Piracy and Unconventional Wisdom

Introduction

As software developers, piracy is something that affects us all. If you are a software developer who works for a big company, you likely do not see it directly. But you still have an interest in who is using your company's software. If you are in a small company or are a developer who sells software, piracy hits a lot closer to home.

However, the conventional wisdom, which often equates to the "knee jerk" reaction, is not the proper one.

Emotions and Pride

Developers have a large amount of pride in their products. Some have egos as well - but that is another subject. :)

Because of this, when developers find their product is being pirated, they react emotionally. "Those stinking pirates! They are stealing my software! I will stop them!". An emotional response is the wrong one - the situation must be evaluated logically. Break it down to a dollar figure, and forget the emotions.

If you want to react emotionally, think about it this way. Pirates only take the time to crack software that is in demand. If your software has been pirated, it's a compliment and an indicator of your software's success.

Pirates work on egos too. Pirates often crack software to show their peers (other pirates) how talented they are. We show other developers our talent by writing software, they show theirs by cracking it. Pirates are more like us than we would like to admit. It is the thrill of the chase.

Show Me the Money

A developer once called me after he found his software on a warez site. He was frantic, and had all kinds of schemes dreamed up to prevent it. We talked about it for a while. I let him talk it out for a bit then I asked him, "So how long do you think it will take you to implement these safe guards?". "I think I can do it in 4 weeks", he replied.

4 weeks. Think about this. Most professional developers' time is worth at least $50 per hour. This developer I know works about 70 hours a week. Furthermore, I knew this developer's estimates are not accurate (like most developers). So, let's factor in the standard fudge factor of at least 2. This makes it 70 (hours per week) x 2 (fudge factor) x 4 (original estimate) x 50 ($ per hour) = $28,000.

$28,000 is a lot of product! Let's assume your product is a higher end product and sells for $500. That's 56 products. Which is more productive - trying to sell 56 more products - or preventing 56 losses?

Ghost Sales

Even if you say that it is worth it - consider this. Are those 56 sales really lost sales? No. Most people using warez sites will not buy your product anyway. You have stopped the freeloaders from using your product, but you have not increased your sales, in fact you have decreased them by not focusing on your product, and diverting from it.

In such a battle to "outsmart" the pirates, you quickly pass the rate of return for your investment of time and effort. Would you invest your money in a bank that provided a negative interest rate?

Cat and Mouse

No matter how many schemes you come up with, chances are someone will crack it. Many pirates love a challenge. So, your efforts to thwart them only reward them, and make your software more valuable to trade on the warez forums.

Its like Wiley Coyote and the Roadrunner. Except we as developers are not the Roadrunner. Remember how many times Wiley got smacked on the head by an anvil, blown up, or otherwise obliterated? Did it look like fun? Do you want to be Wiley Coyote?

A Little Piracy Can Be Good Now and Then

I am not endorsing piracy, or telling anyone that they should pirate software. So, please do not take what I have said out of context and run around saying "But Kudzu said I can pirate!". But a little piracy is a good thing, pirates spread the word about your product.

Many pirates become consultants later for corporations. And most corporations are not pirates, they have too much at risk. When they work for these corporations, they make the recommendations, and the corporations become your customers.

One reader posted a reply that he would rather the pirates use his software than his competitors. He said later they might have money and buy it. This is very true, not all pirates are financially deprived forever and only engage in piracy while it is "financially necessary" to do so. Please note that when I say "financially necessary", I am speaking about their rationalization of the situation - not mine.

If the people that are pirating your software will not buy it anyway, why not let them have it? Does it cost you anything? No, only if you consider it a lost sale. But considering an individual in Siberia or Africa as a potential paying customer, is not sound marketing. Yes, some corporations will buy your product if it is too difficult to obtain a warez copy. But an individual making $100 a month, and using it at home, will never buy your product unless it goes on the dinner table.

I am not recommending that you encourage piracy as your latest marketing technique. However, it is good to know that there are at least some benefits that may be reaped from the piracy that you cannot prevent. If you have lemons, make lemonade. But I am not proposing you become a lemon farmer.

Financial Incentives

Your financial incentive is to sell your product. While some pirates make money by selling your software at $1 a piece, most pirate it for peer recognition, trading abilities, or for use. The ones that pirate it at $1 a piece do not make very much at it because of the overhead of distribution, CD copying, etc. Thus, the pirates make nothing, and have no financial incentive for their efforts.

Your motivations are not the same as theirs, and you cannot approach the problem from the same angle. When you speak of bread, you mean money. When many of the pirates speak of bread, they really mean it.

Your Software Will *NEVER* be Pirate Proof

There is a saying, (referring to houses) "Locks keep honest people honest". Criminals will just bust the door down. The same is true of software. Make it reasonably difficult, you will never succeed in building a burglar proof house, and you will never succeed in producing pirate proof software.

Microsoft spends more on anti piracy measures than most of us will ever earn in our lives, and their products are pirated more than any other software. You may be smart, but so are many of the high paid brains at Microsoft.

Impact on YOUR Customers

Some developers are so pirate crazy they implement hardware locks, dongles, impossible to enter keys, registrations, and other crazy schemes. Each of the schemes I cited has an impact on your paying customers. This is bad. When you make it harder for your customers, you increase technical support, their dissatisfaction with your product, and more. Many of these will also cause customers not to buy your product because of concerns of transferring it to new computers, etc. So, in preventing piracy, you are pushing away paying customers. You gain nothing by preventing the pirate from using your software, but you lose because paying customers are not buying your product. Is it worth killing a paying customer for every pirate you prevent?

Draconian Solutions

In the past, some vendors have resorted to hardware dongles. Hardware dongles typically connected to the printer or serial port, and very often interfered with existing devices and did not allow for other dongles to be used. USB has alleviated these problems, but still does not make the use of hardware dongles a good choice. Imagine a USB hub just to provide a place to plug in dongles. Or worse yet, consider laptop users.

Hardware dongles add to the cost of your product as well. Unless your software sells for thousands of dollars, hardware dongles should never be considered.

Hardware dongles are typically only used in very high end software where in some cases they do make sense. However, something more troubling is hardware locking. Hardware locking locks the software to a specific computer. This may seem like a great idea to the software vendor, but it is a horrible option for the customer. The customer may change the computer, upgrade the hard drive, or even buy a new computer and dispose of the old one. In my mind, it is a customer's "fundamental right" to transfer their software to a new computer and not worry about having most of their software "die" if they install a new hard drive.

Vendors have self justified hardware locking by allowing the customer a limited number of relocks for new computers, etc. However, this is a bad solution as well.

For me personally, such locks are draconian. While not everyone has the same situation, similar factors apply to many, especially software developers. My situation includes:

• I travel a lot - sometimes with just a USB hard drive and a few CDs. During that time, I install some software on computers where I am, and wipe it when I leave.
• I buy a new laptop every 12 months.
• I use VMWare extensively. I could not live without it. I use VMWare for debugging, build solutions, and testing. Software must be installed in VMWare each time I build a test environment.

I have about 40 programs that are part of my "Essential kit". If I have to contact each vendor every year that I buy a new laptop, travel, or create a VMWare machine, I am not going to be a very happy customer left to hunt down and deal with 40 software vendors each year. Some software vendors may even have gone out of business, or decided "not to support my older version". Not supporting an older version is fine, but not when it comes to my ability to install and run it.

Microsoft has recently ventured down this path with Windows XP and newer versions of Office.

Creating Pirates

Many vendors end up creating their own pirates, often specific to their products. These "pirates" pirate only your software to bypass draconian anti piracy measures you have created. Often they continue to buy your software, but refuse to use your officially released version, but instead seek, create, or use cracked and modified versions without the negative features of your anti piracy solution. Your solution to prevent piracy has turned on you and has created pirates.

Example 1: Microsoft

As I mentioned previously, Microsoft has introduced hardware locking in Windows XP and other software. Microsoft calls this activation. Activation locks the software to your computer. You cannot install it to a new computer, or even make too many changes to your computer without disabling the software.

Microsoft realized that their bigger customers would not tolerate this treatment and thus excluded activation from the corporate edition. Microsoft felt that it was permissible to inflict such a draconian solution on their individual and small business customers however.

Activation can hit mistakenly as well, even though nothing has changed. There are several well documented cases of this.

Because many users refuse to submit to such treatment, special editions of Microsoft's software have been created by pirates that do not require activation. But, it's not only the pirates that are using these editions. I know of many people who have legitimately purchased or bundled copies of Windows XP, but who have not installed or have installed over top with a pirated un-activated version.

Since they already have a licensed copy, Microsoft has not lost the money to these individuals. However, what these individuals have done is still illegal in most countries. But by creating the need for such cracked versions, Microsoft has made their software available to an even wider audience. In short, the end result of Microsoft's anti-piracy move is:

1. It has created more pirates. People who otherwise would not engage in piracy feel forced to become "weekend pirates" just to use software they legitimately own.
2. It created the "need" for a pirate version. Since pirate versions exist, their anti-piracy implementation has been rendered ineffective.
3. It affected customers. Such a move inconvenienced customers, and turned Microsoft's customers further against them. Customers will also consider the competition more seriously.

Example 2: Record Companies

Another example of creating pirates is Napster and the record companies. The record companies may not have created Napster, but they made it what it was. Users want digital content of their music. Users also want to purchase single tracks without the need to purchase a complete album. By not recognizing this fact, the record companies "pushed" people into the black market. Please note before I proceed, that again I am not endorsing Napster, or its users. I am pointing out that being blind does not make things disappear, and often fuels the fire instead.

Instead of offering what customers wanted, they turned a blind eye. What the record companies should have done is listen to the needs of the market and adapt by offering music singles for purchase and download at an affordable cost. If such a thing had been offered early on, Napster would have still existed. However, it would not have grown to the size it did, and many users would have used their service instead.

Personally, if single song tracks were offered at rates from $0.25 (old songs) to $3, I would easily use such a service to legally obtain the music I want. For those with voracious appetites, bulk discounts or subscription plans could be offered. The record companies would have higher profit on such songs because there is no overhead for CD production and shipping. Only negligible overhead associated with bandwidth.

But users had no way to give the record companies what they wanted (money) without purchasing whole albums. Many users did not see it reasonable to spend $20 for an album to obtain a single song, and instead turned to Napster.

Record companies countered with the fact that if they provided such a solution, users would share the files. How is that any different than what users were already doing? Offering a paid solution for customers could not and would not increase song sharing that was already rampant.

When a plague exists, you do not hold back the antidote because there might be some recipients with negative reactions.

Release Often

If you have a strong enough protection scheme, pirates will have to resort to cracks. This is a good thing. Easy ways to pirate are using key generators or shared keys. If they cannot use these, they will crack your software. You can make it difficult to crack your software, but you will not make it impossible.

However, cracks take time, and if your code is structured properly they will have to crack each version. If you release often, the pirates will soon get tired of cracking all the latest updates, and the pirate copies will be older versions.

Sell Benefits They Cannot Pirate

Provide more than just an executable. Provide items such as upgrades, authenticated bug reporting, authenticated support, etc. If you provide public support, you will be supporting the pirates along with your customers and draining your resources. By providing private support, you can focus your resources on your customers and provide a benefit that cannot be pirated. Sure, someone can pass their username and password around, but you can track and contain that. Because of this, usernames and passwords will not be shared very far.

Make it Cheaper to Buy

I am not telling you to lower your price. I am telling you to make your software cheaper to buy, than to pirate.

I keep in close touch with other vendors. Most of them have almost no sales in Eastern Europe, or China. We do. In fact, we have quite a few sales in Russia, China, South Korea, African countries, and more. Why? We provide additional benefits that are difficult, or not cost effective to pirate. These include priority private support, frequent updates, priority bug fixes, and reasonable anti piracy procedures. For companies making money, it is not worth their time to pirate it. It is cheaper for them to buy it, because of the benefits they receive.

Microsoft until recently had a one price world wide policy. However, now they have reversed this policy and are pricing regionally. Why? Piracy, and Linux. CNN Article - Microsoft to emerging markets: We've got a deal for you.

Defend, Don't Attack

Defense is a requirement of preservation of your software. However, defense does not include attacking the pirates. Attacks can consist of attempts to render damage to the pirate's computer, or providing an outright challenge. Neither is wise.

Some developers as a result of their emotional response to piracy of their software wish to inflict damage to the pirates. Damage may consist of attempting to delete system files, or other. This is a very foolish response, and without doubt will accidentally affect a legitimate customer, as well as open you to legal repercussions.

Other developers attempt to actively challenge pirates. This is both dangerous and foolish. Pirates may not have a lot of money, but they do have a lot of talent and time and will accept the challenge. Madonna once challenged those who were pirating her songs. The pirates fought back and released unreleased songs, and hacked her website in protest. CNN story: Hackers have fun with Madonna decoy.

Be Up Front

Should you choose to use system locks, activation, dongles or other intrusive methods, clearly tell your customers up front before they purchase. Twice in the past few months, I have bought software that was activated or system locked, and the vendor did not make this fact known before the purchase.

In the first case, the software required activation. I was upgrading from an older version of their software which did not require activation, and the software was an essential part of the system with which the computer could not function. The computer it runs on is a secure computer and heavily fire-walled. Upon installation of the registered upgrade, the computer was rendered useless as it could not access the registration server. After finally dialing into the Internet on an international call to attempt to access the registration server, the registration server turned out to be down anyway. Murphy's law always applying, it was the weekend where this company's offices were. It took 3 days for the problem to be resolved in a proper manner. If I had not resorted to other less desirable means, the computer would have been unusable for those 3 days until the vendor resolved it.

The second case was less trouble, but had still caused several inconveniences. Fortunately, the software was less critical and thus did not have such serious implications. Had I known that the software was system locked, I would have chosen another vendor to prevent the troubles which it had caused.

Goals of Piracy Prevention

While it may seem like I am suggesting you allow a free for all on your product, I am not. Let me summarize what you should be doing to limit piracy:

1. Take reasonable steps to prevent piracy. Implement prudent, and non-invasive solutions to "keep the honest people honest".
2. Follow the money. Forget those without money. If they do not have money, they will not buy your product.
3. Forget your elaborate anti-piracy schemes. Stick to something simple, un-intrusive and reasonably effective.
4. Sell more than software. Provide your purchased users with private authenticated support and other options that cannot be pirated.

DO's of Piracy Protection

1. Track your keys. This will prevent widespread key sharing because you can track them. Make your users well aware that keys are trackable to them, and they will be less likely to share them.
2. Use strong keys. If you use weak keys, the pirates will generate key generators and make their own keys.
3. Use asymmetric encryption. If you use symmetric encryption, the pirates have your key and can make keys as well.
4. Change your license logic. Change the procedure names and logic of your licensing code frequently to prevent routine cracking.
5. Never release debug builds to the public. Debug builds contain tons of information in your program to assist pirates.
6. Release often. Keep the crackers busy, and make their return on investment a negative value.
7. Protect your executable. While there are many such utilities, and none are crack proof, ASProtect is a nice affordable one. The developer even provides custom builds upon request.