Mail and security appliance vendor Barracuda Networks announced plans today to defend the open-source ClamAV antivirus program from dubious patent threats made by Trend Micro, a prominent security software company. Trend Micro claims that its US Patent 5,623,600 broadly covers the concept of server-based antivirus software on FTP and SMTP gateways.
Trend Micro alleges that Barracuda’s inclusion of the open-source ClamAV server-based antivirus software in commercial network security appliances constitutes patent infringement. Trend Micro has already wielded this patent against Symantec, McAfee, and a number of smaller companies, who have settled out of court despite issuing public statements denying that the patent is valid. For most companies, the cost of settlement is cheaper than the cost of protracted litigation—a factor that companies count on when they attempt to collect licensing money.
The most cost-effective solution for Barracuda would likely be to negotiate a licensing agreement with Trend Micro that provides limited patent indemnity to Barracuda customers (much like the controversial agreement between Microsoft and Novell), but Barracuda is unwilling to consider that option because it would leave all other downstream users at risk. In an effort to protect the ClamAV project and its users from predatory infringement claims, Barracuda has decided to take the matter to court rather than settling. The company announced today that it has already filed for a declaratory judgment that Trend Micro’s patent is invalid.
“Trend Micro’s actions illustrate that ClamAV and other open-source projects remain vulnerable to commercial patent holders attempting to unjustly hinder the free- and open-source community,” said Barracuda CEO Dean Drako in a statement. “Trend Micro appears to be seeking an interpretation of its ‘600 patent such that it would have exclusive control of gateway antivirus scanning. Scanning for viruses at the gateway is an obvious and common technique that is utilized by most businesses worldwide. So this interpretation would mean that anyone, including the owners of the more than one million active ClamAV installations, could potentially be sued by Trend Micro.”
Open source and ubiquitous security
The prevalence and remediation costs of computer-related crimes like identity theft have sharply increased in the past decade. Although harsher penalties and stronger enforcement have done little to stem the tide of cybercrime, evolving security software offers the potential to decrease exposure to threats.
It is important to remember that when circumstances deprive an organization of the ability to provide adequate computer security, society as a whole bears the burden of the aggregate risk. Consider the relevance of this point in the context of gateway antivirus filtering software. If Trend Micro’s patents prevent free distribution of ClamAV and some organizations consequently decide to abandon gateway antivirus filtering altogether, their machines become vulnerable to the risk of infection and could become part of botnets that send more virus spam. A single company’s lack of security software could provide hundreds or even thousands of new nodes for deploying additional viruses through a multitude of vectors, thus contributing to increased security risks for everyone.
The need for pervasive adoption of security software is very clear, but security obviously needs to be affordable before it can become ubiquitous. Open-source development models present a means by which security software can be made universally accessible, even to cash-constrained organizations like government agencies and non-profits (the state of Vermont uses ClamAV on all of its e-mail hubs, where it scans approximately 250,000 messages every day). Unfortunately, Trend Micro’s patent wielding threatens to undermine the availability of open-source gateway antivirus software, to the extreme detriment of universal computer security.
Trend Micro has declined to respond to our requests for comment about whether or not the company intends to target noncommercial ClamAV users, like the state of Vermont.
Trend Micro’s patent threats also discourage the emergence of new commercial and proprietary entrants in the gateway antivirus software market, effectively limiting competition and decreasing the rate at which such software will increase in efficacy. That obviously has a very negative impact on overall computer security.
The search for prior art
Legal filings submitted to the United States International Trade Commission by Barracuda in response to Trend Micro’s suit include a massive list of prior art that spans numerous pages. During our own independent analysis that we conducted prior to reading Barracuda’s legal filings, we also identified a number of the same products as prior art relevant to Trend Micro’s patent.
Barracuda’s research into the prior art is impressively detailed and turned up a few intriguing revelations that we missed. For instance, Barracuda notes that one of the inventors listed on Trend Micro’s patent must have been cognizant of the prior art, because during her previous employment at Intel, she was directly involved with work on the LANDesk Virus Protect product. That particular point provides grounds for challenging the procedural validity of the patent.
“As a second and separate affirmative defense, the ‘600 patent is unenforceable by virtue of Trend Micro’s inequitable conduct in the preparation and/or prosecution of the ‘600 patent,” says a Barracuda legal filing dated June 2007. “In particular, at least Eva Chen, a named inventor on the ‘600 patent who was involved in the preparation and prosecution of the application that led to the issuance of the ‘600 patent, was aware of prior art material to the patentability of the ‘600 patent by virtue of her work at Intel, and failed to disclose such prior art and/or misrepresented such art to the Patent Office and/or the prosecuting attorney.”
Barracuda’s meticulous ITC filing is practically a comprehensive overview of the history of server-based antivirus software in the time prior to Trend Micro’s work in the field. The patent is very clearly without merit, but that hasn’t stopped Trend Micro from using it to threaten ClamAV and extort money from several companies. Situations like this demonstrate a very urgent need for patent reform and illuminate the risks posed by broad software patents, particularly in the area of security.