As the public cloud services market continues to mature and grow – up from $178bn in 2015 to $209bn in 2016 according to research company Gartner[1] – the concentration of computing resources into cloud data centres is increasingly attracting the attention of NPEs as a target for patent litigation. At a time when data security and privacy risks are front of mind for cloud service providers (CSPs) and their users, the intellectual property (IP) risks to cloud service availability posed by NPE patent claims are rising up the business agenda.

NPEs (Non-Practising Entities) are businesses that assert patents through litigation to achieve revenues from alleged infringers without practising or commercialising the technology covered by the patents they hold. NPEs are uniquely well placed to monetise their patents at each stage of the litigation cycle. They have access to capital and all necessary forensic and legal resources; and an NPE doesn’t practise its patents so is immune to a counterclaim that a defendant might otherwise be able to bring against a competitor, or a cross-licence that the defendant could otherwise offer.

NPEs’ activities may attract attention as arbitraging the patent system, but that is to miss the point: the defendant in a patent claim brought by an NPE generally has an unattractive real-world choice between the cost and distraction of litigation and the cost of settlement which, whilst low in relation to likely litigation costs, is high relative to the perceived merits of the claim.

Although the number of patent litigation cases filed in the USA has declined from a high point of 6,500 in 2013 to 5,600 in 2015, this is still almost double the 3,000 or so launched in 2009, and correlates fairly steadily over the last few years at around 2% of US patents granted[2]. With claimant success in US jury trials running at over 70% and legal costs and time-to-trial (2½ years on average) increasing, PwC in its 2016 Patent Litigation Study notes that ‘NPEs still carry a big stick’, with damages awarded in NPE cases three times greater than for other claimants.

According to the PwC report, software ranks in the top 5 US industries for patent claims, with NPE claims accounting for half the total. Whilst recent US cases[3] have made it more difficult to patent and enforce computer-implemented inventions, cloud-based software patent litigation is increasing: NPEs appear to have doubled down over the last five years, acquiring more cloud patents for their armoury as well as filing more patent cases.

From the NPE’s standpoint this makes sense. Claiming that software in the CSP’s PaaS (Platform as a Service) or IaaS (Infrastructure as a Service) infringes the NPE’s patents can be an efficient way to threaten alternative objectives: the CSP risks an injunction stopping it from using the software that embodies the patented technology; and the CSP’s customers using that software also face disruption as they may be liable both for their own workloads and for their CSP’s infringing code that they use.

In fact, there is anecdotal evidence to suggest that claimants may prefer to claim against a CSP’s customers rather than the CSP itself. Australian patent holder Global Equity Management SA (GEMSA) was reported in February and June 2016 to have sued a number of Amazon Web Services (AWS) customers[4] for infringement of GEMSA’s visualisation and virtualisation patents.[5] The CSP customers in the GEMSA litigation are large, IP sophisticated companies, but most CSP customers usually will have less experience of cloud IP, will be eager to settle to make the claim go away and (unlike the CSP itself) will have little interest in solving the problem for others.

This last point is borne out in the GEMSA litigation where AWS is reported[6] to have claimed against GEMSA in July 2016 seeking invalidity of two of GEMSA’s patents, noting in its claim that “GEMSA has specifically targeted technology of AWS” and that AWS has “a direct and substantial interest in defeating any patent infringement claims relating to AWS services identified by GEMSA in its complaints and infringement contentions.”[7]

From the CSP’s standpoint all this is bad enough, but software patent risks are further exacerbated by increasing use of open source software (OSS) in the cloud. OSS, long in the mainstream, now commonly powers cloud computing systems. OSS developments are created by communities of individual developers. With no single holder of software rights, patent infringement issues are unlikely to be top of mind, and if they are, developers will generally lack the resources to help them navigate the risks. Compare this with a corporate developer of proprietary software who holds all the rights to its technology and has both the incentive to address patent infringement risks and the legal and technical resources to do so. The rub is that, simply because they are open, OSS developments and communities are easier targets for NPEs than proprietary software as they don’t need to go to the same lengths to discover potential infringement. The softness of the target increases risk for CSPs using OSS and their users.

Cloud software patent risk is evident and growing, so it is perhaps surprising that it has figured so little in the register of perceived risks up to now, especially when data protection, privacy and information security figure so high. Yet an unsettled cloud software patent claim runs risks to cloud service availability that are arguably of the same order as information security risks.

The reason why cloud computing IP risks have had little public airing so far is probably that, while implicitly acknowledged, they have yet to be thoroughly expressed and articulated. For example, in UK financial services, now one of the most heavily regulated sectors, cloud computing is treated as outsourcing and in its cloud guidance, the FCA (Financial Conduct Authority, the UK regulator) states that regulated firms should:

“identify and manage any risks introduced by their [cloud] arrangements. Accordingly firms should carry out a risk assessment to identify relevant risks and identify steps to mitigate them, document this assessment, identify current industry good practice … assess the overall operational risks, monitor concentration risk and consider what action it would take if the provider failed ….”[8]

IP risks are not called out expressly but this is clear guidance that firms must identify, assess and plan for all relevant risks including service availability failure, which could of course crystallise due to IP risks.

NPEs are arming for offensive patent action in the cloud, stocking up their armouries and probing for weakness and opportunity. Cloud software patent risks have emerged on to the business agenda and are likely to become increasingly prominent for CSPs, cloud users and regulators alike.