Vulnerabilities / Threats
5/18/2011
11:04 AM
50%
50%

Schwartz On Security: Developers Battle Piracy Channels

Business Software Alliance report finds widespread software piracy, but experts say market pressures are to blame.

What's the best way for software developers to deal with piracy?

That question is pertinent given last week's release of the 2010 BSA Global Software Piracy Study, which was commissioned by the Business Software Alliance, a trade organization, and conducted by market researcher IDC and Ipsos Public Affairs, a public opinion research firm.

According to the study, which looked at software-usage practices in 116 countries, "the commercial value of software piracy grew 14% globally last year to a record total of $58.8 billion." Given the BSA's members, which include Adobe, Apple, Microsoft, and Symantec, the pirated software in question likely refers largely to personal and productivity applications.

Interestingly, the BSA report found that the most prevalent form of piracy wasn't bootleg copies sold from markets or applications procured via peer-to-peer networks. "The most common way people in developing economies engage in piracy is to buy a single copy of software and install it on multiple computers--including in offices," said the report. "Most PC users believe this practice is legal at home (57% in developing economies and 63% in mature economies), and about half believe it is legal at work (51% in developing economies, 47% overall)."

What's the best way for software vendors to target this lost revenue? For starters, it helps to see software piracy from the standpoint of a consumer--paid up or otherwise. That's because according to a study released earlier this year, which was backed by Canada's Social Science Research Council, "piracy is chiefly a product of a market failure, not a legal one." In other words, piracy most often occurs when people have difficulty procuring legitimate copies of software, or face few legal disincentives.

"The mentality in certain geographies is one of 'we will use it until we are caught,'" Victor DeMarines, VP of products for V.i. Labs, which develops piracy detection and business intelligence tools for independent software vendors (ISVs), said in a telephone interview. "ISVs must realize they are competing with piracy channels as an effective distribution for any type of software, including high-value applications."

Suspecting or knowing there's a problem, however, is only part of the challenge. Indeed, a vendor may suspect that its software is the de facto standard for a region, but won't have the licensees to show for it--"similar to the early days of Autodesk [and its] CEO referencing that 95% of China uses AutoCAD, but we only have one paid license," said DeMarines.

To address that situation, software vendors can increase their distribution, sales team, or legal presence in the target country. In addition, large organizations often have the BSA or existing legal relationships at their disposal, and an amnesty or anti-piracy program that converts pirated software users into paying customers, even for a license fee of a few dollars, can mean a few million dollars in additional revenue.

But such economies and backing, not to mention organizational growth, aren't always available to smaller software vendors, and in some countries, they may simply be out of luck. "Take China. In Hong Kong, you might have better luck. In Taiwan, there are processes there you can manage. Whereas in China, it's all about how much presence you have in the country that will dictate the success you have in the country," said DeMarines. In other words, unless you're a large software vendor, think twice before pursuing piracy in some countries, such as China.

On the other hand, mature markets also offer potential sources of new revenue. For example, according to the BSA report, the United States shares--with Japan and Luxembourg--the lowest level of software piracy per country, at 20%. But the sheer volume of U.S. users means that the BSA ranks the United States as tops in the overall consumption of pirated PC software. All told, people in the United States used an estimated $9.5 billion in pirated software in 2010, followed by China ($7.8 billion) and Russia ($2.8 billion).

As those piracy levels suggest, at least for smaller U.S. software vendors, turning nonpaying consumers into paid users is a project that may best start close to home.


In the new, all-digital issue of InformationWeek: Our 2011 Strategic Security Survey shows increased executive interest in security. Here's what you should do next. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4403
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.ph...

CVE-2012-2930
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers...

CVE-2012-2932
Published: 2015-04-24
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the (1) selitems[] parameter in a copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/...

CVE-2012-5451
Published: 2015-04-24
Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.

CVE-2015-0297
Published: 2015-04-24
Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methos via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.