Legal implications of serving as a software escrow agent

by Ragnar Schierholz

Does anyone have experiences with serving as a software escrow agent? What are legal liabilities of the escrow? We've been asked whether we would provide such a service, but I am hesitant to engage in major liabilities. Any hints very welcome.

Software Escrow Agent is a legal mechanism to protect clients of individual software development from the danger of bankruptcy of the software developer. I am not a legal expert but from what I could find out on the web, the source code is deposited at an escrow agent and the escrow agent testifies that the source code belongs to the software in question.

The latter is the point I am interested in. If there is a case and the source code is actually needed, imagine it turns out it is not the code for the software in question. How is the liability of the escrow agent? In particular, the legal situation in Switzerland would be of interest, but any other country would be interesting as well.

Comments

Typically software escrow services are handled by Notaries (Notar). Most of the time they would limit their responsibilities to hand over the sealed envelope if the conditions (bankruptcy, death etc.) have been proven.
For the testification you run pretty high risk unless you can prove due diligence (im Verkehr erforderliche Sorgfalt). What works relatively well: the developer checks in the versions into a version control system owned by the escrow. The build runs on the escrow machine and the resulting binaries are compared to those of the developer -OR- the resulting binaries are the ones delivered.
Hth
;-) stw

Thanks, Stephan, that sounds like a pretty decent model.
We've actually been contacted by a notary who wanted someone to testify that the code is the one for the delivered software.
Running the build process on the machine of the escrow agency obviously lowers the liability risk to almost zero. Also it means substantial efforts for the escrow though, if the service is to be offered commercially for all kinds of development environments.

There are a number of scenarios you can think about. At the end of the day it is a question of risk assessment. How important is the escrow? Depending on that various levels of service could be thought of. The build process at the notary probably is the highest security. The other could be a sealed machine that runs the build either at the developer or (better) customer side. It would pull the data through the version control system on the notary's server. Sealed would mean: Physically locked (get your local safe builders something to do) and a hardened OS where the customer has no access. The resulting binaries would be made available with HTTP or mailed through SMTP.
At the end of the day it depends on the value of the deal. Eventually the number of environments you need to provide is quite limited. Very likely Intel base would be sufficient as a first step... and there is VMWare.
:-) stw
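
The comparison step suggested in the comments above (build from the escrow's own version control, then check the result against what the developer delivered) can be sketched as follows. This is an added example, not code from the post or its commenters; the function names, record fields and sample file names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def tree_digests(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests

def compare_builds(escrow_dir, delivered_dir, revision):
    """Check that every delivered file was reproduced bit-for-bit by the escrow build."""
    built, delivered = tree_digests(escrow_dir), tree_digests(delivered_dir)
    common = built.keys() & delivered.keys()
    record = {
        "revision": revision,  # version-control revision the escrow built from
        "mismatched": sorted(p for p in common if built[p] != delivered[p]),
        "unreproduced": sorted(delivered.keys() - built.keys()),
        "extra_in_escrow_build": sorted(built.keys() - delivered.keys()),  # informational
        "delivered_digests": dict(sorted(delivered.items())),
    }
    record["verified"] = not (record["mismatched"] or record["unreproduced"])
    return record

def demo(tampered):
    """Constructed sample trees; 'tampered' alters one delivered file and adds another."""
    escrow = {"app.bin": b"build-output-1", "lib/core.so": b"core-v1"}
    delivered = dict(escrow)
    if tampered:
        delivered.update({"lib/core.so": b"core-v1-patched", "plugin.so": b"unknown"})
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in (("escrow", escrow), ("delivered", delivered)):
            for rel, data in files.items():
                path = os.path.join(tmp, tree, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        return compare_builds(os.path.join(tmp, "escrow"),
                              os.path.join(tmp, "delivered"), "rev-constructed")

if __name__ == "__main__":
    print(demo(tampered=True))
```

A bit-for-bit comparison only succeeds when the build is reproducible; embedded timestamps or build paths show up as mismatches even when the source is the right one.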

Ceci n'est pas un blog

vowe.net is a personal website published by Volker Weber a.k.a. vowe. I am an author, consultant and systems architect based in Darmstadt, Germany.


© 1992-2008 Volker Weber.
All Rights Reserved.
