Legal implications of serving as a software escrow agent

by Ragnar Schierholz

Does anyone have experiences with serving as a software escrow agent? What are legal liabilities of the escrow? We've been asked whether we would provide such a service, but I am hesitant to engage in major liabilities. Any hints very welcome.

Software Escrow Agent is a legal mechanism to protect clients of individual software development from the danger of bankruptcy of the software developer. I am not a legal expert but from what I could find out on the web, the source code is deposited at an escrow agent and the escrow agent testifies that the source code belongs to the software in question.

The latter is the point I am interested in. If there is a case and the source code is actually needed, imagine it turns out it is not the code for the software in question. How is the liability of the escrow agent? In particular, the legal situation in Switzerland would be of interest, but any other country would be interesting as well.

Comments

Typically software escrow services are handled by Notaries (Notar). Most of the time they would limit their responsibilities to hand over the sealed envelope if the conditions (bankruptcy, death etc.) have been proven.
For the testification you run pretty high risk unless you can prove due diligence (im Verkehr erforderliche Sorgfalt). What works relatively well: the developer checks in the versions into a version control system owned by the escrow. The build runs on the escrow machine and the resulting binaries are compared to those of the developer -OR- the resulting binaries are the ones delivered.
Hth
;-) stw

Stephan H. Wissel, 2005-03-21
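
The comparison step described in the comment above (build on the escrow machine, then compare the result with the developer's binaries), as an added example that is not part of the original thread. The function names, directory layout and report fields are hypothetical, and the script assumes the build is byte-for-byte reproducible, since embedded timestamps or build paths would show up as mismatches.

```python
import hashlib
import json
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_builds(escrow_build: Path, delivered: Path) -> dict:
    """Compare the escrow-side build output with the delivered binaries."""
    ours, theirs = manifest(escrow_build), manifest(delivered)
    report = {
        "matching": sorted(f for f in ours if theirs.get(f) == ours[f]),
        "mismatched": sorted(f for f in ours
                             if f in theirs and theirs[f] != ours[f]),
        "missing_from_delivery": sorted(set(ours) - set(theirs)),
        "not_built_from_deposit": sorted(set(theirs) - set(ours)),
    }
    # Verified only if every file matches and neither side has unexplained files.
    report["verified"] = bool(report["matching"]) and not (
        report["mismatched"] or report["missing_from_delivery"]
        or report["not_built_from_deposit"])
    return report


if __name__ == "__main__":
    import tempfile
    # Constructed sample data: two tiny trees standing in for real build outputs.
    with tempfile.TemporaryDirectory() as tmp:
        escrow, dev = Path(tmp, "escrow"), Path(tmp, "delivered")
        for d in (escrow, dev):
            (d / "bin").mkdir(parents=True)
            (d / "bin" / "app.exe").write_bytes(b"same bytes")
        (escrow / "bin" / "lib.dll").write_bytes(b"built from deposit")
        (dev / "bin" / "lib.dll").write_bytes(b"built from other source")
        print(json.dumps(compare_builds(escrow, dev), indent=2))
```

The resulting report, stored alongside the version control revision that was built, gives the escrow agent a record of what was checked and when.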

Thanks, Stephan, that sounds like a pretty decent model.
We've actually been contacted by a notary who wanted someone to testify that the code is the one for the delivered software.
Running the build process on the machine of the escrow agency obviously lowers the liability risk to almost zero. Also it means substantial efforts for the escrow though, if the service is to be offered commercially for all kinds of development environments.

Ragnar Schierholz, 2005-03-21

There are a number of scenarios you can think about. At the end of the day it is a question of risk assessment. How important is the escrow? Depending on that various levels of service could be thought of. The build process at the notary probably is the highest security. The other could be a sealed machine that runs the build either at the developer or (better) customer side. It would pull the data through the version control system on the notary's server. Sealed would mean: Physically locked (get your local safe builders something to do) and a hardened OS where the customer has no access. The resulting binaries would be made available with http or mailed through smtp.
At the end of the day it depends on the value of the deal. Eventually the number of environments you need to provide is quite limited. Very likely Intel base would be sufficient as a first step... and there is VMWare.
:-) stw

Stephan H. Wissel, 2005-03-21
