As someone who has spent a lot of time discussing piracy with the ISV community and researching the piracy scene, I believe what a software vendor does to combat piracy is directly proportional to its knowledge of the piracy scene's motivations and its own piracy activity trends. In fact, you can group how software vendors respond to piracy into three stages: Denial, Reaction and Realization.
Let’s explore each of these stages in some detail:
Stage No. 1: Denial
The belief that people who are downloading pirated software would never pay for it. If there is a piracy concern, then vendors at this stage only address overuse within their customer base and not the potential issues of overt piracy (unlicensed use).
Stage No. 2: Reaction
The focus here is to respond with techniques that target the piracy groups themselves (for example, legal takedowns, homegrown software protection, planting dummy software in peer to peer sites, etc.). It is often an emotional response to the very visible piracy groups that target the vendor’s products. This can include more intrusive licensing approaches such as hardware dongles and activation, and may use technology that risks impact to customers.
Stage No. 3: Realization
Vendors in this stage focus on the users of pirated software and use business intelligence (BI), reporting and schemes that consider piracy viral marketing. Advanced methods include data gathering to identify organizations targeting pirated software, and then integrating this information into the legal and sales process.
An example of this relationship can be seen in the PC gaming market, perhaps the segment with the most piracy experience. Plagued with piracy, software game vendors turned to ever-escalating software protection techniques to combat the threat. Vendors deployed more and more anti-reverse engineering countermeasures, trying to stay a step ahead of the cracking community that was part of the piracy scene. These technologies ranged from traditional anti-debugging methods to more invasive protection using virtual machines and device drivers, which drew wide consumer criticism. One of the most egregious examples of this was the Sony BMG Digital Rights Management (DRM)/rootkit scandal.
Eventually the industry (for the most part) dropped intrusive protection approaches in favor of gradual piracy detection and response mechanisms, and server-based activation. In addition, the game industry recognized that piracy was a part of business and optimized its launch plans to maximize revenue within four weeks, the time it takes crackers to break their copy protection approach.
This final stage for gaming vendors captures what I call a final realization to focus on capturing the user revenue versus carrying on a countermeasure war with the crackers. Some online gaming companies have moved away from client software protection techniques to full server validation to catch fraud. In this scenario, the gaming company simulates game play on the server, then determines post-game whether the results were suspicious and impossible for a human to match (game bots).
Turning to the high-value software vendor market segment (Product Lifecycle Management (PLM), EDA, engineering software, etc.), I would argue that the software vendors in these industries are at the initial stages of an anti-piracy process: denial or reaction. They differ significantly from gaming vendors, not only on the per-seat price point ($15,000-$30,000), but because their software is experiencing recent increases in piracy rates due to demand in emerging markets.
The denial stage
Yet, a majority of these software vendors are still in denial that piracy of their software represents a real revenue threat. In my experience, when they are presented with evidence of increased activity at the piracy group level, product management and licensing representatives are more apt to pursue strategies that target the piracy groups themselves. This can often manifest itself in the protection or hardening of the licensing management routines embedded in their software products, or by taking legal action against the piracy groups.
A protection strategy may make sense in certain scenarios:
Scenario No. 1: The software application is developed in Microsoft .NET and therefore the Intellectual Property (IP) within it is exposed to reverse engineering.
Scenario No. 2: A new licensing system has been implemented and early protection of the approach may limit easy “class break” cracks from being created by the piracy groups (for example, key makers).
Scenario No. 3: The application is an appliance or runs on an embedded operating system. Here, software and hardware protection would be combined to maximize effectiveness of the protection without impacting the customer experience.
However, there is increasing evidence to suggest that piracy groups or the piracy scene may only be indirectly responsible for revenue loss attributed to piracy and, therefore, not an ideal primary target in an anti-piracy strategy. The piracy scene has long stated that it releases software for fun or to compete with other groups, not to profit from it. But the cracked software they distribute makes its way to the P2P, Web and merchant sites that profit from their sales.
There are vendors that have gone through the early stages of an anti-piracy response and evolved to the “realization” stage. They have selected strategies that focus on gathering BI on piracy use and methods to identify organizations using that software. Ultimately, the “piracy problem” is only a problem if legitimate businesses have adopted it. This is evident in Microsoft’s use of its Software Protection Platform in Vista. Following its implementation, Microsoft claimed it recovered $164 million in one quarter using a combination of reporting and licensing validation technology.
The realization stage
In the realization stage, vendors strategize on how to quantify pirated use and create business leads from pirated software adoption. They ask questions such as, “If we could stop the pirated software from being available, how does it relate to our sales (or viral marketing) strategy in a region or to our competitors’ growth?”
A technology response may take the form of “phone home” or automatic software auditing approaches that are only triggered when pirated use is detected and that collect enough information to identify an organization. Armed with this level of data, the vendor can pursue organizations directly for license revenue or leverage the BI to extend partnerships in specific regions with high piracy rates.
Although it may be difficult to categorize all software vendors and their anti-piracy responses, before selecting any response or deciding on a specific piracy strategy, vendors must first measure and quantify just how large and wide their problem is.
Prior to RSA, Victor was the director of product management at Authentica, where he was instrumental in defining product strategy and direction for Authentica’s enterprise rights management and secure e-mail solutions. Before Authentica, Victor held senior product management positions at AXENT Technologies and Progress Software, a global supplier of software technology and services.