "I do not expect to see it on Court TV anytime soon," Haff says.

But in open-source software circles, SCO's suit has achieved trial-of-the-century status. SCO owns the copyrights to decades-old Unix code, and it has accused IBM of secretly stuffing this code into Linux, thereby making Linux "an unauthorized derivative of Unix." To fans of Linux, SCO's claims seem at once preposterous and dangerous, and the lawsuit has set the community buzzing: The press (embodied by the likes of Slashdot and Linux Journal) is all over it, the pundits are in high gear, everyone believes himself an expert on the issue, and, like the best celebrity trials, the whole thing keeps getting curiouser and curiouser.

On Aug. 5, SCO made its boldest claim yet: Because the company believes that everyone using Linux is illegally using SCO's technology, the company released a price list detailing how much money Linux users should pay SCO if they want to continue using their beloved open-source OS without facing any legal troubles. SCO wants $199 for every desktop computer running Linux and $699 for every server (though that price will rise to $1,399 in October).

According to SCO, these prices are reasonable -- Linux is, after all, a pretty good operating system. "We compared Linux to our Unixware product," says Blake Stowell, a company spokesman, referring to SCO's Unix-based server system. Since Unixware sells for $1,400, SCO determined that a Linux server at $700 would be a steal.

But wouldn't Linux users balk at paying hundreds of dollars to use an operating system they'd long believed was free? SCO is unmoved by this question. To the people who thought they could get a good operating system for nothing, "I guess all I can say is, if it sounds too good to be true, it probably is," Stowell says.

According to SCO, many major corporations have expressed interest in buying its Linux licenses, and one firm, a Fortune 500 company that SCO says "recognizes the importance of paying for SCO's intellectual property," even purchased licenses for its Linux servers. Blake Stowell says that terms of the deal prevent SCO from naming the company or disclosing how much money it paid, but he notes that SCO considers the amount "significant -- it was not a small number." He adds that he's confident that the company will soon announce more sales, and "hopefully we'll be able to name some of those companies." On Thursday, SCO announced that during the third quarter of 2003, it made more than $7 million from its efforts to license its Unix code.

News that SCO has made some money selling rights to its code failed to convince many of its critics that the company has a valid case against Linux. "I think it's amusing that they were willing to put out a press release for one licensee, and on top of that it's a licensee who's ashamed of doing business with SCO," says Don Marti, the editor of Linux Journal.

Marti and other critics see the licensing announcement as just one more rhetorical escalation by the company -- just about every week, SCO puts out statements crowing about another apparently trivial "development" in its case, an effort designed, open-source advocates say, to garner ever more public attention for its claim that using Linux is illegal and somehow dangerous. This is particularly galling to Linux devotees since, in their view, SCO has not publicly provided any real evidence of infringing code in Linux.

In the first few months after SCO filed its case, many large firms selling open-source software seemed to be staying out of the imbroglio; even IBM was not very vocal in its defense of Linux. But on Aug. 6, IBM filed a forceful countersuit in the SCO case, charging SCO with violating IBM's own software patents and with causing unnecessary harm to IBM's Unix and Linux businesses.

In an argument that many others in the open-source community have long been making, IBM also noted that because SCO had itself once sold a version of Linux under the GPL (General Public License) for open-source software, it had explicitly disclaimed any rights to all code in Linux. (On Thursday, the Wall Street Journal reported that SCO's lawyers plan to argue that the GPL violates copyright law and is therefore invalid.) On Aug. 4, Red Hat, the top Linux company, also filed suit against SCO. The company claimed that SCO's public comments had damaged Red Hat's business, and it asked a judge to issue a declaratory judgment stating that Red Hat's products do not infringe on any of SCO's copyrights.

The lawsuits -- both the SCO-IBM case and Red Hat's separate suit -- are destined to be long-term affairs, and to the extent that SCO is successful at creating actual uncertainty in the marketplace regarding the legality of Linux, the worries are going to linger. So far, according to almost every reliable expert on the matter, Linux users don't seem to be very nervous. But if SCO keeps up its rhetorical war -- and especially if a few more big firms decide to pay SCO off just to make it go away -- Linux could face some problems in the marketplace. Risk-averse corporations, especially, might think twice about using the system.

"It really wouldn't make sense for a company to rip out its Linux servers and put something else in right now," says Gordon Haff, the tech analyst who contrasted this case with the O.J. trial (Haff works at Illuminata, a research firm in New Hampshire). "But if they're thinking of a Linux rollout a year from now and they're also considering alternatives like Windows and maybe Solaris and others, then they might consider this small risk associated with Linux."

Can IBM, Red Hat and other Linux firms successfully combat SCO's claims in the media? Foes of open-source software -- with Microsoft taking the lead -- have long been saying essentially what SCO says now: If Linux seems too good to be true, maybe it is. Maybe there's a catch to it. Maybe using it could land you in trouble. And maybe paying for your operating system is not such a bad idea after all.

It is not quite true, as SCO's opponents say, that the company has refused to provide any proof of its claims. Since June, SCO has been offering to show its code to anyone willing to sign a strict nondisclosure agreement requiring them to keep what SCO presents confidential. But by many accounts, this provision has greatly limited the number of qualified people who can see the code.

According to Ian Lance Taylor, one developer willing to sign the NDA, the contract prevents the signer from revealing anything you see in SCO's presentation, even code that you previously knew about. People who work on Linux, then, would not be able to sign the NDA, "as it easily could prevent them from ever again working on the kernel," Taylor wrote in an account of his visit to SCO's headquarters that was published in Linux Journal in June.

Taylor's article, which was cited in many blogs and discussion sites, has become proof to some people that SCO is blowing smoke. Chris Sontag, a vice president at SCO, showed Taylor two source files -- one he claimed was from SCO's Unix code, and one from Linux. "The identical portions of the code were highlighted," Taylor wrote. "There were indeed substantial similarities in the code: very similar comment text, the same variable names, the same algorithm. There also were some differences, but it seemed quite plausible that both pieces of code came from the same source." But SCO refused to show Taylor a "revision history" of the files, meaning that it was impossible for him to tell which code appeared where first. Was the code in the Linux file taken from the Unix file, or was it the other way around?

Taylor noticed another chink in SCO's argument: "The code is fairly trivial -- the kind of stuff I wrote in school," he wrote in Linux Journal. "The similar portions of the code were some 80 lines or so. Looking around the Net, I found close variants of the code, with the same comments and variable names, in sources other than Linux distributions. The code is not in a central part of the Linux kernel. The code does not appear to have been contributed to Linux by SCO or Caldera. The code exists in current versions of the Linux kernel." (Taylor also added that "SCO's example unsettled me by what it implies. Although in itself trivial, it does suggest that some Linux contributors may have been careless about copyright infringement. That is unfortunate.") In an interview, Taylor said that SCO told him there were many more examples of infringing code, but he wonders, he said, "why they wouldn't lead with their best stuff."

When asked about reactions like Taylor's, Blake Stowell, of SCO, gave a puzzling answer. Many of the people who have been unimpressed by SCO's presentation "have not been developers," he said, and they may not have understood the importance of what they were seeing. (Taylor, in fact, is a developer.) Stowell then pointed to several technology analysts who had seen the code and came away thinking that SCO could possibly have a case -- but none of these people are developers.

One analyst Stowell cited was Laura DiDio, of the Yankee Group. DiDio, a personable woman who has been covering technology for decades, first as a journalist and then as an analyst, says that one of her strengths is that "I call it as I see it -- I have no qualms about criticizing any vendor." And when it comes to companies who have bet their fortunes on Linux and other open-source software, Didio says she sees much to criticize.

"The thing about Linux is, you can talk about a free, open operating system all you want, but you can't take that idea of free and open and put it into a capitalist system and maintain it as though it is some kind of hippie commune or ashram," she said in a phone interview from her home in Massachusetts. "Because if you can do it like that, at that point I'm like, 'Pass the hookah please!'"

DiDio did not sign an NDA to see SCO's code -- doing so is against the Yankee Group's policy -- but she says she did give the company her word that she would not violate the terms of the agreement. It is not clear whether she was shown the same code that Taylor was shown, but she was slightly more impressed by what she saw. "It appeared as though the Unix System V code" -- that is, SCO's code -- "complete with the developer notes had been copied and pasted right into Linux," she said. "OK now, that said, that is not empirical proof of anything. It's just what it looked like to me, and they showed us snippets of things, so I can't state with absolute certainty what it meant. But what I came away thinking was that if this is what it appeared to be, then SCO has a credible case."

Taylor and DiDio did not react especially differently to SCO's presentation; they both say that what they saw did not either prove or disprove SCO's case, and they only appear to differ in which side they're more willing to accord the benefit of the doubt. At the very least, it can be said that SCO's case is not cut and dried -- but neither, it seems, will IBM's case be a slam dunk.

But DiDio makes an additional argument: If SCO is right, she says, then Linux customers all over the world could be in hot water. Why, then, aren't IBM, Red Hat and other Linux vendors addressing this apparent risk with their customers? She notes that "neither IBM nor Red Hat are offering their customers any indemnification" -- that is, insurance against the lawsuits threatened by SCO or, for that matter, any other company that might come along at some point to claim that Linux might be infringing on a copyright. "Why is the world's No. 1 computer company not willing to offer any type of indemnification for Linux? Why are they not saying so publicly? They're afraid that they could lose, and so if they lose that would be a very big payout." What does it say about Linux if the big companies who sell it aren't willing to warrant that it's legal?

Red Hat, despite repeated requests, was not available for comment on the SCO case. When asked about indemnification, Trink Guarino, a spokeswoman for IBM, said that because Linux is an open-source program, "no single company provides it, and users understand that there are no warranties or indemnities that come with it, and that no single company can indemnify it." Guarino also sent Salon an internal memo that IBM's executives recently sent to its sales team. The letter tells salespeople that they should inform customers that SCO's case is baseless and that they have nothing to fear from Linux. "Make no mistake, SCO will continue to look for ways to create fear, uncertainty and doubt -- FUD, not facts, remains the focus of SCO's efforts," Bob Samson, an IBM vice president, wrote. "As the lawsuit continues, understand that the industry will resolve it. In the meantime, if you get questions, as always, send them to this ID or contact your local counsel."

But if IBM truly believed that SCO's case was FUD, Laura DiDio wonders, why isn't it telling its customers that it will assume any legal risks they incur in using it? DiDio notes that this is a standard practice for proprietary operating system sales. "If Linux is going to take its place as an enterprise server and desktop operating system alongside Unix and Windows and Netware and Apple Macintosh, it has got to be certified ready and worthy not just from a technical standpoint but from a business standpoint," she says.

What DiDio does not note, though, is that indemnification, like any form of insurance, costs money. Part of the reason proprietary operating systems cost as much as they do is that the companies you purchase them from pay for this insurance and then they pass the cost on to customers. And for software released under the GPL, indemnification might cost more -- not because open-source software carries any measurably greater risk, but because, in a highly technical, actuarial sense, the risks associated with open-source software might just be harder to calculate, says Gordon Haff. If IBM and Red Hat refuse to indemnify their customers, they're not necessarily saying they believe their customers are at risk; "they're saying that there are unknowable things in the world -- including potential intellectual property issues -- and for them to stand up and offer a potentially open-ended indemnification would be fiscally irresponsible," he says. "I think executives and lawyers get very nervous about indemnification clauses."

That may be a reasonable explanation for why Linux comes without indemnification, but it is not one likely to satisfy folks who might be just a bit wary about using the free OS when, every day, SCO is calling it illegal. If you keep using Linux and then, contrary to all expectations, SCO wins big in court, could you find yourself owing SCO a great deal? How much will you be liable for if you simply ignore SCO?

"I'm confident you'll owe nothing," says Lawrence Rosen, the general counsel of the Open Source Initiative. Under several theories of law, even if SCO wins against IBM, it will not be able to recoup money from users of Linux, he says.

For one thing, Rosen says, if IBM pays SCO its damages, then SCO is, in a legal sense, no longer damaged -- and can't claim money from anybody else. "There's a principle in the law that says that you can't double dip for your damages," Rosen says. "Lets suppose that you get into a three-car pileup and you sue one driver and he pays you out in full. Are you entitled to sue the other car? No. That would be paying twice for your damages."

If SCO proves and wins its case, then you, as the buyer of Linux, will have essentially purchased stolen goods -- though you believed it to be legitimate. Can someone sue you for using a product that you believed was legal but that later turned out to be stolen? That's unlikely, Rosen says. "This is unlike the big debate that's going on in music," he says. "Remember, you're not an infringer just because you played a piece of copied music -- you're an infringer because you copied it or distributed it. With Linux, you're typically just using it, not selling it or copying it. If I'm just using it, how am I infringing?"

Rosen's position seems logical, and if you're using Linux, there appears to be little to fear. SCO can't get you just for running an operating system, even if it insists that it can, and even if IBM won't indemnify you against its lawsuits.

But there is still a risk for Linux, Rosen says: It's that, in the apparent uncertainty created by SCO and others, people just don't know whom to believe. "I think that's the real problem of the SCO lawsuit is that it raised all these concerns," he say. "A company or a product has to deal with fear -- fear exploited by its enemies, its competitors. This fear has to be explained away by the company. What we have to do is tell people, 'Look, software is written by human beings and human beings do things -- and we are undertaking a process to minimize risks.'"

The question for Linux is, can people overcome the fear?

Farhad Manjoo

Farhad Manjoo is a Salon staff writer and the author of True Enough: Learning to Live in a Post-Fact Society.

MORE FROM Farhad Manjoo

Related Topics ------------------------------------------

Copyright Intellectual Property Linux