Vulnerabilities / Threats
5/18/2011
11:04 AM
50%
50%

Schwartz On Security: Developers Battle Piracy Channels

Business Software Alliance report finds widespread software piracy, but experts say market pressures are to blame.

What's the best way for software developers to deal with piracy?

That question is pertinent given last week's release of the 2010 BSA Global Software Piracy Study, which was commissioned by the Business Software Alliance, a trade organization, and conducted by market researcher IDC and Ipsos Public Affairs, a public opinion research firm.

According to the study, which looked at software-usage practices in 116 countries, "the commercial value of software piracy grew 14% globally last year to a record total of $58.8 billion." Given the BSA's members, which include Adobe, Apple, Microsoft, and Symantec, the pirated software in question likely refers largely to personal and productivity applications.

Interestingly, the BSA report found that the most prevalent form of piracy wasn't bootleg copies sold from markets or applications procured via peer-to-peer networks. "The most common way people in developing economies engage in piracy is to buy a single copy of software and install it on multiple computers--including in offices," said the report. "Most PC users believe this practice is legal at home (57% in developing economies and 63% in mature economies), and about half believe it is legal at work (51% in developing economies, 47% overall)."

What's the best way for software vendors to target this lost revenue? For starters, it helps to see software piracy from the standpoint of a consumer--paid up or otherwise. That's because according to a study released earlier this year, which was backed by Canada's Social Science Research Council, "piracy is chiefly a product of a market failure, not a legal one." In other words, piracy most often occurs when people have difficulty procuring legitimate copies of software, or face few legal disincentives.

"The mentality in certain geographies is one of 'we will use it until we are caught,'" Victor DeMarines, VP of products for V.i. Labs, which develops piracy detection and business intelligence tools for independent software vendors (ISVs), said in a telephone interview. "ISVs must realize they are competing with piracy channels as an effective distribution for any type of software, including high-value applications."

Suspecting or knowing there's a problem, however, is only part of the challenge. Indeed, a vendor may suspect that its software is the de facto standard for a region, but won't have the licensees to show for it--"similar to the early days of Autodesk [and its] CEO referencing that 95% of China uses AutoCAD, but we only have one paid license," said DeMarines.

To address that situation, software vendors can increase their distribution, sales team, or legal presence in the target country. In addition, large organizations often have the BSA or existing legal relationships at their disposal, and an amnesty or anti-piracy program that converts pirated software users into paying customers, even for a license fee of a few dollars, can mean a few million dollars in additional revenue.

But such economies and backing, not to mention organizational growth, aren't always available to smaller software vendors, and in some countries, they may simply be out of luck. "Take China. In Hong Kong, you might have better luck. In Taiwan, there are processes there you can manage. Whereas in China, it's all about how much presence you have in the country that will dictate the success you have in the country," said DeMarines. In other words, unless you're a large software vendor, think twice before pursuing piracy in some countries, such as China.

On the other hand, mature markets also offer potential sources of new revenue. For example, according to the BSA report, the United States shares--with Japan and Luxembourg--the lowest level of software piracy per country, at 20%. But the sheer volume of U.S. users means that the BSA ranks the United States as tops in the overall consumption of pirated PC software. All told, people in the United States used an estimated $9.5 billion in pirated software in 2010, followed by China ($7.8 billion) and Russia ($2.8 billion).

As those piracy levels suggest, at least for smaller U.S. software vendors, turning nonpaying consumers into paid users is a project that may best start close to home.


In the new, all-digital issue of InformationWeek: Our 2011 Strategic Security Survey shows increased executive interest in security. Here's what you should do next. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4692
Published: 2015-07-27
The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.

CVE-2015-1840
Published: 2015-07-26
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space cha...

CVE-2015-1872
Published: 2015-07-26
The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via craft...

CVE-2015-2847
Published: 2015-07-26
Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authentication involving JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream.

CVE-2015-2848
Published: 2015-07-26
Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo Touch before 5.2.19.0_VA allows remote attackers to hijack the authentication of arbitrary users for requests associated with home-automation commands, as demonstrated by a door-unlock command.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!