I sat down this morning with a cup of coffee or four and read through the 43 pages of Oracle’s lawsuit against SAP. It makes for fascinating reading, but I was disappointed to discover that the alleged skullduggery doesn’t quite live up to the hype of the complaint’s memorable first sentence: “This case is about corporate theft on a grand scale, committed by the largest German software company – a conglomerate known as SAP.” “Grand scale” feels like an overstatement, and despite the hint of corporate jingoism in that opening sentence, Oracle doesn’t present any hard evidence that the scheme went beyond one SAP subsidiary in the very American state of Texas.
The story begins in January 2005, when Oracle completed its acquisition of PeopleSoft, a major supplier of enterprise resource planning (ERP) applications and a big SAP competitor. (PeopleSoft itself had recently acquired another large ERP supplier, J.D. Edwards.) That same month, and in response to the Oracle acquisition, SAP bought TomorrowNow, a small Texas firm set up by former PeopleSoft employees that was in the business of providing support to companies using PeopleSoft programs. Buying TomorrowNow (subsequently renamed SAP TN) allowed SAP to get its foot in the door of some PeopleSoft customers, many of whom were unhappy with PeopleSoft’s merger into Oracle. In addition to getting support revenues from PeopleSoft clients, SAP clearly hoped that it would be able to convince some of them to switch to SAP applications – through what it called its “Safe Passage” program.
TomorrowNow’s central pitch was that it could dramatically reduce the ongoing support and maintenance fees that corporations pay to the vendors of complex ERP applications to keep the systems running. Oracle alleges that the reason TomorrowNow was able to keep its fees so low was that its employees broke into PeopleSoft’s customer support website and downloaded the software and documents required to maintain, troubleshoot, and update PeopleSoft software. In other words, according to the suit, instead of developing its own intellectual property, SAP TN simply stole PeopleSoft’s (and hence Oracle’s). As the suit charges:
It was not clear how SAP TN could offer, as it did on its website and its other materials, “customized ongoing tax and regulatory updates,” “fixes for serious issues,” “full upgrade script support,” and, most remarkably, “30-minute response time, 24x7x365” on software programs for which it had no intellectual property rights. To compound the puzzle, SAP continued to offer this comprehensive support to hundreds of customers at the “cut rate” of 50 cents on the dollar, and purported to add full support for an entirely different product line – Siebel [which Oracle acquired later in 2005] – with a wave of its hand. The economics, and the logic, simply did not add up.
Oracle has now solved this puzzle. To stave off the mounting competitive threat from Oracle, SAP unlawfully accessed and copied Oracle’s Software and Support Materials.
In late 2006, Oracle says it noticed anomalies in certain customers’ use of the PeopleSoft support site. In particular, some customers were clicking through the site with “lightning speed” – indicating that an automated program was being used to rapidly scan and copy the site’s contents. Oracle launched an investigation and soon, it says, “discovered a pattern”:
Frequently, in the month before a customer’s Oracle support expired, a user purporting to be that customer, employing the customer’s log-in credentials, would access Oracle’s system and download large quantities of Software and Support Materials, including dozens, hundreds, or thousands of products beyond the scope of the specific customer’s licensed products and permitted access. Some of these apparent customer users even downloaded materials after their contractual support rights had expired.
Oracle says it traced the suspicious activity to an IP address at TomorrowNow’s headquarters in Bryan, Texas:
Although it is now clear that the customers initially identified by Oracle as engaged in the illegal downloads are SAP TN customers, those customers do not directly appear to have engaged in the download activity; rather, the unlawful download activity observed by Oracle and described here originates directly from SAP’s computer networks. Oracle’s support servers have even received hits from URL addresses in the course of these unlawful downloads with SAP TN directly in the name … The wholesale nature of this unlawful access and downloading was extreme. SAP TN appears to have downloaded virtually every file, in every library that it could find.
Oracle charges that “SAP TN conducted these high-tech raids as [parent company] SAP AG’s agent and instrumentality and as the cornerstone strategy of SAP AG’s highly-publicized Safe Passage program.” But the suit supplies, so far as I could see, no evidence that anyone beyond the TomorrowNow headquarters authorized or knew of the alleged “raids.” Oracle does say it has “concerns that SAP may have enhanced or improved its own software applications offerings using information gleaned from Oracle’s Software and Support Materials,” but, again, the suit itself offers no evidence to back up that charge.
Clearly, if SAP TN did what Oracle claims, it at the very least violated licenses and copyrights (though it’s worth remembering that the materials were contained in a public site open to thousands of Oracle customers). If it turns out that the scheme was a rogue operation carried out by a few TomorrowNow employees, it will cost SAP considerable embarrassment and, likely, some cash. If it turns out that it was part of a larger conspiracy of corporate espionage, and resulted in Oracle intellectual property being incorporated into SAP software, that would be a much, much larger problem for SAP. But, as I noted, we don’t have any clear evidence of the latter scenario.
The suit does raise some other issues. Not least is the apparent ineptitude displayed by both companies. If, as Oracle claims, the copying of the materials on its support site caused it “irreparable injury,” one has to wonder why it was so lackadaisical in protecting the site and the materials. By Oracle’s own admission in the suit, gaining access to all the code and documents on the site seems to have been almost farcically easy:
In many instances, including the ones described above, SAP employees used the log-in IDs of multiple customers, combined with phony user log-in information, to gain access to Oracle’s system under false pretexts … These “customer users” supplied user information (such as user name, email address, and phone number) that did not match the customer at all. In some cases, this user information did not match anything: it was fake. For example, some users logged in with the user names of “xx” “ss” “User” and “NULL.” Others used phony email addresses like “firstname.lastname@example.org” and fake phone numbers such as “7777777777” and “123 456 7897.”
You’d think a big, sophisticated software company like Oracle might have been able to write some code that would sniff out “7777777777” as a suspicious phone number or “email@example.com” as a fake email address. Weak security doesn’t exonerate theft, of course, but it does seem to undercut Oracle’s claims about the value of the contents of the site.
As for the alleged SAP TN trespassers – jeez, guys, couldn’t you have at least tried to cover your IP tracks a little bit? They were so blasé about getting into and copying the site, that you might almost think that such shenanigans are common in the enterprise software business. (One imagines that, as SAP prepares a response to the suit, it is rushing to comb through its own support site logs for any evidence of activity by Oracle employees.)
Finally, the vast quantity of patches, updates, and explanatory documents that were taken from the Oracle support site gives eloquent if unintended testimony to the enormous complexity of traditional enterprise software – and goes a long way toward explaining why so many companies have been eager to explore alternatives like open-source programs and the delivery of applications as services over the net. Maybe some day software support sites will be simpler affairs representing much less economic value – and hence providing a much less tempting target for pilfering.
UPDATE: Michael Hickins, of Internet News, examines some of the legal ramifications of the suit:
Eric Goldman, director of the High Tech Law Institute at the Santa Clara University School of Law, said that if allegations in the complaint are true, “then SAP is in a world of trouble.” According to Goldman, by law, each instance of copyright infringement costs the guilty party $150,000; Oracle has claimed that there are 10,000 such instances, but even if it can only prove 500 instances, that still amounts to $75 million. And that’s only the beginning. If found guilty, SAP would not only have to disgorge all of its “ill-gotten gains,” but reimburse Oracle for its losses. Given the extent of these claims, if true, the U.S. Department of Justice could step in as well and begin criminal proceedings.
I’m not a lawyer, nor do I play one on the Internet, so I have no way to evaluate Goldman’s assessment, but it does suggest that the suit’s stakes may be high.