Software piracy is a problem that ISVs have long found daunting to fight and prevent. The time has come to implement intelligent and innovative solutions to overcome this barrier, but solutions need a strong strategy to be executed successfully. This article looks into strategies and solutions that can eventually produce significant results in preventing piracy.
Piracy of successful software is probably one of the biggest challenges principal software architects have ever faced. Look back at the history of any big software development company and you will find it has been challenged to prevent piracy and protect its revenue every time it has introduced new software or an enhanced version of its existing software. Piracy is a natural phenomenon for any successful software product, and it has been there since the 1980s, when the first packaged software applications were being created. In the US, Intellectual Property (IP) laws, Sarbanes-Oxley, and other corporate governance standards have helped to control the piracy rate. However, the growth in new and emerging markets, the explosion of internet users globally, increasing bandwidth, and the advent of peer-to-peer (P2P) file distribution networks have all helped to create unacceptably high piracy rates outside the US, costing Independent Software Vendors (ISVs) millions of dollars a year.
A lot of attention has been paid to more popular consumer software from Microsoft and other desktop software vendors. These same vendors have adopted aggressive anti-piracy campaigns involving legal, educational, governmental, and technology-based countermeasures. However, high value software (i.e., software licenses costing thousands of dollars per seat) used in manufacturing, design, test, and other analysis processes has also been specifically targeted by piracy groups. This demand feeds from businesses in emerging countries that need infrastructure software to build new products and compete for offshore contracts. Although ISVs in this space have adopted sophisticated licensing systems designed to prevent piracy (and some have pursued legal interdiction services), none of these solutions have been effective. Licensing systems were quickly cracked and legal enforcement has been severely limited by weak IP laws in emerging countries.
Vendors Lose Big to Piracy
The Business Software Alliance (BSA) reported that, on average, 43 percent of software used in computers worldwide in 2009 was pirated, up from 41 percent the year prior. Worldwide, piracy losses reached 51.4 billion dollars in 2009, with 16.5 billion dollars of this in the Asia-Pacific, the annual report found. The deluge of counterfeits was largely due to the growth of the personal computer market in Brazil, India and China, the group, which has a base in Singapore, said.
However, last year's losses worldwide were three percent down from 2008 while the rate of pirated software use fell in 54 economies, remained steady in 38 and rose in 19. The average piracy rate in Asia-Pacific was 59 percent, which means that of the more than 900 million units installed last year, more than 530 million were unlicensed, said Victor Lim, a vice president at IDC, which carried out the study with the software alliance.
Bangladesh had the highest software piracy rate in Asia, followed by Sri Lanka, Indonesia and Vietnam, with China and India also among the most prominent culprits. For one, the BSA thinks that most businesses have their software house in order, largely because they've opted to invest in enterprise license management software. Most of the problems with piracy are now in the consumer space, but that's also where most of the growth is, especially in emerging markets like the BRIC (Brazil, Russia, India, and China) nations.
So, why is piracy flattening out despite this trend? The report offers several suggestions. For one, the fall in hardware prices is inducing those consumers to buy new systems from established vendors, which tend to have a lower incidence of pirated software than the used and white-box markets. The newer computers are also coming with more bundled software, which enables purchasers to get more done without looking for software in other places; ISPs and other companies are also offering software with ancillary services.
Finally, the report notes that sites offering pirated software also frequently offer malware, either inadvertently in user-uploaded files, or intentionally, as part of a larger criminal enterprise. The cost of blocking and removing malware, according to the BSA, easily exceeds the local price of a lot of commercial software.
Driven by the growth of PC sales in China, India and Brazil, global piracy climbed to 43 percent of all installed software, up 2 percentage points from 2008. The rate represents $51.4 billion of goods, unchanged from the year earlier when currency fluctuations are taken into account,
The chief executives of 12 software companies -- angered by what they say is China's failure to fight software piracy -- are meeting with lawmakers and Obama administration officials in hopes of persuading them to pressure China to crack down on the illegal copying. China -- long a center of pirated movies, music and software -- had been making some progress in stopping illegal copying, said the Business Software Alliance, which estimated that 79 percent of China's computers last year ran on pirated software.
Microsoft's Steve Ballmer, Shantanu Narayen of Adobe, Carl Bass of Autodesk and Enrique Salem of Symantec are among the chief executives meeting with Treasury Secretary Tim Geithner, Attorney General Eric Holder, and Office of Management and Budget Director Peter Orszag. The executives are also meeting with lawmakers like Senate Majority Leader Harry Reid, Representative Howard Berman, chair of the House Foreign Affairs Committee, and Representative Eric Cantor, the Republican whip. Microsoft, which has continued doing business with China despite the piracy, recently won a lawsuit in Shanghai against a local insurance company that was running 450 copies of pirated Microsoft software.
Understanding the Dynamics of Software Piracy
Understanding how software is pirated, distributed, and adopted is an important pre-requisite for deciding on the right anti-piracy strategy for an ISV. Figure 1 below compares the ISV producers, their channels and end users with the software piracy groups, and distribution channels and operations.
Figure – 1
Software Producers
As shown, both ISVs and software piracy operations have distribution channels and end users. In the case of ISVs, their channel is made up of resellers, distributors, and other partners focused on delivering and fulfilling licensed versions of the ISV’s application to customers. In contrast, the piracy groups act as an ISV by producing versions of the ISV’s application that have been “cracked” to disable or bypass license enforcement and activation functions. The piracy groups are analogous to ISVs in that they are organized (e.g., using suppliers, packagers, couriers, crackers, etc.) to produce quality “crack” releases of the latest ISV products and make them available for distribution. These groups typically recruit individuals embedded within the ISV itself, resellers, or customers to acquire pre-release or early release versions of the software, assuming the role of “suppliers.”
Distribution Channels
In comparison with the traditional channels used to distribute software, the piracy scene uses an efficient and well distributed framework to make cracked ISV applications available to the masses. Key distribution methods include peer-to-peer file sharing services like BitTorrent, popular search engines or pirate index services like thepiratebay.com, cyberlockers like Rapidshare.net, Web and auction sites, and street warez merchants that distribute counterfeit software.
End User Customers
ISVs’ product management and sales organizations are normally experts on their own customer base and jointly focused on maintaining license revenue as well as seeking new revenue opportunities that leverage this base. Because the known customer base is the focus, internally driven anti-piracy efforts have traditionally only targeted license overuse and not overt piracy. This is shown in Figure 1 as the intersection between unlicensed and licensed customers. There may be efforts within a vendor’s legal team to recover license revenue from the overt or unlicensed customers, but this can be an isolated effort and outside of the normal ISV sales process. Depending on the type of software being sold and the demand in emerging markets, this unlicensed customer base can represent a significant new revenue opportunity.
Two Anti-Piracy Strategies
ISVs have two groups of anti-piracy methods available: Prevention and Piracy Business Intelligence.
Prevention approaches
Preventative strategies can be categorized into interdiction based services and technology based countermeasures like software protection. Both approaches are designed to prevent piracy of software applications by increasing the “Time to Crack” (see Figure 2). Time to crack refers to the period between the vendor's release of its software and the piracy groups' release of their cracked version of the application for illegal use. The greater the period of time between the actual software release and time to crack, the greater the opportunity the vendor has to recover license revenue that would have otherwise been lost to piracy.
Figure – 2
To achieve this, interdiction based services normally target and attempt to disrupt the distribution of “cracked” software through the piracy networks (e.g., P2P, web, etc.). Techniques range from issuing Web site take down notices to collecting IP addresses and other infringement data, and can go as far as uploading dummy software onto the P2P network to frustrate the sharing of pirated software and media. All of these approaches have limited effectiveness because of the distributed and resilient nature of the Web and P2P networks.
Alternatively, software protection is a technology based solution that targets the piracy group and the software cracking process itself. With software protection, the ISV adds anti-reverse engineering protection into the software release to prevent the embedded Digital Rights Management or licensing functions from being bypassed. Bypassing these functions is known as binary tampering and is the most predominant method used to enable an application to be pirated. Protection techniques normally involve code encryption, obfuscation, anti-tampering and anti-debugging capabilities. These capabilities can be added directly into source code or automatically inserted into the software binaries themselves. Protection approaches have the added benefit of safeguarding IP that may be contained in the application as well. Software protection is classified as preventative since it is not an absolute method to stop reverse engineering.
Piracy Business Intelligence approaches
On the other end of the anti-piracy spectrum, piracy business intelligence approaches attempt to identify the actual end users of pirated software and pursue them through legal or sales activities to recover the license revenue. Examples of organizations that provide these services are Business Software Alliance (BSA) and Software Information Industry Association (SIIA). Traditionally these services rely on whistleblowers, self auditing, and other insider information to create actionable leads.
“Phone home,” activation, and other reporting technologies are available to ISVs to be built into applications and gather usage intelligence. Most of these implementations are focused on license overuse rather than overt piracy. In addition, if the reporting system itself is tied to license activation, then it will become the focus of the piracy groups to disable. Piracy groups will target any mechanism that attempts to block unlicensed use. However, detecting piracy and reporting information back to the ISV can be an important part of developing piracy business intelligence and combating the true piracy issue: businesses that are able to pay for licenses but use the software illegally.
In fact, if the reporting function can gather enough forensic information over a period of time that can be resolved to an actual business, then this capability can be easily extended to generate sales leads. The data can be leveraged by the sales organization (or partners within the region) to target the businesses using the software and recover revenue. If you can link the products businesses are building (and creating revenue) with pirated software, you can then approach them to “true up” and pay the software license revenue. This is especially true in the case of high value software.
However, there are a number of challenges for the ISV in implementing detection and reporting within their applications.
• Need for stealth: The reporting operation would need to evade detection by the piracy groups and not be easily detected once running within the infringing organization. This requires reporting to activate only if piracy is detected, and to be tied to when the software functionality is being exercised. Piracy groups focus on disabling licensing, not on using the software application itself; by leveraging this, reporting can be implemented to avoid detection and allow the software to be distributed through the piracy channel.
• Integration: It’s difficult to add detection and reporting mechanisms to a mature product unless they were designed in from the beginning. In addition, reporting techniques need to be designed to minimize detection by network firewalls and end point software firewalls across different platforms. This normally requires security expertise and focused testing to achieve.
• Data collection and reporting: Simply gathering data from suspected pirated software installs is not enough. Because the data is essentially a lead, it needs to be made accessible and focused on the key businesses using unlicensed software, so that sales and marketing can act upon the information. The information must provide enough data to identify the business, but the collection functionality itself must be constrained to network and environment data on the machine where the software is installed.
• Data filtering: Depending on your organization's legal policies, you may want to filter and exclude certain geographies from data collection. This capability requires a system to centrally evaluate the data, query other data services to determine geographic location, and apply filter rules to redact or exclude data.
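As an illustration of the data collection and data filtering points above, the following is an added sketch (not from any vendor's product) of a central filter that keeps only network and environment fields, resolves a report's location, and then keeps, redacts or excludes the record. The lookup table, country codes "AA"/"BB"/"CC", field names and policy are all constructed assumptions; a real system would query a geolocation service.

```python
import ipaddress

# Constructed stand-in for a geolocation service: documentation address
# ranges mapped to made-up country codes.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "AA"),
    (ipaddress.ip_network("198.51.100.0/24"), "BB"),
    (ipaddress.ip_network("203.0.113.0/24"), "CC"),
]

# Hypothetical policy: collection is limited to network/environment data,
# and each geography is kept, redacted or excluded.
ALLOWED_FIELDS = {"source_ip", "domain", "hostname", "os", "product", "version"}
REDACTED_FIELDS = {"source_ip", "hostname"}
POLICY = {"AA": "keep", "BB": "redact", "CC": "exclude"}

def locate(ip_text):
    """Return the country code for an address, or None if it cannot be resolved."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, country in GEO_TABLE:
        if ip in net:
            return country
    return None

def filter_report(report):
    """Return the record to store, or None when the report must be dropped."""
    country = locate(report.get("source_ip", ""))
    action = POLICY.get(country, "exclude")   # unknown location: fail closed
    if action == "exclude":
        return None
    # Drop anything outside the allow-list before the record is stored.
    kept = {k: v for k, v in report.items() if k in ALLOWED_FIELDS}
    if action == "redact":
        for field in kept.keys() & REDACTED_FIELDS:
            kept[field] = "[redacted]"
    kept["country"] = country
    return kept
```

Reports whose location cannot be resolved are dropped rather than stored, so a gap in the lookup data never results in collection from an excluded geography.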
Intelligent Industry Approaches to Prevent Piracy
Microsoft is aiming to beat a couple of illegal downloaders by offering 2,010 free copies of the new Office 2010 RTM.
The software package is worth a hefty $499 and is set to launch to the general public on June 15. To get budding secretaries and fill-the-blanks salivating, Microsoft has organised a clever little competition called the Microsoft Office Social Media Challenge Sweepstakes. It could have added a few more words to up the search page rankings, but let's not get greedy now.
The competition basically involves Facebook, Twitter, and LinkedIn, three of the most popular social sometimes-but-usually-notworking sites, and requires potential winners to advertise the latest incarnation of Office to all their friends and family.
These challenges will take the form of prompts, which people will have to respond to in a timely fashion. An example given by Microsoft is the prompt of "Share an Office 2010 tip. Be the first person to respond via a ‘tweet’ to @Office with the #Office2010tip tag to win a copy of Office 2010." That's a pretty good way to get thousands of people talking about Office and trending some of Microsoft's hashtags. If it takes off, which it may not.
Microsoft's CEO Steve Ballmer has been rather vocal about software piracy lately, particularly in China, which isn't generating as much revenue as he would like. Giving away free copies of software probably isn't the answer, but at least there's some advertising to be had from it. 2,010 copies is also a rather small number considering how many people use Office, but then with Apple upsetting Ballmer by taking the financial lead the Vole probably has to sell a few copies as well.
NEC Corporation recently announced the development of a video content identification technology that detects illegal copies of video content uploaded to the Internet in a matter of seconds.
This technology generates a fingerprint (video signature) to identify video content then compares video signatures to the signatures of original content in order to detect copies or altered versions. Therefore, altered video content, such as caption overlays, camera captured copies and analog copies, can be quickly and accurately detected.
This new technology enables content holders and service providers to automatically detect illegal copies and prevent illegal upload of video content on the Internet by registering original video content. These developments are expected to significantly reduce the time and cost of manual content inspections as well as improve the scale and accuracy of content assessment.
Video signatures are extracted for each frame based on differences in the luminance between sets of sub-regions on a frame that are defined by a variety of locations, sizes, and shapes. Video signatures represent a unique fingerprint that can be individually detected frame by frame. This technology is capable of accurately detecting video content that was created with such editing operations as analog capturing, re-encoding and caption overlay, which was conventionally very difficult to detect.
By estimating the confidence of the signatures generated from each frame and using that confidence for sequence identification, the technology achieves a high detection rate with a very low false positive rate. These technologies achieved an average detection rate of 96% at a very low false alarm rate of 5 ppm (5 in one million) in tests conducted by the international standardization organization.
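The two paragraphs above describe the idea in words; the following added sketch (a simplified illustration, not NEC's implementation) shows it on constructed frames. The region layout (rectangles only), signature length, quantisation threshold, the use of the median absolute difference as the confidence value, and the match threshold are all assumptions.

```python
import random
from statistics import median

W = H = 32      # constructed luminance frames, 32x32
N_DIMS = 64     # signature elements per frame (assumed)
TH = 8.0        # |difference| below this quantises to 0 (assumed)

def make_region_pairs(n=N_DIMS, seed=1):
    """Fixed pairs of rectangular sub-regions with varied location and size."""
    rng = random.Random(seed)
    def rect():
        h, w = rng.randint(4, 16), rng.randint(4, 16)
        return rng.randint(0, H - h), rng.randint(0, W - w), h, w
    return [(rect(), rect()) for _ in range(n)]

PAIRS = make_region_pairs()

def mean_luma(frame, region):
    top, left, h, w = region
    return sum(sum(row[left:left + w]) for row in frame[top:top + h]) / (h * w)

def frame_signature(frame):
    """Return (ternary signature, confidence) for one frame."""
    diffs = [mean_luma(frame, a) - mean_luma(frame, b) for a, b in PAIRS]
    sig = [0 if abs(d) < TH else (1 if d > 0 else -1) for d in diffs]
    return sig, median(abs(d) for d in diffs)

def sequence_distance(video_a, video_b):
    """Confidence-weighted fraction of differing elements over aligned frames."""
    num = den = 0.0
    for fa, fb in zip(video_a, video_b):
        (sa, ca), (sb, cb) = frame_signature(fa), frame_signature(fb)
        weight = min(ca, cb)    # flat frames (fades, black) carry no evidence
        num += weight * sum(x != y for x, y in zip(sa, sb)) / N_DIMS
        den += weight
    return num / den if den else 1.0   # no evidence at all: treat as no match

def is_copy(video_a, video_b, threshold=0.35):
    return sequence_distance(video_a, video_b) < threshold

# ---- constructed test material ----
def synth_video(seed, n_frames=8, black_lead=2):
    """Black lead-in frames followed by random 4x4-pixel block patterns."""
    rng = random.Random(seed)
    frames = [[[0] * W for _ in range(H)] for _ in range(black_lead)]
    for _ in range(n_frames):
        cells = [[rng.randint(0, 255) for _ in range(W // 4)] for _ in range(H // 4)]
        frames.append([[cells[y // 4][x // 4] for x in range(W)] for y in range(H)])
    return frames

def alter(video, seed=99):
    """Simulate a re-encode: gain/offset change, small noise, caption band."""
    rng = random.Random(seed)
    out = []
    for frame in video:
        new = [[0.8 * v + 10 + rng.uniform(-3, 3) for v in row] for row in frame]
        for y in range(H - 4, H):
            new[y] = [235.0] * W    # opaque caption overlay on the bottom rows
        out.append(new)
    return out

if __name__ == "__main__":
    original, other = synth_video(1), synth_video(2)
    print("altered copy :", round(sequence_distance(original, alter(original)), 3))
    print("unrelated    :", round(sequence_distance(original, other), 3))
```

Because the signature uses differences between region means, a uniform brightness offset cancels out, and the confidence weight keeps black lead-in frames, which look identical in every video, from counting as evidence of a match.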
Looking forward, NEC will further develop this technology in order to provide a variety of applications that establish a content distribution structure where all video rights are respected.
Anti-piracy SaaS will track you – Be Aware
V.i. Laboratories, one of the leading software intelligence solutions providers, recently announced new SaaS-based intelligence reporting capabilities for small and mid-sized ISVs looking to collect and report information on the use and misuse of their products.
Now, software companies can quickly integrate advanced reporting capabilities into their applications to collect data on how and where software is used, what features are most important to customers, and to determine the extent of unlicensed use. The new information can dramatically impact the full product lifecycle, from development, to lead generation, to recouping lost revenue due to software piracy.
Based on V.i. Labs’ Piracy Business Intelligence solution, the Piracy Detection and Reporting service allows small or midsize ISVs bringing new applications to market to detect and quantify the true extent of their piracy problem. ISVs can then leverage the reporting to generate actionable business leads from piracy release distribution and accelerate compliance and revenue recovery efforts.
V.i. Labs now offers an application that gives ISVs deep visibility into actual usage during trial periods of their products. It helps prioritize pipeline opportunities, uncovers the best and fastest revenue potential, accelerates win-rates, and provides data to help in an assortment of other sales, marketing and product management activities. By tracking actual trial use of software, it provides necessary and new information that goes far beyond web site analytics by offering a clear understanding of trial software usage and geographic distribution for strategic marketing initiatives. ISVs can use this information to improve trial conversion rates, prioritize leads, track product feature usage and win-loss ratios.
Using software intelligence to track the use and misuse of software is particularly useful for product managers, engineering teams, licensing and legal departments and marketing personnel. Identifying which features and modules are most valuable, as well as the platforms and software environments in which they are used, can offer important business-decision information to help streamline development and time to market. Insight can be gained into licensing status and how non-compliant companies are using specific products -- including software that has been cracked and distributed -- which can then be turned into actionable leads for recovering revenue. Plus, having the benefit of knowing how geographic adoption is changing and how trial downloads are being used can help drive sales efforts.
Conclusion
There is no solution that can stop software piracy overnight. Prevention strategies need to be assessed carefully for their impact on existing products and customers, and they require sustained investment to continually counter the piracy groups' reverse engineering approaches. Thanks are due to the relentless efforts of industry vendors, who are continuously in search of innovative solutions to prevent piracy. But vendors and solutions alone can’t fight piracy; as consumers, we should also understand the real benefits we can gain from using genuine software.
—By: 'InfoSecurity' Bureau.