Software Escrow Specialists Since 1974

The Verification Trap

What is the point of having source code in escrow if it has not been verified as complete and authentic?

That is the question many escrow agents ask before suggesting that they, a supposedly independent third party, should do the verification. At first glance, it all seems fairly reasonable, but on closer inspection the warts begin to show.

When a licensor deposits Product X Rel 1.23 into escrow, he should swear a certificate in writing by a responsible individual that indeed the source materials lodged with the escrow agent are complete and authentic. But when the escrow agent urges you to hire him to verify somethng that the licensor has already certified, the escrow agent, by implication, is asking you to conclude two things:

    (a) that he is more competent than the licensor to decide the matter of completeness and authenticity, and
    (b) that he is more honest than the licensor who, for some unspecified reason, might swear a false certificate, whereas the escrow agent would not.

As to the first of these conclusions, the escrow agent is a complete stranger to the software and will simply hire an outside consultant to climb a steep learning curve, the massive cost of which will land on your shoulders, and will most likely deliver a report full of reservations and qualifications. A simple yes or no is unlikely.

As to the second conclusion, it is arrogant to the point of insult.

Let us turn now and examine the possible consequences to the licensor.

Source code might be protected by patent or copyright, but the real protection comes from the law of trade secrets, which states that the law will protect your secret information only if you keep it secret. Putting that another way, the more people who know the secret the weaker the legal protection becomes, until at some point the information is deemed to be public.

While a well drafted non disclosure agreement signed by the outside consultant would probably satisfy a judge that the trade secret had been properly protected, there is a less obvious but much greater risk from another direction. When a potential future buyer of the licensor's business performs due diligence he looks for warts before signing the check. Unlike a judge, that buyer is not governed by legal rules and the balance of probabilities. He is simply looking for ways to knock down the purchase price of the licensor's business - and what better way than to create a doubt that the trade secret (probably the core asset of the business) is out of the bag because the escrow agent and an outside consultant have seen it, and therefore the licensor at best is selling damaged goods. Also, the attorney who fails to warn his client about the risk associated with this method of verification might find himself facing a malpractice claim.

Then how should a source code deposit be verified?

Over the past thirty years we have found several ways, none of which required intrusive participation by us or third parties. Some are pre-deposit and others are post-deposit depending on the situation, but they all protect trade secrecy while allowing proper verification, and do so with little or no fee to the escrow agent or others. But more importantly, we know our verification procedures work because in all that time we have never had a release of escrow materials that proved false or deficient.

If your escrow agent is pressing to be hired for verification, beware of the trap, and find another escrow agent.