We saw a few weeks ago that Quest Software have taken Nike to court over their refusal to settle up for license non-compliance discovered during an audit (article here).
Nike have submitted a counter claim and it is full of very interesting details, many of which can apply to the wider ITAM community. In particular, it helps highlight the difference an audit defence strategy, and managing the audit process, can make to the amount of money on the table for a non-compliance settlement.
Size of the bill
Nike reveal that the bill presented to them by Quest was $15,646,191.55 – that’s 68,210 pairs of Jordan XXX2 “All Star MVP” trainers.
Nike have countered and said that in fact they owe Quest just $348,664.74 – a 98% reduction.
Why so different?
Quest stated their final total included:
- Four years of interest calculated on the Oregon prejudgment interest rate of 9%
- Charges for licenses for access to freeware and trialware versions of Quest software
- One year of maintenance
- A multiplier of three times applied to alleged use by NIKE of “pirated software.”
- Licenses for everyone with access to servers running Quest software, not just actual users.
Nike rejected the claim because:
- It was based on all potential users, rather than actual users
- Nike were not required to pay interest
- Nike did not have to pay for free/trialware, or limit where it was used
- Nike were not subject to multipliers
Nike offered to pay the lower amount in September 2017, but Quest rejected the offer.
The shoe giant goes on to say that they “continued in good faith to attempt to resolve this dispute over the subsequent months and responded promptly to Quest’s additional requests for information” but Quest refused to withdraw their initial claim.
Crux of the argument
The size of the bill centres, in part, on the definition of unauthorised users in Nike’s SLSA (Software License and Service Agreement) with Quest. A large part of the cost is for licenses to cover users who “could” access Quest software, regardless of whether they did or not; a concept familiar to anyone who has looked to license Microsoft desktop applications in a Citrix environment.
Nike state they have:
“…not agreed, under the SLSA or otherwise, to pay for licenses for Quest Software for persons or systems who could theoretically access the Quest Software, but who do not actually use the software”
And go on to point out that:
“People legitimately need to access these servers, but have no need to run Quest software – for example “NIKE’s cyber security and forensics professionals”
A situation that will be common to many organisations worldwide.
Looking at section 12 of the SLSA, the audit clause between Nike & Quest states:
“In the event that an audit conducted as set forth herein discloses that Licensee has caused or permitted access to or use of the System by persons or entities that are not authorized under the terms of this Agreement to such use or access, Licensee shall pay Quest the underpayment, in the amount of the negotiated fee applicable to the particular Software Product or Product to which unauthorized access was permitted, for all such unauthorized users”
It seems Quest are relying on the language that states:
“permitted access to…the System by person…not authorized…to such use or access”
to make their claim that Nike are liable for all potential users based on system access.
Nike, however, are arguing that the clause simply states they must pay for:
“All unauthorized users”
And that the “ordinary meaning of user” is a person or machine that has actually:
“caused a Quest Software program to be executed so as to perform its intended function”
Thus, meaning they are liable only for direct users – not including those who accessed the servers for other purposes.
Quest’s original suit claims that “Nike…used pirated keys to circumvent the Quest License Key System.”
Nike deny this outright.
It is clear that Nike are not going to take this lying down and they certainly seem to be up for a fight. They completely refute many of the allegations, such as that they used pirated keys, and they have included a list of reasons in contradiction of Quest’s claims, including:
- Claims for copyright infringement and DMCA violations are invalid because Quest elected that their sole remedy for claims against Nike would be the contractual remedy as per Section 12 of their SLSA agreement.
- Nike offered payment for all amounts due for unauthorized access, but they refused.
- Quest has failed, refused, and/or neglected to take reasonable steps to mitigate Quest’s alleged damages,
- Some of the offences Quest are claiming violate the DMCA occurred outside the US, so the court has no jurisdiction.
- Quest’s conduct, including its predatory audit practices, constitutes copyright misuse
- Quest lacks valid registrations of copyrights alleged in the Complaint.
- Quest’s claims are barred, in whole or in part, because Quest expressly or impliedly licensed NIKE to make the uses of the Quest software products alleged in the Complaint, subject only to payment as required by the SLSA
- Quest’s claims against NIKE are based on bad faith and are barred by the doctrine of unclean hands, bad faith and wrongful conduct
- NIKE is not liable for any alleged actual damages because Quest has not suffered any actual damages attributable to the conduct alleged in the Complaint.
- statute of limitations
- (Failure to Comply with 17 U.S.C. § 412) Quest’s alleged copyright registrations for its alleged copyrightable works were not made within three months after first publication and Nike used them straight away – before they were registered.
Additionally, Nike have put arguments based on the agreements of other Quest customers and precedent set in previous Quest audit lawsuits.
Reference to other agreements
Nike entered into an SLSA with Quest in 2001 – which appears to be a non-standard agreement.
Nike say it “does not restrict NIKE’s ability to download and use evaluation, trialware, or freeware versions of Quest Software, whether in production or non-production environments”, nor does it “restrict NIKE from using license keys or other license access devices not obtained from Quest to access and use Quest Software”.
This is based on the absence of clauses to the contrary – if Quest didn’t want them to do it, they would have specified this in the agreement. Nike point out that agreements between Quest and other customers DO expressly prohibit these activities, which they claim lends weight to their position that omission is permission.
For example, Nike submit a copy of a 2012 “Master Product Agreement” between Quest and World Fuel Services Corporation which states that evaluation software may only be used in non-production environments and has a time limit of 30 days use. The World Fuel Master Agreement also specifies that:
“Customer may not use any license keys or other license access devices not provided by Quest, including but not limited to ‘pirated keys,’ to install or access the products”
Again, this clause is missing from the agreement between Quest and Nike.
Nike also present judgements from the 2011 lawsuit “Quest Software Inc. v. DirecTV Operations, LLC”, when Quest sued DirecTV in a similar manner and use this to show that license over-deployment does not warrant a copyright infringement claim. Even if the contract breach claims go ahead, Nike are seeking to remove the copyright infringement element and the extra potential damages that makes available.
Importance of audit defence
It appears Nike made at least 2 mistakes when it came to the audit process itself:
- Allowing the auditors seemingly carte blanche access to their systems
- Not checking what the auditor’s scripts did
Nike’s court documents show they:
“provid[ed] Deloitte with access to NIKE’s systems and databases” and “permitted Deloitte and Quest to run (their) scripts on NIKE’s systems and databases and to receive the corresponding inventories of users.”
And, once they received the reports from Quest – with the large non-compliance figures, “NIKE realized…the “scripts…were not designed to inventory users of Quest Software on NIKE systems…(but were)… intentionally designed to inventory all persons or machines which had the right to access servers on which Quest Software programs were stored, without regard to whether such persons or machines ever actually used a Quest Software program”
At this point, Nike performed its own inventory to determine “the number of users who had actually run a Quest Software program but for whom a license had not been purchased”.
This all helps illustrate the importance of having a pre-defined Audit defence playbook and making sure it is followed. Performing internal “mock” audits is key to understanding your licensing position with a specific vendor and it is vitally important that you know this before entering audit negotiations.
Ideally, Nike should have verified the scripts first and confirmed they would only produce required data. Even then, they should have run the scripts themselves and checked the data produced before handing it over to Quest/Deloitte.
Support & Maintenance
Another interesting point in this case is the importance of support and maintenance, and how it is being used as a bargaining chip by vendors.
On December 28, 2017, Quest informed Nike they would not renew any of their maintenance as they were “in the middle of an active compliance…process”.
Quest’s support and maintenance:
- updates and enhancements to software (including those made necessary by changes and upgrades to the underlying Oracle database software)
- security improvements to protect against hacking, malware and other outside threats
- support where problems are encountered in operation of Quest Software
Nike point out that “Quest is aware of the importance of its maintenance and support services to its…licensees” and in fact Quest’s marketing positions these services as a “vital aspect of its software and a reason for choosing Quest over its competitors”.
It is reasonable to assume that Nike’s databases are extremely important to Nike, that they are a large profile organisation attractive to hackers and malware creators, and that the Quest software forms a key element of their database infrastructure – and thus that the stability and security of the Quest products is integral to the stability and security of the overall database environment. Therefore, by refusing to offer support and maintenance until the $15 million bill was settled, it could be said that Quest were trying to force their client’s hand to pay an inflated bill.
Nike offered to pay the $348,664.74 they felt they owed for being under licensed – as per section 12 of their SLSA – and so believe Quest were not entitled to refuse maintenance. Nike claim being denied support means they are “injured” due to lack of access to product updates and lack of protection against hacking, malware etc. and so Quest must make remedy for that.
Bad faith and unclean hands
Nike contend that Quest’s refusal to renew support and maintenance was done in bad faith to force Nike to pay amounts “not due” to Quest – the software equivalent of a loan shark threatening to break someone’s legs if they don’t pay up.
The clean-hands doctrine states that someone who violates “equitable norms” cannot then make a claim based on the law of equity. For example, in “Morton Salt Co. v G. S. Suppiger”, the patent holder had used their patent to unfairly restrict competition and thus he was denied “equitable relief” in a subsequent case. Basically, if your claim comes about because you did something unfair – such as over stating the amount of non-compliance to increase fees, you can’t complain when someone does something unfair to you on a related matter – such as refusing to pay that inflated amount.
Acting in bad faith is seen as violating these equitable norms and Nike posit that Quest have performed such bad faith acts by:
- Withholding support and maintenance
- Disregarding the terms of its license agreements with licensees
- Deliberately designing the audit scripts to report “improper” over-deployment
- Demanding payment of an amount some 45 x what Nike believe is the proper sum
- Refusing to accept payment when offered
- Claiming licensees must pay for freeware & trialware versions of software
- Demanding payments over the published list prices
- Threatening DMCA/Copyright claims
Nike also state they believe that the new owners of Quest are using audits, and bad faith tactics, to quickly increase value and profitability of the company. It is interesting to note that the venture capital firm who now own Quest were former owners of Attachmate – another organisation known for its aggressive audit tactics.
What Nike are asking
The Court should therefore issue an order “declaring, determining and adjudging” that under the SLSA:
- NIKE’s obligation to pay Quest for over deployment of Quest Software is to be calculated on the basis of actual unauthorized users of that Quest Software;
- NIKE is not required to pay Quest for use by NIKE of freeware or trial versions of Quest Software;
- NIKE is not required to pay interest to Quest on amounts determined to be owed by NIKE to Quest for over deployment of Quest Software under Section 12 of the SLSA;
- In calculating any amounts due to Quest for over deployment of Quest Software, the license price to be used for the calculation is the negotiated fee applicable to the particular software program, whether or not the license key or other device used to gain access to that program was supplied by Quest;
- Quest’s sole and exclusive remedy for over deployment (including that involving trialware, freeware, and license keys and other access devices not provided by Quest) is payment by NIKE of amounts determined in accordance with Section 12 of the SLSA; and
- Quest is required to provide and renew Maintenance Services to NIKE in accordance with Section 6 of the SLSA
Nike say they haven’t breached contract, but Quest have by refusing support.
This is a very interesting case which, if taken all the way to judgement, could have an impact far outside this individual case. Having a court rule on points such as:
- The definition of a “user” when it comes to under-licensing
- What limitations can be applied around trial versions of software
- Whether support and maintenance can be withheld for non-payment
Could have far reaching effects across the industry, with other vendors’ practices being brought into question too.
I would expect Quest will make an out of court settlement offer, to prevent such a ruling taking place; that way they can continue these practices with other organisations in the future.
Nike have been very firm in their response, so perhaps an out of court settlement is unlikely. That said, with such a large potential bill on the cards, a reduced settlement may be attractive to Nike to draw a line under the episode.
I will certainly be keeping an eye on this case and writing up further developments. If you’ve got any thoughts on this and/or experience with Quest – get in touch.
A Northerner renowned for his shirts, Rich is a big Hip-Hop head, and loves travel, football in general (specifically MUFC), baseball, Marvel, and reading as many books as possible. Finding ways to combine all of these with ITAM & software licensing is always fun!
Connect with Rich on Twitter or LinkedIn.