Software Piracy: Are You A Trusted Adviser Or An Accomplice To A Crime?3:30 PM EST Fri. Oct. 19, 2012
Not long ago, Entre Computer Services visited a new client in its region of Rochester, N.Y., and made a rather peculiar -- but no longer uncommon -- discovery. The IT assessment team from Entre performed a top-to-bottom review of all of the client's assets and infrastructure and, as part of the process, Entre tracked and cataloged all applications and operating systems to match corresponding software licenses. There were approximately 100 employees at the company, and when Entre reviewed the client devices, it found little to no discrepancies between installed software and the client's licenses. In other words, the desktops and notebooks were free of pirated software.
But when Entre looked at the client's servers, it was an entirely different story. The customer's data center was filled with unlicensed software: desktop applications, office programs, expensive server software and more.
Mark Lucas, executive vice president of Entre, said finding pirated software in customer environments is fairly common these days. "We see it all the time," he said, "and we see it as our responsibility to inform them of the risks of piracy."
What's more, Lucas, like many other solution providers, said the majority of today's businesses, even in the age of technology, don't understand the intricacies and complexities of software licensing. "You wouldn't believe how ignorant of this issue people are," he said.
The face of digital piracy has been that of teenagers downloading popular music, movies and TV shows from BitTorrent sites, but solution providers say the problem of commercial software piracy is real and abundant in the corporate world -- whether it's illegally downloading software from the Web or simply "overusing" legally purchased software by installing the same program on too many systems.
"We've seen big organizations – multimillion-dollar manufacturing companies -- that were overusing software with the understanding of the executive leadership," said Victor DeMarines, vice president of products at V.I. Labs, a software vendor that specializes in software license compliance and piracy protection tools. "It happens much less in North America than overseas, but it does happen."
The software piracy problem is made even more complicated in the corporate world, thanks to virtualization, cloud computing and the bring-your-own-device trend. And instead of pirated software being localized to a few client machines, it's often lurking behind the closed doors of the data center.
Scenarios such as the one Entre encountered can be uncomfortable for solution providers -- and pose potential legal and ethical problems as well. Are solution providers legally bound to report clients using pirated software to the authorities? Are MSPs accomplices to a crime if they manage or service unlicensed software? Are Microsoft Certified Partners, for example, obligated to notify Microsoft if they discover pirated versions of Windows or Office in their customer's environment? These are the questions a solution provider should be asking today, as it's become exceedingly easy to find pirated software and download expensive programs from the Web free of charge.
NEXT: Piracy By The Numbers
PIRACY BY THE NUMBERS
A big reason software piracy is a murky area for solution providers is because software piracy itself is difficult to put into context -- though many have tried.
The major software publishers, along with piracy watchdogs such as the Business Software Alliance (BSA) and the Software & Information Industry Association (SIIA), have spent the past 10 years decrying the rise of illegal downloading and file sharing via the Internet. Software makers such as Microsoft and Adobe contend commercial software piracy robs them of millions of dollars of revenue each year. The BSA's research puts the total losses for the software industry at an incredible figure -- $63.4 billion worldwide in 2011, up from $58.8 billion the year before -- and claims more than half of the world's computer users admit to pirating software, according to the BSA's 2011 piracy survey.
"It tells you people are still pirating software," said Peter Beruk, senior director of compliance marketing at the BSA, "and that it's a growing problem."
Keith Kupferschmid, general counsel and senior vice president of Intellectual Property Policy & Enforcement at SIIA, attributes the growth of software piracy to two factors: the technology that makes file sharing incredibly easy, and economic factors that lead businesses and consumers to download software to save money.
"The issue fluctuates, going up and down," Kupferschmid said. "A couple of years ago, during the height of the recession, corporate software piracy went way up, according to our metrics."
But there are plenty of skeptics who have challenged the BSA's data and argue that accurately determining the number of illegal downloads or copies is not feasible.
"I know people want a number that's close to reality, but it's probably impossible," said Julian Sanchez, a research fellow at the Cato Institute, a libertarian think tank. "The tendency here is that these organizations are trying to estimate the amount of pirated software in circulation and then estimate the dollar amount lost based on inflated Western prices."
Sanchez covers Internet and technology policy for the institute and has followed legislative efforts to curb piracy such as the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA), which initially were supported by the BSA and SIIA (the groups withdrew their support following last January's massive SOPA protest). Sanchez said even if some software piracy represents a lost sale, it could have a positive effect for the company that is having its software pirated.
For example, Sanchez said when Microsoft Word is pirated, it propagates the .doc standard and displaces other competing platforms and even free alternatives. So even if Microsoft is losing some revenue, it's gaining a stronger hold on the market. "Do people use Word because they love Word? Probably not," Sanchez said. "It's more that they want the .doc standard. They could use OpenOffice or other free alternatives, but not if Word is also available for free."
Further complicating the issue is defining software piracy, which is far from cut and dried. Copyright infringement -- the act of reproducing a copyrighted work and distributing it without authorization -- is a criminal offense in the U.S. and carries a maximum penalty of five years in prison and a $250,000 fine. Under federal law, infringing users may be liable for up to $150,000 for each software program pirated or copied.
Most people probably don't think that installing a legally purchased version of Microsoft Office on a second computer is the same as "stealing" Office from the Web via a BitTorrent site. But the SIIA calls this practice "softlifting" and contends it's just as illegal as traditional software piracy.
And technically speaking, the SIIA is correct. Then again, it's technically illegal to photocopy a magazine article and distribute it without the publisher's permission, which is a common practice and is no longer demonized today as a money-draining plague.
It's this practice of "softlifting" or sharing legally purchased software that gets a lot of businesses in trouble with the BSA and SIIA, which audit companies suspected of corporate software piracy on behalf of their software publisher members.
"The vast majority of corporate piracy cases are inadvertent infringement and bad oversight and cutting corners, with the minority being willful software pirates and infringers," the SIIA's Kupferschmid said. "I think we see less cases of willful piracy at the corporate level, so there's a silver lining."
In fact, most solution providers say their clients are largely in the dark about software licensing and what's legal -- and more importantly, not legal -- when it comes to software.
NEXT: Breaking The Bad News
BREAKING THE BAD NEWS
Discovering your customer has unlicensed software in his or her IT environment, for whatever reason, can put solution providers in a difficult situation. Informing company leadership of the situation can make for an uncomfortable discussion, especially if the clients' IT budgets are small and they're being told they need to spend more money on software.
On the other hand, ignoring the issue can lead to serious legal and technological issues as well. Solution providers say downloading software from digital lockers like Megaupload or BitTorrent sites like The Pirate Bay carries serious security risks, as free software downloads can often contain malicious code.
For Entre, the decision was easy -- it's company policy to give customers all the facts, even if they might not want to hear them. The solution provider delivered the IT assessment report to the company's executive business managers, who were surprised by the piracy findings.
"We told them we're not the police, and it's up to them to decide, but we strongly urged them to get the proper licenses for all their software," Entre’s Lucas said. "The company's leadership was completely in the dark. They had no idea that their IT manager was running a loose ship, and software piracy was just one of the problems."
The customer was thankful for the assessment report and eventually purchased the proper software licenses to get compliant. Lucas said the vast majority of Entre's customers do the same. But there are some that don't. "It's very rare that we encounter clients who say, 'Let's keep this private; we'll take our chances.' But it does happen," he said.
Solution provider Marathon Consulting, New York, takes the same approach as Entre when it comes to breaking the news to clients: Tell the truth, even if it hurts. "We always do reports of what software is licensed and what isn't for our clients," said Scott Wilson, founder and CEO of Marathon Consulting. "We make it known to them that it's a liability."
Solution providers say it helps to frame the issue in language that clients can understand. "It is a compliance issue," said Mark Giannini, managing director of All Covered Memphis, "and that's what we tell customers."
Giannini, who sold his managed services business Service Assurance to All Covered earlier this year, said finding and eliminating pirated software was a common practice at Service Assurance; in fact, offering IT assessment scans that "cleaned up" customer environments helped him win new customers because clients were eager to rid themselves of any legal worries or potential headaches.
"We're very cognizant of keeping our clients 'legal,' so to speak," Giannini said. "We looked at everything -- every desktop, notebook and server and not just the software, but any pictures or unlicensed music that may be on that server."
But finding and removing unlicensed software in the data center can be much more difficult than purging a desktop or notebook.
NEXT: Piracy In The Data Center
PIRACY IN THE DATA CENTER
Software piracy was long viewed as a problem rooted in the client device; users would download applications or digital media to their individual systems for personal use either at home or in the office. But times have changed.
Lately, solution providers such as Marathon Consulting have seen more pirated software in the data center -- where unlicensed software can be hidden, so to speak, instead of on a client device tied to one particular employee. "There are a lot of shady IT guys out there building data centers with cracked versions of Windows and other server software," Marathon Consulting's Wilson said. "We've seen that happen quite a bit in the data center with SQL server software and applications."
Piracy in the data center is costly in more ways than one. Not only does it pose serious legal and security risks for the client, it also creates a number of headaches for solution providers. Wilson explains a common scenario when coming into a client's IT environment for the first time as an MSP. "You find out the previous IT guys didn't care much about software licenses," he said. "We've definitely been in customer environments where the server software has been unlicensed, and that's a big problem because it's not cheap and that causes your price to go up."
As a result, the solution could become cost-prohibitive for the client and the solution provider could end up losing the deal altogether. So why is pirated software more common in the data center today?
Kevin Lalor, founder and CEO of Business Intelligence 101, has an idea about that. Lalor started the company in 2004 and for several years, Business Intelligence 101 made traditional software delivery and on-premise integration a big part of its business. "We saw pirated software a lot," he said. "And some of those conversations with customers weren't very pleasant."
Specifically, Lalor said most of the pirated or unlicensed software was found in the backrooms of dark server closets and icy data centers. In his experience, individual employees were less likely to have pirated software on their office computers for two simple reasons: any unlicensed material would be easily discovered and traced on a single user's machine, and because most desktop or notebook applications are affordable and likely to be approved by management.
On the other hand, unlicensed or pirated software was rampant on servers behind closed doors, Lalor said. If the number of people in a client's IT staff is high, then it becomes harder to pin down who was doing the downloading. And if the data center is large, it's much more difficult to find the unlicensed software and figure out how many people are using it.
"When it comes to the IT teams, they have budget restrictions and the server software is more expensive so they'll download the stuff to cut corners and save money," he said.
The situation can be frustrating for solution providers, too. Ridding a customer data center of unlicensed software is far more challenging than client devices.
"Once [unlicensed software] gets into an organization, it spreads virally and it becomes very difficult to remove," V.I. Labs' DeMarines said. For V.I. Labs, sorting through software in the data center is made even more of a challenge because of virtualization. "Virtual machines are a big challenge," DeMarines said. "It's tough to enforce licensing if the application is being cloned on several virtual machines."
Therefore, virtualizing a desktop and pushing it out to several different users may or may not be a violation of your end user license agreements (EULAs), and wading through all the terms and conditions to figure it out can be difficult. "It can be very complex and hard to understand," said Andrea Godfrey, president and CEO of Entre. "We're lucky we have experts on staff that know licensing very well and understand the virtualization model."
However, most businesses don't have that luxury. So how do customers and solution providers know what's permissible with the software they purchase?
NEXT: Licensing Confusion
Barbara Rembiesa founded the International Association of IT Asset Managers (IAITAM) in 2002 after realizing that software license agreements were becoming more complex and confusing and, as a result, most businesses didn't have the first clue about what those agreements meant. Many small and midsize businesses, she found, mistakenly believed that one legally purchased copy of a software program could be installed on several different PCs. They had no concept of EULAs and couldn't grasp the cryptic language used in the lengthy agreements (Microsoft Office 2010's licensing terms are, for example, 24 pages long).
"Most people think they're buying the actual software," she said. "But they're not."
IAITAM began providing education and certification for IT managers on software compliance, asset management and other areas. Software licensing has been the trade organization's biggest focus over the past 10 years.
"Most businesses, especially SMBs, don't know what a EULA even is," Rembiesa said. "The education isn't out there, and if they don't get it from IAITAM then I'm not sure where they'd get it."
Even if businesses do begin to grasp the concept of license agreements vs. pure ownership, they also must contend with rapidly evolving terms and conditions, which sometimes are changed on the fly by software vendors. For example, Rembiesa said, Microsoft used to have a "work from home" provision for Microsoft Office that allowed users to install a second copy on their home computers. But the software giant quietly removed that provision in a later version of Office.
"A lot of businesses got hit with audits because one line in a big EULA got changed," she said.
Similarly, Microsoft changed the terms for Office 2010's Home and Student edition to prohibit the version from being used for any commercial use. While using the Home and Student edition for business is technically piracy, it is considered a license violation because you don't have a license for Office Home and Business or Office Professional.
Where do solution providers fit in the equation? Software vendors must walk a fine line between keeping their customers' trust and ensuring their customers are legal. Most vendors don't require partners to inform them of pirated software in customer environments.
According to Entre's Lucas, as a Microsoft Gold Certified partner Entre's only obligation, under the terms of the partnership, is to refrain from installing or servicing pirated Microsoft software. But Entre is not required to report instances of unlicensed software to Microsoft or any law enforcement agency.
"I strongly advise them to remove the unlicensed software and purchase the proper licensing. What I won't do is report my customers to Microsoft or Symantec or any other software vendor," Lucas said. "Why? Because that's not my job."
Mary Jo Schrade, senior Microsoft attorney who specializes in the software company's anti-piracy efforts, agreed with Lucas. "I think it's incumbent for Microsoft partners to advise their clients against using unlicensed and pirated software," she said. "But I don't think it's incumbent on partners to report their clients because then the partner is no longer in a position to be a trusted adviser to their clients."
Schrade said the trusted adviser role that solution providers play is an incredibly beneficial tool to fight piracy. In fact, Schrade said Microsoft has made significant progress in its war on piracy over the past decade, thanks to certified partners educating their clients and raising awareness for software licensing compliance. "We think of partners as people who can resolve the issue without having to report or go through legal channels," she said. "If they don't already, SMBs should rely on Microsoft partners for guidance on software licensing."
NEXT: BYOD, Cloud And The Future
BYOD, CLOUD AND THE FUTURE
Even if a business is well versed in software EULAs and is up to date with its licensing, the rapidly changing world of technology has plenty of curve balls to throw. One of the biggest factors complicating matters for solution providers and their clients is the bring-your-own-device trend, which some say has accelerated the growth of unlicensed software in their customer's IT environments.
"It's definitely something we see on the corporate side," Marathon Consulting's Wilson said. "It's becoming more common now that you have BYOD. A lot of employees will bring their own devices into work and they're downloading a lot of software."
Wilson said the growth of mobile devices and BYOD created an environment where unlicensed software can thrive because of the lack of oversight and management. And if an employee brings his or her notebook to the office as a work device and it contains unlicensed software, it could lead to trouble for the organization, even if the employer doesn’t technically own the device in question. "We let our clients know it can get them into trouble," Wilson said.
The SIIA is also concerned about the introduction of personal mobile devices in the workplace. "It used to be easier for companies to see what software their employees were using," said the SIIA's Kupferschmid. "But now it's different because employees have their own devices at work."
But are companies actually liable for copyright infringement if an employee downloads software from their home onto their personal laptop? It depends on what software is being downloaded, according to the SIIA. "Let's say an employee is doing taxes on an illegal TurboTax version -- the company is probably not going to be held responsible for that," Kupferschmid said. "But if the employee is using Adobe Photoshop and photo editing is part of their job, then there's a problem."
Solution providers say cloud computing and Software-as-a-Service can cure a lot of the headaches for both software vendors and customers. While Business Intelligence 101, for example, made the majority of its revenue from on-premise software integration services five years ago, today 90 percent of the solution provider's business comes from SaaS.
"In the SaaS world, software is much easier to manage," Business Intelligence 101's Lalor said, adding that the company can see exactly how many client employees are logged into Google Apps, for example. And while some cloud apps and SaaS offerings allow multiple simultaneous logins on a single account -- or account sharing -- Lalor said it's a far cry from the kind of abuse he sees with traditional software.
But will businesses embrace the cloud software model? IAITAM's Rembiesa isn't so sure. "Six months ago, I would have said cloud adoption would happen a lot faster," she said. "But after talking with CIOs and executives lately, I think it's going to take longer. You'll see some apps being moved to the cloud but not all because businesses are concerned about not having access to their data."
The BSA, meanwhile, is concerned that login credential sharing will become the new form of software piracy. The organization recently published a survey of nearly 15,000 PC users worldwide that showed 42 percent of respondents share login credentials for paid cloud services inside their place of business.
While solution providers are quick to point out that many SaaS and cloud app providers allow some measure of multiple logins for a single account, the BSA said its software members -- which include Microsoft, Apple, Adobe, Symantec and other top vendors -- are concerned about the potential for cloud app and SaaS abuse. "Credential sharing is just one of several new variations of license abuse around the cloud, and it's the one we see most today," said Matt Reid, senior vice president of external affairs at the BSA. "[But] traditional packaged software will not go away. It will continue to grow, especially in emerging regions."
Whatever the case, solution providers will have their work cut out for them -- either keeping their customers on top of their traditional licenses or convincing them to move to the cloud -- as the software industry continues to evolve.