Advice Line | Bob Lewis » Legal challenges to virtual machines

March 15, 2008 | Comments: (0)

Legal challenges to virtual machines

TAGS: General

Dear Bob ...

I talked with our PC support group about the topic you've been discussing the past few weeks [see for example "Getting to 21st century IT," Keep the Joint Running, 3/3/2008 - Bob].

The overriding concern voiced is the liability for improperly licensed software. From the company's point of view, we are liable for any illegitmate copies of software on any computer that connects to our network, no matter which virtual machine it is installed in. What would you say to an SPA auditor who came in and found this situation? There was also concern about the cost of three copies of the operating system - one for each virtual machine, etc.

- Concerned

Dear Concerned ...

I wonder to what extent fear of SPA audits prevents good business. In any event, to answer your question (what would I say to an SPA auditor?) I think I'd say, "Show me your search warrant."

Then I'd call my Microsoft sales rep and point out that while I don't have a lot of choice about whether to use Windows on my company's desktops and laptops, nor about whether to use MS Office, I have a lot of choice when it comes to whether I use/continue to use SQL*Server, Sharepoint, Exchange, IIS, and a very wide variety of other Microsoft products.

Yes, it's Microsoft. Microsoft is a business. That means its sales reps want to do more business with you, not less.

I'm not sure of the legal situation when it comes to virtual machines layered on top of physical machines. To the extent I can figure out the Windows EULA, each license is good for one physical machine. I don't think I've seen any prohibition against installing a license more than once on different virtual machines that run on the same physical machine.

In any event, corporations can usually negotiate minor changes in license terms. I'd think this one would be pretty innocuous from Microsoft's perspective.

So far as illegitimate application software, I'm pretty sure (although I'm certainly not an attorney) that as with harassment, a demonstration that the company has exercised reasonable care in trying to prevent abuses is the key issue - not the existence of a small number of "undocumented" applications.

Plus, with both the locked-down and sandbox VMs the company can and should use scanning software to detect and inventory all applications installed everywhere. When something new pops up, IT asks the user to document the software's legitimacy.

That leaves the personal VM - the physical hardware attaches to the corporate network but the personal VM stays outside the corporate firewall.

You educate your employees regarding the rules; a bad apple or two violate the rules. How liable is your company?

I don't know the answer. I do know that Exxon/Mobil is pushing the legal theory that it isn't legally responsible for the actions of the Exxon Valdez's captain. That would seem to be an applicable precedent.

Even if the SCOTUS finds against Exxon/Mobil, I'm pretty sure the harassment standard of taking reasonable care should keep a company out of trouble with this, but it's very hard to say for sure.

- Bob

Posted by Bob Lewis on March 15, 2008 01:03 PM

RATE THIS ARTICLE: