To get security news and tips delivered to your inbox, click here to
A satisfactory solution to the business software piracy problem has proven elusive to the software industry. Draconian measures, such as rights management systems or hands-on key management systems, can drive up customer costs in IT administration, while in consumer markets the cost of a single support call can erode all profit margins and may even exceed the price of the product.
The Business Software Alliance issued its sixth annual BSA/IDC Global Piracy Study, placing a worldwide lost business market value of $53 billion due to illegal software, or fully 41% of the global legitimate software market. The BSA is a Washington, DC based organization that behaves like a government lobby, acting on behalf of major vendors to influence federal legislation and conduct education programs on software piracy and intellectual property protection.
The report claims the United States has a relatively low piracy rate of 21% , for a market exceeding $9 billion -- given a U.S. population of more than 300 million this calculates to approximately $30 per year in pirated software for every man, woman and child in the U.S. According to BSA/IDC, the software piracy pandemic exceeds 90% in many countries.
According to the study's methodology, the BSA/IDC numbers include estimates for lost tax revenues and employment opportunities in addition to lost license revenue potential. The estimates feel high, likely to support the BSA mission for government action, but the methodology is openly presented and is consistent for year-over-year comparisons. The report would be stronger if it balanced the existing logic by directly surveying users about pirated software, asking member support organizations for statistics on discovered pirated software rates or even working with the Geek Squad to measure pirated software on PC's under repair. However, even if the actual numbers are only 10% of BSA/IDC findings, business software piracy is still significant and merits action by governments, vendors and enterprises.
Government interdiction is necessary to combat organized high-tech crime. Correlating with the Cisco 2008 Annual Security Report and the Symantec Global Internet Security Threat Report shows the same regions that are leading offenders in software piracy are also leading in malicious attacks for spam, phishing and identity theft. Enforcement of legislation and ethics education of the user community are the most effective practical steps.
Vendors with antipiracy plans have to be careful not to alienate customers or incur large support headaches. Vendors with Software as a Service (SaaS) or subscription approaches can authenticate licenses before delivering the service, denying access to pirated users. Protection against account sharing either by device authentication (41st Parameter, iovation) or keystroke dynamics (AdmitOne, Behaviosec) to protect revenue streams becomes important for these vendors. As a rule, a technology that embeds tags and keys in files leads to technology that removes those secrets. However, antipiracy technology from vendors including Arxan and V.I. Labs may be too costly or impractical to reverse engineer and are worth exploring for certain classes of software.
Enterprises should make it a best practice to audit corporate systems for license compliance. Documented knowledge of actual product usage can save money when negotiating maintenance and upgrade renewals with vendors. Also, a business needs to be sure it can obtain timely support and it is in IT's own best interests to ensure maintenance contracts have not expired. Use software asset management capabilities to know what is running in the enterprise, and to control valid license and maintenance agreements.
Business software piracy will always plague the industry, but its impact can be reduced with a concerted effort by governments, vendors and enterprises. It would be nice to look forward to the tenth edition of the BSA/IDC report several years from now with a piracy rate far below 41%.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to email@example.com.