Why Software Activation Sucks: The Elasticity of Piracy
Software piracy has been around since probably about an hour after the first commercial software license. It's a problem that frustrates software vendors, and in recent years they have sought to neutralize this nuisance.
In the realm of software piracy, there are at least three kinds of pirates.
are the evil-doers that we can all hate. They pirate software with intent to resell. They are the truly evil pirates that we ALL can agree that we need to rid the world of. Blackbeard pirates are often found in places like China.
are those that pirate software for their own use when they could and should be legitimate. They have a true need to use the software. In other words, the software has real value to them. If the software was taken away from them, they would lash back, and retrieve it without a moment's hesitation. For these pirates the elasticity of the pirated software is relatively inelastic
Finally, Yellowbeard pirates
are those that pirate software for their own use but the value of the software to them is not the same as Redbeard pirates. Their piracy is more of opportunity than evil or greed. If the software was taken from them, they might not have any adverse affects. For these pirates the softare is VERY elastic
. You would tend to find poor college students in this category.
Suppose that there were a magic way for software vendors to prevent 100% of software piracy, and it didn't cost them anything to implement. In effect the price of the software would go from being $0.00 (pirated) to some retail or discounted retail price. What would happen?
With piracy gone, everyone would fall into one of two camps: a legitimate paying user, or a non-user of the software.
Because of the inelasticity of the Redbeard pirates, they would be forced to buy the software. The story for the Yellowbeards is quite different. Because of the high elasticy for them, the increase in price would make them choose to do without the software.
The Blackbeard pirates would cease to exist since they were never users of the software, but rather resellers. The customers of the Blackbeard pirates however, would follow the path of either the Redbeard or Yellowbeard pirates becoming paying uers, or non-users respectively.
Clearly post-piracy Yellowbeards are of no benefit to software vendors since they won't be buying the software, even after piracy is stamped out. It's the Redbeard pirates that the software vendors are after. Every Redbeard that can be converted represents another sale and increased revenue.
The question then becomes, what percentage of the pirates are Redbeards and what percentage are Yellowbeards? The answer is ... we don't know, but it is an important question to ask. With zero cost to implement this magic way to prevent piracy, even one Redbeard means it would be worth it to implement.
Problems With The Supposition
The problem with the forementioned supposition is twofold.
- There is no magic way to prevent 100% of piracy
- There does not exist a zero cost anti-piracy implementation.
I would hope that statement #1 would be unanimously agreed upon, but an argument would go something like this:
- Postulate #1 There will always exist some bad people in the world.
- Postulate #2 Nothing is 100% secure.
The claim that there does not exist a zero cost anti-piracy implementation may require further discussion. Any attempt to thwart piracy comes at some cost, either to the vendor (internally) or the legitimate buyer (externally), but usually both.
The Costs of Anti-Piracy Implementations
All current copy protection technologies (such as SecuROM and SafeDisc) must be licensed by the software vendors. Even if they choose to develop their own copy protection, that will still have a price tag attached to it.
Anti-piracy implementations almost always have some cost to the legitimate user. These range from having to enter long cumbersome CD keys, to product activation, to having to have the CD in the CD-ROM drive before you can use the software. Let us consider the cost to the vendor (CtV
), cost to the consumer (CtC
), and power of prevention (PoP
) of these anti-piracy implentations:
Minimal. Devise an algorhythm for a valid set of codes.
Minimal, but still there. Only need it when installing product.
Almost non-existant for non-Inernet required applications. Small to medium otherwise.
I never understood CD keys. They are pointless or non-Internet multiplayer games. A single valid key would work for all installations, and how hard is it to gain access to a single valid CD key? For Internet multiplayer games, one only needs to get their hands on a CD key generating program.
CD in the CD-ROM Requirement
Low to Medium. License from SecuROM, SafeDisc, or others.
Medium. Users must swap out CD's to play a different game.
Low. Bit-level disc buring programs easily overcome this.
Requiring the CD to be in the CD-ROM drive always frustrated me too. There will always be low-level bit-level CD copiers, so that one can pirate an exact copy of a legitimate CD. Supporting postulate #2 (Nothing is 100% secure), I ripped an image of my favorite CD game and use a free CD ghost program to fool the game into thinking that the CD is in a CD-ROM drive. The game loads much faster, and I don't have to find it whenever I want to play the game. Under the DMCA
that makes me a criminal, even though I bought the CD.
Low to Medium. Requires dedicated servers, bandwidth and/or personnel to activate products.
Low to Medium. Users must activate product after installation.
Medium to High. Much more difficult to overcome.
Vendors seem to have found the Holy Grail with product activation. The cost to both consumers and themselves is relatively low, and the power to prevent piracy is relatively high. The problems with activation are less obvious, but they are very real. The main arrow to the heart of product activation is the volume license version. Most of the big players like Microsoft, Adobe, and others have a volume license version of their software for enterprise customers. While these versions typically require specific CD keys to unlock, there is usually no activation required. While there may be big penalties for violating an enterprise license agreement, pirates don't care; they're pirates! (See Postulate 1
). The mere existence of these versions renders the usefulness of activation paralyzed. Which version do you think pirates will get their hands on?
Problems With Product Activation
There's nothing to compel the vendor to activate a user's software
Once the user has consumed his one or two automatic activations, he is at the mercy of the vendor to respond in a timely manner, or even to respond at all. You may be thinking "what company in its right mind would do that to their customers?" Companies don't have minds; they have bottom lines. How hard would it be for them to say "we no longer support that version"? If they can't reactivate, then they will just have to pay for an upgrade, right? I haven't personally encountered this situation yet, but you can count on it happening at some time in the future. I have
encountered the problem of a vendor not responding in a timely manner thus rendering my paid-for licensed software to be inoperable for two weeks. More on that here
. Finally, one might assume that the software vendor is legally bound to activate your product. Even so, they may drag their feet or even choose to stonewall. How much justice do you think Joe six-pack can afford vs. the corporate lawyers of giants like Microsoft and others?
What if the vendor goes belly up?
You buy software that requires activation. The vendor goes bankrupt. You try to install your software on your new PC, and it requires activation. You try to activate, but there is nobody on the other end. You're knockin', but nobody's home. You are left out in the cold with useless inoperable sofware.
Adobe's answer to this problem
should be mandatory by all vendors who use activation.
Q: Will I be able to use the software in perpetuity? What happens if Adobe shuts down?
A: Adobe's Product License Agreements typically grant the user of an Adobe product the right to use it in perpetuity. Adobe plans to honor these agreements. In the unlikely event of the company's shutting down, we will enable automatic approval of all activation requests or provide other technical means allowing users to continue using our products.
So What's The Solution?
Well, the soution is .... umm, I don't know. Why spend all this time writing an article complaining about problems for which you have no solution? While I don't have a total solution, I do at least have suggestions on how to move in the right direction.
Reconsider Activation All-Together
To say that "Piracy costs vendors money" is an inexact statement. Blackbeard and Redbeard piracy may cost vendors money, but Yellowbeard piracy does not. Also consider that a Yellowbeard pirate will not necessarily become a Redbeard or Blackbeard pirate. Many times they will become a legitimate customer. I was (dare I say it) a Yellowbeard pirate when I was in college. Even the steep academic discounts weren't enough for me. Over the years however, I've spent thousands of dollars on buying software including various versions of Windows, Office, Photoshop, and countless games.
If I were in college today facing activation of Windows XP, and now the prospect of not being able to get updates, there would be a good chance that I would become a Linux user. As it was, I was able to Yellowbeard pirate Windows (3.1) and got comfortable with it. Since then, Microsoft has received hundreds of dollars from me for Windows 95 to Windows XP. If/when the Yellowbeard becomes a legitimate customer, the question is whose customer, your locked-down product, or your competitors' pirate-friendly product?
Don't get me wrong. I'm not advocating piracy, but it is a fact of life. It should be dealt with, but in an intelligent way. Carefully consider the costs and benefits of activation. Have your profits risen dramatically since you implemented activation? Has your customer satisfaction? Have you heard of TurboTax? In 2003, Intuit reversed its standing on TurboTax activation
Automate / Recycle Activation
OK, so I can't convince you to remove activation. How about reducing the frustration factor for legitimate customers while still dealing a big blow to Blackbeard pirates? Periodically reset the activation counter for your customers. For example, every 6 months or so, reset the activation counter to allow for one additional automatic activation without the user having to phone in. The Blackbeard pirate loses here because he can't sell just one key to hundreds of his customers. Only the first 1 or 2 are able to activate. Of course 6 months later someone else could activate, but now you are trickling at the rate of 2 per year, rather than hemorrhaging hundreds or thousands per month.
This idea is very much like the password lockout time feature in MS Windows Server. After say 5 unsuccessful attempts to login, lock out the account for say 15 minutes. Then the user knows he can attempt to login again in 15 minutes without the helpdesk having to intervene. Sure, a hacker can still try to brute force into their account, but now only at a rate of 20 attempts per hour. It would take a long time for the hacker to get in, but the user isn't inconvenienced very much. You must learn to achieve balance.
By no means is product activation the end-all Holy Grail of anti-piracy. Continue to seek new ways to thwart piracy. Just be sure consider not only your internal costs, but also the external costs and burdens to your legitimate customers. You can only burden your customers so much before they become someone else's customers.
Piracy is a real problem. Software vendors not only have the right
to fight against it, they should
fight against it, however any and all attempts to battle this beast should be well thought out, and carefully scrutinized before execution in order to minimize friendly fire.
Tangent Rant on Vendor's (Lack of) Responsiveness on Activating Software
In December 2001 I bought CuteFTP Pro 2.0 from Globalscape. Over the years however, I have bought many new computers and reinstalled my OS several times. In November 2004 when I did yet another rebuild, I was unable to activate my legitimate copy of CuteFTP Pro 2.0. After going to the website and reading the support pages, I followed its suggestions. I was still unable to activate my copy. I emailed support, and of course got the automated reply telling me to do exactly what I had already done. After battling it out for a couple of weeks with support, I finally got a "human" reply. It was as follows:
I have increased your registration limit. Please try to register again.
We've made lots of great improvements to CuteFTP Pro since CuteFTP Pro 2 was
released in 2001. The current version is CuteFTP 6 Professional. For more
information about CuteFTP 6 Professional or to upgrade online please visit here:
In other words, my legitimate copy of their software was totally cut off until they manually increased my registration (activation) limit.
In this case the vendor did the right thing, but what if they didn't? They had me by the balls, and I would be powerless to stop them.