Revulytics Blog

Balancing Piracy Business Intelligence with Privacy Concerns

April 14, 2011

An interesting article appeared on Techdirt.com this morning.

While we have insufficient knowledge of the facts in this case to comment on it (and it’s really none of our business to begin with), the blog post on Techdirt.com muddies the waters with its own interpretation of the allegations in the complaint. We do want to note that V.i. Labs is not a party to this lawsuit, and the software vendor named in the complaint is not a V.i. Labs customer. We have always been, and continue to be, a champion of personal privacy rights and support the use of ‘notice and consent’ mechanisms.

Here’s what we know:

An engineering software vendor, licensing technology vendor, and compliance organization have been named in a class action complaint that claims that they violated privacy rights by collecting and using personally identifiable information “without notice and without users’ consent” (you can read the complaint here). As clearly stated in the complaint, the plaintiff acknowledges the right of a software vendor to “implement technology to protect its intellectual property.”

To clarify, here’s our approach to fighting piracy and what makes us and our customers different:

Defining Piracy Business Intelligence
Piracy Business Intelligence is an approach to dealing with software piracy that:

  1. Once notice has been provided and consent has been given, uses technology to detect when license enforcement and protection have been deliberately bypassed or removed, and
  2. Reports the infringing use of that software by businesses to the Independent Software Vendor (ISV) without transmitting personally identifiable information.

The reporting function gathers data from a machine running the pirated software to help identify the non-compliant organization and the amount of usage of the application. This information creates business intelligence that ISVs can leverage to protect their intellectual property with further license enforcement programs or license compliance activities to recoup revenue lost to piracy from organizations, not consumers.

V.i. Labs and its customers are committed to using best practices when implementing Piracy Business Intelligence (PBI), which include the following:

Include Notice and Consent – The security and reporting mechanisms used to gather PBI must be included in the End User License Agreement (EULA).

Do Not Target Individuals – Data collected through PBI is used in conjunction with the ISV’s global compliance program to reduce pirated use of their application by businesses, not to target individual end users. Business organizations may be inadvertently or intentionally running tampered or cracked versions of the ISV’s applications. In these situations, the ISV’s license compliance team would approach contacts responsible for compliance in these organizations and resolve the issue.

Integrated Self-Auditing – A proper PBI implementation is integrated into the ISV’s applications and activates only if it detects that the software licensing functions have been cracked or disabled and that the application is actually being used by the infringing organization. The reporting function is integrated into the ISV’s application and not separately installed on the end user’s machine; therefore it is deleted when the pirated application is uninstalled.

Do Not Collect Personally Identifiable Data – When PBI is used to provide an ISV’s compliance program with actionable data, personally identifiable information is not collected. For example, an ISV’s compliance program will seek to recover license revenue from businesses that are running tampered software obtained from the piracy channels. In these situations, the ISV will communicate with a senior official in the business responsible for compliance and present evidence of the infringement activity recorded. Personal data is not required for this process.

Software Origin and Forensic Proof – Forensic proof that the application has been pirated (license enforcement disablement) is a critical requirement when collecting data on misuse of the software.

Summary
As acknowledged in the complaint, ISVs have the right to implement technology to protect their intellectual property. However, software vendors must balance this with privacy constraints when approaching an organization using unlicensed software. The data our customers have collected to date with their PBI deployments has confirmed the widespread adoption of pirated software by business organizations: a sample of our customers has identified close to $1B in lost revenue, which supports the $50B estimate provided in the most recent BSA/IDC annual study of global software piracy. PBI offers a less invasive anti-piracy approach than draconian licensing and software protection technologies. A PBI strategy also protects an ISV’s licensed customers by leveling the playing field when competitors have reduced costs due to their use of pirated software.

- Vic

Post written by Victor DeMarines

Vice President, Products & Strategy at Revulytics

Victor DeMarines brings extensive security product management and marketing experience to Revulytics, where he is responsible for product strategy and direction. He is a frequent speaker and author on topics including piracy, reverse engineering and the protection of intellectual property.