How software escrow could help you keep software suppliers in
line
OUT-LAW Radio, 24/07/2008
We look at the esoteric world of software escrow to find out if
it can give your company the edge in negotiating with suppliers
A text transcription follows.
This transcript is for anyone with a hearing impairment or who
for any other reason cannot listen to the MP3 audio file.
The following is the text spoken by OUT-LAW journalist Matthew
Magee.
Hello and welcome to OUT-LAW Radio, the weekly podcast that
keeps you up to date on all the twists and turns in the world of
technology law.
Every week we bring you the latest news and in depth features
that help you to make sense of the ever-changing laws that govern
technology today.
My name is Matthew Magee, and this week we look into the
mysterious world of software escrow.
But first, the news:
ISPs and content producers agree on piracy action
and
Top EU Court makes the link between data security and human
rights
The UK's six major internet service providers have agreed to
write to 1,000 of their subscribers a week on behalf of the music
and film industries warning them not to engage in copyright
infringing file-sharing.
The Government brokered deal will involve the creation of a code
of practice on what to do with persistent illegal file sharers.
No decision on that has been made yet but telecoms and media
regulator Ofcom will help ISPs and the content industry agree on
whether or not customers' internet access should be disconnected if
they do not heed warnings.
Kim Walker is an intellectual property law expert at Pinsent
Masons, the law firm behind OUT-LAW and he says that Ofcom's
involvement could be crucial.
Walker: I think it's rather convenient for everybody that Ofcom
is going to be involved in the consultation on what sanctions might
be involved because that has just postponed the decision and rather
conveniently taken it out of the hands of the ISPs. It would rather
indicate that Ofcom might end up having to advocate some sort of
change in the law to make it practically easier for everybody to
take action.
The European Court of Human Rights has ordered the Finnish
government to pay out €34,000 because it failed to protect a
citizen's personal data. One data protection expert has said that
the case creates a vital link between data security and human
rights.
The Court made its ruling based on Article 8 of the European
Convention on Human Rights which guarantees every citizen the right
to a private life. It said that public bodies and governments will
fall foul of that Convention if they fail to keep data private that
should be kept private.
The woman in the case, who had AIDS and argued that a hospital
did not protect her medical records well enough, did not have to
show a willful publishing or release of data, it said. A failure to
keep the data secure was enough to breach the Convention.
Data protection law expert, Dr Chris Pounder of Pinsent Masons,
said that the ruling could be crucial as controversies mount over
government agencies' loss of citizens' personal data.
"The judgment is important because it links security of personal
data to the human rights framework," said Pounder. "Organisations
have to be proactive in their security practices and procedures. It
is not sufficient to say that 'we will do something' security-wise
– it will be important to show that that something has been
done."
That was this week's OUT-LAW News.
Buying software when you are a company is nothing like doing it as
a consumer. You or I might get by on a couple of office products
from Microsoft and a photo-retouching program for those Christmas
day red eyes, but companies have such varied and specific needs
that they have to buy incredibly specialised products from often
quite small developers.
It may only occur to one of those companies when it is too late
but once it has signed a contract its fate is – to an alarming degree
– intertwined with that of the software firm.
If you are a corner shop and your brown paper bag supplier goes
bust, you just find someone else to sell you brown paper bags. But
if you are a company that punches the holes in cheese graters and
there is only one cheese grater hole punching piece of software to
run your machines and then that company goes bust, your whole
business is in danger.
So what do you do? Well, the first answer is, think of this
before you sign your software contract and then look into an
esoteric little corner of the business world called software
escrow.
Escrow is what happens when two people hand over valuables to a
trusted third party to be released when certain conditions are met.
Software escrow is a kind of insurance against your provider going
bust, or even against just poor service.
Pinsent Masons software law expert Charles Park explained
exactly what goes into escrow.
Park: The majority of software code is written
in source code and then compiled into object code and what you as a
customer receive for running your applications is object code and
the source code which is described as human readable is kept by the
developer or the creator of the software. And that because it is
human readable has a value and is often described as the Crown
Jewels of the software developer and obviously if you don’t have
that as a customer then your ability to do anything with that code
without relying on the original software developer is extremely
limited. That source code is put in an escrow safe situation and in
certain circumstances a customer can have access to that source
code.
Escrow services are run by someone independent of the two
parties to a software contract such as archiving firm Iron Mountain
or NCC. Everyone agrees on a set of what are called release events.
If any of these things happens, the customer company automatically
gets a hold of the software source code. Jon Leigh, NCC's director
of escrow solutions, outlines what those events usually are.
Leigh: There are four standard release events
that we have in our standard template agreements. One of which is
as I said going out of business, one of which is ceasing to trade
which is pretty much the same thing but they decided to do so.
Another one of which is failure to maintain which means in this
case they actually have failed to carry out contractual maintenance
obligations and the fourth one of which is assignment. So whereby
if the software provider actually assigns the IPR software to
another company that other company also needs to take over the
obligations of the escrow agreement and if they failed to do so within
a certain timeframe that also constitutes a release event.
So your supplier has gone belly up or has stopped caring about
you and now you are the proud holder of hard drive after hard drive
of software source code.
But software is notoriously inconsistently produced – sure there
are rules about how to create clean, legible, usable model software
but developers are famous for ignoring them. So is the material you
actually get of any use? Park said that the quality of what you get
is crucial.
Park: It depends on people and the people might
be programmers and it be written in a language which is reasonably
accessible and it has been written in a pure form so people who
were not involved in its original creation can get to the code and
do what they need to do with the code. I think bad programming
would make a mockery of quite a few escrow arrangements.
Leigh says that there is a way at least partially around this
problem. NCC and other escrow providers offer an additional service
which should help to keep the released software in a usable
form.
Leigh: One of the key products that we have
which has a very high take-up is something called full verification
whereby we go through a process with the software owner and then
also involving the end user, of taking that source code and
building it into the executable application and writing a big
manual as to how to do it, what environment to do it on etc, etc
and then providing that to the user. Now that means that, first of
all what we're holding is correct but secondly we have actually got
a very good starting point for anybody to pick up that source code
and understand how it is actually maintained and build it. That is
something that is very important to users. Now without that I
think it would be very hard, to be very honest with you.
But the quality of the source code is for many people completely
irrelevant. In fact for many users of escrow services its main
benefit is not the retrieval of software code of dubious quality,
but the threat of forcing that retrieval. It is, says Park, like a
sophisticated form of insurance.
Park: If you go back to the original premise it
is the crown jewels of the developing company and what the
developing company does not want is that being made available more
generally, then the fact that escrow might be triggered and that
the source code might get out of their control is a reason for them
to take the issue that much more seriously. Certainly where I have
come across it, it has actually been in situations where it has
been effectively default in the maintenance obligations that cause
the concern and then when you are advising the customer you are
saying, well if you carry on this way then you have got a good
lever in terms of the escrow release and commercially it puts
pressure on.
Perhaps the greatest testament to how escrow works as insurance
more than anything is how seldom software is actually released from
escrow. NCC's Leigh again.
Leigh: We have in the region of about 8,000
agreements. Going to the actual release as in physically releasing
rather than as I said the scenario of it could have been released
but they ended up working with the new owner, we would get
typically no more than about 50 a year.
In deteriorating economic conditions that release rate rises,
and Leigh said that it is likely to rise in coming months as the
economy falters.
According to Park, escrow is just one part of the increasingly
vital planning that a firm should engage in for all its
technology.
Park: Corporate risk and business continuity
are things that have moved up the corporate agenda in most larger
organisations and I would say SMEs are following on from that. Even
if a company does not go down the route of escrow it needs to
understand where its dependencies are particularly on smaller
suppliers of key applications.
That's all we have time for this week, thanks for listening.
Why not get in touch with OUT-LAW Radio? Do you know of a
technology law story? We'd love to hear from you on
radio@out-law.com.
Make sure you tune in next week; for now, goodbye.
OUT-LAW Radio was produced and presented by Matthew Magee for
international law firm Pinsent Masons.