Security Blankets

Turning Crow

I see David Berlind has been asking for my opinion on Microsoft's new non-assert covenant. Keeping in mind that (a) Kim didn't send me an e-mail to tell me about it, let alone an advance review copy like Andy Updegrove, and (b) I have been in a meeting all day where my boss kept shutting the lid of my laptop each time I tried to go online, here are a few off-the-cuff comments.

To be clear (and to encourage Kim to send me a review copy next time!), I think this is a welcome step from Microsoft that I've been calling on them to take for quite some time. Eve Maler has a good analysis, and this seems to be a generally OK covenant document in the same spirit as the covenants Sun has issued around ODF, SAML and Web SSO. Kim Cameron is to be congratulated both for this specific outcome and for the (undoubtedly difficult) process of pushing Microsoft to this point.

However, it does contain three issues that I'd like to see addressed:

  1. First is the phrase "necessary claims". Whenever I see this phrase my lawyer alarm goes off as it immediately involves a judgement call which is the subjective right of the patent holder. It comes accompanied by the question "was our patent really necessary for this implementation? Surely you could have done it this other way and thus not needed it. It's actually not necessary so here's the invoice." I'd like to see that phrase replaced with language to indicate that no patent claims will be made against source code implementing the standard, with no necessity test involved.
  2. Second, the phrase "to the extent it conforms" is worrisome. Just as with the earlier language around Office 12 XML, it leaves open the question of who is the arbiter of conformance. It also means that open source is placed under a FUD cloud; development is carried out in public so partial and non-conforming implementations are sure to exist. I'd like to see this replaced with language to indicate that the good-faith intent to implement the standard is sufficient to gain coverage.
  3. Third (and most complex to explain) is the asymmetry of the patent peace. The patent grant is limited to necessary claims as I mentioned in 1 above, yet the cancellation of that grant is triggered:
    If you file, maintain or voluntarily participate in a patent infringement lawsuit against a Microsoft implementation of such Covered Specification, then this personal promise does not apply with respect to any Covered Implementation of the same Covered Specification made or used by you.
    That means that while Microsoft only grants me "necessary claims" I have to effectively grant them cover on all claims, necessary or not. That asymmetry has to be corrected.

I assume Microsoft will look into all of those, and it's on that basis I'm sending Kim a virtual handshake of congratulations. Let's hope they go back and apply them in the other areas where we are all in doubt, like CallerID and Office 12 XML.

One more thing to note is a rare error by Andy Updegrove. He says IBM was first with a patent non-assert covenant, but I don't agree. IBM made a public grant of 500 specific patents. While that's a fine gesture, it does not give software developers much in the way of a freedom from FUD as they have to analyse and then implement the patented ideas in order to gain protection (and the grant was only to open source developers as I recall). Software patents contain little that's useful to a programmer, so a list of patents is pretty much useless.

Sun's ODF covenant pioneered the idea of a blanket covenant, where the patents are not enumerated. This is absolutely key for open source developers. A list of standards where there's a guarantee that there will be no litigation is very useful. It means a developer can implement secure in the knowledge that those most likely to hold patents - the companies who co-developed the standard - covenant never to attack implementations of the standard.

Microsoft is now following suit. This is what open source needs - freedom from fear of attack, not the donation of unintelligible patents. It's time that became a requirement software standards bodies placed on their participants. To set that direction, we now need IBM to endorse and issue blanket covenants too - how about it, Bob?


Did you see my analysis? I make the point about IBM, though far less elegantly. I think you have to say what it is that you're safe not to worry about.

Posted by james governor on September 13, 2006 at 10:39 PM PDT #

[Trackback] Bob Sutor has responded to the question (indirectly anyway - he was responding to the same question raised by David Berlind at ZDNet) I raised in my post about Microsoft's open specification promise.

Posted by On IT-business alignment on September 14, 2006 at 01:40 AM PDT #
