Intellectual Property in the Cloud: The Patent Troll Threat
Digital transformation is propelling business cloud-wards at prodigious rates: research company Gartner forecasts (pre-COVID-19) that public cloud market will grow 17% in 2020, up from $228bn in 2019 to $266bn. At the same time scale economies are extending the cloud’s reach out from the data centre, connecting billions of intelligent IoT (Internet of Things) devices at the edge: by 2021, one million new IoT devices will be coming online every hour.
The concentration of computing resources into the expanding cloud is becoming increasingly attractive as a target for patent litigation to NPEs, non-practising entities that buy patents to sue others for infringement as their only revenue source. At a time when data security and privacy risks are front of mind for cloud service providers (‘CSPs’) and their customer, the intellectual property risks to cloud service availability posed by NPE patent claims are attracting increasing attention.
NPEs are well placed to monetise their patents at each stage of the litigation cycle. They have access to capital and all necessary forensic and legal resources; and an NPE doesn’t practise its patents so is immune to a defendant’s competitive counterclaim or cross-licence offer. Patent stats show consistently increasing NPE activity. Overall, NPE patent litigation increased 4% in 2019 over 2018, accounting for 58% of new cases in the US District Court. In the cloud sector, NPEs appear to have doubled down over the last five years, acquiring more cloud patents for their armoury as well as filing more patent cases. As the cloud extends out to embrace IoT devices at the edge, early trends in the IoT patent space show a similar picture, with NPEs acquiring more patents and launching more claims year on year.
NPE activities may attract opprobrium as arbitraging the patent system, but that is to miss the point: the defendant in a patent claim brought by a NPE generally has an unattractive real-world choice between the cost and distraction of litigation and the cost of settlement which, whilst low in relation to likely litigation costs, is high relative to the perceived merits of the claim.
From the NPE’s standpoint this makes sense. Claiming that software in the CSP’s PaaS (Platform as a Service) or IaaS (Infrastructure as a Service) infringes the NPE’s patents can be an efficient way to threaten alternative objectives: the CSP risks an injunction stopping it from using the software that embodies the patented technology; and the CSP’s customers using that software also face disruption as they may be liable both for their own workloads and for their CSP’s infringing code that they use.
From the standpoint of the CSP and its customers all this is bad enough, but software patent risks are further exacerbated by ubiquitous use of OSS, which now generally powers the cloud. OSS developments are created by communities of individual developers. With no single holder of software rights, patent infringement issues are unlikely to be top of mind; and if they are, developers will generally lack the resources to help them navigate the risks. Compare this with a corporate developer of proprietary software who holds all the rights to its technology and has both the incentive to address patent infringement risks and the legal and technical resources to do so. The rub is that, simply because they are open, OSS developments and communities are easier targets for NPEs than proprietary software as they don’t need to go to the same lengths to discover potential infringement. The softness of the target increases risk for CSPs using OSS and their users.
Cloud software patent risk is evident and growing, so it is perhaps surprising that the regulatory response has been muted, especially when data protection, privacy and information security figure so large. Yet an unsettled cloud software patent claim runs risks to cloud service availability that are arguably of the same order as information security risks. In cloud guidance, regulators like the UK’s Financial Conduct Authority (‘FCA’) and the European Banking Authority (‘EBA’) do not expressly address IP risks but implicitly consider them in terms of business continuity, customer duties and reputational risk. So, the FCA says that firms should:
“identify and manage any risks introduced by their [cloud] arrangements. Accordingly firms should carry out a risk assessment to identify relevant risks and identify steps to mitigate them, document this assessment, identify current industry good practice … assess the overall operational risks, monitor concentration risk and consider what action it would take if the provider failed ….”
The EBA states that institutions outsourcing to the cloud should:
“should … take into account all of the following: (a) … activities that are critical to the business continuity/viability of the institution and its obligations to customers, (b) the direct operational impact of outages, and related legal and reputational risks, (c) the impact any disruption of the activity might have on their revenue prospects …”
IP risks are not called out expressly, but this is clear guidance that firms must identify, assess and plan for all relevant risks including service availability failure, which could of course crystallise due to IP risks.
CSPs have been quick to respond to growing cloud IP risks as a means of competitive differentiation and offering innovation protections to their cloud customers. For example, Microsoft took an early lead in designing measures to counter NPE cloud patent litigation with its Azure IP Advantage program. Launched in February 2017, the program provides without further charge to eligible customers for their applications on Microsoft’s Azure platform (i) uncapped indemnification coverage against IP infringement claims, (ii) patent pick giving access to 10,000 patents to choose from and use in defence of a claim and (iii) a springing licence, sprung for the customer if Microsoft transfers patents to an NPE. In October 2017, the program was extended to China and in October 2018 Microsoft joined the LOT (License On Transfer) Network to increase the strength of the springing licence component for the broader LOT community. To help customers meet the developing NPE IoT patent threat at the cloud’s edge and in a first for the cloud/IoT industry, Microsoft announced on 28 March 2019 a further expansion by offering cloud to edge, end to end coverage to address patent risk. The program will extend the protections available through Azure IP Advantage to Azure Sphere and Windows 10 IoT for eligible customers.