No Secrets

By Eric S. Raymond

May 28, 2003

You can help stop the SCO attack on IBM and the Linux community. I'm looking for ways that Unix trade secrets may have been legally nullified.

OSI has explained [ http://catb.org/~esr/hackerlore/sco-vs-ibm.html ] why this suit is groundless. Now I want to know if you have ever had read access to proprietary Unix source code (not just binaries and documentation) under circumstances where either no non-disclosure agreement was required or whatever non-disclosure agreement you had was not enforced.

All proprietary Unix and Unix-like operating systems are relevant. I am especially interested in AT&T, USL/Novell/UnixWare and XENIX/SCO versions, but all proprietary versions are interesting. This includes but is not limited to AIX, SunOS/Solaris, and HP-UX. It includes not just living Unix dialects but dead ones as well.

Do not tell me about access to Linux sources or those for the open-source BSD variants. Access to "ancient Unix" (Version 7, Version 6, and older; yes, I know all about the Lions book, so don't tell me about it) is also not interesting; we can prove those were generally available.

I can't talk about how this information will be applied, nor by whom. You'll have to trust me, or at any rate my record as an ambassador of the community, that it will be effective and that I will respect your confidentiality and not disclose any facts about individuals without their express permission.

You can read about Trade Secret Law and Risk [ http://catb.org/~esr/nosecrets/legal.html ] and How To Report Access [ http://catb.org/~esr/nosecrets/howto.html ].

SCO wants to use the courts to attack us and claim control of the Linux code; let's make them rue the day they thought this was a good idea, by proving that they have no trade secrets.

For a particularly entertaining take on this lawsuit, see this Dukes of Hazzard [ http://www.arie.org/doh/ ] parody. There is also an Eminem-style rap song [ http://slashdot.org/comments.pl?sid=65718&cid=6057100 ].


Trade Secret Law and Risk

Trade-secret protection is fragile. It's designed that way. To maintain trade secrecy, the holder of the trade secret has to make a certain minimum effort to prevent it from being disclosed. There is good reason to suspect that SCO and other proprietary Unix vendors have not met this obligation, and can no longer claim trade-secrecy status in the Unix code.

The one time a judge has looked at this question, during the AT&T-vs-Berkeley lawsuit in 1993-94, he denied AT&T an injunction, noting that he thought it likely that AT&T had forfeited trade secrecy simply by selling source licenses in the way they had been doing.

How to break trade secrecy

The following are all scenarios that could compromise trade-secrecy protection on Unix source code:

Enough evidence of these kinds with respect to any given Unix version would nullify the trade-secret status of the code.

If you still have copies of proprietary Unix source code, or can provide me with a live download pointer to same, that is especially interesting.

Legal risks

You take no risk by telling me you have had read access to Unix source code.

You should not be at risk in giving me download pointers to source unless you are yourself bound by an employment contract or nondisclosure agreement with respect to the source — under trade-secret law, it only takes one uncontrolled link in the chain for you to be in the clear.

Giving me an actual copy of source code, on the other hand, would need to be handled carefully to avoid copyright violation.

Please note that I have no intention of violating anyone's intellectual-property rights — rather, I am seeking instances in which some of those rights have been actually forfeited under controlling law.


How To Report Access

Here is a sample response in a useful form:

%%No-secrets 1.0:
Name:      Eric S. Raymond
Email:     esr@thyrsus.com
Version:   System V Release 1
When:      June 1986
Where:     Rabbit Software
Who:       co-worker
Public:    Yes
Affidavit: Yes
Have-Copy: Yes
%%

If there are special circumstances you think I should know about, feel free to include a text explanation afterwards.

Here is an explanation of the fields:

  1. Name: Your full legal name. Reports under an alias or handle will be ignored.
  2. Email: A valid return email address.
  3. Version: The OS name, version, and release.
  4. When: The date you gained access. Year is good; year and month is better.
  5. Where: Where it happened. You may omit this information if you believe some person could be placed at legal risk by it.
  6. Who: Your relationship to the person who gave you access, or to the institution where you got it. Were you a student, an employee, a colleague, a friend?
  7. Public: Whether you are willing to have your report be public.
  8. Affidavit: Whether you are willing to sign an affidavit to the effect that you had this access.
  9. Have-Copy: Do you still have access to a copy?

You may think your story is too typical to need reporting, but don't let that stop you. I want to be able to show dozens, hundreds or even thousands of examples of disclosure — a pervasive and continuing pattern of failure to do what is required to maintain trade secrecy under the law. The privacy of individual whistleblowers will be respected.

Please consider copying the above, changing the response to describe your access, and sending it back to me. I expect to receive hundreds or perhaps even thousands of responses; getting them in a form easy for analysis scripts to process would be a good thing.
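
An added example, not part of the original page and not the author's own tooling: a small Python parser for the report format above, of the kind an analysis script would need. Case-insensitive keys, accepting the "Affadavit" spelling, and treating only Where as optional are assumptions; the sample record is constructed.

```python
# Keys are matched case-insensitively so "Have-copy" and "Have-Copy" both parse.
FIELDS = ["name", "email", "version", "when", "where", "who",
          "public", "affidavit", "have-copy"]
ALIASES = {"affadavit": "affidavit"}  # assumption: tolerate this misspelling
YES_NO = {"public", "affidavit", "have-copy"}
OPTIONAL = {"where"}                  # the page allows omitting Where

def parse_report(text):
    """Parse one No-secrets 1.0 report; return (fields, notes, errors)."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip().lower() != "%%no-secrets 1.0:":
        return {}, "", ["missing '%%No-secrets 1.0:' header"]
    fields, errors = {}, []
    end = next((i for i, l in enumerate(lines) if i and l.strip() == "%%"), None)
    if end is None:
        errors.append("missing closing '%%'")
        end = len(lines)
    for line in filter(str.strip, lines[1:end]):      # skip blank lines
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        key = ALIASES.get(key, key)
        if not sep or key not in FIELDS:
            errors.append(f"unrecognised line: {line.strip()!r}")
        elif key in fields:
            errors.append(f"duplicate field: {key}")
        elif key in YES_NO and value.lower() not in ("yes", "no"):
            errors.append(f"{key} must be Yes or No")
        else:
            fields[key] = (value.lower() == "yes") if key in YES_NO else value
    for key in FIELDS:
        if key not in OPTIONAL and fields.get(key) in (None, ""):
            errors.append(f"missing field: {key}")
    # Free text after the closing marker is the optional explanation.
    notes = "\n".join(lines[end + 1:]).strip()
    return fields, notes, errors

# Constructed sample: omits Where, uses the variant spellings, adds a note.
SAMPLE = """%%No-secrets 1.0:
Name:      Jane Example
Email:     jane@example.org
Version:   System V Release 1
When:      1990
Who:       student
Public:    No
Affadavit: Yes
Have-copy: No
%%
Constructed note: access was on a shared lab machine.
"""
```

The Public field is returned as a boolean so that downstream handling can withhold any record whose sender answered No.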

Mail all responses to me [ esr+nosecrets@thyrsus.com ]. Please use the subject line "No secrets".


Copyright 2003 http://catb.org/~esr/nosecrets/