Redmond Negotiator

Patents, Patches and Patently Absurd Ideas

Microsoft's most recent patch Tuesday wasn't just about security, it also patched a licensing problem. Here's why you can expect to see more patches like this in the future, and why patches won't be the end of it.

• By Scott Braden
• 04/21/2006

Since I'm the licensing geek, the interesting part of this patch Tuesday is the ActiveX patch to Internet Explorer. It's not fixing a technical problem at all, but a licensing problem (more details here and here).

Basically, Microsoft's legal loss is causing pain for system administrators all over the planet.   I'm not throwing stones at Microsoft; my purpose is to point out something what YOU should be watching out for in all of your purchasing and vendor relationships -- not just Microsoft, and not just software.

You see, more and more of the products and services we (and our companies) buy and use contain a significant "intellectual property" component. Ask any lawyer; "IP" is one of the fastest-growing specialization areas in law.

And if you've been paying attention, you're aware of the building backlash against "patent abuse" and the lower-profile but more common threats of vendor copyright infringement. Here are some examples:

• The recent Blackberry/RIM fiasco.
• The whole SCO/IBM/RedHat/Novell/Linux lawsuit mess over who wrote what code and who owns it and who owes what royalties to whom. If you can keep all of this straight, you're probably a lawyer.
• IBM's "fat line" patent suit against Sun.
• Amazon's infamous "1-click" ordering process patent.
• Here's one trend you might have missed: Many companies are patenting business processes. (So what happens if you've outsourced a key function, and that outsourcer get sued, and the court issues an immediate "cease and desist" injunction?)

The list goes on and on, and continues to grow everyday as more companies and their IP attorneys realize that suing people and convincing a non-techie judge they're in the right is an easier way to get cash than by selling a better product or service.

My point is not to gripe about patent and copyright abuse, but to point out to you, the smart and aware reader, that:

1. Aggressive patenting and copyrighting (collectively, "IP") is a business strategy that more and more vendors are embracing.   You're only going to see more of these lawsuits, not less.
2. The vendors use this aggressive IP strategy for several reasons. For big players, it's simpler/cheaper to just patent or copyright everything that your labs or developers churn out, than to worry about what's truly new or unique. U.S. laws make it relatively simple for large companies to do this. More importantly, your IP collection becomes a source of revenue, because anytime a competitor gets big enough to be dangerous, you can slap a patent or copyright infringement lawsuit on them to distract their management, scare their investors, scare their customers, and drain their cash and key employees, while you continue to compete, sell or register new patents. And besides, even if your lawsuit is baseless, your patent is worthless or your copyright not truly protected, you can still win by forcing the other company to settle, or spend themselves out of cash, or scare off their customers.

So what's it mean to you, the customer? As you probably realized during the Blackberry mess, or maybe earlier during the SCO/Linux mess, lawyers go after the money, and if you're a big enough target you may get sued for using a product or service even though you only bought the thing -- you didn't design, produce or sell it.

Even if the lawyers ignore you, you may still be forced to abandon a product or service on short (or zero) notice if a court issues an injunction. This nearly happened in the RIM Blackberry case, leading CIO's all over the planet to sprout a few more gray hairs as they scramble to make backup plans and buy alternative equipment.

So, what should you do about it? Well, find ways to protect your backside, obviously.

Make sure your pre-purchase due diligence includes both a legal review of the contracts, looking closely at terms for "indemnification" by the vendor, but also doing a little digging to see if there are any suits pending that perhaps haven't made headlines yet. And also, in your vendor's business viability assessment, don't just look at their financials, but also consider their competitors in this and other markets.

For example, you may like a mid-sized vendor's solution for a certain business need.What other un-relatedproduct lines does the vendor offer? Do any of those compete with a vendor like IBM that has a history of aggressive IP protection? What are the chances that IBM (or whoever) will launch a lawsuit?  

Getting back to Microsoft, and giving credit where it's due, its volume licensing contracts have one of the most clear, fair and transparent indemnification clauses of any vendor out there. And you won't find many cases where Microsoft sues other vendors for IP infringement. Ask for the same from your other vendors.

Speaking of vendors, if you're using or considering open source software (including embedded kernels in things like network all-in-one appliances)…who's your vendor? Who will protect you against lawsuits resulting from open source IP infringement?

As long as you're checking out your vendors' IP safety nets, don't ignore your current, in-place products, vendors and contracts. When's the last time somebody did a legal risk assessment on your core business applications? How about checking all of your existing contractors and outsourcers for pending lawsuits? Remember business processes can be patented. And the Patent Office has granted some process patents for processes that would seem pretty obvious to anyone who's been around IT for long… but you or your outsourcer can still get sued anyway.

With any vendor or purchase decision, you always want to have a backup or disaster recovery strategy. Remember, "single point of failure" applies to vendor management as well as technology design.  

One more thing: Please do yourself a favor and bring together your business continuity/disaster recovery team, your corporate risk management team, your legal/vendor contracting team and your IT folks to all talk about this. I'd hate to see you be the one who gets fired, when really this is a multi-departmental, company-wide challenge.