Thursday, October 27, 2016

SAM Practitioners: Watch Out for This Source Code Escrow Disaster


When your enterprise acquires a mission critical software package or suite, it is vital that you include a "source code escrow" clause in the license agreement. The practice is intended to ensure that, should the software publisher shut down, go out of business, or become the target of a buy-out, you will still have access to the original source code for your application. Essentially, the full source code is deposited with an independent third party (the escrow agent) for later release and use. Unfortunately, the source code escrow safety net has frequently become a casualty of sharp business practices.
Government Software Asset Managers: Be VERY aware of source code escrow. This single contractual clause is nearly as critical to your ongoing operations as the software products themselves. Also, to be fully compliant with FITARA and/or MEGABYTE, this clause should always be utilized as a key element of due diligence in technology spending.
The way escrow was originally designed to work is simple: the software publisher deposits the source code for your specific version/release of the application with the escrow agent. If the publisher goes out of business (or otherwise triggers the release conditions written into the agreement), you have the right to obtain that source code, so that your mission critical application doesn't fade away with its publisher. Your enterprise retrieves the code and continues building, patching, and running the product, theoretically without interruption.

Real World: We've seen multiple instances of major software publishers that have been bought out by competitors who have immediately ceased all support of the acquired publishers' applications, with the specific intent of forcing consumers to acquire an entirely new product line when the first is no longer available. Source code escrow is the only recourse for a consumer who finds their applications have been phased out.

In recent years, however, escrow has in practice worked anything BUT effectively. On one hand, software publishers tend to be hesitant to genuinely deliver working source code to the escrow agent. Instead, they may (intentionally or not) deliver the wrong code, an incomplete tree, or code that is defective and cannot be built. On the other hand, a publisher may deliver perfectly valid code that is then never checked: nobody confirms that it transferred intact, that it matches the version actually in production, or that it can be compiled and run.


The bottom line is that, when the consumer finally attempts to use the deposit, it is essentially useless: it won't build or run at all, or it is for the wrong product, version, or release. The end result is a source code escrow safety net that fails to provide its intended value, leaving the consumer holding a mission critical application that is gradually failing to function and no practical way to maintain it.


Resolution: When negotiating for ANY mission critical application, always include a source code escrow process. Fully define that process and include very specific procedures for periodic verification of the deposit, so that the code you THINK is available for your safety net genuinely IS available and is the correct version/release to match the product you are using. At a minimum, verification should cover three things: a file-level integrity check of the deposit against a manifest recorded at deposit time, a test build (and ideally a test run) from the deposited sources in a clean environment, and a comparison of the deposited version/release against what is running in production. Also ensure that the agreement provides for transfer, storage, and re-verification of every future upgrade, patch, fix, or modification to the base code, since a deposit that is never refreshed drifts away from the product you actually run.
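The file-level integrity check and the version comparison described above can be automated. The following is an added example, not code from the original post or from any escrow agent: it assumes the publisher (or the escrow agent) produces a manifest of SHA-256 hashes at deposit time, that the consumer keeps that manifest separately from the deposit itself, and that the deposit carries a VERSION file naming the release. The sample source trees are constructed in a temporary directory purely for the demonstration; the names (`build_manifest`, `verify_deposit`, the `RELEASE_4_2_1` tree) are illustrative.

```python
"""Verify a source-code escrow deposit against a hash manifest.

Added example, not code from the original post. Assumptions: at deposit time
the publisher (or the escrow agent) produces a manifest mapping each file's
relative path to its SHA-256, the manifest is kept by the consumer separately
from the deposit, and the deposit's VERSION file names the release. All sample
trees below are constructed in a temporary directory for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large deposits never load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_deposit(deposit: Path, manifest: dict, expected_version: str) -> dict:
    """Report what differs between a deposit and the manifest it should match."""
    actual = build_manifest(deposit)
    common = manifest.keys() & actual.keys()
    version_file = deposit / "VERSION"
    found_version = version_file.read_text().strip() if version_file.is_file() else None
    return {
        "missing": sorted(set(manifest) - set(actual)),      # in manifest, not deposited
        "modified": sorted(p for p in common if manifest[p] != actual[p]),
        "unexpected": sorted(set(actual) - set(manifest)),   # deposited, not in manifest
        "version_ok": found_version == expected_version,
    }


def deposit_is_valid(report: dict) -> bool:
    """A deposit passes only if nothing is missing, changed or extra and the version matches."""
    return (
        not report["missing"]
        and not report["modified"]
        and not report["unexpected"]
        and report["version_ok"]
    )


def write_tree(root: Path, files: dict) -> None:
    """Create the sample files (constructed for this demo) under root."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


# Constructed sample: the release the consumer actually runs in production.
RELEASE_4_2_1 = {
    "VERSION": "4.2.1\n",
    "src/main.c": "int main(void) { return 0; }\n",
    "src/util.c": "int helper(int x) { return x + 1; }\n",
}


def demo():
    """Return (report for a faithful deposit, report for a mishandled deposit)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "deposit_ok"
        bad = Path(tmp) / "deposit_bad"
        write_tree(good, RELEASE_4_2_1)
        manifest = build_manifest(good)  # recorded at deposit time, kept by the consumer

        # Mishandled deposit: one file altered, one dropped, a build artifact
        # left behind, and a VERSION that does not match production.
        write_tree(bad, {
            "VERSION": "4.3.0\n",
            "src/main.c": "int main(void) { return 1; }\n",
            "build/stray.o": "not source\n",
        })
        return verify_deposit(good, manifest, "4.2.1"), verify_deposit(bad, manifest, "4.2.1")


if __name__ == "__main__":
    ok_report, bad_report = demo()
    print("faithful deposit valid:", deposit_is_valid(ok_report))
    print("mishandled deposit valid:", deposit_is_valid(bad_report), bad_report)
```

The manifest must be generated (or at least witnessed) by the consumer at deposit time and stored outside the escrow agent's custody; a manifest that lives beside the deposit verifies nothing, because whoever replaced the code could replace the hashes too. The hash check catches transfer corruption, substituted files, and version drift, but not a deposit that is complete yet will not compile, which is why the test build remains a separate step.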

All of this becomes even more critical when so-called cloud services enter the mix. Keep in mind that a clear majority of cloud storage service contracts include a clause that permits the service provider to relocate your stored data to another server, anywhere on the planet, without notifying you and without your consent. The end result is that you may simply not know the condition, or the location, of your escrowed code, which is a potential (probable?) disaster scenario.


Failure to take these basic steps during the original negotiations with the software publisher can expose your enterprise to sharp practices, whether deliberate or unintentional, that could easily spell complete failure of a mission critical application in the long term.


As usual, there is much more to source code escrow than we can cover in this briefing. For software life cycle management training, check in at TAMInstitute.org for additional strategies and tactics that genuinely work in the real world.

Tuesday, October 25, 2016

Killing the Risks of Click Licenses



No matter what you may wish to say about software publishers (and their legions of lawyers), they are definitely not stupid. Click-wrap licenses are an excellent case in point. Essentially this scam (sorry… I couldn’t think of a more applicable word) entraps your enterprise in a product license agreement you have never seen. And…conveniently enough, the same software industry lawyers have made sure to prove in court that these nearly invisible agreements are 100% legally binding.

In most cases, a click-wrap license appears via the Internet where ANYONE using your enterprise systems can lock you into an unexpected license (or other) agreement by clicking on a check box, NOT clicking on a check box, or even simply by accessing a given URL. They also very frequently appear when technicians “update” a working application or even when applying patches to existing defective products. We’ve all done this: stepping through a seemingly endless install process by clicking through the dozens of default settings.

Ever done a PDF application upgrade and ended up with an entirely new anti-virus? Then you know what a pain in the neck click-wrap is.

You will also discover that a majority of click-wrap licenses are (intentionally) designed to make it difficult – even nearly impossible – to read or print. Frequently, that tiny little two-inch square box on your screen hides a 15 page single-spaced license agreement. If the only way to document all this licensing content is to scroll through the text box and print it out 3 lines at a time using Print Screen, you should recognize that you have a high risk license on your hands.

In another very costly insult added to the click-wrap experience, over two-thirds of major click-wrap licenses intentionally supersede your carefully negotiated previous licenses with a seriously onerous new agreement.

A final, very popular, version of the click-wrap agreement is that the license clause may also permit the software publisher to “…modify the terms of this agreement at any time…”
NO! Do NOT allow ANY software industry player to include this clause in ANY license. If you do, you will pay a heavy price – literally.

For the large organization, unauthorized click-wrap licenses can represent tens of millions of dollars in invisible, unexpected, and unbudgeted license, support, and/or maintenance fees, not to mention the long term risks represented by the undocumented nature of this type of agreement. For the small enterprise, this perfectly legal game could become a crippling drain on the meager bottom line.
 
Resolution? From this point forward ensure that ALL software-related agreements contain a very clear statement that… “This license may not be superseded by any future agreement without direct written approval by both parties…” Get your lawyer to write this so it follows all the rules. And don’t forget to eliminate that “…modification…” clause mentioned above.

In terms of existing licenses, you are probably not going to be “allowed” to modify the agreement to add this clause. Here’s what you need to do: Make it very clear to any software industry player who wants to play this game that you will NOT participate, and do it in writing. Ensure that, every time you interact with this product supplier, you make it clear that you are willing to remove their products from your systems and replace them with a product developed by a software publisher that is honest and above-board in their licensing frameworks. If the given product developer wants to continue the game, displace their products.


Is your organization part of the FITARA or MEGABYTE Act initiatives in the U.S. Government? We've seen the end results of click-wrap style licensing in multiple government settings and a little proactive license work such as this can drastically reduce the IT/software spend. This content applies to you as well.


Is there more depth to this topic? Absolutely! However, I’m writing a brief (?) blog entry, not teaching a Software Asset Management (SAM) or Technology Asset Management (ITAM) course in this venue. If you want the courses, check out the Institute web site. Our professional development programs cover significantly more competencies than anything else available on the planet.

Friday, October 21, 2016

Data Center Consolidation in Your Near Future? Watch Out!!



If your organization is planning on merging, consolidating, or moving a data center, you need to become very aware of the hidden risks involved in the process. As enterprises grow, expand, or even shrink, they find themselves involved in significant modifications to traditional data centers.

Is your organization impacted by FITARA or the MEGABYTE Acts? These professional development programs are precisely what you need to succeed.

Here's Your Warning: "Renegotiate, or negotiate, ALL software agreements to integrate potential data center modifications, without additional costs, into the terms and conditions of the license, support, and/or maintenance agreement." Failure to do so can easily double, even triple, your software costs.

As an effective software asset manager (SAM) or IT asset manager (ITAM) you should already have done this. Unfortunately, very few SAMs have been trained to competence in managing data center-sized issues. Oh... And don't expect your acquisitions or purchasing people to address these issues (very frequently, they simply don't know about the long term licensing risks).

Failure Factor? Your mainframe-related software publishers can – and WILL – void your licenses when you make changes to the data center environment. (They’ll cite “breach” but, like many other software issues, it’s all about how much money they can siphon out of your enterprise.)

Real World: During a recent data center merge, a major mainframe software publisher voided all licenses due to the change and demanded the enterprise re-purchase all products. Cost? Over $12 million – and that was only one of the dozens of software publishers with products on the systems.

Resolution: If you are negotiating new software agreements, or updating old agreements, ensure that you include a VERY CLEAR clause permitting changes to the data center – with no penalties. Also ensure that no clause or agreement is permitted to supersede your negotiated license agreements.

Want to know more? Look over the Institute professional development programs: Core SAM & Extended SAM cover more Software & Copyright Compliance Assurance and Software Life Cycle Management competencies than any other programs in this class.