As someone who has spent a lot of time discussing piracy with the ISV community and researching the piracy scene, I believe what a software vendor does to combat piracy is directly proportional to its knowledge of the piracy scene motivations and its own piracy activity trends. In fact, you can group how software vendors respond to piracy into three stages: Denial, Reaction and Realization.
Let's explore each of these stages in some detail:
Stage No. 1: Denial
Vendors at this stage believe that people who download pirated software would never pay for it. If there is a piracy concern, these vendors address only overuse within their customer base and not the potential issues of overt piracy (unlicensed use).
Stage No. 2: Reaction
The focus here is to respond with techniques that target the piracy groups themselves (for example, legal takedowns, homegrown software protection and planting dummy software on peer-to-peer sites). It is often an emotional response to the very visible piracy groups that target the vendor's products. This can include more intrusive licensing approaches such as hardware dongles and activation, and may use technology that risks affecting customers.
Stage No. 3: Realization
Vendors in this stage focus on the users of pirated software and use business intelligence (BI), reporting and schemes that treat piracy as viral marketing. Advanced methods include data gathering to identify organizations targeting pirated software, and then integrating this information into the legal and sales process.
An example of this relationship can be seen in the PC gaming market, perhaps the segment with the most piracy experience. Plagued with piracy, software game vendors turned to ever-escalating software protection techniques to combat the threat. Vendors deployed more and more anti-reverse engineering countermeasures, trying to stay a step ahead of the cracking community that was part of the piracy scene. These technologies ranged from traditional anti-debugging methods to more invasive protection using virtual machines and device drivers, which drew wide consumer criticism. One of the most egregious examples of this was the Sony BMG Digital Rights Management (DRM)/rootkit scandal.
Eventually the industry (for the most part) dropped intrusive protection approaches in favor of gradual piracy detection and response mechanisms, and server-based activation. In addition, the game industry recognized that piracy was a part of business and optimized its launch plans to maximize revenue within four weeks, the time it takes crackers to break their copy protection approach.
This final stage for gaming vendors captures what I call a final realization to focus on capturing the user revenue versus carrying on a countermeasure war with the crackers. Some online gaming companies have moved away from client software protection techniques to full server validation to catch fraud. In this scenario, the gaming company simulates game play on the server, then determines post-game whether the results were suspicious and impossible for a human to match (game bots).
Turning to the high-value software vendor market segment (Product Lifecycle Management (PLM), EDA, engineering software, etc.), I would argue that the software vendors in these industries are at the initial stages of an anti-piracy process: denial or reaction. They differ significantly from gaming vendors, not only on the per-seat price point ($15,000-$30,000), but because their software is experiencing recent increases in piracy rates due to demand in emerging markets.