Computer underground Digest    Sun Feb 7, 1993   Volume 5 : Issue 11
                           ISSN  1004-042X

       Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
       Archivist: Brendan Kehoe
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
       Copy Editor: Etaion Shrdlu, Junoir

CONTENTS, #5.11 (Feb 7, 1993)
File 1--Introduction to a Chat with the SPA
File 2--A Chat with the SPA
File 3--How does the SPA Calculate Piracy?

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be
contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at:
Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL0 and DL12 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;" on the PC-EXEC BBS
at (414) 789-4210; in Europe from the ComNet in Luxembourg BBS (++352)
466893; and using anonymous FTP on the Internet from ftp.eff.org
(192.88.144.4) in /pub/cud, red.css.itd.umich.edu (141.211.182.91) in
/cud, halcyon.com (192.135.191.2) in /pub/mirror/cud, and
ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
European readers can access the ftp site at: nic.funet.fi pub/doc/cud.
Back issues also may be obtained from the mail server at
mailserv@batpad.lgb.ca.us.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited.  Some authors do copyright their material, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

----------------------------------------------------------------------

Date: 29 Jan 93 23:49:21 CST
From: Jim Thomas <tk0jut2@mvs.cso.niu.edu>
Subject: File 1--Introduction to a Chat with the SPA

Over the past few months, CuD talked with severeal SPA staff about
their organization, goals, tactics, and membership. In CuD # 4.63, we
reposted several SPA position papers and summarized their broad goals.
Here, we attempt to present in more detail the SPA's view of its
organization, mission, and activities from their perspective.

We began our inquiry into the SPA knowing little about them other than
what we had read in the press. Press accounts seemed taken primarily
from SPA literature, which leave a number of questions unasked. We
also were initially influenced by the rumors and other sources of
information that portrayed the SPA as an evil entity inclined to
invoke the law for its own narrow interests.  Between these two
extremes--an altruistic group devoted to high ideals and an
opportunistic frontier sheriff, we found considerable middle ground
and support for both views.

The SPA is divided into two fairly distinct, but somewhat overlapping,
groups. The  first, represented by the SPA's General Fund, provides
the same services for members that any solid professional organization
does. It provides support, conferences, information, and other
assistance for members. The bulk of the SPA's activities are devoted
to these services, and from all accounts they do it well and take
justifiable pride in their accomplishments.  The second, represented
by the SPA's Copyright Protection Fund (CPF) garners the publicity and
raises the questions that prompted our initial inquiries.  Although
linguisticially awkward, the SPA calls each segment a "fund," rather
than a group or a division.  Some have called the CPF cyber-tech
bounty hunters for its aggressive style in pursuing its targets and
using the threat of law to obtain out-of-court settlements that have
been has high as a half-million dollars. Those whom the SPA represent
justifies this style as a necessary method to protect software authors
from potential predators whose actions, if unchecked, reduce the
compensation for intellectual property.

We have said it before, and we'll repeat it: Both CuD editors are
unequivocally opposed to all forms of predatory behavior, whether by
the lawless or by those who ostensibly defend law.  We strongly
believe that if one obtains software, whether conventional copyright
or shareware, and uses it regularly, it should be purchased. Period.
This is the official position of CuD, and it is the strong personal
view of both editors.

However, we also judge the "zero-tolerance" approach to copying and
distributing unpurchased software both unreasonable as a legal and
ethical stance, and ultimately unhealthy for the software industry and
for end-users. The recent passage of PL 102-561, the federal
anti-piracy bill (formerly S893) is an example of a bad law that
over-criminalizes "piracy," creates a broad category of offenses that
lump both minor lapses in judgement with serious predations, provides
an easy means for prosecutorial abuse, and gives a coercive weapon to
groups inclined to seek out-of-court settlements.

We are of two minds about the SPA. On one hand, their commitment to
members interests, their willingness to engage in educational
activities to raise the consciousness of end-users' obligations to
software publishers, and their devotion to their cause are laudable.
On the other hand, some of their tactics raise ethical questions, and
their hard-line stance on "zero-tolerance" are not.

Our intent in this and subsequent discussion of the SPA (and the
Business Software Alliance) is not simply to criticize them.
Instead, we hope to raise some of the issues underlying their methods
and philosophy for the purpose of striking a balance between the
rights of *both* publishers and users.

In our discussions, we found the SPA staff without exception to be
friendly and cooperative.  They patiently answered repetitious
questions and promptly provided information that we requested.
Although we doubt that anything we say in CuD will influence them one
way or the other, we hope they interpret our critiques in subsequent
issues in the collegial spirit intended, and we invite them to engage
in dialogue with the past and future comments that we and other
readers provide.

One might ask why the SPA should bother engaging in dialogue in
Cu-Digest. Let me suggest a few reasons:

1) CuD's readers are primarily professional (computer types,
attorneys, law enforcement, media) and discussion would reach at least
40,000 people, probably closer to 60,000.  Readers are obviously
computer-literate, and most are affected in some way by intellectual
property issues.

2) Engaging in dialogue is healthy. Conflicting views, when publicly
aired, can lead to sharpening of and changes in public thinking.

3) The SPA may have an image problem. Whatever they think they do,
their actions are clearly misunderstood by many people. Public
dialogue would give them the opportunity to reflect on the image and
to assess if it's the one most-appropriate to their goals.

4) The SPA's goal of educational outreach would be served by
contributing to the dialogue in CuD. Outreach is invaluable in
challenging  people's thinking, raising issues, and imparting
information. For the SPA, the value is not whether people accept or
reject their methods, but rather that the simple act of discussing
them publicly serves to raise awareness about the problems and
stimulate people to think in new ways about proprietary information
for them. It's a no-lose situation for them.

5) The SPA staff came across as dedicated, well-meaning, and
honorable, which suggests that they would welcome a public dialogue.

We look forward to hearing from them.

------------------------------

Date: 30 Jan 93 01:03:34 CST
From: Jim Thomas <tk0jut2@mvs.cso.niu.edu>
Subject: File 2--A Chat with the SPA

((MODERATORS' NOTE: The following is a summary of conversations with
SPA personnel between October, 1992 and January, 1993.  The contacts,
especially Terri Childs (SPA Public Relations Manager), Illene
Rosenthal (SPA General Counsel), David Tremblay (Research Director),
and Katherine Borsecnik, were patient, cordial and open. They also
spoke slowly, allowing for occasional verbatim note-taking.
The narrative attempts to present the SPA from their own perspective.
We strongly encourage rational responses that address the issues raised)).

THE ORIGINS OF THE SPA

Ken Wasch, the founder and Executive Director of the SPA, was an
attorney working for the federal government in 1984.  Perhaps because
the Beltway is an environment teeming with trade associations, he
recognized a need for a trade association for the rapidly growing PC
software industry.  Unlike a professional association, which supports
individuals in furthering their professional career, a trade
association furthers the interests of companies in furthering their
enterprise.  He perceived a need, and he hoped to fill the vacuum.
When 25 software companies signed up, the SPA officially came into
existence as a non-profit organization. His motivation, according to
one SPA staff person, was that he simply liked the software industry
and wanted to further its goals.  The SPA was officially founded on
April 5, 1984.  Its current staff of about two dozen people provides a
variety of services to software publishers and others.

SPA MEMBERSHIP

Unlike some associations, such as the Business Software Alliance, SPA
membership is open to any legitimate software or trade-related
company.  SPA membership reached 1,000 in fall of 1992, and continues
to grow.  As a trade association, it represents companies, *not*
individuals.  So, if an individual wants to join, they do so as a
company.  About two-thirds of the members are software developers, and
one-third are companies who support the software industry, including
venture capitalists, market researchers, public relations firms, and
companies whose clients are software manufacturers.  The diversity of
membership is seen as one strength of the SPA, because it infuses a
variety of ideas and perspectives into programs and policy.

DUES AND BUDGET: SPA dues are assigned on an "ability-to-pay" sliding
scale, depending on the company's annual revenues. Dues range from
$750 to $125,000 a year. About 60 percent of the members pay in the
three lowest categories, which are $750, $850, and $1,000.  Annual
dues for a small software company are about the same as the costs for
a one-year family subscription to cable a cable television full
service, and are therefore not prohibitive even for the smallest
companies.

EDUCATIONAL AND COPYRIGHT FUNCTIONS:

The SPA is divided into two divisions, each with a separate operating
budget. The first, the GENERAL SPA FUND, is the association's main
group with an annual operating budget of about $4.5 million. The
second, the COPYRIGHT PROTECTION FUND (CPF), has a budget of about
$2.86 million for fiscal year 1993.  The term "fund" is used to refer
to each group, and does not refer only to a pool of money.

The general fund provides for rent, maintenance, conferences, and
salaries for the non-copyright protection personnel.  The copyright
Protection Fund's budget provides for enforcement, educational
outreach activities such as producing videos, going into schools, and
publishing SPA brochures, which are given away or at nominal cost. The
question of how much the SPA spends on education is complex, because
both groups engage in educational activities.  According to Katherine
Borsecnik:

     Remember, our primary mission is to serve our members, who
     are primarily software publishers. The copyright protection
     fund is a separate fund that pays for all our anti-piracy
     work, both the litigation and the education. The kind of
     education that you mention, going into schools, or going
     into businesses, or general speeches, all of that is related
     to copyright and intellectual property, so it all comes out
     of Copyright Protection Fund. We have a very large
     education budget in the general fund that goes for things
     like conferences for our members in the software
     industry. . . . I think we're talking about two different
     things here.  You're talking about general education as
     anti-piracy stuff. . . . So, the $2. 86 million budget includes
     speeches, brochures, videos, and other information that goes
     to end users. . . They are more expensive, because we do them
     in large quantities, than our legal expenses.

The SPA's anti-piracy activities are its most visible and dramatic,
but they constitute only a portion of what the SPA does for members.
Ms. Borsecnik explained:

    There's a laundry list of member benefits. We do a lot of market
    research.  A lot of companies join because that market
    research is very valuable to them, and they'd never get the
    kind of research that we do. So we do tons of market
    research. We track sales in 25 diferent software categories
    every single month. We also do market-specific end-user
    studies....

    And then we have a sales certification program, sort of like
    in the recording industry, gold and platinum, and these are
    programs that help companies with marketability programs,
    those little labels they put on the box that say "certified,
    100,000 sold" or whatever.

In addition, the general division does consumer and end-user studies
on education, provides salary studies, and distributes publications
that include newsletters, a recently-published book on distribution
channels, and lengthy articles. They also host three conferences a year.
They conduct an annual awards presenation modeled on the academy
awards, and this year 525 products are being nominated for 25
categories of awards.

THE COPYRIGHT PROTECTION FUND

The Copyright Protection Fund's staff includes one clerical position,
an administrative assistant, two or three non-attorney investigators,
and Illene Rosenthal, the SPA's general counsel and overseer of the
CPF. She and Ken Wasch, the SPA's Executive Director, are the
only two attorneys on staff.

The Copy Right Protection Fund, formed in 1985, is a separate subset
of the SPA.  It was initially set up and funded by contributions by
some of the members to help "prime the pump" in the SPA's anti-piracy
efforts.  After that initial pump-priming, it has been entirely
self-funded by litigtion settlements. A separate committee directs the
staff a to what kinds of actions to take and is the overseer of the
anti-piracy's efforts.  Similar to a board of directors, the committee
includes members from the software industry.  The dual goals are to
educate the public about acceptable software use and copyright law and
to litigate against those judged to abuse copyright law.  The fund
filed its first suit in March, 1988, against "The Clone Store," a San
Leandro, Calif., computer dealer.  The case was settled out of court
for $10,000.

The CPF has generated considerable publicity for its aggressive
reactive opposition to software piracy, but education, not
enforcement, is the division's professed primary goal. According to
staff.

The CPF produces brochures explaining copyright protection for
end-users, promotes awareness of the problem of "soft-lifting," a term
for using unauthorized copyright software akin to shoplifting, and
delivers its anti-piracy message to schools, business, and others.
The SPA's rap-video, "Don't Copy that Floppy" (reviewed in CuD #4.63)
is available at no cost.  The SPA has also developed a program called
SPAUDIT intended to help end-users, especially companies and schools,
identify over 650 software programs of members that might be installed
on a personal computer.  The program allows a user to first identify
which programs exist, and then sort out and remove those that might be
unpurchased.  The program is about 43K and quite easy to use. However,
in using it on my own system, it identified 13 programs, but at least
four of the "hits" were false in that these programs were not on my
system.  Nonetheless, the program, even if not particularly accurate,
possesses a symbolic function in that it raises the consciousness of
system supervisors and helps establish an ethos of attention to
outside software on "the boss's" computer.

THE CPF--SOFTWARE POLICE?

The CPF actively promotes a self-image of "software cop."
The June 17, 1991, issue of Information Week carried a cover graphic
similar to a 1940s' comic book: Two respectable looking office workers
are in their office when a super-hero in a suit and trenchcoat bursts
through the door, knocking it off its hinges. "Nobody Move! Keep your
hands away from those keyboards," he says. "Oh my gosh! It's the
SPA!!" exclaims a shocked male worker. "QUICK! Stash the disks!!" says
the female. Other advertisements, which it either sponsors or
endorses, carry the same law-and-order/piracy-will-get-you-jailed
theme.  According to Ms. Rosenthal, the ads and the motif are intended
to be humorous and not necessarily literal, but they nonetheless
symbolize what many observers see as a simplistic ethos of harshly
punitive responses to what in fact is a complex problem. Whether
justified or not, the SPA has the reputation of simply "not getting
it" when it comes to possession or use of unpurchased software.  It is
not that the SPA's critics condone theft or support the practice of
regularly and intentionally violating copyright protections. Rather,
critics point to what they judge to be questionable tactics in the
SPA's war on piracy.  The SPA responds by stressing that the rights of
software publishers must be protected from rip-off and deprivation of
fair compensation for their labor.

TARGETING "PIRATES"

Contrary to public perception, SPA personnel indicate that they do not
target a particular group or type of offender.  They respond to each
case individually and target those for whom there is "clear evidence"
of abuse. Despite their reputation for threats of litigation, they
stress that their primary strategy is to obtain voluntary compliance
with copyright law.  CuD asked several staff members to explain,
step-by-step, how they respond to a complaint of copyright violations.

First, the SPA receives information from employees, whistle-blowers,
or private citizens who call its highly publicized "anti-piracy"
hotline (800-388-PIR8).  They receive between 50-150 calls a week, but
only about 2 to 10 of these are pursued. The first step in pursuing a
case is to obtain as much information as possible. According to Illene
Rosenthal:

     We want to know how long the person's been working,
     where they've been working, what the relationship is they
     have with the company....Obviously, we want to know as
     much as possible. We want to know where the person
     worked, how long they've worked there, how they know this
     information, whether or not they've discussed it with
     management, basically, everything you do in an
     investigation.  What specific programs are involved, how
     many programs, illegal programs, there are.  This kind of
     information you're going to get over several phone calls.
     You're not going to necessarily get it on the first phone
     call. But, we do a thorough investigation, and when we're
     comfortable with that information, what we're going to do
     is pursue the case. If we're not comfortable with that
     information, obviously we're not going to pursue the
     case.

Depending on the evidence, the seriousness of the alleged offense, and
the motivation, one of several courses of action exist.  The first is
THE RAID, which involves entering the alleged offender's premises and
searching the computer system(s). Second is an AUDIT LETTER, in which
the SPA provides a target with an opportunity to voluntarily comply
with a request to examine hard drives for "unauthorized" software. Third
is a CEASE AND DESIST LETTER, which is a letter notifying an alleged
offender that they may be in violation of copyright law and provides
the target with the opportunity to voluntarily stop the perceived
offense and avoid further action.  The letter option allows the
company or BBS to do its own investigation and report back to the SPA.

The decision on which option to invoke depends on a number of criteria
on a case-by-case basis. According to Ms. Rosenthal:

     We discuss this in a group of about seven of us, and we sit
     down and discuss the cases, and we'll throw out the
     various factors and sometimes we'll say, "Look, I need more
     information," and they'll get back to the source to get more
     information. But, ultimately, you get the information you
     need so that you can feel as comfortable as possible taking
     whatever action you decide to pursue or not pursue in a
     given case. . . .We really look at each case on a
     case-by-case basis. It's not that we're looking for
     particular types of industries or particular types of
     organizations. It's the information that comes out, the
     quality of the information, the credibility of the
     informant, the seriousness of the violation, the
     willfulness of the violation, they're just all factors
     that go into it.

The AUDIT LETTER presumes good faith on the part of the target.  It
requests permission for SPA personnel to conduct a software audit on
the premises. In return, the SPA will forgo litigation.  The SPA's
Background Information brochure identifies four principles in the SPA
software audit:

1. An SPA representative observes as the directories of each PC are
printed.

2. Directory information is compared with purchase records.

3. The company agrees up front to make a penalty payment to the SPA
Copyright Protection Fund in the amount equal to the retail price of
each illegal software program found during the course of the audit.

4. All unauthorized copies are destroyed, and the audited
company agrees to replace them with legitimate copies.

Critics argue that this policy constitutes a double penalty.
First, they claim, there is the equivalent of a coerced fine
in payment of software costs. Second, purchasing a copy of
each product found may exceed what some companies need or
even were aware they had on the systems. SPA supporters
counter by arguing the payments are voluntary and if the
company feels an injustice has occured, they are able to
pursue it through the litigation option.

According to SPA staff, it would be difficult for the target to erase
"evidence," because auditors normally have prior information of what
software exists and where it is located.  "People have tried that
before and gotten caught," say staff.  Staff also indicate that, when
they choose an audit option, they normally have a source of
information to inform them of whether the target is answering in good
faith or not.  Although this presumably means an "inside source," SPA
staff stopped short of saying that it necessarily meant that the
informant was still employed for or involved with the target:  "We
always have access to information when we send out the audit letters,"
according to Ms. Rosenthal.  What happens if a target says "no!" to an
audit letter?  "We sue 'em," she said.

The CEASE AND DESIST LETTER, the least intrusive of the options,
conveys the threat of a suit if the recipient fails to comply, but
generally the letter accomplishes the goal.

Although the SPA has NEVER actually gone to court against an alleged
software transgressor, to date they have initiated about 150 civil
actions. All have been settled out of court, largely on the basis of
the evidence. According to the SPA General Counsel, in only one case
has the SPA been "wrong." The SPA's Background Information sheet
(July, 1992), indicates that the Copyright Protection Fund's first law
suit was filed in March, 1988, against "The Clone Store," a San
Leandro, California, computer dealer.  The case was settled for
$10,000. In a larger settlement, the SPA won $350,000 (plus attorneys'
feels) in a settlement against Parametrix, Inc., a Seattle-based
environmental and engineering consulting firm in 1991.  The
information sheet also reveals that in 1991 the SPA won a settlement
with the University of Oregon Continuation Center for $130,000, which
included an agreement that the University organize and host a national
conference in Portland, Oregon, on copyright law and software use.
The University denied the allegations and, according to the University
legal counsel, the settlement in no way implied an admission or
concession of guilt.

Why would a company chose to settle if they are innocent?  According
to one trial lawyer, it is often the most economically feasible.
Trials are costly, and even winning a case can be more costly than a
settlement. To lose can be even more costly.  Hence, settling without
an admission of guilt, as insurance and other companies have learned,
can be the most rational strategy.

When calculating the dollar amount of a settlement, SPA personnel look
at a number of factors, including the amount of unlicensed software on
a system. However, staff indicate that rarely will they include or
respond to non-members' software that might be present, and focus
instead on their memberships' programs. Nor do members share in
settlement fees.  All monetary awards are returned directly into the
Copyright Protection Fund to pay for education, salaries, and
other expenses. Ms. Borsecnik added:

     All of the money for our settlements goes back into the
     Copyright Protection Fund. The philosophy behind that is
     that that's how we produce the educational materials.
     Because, with the exception of one book that we charge for,
     all of our materials are either free or nominal cost because
     of postage.  So our settlements help us continue our
     educational activities.  The companies that pay membership
     dues don't pay for what we do on behalf of them in
     copyright. It's all self-funded. They pay us money, and we
     do a lot of other things. . . .education and publications, and
     just tons of stuff we do that have nothing to do with
     piracy.  Those things are our primary mission. Piracy is
     something in addition we do for them. They don't pay us
     extra to do that.

SPA personnel resist the accusation that they are more interested
in litigating than in broader educational activities.
According to the General Counsel:

     Our primary strategy is to get people to voluntarily comply
     with the software laws. And, we do that by a two-fold
     approach. The first is that we have an extremely effective
     and extremely good educational program. We give over a
     hundred lectures a year about the copyright laws and how to
     manage software, we give a lot of free material, we have the
     SPA audit kit, we have brochures that we give away for
     free--we've given away over 60,000 brochures that, in
     English, tell you what the copyright law is and what you
     have to do to comply, we have videos that talk to you about
     the software laws for about 12 minutes, we have educational
     videos that we give to schools for free.

However, the SPA does feel that voluntary compliance requires
a threat, as the General Counsel explains:

   ((As a criminologist)), you're certainly aware that people are
   unlikely to comply voluntarily if they think that there's no
   risk to complying.  This is the perfect situation of where you
   really have to have some reasonable threat of enforcement or
   there's really no incentive for most people to comply.

There is considerable debate among criminologists over the degree to
which coercion is necessary to constrain behavior, and according to
SPA data, software "piracy" steadily declined from 1989 to 1991.  1992
data is not yet available.  In 1989, they estimated that about 48
percent of PC was pirated, declining to 37 percent in 1990, and 22
percent in 1991.  This trend seems to challenge the view that
aggressive litigation has contributed to the decline, because the
heaviest SPA litigation and corresponding publicity has occured in the
past two years.  Critics would suggest that education and emphasis on
"computer ethics" has been far more successful in curtailing illicit
use.

THE SHRINK-WRAP LICENSE

There is considerable disagreement between attorneys and others over
the legal status of shrinkwrap licenses.  The SPA adheres to the view
that the shrinkwrap license is a legally binding agreement between an
end-user and the software author. A SHRINK-WRAP license is so-named
because most software programs come in a cellophane wrapping that
seals it.

The typical shrinkwrap licence, as typified by the package that
Microsoft's DOS 5.0 came in, provides among other things that 1) The
software is owned by the manufacturer, and the user is only licensing
it; 2) The user may install the program on one and only on one disk;
3) Only one backup/archival and no others may be made; 4) The user may
not decompile or disassemble the program; and 5) If the program is
transfered or given to another, no copies may be retained by the
original user.

Despite the many criticisms of these licenses, the SPA argues that
unsealing by breaking the cellophane is an explicit and unalterable
agreement that the user will abide by whatever restrictions on use and
copying are contained in the small print.  Although nothing on point
has been established in a court of law, the SPA defends shrinkwrap as
a valid contract.  Others, however, aren't so sure (see Lance Rose's
commentary in CuD 5.06).

SUMMARY

Whether one supports or opposes the SPA's methods, several points seem
clear:

1) The SPA is committed to serving its members, and does so
aggressively.

2) When discussing the SPA, care should be taken to distinguish
between its general activities and the Copyright Protection Fund.

3) The SPA's actions have been instrumental in raising the issues of
software piracy to a level that demands public dialogue regarding
whether and/or where an acceptable line should be drawn between
"zero-tolerance" and permissable fair-use.

4) The issues raised by the SPA's aggressive anti-piracy campaign
extend beyond a single organization or policy. They raise issues of
reconciling competing interests--those of publishers and
end-users--and of identifying appropriate social responses to alleged
transgressions. The issues also include resolving the problem of
applying familiar legal and ethical concepts and theories to changes
brought by revolutionary technology.

The SPA certainly deserves credit for raising the issues
of software abuse. However, some of its methods continue to be subject
to severe criticism. In the interstices between "zero-tolerance" and
fair-use lies considerable room for honest intellectual disagreement.
It is not sufficient for those of us who are critical of some of the
SPA's methods to simply sit back and take shots at their method. If we
don't like the methods, we are certainly bound to criticize them, but
we are also obligated to develop constructive alternatives to balance
the rights of both users and publishers. Among the questions we pose
to readers:

1) What, if any, are the acceptable limits of software copying and
distribution beyond those authorized by shrinkwrap licenses?

2) What legal sanctions ought be provided for the wide range of
possible infractions that recognize extreme abuse on one hand and
casual ethical lapses on the other?

3) How might current or future laws be revised or written that would
minimize potential prosecutorial abuse on one hand, but provide
sufficient sanctions for appropriate transgressions on the other?

4) When does "fair-use" become ripoff?

These and other issues will be explored in future issues.

((CONCLUDING NOTE: We invited the SPA to read this issue prior to
publication. We delayed  it by over a week to provide them the
opportunity. We indicated that we would be amenable to correcting any
errors, and would be willing to revise whatever they found inaccurate
or unfair. I was given an email address, and it was confirmed as
correct. Several notes and two of the three files were sent. The third
was to be sent when I received confirmation of receipt. I received no
response.  I left a message on the appropriate SPA staffer's answering
machine indicating that the files had been sent and reaffirmed
encouragement to read the files and provide feedback. I received no
answer as of Feb 7.

We encourage the SPA to engage in a dialogue over the issues to be
addressed in this and coming issues. If they are as serious about
public outreach and education as they repeatedly emphasized, we hope
they welcome the opportunity to engage in a dialogue with CuD
readers)).

------------------------------

Date: 01 Feb 93 22:51:51 CST
From: Jim Thomas <tk0jut2@mvs.cso.niu.edu>
Subject: File 3--How does the SPA Calculate Piracy?

The Software Protection Association (SPA) estimates that software
piracy has declined between 1989-91. But, says the SPA, piracy still
cost the industry over $1.2 billion in lost revenues in 1991.  Critics
argue that the piracy rate and its costs are grossly over-estimated.
The SPA believes that its estimates, while perhaps imperfect,
nonetheless are quite conservative and, if anything, significantly
underestimate the extent of software piracy.  Who's right?  How does
the SPA arrive at its estimates?  The information below comes from SPA
documents and from SPA David Tremblay, SPA's Research Director.

Identifying and counting behaviors that are normally hidden presents
several methodological problems.  Calculating the extent of piracy is
no exception. First, there is no victim in the traditional sense.
There are no snatched purses, dead bodies, empty bank accounts,
trashed computers, or other directly obvious signs of predation.
Therefore, we rarely have direct knowledge of an alleged "offense."
Second, the concepts used to define or measure an "offense" can pose
particular problems, because definitions are subject to imprecision.
Third, "victims" of piracy are often unaware that they are victims
until informed by someone who measures victimization, such as the SPA.

The "DARK FIGURE OF CRIME" is the knowledge-gap between crimes KNOWN
to have occured and crimes that ACTUALLY occured.  No existing
methodolgy can precisely measure this dark figure, and even the most
sophisticated provide only approximations.  It's therefore not
surprising that the SPA's attempts to measure the "dark figure of
piracy" face methodological problems.

The Methodology

Four sets of facts and an assumption underlie the SPA's methodology.
One set of facts is hardware sales from Dataquest, a marketing
research company in San Jose, Calif.  The calculations begin by
determining the number of Intel- and MacIntosh-based PCs sold during a
given year.

The second set of data derives from an SPA reporting program in which
about 150 of the generally larger companies report their unit sales
and revenue to the SPA.  The business applications sales are taken
from the report and used to estimate the the total unit sales of
software in the U.S. in a given year.  Operating systems are excluded.
The data do not constitute a random sample, but are based on voluntary
self-reporting of the participating companies. This method is common
in survey research and, if used with caution, the lack of randomness
or representativeness of the population surveyed need not be a
problem.

The third set of facts is the average number of applications that
users are estimated to have on their personal computers.  This body of
data comes from member research that is sent back to the SPA.  The
members obtain this information from several sources, including
surveys of their own customer base and from returned registration
cards. The SPA estimates that the typical DOS (or Intel-based) PC user
has three applications, and the typical MacIntosh user has five. One
reason that Mac users may have more than Intel-based users is the ease
of use and the cross-learning between different Mac programs that
reduces the learning curve and better-integrates the Mac programs with
each other.

The fourth datum is the average price for a software program in a
given year.  However, in calculating the total dollar volume of
revenues lost to piracy, David Tremblay indicates that "street value"
prices are factored in, rather than assuming that each program would
sell for market list price.

Finally, the methodology is based on the ASSUMPTION that all of the
units of software that are purchased in a calendar year are purchased
by or for use on PCS that are new that year. It assumes no application
sales to computers purchased in previous years.

These data are then plugged into a formula (figures are illustrative):

1. The PC hardware sales (in number of units) are multiplied by the
number of applications used. If there are 1 million Intel-based units
sold, and each has 3 commercial software applications (excluding the
operating system itself), we get a figure of 3 million.

2. The number of applications used is subtracted from the number of
applications purchased during that year. If 2.4 million applications
are sold, the difference is 600,000. This is assumed to be the number
of applications pirated.

3. The number of applications pirated is then multiplied by the
average cost of a software package, which has declined from $189 in
1989 to $152 in 1991.

David Tremblay candidly recognizes the methodological problems,
although he feels that, on balance, the problems understate rather
than overstate the level of piracy.  He recognizes several market
problems that could affect the estimates (the skewing directions are
my own):

1) Since 1989, the average price per software application has
decreased. This skews DOWNWARD the proportion of dollar losses from
year to year.

2) Hardware sales have been revised downward by Dataquest, which
reduces the base number of PCs on which piracy estimates are based.
This skews the piracy estimate UPWARD.

3) Contrary to the assumption of "no application sales to installed
base," there is evidence that an increasing percentage of software is
being sold for use on existing PCs.  This skews the piracy estimate
UPWARD.

There are additional problems. Among them:

1) The total software sales include sales of upgrades.  This would
seem to under-estimate the extent of illicit software, because it
over-estimates the base-figure of software sold.  For example, if 100
PCS are sold in a given year, and if each PC has an average of three
applications, we would expect 300 applications to be sold. If,
however, we find that only 270 applications are sold, the "piracy
score" would be 300-270= 30; 30/300 = .1, or ten percent. If upgrades
are included, and if 20 percent of sales are upgrades, that means
300-216 = 84; 84/300 = .28, or a 28 percent piracy rate.  Including
upgrades skews the piracy estimate DOWNWARD but the costs of piracy
UPWARD.

This, however, is misleading, because the base number of applications
is taken for *all* PCs, not just the PCs purchased in the first year.
There is no evidence to suggest that the number of applications on a
PC declines overtime. The evidence, as the SPA acknowledges, is the
opposite.  Hence, the base-figure of total applications (3) does not
give an accurate expectation of the expected number of software sales,
which would dramatically inflate the base of software sales.  Consider
this example: Person A purchases a computer and three software
programs in 1989. Person A purchases two more programs in 1990, and
one in 1991. Person B purchases a computer in 1991 and three
applications in 1991. Assuming that they are the only ones who
purchased software or hardware in 1991, the average number of
installed applications on a PC is 4.5. The number of software sales in
1991 is 4. An awkward percentage aside, The piracy score is .5 (half a
program, or 12.5 percent piracy rate). In reality, all applications
can be matched to sales, but the method's assumptions inflate the
score.  It's currently difficult to assess how severely inclusion of
installed applications on previously purchased computers exaggerates
the piracy figure. But, if the SPA's current piracy estimate of 20
percent is correct, even a small influence would produce a dramatic
inflation of the estimate.  The SPA's method of including all
installed applications in its base data, while restricting comparison
to only applications purchased in the most recent year, is to my mind
a fatal flaw.

In short, the applications on a PC include not only applications
purchased the first year, but also include all those collected in
subsequent years.  Further, even if upgrades are included (which would
push the piracy score DOWNWARD), the price of upgrades at street
prices is generally a fraction of cost for a program's first-purchase,
and failing to take this into account skews loss of revenue UPWARD.

2) A second problem involves the reliability (consistency) and validity
(accuracy) of reporting methods of company-generated data, especially
registration card data.  It cannot be assumed that the methodological
procedures of different reporting companies are either consistent
among themselves (which means they may not be reporting the same
things) or that their procedures are uniformly accurate. Differing
definitions of concepts, variations in means of tracking and recording
data, or differences in representative are but a few of the problems
affecting reliability and validity. This could skew estimates EITHER
upward or downward.

3) The value of lost revenue also is dramatically inflated by other
questionable assumptions.  For two reasons, it cannot be assumed that
every unpurchased program represents a lost sale.  First, there is no
evidence to support, and much evidence to challenge, the assumption
that if I did not possess a copy of dBase or Aldus Pagemaker
"borrowed" from my employer that I would purchase it. The ethics of
such borrowing aside, such an act simply does not represent nearly
$1,000 of lost revenue.  Second, as an actual example, I (and many
others at my university) have dBase and Word Perfect (and many other
programs) licitly installed on a home or office PC. These two programs
alone have a street value of about $700. I would include them as
"installed" programs in a survey.  However, I did not purchase either
program. Hence, they would not show up in sales statistics, and would
therefore be attributed to "piracy." But, I did not obtain them
illicitly. They were obtained under a site license and are installed
licitly.  Consider another example. When I purchased a PC in 1988, it
came (legitimately) loaded with two programs. I bought two more.  Now,
I have four legitimate programs loaded, but only two would show up in
normal sales figures. It would seem, from the statistics, that I had
two "pirated" programs--two purchased, two unpurchased, even though
there were none.  BOTH the piracy score and the lost revenue estimate
are skewed UPWARD.

Although the subject of a separate article, the SPA's method also
fails to consider the possibility that casual copying and sharing may
enhance rather than reduce sales by creating a "software culture" and
increasing the visibility and end-user facility with the products.  If
sales are increased, it would skew the lost revenues UPWARD.  Whatever
the result, this is an assumption that cannot be discarded without
strong empirical evidence.

These are just a few of the problems that inflate the overall picture
of piracy and why I cannot accept the figure given by the SPA as
accurate. And, if the piracy rate for 1991 is only about 20 percent
(and in decline), it would appear that--even if the problem is only
mildly inflated--the losses are far, far less (and the problem
therefore not as severe) as anti-piracy advocates claim.  Yet, despite
dramatic evidence of decline on a variety of key indicators, SPA
rhetoric, its advocacy for broader and more punitive legislation, and
its lucrative aggressive litigation campaigns continue to escalate.

A caveat: David Tremblay, the SPA Research Directory, makes no claims
about total accuracy. He is also aware of and quick to point out some
of the methodological problems. He would not agree with my view of at
least some of the problems, and perhaps has antidotes for others.  In
my own discussions with him, he was careful not to speak beyond the
data, and--like any good methodologist--approached the task of
calculating piracy as a puzzle. His own attitude, if I understood him
correctly, was that he's more than willing to modify the method with a
better procedure if one can be pointed out.  Perhaps I misunderstood
him, but I was continually left with the impression that his goal was
not to "prove" a preferred outcome, but to refine the data and method
to provide as accurate an estimate possible, whatever answer it might
provide. In short, he has no preconceived ideological ax to grind in
coming up with his figures.

It should be noted that if a different methodology were used, it is
quite possible that both the extent of piracy and the lost revenue
costs *could* be much higher than the SPA's estimates. However, at
stake is *this* methodology. Contrary to SPA claims, *this*
methodology appears to INFLATE the frequency and costs.

This, however, does not alter the fact that SPA press releases and
other material appear to manipulate the data to promote a distorted
image of piracy. We can agree that there are those who unethically
(and illegally) profit from piracy, and we can agree that if one uses
a commercial software program regularly, payment should be made. This
does not mean that we must also accept the dramatic image of rampant
piracy and multi-billion dollar revenue loss by casual "chippers."
Software piracy is, according to SPA data, in dramatic decline.
Evidence suggests that this decline is the result of education and
awareness, rather than coercive litigation.  At stake is not whether
we accept ripoff, but rather what we do about it. The statistical
method and its results do not seem sufficient to warrant increased
demands for tougher piracy laws or for expanding the law enforcement
attention to address what seems to be a declining problem.

If I am correct in judging that the SPA's estimate of piracy is
significantly inflated, then it seems that they are engaging in
hyperbole to justify its highly publicized litigation campaign.  Some
might find this a good thing. My own concern, however, is that the
litigation campaign is a revenue-generating enterprise that--to use
the SPA's own promotional literature--resembles a law unto itself,
more akin to a bounty hunter than a public-interest group. The SPA
appears to have an image problem, and the root of the image problem
lies in some critics see as speaking beyond the data in describing
piracy and in using the law to fill its coffers. It is unfortunate
that the many valuable things the SPA does are overshadowed by its
self-laudatory high-profile image as a private law enforcement agency.

The methodology underlies an ideological opposition not just to
intellectual property, but to human interaction and socal norms.  In
promoting a zero-tolerance attitude toward a strict definition of
"piracy" and rigid adherence to the limitations of shrinkwrap
licenses, the SPA would isolate the causal swapper and criminalize
along with major predators non-predators as well. As Richard Stallman,
a promoter of freeware, argues in the first issue of _Wired_ Magazine
(p. 34), violation of shrinkwrap is called piracy, but he views
sharing as being a "good neighbor:"

     I don't think that people should ever make promises not to
     share with their neighbor.

It's that gray area between being a good neighbor and crossing over
into unacceptable behavior that, to my mind, poses the dilemma over
which there is room for considerable honest intellectual disagreement.

------------------------------

End of Computer Underground Digest #5.11
************************************