The Denial Stage
The denial stage
Yet, a majority of these software vendors are still in denial that piracy of their software represents a real revenue threat. In my experience, when they are presented with evidence of increased activity at the piracy group level, product management and licensing representatives are more apt to pursue strategies that target the piracy groups themselves. This can often manifest itself in the protection or hardening of the licensing management routines embedded in their software products, or by taking legal action against the piracy groups.
A protection strategy may make sense in certain scenarios:
Scenario No. 1: The software application is developed in Microsoft .NET and therefore the Intellectual Property (IP) within it is exposed to reverse engineering.
Scenario No. 2: A new licensing system has been implemented and early protection of the approach may limit easy "class break" cracks from being created by the piracy groups (for example, key makers).
Scenario No. 3: The application is an appliance or runs on an embedded operating system. Here, software and hardware protection would be combined to maximize effectiveness of the protection without impacting the customer experience.
However, there is increasing evidence to suggest that piracy groups or the piracy scene may only be indirectly responsible for revenue loss attributed to piracy and, therefore, not an ideal primary target in an anti-piracy strategy. The piracy scene has long stated that it releases software for fun or to compete with other groups-not to profit by them. But the cracked software they distribute makes its way to the P2P, Web and merchant sites that profit from their sales.
There are vendors that have gone through the early stages of an anti-piracy response and evolved to the "realization" stage. They have selected strategies that focus on gathering BI on piracy use and methods to identify organizations using that software. Ultimately, the "piracy problem" is only a problem if legitimate businesses have adopted it. This is evident in Microsoft's use of its Software Protection Platform in Vista. Following its implementation, Microsoft claimed it recovered $164 million in one quarter using a combination of reporting and licensing validation technology.
The realization stage
In the realization stage, vendors strategize on how to quantify pirated use and create business leads from pirated software adoption. They ask questions such as, "If we could stop the pirated software from being available, how does it relate to our sales (or viral marketing) strategy in a region or to our competitors' growth?"
A technology response may take the form of "phone home" or automatic software auditing approaches that are only triggered when pirated use is detected and that collects enough information to identify an organization. Armed with this level of data, the vendor can pursue organizations directly for license revenue or leverage the BI to extend partnerships in specific regions with high piracy rates.
Although it may be difficult to categorize all software vendors and their anti-piracy responses, before selecting any response or deciding on a specific piracy strategy, vendors must first measure and quantify just how large and wide their problem is.
Victor DeMarines is VP of Product at Vi Labs. Victor brings extensive product management and marketing experience in the security industry to his current position at Vi Labs. Most recently, Victor was a senior product manager at RSA Security, where he drove product strategy for the company's strong authentication, smart card and enterprise single sign-on client products.
Prior to RSA, Victor was the director of product management at Authentica, where he was instrumental in defining product strategy and direction for Authentica's enterprise rights management and secure e-mail solutions. Before Authentica, Victor held senior product management positions at AXENT Technologies and Progress Software, a global supplier of software technology and services. He can be reached at firstname.lastname@example.org.