Linux’s Patent Risk

Open Source Risk Management (OSRM) announced today that it had
found 283 issued, but not yet court-validated, software patents in the Linux kernel.

The findings are the result of a thorough Linux patent review sponsored by OSRM, a firm that
provides risk mitigation and insurance offerings to the open source community. The review however did not find
a single patent infringement that had currently been court validated.

“By saying that these 283 patents could cover Linux means that [patent holders] have claims that could be
infringed by practicing the Linux kernel,” Dan Ravicher,
founder and executive director of the Public Patent Foundation and senior counsel to the Free Software Foundation,

“When patents get tested in court, the court finds them invalid about
half of the time, so the court doesn’t just accept the patent office’s decision,” Ravicher said.

The review looked at 2.4 and 2.6 kernel versions of what is commonly referred to as the “plain vanilla kernel,”
which is the publicly available kernel from The plain vanilla kernel is
rarely included in mainstream distributions like
Red Hat
and others that provide additional features. Though Ravicher was quick to mention that they’d be happy if asked to
review other flavors of the kernel.

OSRM claims that a third of the 283 issued patents are held by Linux-friendly corporations like Cisco, HP, IBM,
Intel, Novell, Oracle, Red Hat and Sony. The others are held by groups that may not be as friendly to Linux,
such as Microsoft. Ravicher identified Microsoft as the holder of 27 of the
patents, which he says have not been court tested.

“None of the 283 that I’ve identified are actually being litigated so far as I know, but the extent to which
Microsoft is asserting its patents through means other than litigation is indeterminable,” Ravicher said. “In many
cases, there could be confidentiality agreements in place that prohibit us and the public from knowing exactly what
Microsoft is doing and how they are trying to go out and assert their patents.”

OSRM, however, is not going to reveal any hard specifics on the 283 patents. Ravicher explained that being
aware of the particulars of a patent could potentially expose a developer to risk.

“There’s what I call a perverse rule in patent law that says if you are aware of a patent and then later [are] found to
have infringed on it, the court can punish you for willful infringement by tripling the amount of damages awarded
against you,” explained Ravicher. “If you can say you weren’t aware of it, then the court can’t claim that you
acted willfully because you didn’t have knowledge.

“That’s the reason we’re not going to tell people what these 283 patents are,” he continued. “If we told people, we’d create
exposure, which we’re trying to avoid.”

Linux’s patent risk has been acknowledged for some time. In fact, Ravicher points to the GPL license under which
the Linux kernel itself is distributed. It was written in 1991 and illustrates the fact that the community
has always been worried about software patents.

Having 283 patents does not imply a doomsday scenario, Ravicher said. “That’s no more patents
than what potentially covers any other product that’s as successful and as widely used as Linux.
This isn’t a surprise result; it’s completely typical and manageable and something that OSRM is providing the solution
to solve.”

OSRM’s new patent insurance products are targeted at protecting users with comprehensive policies that protect
against what Ravicher believes to be the biggest problem with the 283 patents.

The biggest problem is not that claims may be asserted meritoriously, Ravicher said.
The larger issue is the cost of defending against a potential patent
infringement claim, which runs on average $2 million to $4 millions dollars.

News Around the Web