David Berlind's Reality Check
By David Berlind
February 18, 2004
The first time I heard the word "indemnification" as it pertained to Linux was just over one year ago at last year's LinuxWorld in New York City. It was close to two months before SCO fired its first litigious shot at IBM. I was eating dinner with Jonathan Schwartz, Sun executive vice president, and some other journalists. SCO had already started rattling its saber and threatening litigation, and indemnification was among the many topics that Schwartz wanted to cover during the meal. Schwartz asked how enterprises at this point could move forward with their Linux plans if the solution provider were not willing to indemnify its customers from liability. In comparing IBM to Sun, Schwartz spoke of IBM's failure to indemnify customers while drawing attention to the x86-based version of Solaris for which Sun was promising indemnification. Now that a year has passed, the indemnification issue is front and center and the response from SCO's opposition is confusing and anything but unified. In addition to being sued, SCO has filed additional lawsuits and is threatening more while its opponents are testing various legal policies in an attempt to jockey for competitive position in the Linux marketplace. To date, three Linux-focused companies--a true Linux distributor (Novell with its recently acquired SuSE) and two resellers of Linux distributions (HP and Sun)--have announced Linux indemnification programs. Meanwhile, Red Hat, the most popular distributor of Linux, has promised to replace any source code that's found to be infringing on a copyright. The company has earmarked a recent $1 million contribution to the Open Source Now Fund to help defray the legal costs of open source developers and academic institutions that become entangled in SCO's legal web. 
Meanwhile, with the backing of IBM, Intel and MontaVista Software, the Open Source Development Lab (OSDL)--employer of Linux kernel patriarchs Linus Torvalds and Andrew Morton--has established a separate legal defense fund with the intention of helping "some Linux customers that come under litigation from SCO," according to Stuart Cohen, OSDL executive director. IBM was the first and largest company to be sued by SCO, but it has yet to offer indemnification of any kind to customers. In addition to its contribution to the OSDL defense fund, IBM helped bankroll Novell's acquisition of SuSE, a move that amounts to an indirect indemnification play if you believe my analysis. For Linux customers, the highly fractured response on behalf of the Linux community has resulted in more questions than answers. For starters, what is indemnification, when do you need it and are all forms of it created equal? If they're not created equal, what are the differences, are there any strings attached for those being indemnified and what are the alternatives? Could indemnification result in a false sense of security when it comes to other forms of legal exposure? How can companies like HP and Sun, which don't have their own distributions of Linux, offer indemnification? Even stranger, how is it that HP can offer indemnification on a version of Linux that even its distributor (Red Hat) won't indemnify? This raises the question of what happens when an HP customer running Novell's SuSE Linux must invoke its rights to indemnification. Which of the two indemnification agreements takes precedence in addressing the customer's needs? Finally, does IBM's and Red Hat's failure to offer indemnification amount to a lack of confidence in their legal standing versus SCO that enterprises must take seriously when selecting Linux distributions and solution providers? Or, is it a sign that real indemnification is impossible to achieve, therefore rendering the three existing programs as less than they're cracked up to be? Or, is it as they have maintained in their public statements, that the claims don't warrant extraordinary indemnification measures?
According to Joe Rosenbaum, a partner with the international law firm ReedSmith and head of the firm's ecommerce group, indemnity is when one party holds another party harmless in the event that, as a result of a contract that exists between the two, a third party brings a claim against one or both of the original two parties. "Unlike with a breach of contract," said Rosenbaum, "when you offer someone indemnity, you are acting as if you are the insurer with respect to third party claims. If SCO is that third party and it sues you, the company that's holding you harmless will stand between you and SCO as a shield. It's as if they are saying, 'I will hold you harmless. I will pay for your lawyers and I will absorb any damages you sustain as a result of entering this contract with me.'" In his detailed explanation of indemnification for mortals, Rosenbaum outlines the ideal indemnification contract and the indemnity-related questions that any company should be asking of its IT solution providers. The bottom line? If you've been accepting solutions from your providers without using your buying power to establish indemnification, you are putting yourself at unnecessary risk. For the many savvy IT shops (GE is rumored to be one), such negotiations are par for the course.
When do you need indemnification? Unfortunately, just about everybody using or supplying Linux-based solutions was operating under the assumption that being sued for the misappropriation of intellectual property was impossible. With companies like IBM, Dell, and Oracle heavily promoting Linux as a viable low-cost alternative to other operating systems, few people thought to ask, "If you're so sure this won't subject me to some form of legal risk, can you put that in writing?" For the many of you who deployed a Linux-based solution sans indemnification, should you seek protection now or wait? And, if you should wait, what threshold must be crossed before you take steps to mitigate your risk? For many, the answer to these questions has to do with the likelihood that SCO might succeed in its legal endeavors. It's like basing the decision to get collision insurance for your car on the likelihood that you're going to get into a fender bender while traveling down a desolate stretch of highway. Overwhelmingly, users of Linux have dismissed the SCO lawsuit as unfounded and ridiculous, seeing no need to seek legal shelter. If you're in that group, the question you must ask yourself is whether you reached that conclusion based on your own study of the merits of SCO's claims or based on the opinions of others who you assume are well informed. In researching the issues and in writing my subsequent explanation of them (in layman's terms, as far as possible), I learned two things. First, these issues are far more complex than most people realize. They're not just about the simple cutting and pasting of a few copyrighted lines of code from one program to another. If they were, I could understand where it might be easier to brush off SCO's lawsuit as frivolous.
As it turns out, in addition to the aforementioned cutting and pasting of code, the legal questions are also about who owns Unix, to what extent they own it, and precisely what rights are afforded to the owner (or owners, as it may turn out to be). Secondly, the noise level coming from both camps--those in favor of SCO (pretty much just SCO and its shareholders) and those who oppose it--overwhelmingly favors SCO's opposition. SCO is a tiny company in Utah, with opposition that includes some of the largest companies in the world, millions of Linux users, and the leaders of the cultish open source movement. As a result, the opposition's message often drowns out SCO's. I'm not saying that the opposition is wrong, but, short of understanding the merits of the case, a lot of people are siding with SCO's opposition because it's bigger, louder, and consists of voices that many people find to be credible. If you take some time to study the case, however, I think you'll find that SCO's claims are not as easy to dismiss as some people would lead you to believe. Could those claims eventually be dismissed? Absolutely. I'm just not sure that it's the slam-dunk that SCO's opponents and water cooler discussions make it out to be. If you're sizing up your chances of being sued based on a misunderstanding of the cases or the out-of-balance noise levels, you could be making a mistake. I've spent the last several weeks probing the various participants in this open source legal morass, trying to filter out the noise in an effort to offer you my analysis of the situation.
Red Hat: A canary in SCO's coalmine?
In an interview with News.com's Charles Cooper, Red Hat CEO Matthew Szulik cited the reason that Red Hat sued SCO in August 2003 (at a time when SCO hadn't yet sued Red Hat) as "seeing the sacrifice at Red Hat and in the open-source development community, it finally got to a point where we just said enough was enough." I'm not buying that explanation. Red Hat was seeking a declaratory judgment that Red Hat had not infringed on SCO's copyrights or trade secrets. According to lawyers I spoke with, companies that haven't been sued don't altruistically seek declaratory judgments absolving them of wrongdoing because "enough is enough." They do it because they see a looming risk as a material threat to their business. Although Red Hat's 10-Qs don't reflect the board's innermost perceptions of that risk as a material threat until its January 2004 disclosure, my guess is that the lawsuit in August reflects some earlier insecurities over the situation. As the canary, Red Hat's lawsuit and 10-Qs are not the only data points for IT managers to consider when sizing up the validity or threat of SCO's claims. As a distributor, Red Hat's failure to offer indemnification to its customers sticks out like a sore thumb. If Red Hat were as sure of the frivolousness of SCO's claims as it seems to be, then it would put some serious skin in the game by indemnifying its customers. The same goes for IBM. Instead, IBM is offering nothing and Red Hat is offering protection in the form of a defense fund for developers and a promise to replace infringing code. Neither one, in my estimation, puts any skin in the game because the developers the fund is designed to protect aren't going to be sued. If code is found to be infringing, the solution from SCO's point of view won't be as simple as replacing it.
Announcements of defense funds and promises to replace infringing code are precisely the sort of noise that I was citing earlier that may unjustifiably be swaying opinion and lulling users of Linux into a false sense of security. In my analysis of Red Hat's precarious position, I suggest that IT executives take note--the Red Hat canary may have just coughed up a dust ball.
Don't confuse SCO with the RIAA
In terms of end users, SCO has been clear that it is only interested in large enterprises that have been extracting significant value out of its alleged intellectual property without proper compensation. In addition, SCO has also said that it hasn't ruled out certain individuals, such as Linus Torvalds and Andrew Morton, who may have played a role in overseeing the development of the Linux kernel. For other businesses, consumers and developers who use Linux, SCO has its legal guns aimed elsewhere. So, why not randomly pick (independent of size) on Linux users the way the RIAA (Recording Industry Association of America) has picked on music downloaders? If the court sides with SCO on its ownership of Unix and the rights that ownership affords, one of the potential outcomes of SCO's legal pursuits could be the inability of anyone to distribute Linux under the GNU General Public License. In that worst-case scenario, distributing any version of Linux without a license from SCO or 100 percent clean room-developed code would be illegal. In other words, users may end up getting away with the free use of Linux for a while, but over the years they'll be weeded out through the upgrade cycle (either upgrades to SCO-licensed versions of Linux or upgrades to alternative operating systems). As a side note regarding the clean room issue, there are two companies with the resources to address that issue on a timely basis. The first is IBM. If I had to guess, the company has its best talent working on a verifiable, clean room implementation of the Linux kernel. The second company is Novell, which recently affirmed its commitment to open source. Of the many companies in the maelstrom, Novell is one of the few with its own operating system (NetWare) that could be turned into an open-source based substitute for Linux.
Things turn for the worse when...
SCO's opponents have a different interpretation of all of those issues. What remains to be seen is the court's interpretation. Right now, with those issues hanging in limbo, it will be difficult for SCO to successfully sue end users of Linux. Virtually all of the SCO detractors that I've spoken with raise one great point: How can SCO sue enterprises using Linux for the misappropriation of its intellectual property if it hasn't established beyond a shadow of a doubt that it owns the intellectual property in question? That said, even while it waits for a ruling from the court, SCO may launch a few lawsuits at some enterprises with poster-child deployments just to rattle some nerves. But, as SCO spokesperson Blake Stowell told me, "Anyone who gets sued now probably knew they were going to get sued because we tried to negotiate with them first." At the very least, that statement probably restricts SCO's short list to the 1500 companies it originally sent letters to in May of 2003. The magic question is, if you weren't on that list or you haven't already been contacted by SCO, when should you start seriously looking for shelter? My answer? Probably on the day that a judge announces that he agrees with SCO's interpretation of what it acquired from Novell. If the court finds in Novell's favor that SCO has very limited rights to the Unix intellectual property, there will be a collective sigh of relief (although, depending on the extent of those limited rights, SCO may still continue to pursue some of its cases). If, on the other hand, the court finds that SCO owns Unix to the extent that SCO says it owns it (and all the rights that go with it), a lot of people will be scrambling for cover. Things might go a little haywire on Wall St. as well. It's at this point that you should start evaluating your options.
Who's protecting whom?
It's worth stating that there are a couple of ways to actually avoid getting sued altogether. This may be a really good option if you work for an image-conscious company that avoids the legal limelight like the plague. One is simply to pay SCO $699 per server for a perpetual license or $149 per server for an annual license. According to SCO's Stowell, "The license that we are offering to commercial end users of Linux is called the SCO Intellectual Property License. The end user is provided with a license that allows them to run SCO's intellectual property as it is found in Linux in binary form only. This license is meant to apply to any version of Linux (based on the 2.2 kernel and later) that is being run in a commercial environment." A major advantage of going this route is that it is Linux distribution neutral--you don't have to change a thing about your configuration. All you have to do is write a check. Another option to minimize the chances of being sued is to run another operating system, especially one that includes indemnification. It should be noted, however, that if you were previously a Linux user, going this route won't help you to avoid a lawsuit altogether. SCO could come after you for "back pay" (compensation for the period of time that you benefited from Linux), but it is a less likely scenario. Alternatives to Linux that come to mind (and whose license is in good standing) are HP's Unix (HP-UX), Apple's OS X, Sun's Unix (Solaris) and FreeBSD, a version of Unix that, due to a 1993 settlement between AT&T and Berkeley, got a hall pass to be free. Of the four Unixes, the latter two are available on the Intel architecture. As far as HP-UX is concerned, Intel's recent announcement regarding its AMD64-compatible Nocona hybrid puts a question mark over the future of all of HP's operating systems.
By virtue of SCO's revocation of IBM's Unix license (and Novell's subsequent re-invocation of the same), IBM's AIX has a different question mark over it. Nonetheless, it's a question mark. And then, there's always Microsoft's Windows and Novell's NetWare. When it comes to Linux indemnification, only three companies have so far gone public with such a program: HP, Novell and Sun. It should be noted that in all three cases, you must stick with the binary distributions offered by those companies. In other words, no kernel modifications or self-compiled versions. Determining which indemnification program is better is like comparing apples and oranges. Each is targeted at different types of users and all have specific requirements to qualify. As I found in my interview with Efrain Rovira, worldwide Linux marketing director at HP, the indemnification program devised by HP applies to anyone (consumer to enterprise) who buys a distribution of Linux from HP (HP offers most of the popular distributions) and runs it on HP gear. HP will go to the mat for you in terms of legal defense if you get sued, and there's no limit to the damages it will pay in the event that that defense is lost. The program can only protect you from a suit by SCO, and there's a financial obligation to join--a cost that users of Linux might not otherwise pay. HP did not set the program up because it was convinced that SCO has no case. HP set the program up, according to Rovira, because the lawsuit created the need for indemnification, which in turn created another potential revenue stream for HP. Unlike HP's program, Novell's program--as Novell spokesperson Bruce Lowry puts it--involves no additional costs above and beyond what enterprises normally pay for a SuSE Linux support contract. Lowry argues that this makes it free. SuSE Linux Enterprise Server 8.0 is the only distribution covered by the program, but the indemnification is agnostic to system manufacturer.
If you haven't guessed by now, Novell's program targets very large enterprise Linux installations. Evidence of this is how Novell will go to the mat for you in terms of defense (like HP), but caps the damages that it will cover in the event that that defense is lost at 125 percent of the cumulative fees paid to Novell or $1.5 million, whichever is less. For businesses with just one or two servers, the total coverage doesn't amount to much. Novell is the only distribution provider offering indemnification. It is doing so on the basis that it retained the necessary intellectual property rights when it sold Unix to SCO. As mentioned earlier, it remains to be seen whose interpretation of that sale the judge endorses. Finally, Sun is offering indemnification, but not for Linux running on its Intel or AMD-based servers such as the Sun Fire V60x and V65x servers that are preconfigured with Red Hat Enterprise Linux. Instead, Sun is indemnifying users of its Java Desktop System: a desktop-targeted suite of productivity applications combined with a desktop version of Novell SuSE's Linux. When compared with SCO's targets for legal action, this form of indemnification doesn't offer a lot of additional protection. Users of the JDS can add applications if they want, and the cost of entry is the same as if they were just licensing JDS--$100 per seat or $50 per seat if you're also a user of Sun's Java Enterprise System (JES). If SCO did come after those users (unlikely), Sun would, like HP and Novell, go to the mat for you on the defense. In terms of damages covered in the event that defense is lost, Sun has placed no limitation on the damages covered. Finally, as with HP, another company has seen the way SCO's legal actions can give birth to a new revenue opportunity. The new offering, which I discuss in detail, is from a new company called Open Source Risk Management (OSRM). Rather than indemnification, OSRM is planning to provide open source insurance.
OSRM CEO Daniel Egger calls it "an extended warranty." OSRM is not officially in business yet, and needs a few more customers in order to get one of the major insurance underwriters on board, according to Egger. The key selling proposition is that OSRM goes where no other indemnification goes. It insures you for using any open source software on any system. It doesn't matter who sues you and, unlike the three indemnification programs, you can play around with and recompile the source code. It covers end users for a range of legal costs that indemnification doesn't and the limitation on those costs has to do with what premium you're willing to pay. Premiums run about 3 percent of a policy's value, and there is a deductible. If you compare OSRM's insurance to the $1.5 million maximum damages covered by Novell, the annual out of pocket cost would be about $45,000 (chicken scratch for most big IT budgets), and the coverage is wider and broader by a long shot. It's also about the same amount of money it would take to cover 300 servers under SCO's $149 per server per year license. But SCO's license doesn't protect you against other lawsuits the way OSRM's insurance will.
How much is your job worth to you?
Likewise, as a user of Linux, protecting yourself from an SCO lawsuit could easily be a waste of money. Virtually all of the forms of protection listed in this special report are reasonably priced when you consider the potential harm if you have no protection and are successfully sued by SCO. Most companies using Linux (not including embedded Linux-based appliance makers, which could have more significant risk) could easily bury the cost of protection in their IT budget without anyone batting so much as an eyelash. But, you can't bury the damages in the hundreds of thousands or millions of dollars, or the pink slip that goes with them. Basically, you have one question to ask yourself: How much peace of mind do you have now and how much more are you willing to spend for a little extra?
You can write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.