What's the Right Amount of Copy Protection? 561

WPIDalamar writes "I'm currently working on a piece of commercial software that will be available through a download and will use a license key to activate it. The software is aimed at helping people schedule projects and will be targeted mostly to corporate users. With the recent Windows Vista black screen of death, it got me thinking about what sort of measures I should go through to prevent unauthorized users from using the software. While I don't wish to burden legitimate users, I do want to prevent most piracy. How much copy protection is appropriate? Is it acceptable for the software to phone home? If so, what data is appropriate to report on? The license key? Software version? What about a unique installation ID? Should I disable license keys for small amounts of piracy, like when there's 3 active installations of the software? What about widespread piracy where we detect dozens or hundreds of uses of the same license key? Would a simple message stating the software may be pirated with instructions on how to purchase a valid license be sufficient?"
  • by pla ( 258480 ) on Wednesday September 12, 2007 @05:38AM (#20569125) Journal
    Is it acceptable for the software to phone home?

    As a member of a small corporate IT department, I can tell you that (except for Microsoft itself), software phoning home for anything other than updates means instant banning of your product.



    If so, what data is appropriate to report on? The license key?

    If you insist on going down that path, what information would really help you reduce piracy? Keep in mind that, merely during the initial evaluation of your software, the same license may get used a dozen times without any intended piracy... "Yup, works on XP. Yup, works on 2k... Oops, blows a gasket on 98... Doesn't seem to like server versions...".



    Should I disable license keys for small amounts of piracy, like when there's 3 active installations of the software? What about widespread piracy where we detect dozens or hundreds of uses of the same license key?

    That gets tricky... IANAL, but only the big boys like Microsoft can get away with that BS. If you try it, you should probably prepare to get sued.

    Now, you do have one chance to block it - At installation. Even I'll allow (grudgingly) most products a one-time online activation. If at that time you deny activation and give an EASY way to contact you to resolve the problem (you can expect them to lie, and should probably just give them a new code, but it might serve as a reminder to the users that they shouldn't make too many more copies), okay, fair game. After-the-fact, though? You'll just piss legitimate users off.
  • Re:None at all (Score:1, Informative)

    by Anonymous Coward on Wednesday September 12, 2007 @05:43AM (#20569149)
    Some examples of companies which are successful and include no copy protection:

    - Mysql, Trolltech (they both rely on open source software, and they're still alive).
    - Paradox Entertainment (no copy protection on their software at all, and they're successful). I've got the impression they support their community quite well. And I'm already looking for a shop where I can get Europa Universalis 3.

    Anybody got more examples?
  • by burnttoy ( 754394 ) on Wednesday September 12, 2007 @05:53AM (#20569209) Homepage Journal
    Spot on - I know plenty of people who use PCs (usually laptops) in their music and/or art studios who never connect those machines to the internet... EVER! The muso types will often strip back everything on a PC leaving a bare OS + drivers + sampler/sequencer + ASIO drivers. It's all they need and they believe they get better performance and more security without it.

    I also know, and have worked for, companies where information is so secret (mission critical biz stuff or military) that you have to use a provided laptop in a room with no windows that's shielded from radio waves... paranoid, yes, but "phone home" software is simply not an option in that case. Also, no phones were allowed in that room so manual "phone home" wouldn't have been possible.

    Also, some of us are so paranoid that we don't let anything in/out of our firewalls except our browser application. Mind you, I can still use the interweb and I've never been trojan/virused... except this damn cold I seem to have but I can't blame the internet for everything!
  • Re:None at all (Score:2, Informative)

    by Goldberg's Pants ( 139800 ) on Wednesday September 12, 2007 @05:58AM (#20569233) Journal
    My recommendation would be Elicense or similar.

    With Elicense, you get an order ID. You enter that, it contacts their server and "unlocks" the software. You can choose how many installations are allowed as well. For example I have a few games that use it that come with two licenses, so you can run it on two computers. Another title only gives you one.

    The install is painless (it installs a license control service that in many years of using I've never had any sort of issue with), and it stops a LOT of piracy. It IS possible to "unwrap" the executable, but of all the Elicense protected software I've used, I've only ever seen one game cracked. (Ironically it is the most obscure of the ones I own.)

    I am vehemently opposed to DRM, copy protection, call it what you will, but I find Elicense extremely inoffensive due to its ease of use. DRM should not impact legitimate consumers, and this one is the only one I've come across that has never caused me any sort of negative experience.
  • FlexLM (Score:3, Informative)

    by Colin Smith ( 2679 ) on Wednesday September 12, 2007 @06:29AM (#20569425)
    License management software. Very common.

     
  • gentle reminders (Score:4, Informative)

    by devonbowen ( 231626 ) on Wednesday September 12, 2007 @06:51AM (#20569569) Homepage
    A while back I wrote an app that was key activated. The key had two components. The first was the name of the person that it was sold to (from the credit card) and the other was a hash of that name, the version number, etc. The user needed to enter both in order for it to work. (And the two needed to match, of course.) My thinking was that using the name in plain text would make it personal and encourage the user to not give it away while still allowing them to do what they thought was reasonable (running on both a laptop and desktop, for example). Basically, a gentle reminder to help honest people stay honest. The dishonest people are just going to hack your binaries anyway.

    Devon
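
An added example, not part of the thread and not devonbowen's code: one way a name-bound key like the one described above can be issued and checked offline. The HMAC construction, the secret, the key format and the function names are assumptions; the post only says the second component is a hash of the name, the version number, etc.

```python
import base64
import hashlib
import hmac
import unicodedata

# Constructed sample secret (assumption). The verifier ships inside the
# product, so a hash or HMAC secret can be recovered from the binary; a
# public-key signature would keep the issuing key off the client.
VENDOR_SECRET = b"constructed-sample-secret"


def normalize_name(name: str) -> str:
    """Canonicalize the purchaser name so case and spacing do not matter."""
    name = unicodedata.normalize("NFKC", name)
    return " ".join(name.split()).casefold()


def issue_code(name: str, major_version: int) -> str:
    """Second key component: a MAC over the plain-text name and the version."""
    msg = f"{normalize_name(name)}\x00{major_version}".encode("utf-8")
    tag = hmac.new(VENDOR_SECRET, msg, hashlib.sha256).digest()[:10]  # 80 bits
    code = base64.b32encode(tag).decode("ascii")  # 16 characters, no padding
    return "-".join(code[i:i + 4] for i in range(0, 16, 4))


def verify(name: str, code: str, major_version: int) -> bool:
    """True only if the typed name and code match for this version."""
    cleaned = code.replace("-", "").replace(" ", "").upper()
    expected = issue_code(name, major_version).replace("-", "")
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(cleaned.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    key = issue_code("Pat Example", 2)  # constructed purchaser name
    print(key, verify("pat  example", key.lower(), 2), verify("Pat Example", key, 3))
```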
  • Re:None at all (Score:1, Informative)

    by Anonymous Coward on Wednesday September 12, 2007 @06:52AM (#20569577)
    Stardock's Galactic Civilisations 2 [galciv2.com]:

    No CD copy protection. Once you install, you never need your CD again. You can even use the included serial # to re-download the entire game from us years from now.
    It got very good reviews too, definitely worth a look if you're into deep strategy.
  • by inflex ( 123318 ) on Wednesday September 12, 2007 @07:16AM (#20569737) Homepage Journal
    Well, that pretty much summed up everything I could have said. The first few times I encountered people who insisted they paid 100% price for each and every licence completely shocked me - of course, that was a long time ago and I'm more than happy to have them roll up for more sales :D

    Well done.
  • by WPIDalamar ( 122110 ) on Wednesday September 12, 2007 @07:39AM (#20569877) Homepage
    Thanks for all the comments everyone. I've been reading through them and have some ideas. Here's a scheme I had been considering that might address some of the concerns brought up.

    1) Upon purchase, user gets a license key.
    2) When installing, the software generates a random (somewhat) unique installation id
    3) The license key is checked locally, with no net connection required.
    4) Upon app startup, if there's an internet connection, the software phones home with the software version, the license key, and the installation ID
            The phone-home also gives a version-check to let the user know about any updates.
    5) We log the license key and installation ID

    Someday, we do some data analysis and find any license keys with a large number (maybe 5, maybe dozens, not sure) of installation IDs. The data analysis should look for interwoven log records of installation ID, because the user might have uninstalled it on one machine, and installed it on another. Then a person (not automated process) would get a report and be able to investigate and flag certain keys as compromised.

    What happens next?

    Do we cause the software to stop functioning? (I don't like that)
    Do we cause the web service-portion to stop functioning? (I don't like that either)
    Do we pop up a window saying, "SOFTWARE PIRACY DETECTED!! YOU ARE GOING TO JAIL IF YOU DON'T STOP!"
    Do we pop up a window saying, "Hey, this might be pirated. Go to http://xxxxx/ [xxxxx] to purchase additional copies"
    Maybe the software does nothing, and we deal with it through customer support. A friendly email to the original purchase agent?

    I guess the goal is to make honest people stay honest. As many have pointed out, it will be impossible to prevent someone who REALLY wants to pirate the software.
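
An added example, not from the thread: the log analysis described in the post above, separating a key that moved from one machine to another from a key whose installation IDs are interwoven. The record layout, the sample data, the threshold and the function names are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample log: (day, license key, installation ID).
LOG = [
    (date(2007, 9, 1), "KEY-A", "inst-1"),
    (date(2007, 9, 5), "KEY-A", "inst-1"),
    (date(2007, 9, 9), "KEY-A", "inst-2"),   # uninstalled, moved to a new machine
    (date(2007, 9, 12), "KEY-A", "inst-2"),
    (date(2007, 9, 1), "KEY-B", "inst-7"),
    (date(2007, 9, 2), "KEY-B", "inst-8"),
    (date(2007, 9, 3), "KEY-B", "inst-9"),
    (date(2007, 9, 4), "KEY-B", "inst-7"),   # interwoven with inst-8 and inst-9
    (date(2007, 9, 6), "KEY-B", "inst-8"),
    (date(2007, 9, 7), "KEY-B", "inst-9"),
]


def peak_concurrent(records):
    """Per key: (distinct installation IDs, most IDs active at the same time)."""
    spans = defaultdict(dict)  # key -> installation ID -> [first seen, last seen]
    for day, key, inst in records:
        span = spans[key].setdefault(inst, [day, day])
        span[0], span[1] = min(span[0], day), max(span[1], day)
    result = {}
    for key, insts in spans.items():
        # Sweep line: a span opens at first sighting and closes at the last one.
        # Opens (0) sort before closes (1) on the same day, so touching spans overlap.
        events = sorted([(s, 0) for s, _ in insts.values()] +
                        [(e, 1) for _, e in insts.values()])
        live = peak = 0
        for _, kind in events:
            live += 1 if kind == 0 else -1
            peak = max(peak, live)
        result[key] = (len(insts), peak)
    return result


def review_report(records, threshold=3):
    """Keys for a person to look at; nothing is disabled automatically."""
    stats = peak_concurrent(records)
    return sorted(k for k, (_, peak) in stats.items() if peak >= threshold)


if __name__ == "__main__":
    print(peak_concurrent(LOG), review_report(LOG))
```

A reinstall that generates a fresh ID, or an old machine switched back on after a move, also shows up as overlap, which is why the output is a review list rather than an enforcement decision.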

  • Re:None at all (Score:4, Informative)

    by mce ( 509 ) on Wednesday September 12, 2007 @08:14AM (#20570139) Homepage Journal

    ... that stays on the system after uninstalling the first piece of software (How else could it work, if you have multiple pieces of software that uses it?), and, as you say service, I assume it runs while the original piece of software is not.

    You obviously have no clue what you are blabbering about. There is no reason whatsoever why you can't have multiple independent products protected by the same third party mechanism without linking said products together. I know, because I've done it.

    In short: Nobody interested in anti-pirating wants the licensing to be in a dedicated dll, since those are easy to locate, break, and replace. Licensing code should always be fully merged into a key component of the product you're protecting and as such be "invisible". That automatically means that you can have multiple copies of it that are not aware of each other and that are automatically uninstalled together with the product they protect.

  • Re:None at all (Score:3, Informative)

    by morgan_greywolf ( 835522 ) on Wednesday September 12, 2007 @08:35AM (#20570365) Homepage Journal
    I do. And I hate these things. At any place that I've worked that uses these background daemons to control licensing, due to the proliferation of various similar programs, we've had to run a special license server -- and usually more than one. FlexLM, LUM, proprietary license solutions, etc., with multiple daemons usually. A typical box might run 25 different license processes. And management is usually a big PITA, because these processes almost always break in some way sooner or later.
  • by IndustrialComplex ( 975015 ) on Wednesday September 12, 2007 @08:49AM (#20570517)
    One of my first assignments was to configure a database for a product demonstration. I had to do it outside of my home country and the software/customer could not provide a connection to the internet to the server.

    One of the pieces of software required a connection to do its activation. No phone or snail mail supported. It was so backwards where we had a tech from the software company online and they didn't know how to activate the software w/o an internet connection. We had to wait for them to send us a patch disk that included the activation files.
  • Re:None at all (Score:1, Informative)

    by Anonymous Coward on Wednesday September 12, 2007 @08:57AM (#20570623)

    FlexLM is a joke. We used to have node locked licences for a number of compilers and other tools. To FlexLM, node locked meant tied to the hard disk volume ID, which was also present in the licence files in clear text.

    The problem was that every so often, someone's computer would get replaced (upgrade/malfunction etc...) and after reinstall, none of the FlexLM locked tools would work. Understandable - FlexLM was 'working', but a major PITA as it would take a couple of days to get licences re-issued from the distributors. Some distributors would also only allow a licence to be reissued once a year, complicating the matter on a number of occasions. At one time, all systems in the company were upgraded/refreshed, meaning almost 400 licences would need re-issuing.

    We got bored with re-licensing very quickly, so decided to use volumeid [microsoft.com] to change the HDD IDs to match licences. After a reboot, FlexLM knew no difference and we could get on with work.

    The 'node locked' mode of FlexLM is so utterly retarded. Waste of time.

  • Re:None at all (Score:3, Informative)

    by morgan_greywolf ( 835522 ) on Wednesday September 12, 2007 @09:17AM (#20570875) Homepage Journal
    Don't know what version of FlexLM you used, but every version I've used does nodelocked licenses by tying to a machine's 'lmhostid', which typically matches the MAC address on the machine's first Ethernet card. Hardly unique, to be sure, but AFAIK, faking the MAC address with software doesn't work (but changing it using firmware that allows the MAC to be changed does.)

  • Re:None at all-Money (Score:2, Informative)

    by Homr Zodyssey ( 905161 ) on Wednesday September 12, 2007 @11:24AM (#20573357) Journal

    Well if they were all that then people would be using them instead of Winzip in the first place?

    They are all that. People aren't using them in the first place because of the 'MindShare' aspect that you mentioned.

    Spending money on a free version? Perish the thought.

    The GP was right. I've now worked at two large corporations and one small one that all had site licenses to WinZip. They install them on all desktop systems automatically. Most large corporations have policies in place such that pre-installed software must be licensed. This is for audit reasons and so they can claim support if they need to.

    I, of course, promptly uninstall it from my machines and replace it with 7-Zip. Last time I checked, Winzip still didn't handle several major file-types (like RAR).

  • Re:None at all (Score:1, Informative)

    by Anonymous Coward on Wednesday September 12, 2007 @12:42PM (#20574841)
    One counterpoint. I once worked for a small game developer. Our 3D artists used various pieces of software protected by dongles and other methods of copy protection. We purchased licenses for all users of the software, but making all the copy protection stuff behave was a nightmare. The dongles would interact with each other and programs would "de-register" themselves on a regular basis making it impossible for people to work.

    The solution? We tossed the dongles in a drawer and downloaded cracked versions of the programs. Everything worked fine. The EXTENSIVE copy protection on these programs accomplished NOTHING except making it tough for us to use the software we'd paid for.
  • by Anonymous Coward on Wednesday September 12, 2007 @05:09PM (#20579207)
    It's called a lie. (Laser Induced Error) If a specified track/sector on the disk returns an expected error, then do the next valid step; otherwise operate as if it's a pirated copy and quit working properly.

    Many software titles from the late 80's and early 90's used this method of copy protection. With CD installations and later downloaded installations, this method was no longer feasible.
  • by weave ( 48069 ) on Wednesday September 12, 2007 @07:55PM (#20581165) Journal
    My users often steal dongles, sometimes just to be pricks. As for servers, I try to virtualize as much as possible. Dongles complicate that, or often don't work in that situation.
