5/18/2011
11:04 AM

Schwartz On Security: Developers Battle Piracy Channels

Business Software Alliance report finds widespread software piracy, but experts say market pressures are to blame.

What's the best way for software developers to deal with piracy?

That question is pertinent given last week's release of the 2010 BSA Global Software Piracy Study, which was commissioned by the Business Software Alliance, a trade organization, and conducted by market researcher IDC and Ipsos Public Affairs, a public opinion research firm.

According to the study, which looked at software-usage practices in 116 countries, "the commercial value of software piracy grew 14% globally last year to a record total of $58.8 billion." Given the BSA's members, which include Adobe, Apple, Microsoft, and Symantec, the pirated software in question likely refers largely to personal and productivity applications.

Interestingly, the BSA report found that the most prevalent form of piracy wasn't bootleg copies sold from markets or applications procured via peer-to-peer networks. "The most common way people in developing economies engage in piracy is to buy a single copy of software and install it on multiple computers--including in offices," said the report. "Most PC users believe this practice is legal at home (57% in developing economies and 63% in mature economies), and about half believe it is legal at work (51% in developing economies, 47% overall)."

What's the best way for software vendors to target this lost revenue? For starters, it helps to see software piracy from the standpoint of a consumer--paid up or otherwise. That's because according to a study released earlier this year, which was backed by Canada's Social Science Research Council, "piracy is chiefly a product of a market failure, not a legal one." In other words, piracy most often occurs when people have difficulty procuring legitimate copies of software, or face few legal disincentives.

"The mentality in certain geographies is one of 'we will use it until we are caught,'" Victor DeMarines, VP of products for V.i. Labs, which develops piracy detection and business intelligence tools for independent software vendors (ISVs), said in a telephone interview. "ISVs must realize they are competing with piracy channels as an effective distribution for any type of software, including high-value applications."

Suspecting or knowing there's a problem, however, is only part of the challenge. Indeed, a vendor may suspect that its software is the de facto standard for a region, but won't have the licensees to show for it--"similar to the early days of Autodesk [and its] CEO referencing that 95% of China uses AutoCAD, but we only have one paid license," said DeMarines.

To address that situation, software vendors can increase their distribution, sales team, or legal presence in the target country. In addition, large organizations often have the BSA or existing legal relationships at their disposal, and an amnesty or anti-piracy program that converts pirated software users into paying customers, even for a license fee of a few dollars, can mean a few million dollars in additional revenue.

But such economies and backing, not to mention organizational growth, aren't always available to smaller software vendors, and in some countries, they may simply be out of luck. "Take China. In Hong Kong, you might have better luck. In Taiwan, there are processes there you can manage. Whereas in China, it's all about how much presence you have in the country that will dictate the success you have in the country," said DeMarines. In other words, unless you're a large software vendor, think twice before pursuing piracy enforcement in some countries, such as China.

On the other hand, mature markets also offer potential sources of new revenue. For example, according to the BSA report, the United States shares--with Japan and Luxembourg--the lowest level of software piracy per country, at 20%. But the sheer volume of U.S. users means that the BSA ranks the United States as tops in the overall consumption of pirated PC software. All told, people in the United States used an estimated $9.5 billion in pirated software in 2010, followed by China ($7.8 billion) and Russia ($2.8 billion).

As those piracy levels suggest, at least for smaller U.S. software vendors, turning nonpaying consumers into paid users is a project that may best start close to home.

