Thomas C. Carey on NDAs and the GPL
We discussed the SCO NDA show-and-tell proposal with Thomas C. Carey via e-mail from 23 May to 28 May 2003. He is a programmer turned lawyer and is now a partner at Bromberg & Sunstein, where he chairs the firm's Business Practice Group. His law practice includes licensing and transferring software, technology and other knowledge-based content, and lots more.
We asked Tom Carey what sorts of legal traps people or companies might get themselves into if they enter into NDAs (Non-Disclosure Agreements) with SCO-Caldera in order to see the source code that SCO-Caldera claims is SCO-owned Unix code, which is in the Linux kernel, GNU/Linux OS, or Linux distributions. We also asked Tom whether a person or company should and/or can be required to enter into an NDA with SCO-Caldera before SCO-Caldera will tell that person or company where it is supposedly infringing on SCO-Caldera Unix copyrights.
Thomas C. Carey: In looking at the issues presented by an NDA, the devil is in the details.
First, SCO is not without good reason in asking for NDAs from the people to whom it may show the allegedly infringing Linux code. As you know, the entire lawsuit against IBM is founded on theft of trade secrets and breach of the confidentiality provisions of the UNIX license, not on copyright or patent infringement. If SCO were to release UNIX code without requiring an NDA, it would open itself up to an argument that it had destroyed its trade secrets by releasing them, thereby making the lawsuit moot.
You have probably seen the reply from Jack L. Messman, CEO of Novell, to Darl McBride of The SCO Group, in which he wonders "whether the terms of the nondisclosure agreement will allow Novell and others in the Linux community to replace any offending code." "Specifically," he asks, "how can we maintain the confidentiality of the disclosure if it is to serve as the basis for modifying an open source product such as Linux? And if we cannot use the confidential disclosure to modify Linux, what purpose does it serve?"
This argument points out a potential trap that an NDA might present, and assumes the worst about the terms of the NDA that SCO may seek to present. It is a valid argument, with a dose of posturing.
A typical NDA is short, sweet and vague, leaving the details for later on the optimistic assumption that everyone will know what it means. This is usually sufficient. But when the stakes are large, the parties negotiate the terms of the NDA in detail, so as to cover contingencies such as the one described in Mr. Messman's letter.
That is, the NDA could expressly permit the Linux-using party to modify the Linux code so as to delete any infringing code. If SCO is really looking to make sure only that Linux does not infringe, it will offer an NDA that allows Linux users to delete the offending code (and to replace it with non-infringing code).
The fact that the discussion between SCO and Novell is taking place so publicly, however, suggests that these players are not looking for an amicable resolution of the matter, but instead are both seeking to make political hay out of their situations. SCO may not even now feel comfortable that it has found all potentially infringing code, and may be stalling for time while it continues to research the question.
SCO's allegations have already escalated dramatically since it brought its lawsuit against IBM. As you know, SCO originally said that the lawsuit was not a general attack against Linux. We now know that it was. Furthermore, SCO is now talking about patent infringement. This is potentially much more problematic, because it may not be possible to simply code around the patents.
SCO has several hurdles to clear in making out a patent infringement claim. First, patent protection doesn't last forever, and UNIX has been around long enough for any original patents to have expired.
Second, Novell claims that it has not transferred its UNIX patents to SCO. If this means that SCO is a mere licensee (one among many), SCO's standing to sue to enforce the patents is quite suspect.
Third, SCO has released a Linux version under the GPL. This license requires SCO's Linux "to be licensed as a whole at no charge to all third parties under the terms of this License." Thus, the GPL contains an implied patent license.
This last point may be less damaging to SCO than the Linux community would like. If, for example, Red Hat were to release a version of Linux that is not derived from SCO's version, then it is not clear at all that Red Hat would have a license to SCO's patents, and SCO could sue Red Hat for patent infringement. [This assumes that SCO has valid patents, and that Red Hat infringes them, two very unproven propositions].
Novell's Jack Messman on SCO NDA-Scam
In a statement published on Novell's Web site on 28 May 2003, Novell Chairman, President, and CEO Jack L. Messman stated that SCO does not own the Unix copyrights and patents. As Tom Carey points out, Jack Messman also addresses SCO's NDA-scam. Messman states:
As best we can determine, the vagueness about your allegation is intentional. In response to industry demands that you be more specific, you attempt to justify your vagueness by stating, "That's like saying, 'show us the fingerprints on the gun so you can rub them off.'" (Wall Street Journal, May 19, 2003) Your analogy is weak and inappropriate. Linux has existed for over a decade, and there are plenty of copies in the marketplace with which SCO could attempt to prove its allegation.
We are aware that you recently offered to disclose some of the alleged Linux problems to Novell and others under a nondisclosure agreement. If your offer is sincere, it may be a step in the right direction. But we wonder whether the terms of the nondisclosure agreement will allow Novell and others in the Linux community to replace any offending code. Specifically, how can we maintain the confidentiality of the disclosure if it is to serve as the basis for modifying an open source product such as Linux? And if we cannot use the confidential disclosure to modify Linux, what purpose does it serve?
Remember that under the license that covers the Linux kernel and GNU/Linux, the GNU GPL (General Public License), any modifications to the code must be made openly and under the GPL. Moreover, the kernel maintainers must approve any patches to or changes in the official kernel.org Linux kernel. If Novell or some other company proposes a patch to or a change in the Linux kernel, it is going to have to explain to the kernel maintainers why they should accept the patch or change. An NDA could interfere with that.