Patent troll defense is costly and stifles innovation, and the license fees trolls demand can drive companies out of business. It’s not a matter of if, or even when patent trolls—companies that make money through litigation, rather than by making products—will target OpenStack. They already have. The question now is how will the OpenStack ecosystem protect itself against patent litigation? Should the foundation lead an effort to protect members, or should individual members and companies take that on themselves?

“Openstack has significant vulnerabilities, as a platform, to patent trolls,” said Kevin Jakel, CEO of Unified Patents. “There is a need for OpenStack to have some way to help protect the developers and others working on the platform.”

Since at least 2012, the OpenStack Foundation’s legal affairs committee has discussed creating a stronger intellectual property (IP) policy to protect OpenStack from patent litigation that could harm or destroy the ecosystem. In a June 2013 update to the foundation board, Alice King, Rackspace Vice President & Associate General Counsel at the time, presented three options: Make no changes to the current policy, which relies on the Apache 2.0 license terms for protection; adopt the Google Open Patent Non Assertion Pledge; or adopt an Open Invention Network (OIN)-style patent cross license.

By default, the foundation has chosen option #1: Make no changes. When developers contribute, they sign a contributor license agreement (CLA) based on the Apache 2.0 license . “If I contribute code to this project, I also contribute a patent license covering what I have contributed,” Van Lindberg, VP of Technology at Rackspace and a member of the legal affairs committee, told Datacenter Dynamics. In essence, developers’ innovations and contributions to the project share the protection the license affords. They lose the license if they sue.

Level Up: Promise Not To Sue

The next options King presented were stronger than a license; they added the element of a pledge. The Google Open Patent Non-assertion (OPN) Pledge is a promise to not sue users, developers, or distributors of open source software. The OPN Pledge, a predecessor to LOTnet, included just 10 patents related to MapReduce at the time. It has since been expanded to include many other patents. King lauded its ease of adoption and “broad defensive termination”—if anyone who has taken the pledge sues Google or its affiliates over any patent, not just those in the agreement, they are no longer protected by the pledge, according to King’s presentation. If LOTnet had existed at the time of the presentation, King might have recommended that instead.

Finally, the board discussed adopting a cross license agreement like that of the Open Invention Network (OIN). OIN is a defensive patent pool that protects the Linux ecosystem and now counts more than 1200 members. An OpenStack Foundation patent pool could cover not just Apache code contributors and licensors, but other OpenStack members, participants, and their patents as well. The license could be limited to only some, or expanded to include all elements of the OpenStack code, King said. The OpenStack license could be structured to survive if transferred, and be terminated if any licensee sued another over patents based on OpenStack code or over a distributed product.

Linux is now the platform most of the cloud is built upon, but ten years ago, its future was threatened by legal disputes. In 2003, SCO began legal maneuvers to counter the use of “tainted” products containing alleged SCO-owned code. At issue were copyrights, not patents, but over the years, legal battles continued. SCO wanted competitors and users both to pay them hefty license fees.

The Importance of Banding Together

OIN was formed in 2005 to protect Linux from being destroyed by litigation. The OIN is “essentially a lay down your arms, patent neutralization strategy,” said Keith Bergelt, CEO of OIN, in a recent interview. 80% of its more than 1200 licensees don’t own patents, but all members get a royalty-free license to use patents other members have included, as well as patents OIN purchases.

The original founding members, which fund OIN’s efforts, include three very active OpenStack Foundation members—IBM, Red Hat, and SUSE (originally Novell), plus NEC, Philips, and Sony. OpenStack LLC actually joined OIN in 2011, along with Rackspace, which takes a hard line against patent trolls, as did HP and Symantec. Oracle joined the OIN in 2007. In 2014, Oracle became a corporate sponsor of the OpenStack Foundation and announced plans to integrate OpenStack capabilities into several of its products.

Some members are worried that lawsuits may continue, though not necessarily by trolls. Three OpenStack companies—HP, Oracle, and Symantec—have essentially withdrawn from OIN by adopting what’s called a “limitation election,” withdrawing future patents from the protection of the OIN patent pool.

“Essentially it gives them more access to information they can funnel back to support their legitimate business activities, and also their intellectual property business,” Bergelt said. “It’s inconsistent with the tenets that underlie community and project participation.”

Bergelt has lobbied the foundation board since 2012 to encourage members to join the OIN, and to create its own license that would protect OpenStack ecosystem members. “The only reason not to join is to reserve rights to sue on the Linux system,” Bergelt said.

In December 2013, OIN followed though and broadened its organization’s defense to include OpenStack packages. The foundation applauded the move. Since then a few other OpenStack companies have joined, including, Aptira and UnitedStack. Just last week, the OIN board voted to include Icehouse and some Juno packages to its Linux definition.

But that protection is weakened by the limitation elections. HP, Symantec, and Oracle can pursue patent litigation on technology not covered by the window of time specified in their OIN agreements. Other prominent OpenStack members, such as EMC, VMware, and Cisco have not joined OIN.

In August 2013, Bergelt met with the OpenStack Foundation board. According to unofficial meeting minutes, he proposed a “a more formalized relationship with the Foundation, that members would be encouraged to join the OIN, that we’d do joint press releases and that there would be an ongoing direct relationship with the TC [technical committee] to ensure the system definition is regularly updated to include all OpenStack projects.”

Bergelt renewed his campaign again late last year, warning that OpenStack will be a target of trolls. “OpenStack should be meeting us halfway,” he said, “promulgating their own code of behavior, codified in some patent protection elements, whether cross licensing, defensive, or more something more comprehensive.”

After King’s presentation, Van Lindberg, who had just been appointed to the legal affairs committee, proposed another option: that OpenStack members get behind the OIN. “He went on to describe how a difficulty with this approach is that some members of OpenStack will never be members of the OIN because the OIN fundamentally see those companies as a threat to Linux,” according to the unofficial minutes. “He didn’t name these companies.”

Lindberg also proposed a patent indemnity program, in which OpenStack members and/or the foundation would contribute to a legal defense fund. “Van feels that patent trolls often go after some weaker companies and obtain a small settlement because that company feels it’s cheaper to settle than to defend, and that settlement sets a problematic precedent that the troll can then build upon,” according to the unofficial minutes. “An indemnity program would encourage members to fight patent trolls and avoid precedents being established which would set the entire community up for trouble.”

The board has discussed transferring OpenStack LLC’s license to the foundation, according to Lindberg. That doesn’t accomplish the goal, Bergelt said, because they don’t have the ability to convey the license to members. “Irrespective of any progress in OpenStack’s adoption of a formal patent policy, OIN will continue to include core OpenStack project functionality into its Linux System Definition and encourage any and all OpenStack member companies to sign OIN’s free license to insulate themselves from patent aggression in these essential cloud technologies,” Bergelt said.

Is OpenStack at Risk?

OpenStack code covers a lot of different functionality—compute orchestration, storage orchestration, and networking, patents for which are broad and difficult for patent judges to understand. In OpenStack, just as in the rest of the cloud computing world, the field is ripe for trolls to exploit.

Many large publicly traded organizations (which the trolls see as deep pockets) are major players in OpenStack. Many of these large organizations also happen to command vast patent portfolios. Some worry that beyond the patent trolls, OpenStack participants themselves may target each other. Just because they’re involved in an open source project doesn’t negate the fact that these companies are hardcore competitors, some of whom have sued each other over patents before. As mentioned above, Symantec, HP, and Oracle have opted out of OIN’s patent cross-license agreement.

And finally, OpenStack code is open and there is no legal review that takes place prior to code commits. It might be easy for trolls to find areas that can be classified as “infringement.” Member companies could do the same.

Proposed Changes to OpenStack License Agreements

Today OpenStack has a code contribution process that offers some level of protection. Every developer must sign a code contributor license agreement (CLA), but there is an ongoing discussion to change that to a Developer Certificate of Origin (DCO) approach, where nothing needs to be explicitly signed by a developer.

In July, the OpenStack Foundation Board of Directors discussed the pros and cons of changing to the DCO model. According to the Foundation, the Technical Committee agreed to make a recommendation to the board to adopt the DCO model. “This is ultimately a Board decision since it has legal ramifications, but the consensus on the TC is that the DCO will streamline contributions and offers advantages over the CLA,” Vishvananda Ishaya wrote in a Technical Committee update last October. Before the community votes whether to change to the DCO approach, which would require a change to the bylaws, the foundation board hopes to revise the current bylaws so that changes like this can be voted in with a majority of 10% of members voting, down from the 25% currently required. (Update: This revision was passed in last week’s election.)

Some wonder if the license change would make OpenStack more vulnerable to patent trolls. There has also been talk about the potential for unscrupulous organizations to simply observe OpenStack discussions and then file patents. This is particularly problematic since, under the Leahy-Smith America Invents Act, the U.S. has changed from “first to invent” to “first to file.” In essence it’s more important than ever to document inventions.

“There is no one silver bullet to solve this,” Jakel said. “The question is, can you buy your way out of this problem? There are too many patents that cover cloud technology. It would take an unbelieveable amount of money.”