Software as a Service (SaaS) – and the Implications for Intellectual Property
August 2021
Introduction
Software as a Service (SaaS) is an umbrella term for applications that are provided, hosted and maintained on a server by a third party that customers must access remotely over the Internet. SaaS is one of the concepts now covered under the broader field of “Cloud Computing” (Rouse 2012). Examples of popular SaaS applications available today include the Google suite of products such as Google Docs and Gmail, and even Facebook and Twitter.
The concept of SaaS is not new, with mainframe systems providing a similar business model as early as the 1960s, and famous computer scientists of the era such as John McCarthy predicting the future rise of cloud computing (Childs 2011). However, the increase in the use of the SaaS business model in recent years has led to a collision between the business goals of service providers and the Intellectual Property (IP) rights of their users.
What is Software as a Service (SaaS)?
“Computation may some day be organised as a public utility.” Computer scientist John McCarthy – During a speech to MIT students in 1961.
Typically, a SaaS product will consist of a centrally hosted server-side application, of which there is essentially one instance, and a client-side application, which each customer runs on their own computer. The clients all connect to the same server. The client application usually provides only the functionality required to accept user input and display the application output to the user. The bulk of the application’s logic is executed on the server. The most common form of SaaS client-server application delivery is to access the service via a web browser, with the centralised component hosted on a web server (Singleton 2019).
Examples of popular SaaS applications include the Google suite of tools such as Google Docs, Google Drive, Gmail, Google Maps, and so on. In these cases, the bulk of application logic, data storage and processing occurs on the Google servers. Without access to the Google servers, the client components of these tools either have severely reduced functionality, or do not work at all.
A typical web application delivered in the SaaS way might be hosted centrally on a web server, with a web browser on the customer's local PC acting as the client interface. The web browser component provides enough functionality to display the user interface and accept user input via HTML (utilising software technologies such as HTML5, CSS3 and JavaScript), while the application logic and storage are all handled server-side (utilising an Apache web server, the PHP language and a PostgreSQL database, for instance).
SaaS provides many advantages, including:
- Upgrades to the server application are available immediately to all clients, without necessarily having to update each client application individually.
- SaaS eliminates the need for organisations to maintain applications on their own servers, which removes the costs of hardware and employing administrators.
- Reliance on third parties for software security. This can be an advantage if the third party operator has better cyber security expertise and capabilities than the client organisation.
- SaaS can provide a flexible rent-based ongoing payment structure to access the service, which can be more attractive to customers than paying a larger amount to own the software outright.
- SaaS offers excellent scalability, with customers being able to use as much or as little of the service as they require, and to change their level of demand on the service at any time.
- SaaS makes the application highly available, as it is typically delivered via the Internet and can be accessed from any location in the world at any time.
Disadvantages of SaaS include:
- Reliance on third parties to deliver and maintain the service. If the service owner fails to continue to support and maintain the application, or goes out of business, the service may become unusable.
- Reliance on third parties for software security. This may be a disadvantage if the provider does not address security issues adequately.
- Availability issues may compromise functionality. For instance, if the service becomes unavailable due to an issue with the servers or internet connectivity, then the application will be unusable.
- SaaS also involves many potentially negative copyright and intellectual property implications.
Implications of SaaS for Copyright and Intellectual Property
“With SaaS, the users do not have even the executable file that does their computing: it is on someone else's server, where the users can't see or touch it. Thus it is impossible for them to ascertain what it really does, and impossible to change it.” Richard Stallman, Free Software Foundation (Stallman 2010)
SaaS and Software Piracy
SaaS provides a level of protection against software piracy that is impossible to attain under the traditional software distribution model. SaaS allows the software vendor to retain absolute control of the software’s code, by preventing access to it and only allowing customers to interact with the application’s functionality. In this way, there is no copy of the software that pirates can obtain or distribute. In addition to this, the “service” component of SaaS is an important part of the overall product. Even if customers could obtain an illegal copy of the application, they would have to host it themselves and then would lose many of the benefits afforded by the SaaS model such as reduced hardware costs, reduced administration costs, global availability, and so on.
The centralisation and large community of users accessing a single SaaS application is also a benefit that would be lost if a customer used an illegal copy instead. Imagine obtaining an illegal copy of Facebook’s application code and hosting your own instance. One major benefit of using the genuine social media platform is that it has billions of monthly active users (Noyes 2019), which is something only the genuine Facebook service can provide.
SaaS and the Control of Intellectual Property
Security
The nature of SaaS means that a third party hosts the application remotely on servers some distance away from the customer’s location, often in an entirely different country. The key implication for intellectual property rights is that the customer’s data (their intellectual property) is also hosted remotely by the third party.
For instance, in the case of Google Docs, customers using the service have their written documents stored on Google’s servers. These documents may contain IP as benign as shopping lists, or as valuable as copies of software code in development, an author’s book manuscripts or movie scripts, commercially sensitive research data, patient medical records, or even government secrets.
While SaaS providers typically make assurances about the safety of the data, it can be argued that outsourcing security of valuable IP data is an unacceptable risk. SaaS providers can make mistakes, be negligent, or simply be unable to prevent customer data being compromised even if they employ industry-best-practice security measures.
According to DiGiacomo (2018), there were as many as 115 monthly publicly reported successful cyber attacks globally on major businesses as far back as 2018. The number of attacks that went undetected, or that have not been made public, is surely much greater.
Customers who make use of SaaS and are concerned about the security of their data must be willing to trust a third party with that security. And yet, even major well-funded organisations with expertise and enormous security resources at their disposal have proven to be vulnerable to cyber attacks.
Ownership and Control
One of the most troubling aspects of the rise of SaaS is the potential loss of control over intellectual property (Stallman 2010). As customers host more and more of their IP on remote servers controlled by third parties, they are at the mercy of the End User License Agreements (EULA), service contracts, as well as the whims and goodwill of those third parties.
These contracts vary significantly between services and providers. They can range from allowing the customer to retain all rights to IP uploaded to the service, all the way up to the customer signing over the entirety of rights of their IP to the service provider. Often customers will not read the contract terms when using a SaaS application, and may not be aware of what IP rights they have signed away by doing so.
Even after agreeing to the terms imposed by the SaaS provider at the time the customer first uploaded their IP to the service, the contractual conditions governing the ownership of a customer’s IP may later change. Typically the service provider is required to notify customers of contract changes, but may not always do so. The customer may be bound by these changes without consent or confirmation, depending on the nature of the original contract, and specifics of law in the jurisdiction that governs the contract.
Even if the customer is notified of service contract changes that affect their IP, and rejects them, there is often no guarantee that the customer will be able to remove all their IP completely from the service, or be able to easily move their IP to another service. Vendors of SaaS applications have little incentive to make it easy for a customer to move their data to a competing platform.
An additional concern for SaaS customers is the location of hosted data. Due to the global nature of the internet and SaaS applications, a customer’s IP may end up being hosted in any number of jurisdictions outside their country of residence. For this reason it is not always clear to customers which legal jurisdictions their IP may be held in, or what jurisdictions may apply if legal proceedings are brought against the application provider.
This legal ambiguity can have serious consequences when a customer’s IP is accessed outside their home jurisdiction and used in a way they do not authorise. This could occur if the SaaS provider is forced to comply with legal orders from a foreign government, or if the provider itself uses weak IP and privacy law in a specific jurisdiction to gain access to the data legally to use for purposes the customer did not originally agree to. This may include uses such as harvesting data from the customer’s IP for advertising purposes, on-selling it to other third parties, etc.
Users accessing a typical social media web application, such as Twitter or Facebook, may upload video, images, or text messages. Text content, even something as informal as text chat messages, still counts as a customer’s IP. While text may appear to have little value when compared to IP such as artwork, images, video and so on, these messages may still be valuable to access for market research and advertising purposes. A company providing a text chat service may be interested in harvesting chat content for keywords and key phrases to help them build profiles of users to either target advertising at those users, or to on-sell data about the users to a third party. Web applications typically have clear definitions in a user contract about what constitutes a customer’s IP, and what rights the provider has to access and on-sell that IP, or data derived from it.
Providers such as Google have gone to great lengths to try to reassure their customers of the security of their IP, with the company having announced it had its Google Drive SaaS application verified by Ernst & Young to ensure it complies with the ISO 27018 privacy standard. Google maintains that this proves its customers’ IP is absolutely private and will not be accessed for the purposes of harvesting targeted advertising data (Kapko 2015).
Conclusion
Despite assurances from some of the biggest SaaS providers in the world, such as Google, Facebook, Twitter and Amazon, the protection of their customers’ IP rights (including rights of ownership, privacy and security) continues to be a point of contention.
While the contract put in place at the time a customer signs up to a SaaS service may promise adequate protection, providers can fall short of these promises or change the terms of the contract at a later time, often without the customer’s consent or knowledge. Even the biggest SaaS providers have been known to change contract terms, or have been shown to be vulnerable to security breaches, as any internet-connected service always will be.
Questions of jurisdiction in the global SaaS marketplace can lead to ambiguity about where and how a customer’s IP is stored and protected, exposing them to the possibility of their IP being accessed without their permission in an otherwise legitimate and legal manner, such as by state actors ordering a SaaS provider to hand over a customer’s IP via a court order.
These considerations must be foremost in the minds of any individual or organisation looking to migrate their IP and business systems to SaaS platforms. While the advantages of reduced cost, greater availability and accessibility may be highly attractive, the implications for IP rights are dire.
Bibliography
Childs, M. (2011). “John McCarthy: Computer scientist known as the father of AI”. The Independent. https://www.independent.co.uk/news/obituaries/john-mccarthy-computer-scientist-known-as-the-father-of-ai-6255307.html
Kapko, M. (2015). “4 out of 5 Google for Work customers avoid Google Drive”. CIO Website, IDG Communications, Inc., USA. https://www.cio.com/article/2985352/4-out-of-5-google-for-work-customers-avoid-google-drive.html
Rouse, M. (2012). “Software as a Service (SaaS)”. Techtarget Website. https://searchcloudcomputing.techtarget.com/definition/Software-as-a-Service
Singleton, D. (2019). “What is SaaS? 10 FAQs About Software as a Service”. Software Advice Website, Software Advice Inc. https://www.softwareadvice.com/resources/saas-10-faqs-software-service/
Stallman, R. (2010). “What Does That Server Really Serve?”. Boston Review, USA. https://bostonreview.net/richard-stallman-free-software-DRM
Ashley Flynn – Games and Simulations Software Engineer Portfolio and contact – https://ajflynn.io/