As the public cloud services market continues to mature and
grow – up from $178bn in 2015 to $209bn in 2016 according to research company
Gartner – the concentration of computing
resources into cloud data centres is increasingly attracting the attention of
NPEs (Non-Practising Entities) as a target for patent litigation. At a time
when data security and privacy risks are front of mind for cloud service
providers (CSPs) and their users, the IP risks to cloud service availability
posed by NPE patent claims are rising up the business agenda.
NPEs are businesses that assert patents
through litigation to achieve revenues from alleged infringers without
practising or commercialising the technology covered by the patents they hold.
NPEs are uniquely well placed to monetise their patents at each stage of the
litigation cycle. They have access to capital and all necessary forensic and legal
resources; as an NPE doesn’t practise its patents, it is immune to a
counterclaim that a defendant might otherwise be able to bring against a
competitor and has no use for a cross-licence that the defendant might
otherwise offer.
NPEs’ activities may attract attention
as arbitraging the patent system, but that is to miss the point: the defendant
in a patent claim brought by an NPE generally has an unattractive real-world
choice between the cost and distraction of litigation and the cost of
settlement which, whilst low in relation to likely litigation costs, is high
relative to the perceived merits of the claim.
According to PwC
in its 2016 Patent Litigation Study, although the number of patent
litigation cases filed in the USA has declined from a high point of 6,500 in
2013 to 5,600 in 2015, this is still almost double the 3,000 or so launched in
2009, and correlates fairly steadily over the last few years at around 2% of US
patents granted. With claimant
success in US jury trials running at over 70% and legal costs and time-to-trial
(2½ years on average) increasing, the PwC report notes that ‘NPEs still carry a
big stick’, with damages awarded in NPE cases three times greater than for
other claimants.
According to the PwC report, software
ranks in the top five US industries for patent claims, with NPE claims
accounting for half the total. Whilst recent US cases[2] have made it more
difficult to patent and enforce computer-implemented inventions, cloud-based
software patent litigation is increasing: NPEs appear to have doubled down over
the last five years, acquiring more cloud patents for their armoury as well as
filing more patent cases.
From an NPE’s standpoint this makes
sense. Claiming that software in the CSP’s PaaS (Platform as a Service) or IaaS
(Infrastructure as a Service) infringes the NPE’s patents can be an efficient
way to threaten alternative objectives: the CSP risks an injunction stopping it
from using the software that embodies the patented technology; and the CSP’s
customers using that software also face disruption as they may be liable both
for their own workloads and for their CSP’s infringing code that they use.
In fact, there is anecdotal evidence to
suggest that claimants may prefer to claim against a CSP’s customers rather
than the CSP itself. Australian patent holder Global Equity Management SA
(GEMSA) was reported in February and June 2016 to have sued a number of Amazon
Web Services (AWS) customers[3] for infringement
of GEMSA’s visualisation and virtualisation patents.[4]
The CSP customers in the GEMSA litigation are large, IP-sophisticated
companies, but most CSP customers usually will have less experience of cloud
IP, will be eager to settle to make the claim go away and (unlike the CSP
itself) will have little interest in solving the problem for others.
This last point is borne out in the
GEMSA litigation where AWS is reported[5] to have claimed
against GEMSA in July 2016 seeking invalidity of two of GEMSA’s patents, noting
in its claim that ‘GEMSA has specifically targeted technology of AWS’ and that
AWS has ‘a direct and substantial interest in defeating any patent infringement
claims relating to AWS services identified by GEMSA in its complaints and
infringement contentions’.[6]
From the CSP’s standpoint all this is
bad enough, but software patent risks are further exacerbated by increasing use
of open source software (OSS) in the cloud. OSS, long in the mainstream, now
commonly powers cloud computing systems. OSS developments are created by
communities of individual developers. With no single holder of software
rights, patent infringement issues are unlikely to be top of mind, and if they
are, developers will generally lack the resources to help them navigate the
risks. Compare this with a corporate developer of proprietary software
who holds all the rights to its technology and has both the incentive to
address patent infringement risks and the legal and technical resources to do
so. The rub is that, simply because they are open, OSS developments and
communities are easier targets for NPEs than proprietary software as they don’t
need to go to the same lengths to discover potential infringement. The softness
of the target increases risk for CSPs using OSS and their users.
Cloud software patent risk is evident
and growing, so it is perhaps surprising that it has figured so little in the
register of perceived risks up to now, especially when data protection, privacy
and information security figure so high. Yet an unsettled cloud software patent
claim runs risks to cloud service availability that are arguably of the same order
as information security risks.
The reason why cloud computing IP risks
have had little public airing so far is probably that, while implicitly
acknowledged, they have yet to be thoroughly expressed and articulated.
For example, in UK financial services, now one of the most heavily regulated
sectors, cloud computing is treated as outsourcing and in its cloud guidance,
the FCA states that regulated firms should:
‘identify and manage any risks
introduced by their [cloud] arrangements. Accordingly firms should carry out a
risk assessment to identify relevant risks and identify steps to mitigate them,
document this assessment, identify current industry good practice … assess the
overall operational risks, monitor concentration
risk and consider what action it would take if the provider failed
….’[7]
IP risks are not called out expressly
but this is clear guidance that firms must identify, assess and plan for all
relevant risks including service availability failure, which could crystallise
due to IP risks.
NPEs are arming for offensive patent
action in the cloud, stocking up their armouries and probing for weakness and
opportunity. Cloud software patent risks have emerged on to the business agenda
and are likely to become increasingly prominent for CSPs, cloud users and
regulators alike.
Richard Kemp is founder of Kemp IT
Law: richard.kemp@kempitlaw.com.
[1] ‘Gartner Says Worldwide Public Cloud Services Market to Grow 17 Percent
in 2016’, 15 September 2016
[2] See for example the US Supreme Court decision in Alice
Corp v CLS Bank, No. 13-298 (June 19, 2014)
[3] Cristina Violante, ‘Travel Sites Hit With Patent Suits Over Menu Bar Tech’,
Law360, 1 February 2016; Melissa Daniels, ‘Amazon Defends Cloud Tech, Customers Against IP
Holder’, Law360, 25 July 2016.
[4] On 24 January 2017, GEMSA announced a pre-trial hearing win in
the litigation, describing its technology as covering ‘three major
technological advance[s] that form the foundation of visualization and
virtualization technologies globally’ and stating that GEMSA ‘has significant
controlling interest and investment in cloud computing innovations and has over
35 patent infringement lawsuits pending against major cloud computing websites’.
(‘GEMSA Wins Court Ruling Against Alibaba, eBay,
Airbnb, And Other Parties’).
[5] Melissa Daniels, ‘Amazon Defends Cloud Tech, Customers Against IP
Holder’, Law360, 25 July 2016.
[7] See ‘FG 16/5 – Guidance for firms outsourcing to the
‘cloud’ and other third-party IT Services’, pp 6 and 7,
FCA, July 2016 (emphasis added).