Could Provisioning Services in the Cloud Lead to Big Fines?

By Jeff Vance

(Back to article)

Of all the perceived barriers to the widespread adoption of computing in the Cloud, the meddlesome issue of software licensing is rarely discussed. Leave it to legal, is the prevailing mindset, but licensing is no longer just a legal issue. Increasingly, to avoid violating detailed agreements, IT needs at least a cursory knowledge of the problem.

“The violation of agreements comes usually with large-scale enterprise seat licenses, but it is less of an issue than many people think―unless the underlying agreement only permits a copy of the software to be on a server (or servers) in the office of the company (that is, the licensee) or under the control of the company,” said James Roberts III, managing partner at The Global Capital Law Group.

Just from Roberts’ wording of the issue (and, yes, he’s a lawyer), you can already start to get a sense of the legal thicket you’re wading into as you embrace virtualized environments and new computing models. “The bigger issues arise with the data, especially when it is third-party data,” Roberts added.

How, exactly, do you craft a license to handle data you have the right to use but you don’t actually own? And what constitutes ownership of data, anyway? As a reporter, I deal with an issue related to this all the time: copyright law. If I’ve observed some fact from an analyst report or I’ve culled it from researching another publication, and I remember that fact later when I’m writing my own story and use it unattributed, am I violating copyright law?

The in-house, one-copy per server agreements present the same sort of trouble in today’s rapidly evolving business environment. Is a remote office with a VPN connection to headquarters violating the terms? A contract worker in another facility? An employee working from home for the day? Technically, these scenarios could all constitute violations.

“This issue first arose when people first started outsourcing. Hiring a third party is every bit as problematic, and that issue hasn’t really been tackled,” said Heather Meeker, chair of the IP/IT Licensing and Transactions Group for law firm Greenberg Traurig.

Licensing is already evolving, with the old shrink-wrap, perpetual licenses slowly but steadily being phased out. But what if you rely on legacy software? “The biggest risk is the legacy software where you just update the license year after year without any renegotiation,” said Meeker.

Are You at Risk?

According to Meeker, big companies must always worry about audits. Most software licenses have an audit clause within them. If the vendor believes you’re violating the agreement, they’ve already negotiated the right to audit you. Getting into legal disputes with your customers isn’t the best way to keep your customer base happy, so this threat is mostly confined to large enterprises (the operative word here being mostly).

“If you’re a big company, you should be worried,” Meeker said, “but you likely already have a compliance program in place.”

There are cautionary tales out there of software vendors’ sales teams reporting back on violations. A sales rep may learn about a misuse while renegotiating terms or selling new software/services, but these cases are rare and usually involve an organization that doesn’t even realize it is violating the terms of its license. Vendors have to tread lightly in these cases. Chances are they’re owed additional fees, but they can’t act too aggressively for fear of alienating customers; except for the most grievous cases.

For mid-sized organizations on down, the risk is small, except for three specific instances. “We’ll see software audits, or the threat of them, when a startup is seeking funding or companies are negotiating an M&A,” said Vaughn Bunch, a technology transactions attorney for the Oaks Technology Law Group.

The other instance is that grievous case where companies are intentionally violating their licenses and hoping they don’t get caught. “If you hear from the Business Software Alliance (a trade group that works to fight piracy and enforce software licenses), you should expect an audit,” Meeker said. “When the BSA calls, usually you were ratted out by, say, a disgruntled employee.”

If you think Meeker is exaggerating, take a moment and scroll through the recent BSA press releases and you’ll find case after case where individuals and companies have lost lawsuits or paid steep settlements due to piracy or license violations.

A Cloud Vendor’s Take

Rich Wolski, CTO and co-founder of Cloud-computing startup Eucalyptus Systems and professor of Computer Science at UC-Santa Barbara, encounters two main licensing problems as he and his team at Eucalyptus work with software vendors.

“The first is with service providers where a hosting service wishes to provide paid access to a software application or operating system produced by a third-party vendor where a ‘blanket’ license cannot be obtained,” he said.

In essence, the service provider needs to be a licensed reseller of the software, but many types of software do not permit resale or limited-use rentals. The only ways around this are to find an alternative vendor, roll your own out of open-source projects or negotiate a custom license.

The second problem Eucalyptus typically runs into is with the provisioning of license capacity. “Our customers run private Eucalyptus Clouds on their own infrastructure. Their goal is to host their legally licensed software in their Eucalyptus Cloud for their own internal use,” Wolski said.

The problem is the nature of virtualization and the Cloud. As customers realize the dynamic nature of new infrastructure and start firing up 20 servers with no pre-planning, or if they start shuffling assets all over the organization, the allure of flexible, fast provisioning could heighten the risk of license violations.

“Because Clouds can provision different application stacks dynamically in response to user demand, companies must take care to make sure that enough licenses are present to satisfy the maximum supported demand,” he said.

If this sounds like the shelfware problem all over again, it’s because it pretty much is. Vendors, of course, will want you to subscribe for peak demand, while most organizations would rather achieve the better ROI that comes from subscribing only for the high-end of actual demand.

Unlike shelfware, though, Cloud over capacity should eventually be handled through new licensing models, such as metered use. Until new licensing models are commonplace, however, you’ll have to be cautious as you migrate to the Cloud. An unexpected lawsuit will quickly erode the bottom-line boost you expected when you embraced these new computing models.

7 Ways to Avoid Violating Software Licenses

1. Negotiate new deals that take new computing (and business) environments into account.

2. Make software-license compliance part of your larger compliance program and automate it.

3. If you know you are violating licenses, don’t anger or fire your employees, who may well report you to the BSA.

4. Don’t blindly re-up legacy software. Those licenses are almost certainly out of date.

5. Embrace open source software.

6. Stop buying shrink-wrap software and migrate to subscription-based software.

7. Work with a Cloud or SaaS vendor who will license you the software and handle the larger licensing headaches for you.

Jeff Vance is a freelance writer and the founder of Sandstorm Media, a writing and marketing services firm focused on emerging technology trends. If you have ideas for future stories, contact him at jeff@sandstormmedia.net or visit www.sandstormmedia.net.