My Visit to SCO

by Ian Lance Taylor

This essay describes my visit to SCO on June 17, 2003, to discuss SCO's claim that Linux infringes on its intellectual property rights. I visited the SCO office in Lindon, Utah, for about one hour. I spoke with Chris Sontag, Senior Vice President, Operating Systems Division, and with Blake Stowell, Director of Public Relations. In order to speak with them, I signed a non-disclosure agreement.

The short version of this essay is SCO's claims are unproven, as I expected would be the case before I went. The amount of information SCO was willing to show me was extremely limited, and it did not by itself prove that SCO's claims were true nor that its claims were false.

Background

I won't give the full background here, as it is well covered elsewhere, such as on Karsten Self's page. The short version, as of June 17, 2003, is SCO has sued IBM, alleging that IBM took work that was the intellectual property of SCO and incorporated it into Linux (when I say "Linux" in this essay, I mean specifically the Linux kernel, not a complete distribution). SCO is the current owner of Unix, which originally was developed by AT&T. SCO, which used to be named Caldera, purchased the rights to Unix from a different company named SCO, which has since changed its name to Tarantella. Along with Unix, SCO purchased a number of contractual agreements, including one with IBM. SCO is alleging that IBM has violated that contract.

SCO also sent a letter to some 1,500 commercial users of Linux distributions, warning them that Linux may be an unauthorized derivative of code owned by SCO. That is, SCO alleges that Linux actually to some extent is owned by SCO and may not be distributed under the GPL. The letter further claims that users of Linux may have legal liability because of this.

SCO said it would provide evidence that Linux is a derivative of Unix to independent analysts. With the help of Don Marti, Editor in Chief of Linux Journal, I contacted SCO and offered to be one of those analysts. SCO agreed, subject to my signing the NDA and traveling to its headquarters in Lindon, Utah.

SCO's legal case is complicated by the fact that when SCO was named Caldera it was itself a Linux distributor, and it may have distributed, under the GPL, the code which it now claims to own. It is also complicated by allegations that SCO has incorporated Linux code under the GPL into UnixWare. These issues may indeed cause SCO's legal case to founder, but not in the way I would prefer it to founder.

Why Did I Go?

I took the trouble to visit SCO because I care about what happens to free software in general and Linux in particular. The SCO claims have put a cloud over Linux. I have heard speculation from business acquaintances that the free versions of Linux will be shunned by corporate IT users, who will be unwilling to take the legal risk of using it. I don't think that would be good for Linux or for free software.

I remember the AT&T case against BSDI and the University of California, which arguably stalled BSD development for a few years. Indeed, it arguably was the root cause of Linux's popularity, because Linux development was not stalled. SCO's case against IBM is in some ways a reprise of the AT&T case, and I fear that it has a similar potential to stall Linux development.

SCO was willing to speak only with people who signed a Draconian non-disclosure agreement (NDA), one which essentially permitted SCO to declare any information it provided to be confidential, regardless of whether the signer already knew it, and which offered no circumstances under which that information could be revealed. Most Linux developers are unable to sign such an NDA, as it easily could prevent them from ever again working on the kernel. Similarly, employees of any company that works with Linux cannot sign such an NDA.

I have never contributed to the Linux kernel myself. However, I have worked with free software for over 10 years, including acting as a maintainer for projects owned by the Free Software Foundation. I have plenty of personal knowledge of how free software development works. I currently am not employed by anybody, but simply working as a contractor on work not related to Linux.

Thus, I felt going in that I was in a good position to sign the NDA and to analyze the information that SCO presented to me. While SCO easily could have made it impossible for me to contribute to the Linux kernel, it had no reason to do so. In any case, I had no particular plans to do any kernel work.

Before going to meet SCO, I asked three times if it would be willing to change the NDA. I suggested that SCO should change the NDA to permit the disclosure of information when legally required by a court and to permit the disclosure of information when SCO specifically agrees to it. I also suggested the NDA should be changed so that information I already knew before meeting could not be treated as confidential. The only response I received was that SCO forwarded my suggestions to its counsel.

As it turned out, SCO actually showed me very little confidential information.

Preliminaries

As mentioned above, I met with Chris Sontag and Blake Stowell. Chris Sontag did almost all the talking. In general, below I say "SCO says" and so forth, but Chris Sontag was the one who actually was talking.

Chris Sontag showed me a series of PowerPoint (I assume) slides and talked about them. I took notes on my laptop. He listened to my questions and tried to answer them. He did not show me anything beyond his planned presentation, despite my requests for some additional information. This presentation was not the same as the one described by The Inquirer. This one was divided into three main topics: SCO owns Unix, SCO vs. IBM and Linux is tainted.

SCO Owns Unix

SCO argues it purchased full rights to Unix from the old SCO, which purchased the rights from Novell. The Unix patents still are owned by AT&T, but SCO has purchased the right to use them. There was a dispute with Novell over copyright ownership, but SCO claims this has been resolved and SCO does indeed own the copyrights.

In general, SCO claims to have purchased all rights to all versions of Unix System V and all prior versions of Unix, which were developed by AT&T.

My concerns are with free software, not the actual ownership of Unix. I believed at the start of the lawsuit that SCO owned the rights to Unix, and I suppose I still am willing to believe that. I think that any legal issues here clearly are a matter of the purchase contract between Novell and the original SCO, and it should be more or less straightforward for the new SCO and Novell to settle them.

The main issue of interest to me is whether rights to early versions of Unix have been weakened by the widespread distribution of source code, including the publication of the Lions book and the fact that, until recently, the new SCO was distributing Unix source code for free on its FTP site.

SCO vs. IBM

SCO is suing IBM for breach of contract, unfair competition, tortious interference and misappropriation of trade secrets. SCO is now the owner of the contract that IBM originally signed with AT&T (I assume, but maybe some later owner) to develop AIX. That contract requires derivative works remain part of AIX. It also requires IBM to maintain confidentiality of sources and derivative code. Derivative works are allowed "provided resulting materials are treated as part of the original software products."

SCO has a list of about 20 IBM engineers who are, it claims, using AIX methods in Linux. SCO claims that some of these engineers literally are looking at AIX source code as they discuss Linux issues and making recommendations based on the AIX code.

SCO claims this is inappropriate because everything built on top of AIX or using methods developed in AIX is really a derived work of Unix. As we talked, I realized this is a key part of SCO's argument. SCO claims that anything built on top of Unix is itself a derived work of Unix. I will discuss this further below.

SCO said that besides IBM, Sequent has contributed code to Linux which is derived from Unix. Sequent is now a subsidiary of IBM.

SCO also claims that some of the derivative works IBM contributed to Linux include NUMA, RCU, JFS, SMP, performance measurement and improvements, serviceability, scheduler improvements, LinuxPPC 32 and 64 bit support, logical partition support. Sontag moved on to the next slide before I typed down the rest of the list.

I asked specifically about JFS, because I know that was originally developed for OS/2. SCO claims that JFS was originally developed for AIX, then ported to OS/2, then ported back to AIX; the port back to AIX was the basis for the Linux port. Chris Sontag said this was straight from the JFS web page. I just checked, and the JFS web page does not entirely agree. There IBM says that while JFS was first developed for AIX, the development for OS/2 was a new effort; the Linux port was based on the OS/2 work, not the port back to AIX. Using SCO's expansive definition of derivative work, arguably the development on OS/2 was based on the original AIX development, as some of the same people may have worked on it and used their experience with the AIX code.

Again, despite all this discussion, the whole issue of SCO vs. IBM was not the reason I was there. If IBM did indeed breach its contract, I suppose it should pay some appropriate penalty. I've been around the computer world too long to think that IBM is on the right side of every issue. However, SCO's presentation did not show me any clear evidence that IBM did indeed breach its contract. Obviously, IBM has contributed code to Linux, but it is not at all clear to me that such code is a derivative of Unix.

Linux is Tainted

Here, we come to the meat of the issue: has code clearly derived from Unix been incorporated into Linux? Unfortunately, SCO was willing to show me only one example. I was shown a source file Sontag said was from SVR4, which was compared to a source file from Linux. The identical portions of the code were highlighted. There were indeed substantial similarities in the code: very similar comment text, the same variable names, the same algorithm. There also were some differences, but it seemed quite plausible that both pieces of code came from the same source.

SCO refused to show me the revision history of the Unix file. I pointed out this made it impossible to judge the order of derivation; SCO agreed, and said it was a matter of discovery for the court case. SCO said it is confident the code had not appeared in BSD and was developed internally at AT&T and successors.

The NDA I signed prohibits me from saying anything that would help identify the code in question or anything about how it got into Linux (I discuss the issue of secrecy further below). SCO did not permit me to type the code, but I was told the Linux file name, and I have a good memory for such things in any case.

Here is what I think I can say about the code I saw. The code is fairly trivial--the kind of stuff I wrote in school. The similar portions of the code were some 80 lines or so. Looking around the Net, I found close variants of the code, with the same comments and variable names, in sources other than Linux distributions. The code is not in a central part of the Linux kernel. The code does not appear to have been contributed to Linux by SCO or Caldera. The code exists in current versions of the Linux kernel.

Also, oddly, my recollection of the code SCO showed me is not precisely the same as any version I found in any Linux distribution. The differences were in parts of the code that were different from the Unix code. The copyright statement at the top of the file also appeared to be different, though probably not consequentially. However, because I was not permitted actually to type the code, my memory could be playing tricks on me here.

If this is SCO's only example of Unix code appearing in Linux, I very much doubt there is any real legal liability for Linux users. If the code is indeed derived from Unix, which is unproven, it is roughly equivalent to typing in some code from a basic computer programming text without permission. While I hesitate to predict the actions of the legal system, it is very difficult for me to believe that any judge actually would award damages on the basis of this code.

Naturally, SCO says many other examples exist, and it has found at least 10 to 20 specific examples of direct copying. SCO said there was much more derivative code. It claims there are cases in which copied code intentionally was obfuscated and rearranged to hide its origin. I commented I felt such a scenario would be difficult to prove, and indeed I sincerely doubt that anybody would bother.

SCO said that only in the last month or two has it really started analyzing Linux kernels for cases of copying. SCO claims it steadily is finding more cases and that all of this will come out in court.

It's difficult to know what to make of this type of argument. SCO showed me something that appears suggestive but that also apparently is inconsequential. SCO claims to have much more evidence, which I was not shown. It's tempting to conclude this is SCO's best case and it has no strong evidence. After all, if SCO can make its case to somebody like me, then it is in a stronger position for extracting revenue by licensing Linux to customers who are scared of lawsuits. But SCO may have other plans.

I admit that SCO's example unsettled me by what it implies. Although in itself trivial, it does suggest that some Linux contributors may have been careless about copyright infringement. That is unfortunate.

My Questions

After the presentation was over, I asked a few questions. I asked SCO when it expected to go to court. The answer was document discovery and depositions have begun. No court dates are set.

I asked why SCO sent letters to commercial users of Linux distributions, but I was not given a satisfactory answer. SCO said the letter was to make Linux users aware that it believes Linux is tainted and contains unauthorized intellectual property. The letter was to tell the Linux users they may have some liability and should seek advice from counsel. SCO said Linux users then could go through the same process of discovery that SCO presently is going through--but, of course, the users can't, because they don't have the Unix sources. My guess is the letters were to set themselves up for Linux licensing.

I asked whether SCO has any plans to license the Unix code to Linux users, to remove the liability. SCO said it has no current program. It hopes to come up with something in which noncommercial use and educational use would be free, but for commercial use it wants some remuneration. SCO said it hadn't come up with a plan because it still is trying to figure out the scale of the problem. SCO hopes to have some sort of solution by as early as July.

SCO commented that Linux has no mechanism that ensures ownership of the IP which goes into it. It said most Linux developers are honorable, but some commercial entities are bending the rules for their own benefit.

I asked about the lawsuit between AT&T and BSDI. That lawsuit was not ended by a judgment, it was settled between the parties, and the settlement was in large part confidential. SCO, which I presume is the legal inheritor of the AT&T side of the settlement, claims some aspects of the settlement have not been enforced but would not describe it further. SCO has not yet looked into whether, in its opinion, the free BSDs legally are derivative of the Unix sources. I assume if SCO can get a handle on the Linux situation, it'll go after the free BSDs next.

I paused for a while, trying to think of my next question, and Chris Sontag said he had another meeting to attend and left.

Blake Stowell asked me what I would do if I owned some proprietary code, and it was being used by other people without permission. I said that Unix had been widely distributed for many years, had been published in books and was not, after all, actually written by anybody at SCO. I said I didn't think that was easily compared to more conventional situations. Incidentally, Blake Stowell worked at Lineo and joined Caldera in 2001. He agreed that the company had radically changed since that time.

That was the end of the meeting. The rest of this essay discusses a few relevant topics in more detail.

Derivative Works

The key to SCO's case against IBM appears to be an expansive notion of derivative works. SCO basically is arguing that any code developed on top of Unix is a derivative work of Unix. It is arguing that the contract with IBM, which SCO now owns, makes clear that any work derivative of Unix must remain confidential.

SCO is using a very extensive notion of derivative work. When I made that objection, SCO said it was for the court to decide. It is true that, so far as I know, no court has ever ruled on whether one piece of software is derivative of another. The question is whether a court would rule that even software entirely developed by IBM, such as JFS, is a derivative work of Unix because it was developed as a component of a Unix system. I think we can all agree that Unix with JFS is a derivative work of Unix; the question is whether JFS by itself is a derivative work.

In general, the issue is where the boundary lies between derivative works and independent works. All programs run on Unix use a Unix API; do they therefore become derivative works? Presumably not. However, when writing a program that runs on Unix, I might look at Unix source code if I have access to it; does that make my program a derivative work? It seems, from SCO's comments, that it might claim this is so.

I am not a lawyer. However, I hope the courts will not accept SCO's broad definition of derivative work. I think it would be dangerous for free software and for software development in general. Software thrives by extending work done by others. If adding a component to an existing piece of software means the component is owned by the owner of the existing software, then few people will add components. That would not be good for anybody.

It's worth noting that if a court does accept such a broad notion of derivative work, it will weaken SCO's defense against the allegations that Linux code was copied into UnixWare. That would seem to put SCO on the horns of a dilemma; I don't know how it plans to resolve it.

Secrecy

I asked a couple of times why SCO was being so secretive about everything. The answers were not particularly convincing. SCO said it was keeping its evidence secret because it is part of a legal action. The evidence will be presented in court. SCO doesn't want it to be tried in public before it is tried in court.

SCO said the Unix code always has been provided under confidentiality agreements, despite its wide distribution. It said that until the parties go to court, it doesn't want the Linux community to remove the code in question. SCO thinks it's more than changing a few lines of code. As noted above, it feels large chunks are derivative. It argued that even a full replacement would be in part based on the prior effort, and thus would itself be derivative, at least under the terms of the IBM contract.

My guess is SCO would prefer not to have to reveal any of its evidence. My guess is it would prefer to settle with IBM and to use the spectre of liability to get licensing revenue from Linux users. After all, in court SCO might lose. The current situation, in which it makes people feel nervous, is better for SCO. I don't know if I'm right, and if I am right I don't know how it will play out.

Chris Sontag appeared confident when he spoke to me. However, my sense is SCO knows it has a weak hand, one it is playing as strongly as it knows how. I expect SCO to keep upping the pressure in the press, to announce a Linux licensing scheme and to hope to start getting more revenue.

IBM and Patents

IBM is a past master of the IP extortion strategy. For example, see this Forbes article about IBM's shakedown of Sun in Sun's early days. For SCO to attack IBM using IP is somewhat like trying to eat a live tiger.

If IBM starts to feel nervous about this suit, it will unleash its patent portfolio. SCO is certain to be violating a number of IBM patents. Unless some preexisting patent agreement exists between SCO and IBM, SCO surely will lose against IBM's countersuit.

However, for IBM to unleash its patent portfolio against Unix would not be a good thing for free software. After all, Linux probably violates a number of those patents as well. Once the beast is awakened, who knows when, or if, it will go back to sleep. The best hope in such a case is that IBM will recognize the danger of killing the goose with the golden eggs and lay off of its own accord.

It's worth noting that the people running SCO and their lawyers may not appreciate the power of software patents. In my experience, few people outside the profession understand the degree to which every program of any scope violates patents. The software industry today survives only through an unstated agreement not to stir things up too much. We must hope this lawsuit isn't the big stirring spoon.

SCO Says They Are Not Against Linux

One of the last things Chris Sontag said before he left is SCO is not against Linux. SCO likes Linux. SCO wants to get to the point where Linux can move forward.

This may be a deep misunderstanding of the free software process. If Linux becomes encumbered to the point where commercial users must pay a fee, I expect that many independent developers will stop working on it. Linux development will slow down and may eventually stagnate. The people in charge at SCO may not understand that.

On the other hand, Chris Sontag's statement may simply have been cynical and manipulative--the sort of thing that people say to make malicious statements appear fair and open minded, as in "Joe is a bloodthirsty cannibal, but I like him as a person".

Red Hat and SCO

I can't help thinking that as of this writing SCO has a market cap of around $130 million and Red Hat has nearly $300 million in cash and investments. Even at an inflated price, Red Hat could afford to buy SCO and free up Unix once and for all. Live the dream.

Linux Copyrights

I am not a Linux maintainer. But I would like to suggest that this case make the Linux maintainers take the issues of copyright paperwork seriously.

First, I think all Linux contributors should consider their own contributions. Is there any chance that they have contributed code that is copied directly from Unix or any other non-free source? Here I'm not talking about SCO's expanded sense of derived work; I'm talking about direct copying, such as may (or may not) have occurred in the one example SCO showed me. Any such directly copied code should be rewritten in a different fashion, perhaps by somebody else.

Similarly, I think all Linux maintainers should consider the code for which they are responsible and convince themselves that the contributors did not do any direct copying. I personally doubt that anybody is intentionally copying non-free code into Linux. But mistakes can happen.

Removal of any copied code, if there is any, won't affect the lawsuit against IBM, but it may affect legal liability concerns for Linux users.

My next suggestion is that Linus and the Linux maintainers form a foundation to hold copyright declarations for Linux. Linus has made clear in the past that he does not want all the Linux copyrights held in the same place. While that means there is no single party who can be sued about a GPL violation, my impression is Linus thinks that is an advantage.

However, perhaps it would be okay to require all significant Linux contributors to sign papers stating they own the code they contribute and to require their employers to also sign papers. This would be along the lines of the paperwork used by the Free Software Foundation, but it wouldn't actually be a copyright assignment.

Such paperwork would not eliminate the possibility of a mistake, nor the possibility of malicious code insertion. But I think it would make such occurrences considerably less likely. It would force people to think about the issue. It also might permit moving any legal liability for copying from Linux users to Linux contributors, which would be good for users. The increased risk for contributors might make them more careful, though hopefully not too careful.

It would be necessary for somebody to monitor accepted contributions and make sure that copyright declarations are signed by all new contributors before each release. It would be unreasonable to expect Linus or the other central maintainers to do this work.

I would be willing to help set up such a foundation, although I don't think my help is required. The FSF started requiring copyright assignments in the wake of the threats from Unipress over the Gosling Emacs code. Perhaps the SCO lawsuit means Linux needs to start tightening up its IP processes. In an ideal world this would not be necessary, but unfortunately we must all live in this world.

Notes on the Trip

My plane from San Francisco left 90 minutes late. I arrived in Salt Lake City well after midnight and got lost driving to the hotel. The next morning, I locked my keys in the car. Fortunately, Avis repair service showed up in 25 minutes with a new key, but I was then 20 minutes late getting to SCO. Rather than look like a total idiot right off the bat, I told Blake Stowell that I "had trouble with my rental car." He was very nice about it.

My plane leaving Salt Lake City that afternoon hit a seagull shortly after take off. We returned to the airport. After landing, the pilot told us the windshield now had a small crack, and the plane wasn't going anywhere. After disembarking, we were able to look back at the plane--a rather gory sight. I have enough travel experience that I immediately used my cell phone and booked a seat on the next flight out. When that plane left, two hours later, there was still a long line of people trying to get to San Francisco that day.

All told, on the trip I spent about $350, plus 25,000 frequent flier miles, plus 24 hours away from my family. Free software has given me a lot over the years, and I can afford it. If you want to contribute in support of my trip, please make a donation to the Free Software Foundation, the Electronic Frontier Foundation or Amnesty International.

Thanks

Odd though it may seem, I would like to thank SCO for taking the time to talk to me. The people I spoke with had to know when I came in that I would not be on their side. But they played fair, were polite and took me seriously. I'm sure both Chris Sontag and Blake Stowell had better things to do than humor some random free software developer.

This essay received helpful comments from David Henkel-Wallace and Karsten Self.
