Computer underground Digest Sun Feb 7, 1993 Volume 5 : Issue 11 ISSN 1004-042X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Copy Editor: Etaion Shrdlu, Junoir CONTENTS, #5.11 (Feb 7, 1993) File 1--Introduction to a Chat with the SPA File 2--A Chat with the SPA File 3--How does the SPA Calculate Piracy? Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; in Europe from the ComNet in Luxembourg BBS (++352) 466893; and using anonymous FTP on the Internet from ftp.eff.org (192.88.144.4) in /pub/cud, red.css.itd.umich.edu (141.211.182.91) in /cud, halcyon.com (192.135.191.2) in /pub/mirror/cud, and ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD. European readers can access the ftp site at: nic.funet.fi pub/doc/cud. Back issues also may be obtained from the mail server at mailserv@batpad.lgb.ca.us. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: 29 Jan 93 23:49:21 CST From: Jim Thomas <tk0jut2@mvs.cso.niu.edu> Subject: File 1--Introduction to a Chat with the SPA Over the past few months, CuD talked with severeal SPA staff about their organization, goals, tactics, and membership. In CuD # 4.63, we reposted several SPA position papers and summarized their broad goals. Here, we attempt to present in more detail the SPA's view of its organization, mission, and activities from their perspective. We began our inquiry into the SPA knowing little about them other than what we had read in the press. Press accounts seemed taken primarily from SPA literature, which leave a number of questions unasked. We also were initially influenced by the rumors and other sources of information that portrayed the SPA as an evil entity inclined to invoke the law for its own narrow interests. Between these two extremes--an altruistic group devoted to high ideals and an opportunistic frontier sheriff, we found considerable middle ground and support for both views. The SPA is divided into two fairly distinct, but somewhat overlapping, groups. The first, represented by the SPA's General Fund, provides the same services for members that any solid professional organization does. It provides support, conferences, information, and other assistance for members. The bulk of the SPA's activities are devoted to these services, and from all accounts they do it well and take justifiable pride in their accomplishments. The second, represented by the SPA's Copyright Protection Fund (CPF) garners the publicity and raises the questions that prompted our initial inquiries. Although linguisticially awkward, the SPA calls each segment a "fund," rather than a group or a division. Some have called the CPF cyber-tech bounty hunters for its aggressive style in pursuing its targets and using the threat of law to obtain out-of-court settlements that have been has high as a half-million dollars. Those whom the SPA represent justifies this style as a necessary method to protect software authors from potential predators whose actions, if unchecked, reduce the compensation for intellectual property. We have said it before, and we'll repeat it: Both CuD editors are unequivocally opposed to all forms of predatory behavior, whether by the lawless or by those who ostensibly defend law. We strongly believe that if one obtains software, whether conventional copyright or shareware, and uses it regularly, it should be purchased. Period. This is the official position of CuD, and it is the strong personal view of both editors. However, we also judge the "zero-tolerance" approach to copying and distributing unpurchased software both unreasonable as a legal and ethical stance, and ultimately unhealthy for the software industry and for end-users. The recent passage of PL 102-561, the federal anti-piracy bill (formerly S893) is an example of a bad law that over-criminalizes "piracy," creates a broad category of offenses that lump both minor lapses in judgement with serious predations, provides an easy means for prosecutorial abuse, and gives a coercive weapon to groups inclined to seek out-of-court settlements. We are of two minds about the SPA. On one hand, their commitment to members interests, their willingness to engage in educational activities to raise the consciousness of end-users' obligations to software publishers, and their devotion to their cause are laudable. On the other hand, some of their tactics raise ethical questions, and their hard-line stance on "zero-tolerance" are not. Our intent in this and subsequent discussion of the SPA (and the Business Software Alliance) is not simply to criticize them. Instead, we hope to raise some of the issues underlying their methods and philosophy for the purpose of striking a balance between the rights of *both* publishers and users. In our discussions, we found the SPA staff without exception to be friendly and cooperative. They patiently answered repetitious questions and promptly provided information that we requested. Although we doubt that anything we say in CuD will influence them one way or the other, we hope they interpret our critiques in subsequent issues in the collegial spirit intended, and we invite them to engage in dialogue with the past and future comments that we and other readers provide. One might ask why the SPA should bother engaging in dialogue in Cu-Digest. Let me suggest a few reasons: 1) CuD's readers are primarily professional (computer types, attorneys, law enforcement, media) and discussion would reach at least 40,000 people, probably closer to 60,000. Readers are obviously computer-literate, and most are affected in some way by intellectual property issues. 2) Engaging in dialogue is healthy. Conflicting views, when publicly aired, can lead to sharpening of and changes in public thinking. 3) The SPA may have an image problem. Whatever they think they do, their actions are clearly misunderstood by many people. Public dialogue would give them the opportunity to reflect on the image and to assess if it's the one most-appropriate to their goals. 4) The SPA's goal of educational outreach would be served by contributing to the dialogue in CuD. Outreach is invaluable in challenging people's thinking, raising issues, and imparting information. For the SPA, the value is not whether people accept or reject their methods, but rather that the simple act of discussing them publicly serves to raise awareness about the problems and stimulate people to think in new ways about proprietary information for them. It's a no-lose situation for them. 5) The SPA staff came across as dedicated, well-meaning, and honorable, which suggests that they would welcome a public dialogue. We look forward to hearing from them. ------------------------------ Date: 30 Jan 93 01:03:34 CST From: Jim Thomas <tk0jut2@mvs.cso.niu.edu> Subject: File 2--A Chat with the SPA ((MODERATORS' NOTE: The following is a summary of conversations with SPA personnel between October, 1992 and January, 1993. The contacts, especially Terri Childs (SPA Public Relations Manager), Illene Rosenthal (SPA General Counsel), David Tremblay (Research Director), and Katherine Borsecnik, were patient, cordial and open. They also spoke slowly, allowing for occasional verbatim note-taking. The narrative attempts to present the SPA from their own perspective. We strongly encourage rational responses that address the issues raised)). THE ORIGINS OF THE SPA Ken Wasch, the founder and Executive Director of the SPA, was an attorney working for the federal government in 1984. Perhaps because the Beltway is an environment teeming with trade associations, he recognized a need for a trade association for the rapidly growing PC software industry. Unlike a professional association, which supports individuals in furthering their professional career, a trade association furthers the interests of companies in furthering their enterprise. He perceived a need, and he hoped to fill the vacuum. When 25 software companies signed up, the SPA officially came into existence as a non-profit organization. His motivation, according to one SPA staff person, was that he simply liked the software industry and wanted to further its goals. The SPA was officially founded on April 5, 1984. Its current staff of about two dozen people provides a variety of services to software publishers and others. SPA MEMBERSHIP Unlike some associations, such as the Business Software Alliance, SPA membership is open to any legitimate software or trade-related company. SPA membership reached 1,000 in fall of 1992, and continues to grow. As a trade association, it represents companies, *not* individuals. So, if an individual wants to join, they do so as a company. About two-thirds of the members are software developers, and one-third are companies who support the software industry, including venture capitalists, market researchers, public relations firms, and companies whose clients are software manufacturers. The diversity of membership is seen as one strength of the SPA, because it infuses a variety of ideas and perspectives into programs and policy. DUES AND BUDGET: SPA dues are assigned on an "ability-to-pay" sliding scale, depending on the company's annual revenues. Dues range from $750 to $125,000 a year. About 60 percent of the members pay in the three lowest categories, which are $750, $850, and $1,000. Annual dues for a small software company are about the same as the costs for a one-year family subscription to cable a cable television full service, and are therefore not prohibitive even for the smallest companies. EDUCATIONAL AND COPYRIGHT FUNCTIONS: The SPA is divided into two divisions, each with a separate operating budget. The first, the GENERAL SPA FUND, is the association's main group with an annual operating budget of about $4.5 million. The second, the COPYRIGHT PROTECTION FUND (CPF), has a budget of about $2.86 million for fiscal year 1993. The term "fund" is used to refer to each group, and does not refer only to a pool of money. The general fund provides for rent, maintenance, conferences, and salaries for the non-copyright protection personnel. The copyright Protection Fund's budget provides for enforcement, educational outreach activities such as producing videos, going into schools, and publishing SPA brochures, which are given away or at nominal cost. The question of how much the SPA spends on education is complex, because both groups engage in educational activities. According to Katherine Borsecnik: Remember, our primary mission is to serve our members, who are primarily software publishers. The copyright protection fund is a separate fund that pays for all our anti-piracy work, both the litigation and the education. The kind of education that you mention, going into schools, or going into businesses, or general speeches, all of that is related to copyright and intellectual property, so it all comes out of Copyright Protection Fund. We have a very large education budget in the general fund that goes for things like conferences for our members in the software industry. . . . I think we're talking about two different things here. You're talking about general education as anti-piracy stuff. . . . So, the $2. 86 million budget includes speeches, brochures, videos, and other information that goes to end users. . . They are more expensive, because we do them in large quantities, than our legal expenses. The SPA's anti-piracy activities are its most visible and dramatic, but they constitute only a portion of what the SPA does for members. Ms. Borsecnik explained: There's a laundry list of member benefits. We do a lot of market research. A lot of companies join because that market research is very valuable to them, and they'd never get the kind of research that we do. So we do tons of market research. We track sales in 25 diferent software categories every single month. We also do market-specific end-user studies.... And then we have a sales certification program, sort of like in the recording industry, gold and platinum, and these are programs that help companies with marketability programs, those little labels they put on the box that say "certified, 100,000 sold" or whatever. In addition, the general division does consumer and end-user studies on education, provides salary studies, and distributes publications that include newsletters, a recently-published book on distribution channels, and lengthy articles. They also host three conferences a year. They conduct an annual awards presenation modeled on the academy awards, and this year 525 products are being nominated for 25 categories of awards. THE COPYRIGHT PROTECTION FUND The Copyright Protection Fund's staff includes one clerical position, an administrative assistant, two or three non-attorney investigators, and Illene Rosenthal, the SPA's general counsel and overseer of the CPF. She and Ken Wasch, the SPA's Executive Director, are the only two attorneys on staff. The Copy Right Protection Fund, formed in 1985, is a separate subset of the SPA. It was initially set up and funded by contributions by some of the members to help "prime the pump" in the SPA's anti-piracy efforts. After that initial pump-priming, it has been entirely self-funded by litigtion settlements. A separate committee directs the staff a to what kinds of actions to take and is the overseer of the anti-piracy's efforts. Similar to a board of directors, the committee includes members from the software industry. The dual goals are to educate the public about acceptable software use and copyright law and to litigate against those judged to abuse copyright law. The fund filed its first suit in March, 1988, against "The Clone Store," a San Leandro, Calif., computer dealer. The case was settled out of court for $10,000. The CPF has generated considerable publicity for its aggressive reactive opposition to software piracy, but education, not enforcement, is the division's professed primary goal. According to staff. The CPF produces brochures explaining copyright protection for end-users, promotes awareness of the problem of "soft-lifting," a term for using unauthorized copyright software akin to shoplifting, and delivers its anti-piracy message to schools, business, and others. The SPA's rap-video, "Don't Copy that Floppy" (reviewed in CuD #4.63) is available at no cost. The SPA has also developed a program called SPAUDIT intended to help end-users, especially companies and schools, identify over 650 software programs of members that might be installed on a personal computer. The program allows a user to first identify which programs exist, and then sort out and remove those that might be unpurchased. The program is about 43K and quite easy to use. However, in using it on my own system, it identified 13 programs, but at least four of the "hits" were false in that these programs were not on my system. Nonetheless, the program, even if not particularly accurate, possesses a symbolic function in that it raises the consciousness of system supervisors and helps establish an ethos of attention to outside software on "the boss's" computer. THE CPF--SOFTWARE POLICE? The CPF actively promotes a self-image of "software cop." The June 17, 1991, issue of Information Week carried a cover graphic similar to a 1940s' comic book: Two respectable looking office workers are in their office when a super-hero in a suit and trenchcoat bursts through the door, knocking it off its hinges. "Nobody Move! Keep your hands away from those keyboards," he says. "Oh my gosh! It's the SPA!!" exclaims a shocked male worker. "QUICK! Stash the disks!!" says the female. Other advertisements, which it either sponsors or endorses, carry the same law-and-order/piracy-will-get-you-jailed theme. According to Ms. Rosenthal, the ads and the motif are intended to be humorous and not necessarily literal, but they nonetheless symbolize what many observers see as a simplistic ethos of harshly punitive responses to what in fact is a complex problem. Whether justified or not, the SPA has the reputation of simply "not getting it" when it comes to possession or use of unpurchased software. It is not that the SPA's critics condone theft or support the practice of regularly and intentionally violating copyright protections. Rather, critics point to what they judge to be questionable tactics in the SPA's war on piracy. The SPA responds by stressing that the rights of software publishers must be protected from rip-off and deprivation of fair compensation for their labor. TARGETING "PIRATES" Contrary to public perception, SPA personnel indicate that they do not target a particular group or type of offender. They respond to each case individually and target those for whom there is "clear evidence" of abuse. Despite their reputation for threats of litigation, they stress that their primary strategy is to obtain voluntary compliance with copyright law. CuD asked several staff members to explain, step-by-step, how they respond to a complaint of copyright violations. First, the SPA receives information from employees, whistle-blowers, or private citizens who call its highly publicized "anti-piracy" hotline (800-388-PIR8). They receive between 50-150 calls a week, but only about 2 to 10 of these are pursued. The first step in pursuing a case is to obtain as much information as possible. According to Illene Rosenthal: We want to know how long the person's been working, where they've been working, what the relationship is they have with the company....Obviously, we want to know as much as possible. We want to know where the person worked, how long they've worked there, how they know this information, whether or not they've discussed it with management, basically, everything you do in an investigation. What specific programs are involved, how many programs, illegal programs, there are. This kind of information you're going to get over several phone calls. You're not going to necessarily get it on the first phone call. But, we do a thorough investigation, and when we're comfortable with that information, what we're going to do is pursue the case. If we're not comfortable with that information, obviously we're not going to pursue the case. Depending on the evidence, the seriousness of the alleged offense, and the motivation, one of several courses of action exist. The first is THE RAID, which involves entering the alleged offender's premises and searching the computer system(s). Second is an AUDIT LETTER, in which the SPA provides a target with an opportunity to voluntarily comply with a request to examine hard drives for "unauthorized" software. Third is a CEASE AND DESIST LETTER, which is a letter notifying an alleged offender that they may be in violation of copyright law and provides the target with the opportunity to voluntarily stop the perceived offense and avoid further action. The letter option allows the company or BBS to do its own investigation and report back to the SPA. The decision on which option to invoke depends on a number of criteria on a case-by-case basis. According to Ms. Rosenthal: We discuss this in a group of about seven of us, and we sit down and discuss the cases, and we'll throw out the various factors and sometimes we'll say, "Look, I need more information," and they'll get back to the source to get more information. But, ultimately, you get the information you need so that you can feel as comfortable as possible taking whatever action you decide to pursue or not pursue in a given case. . . .We really look at each case on a case-by-case basis. It's not that we're looking for particular types of industries or particular types of organizations. It's the information that comes out, the quality of the information, the credibility of the informant, the seriousness of the violation, the willfulness of the violation, they're just all factors that go into it. The AUDIT LETTER presumes good faith on the part of the target. It requests permission for SPA personnel to conduct a software audit on the premises. In return, the SPA will forgo litigation. The SPA's Background Information brochure identifies four principles in the SPA software audit: 1. An SPA representative observes as the directories of each PC are printed. 2. Directory information is compared with purchase records. 3. The company agrees up front to make a penalty payment to the SPA Copyright Protection Fund in the amount equal to the retail price of each illegal software program found during the course of the audit. 4. All unauthorized copies are destroyed, and the audited company agrees to replace them with legitimate copies. Critics argue that this policy constitutes a double penalty. First, they claim, there is the equivalent of a coerced fine in payment of software costs. Second, purchasing a copy of each product found may exceed what some companies need or even were aware they had on the systems. SPA supporters counter by arguing the payments are voluntary and if the company feels an injustice has occured, they are able to pursue it through the litigation option. According to SPA staff, it would be difficult for the target to erase "evidence," because auditors normally have prior information of what software exists and where it is located. "People have tried that before and gotten caught," say staff. Staff also indicate that, when they choose an audit option, they normally have a source of information to inform them of whether the target is answering in good faith or not. Although this presumably means an "inside source," SPA staff stopped short of saying that it necessarily meant that the informant was still employed for or involved with the target: "We always have access to information when we send out the audit letters," according to Ms. Rosenthal. What happens if a target says "no!" to an audit letter? "We sue 'em," she said. The CEASE AND DESIST LETTER, the least intrusive of the options, conveys the threat of a suit if the recipient fails to comply, but generally the letter accomplishes the goal. Although the SPA has NEVER actually gone to court against an alleged software transgressor, to date they have initiated about 150 civil actions. All have been settled out of court, largely on the basis of the evidence. According to the SPA General Counsel, in only one case has the SPA been "wrong." The SPA's Background Information sheet (July, 1992), indicates that the Copyright Protection Fund's first law suit was filed in March, 1988, against "The Clone Store," a San Leandro, California, computer dealer. The case was settled for $10,000. In a larger settlement, the SPA won $350,000 (plus attorneys' feels) in a settlement against Parametrix, Inc., a Seattle-based environmental and engineering consulting firm in 1991. The information sheet also reveals that in 1991 the SPA won a settlement with the University of Oregon Continuation Center for $130,000, which included an agreement that the University organize and host a national conference in Portland, Oregon, on copyright law and software use. The University denied the allegations and, according to the University legal counsel, the settlement in no way implied an admission or concession of guilt. Why would a company chose to settle if they are innocent? According to one trial lawyer, it is often the most economically feasible. Trials are costly, and even winning a case can be more costly than a settlement. To lose can be even more costly. Hence, settling without an admission of guilt, as insurance and other companies have learned, can be the most rational strategy. When calculating the dollar amount of a settlement, SPA personnel look at a number of factors, including the amount of unlicensed software on a system. However, staff indicate that rarely will they include or respond to non-members' software that might be present, and focus instead on their memberships' programs. Nor do members share in settlement fees. All monetary awards are returned directly into the Copyright Protection Fund to pay for education, salaries, and other expenses. Ms. Borsecnik added: All of the money for our settlements goes back into the Copyright Protection Fund. The philosophy behind that is that that's how we produce the educational materials. Because, with the exception of one book that we charge for, all of our materials are either free or nominal cost because of postage. So our settlements help us continue our educational activities. The companies that pay membership dues don't pay for what we do on behalf of them in copyright. It's all self-funded. They pay us money, and we do a lot of other things. . . .education and publications, and just tons of stuff we do that have nothing to do with piracy. Those things are our primary mission. Piracy is something in addition we do for them. They don't pay us extra to do that. SPA personnel resist the accusation that they are more interested in litigating than in broader educational activities. According to the General Counsel: Our primary strategy is to get people to voluntarily comply with the software laws. And, we do that by a two-fold approach. The first is that we have an extremely effective and extremely good educational program. We give over a hundred lectures a year about the copyright laws and how to manage software, we give a lot of free material, we have the SPA audit kit, we have brochures that we give away for free--we've given away over 60,000 brochures that, in English, tell you what the copyright law is and what you have to do to comply, we have videos that talk to you about the software laws for about 12 minutes, we have educational videos that we give to schools for free. However, the SPA does feel that voluntary compliance requires a threat, as the General Counsel explains: ((As a criminologist)), you're certainly aware that people are unlikely to comply voluntarily if they think that there's no risk to complying. This is the perfect situation of where you really have to have some reasonable threat of enforcement or there's really no incentive for most people to comply. There is considerable debate among criminologists over the degree to which coercion is necessary to constrain behavior, and according to SPA data, software "piracy" steadily declined from 1989 to 1991. 1992 data is not yet available. In 1989, they estimated that about 48 percent of PC was pirated, declining to 37 percent in 1990, and 22 percent in 1991. This trend seems to challenge the view that aggressive litigation has contributed to the decline, because the heaviest SPA litigation and corresponding publicity has occured in the past two years. Critics would suggest that education and emphasis on "computer ethics" has been far more successful in curtailing illicit use. THE SHRINK-WRAP LICENSE There is considerable disagreement between attorneys and others over the legal status of shrinkwrap licenses. The SPA adheres to the view that the shrinkwrap license is a legally binding agreement between an end-user and the software author. A SHRINK-WRAP license is so-named because most software programs come in a cellophane wrapping that seals it. The typical shrinkwrap licence, as typified by the package that Microsoft's DOS 5.0 came in, provides among other things that 1) The software is owned by the manufacturer, and the user is only licensing it; 2) The user may install the program on one and only on one disk; 3) Only one backup/archival and no others may be made; 4) The user may not decompile or disassemble the program; and 5) If the program is transfered or given to another, no copies may be retained by the original user. Despite the many criticisms of these licenses, the SPA argues that unsealing by breaking the cellophane is an explicit and unalterable agreement that the user will abide by whatever restrictions on use and copying are contained in the small print. Although nothing on point has been established in a court of law, the SPA defends shrinkwrap as a valid contract. Others, however, aren't so sure (see Lance Rose's commentary in CuD 5.06). SUMMARY Whether one supports or opposes the SPA's methods, several points seem clear: 1) The SPA is committed to serving its members, and does so aggressively. 2) When discussing the SPA, care should be taken to distinguish between its general activities and the Copyright Protection Fund. 3) The SPA's actions have been instrumental in raising the issues of software piracy to a level that demands public dialogue regarding whether and/or where an acceptable line should be drawn between "zero-tolerance" and permissable fair-use. 4) The issues raised by the SPA's aggressive anti-piracy campaign extend beyond a single organization or policy. They raise issues of reconciling competing interests--those of publishers and end-users--and of identifying appropriate social responses to alleged transgressions. The issues also include resolving the problem of applying familiar legal and ethical concepts and theories to changes brought by revolutionary technology. The SPA certainly deserves credit for raising the issues of software abuse. However, some of its methods continue to be subject to severe criticism. In the interstices between "zero-tolerance" and fair-use lies considerable room for honest intellectual disagreement. It is not sufficient for those of us who are critical of some of the SPA's methods to simply sit back and take shots at their method. If we don't like the methods, we are certainly bound to criticize them, but we are also obligated to develop constructive alternatives to balance the rights of both users and publishers. Among the questions we pose to readers: 1) What, if any, are the acceptable limits of software copying and distribution beyond those authorized by shrinkwrap licenses? 2) What legal sanctions ought be provided for the wide range of possible infractions that recognize extreme abuse on one hand and casual ethical lapses on the other? 3) How might current or future laws be revised or written that would minimize potential prosecutorial abuse on one hand, but provide sufficient sanctions for appropriate transgressions on the other? 4) When does "fair-use" become ripoff? These and other issues will be explored in future issues. ((CONCLUDING NOTE: We invited the SPA to read this issue prior to publication. We delayed it by over a week to provide them the opportunity. We indicated that we would be amenable to correcting any errors, and would be willing to revise whatever they found inaccurate or unfair. I was given an email address, and it was confirmed as correct. Several notes and two of the three files were sent. The third was to be sent when I received confirmation of receipt. I received no response. I left a message on the appropriate SPA staffer's answering machine indicating that the files had been sent and reaffirmed encouragement to read the files and provide feedback. I received no answer as of Feb 7. We encourage the SPA to engage in a dialogue over the issues to be addressed in this and coming issues. If they are as serious about public outreach and education as they repeatedly emphasized, we hope they welcome the opportunity to engage in a dialogue with CuD readers)). ------------------------------ Date: 01 Feb 93 22:51:51 CST From: Jim Thomas <tk0jut2@mvs.cso.niu.edu> Subject: File 3--How does the SPA Calculate Piracy? The Software Protection Association (SPA) estimates that software piracy has declined between 1989-91. But, says the SPA, piracy still cost the industry over $1.2 billion in lost revenues in 1991. Critics argue that the piracy rate and its costs are grossly over-estimated. The SPA believes that its estimates, while perhaps imperfect, nonetheless are quite conservative and, if anything, significantly underestimate the extent of software piracy. Who's right? How does the SPA arrive at its estimates? The information below comes from SPA documents and from SPA David Tremblay, SPA's Research Director. Identifying and counting behaviors that are normally hidden presents several methodological problems. Calculating the extent of piracy is no exception. First, there is no victim in the traditional sense. There are no snatched purses, dead bodies, empty bank accounts, trashed computers, or other directly obvious signs of predation. Therefore, we rarely have direct knowledge of an alleged "offense." Second, the concepts used to define or measure an "offense" can pose particular problems, because definitions are subject to imprecision. Third, "victims" of piracy are often unaware that they are victims until informed by someone who measures victimization, such as the SPA. The "DARK FIGURE OF CRIME" is the knowledge-gap between crimes KNOWN to have occured and crimes that ACTUALLY occured. No existing methodolgy can precisely measure this dark figure, and even the most sophisticated provide only approximations. It's therefore not surprising that the SPA's attempts to measure the "dark figure of piracy" face methodological problems. The Methodology Four sets of facts and an assumption underlie the SPA's methodology. One set of facts is hardware sales from Dataquest, a marketing research company in San Jose, Calif. The calculations begin by determining the number of Intel- and MacIntosh-based PCs sold during a given year. The second set of data derives from an SPA reporting program in which about 150 of the generally larger companies report their unit sales and revenue to the SPA. The business applications sales are taken from the report and used to estimate the the total unit sales of software in the U.S. in a given year. Operating systems are excluded. The data do not constitute a random sample, but are based on voluntary self-reporting of the participating companies. This method is common in survey research and, if used with caution, the lack of randomness or representativeness of the population surveyed need not be a problem. The third set of facts is the average number of applications that users are estimated to have on their personal computers. This body of data comes from member research that is sent back to the SPA. The members obtain this information from several sources, including surveys of their own customer base and from returned registration cards. The SPA estimates that the typical DOS (or Intel-based) PC user has three applications, and the typical MacIntosh user has five. One reason that Mac users may have more than Intel-based users is the ease of use and the cross-learning between different Mac programs that reduces the learning curve and better-integrates the Mac programs with each other. The fourth datum is the average price for a software program in a given year. However, in calculating the total dollar volume of revenues lost to piracy, David Tremblay indicates that "street value" prices are factored in, rather than assuming that each program would sell for market list price. Finally, the methodology is based on the ASSUMPTION that all of the units of software that are purchased in a calendar year are purchased by or for use on PCS that are new that year. It assumes no application sales to computers purchased in previous years. These data are then plugged into a formula (figures are illustrative): 1. The PC hardware sales (in number of units) are multiplied by the number of applications used. If there are 1 million Intel-based units sold, and each has 3 commercial software applications (excluding the operating system itself), we get a figure of 3 million. 2. The number of applications used is subtracted from the number of applications purchased during that year. If 2.4 million applications are sold, the difference is 600,000. This is assumed to be the number of applications pirated. 3. The number of applications pirated is then multiplied by the average cost of a software package, which has declined from $189 in 1989 to $152 in 1991. David Tremblay candidly recognizes the methodological problems, although he feels that, on balance, the problems understate rather than overstate the level of piracy. He recognizes several market problems that could affect the estimates (the skewing directions are my own): 1) Since 1989, the average price per software application has decreased. This skews DOWNWARD the proportion of dollar losses from year to year. 2) Hardware sales have been revised downward by Dataquest, which reduces the base number of PCs on which piracy estimates are based. This skews the piracy estimate UPWARD. 3) Contrary to the assumption of "no application sales to installed base," there is evidence that an increasing percentage of software is being sold for use on existing PCs. This skews the piracy estimate UPWARD. There are additional problems. Among them: 1) The total software sales include sales of upgrades. This would seem to under-estimate the extent of illicit software, because it over-estimates the base-figure of software sold. For example, if 100 PCS are sold in a given year, and if each PC has an average of three applications, we would expect 300 applications to be sold. If, however, we find that only 270 applications are sold, the "piracy score" would be 300-270= 30; 30/300 = .1, or ten percent. If upgrades are included, and if 20 percent of sales are upgrades, that means 300-216 = 84; 84/300 = .28, or a 28 percent piracy rate. Including upgrades skews the piracy estimate DOWNWARD but the costs of piracy UPWARD. This, however, is misleading, because the base number of applications is taken for *all* PCs, not just the PCs purchased in the first year. There is no evidence to suggest that the number of applications on a PC declines overtime. The evidence, as the SPA acknowledges, is the opposite. Hence, the base-figure of total applications (3) does not give an accurate expectation of the expected number of software sales, which would dramatically inflate the base of software sales. Consider this example: Person A purchases a computer and three software programs in 1989. Person A purchases two more programs in 1990, and one in 1991. Person B purchases a computer in 1991 and three applications in 1991. Assuming that they are the only ones who purchased software or hardware in 1991, the average number of installed applications on a PC is 4.5. The number of software sales in 1991 is 4. An awkward percentage aside, The piracy score is .5 (half a program, or 12.5 percent piracy rate). In reality, all applications can be matched to sales, but the method's assumptions inflate the score. It's currently difficult to assess how severely inclusion of installed applications on previously purchased computers exaggerates the piracy figure. But, if the SPA's current piracy estimate of 20 percent is correct, even a small influence would produce a dramatic inflation of the estimate. The SPA's method of including all installed applications in its base data, while restricting comparison to only applications purchased in the most recent year, is to my mind a fatal flaw. In short, the applications on a PC include not only applications purchased the first year, but also include all those collected in subsequent years. Further, even if upgrades are included (which would push the piracy score DOWNWARD), the price of upgrades at street prices is generally a fraction of cost for a program's first-purchase, and failing to take this into account skews loss of revenue UPWARD. 2) A second problem involves the reliability (consistency) and validity (accuracy) of reporting methods of company-generated data, especially registration card data. It cannot be assumed that the methodological procedures of different reporting companies are either consistent among themselves (which means they may not be reporting the same things) or that their procedures are uniformly accurate. Differing definitions of concepts, variations in means of tracking and recording data, or differences in representative are but a few of the problems affecting reliability and validity. This could skew estimates EITHER upward or downward. 3) The value of lost revenue also is dramatically inflated by other questionable assumptions. For two reasons, it cannot be assumed that every unpurchased program represents a lost sale. First, there is no evidence to support, and much evidence to challenge, the assumption that if I did not possess a copy of dBase or Aldus Pagemaker "borrowed" from my employer that I would purchase it. The ethics of such borrowing aside, such an act simply does not represent nearly $1,000 of lost revenue. Second, as an actual example, I (and many others at my university) have dBase and Word Perfect (and many other programs) licitly installed on a home or office PC. These two programs alone have a street value of about $700. I would include them as "installed" programs in a survey. However, I did not purchase either program. Hence, they would not show up in sales statistics, and would therefore be attributed to "piracy." But, I did not obtain them illicitly. They were obtained under a site license and are installed licitly. Consider another example. When I purchased a PC in 1988, it came (legitimately) loaded with two programs. I bought two more. Now, I have four legitimate programs loaded, but only two would show up in normal sales figures. It would seem, from the statistics, that I had two "pirated" programs--two purchased, two unpurchased, even though there were none. BOTH the piracy score and the lost revenue estimate are skewed UPWARD. Although the subject of a separate article, the SPA's method also fails to consider the possibility that casual copying and sharing may enhance rather than reduce sales by creating a "software culture" and increasing the visibility and end-user facility with the products. If sales are increased, it would skew the lost revenues UPWARD. Whatever the result, this is an assumption that cannot be discarded without strong empirical evidence. These are just a few of the problems that inflate the overall picture of piracy and why I cannot accept the figure given by the SPA as accurate. And, if the piracy rate for 1991 is only about 20 percent (and in decline), it would appear that--even if the problem is only mildly inflated--the losses are far, far less (and the problem therefore not as severe) as anti-piracy advocates claim. Yet, despite dramatic evidence of decline on a variety of key indicators, SPA rhetoric, its advocacy for broader and more punitive legislation, and its lucrative aggressive litigation campaigns continue to escalate. A caveat: David Tremblay, the SPA Research Directory, makes no claims about total accuracy. He is also aware of and quick to point out some of the methodological problems. He would not agree with my view of at least some of the problems, and perhaps has antidotes for others. In my own discussions with him, he was careful not to speak beyond the data, and--like any good methodologist--approached the task of calculating piracy as a puzzle. His own attitude, if I understood him correctly, was that he's more than willing to modify the method with a better procedure if one can be pointed out. Perhaps I misunderstood him, but I was continually left with the impression that his goal was not to "prove" a preferred outcome, but to refine the data and method to provide as accurate an estimate possible, whatever answer it might provide. In short, he has no preconceived ideological ax to grind in coming up with his figures. It should be noted that if a different methodology were used, it is quite possible that both the extent of piracy and the lost revenue costs *could* be much higher than the SPA's estimates. However, at stake is *this* methodology. Contrary to SPA claims, *this* methodology appears to INFLATE the frequency and costs. This, however, does not alter the fact that SPA press releases and other material appear to manipulate the data to promote a distorted image of piracy. We can agree that there are those who unethically (and illegally) profit from piracy, and we can agree that if one uses a commercial software program regularly, payment should be made. This does not mean that we must also accept the dramatic image of rampant piracy and multi-billion dollar revenue loss by casual "chippers." Software piracy is, according to SPA data, in dramatic decline. Evidence suggests that this decline is the result of education and awareness, rather than coercive litigation. At stake is not whether we accept ripoff, but rather what we do about it. The statistical method and its results do not seem sufficient to warrant increased demands for tougher piracy laws or for expanding the law enforcement attention to address what seems to be a declining problem. If I am correct in judging that the SPA's estimate of piracy is significantly inflated, then it seems that they are engaging in hyperbole to justify its highly publicized litigation campaign. Some might find this a good thing. My own concern, however, is that the litigation campaign is a revenue-generating enterprise that--to use the SPA's own promotional literature--resembles a law unto itself, more akin to a bounty hunter than a public-interest group. The SPA appears to have an image problem, and the root of the image problem lies in some critics see as speaking beyond the data in describing piracy and in using the law to fill its coffers. It is unfortunate that the many valuable things the SPA does are overshadowed by its self-laudatory high-profile image as a private law enforcement agency. The methodology underlies an ideological opposition not just to intellectual property, but to human interaction and socal norms. In promoting a zero-tolerance attitude toward a strict definition of "piracy" and rigid adherence to the limitations of shrinkwrap licenses, the SPA would isolate the causal swapper and criminalize along with major predators non-predators as well. As Richard Stallman, a promoter of freeware, argues in the first issue of _Wired_ Magazine (p. 34), violation of shrinkwrap is called piracy, but he views sharing as being a "good neighbor:" I don't think that people should ever make promises not to share with their neighbor. It's that gray area between being a good neighbor and crossing over into unacceptable behavior that, to my mind, poses the dilemma over which there is room for considerable honest intellectual disagreement. ------------------------------ End of Computer Underground Digest #5.11 ************************************