What's the Right Amount of Copy Protection?

WPIDalamar writes "I'm currently working on a piece of commercial software that will be available through a download and will use a license key to activate it. The software is aimed at helping people schedule projects and will be targeted mostly to corporate users. With the recent Windows Vista black screen of death, it got me thinking about what sort of measures I should go through to prevent unauthorized users from using the software. While I don't wish to burden legitimate users, I do want to prevent most piracy. How much copy protection is appropriate? Is it acceptable for the software to phone home? If so, what data is appropriate to report on? The license key? Software version? What about a unique installation ID? Should I disable license keys for small amounts of piracy, like when there are 3 active installations of the software? What about widespread piracy where we detect dozens or hundreds of uses of the same license key? Would a simple message stating the software may be pirated with instructions on how to purchase a valid license be sufficient?"

  • by Draconix ( 653959 ) on Wednesday September 12, 2007 @05:30AM (#20569085)
    A license key is enough to discourage the casual pirate (custom encryption and multiple variables help, such as name + password instead of just password) while, from my experience, not being enough to discourage regular users. Entering a key once and not worrying about it ever again is normal enough, and not bothersome. Going beyond that is asking for some glitch to cause legit customers to be calling you up to ask what the hell just caused their copy of your software to invalidate, or why they can't install it on their new computer, etc. Most importantly, it will also encourage people to crack your protection, thus making the pirate version more appealing to the end user.
  • by dargaud ( 518470 ) <[ten.duagradg] [ta] [2todhsals]> on Wednesday September 12, 2007 @05:37AM (#20569123) Homepage
    I worked with equipment that was 3000+km and 10 months away from the closest internet connection, so anything that requires a net-activated key is an absolute no-no. We are still using Win2K for that purpose, and more Linux all the time (although you have to select a distro that won't try to download itself all over again once a week).

    You don't need to go this far: I spent the last 3 weeks on the road with my laptop: Matlab ceased to function as soon as the license key manager got out of touch of the license server. I hate that macromedia shit.

  • Do unto others (Score:3, Interesting)

    by TheLink ( 130905 ) on Wednesday September 12, 2007 @05:44AM (#20569157) Journal
    As you would have them do unto you.

    FWIW, I think license keys are fine. But phoning home is not a good idea.

    If you can link a license key to a mailing address or email address then that's good (could be yahoo mail doesn't matter - it's a matter of getting some stats).

    If you're planning to have future versions of your software then you might as well decide on how upgrades and patching are to be done - key upgrades, discounts etc :).

  • Re:None at all (Score:5, Interesting)

    by lukas84 ( 912874 ) on Wednesday September 12, 2007 @05:48AM (#20569179) Homepage
    I disagree, even though just on a tiny bit.

    Businesses tend to purchase software they need, yes, but extending of software licenses is often overlooked.

    e.g. they buy 5 licenses of your software. A year later, a team member is added to the team using said software. Now there are 6 users. Over time, many more people than the original number of licenses will use the software.

    This doesn't happen in all Businesses, but the smaller the more often.

    A good idea would be to add "soft activation". This means customers have to activate your software, and the number of currently active machines is counted. Deactivating machines should be done by running a simple tool that removes the software and decrements the activation count on the server. Activation should never fail (even if the activation server is unreachable), but the customer should be reminded if he is running unlicensed software. This way, you can make sure that users don't mistakenly use too many licenses.

    Criminal elements will of course find ways around this, so I wouldn't bother with making the activation process very secure - it's essentially just a license counter for your honest customers.

  • by otter42 ( 190544 ) on Wednesday September 12, 2007 @05:48AM (#20569181) Homepage Journal
    Who was it that said to always make sure to leave a spot in the fence where children could sneak through? P.T. Barnum, perhaps? The point is, people used to understand and accept that a certain amount of "losses" will occur, and that sometimes these "losses" are in fact good for profits, by driving more paying customers to the business. It's only recently that we've evolved the technology and capabilities to ensure that EVERY person gets charged for EXACTLY what they consume. As if we could even know that for sure...

    Don't apply macro-laws (movement of fluids) to micro situations (individual molecules in a fluid). Focus on the macro violations-- widespread corporate use without a license-- but let the little people slip through the cracks. Those of us who install and forget, and never really get much use out of the program anyway, are very unlikely to buy the program in the first place.

    Explaining to people how to pirate but appealing to their goodwill might go a little far, though. I would report only the serial numbers used in the registration, along with the IP address that contacts your server (not the IP address of the machine itself). The rest of the information is None Of Your Business (TM). Try to find a happy medium between accepting a couple copied serial numbers in the wild, and noticing that a large number of computers coming from similar IP addresses are using the same serial number.

    Definitely do NOT disable the program if it cannot phone home. I *hated* that about Bioshock, when my crappy firewalled network made it almost impossible for me to activate the software. Since you're aiming at corporate networks, you're certain to have lots of people with this problem.

    Good luck with it.

    PS: What are the current laws on downloading a program and using a serial number to unlock it? We all know that EULAs have yet to be proven in court, with many cases existing that both support and reject EULAs. So is there a clear case where it's illegal to use a serial number to unlock freely given content?
  • by Anonymous Coward on Wednesday September 12, 2007 @06:07AM (#20569281)

    You can make tons of money on service contracts.
    Spoken like somebody who has never run a software development company.

    The fact is most companies will not make tons of money on support. If people are not willing to pay for the software up front, they are not willing to pay for support. I will take my former employer as an example. They purchased one copy of RHEL and had a support contract in place for that one copy. They installed it on over 200 machines.

    My current company charges $100 per agent and $20 per agent/year for support. We often get requests from people asking if we have a free or open source version. We have had people make comments that they would gladly pay for support if we had a free version. Based on experience, that is a lie and these people want something for nothing. We have business expenses to cover and cannot rely on support fees that may not show up.
  • Re:None at all (Score:3, Interesting)

    by jamesh ( 87723 ) on Wednesday September 12, 2007 @06:10AM (#20569301)

    In short, the answer is to have no copy protection at all and trust your customers.

    It depends on how the product is distributed. If it's downloadable then I think a one off registration key is probably a requirement - it doesn't have to be very complex, just a step so that people won't download the product and not get around to paying you.

    I'm all for trusting people not to be intentionally dishonest, but I think you'd go broke trusting people not to be slack.
  • What to remember (Score:2, Interesting)

    by rjwoodhead ( 112122 ) on Wednesday September 12, 2007 @06:37AM (#20569489) Homepage
    As a veteran of the first copy protection wars, let me give you one simple insight that should guide you:

    "Thieves don't buy"

    Software thieves will not pay for your software, no matter how much you lock it up. If they can't get a cracked copy or code, 99.44% of them won't use it. It doesn't matter if they still live with their parents, or are the CEO of a big company; thieves don't buy.

    Thus, you must tailor your strategy towards supporting your non-thief customers, while minimizing the parasitic cost of the thieves.

    Consider doing this:

    * Require registration for support, not for running the program. If they run an unregistered copy (ie: no serial number), give them full functionality but remind them how to pay on startup, gently. Perhaps do it only when you do the weekly update check, or whatever. Support is your major marginal cost, so you want to try and avoid giving support to the thieves.

    * Phone home to check for updates, but continue to run no matter what. If the phone-home does detect a registration conflict, alert the user ("someone may have stolen your registration number") but continue to run.

    * Explicitly disclose what your phone home does, and allow the user to disable it, or the registration check, if they so desire.

    * Provide a way for your legit users to get logs of the phone-home information. Say their laptop gets stolen; the IP address logged on the phone-home could mean it gets recovered, you're a hero, and have a customer for life. But have strong data privacy rules about the information and how long it gets retained.

    * If you have a product with low/no marginal costs, consider letting your users decide how much to pay you (works best with small ticket items). See http://tipping.selfpromotion.com/ [selfpromotion.com] for an essay I wrote on this some years back.

    * Always remember to add the clause to your software license that makes Bill Gates promise to become your towel-boy.

    The easier you make it for your honest users to pay you, and the more helpful you are to them, the more you will be paid.
  • by 15Bit ( 940730 ) on Wednesday September 12, 2007 @06:51AM (#20569567)
    Any level of copy protection is an inconvenience to the end user:

    1. Install keys are a pain, but we're all used to them now and we accept them. Very few users send the software back or refuse to upgrade just because of install keys.

    2. Phone home activation is a bigger pain. It gives you some control but can cause headaches for the customer's IT dept. It can also make cracked versions more appealing, and makes non-internet connected computers impossible to activate. In general though, it is acceptable if it's a once only affair. However, regular phone-home checks are more than enough to sway the purchasing decision against your product.

    3. Locally installed license servers can be a pain, but they offer both you and the end user complete control over what's going on. They do represent an initial setup hurdle, but after that they offer considerable flexibility in that the end user can install your software on all the computers on their system and then there is a limit applied on how many clients can run at any one time. Your customer can then buy a small number of licenses and upgrade to more if necessary. Obviously this still needs the customer to have a decent internal network, but not necessarily internet connected, which is an issue in some places.

    4. Hardware dongles are just a menace and a guaranteed way to drive your customers away.

    At the end of the day I think you need to evaluate how important your software is to your customer. If it's critical, and they have no alternative, then you have the option of going the Microsoft route and pissing them off as much as you like cos they need you more than you need them. This may come back to bite you in the arse.

    If your software has little or no value to the home user (i.e. they have no use for it or wouldn't pay for it anyway) then you can probably get away with just a license key activation cos business customers tend to be a little more honest by nature. This also makes your product appealing to small companies cos they can buy one license (so they feel honest) and use it on 3 or 4 computers. This *is* technically "stealing", but you've still sold one more copy than you might have done.

    If you really want to have total control, and you think your customers will accept it, then the license server is a good choice. Your sales people should be able to dress it up as a convenient way for the IT staff to manage their licenses and if some sort of phone home is needed then only one hole needs to be drilled through the firewall. In future revisions you could also expand its role into an update server or something.

    It is possible to do some mix and match. For instance, Intel distribute the free versions of their C++ and Fortran compilers with both a phone home activation code AND a license key file. I find this to be quite convenient (though admittedly it doesn't stop the software being replicated across several machines). You could for instance sell single or double licenses to small companies (in the expectation that they will use it on more than one or two computers) and sell license servers to larger companies (who might be more strict about license accounting). This sort of flexibility (not adopting a one size fits all approach) would reduce the chances of alienating whole segments of potential customers.

    So in summary, you are selling a product and that product has to be acceptable to your potential customers. If it's not, they won't buy. Consider your target market and implement your controls accordingly. And if you can afford it, don't be afraid to offer flexibility in the licensing systems.

  • by porkchop_d_clown ( 39923 ) <<moc.em> <ta> <zniehwm>> on Wednesday September 12, 2007 @07:30AM (#20569813)
    So, by way of example, I wrote an un-copy-protected software package and released it as "guiltware" - I asked them to click on the paypal link and make a donation to MDA through me. 5 years on, I know people are still using it because I get help requests.

    But not one person ever, ever, ever clicked the link.
  • Case Study. (Score:2, Interesting)

    by bronney ( 638318 ) on Wednesday September 12, 2007 @07:32AM (#20569823) Homepage
    I am not as knowledgeable as most replies here but I can tell you which software I bought and which I didn't. Maybe it'll give some insights.

    ===

    1. Fraps. Bought.

    Copy protection: reg key

    Tried the trial version many years ago, cool to record your games, not much games needed recording, and youtube wasn't out. Forgot about it. Later when youtube hits the web, there're some stuff I wanna post up. Insta thought of fraps. Googled it, wow this guy's still at it! I can easily crack it, but bought it instead because it's "worth" it and the dude is still working hard on it. Lifetime upgrade, smooth running program. Would I've bought it if it was $3449 usd? Probably not. Even if fraps didn't require a reg key, I would donate to it. Why? It does what it says it does, and it does it in a quick, smooth, no BS way.

    2. Steam. Bought.

    Copy protection: online registration (MMO account style), clean, works instantly after format, no backups necessary

    When I felt like playing CS again, it installs steam by default. Thought nothing of it. Later when HL2 came out, pirated, played first map, blew me away. I emailed dev and asked if they will earn more money if I buy it off steam or the box. The answer is "same". But I skip the publisher anyway and bought off steam while I already had a copy in my hdd. The game was so good I didn't mind the $50 to show props. Again, smooth running, works as advertised. Doesn't cost $4k.

    3. Famous photo editing software. Pirated.

    Copy protection: activation key

    Can't afford, but need to use. New version every year (not sure, maybe 2 years). With newer version files non-importable back to older version without losing some data. Cannot afford every new version upgrade price. Would I pay for it if it were the same price of a PC game? Definitely. Would I pay for it if it were the same price range as some less reputable photo software? Yes. Would I pay for Winning Eleven 8, 9, 10, 10 Evolution every year just cuz the jerseys changed? No.

    4. Famous OS. Pirated.

    Copy protection: activation key

    Can afford, however doesn't always do as advertised. Requires tremendous attention and work to make it work smoothly. Makes me nervous when people need to use my computer as little voice says they will screw it up and it'll cost you another 3 hours of my finite life. Not sure if I will get MORE support by paying for it. Worst, not sure if MORE support will make this experience "better".

    ===

    I guess what I am trying to show is, and my general direction towards CP is that the best CP is no CP. Instead, make something that is truly fun, good, happy, addictive, smooth, sexy, that people want to pay for it. Your software might not be at the Ferrari level, but at least make it so that people feel like pirating a Mercedes is teh ghey. Pirating a Hyundai is less so, you agree? It doesn't have to be cheap, look at Smart car. Nice, cute. But if you see a pirated Volkswagen beetle, you'd immediately think it's ghey. Pirating ipod? Ew. Pirating a famous memory makers' mp3 player? Sure.

    I generally agree with the fraps direction. Pay once, use it for life. Lifetime upgrade, lifetime URL to download the upgraded version, quick, fast, and malware free. Pirate it? you gotto search for the seeds every single time, read comments, and virus scan it every time buddy.
  • by eknagy ( 1056622 ) on Wednesday September 12, 2007 @07:35AM (#20569843)
    The answer is, as for any good questions: depends.

    A few rules what not to do:
    A) "Phoning home required" and "online registration required" means "won't use this".
    B) Crippling unregistered versions is a bad idea for business software - they need to spend more on IT support.
    C) Time-limiting your software is a no-go - the limit will be exceeded in the middle of an important meeting/negotiation, and your software will be eradicated in two days.
    D) No matter what you add, pirates can remove it, but legitimate users will suffer.
    E) Never take your client's data as ransom - you will lose your customers if you do (in this particular case, a read-only access for unregistered clients could be acceptable).

    A few rules what to do:
    A) Printing nice license certificates will get you more money from typical business users.
    B) "Phoning home for updates if accepted by user" and "online updates are available only for registered instances, offline updates are available only for registered customers" is OK - they feel they get support.
    C) Giving volume licenses will save some headache for Business and for you (if they need 7 licenses, they will likely buy a 10-pack for a price of 8 licenses).
    D) Offer site licenses based on the size of the company, if they ask you about the price/discount - that way, your software has a chance to become "the internal standard".
    E) Unique ID is a good idea, as long as it is visible to the user and the software is working even if not capable to phone home (a red "unregistered" label is a good reminder for legitimate users).
    F) If you add time-locked registration codes, you should make it possible to load multiple codes and continue if at least one of them is valid.
    G) Consider building customised instances for them - like embedding a background image of "Licensed to company X, for 10 seats".
    H) Offer them absolutely copy-protection free versions for double-price.
    I) An automated version check in the background (no serial, just checks a txt file via http) will give you some info if you have access to the web server logs and will be considered as a feature.
  • Re:None at all (Score:3, Interesting)

    by teh moges ( 875080 ) on Wednesday September 12, 2007 @07:37AM (#20569853) Homepage
    I've always considered the best method is a combination of none and some. Have a license key that activates the program. Link the license key to the purchaser. If >x licenses are activated, notify the purchaser. If they didn't know about it, void their last serial number and give them a new one. If this happens too many times (like twice), stop issuing new serial numbers.

    This removes the problem of false negatives (since all activations count) and eventually copied serial numbers will be found as the pirated software spreads.

    You can then do as Citrix does, freely deploy the client software (helpful if you lose the CD) on your website, and sell only licenses instead.
  • by pla ( 258480 ) on Wednesday September 12, 2007 @08:04AM (#20570061) Journal
    So you guys don't use Adobe or Google products?

    Google, absolutely not (except directly, as a web page).

    Adobe, you can "break" its phone-home aspects simply by replacing the updater executable (the name of which seems to change with each version) with a stub exe that simply returns 0 (the standard Unix "true" program, if I can say that without causing an argument about true vs. Posixly-true).

    And believe me, if I could ban Adobe products, I most certainly would. For supposedly high-quality, nearly-ubiquitous software, that crap causes me more headaches than just about anything except a POS POS (both interpretations intended) program we use. Unfortunately, at least Acrobat falls into a category approaching my "Microsoft" exemption for importance to the company.
  • Re:None at all (Score:3, Interesting)

    by DarkMantle ( 784415 ) on Wednesday September 12, 2007 @08:08AM (#20570093) Homepage

    I'm not familiar with ELicense but this sounds similar to what we used at a shop I worked at before.

    Basically the user entered a "product key" and then the system generated a "unique" install ID and contacted the web server for an activation number. What was cool with the one we used was if your product key was 1234-5678-0123-7890 then the first 5 (or 6, I don't recall) characters of the activation request were based on that product key and were the same. The last half of the activation request was all hardware ID based. The activation server stored this in the database. So if requests with the first 5 digits being the same constantly came in then we'd cancel that key. We sold shop licenses so that quite often they were installing on at least 5-10 computers so we had the cut off high. Like 30 in x days (let's say 30) or 100 overall. This allowed for them to reinstall after system failures.

    Since it was done just like entering product code and the rest was done in the background, no one ever complained.
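
The activation scheme described in the comment above, sketched as an added example (not part of the comment and not the code of the system it describes). The SHA-256 derivation, the 5 + 10 character split, counting distinct hardware halves so that a reinstall on the same machine is free, and all function and class names are assumptions; the 30-in-30-days and 100-overall cut-offs and the sample key are the figures quoted in the comment.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)   # "30 in x days (let's say 30)"
WINDOW_LIMIT = 30
TOTAL_LIMIT = 100             # "or 100 overall"


def _digest(label, value, length):
    """Short uppercase hex digest; the label keeps key and hardware hashes apart."""
    return hashlib.sha256(f"{label}:{value}".encode()).hexdigest()[:length].upper()


def activation_request(product_key, hardware_facts):
    """Client side: first half derived from the product key, second half from hardware."""
    normalized = product_key.replace("-", "").upper()
    return _digest("key", normalized, 5) + "-" + _digest("hw", hardware_facts, 10)


class ActivationServer:
    """Server side: remembers which hardware halves were seen for each key prefix."""

    def __init__(self):
        self._installs = defaultdict(dict)  # key prefix -> {hardware half: first seen}
        self.cancelled = set()

    def activate(self, request, now):
        prefix, _, hardware = request.partition("-")
        if len(prefix) != 5 or len(hardware) != 10:
            return "malformed"
        if prefix in self.cancelled:
            return "cancelled"
        installs = self._installs[prefix]
        installs.setdefault(hardware, now)  # a known machine keeps its first-seen date
        recent = sum(1 for seen in installs.values() if now - seen <= WINDOW)
        if recent > WINDOW_LIMIT or len(installs) > TOTAL_LIMIT:
            self.cancelled.add(prefix)
            return "cancelled"
        return "activated"


def run_scenario(machine_count, days_between, reinstalls=0):
    """Constructed traffic: one key, N machines, then optional reinstalls of machine 0."""
    server = ActivationServer()
    key = "1234-5678-0123-7890"  # the sample key quoted in the comment
    start = datetime(2007, 9, 12)
    verdicts = []
    for i in range(machine_count):
        request = activation_request(key, f"constructed-machine-{i}")
        verdicts.append(server.activate(request, start + timedelta(days=i * days_between)))
    for r in range(reinstalls):
        request = activation_request(key, "constructed-machine-0")
        verdicts.append(server.activate(request, start + timedelta(days=400 + r)))
    return verdicts


if __name__ == "__main__":
    print("shop, 8 PCs + 3 reinstalls:", set(run_scenario(8, 1, reinstalls=3)))
    print("31 machines in 31 days:", run_scenario(31, 1)[-1])
    print("101 machines over 200 days:", run_scenario(101, 2)[-1])
```

A 5-character prefix can collide between unrelated keys, so a production server would store the full key server-side and use the prefix only as an index.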

  • by RobotRunAmok ( 595286 ) on Wednesday September 12, 2007 @08:59AM (#20570643)
    Where do you work? A Deli? 1996?

    You run cracked software on a workplace PC here in 21st Century Corporate America, you'll be lucky to get away with a strictly worded warning. Get caught again and your employment will be terminated for sure.

    On the other hand, install some nice new DRM-free software in the corporate workplace and wave it around enough and it will get copied and brought home by hundreds of non-paying users.

    The answer to the man's question lay in just exactly how good and unique his software is. If he's created the new spreadsheet-like paradigm for which there is no competition, he can attach a big ball and chain to the floppy and Corporate America will still make him rich (God Bless the USA!). If it's "Yet Another [fill in the blank]" for which there are better marketed (e.g., MS) or free open-source versions of, then he'll need a friendlier DRM scheme, or folks will just go with what they know/what costs less.
  • by Exp315 ( 851386 ) on Wednesday September 12, 2007 @11:15AM (#20573215)
    Lots of good comments here already, but what the heck - always room for a few more. I was a shareware vendor for many years, and now I run a small software company offering commercial products. I've dealt with this issue for a long time, so I can offer a few observations.

    The first thing I would say is "do what your customers expect". In some markets, people expect to have to enter a serial number, but nothing more. In other markets, people expect to use a hardware dongle with the software. If you find out what others are doing and do the same, you won't violate your customers' expectations. They will perceive you as a responsible, professional vendor, while accepting a modest amount of inconvenience.

    Most new software vendors tend to err on the side of too much copy protection, because they over-estimate the value of their work and they get really pissed-off at the thought of people stealing it. You should be so lucky! Cut whatever you had in mind in half, and do what you must to deal with piracy later if you are fortunate enough to have your software widely copied and used.

    Most business and professional software users are pretty responsible about paying for the software they use. A very modest speed bump that lets them notice if they are using a non-legitimate copy is generally sufficient. In every successful company I have ever worked at, there's a clear policy that all commercial software in use must be properly licensed and paid for. Not that there isn't some unofficial copying going on, but it has to stay below the level that comes to anyone's official attention.

    My company is very careful to protect the value of its commercial products, but never in a way that gets beyond customer expectations. In various markets we use registration codes, timeouts, permanent personal registration of software copies, and even hardware dongles. All have their value, but it's never worth losing customers over this issue. Any legitimate customer complaints, and we would back right off and offer an acceptable alternative. That's business.

    Personal software is another matter. As a shareware author I always made sure that my trial versions remained useful even if never registered, and I always encouraged users to ask their support questions even if they weren't registered. Based on the support questions and the number of downloads versus paid registrations, I would estimate about a 10:1 ratio between users and paying customers. Did that make me unhappy? Not at all! Most of those unpaid users would never pay for the software anyway, but by using it they are spreading the word and helping me test and improve the product. Plus I don't mind doing a little bit to improve the world for free as long as I'm getting an adequate return on my personal time investment.
  • Re:None at all (Score:3, Interesting)

    by Em Adespoton ( 792954 ) <slashdotonly.1.adespoton@spamgourmet.com> on Wednesday September 12, 2007 @04:48PM (#20578909) Homepage Journal

    Maybe he doesn't, but I do. And I completely agree with him. Installing a background task just to deal with license keys is bad juju.

    I also agree -- Working for a hardware company that also sells support software, we've found a very elegant solution that has worked quite well while not being too cumbersome:
    1. Tie the version of the software you're using to the hardware they have -- basically, sell more than one part of the solution, and make them depend on each other.
    2. Provide a "serial number activation" field during install. Any number entered will work as long as it fits the right hash and is the right length. The number is encoded in such a way that it contains the product version, date of sale, and some piece of information about the customer (eg. last 4 digits of contact phone number). This information shows up in the about box of the installed software.
    3. Whenever anyone calls in for support, we ask for the serial number. If the phone number doesn't match, we ask for further verification that the person is a legitimate customer.

    So far, the "enter a serial number" step seems to be enough to keep piracy down, when combined with the hardware+service model. If we ever went out of business, the software would continue working. No serial number (old Apple style) tends to not stop the average person from pirating, but making licensing more than a simple step will cause at least one person to decide it is easier to crack the software than to jump through all the hoops -- at which point you lose control.

    Think of it as "newspaper box" level security. Sure... someone could put in their money and take ALL the papers, but they have little incentive to do so. Make it difficult to get that first paper (sign up and provide SSN, credit card, etc.) and someone will break into the box and take the whole stack. This seems to be the human condition.
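
Steps 2 and 3 of the comment above, as an added example (not the poster's or their company's code): a serial that carries product version, date of sale and the last 4 phone digits plus a short keyed check, and the support-desk comparison. The byte layout, the truncated HMAC, the base32 text form, the placeholder secret and every function name are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
from datetime import date, timedelta

EPOCH = date(2000, 1, 1)             # assumed origin for the 16-bit sale date
SECRET = b"constructed-demo-secret"  # placeholder value, constructed for this example


def _tag(payload):
    """4-byte keyed check: the 'fits the right hash' part of the serial.
    The key ships inside the installer, so this stops typos and casual guessing
    only, which is the 'newspaper box' level the comment describes."""
    return hmac.new(SECRET, payload, hashlib.sha256).digest()[:4]


def issue_serial(major, minor, sold, phone_last4):
    """Vendor side: pack version, sale date and phone digits, then append the check."""
    days = (sold - EPOCH).days
    if not (len(phone_last4) == 4 and phone_last4.isdigit()):
        raise ValueError("phone_last4 must be four digits")
    if not (0 <= major <= 255 and 0 <= minor <= 255 and 0 <= days <= 0xFFFF):
        raise ValueError("field out of range for this layout")
    payload = struct.pack(">BBHH", major, minor, days, int(phone_last4))
    text = base64.b32encode(payload + _tag(payload)).decode("ascii")  # 10 bytes -> 16 chars
    return "-".join(text[i:i + 4] for i in range(0, 16, 4))


def parse_serial(serial):
    """Installer side: return the embedded fields, or None if the serial is not valid."""
    text = serial.replace("-", "").replace(" ", "").upper()
    if len(text) != 16:              # "the right length"
        return None
    try:
        blob = base64.b32decode(text)
    except ValueError:               # includes binascii.Error for non-base32 characters
        return None
    payload, tag = blob[:6], blob[6:]
    if not hmac.compare_digest(tag, _tag(payload)):
        return None
    major, minor, days, phone = struct.unpack(">BBHH", payload)
    return {
        "version": f"{major}.{minor}",
        "sold": EPOCH + timedelta(days=days),
        "phone_last4": f"{phone:04d}",   # shown in the about box in the described scheme
    }


def support_check(serial, caller_phone):
    """Support desk, step 3: compare the caller's number with the digits in the serial."""
    fields = parse_serial(serial)
    if fields is None:
        return "invalid serial"
    digits = "".join(ch for ch in caller_phone if ch.isdigit())
    return "ok" if digits.endswith(fields["phone_last4"]) else "ask for further verification"


if __name__ == "__main__":
    demo = issue_serial(2, 1, date(2007, 9, 12), "0199")   # constructed sample sale
    print(demo, parse_serial(demo))
    print(support_check(demo, "+1 555 010 0199"), "/", support_check(demo, "555-010-4242"))
```

Replacing the HMAC with an asymmetric signature would remove the shipped secret at the cost of a longer serial.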
