New Weapons in the War Against Internet Software Pirates

Vint Cerf, father of the Internet, defined leadership as the art of finding out which direction everyone is running, then running like hell to get out in front of them. In hopes of attaining leadership status, a veritable army of software developers, resellers and licensors have begun to use the Internet as both an advertising medium and a distribution channel for their software. However, as many software copyright owners have come to learn the hard way, placing or allowing others to place software on the Internet dramatically increases the risk of infringement. Even vendors who choose not to distribute software products through the Internet can find themselves victims of rampant infringement. For example, id Software Inc., which developed the exceedingly popular "Quake" and "Doom" computer games, estimates that 50% of the full versions¹ of "Quake" currently being played are unlicensed, having been accessed through pirate web sites that made "Quake" available for unauthorized download by anyone accessing the web site. Thus, even software vendors who continue to rely on conventional delivery methods using disk, CD-ROM and, in some cases, direct point to point electronic distribution using a secure connection, are increasingly exposed to the risks of Internet piracy.

Nevertheless, one key legislative development as well as maturing technological solutions offer promise to the software developers and distributors, both those intent on exploiting the Internet.s inherent opportunities as well as those who choose to ignore them.

ESD and Other Technical Solutions

In recent years, the software industry has developed and supported various technical solutions to the problem of "downstream"² copyright infringement. One promising software distribution method is electronic software distribution (ESD). In this distribution model, software vendors typically contract with one or more clearinghouses which implement ESD-based sales on behalf of the vendors. Clearinghouses allow customers to purchase software on the Internet through the use of a secure "envelope" which is transmitted to the customer.³ The envelope cannot be opened and thus the software cannot be viewed, manipulated, installed or used unless and until the clearinghouse receives confirmed payment, electronic or otherwise, from the licensee. When the clearinghouse receives payment, it then sends the new licensee an unlocking key through E-mail, old fashioned mail or over the phone. Each key is specific to the particular ESD transaction and offers first level protection against unauthorized use of the software.

Even with this form of ESD, there is no protection against downstream copyright infringement because there is nothing to stop an authorized user from further distributing clear unauthorized copies on the Internet or otherwise. In an effort to address this problem, a general class of enhancements to ESD sometimes known as "thumbprinting" or "fingerprinting" have been proposed and implemented. According to this model, a key similar to the one described above is generated and provided to a customer upon payment. However, this key is checked not only when the "envelope" is opened, as with basic ESD, but also when the software is installed or, most importantly, executed. The key is encrypted and stored in a protected environment. Further, the "key" includes information specific to the hardware platform, for example a PC.s serial number, with which the software is licensed to be executed. In order to implement the thumbprinting technique it is necessary for the licensed software to be enhanced with functionality that checks system information against the installation key whenever the software is executed. If the system information does not reflect the "thumbprint" designated by the key, the program will not execute.

Other technological solutions, while effective for non-Internet based software distribution models, are unusable in the Internet distribution environment. For example, some software licensees, particularly corporate end-users, have controlled software access and usage among employees through "diskless PCs" and/or through controlled menuing systems. With the diskless PC implementation, floppy disk drives and/or CD-ROM drives are included with PCs connected to a corporate network and are used initially, if necessary, to load and install software onto that machine. After initial installation, the drives are disabled, thus preventing employees from loading software onto the system themselves and possibly violating copyrights. New software which is properly licensed may be obtained through access to the network according to carefully controlled access and distribution mechanisms. However, if the PC also contains an Internet browser and Internet access, as most corporate PCs do, a user of that PC could easily download software from the Internet onto the PC hard drive, thus circumventing the intended controlled access to software.

The controlled menuing access solution is similarly ineffective in an Internet context. In this situation, particular portions of the PC.s operating system are typically disabled so that, for example, an employee might not be able to copy software from a floppy drive onto the hard drive or execute a program resident on a floppy disk. Again, if Internet access is provided, a user can execute and store programs garnered from the Internet even when menu access is controlled.

While "thumbprinting" technology can be effective in combating unauthorized use of Internet accessible software, it is an imperfect solution. Although such technology effectively blocks unauthorized use even in an Internet context, it can be burdensome in that legitimate users can suffer slower execution times and other difficulties by virtue of the added overhead of the verification software. In so doing, the protection, in its present form, undermines the very expediency benefits which the Internet is intended to facilitate. Still, additional development work in this area as well as the potential for other technological solutions in the future offer hope to current and would be Internet software vendors.

Trade Associations

Both the Software Publishers Association (SPA)⁴ and the Business Software Alliance (BSA)⁵, are assertive proponents of protecting software on the Internet. In 1996, the SPA organized its "Internet Anti-Piracy Campaign" to advance its objectives regarding Internet piracy. In December of 1997, the SPA formally requested suggestions from server operators, including Internet Service Providers (ISPs), on how to best address software piracy on the Internet. The SPA also offers its own auditing software, which companies may use to ensure all software on its system is properly licensed. Further, in an effort to educate information professionals in these companies, the SPA offers seminars and certifications teaching these individuals how to effectively, legally, and productively acquire, maintain and use software assets.

The SPA has also published a number of policy papers relating generally to Internet commerce and specifically to software distribution, including Electronic Software Distribution Policies for Software Publishers, which is intended as a "standard" for implementing ESD transactions. In connection with these policies, the SPA actively solicits, tracks and pursues reports from individuals, server operators and ISPs regarding Internet piracy of which they become aware. The SPA.s piracy hotline and email address make reporting of suspected violations easy and theoretically anonymous. According to SPA officials, the SPA receives about 30 calls per day on its hotline. Often, the callers are ex-employees reporting violations at their old companies.

The BSA, formed in 1988, is a software industry affiliation which focuses its software protection efforts internationally. Its members include such household names as Microsoft, Apple, and IBM. While the BSA is also active in policy development and dissemination, it also works closely with international law enforcement agencies to carry out raids on overseas pirate software users and vendors.

Existing Copyright Law

As an adjunct to the technical solutions described above, Internet software vendors may also achieve a level of protection by pursuing remedies available under existing copyright law. Lawsuits alleging "Internet piracy" as a violation of the exclusive copyright rights are gaining recognition in the courts. In one of the first such cases, the SPA brought suit in 1996 against an individual it claimed had illegally uploaded copyrighted software to an Internet site for distribution to unauthorized users.⁶ The action, which the SPA brought on behalf of three of its member companies, resulted in both an injunction against further uploading and distribution of the software by the defendant as well as a damage award of $60,000.

More recently, in October of 1997, the SPA filed another lawsuit⁷ on behalf of seven of its members against two individuals operating two separate websites which offered copyrighted material as well as bootleg serial numbers for installing approximately 4500 software products. In addition, the site permitted web users to download software piracy tools designed to circumvent technical protection for the copyrighted software.

The "NET" Act

Perhaps the most promising development in the war against pirating of software available on the Internet is the No Electronic Theft Act, or "NET" Act, signed into law by President Clinton on December 16, 1997. The NET Act was promoted and passed primarily to eliminate the "personal profit" requirement or so-called "LaMacchia Loophole" in the federal copyright statute. The LaMacchia Loophole is a reference to the 1994 case of United States v. LaMacchia⁸ in which an MIT student provided those accessing his Internet bulletin board with free, unauthorized copies of computer software. He was charged by the government under the federal wire fraud statute⁹. The government did not attempt to prosecute LaMacchia under the criminal copyright statute¹⁰ because that statute requires proof that the defendant sought to profit personally from a scheme to defraud. LaMacchia did not derive any economic benefit from his website. He provided the "service" as many hackers do, because of non-financial benefits such as personal notoriety.

No such profit motive is required in connection with prosecution under the wire fraud statute. Nevertheless, the district court dismissed the indictment noting that "absent clear indication of Congressional intent, the criminal laws of the United States do not reach copyright-related conduct. Thus copyright prosecutions should be limited to Section 506 of the [Copyright] Act, and other incidental statutes that explicitly refer to copyright and copyrighted works".¹¹

Since the wire fraud statute could not be used and since the criminal copyright statute required a profit motive, "hackers" like LaMacchia who harm copyright owners by causing significant lost sales revenue, but who themselves do not gain financially, could not be prosecuted under the existing legal framework. The judge in LaMacchia recognized this loophole and suggested in his opinion that Congress should amend the law so that LaMacchia type individuals would not be immune from criminal penalties.

Both the SPA and the BSA strongly supported a change in the law and have been lobbying for the NET Act.s passage in recent months. The NET Act, as passed, criminalizes computer theft of copyrighted works, whether or not the defendant derives a financial gain from the activity. As amended by the NET Act, section 506 of the copyright law provides that criminal penalties may be imposed in either of two cases. First, criminal liability will attach if a person willfully infringes a copyright "for purposes of commercial advantage or private financial gain"¹². A definition of "financial gain" was also added to section 101 of the copyright law to specify that receiving other copyrighted works, and not necessarily money, will constitute financial gain sufficient to invoke the first case for attaching criminal liability.

Criminal penalties under 18 U.S.C. ' 2319 may also be imposed is if a person copies one or more software programs having a total retail value of more than $1,000 in any 180 day period even if no profit motive of any kind is involved.¹³ In most cases, non-de-minimus LaMacchia type infringers would thus be subject to criminal prosecution even though they did not receive compensation for the unauthorized copies of the software programs.

Incarceration penalties under the NET Act, as specified in the amended 18 U.S.C. ' 2319, range from 1 year to 6 years depending upon the retail value of the works and whether the infringement is a second offense. Additionally, monetary penalties may reach $250,000. Civil remedies may be sought in addition to any criminal penalties imposed. The NET Act also increased the statute of limitations for criminal copyright infringement from three to five years.¹⁴

The NET Act thus provides a powerful tool by which copyright owners may deter even non-financially motivated illegal distribution of their software. There are, however, some detractors, who think that the new law goes too far in the other direction. They argue that the new law will have a chilling effect on, for example, university scientists who wish to publish their work on the Internet. In particular, these detractors point to the common practice of professors selling all rights to an article to a research journal but nevertheless posting the article on the a university web page or the school computer system for students or other interested parties to view and potentially download. Under the NET Act, the professor could be subject to criminal penalties as long as the cumulative value of the article among those who download it amounts to $1,000. At least one representative of the software industry¹⁵ dismisses this concern pointing out that once the professor sells the article, he or she is in no position to determine the policy of the new owner of the work with respect to academic postings on the Internet irrespective of the NET Act. In other words, this representative argues that if a copyright author sells all of his or her rights in the work, that author may not post the work on a website absent the new owner.s permission. The author.s posting is an infringing act with or without the NET Act.

Conclusion

Software developers, resellers and licensors continue to face material risks of misappropriation when they place their software on the Internet. However, a diverse array of legal and technological advancements are beginning to level the field. The strong software lobby, primarily through the SPA and BSA, has been and continues to be a vocal and effective proponent in the battle against pirating of software on the Internet. As one of the first tangible results of this lobbing effort, the NET Act strengthens the web of legislature protections available to software copyright owners. Technologies such as electronic fingerprinting promise greater protection and offer more piece of mind to copyright owners. Now that both Congress and the industry have identified the issues and have shown that they are willing to confront head-on the growing threat of Internet piracy, there is reason to believe that the future of software distribution on the Internet may be a bright one.

1. A "shareware" version of Quake which did not include all of the functionality of the full version was distributed through the Internet. This marketing model was first used by id for its first major product - Doom.
2. "Downstream" copyright infringement refers to infringement by users who obtain copies of software programs from legitimate licensees. The "downstream" infringer does not obtain a license or pay any fees to the copyright owner for use of the program.
3. This is one method by which, for example, id Software distributes its Quake program. Alternatively, a customer may order a CD-ROM containing the full version by calling id.s clearinghouse and providing credit card information.
4. The SPA is a trade association representing the interests of its members from the software industry. It has approximately 1200 member companies.
5. The BSA is an organization that represents the interests of the leading publishers of software for personal computers. It promotes continued growth of the software industry in 65 countries worldwide.
6. Cinco Networks Inc. v. Butler (W.D. Wa., No. C96-1146, July 23, 1996). Judgment was entered on consent.
7. Adobe Systems et. al v. Doe (W.D. Penn., No. 97-1831, filed October 6. 1997) The SPA settled this case with all defendants and the case was closed in December, 1997.
8. 871 FSupp 535, 33 USPQ2d 1978 (DC Mass 1994).
9. 18 U.S.C. ' 1343.
10. 17 U.S.C. ' 506.
11. Citing 3 Nimmer on Copyright, ' 15.05 at 15-20 (1993).
12. 17 U.S.C. ' 506(a)(1), as amended by the NET Act.
13. 17 U.S.C. ' 506(a)(2), as amended by the NET Act.
14. 17 U.S.C. ' 507(a), as amended by the NET Act.
15. Steve LaCount, a member of the board of directors of the Computer Law Association. See Columbus Dispatch article.