SAP Has Bad News in Oracle Lawsuit, But Tries to Bury It

By Eric Goldman

Oracle Corp. v. SAP AG, Case No. 07-CV-1658 MJJ (N.D. Cal. answer filed July 2, 2007)

You’re an international corporate giant with some bad news in a high-profile case that you want to bury. What do you do? One possibility: hold a press teleconference for 11 pm Pacific on July 2–just late enough to miss the newspaper deadlines for July 3, so the news will effectively break on the July 4th holiday. Genius!

But SAP does have lots of bad news in its Oracle lawsuit, and it substantially undercuts SAP’s initial claim that it was going to defend this lawsuit aggressively. After all, it’s hard to be aggressive when your hand has been caught in the cookie jar, and SAP admits that its wholly-owned subsidiary TomorrowNow (TN) engaged in some unambiguously rogue downloading.

Worse, with respect to the downloads that SAP claims weren’t rogue, SAP’s main defense is doomed to fail as well. SAP argues that TN’s customers authorized it to download the materials on their behalf–what I call a “proxy defense,” i.e., we were just a proxy for our customers’ legitimate behavior. Unfortunately, there is typically no proxy defense for most types of claims–certainly not for claims like trespass to chattels or the Computer Fraud and Abuse Act, and usually not for copyright infringement either. In other words, Oracle can control the manner and means by which people access its servers, so even if it permits its customers to access the site, that permission isn’t automatically extensible to third parties acting on the customers’ behalf. Indeed, Oracle expressly precluded such behavior in some cases.

As a direct-on-point example, see the lawsuit by Facebook against ConnectU for grabbing data from Facebook’s servers. ConnectU said that Facebook’s users gave their credentials to ConnectU and asked them to get the data on their behalf. This permission did not change ConnectU’s relationship to Facebook, which had expressly said that third parties couldn’t use its servers to engage in the behavior ConnectU was doing. Thus, the court held that ConnectU trespassed Facebook’s chattels. I could cite dozens of other examples where the proxy defense fails. It isn’t likely to succeed here either.

Even worse still, SAP announced that the DOJ is probing the matter. As I said earlier, this could be a serious criminal matter. There remains a serious risk that people will be prosecuted here.

From my perspective, given SAP’s admissions, the only open Qs are:

1) How big of a check will SAP/TN write to Oracle?

2) After checks are written and injunctions are issued, will TN survive this lawsuit? Or, will SAP “burn” its limited liability subsidiary to insulate the larger enterprise?

3) Will this lawsuit degrade SAP’s ability to position itself as an ethical competitor?

4) Will anyone be going to jail?

Some other observations:

* I find it remarkable that some analysts have downplayed–and continue to downplay–the import of this lawsuit. Oracle’s allegations go far beyond day-to-day ethical competition.

* On that front, SAP’s materials implicitly suggest that SAP knew of TN’s behavior but tried to insulate itself from information gathered by TN. At best, this suggests SAP engaged in willful blindness. As a result, even if no SAP employee took the rogue actions, SAP may not be able to avoid responsibility.

* In an effort to provide faux transparency, SAP launched a lawsuit portal. It’s nice to have this resource, but a real portal would provide a complete repository of the relevant documents, including Oracle’s complaint. And if SAP wants to foster real transparency, it should provide explain in full detail exactly what behavior it admits was rogue.

UPDATE: TN appears to be losing business from the lawsuit. And SAP’s CEO seems to think this whole problem could have been handled with a phone call from Oracle to him instead of a lawsuit.