The Copy Protection Dilemma

The protection of intangible intellectual property rights -- such as software, recorded music, videos, etc. -- has been a sticky issue for decades, starting with the invention of the audio tape and gaining momentum as a serious concern for IP creators once DAT, CD-R, DVD-R, and even VHS rolled around. Unfortunately there is a fundamental tension between the right of the consumer to enjoy purchased material, unimpeded, and the right of the IP holder to ensure that their material is not illegally distributed or shared. This article surveys some of the issues involved with this controversial topic.

Cultural Acceptance of Piracy

I think most consumers accept that IP holders deserve to be compensated for their work. At the same time, it seems that the bulk of people who can get something "for free" will do so if there is minimal moral stigma associated with that action. Theft of physical property carries that stigma -- if a friend bragged about how he just stole a car and now had free transportation, most good citizens react negatively. But theft of digital property does not carry that same opprobrium -- if a friend brags about how he downloaded the latest [Insert Favorite Musician] CD illegally, most people don't care, and some would even ask for a copy. I have found that even reasonably financially secure acquaintances of mine that can afford CDs, DVDs, or software will often attempt to pirate first just on general principle -- if it's free, why should I just "throw away" money?

And herein lies the biggest problem: American society does not believe that piracy is a bad thing. Now, if you ask someone if piracy is bad, they'll say "Yes." But they'll say it's "bad", in quotes, indicating that it's not really bad. Yeah, I guess piracy is "bad", but whatever. Until there is a societal shift in point of view, all the technology and legal wrangling used to enforce IP holder rights is an unsteady bulwark against the public's apahy towards IP protection.

There are numerous strategies to address this problem, with varying levels of practical effectiveness and philosophical dogma. At one end we have the "no one should own anything" school of thought, which I won't even bother addressing -- that's a purely philosophical argument best left to people more concerned about theory than practice. At the opposite end is the "we created this, feel lucky you can use it" school, where the IP is overvalued to the detriment of the end user experience.

Impact of Piracy

Inevitably discussions about piracy come down to both sides arguing about its economic impact. On the one side you get industry groups throwing out ridiculous figures (something like $26 billion last I heard), usually computed by taking every believed pirated copy of software known to exist and multiplying it by its retail value -- a rather optimistic point of view that assumes if piracy were wiped out overnight that this would immediately translate to immediate megasales for developers everywhere. On the other side you have the pirates saying that it doesn't make a difference, they wouldn't buy the software anyway, so it's almost zero lost dollars.

The truth, of course, lies somewhere in between, but I'm not going to try pin a number on it because I don't think it matters. The issue isn't really about the raw numbers, it's about the principle of the matter. People shouldn't steal shit from other people. Maybe some people need to see big numbers to quantify this "cost", but I don't -- I'm arguing that we all know software pirates, many of us have pirated software, and none of us feel particularly bad about it. I would guess that anyone reading this article has pirated at least $50 in software during their life, if not significantly more. I care more about that subjective level of ubiquity than I do about some arbitrary number assigned to the problem. Because in the end I don't care how it affects the industry, I care about how it affects me, the software developer and consumer.

Institutionalized Piracy

One of the biggest issues in piracy today has to do with the massive duplication plants in Asia, where counterfeit copies of Office XP, Photoshop, and X-Box games are routinely manufactured then sold by street vendors for mere dollars. This article does not address that issue, since that is clearly more to do with greed and the criminal element than, say, laziness or opportunism by the consumer. Counterfeit everything exists today, software just gets to go along with the ride.

Copy Protection Mechanisms

Copy protection, as the name implies, ideally prevents the willy nilly propagation of software to parties that have not paid for that software. A software product that has no form of copy protection is trivial to copy and distribute to anyone who wants it. Software of this nature relies on the honesty and/or ignorance of users to ensure that the software is purchased legally.

There are two basic mechanisms to prevent the illegal spread of software: copy prevention and use verification. Prevention actively denies the user the ability to grab the raw data from its installation media, making propagation difficult (but far from impossible). For example, copy protected CD-ROMs use special technology that interferes with the user's ability to make copies of the CD. Use verification, on the other hand, ensures that the software is being used only by the registered user and/or computer, either by gaining permission from an authentication server or requiring specical hardware (a "dongle" or sometimes just the original CD in the drive).

Both copy prevention and use verification impose significant burdens on the activities of the user. Copy prevention schemes suffer from numerous problems:

  • performance and stability defects
  • inability to backup media
  • requirement for physical media

The performance and stability problems of major copy protection technologies are well documented. Windows XP required a hot fix for the SafeDisc? copy protection mechanism. In fact, SafeDisc? incurred such significant performance and compatibility issues that at least one company, Bethesda Softworks, issued a patch that specifically disabled SafeDisc? -- the performance overhead was supposedly dropping use frame rates by 25% or more. The StarForce? copy protection technology installs a special device driver as part of its protection system, and there are numerous claims that this driver interferes with some hardware devices (CD and USB drives). Not only that, but the StarForce? driver is notoriously difficult to remove, especially if a game manufacturer forgets to pull it as part of the uninstall process (StarForce? has a software removal tool on their Web site, unfortunately most users don't even know that StarForce? is even installed).

The inability to backup your media is a significant problem, especially for those of us with small children. While I don't expect my kids to get their hands on a copy of Doom 3, it's kind of hard to keep them from occasionally grabbing a Wiggles DVD or a Reader Rabbit CD-ROM. These CDs get trashed all the time, because children try to change, remove, or insert discs on their own. If I could just back this stuff up, I wouldn't have to stress about it, but unfortunately every time Freddie the Fish gets trashed, I have to buy a new copy even though I own it already.

This is a case where publishers want to play both sides -- I'm not allowed to backup the physical media, yet at the same time they don't feel obligated to replace it. So if I'm licensing the content, then that license should exist regardless of whether I have the physical media, right? I wish.

Finally, the requirement for physical media ("Please insert Disc 1") is a pain in the ass. No one likes to shuffle CDs around constantly -- they're exposed to damage, they get lost, and if you're traveling with a laptop they add weight and bulk. Hard drives are big enough that you can do a full install of probably a half dozen games, yet we're still stuck manipulating and toting these archaic CDs even when they're not really needed. It's ridiculous. To get around this a lot of legitimate consumers use "virtual drive" software available from legal programs such as Daemon-Tools, Alcohol 120%, CloneCD, and even Nero (the standard CD burning software that ships with the majority of CD-RW drives out there). However, to add insult to injury, the makers of various copy protection technologies now prevent the installation or execution of some games if any of those legal programs which have legitimate uses are even installed on the user's system. It's insane.

Use verification attempts to guarantee that the person using the software is the person who bought/registered that software. Instead of trying to stop the proliferation of the software itself, this technique focuses on the legitimacy of individual users. Examples of this include:

  • special hardware requirements
  • mandatory registration/authorization
  • server connections

Hardware requirements include anything from dongles to code wheels to booklets to key discs. Dongles are special devices attached to a parallel or USB port, and when the software runs it periodically checks for the existence of that device. Code wheels and booklets/manuals were common anti-piracy measures during the 1980s for PC software -- the program would start up and ask you questions revealed only in the book or by the code wheel. Code wheels could not be photocopied, and books were often large enough that Xeroxing the whole thing wasn't worth the effort. Key discs are simply CDs or floppy disks that must be inserted in the computer for the software to run -- obviously the key disks are copy protected as well, so you get two layers of protection (the software is difficult to copy and you must have the original media in order to run your software).

The problem with hardware protection is that it can be lost, broken, stolen, or rendered incompatible. Dongles sticking out of a USB slot are notoriously easy to misplace, take, or break. Parallel port based dongles had compatibility problems due to different parallel port implementations. Code wheels broke, manuals were lost, key discs got erased or went bad. Key discs don't make much sense if your laptop doesn't have a CD-ROM or floppy drive installed. If you lose or break a hardware device, the odds of having it replaced are very slim -- you often have to purchase an entirely new copy of your software.

Mandatory registration and authorization requires you to "unlock" your software before it may be used. Unlocking comes in numerous forms. The simplest is the CD key, such as seen with many earlier Microsoft products. Without that special key, the software won't install. Of course, nothing prevents a pirate from just distributing the key with the software, but it prevents multiple users from registering the same copy. One step beyond that is a "registration key" that is tied to the user's computer or the the user's personal information. This cannot be shared as easily, since user information and computer configurations are rarely the same.

As you might guess, mandatory authorization has its problems as well. For starters, it's not all that effective -- it can be relatively easy to crack, and user information based authorization systems can be spoofed. A simple Google for cracks on software protected with authorization codes turns up pages and pages of results. The other problem is that there is significant inconvenience and risk to the end user. There is no guarantee that the developer of that software will be around in a few years or even a few months. What happens when you reinstall your software and the company responsible for unlocking your software has gone out of business? You're shit outta luck there.

Another problem with mandatory authorization is access. You bought the software, you want to use it, so what gives when you run home, install it, and now have to wait until the developer decides to get back to you with your "Response" before you're ready to use it? If I'm busting ass on a project at 3AM and need to reinstall some software and find out that I can't use it until 9AM in Hamburg, I'm going to be mighty pissed, and possibly screwed. Some manufacturers offer a trial period, at the end of which you must have the registration key. This helps with the immediate use problem, but still doesn't help with the long term accessibility of that software.

The safest, most secure form of copy protection is to place necessary, access controlled content somewhere else. Application service providers have been doing this for years, where companies effectively "rent" the software as a service. Multiplayer games such as Quake 3 and Everquest do this as well -- to get on-line and play you must authenticate with a central server, and if you're denied that authentication you're simply not allowed to play. This is the most secure form of copy protection around since it's extremely difficult to bypass, but as with registration codes, you have to worry about accessibility (what if you don't have a network connection? What if the company goes under?)

Of course, the exceptionally paranoid companies use multiple mechanisms: copy prevention, mandatory registration, server authentication, and hardware authentication -- but in the end, they still get cracked.

Copy Protection and Backlash

Unfortunately, due to the invasive and bumbling nature of a lot of copy protection systems, legitimate and honest end users are the ones that get screwed. Hardware level device drivers are secretly installed and requirements for installation are rarely printed on the box. Between these two irritants and the resulting performance drops, system crashes, malfunctioning hardware, or even plain old inability to read from a CD-ROM drive, the user gets righteously pissed. When they try to return the product, they're denied -- once opened, it's theirs. Too bad, kthxbye. Without the ability to return broken software, copy protection systems that interfere with a customer's ability to play or even install a game simply piss off users, making them less likely to buy a product in the future and, to be honest, far more likely to pirate that software.

It is not that difficult for non-pirates to justify piracy when they've made every attempt to legitimately purchase and install software only to be thwarted by the manufacturer's insistence on treating every user like a career criminal. At some point, after enough blue screens and failures to execute and requirements to uninstall unrelated packages, a user just says "fuck it", downloads the cracked version, and skips the bullshit. The publisher has no one to blame but themselves for that sequence of events.

Product or a Service?

Copy protection schemes really boil down to how developers position themselves. Are they selling a product or a service? They can try to sell a product, and thus protect that product from illegal distribution. But if they do this, they had better be willing to accept returns from users when the protection mechanisms interfere with the software's ability to function. Not only that, but they need to implement media replacement policies -- if they're going to prevent the user from making legal backups of their software, then they need to be willing to exchange bad media for good media at little cost. Until company's adopt policies like these, I'm not going to feel too terribly sad for them when they bitch about piracy and NoCD cracks.

Alternatively, manufacturers can position themselves as services, not resellers. As mentioned before, on-line gaming companies and application service providers already adopt this approach. There is an understanding that the service may, one day, disappear, and thus users need to factor this into their purchasing/leasing decisions, but once you're a member of the service you should always be able to use that service irrespective of the presence of physical media. You should also be able to transfer the rights of that service to another party if you're no longer using it -- just like you can give a CD to a friend.

What aggravates me, personally, is when a company wants the best of both worlds -- you are responsible for the physical media, but you're not allowed to protect/backup that media, and you have to get authorization to use it. Far too many companies engage in this practice, ironically enough usually rationalizing that losses due to piracy force them to. One VST plug-in manufacturer I know requires you to purchase their CDs for $299, then you must authorize your software with them, then if you want to give that software to someone else, you have to pay a $99 "license transfer fee".

Paving Stones for the Road to Hell

In the end the problem is one of intent. When thinking of the nameless, faceless user, a software developer has no way of knowing why that user needs to copy their software or use it from another machine. Is it because they want to give a copy to a friend? Or is it because they have a toddler that accidentally chewed on their Freddi Fish CD-ROM? Did they install this software on another machine because a coworker will use it, or is that machine their laptop and they're still the only user?

The software developer simply has no idea whether the user's intentions are honest or nefarious -- assume the former, and the software gets copied; yet assume the latter, and honest users are inconvenienced.

Why Pirate?

Piracy isn't driven strictly by greed or parsimony. For some, it is simply pragmatism. -- software is too expensive; it is difficult to ascertain its value before purchasing it; and it is sometimes bug ridden, slow, incompatible, or just plain shitty. I've been burned more often than not when buying games and application software -- my bookshelf is a graveyard of software I bought and never used: Paintshop Pro, Visual J++, McAfee? Virus Scan, QuickBooks? Pro, Kai's Power Tools, Starfleet Command: Orion Pirates, Madden 2004 for the PC, Cubase SX, the list goes on.

I've resorted to using shareware programs almost exclusively, since demos of their functionality are available. Major application developers are realizing that a good demo can stave off piracy, since users can check out a product legally.

As a rule, there are five basic rationalizations for piracy.

  1. I Don't Really Use This Software
  2. I'm Just Checking It Out/Software Sucks
  3. I Can't Afford It
  4. It Doesn't Hurt Anyone, It's Not Like Stealing a Car
  5. Why Not?

I Don't Really Use This Software/I Wouldn't Have Bought It Anyway

Ahh, the war cry of the casual pirate who sleeps well at night. This is the rationalization for the myriad copies of Adobe Photoshop, 3DStudio Max, and Office 2000 floating around the computing universe. These packages are extremely expensive and the professionals that use them can afford them. However, a huge number of the pirates out there are casual pirates that like having overpowered software just to dick with. They don't really need Photoshop, but if given the choice between having Photoshop or GIMP, they'll take Photoshop every time.

The availability of low-cost alternative software that has the features usable by hobbyists undermines this rationalization. A lot of publishers do, in fact, provide such low cost versions, and while I'm confident that this does reduce piracy somewhat, I doubt that it makes a huge dent since, by and large, this reason is more of a rationalization. If someone wants something that's good enough "to play with", many free or inexpensive versions of most software packages are available -- but it's human nature to get the best you can for the least amount of money. It's a sad statement that we can justify getting something very good by theft more easily than we can justify getting something adequate at some cost.

I'm Just Checking It Out/Software Sucks

These are two sides of the same justification. I don't think many people will dispute that today's PC software is buggy, difficult to use, bloated, slow, and often incompatible. The consumer doesn't know if a specific piece of software works on their machine, as advertised -- and even if it does, the issue of quality exists. Major software companies rarely include demo versions of their flagship software, so all users have to go on are reviews on the net and whatever the manufacturer decides to tell you.

If that software you purchased doesn't work or crashes all the time, you have little recourse for satisfaction. For this reason, trying-before-you-buy is almost a requirement. Nothing pisses off a consumer worse than blowing a wad of cash on a new game or application only to find that it doesn't work, and then learning that the software can't be returned. And publishers wonder why there's piracy?

So there is a reasonable justification for piracy-as-test-drive. The problem is when you try-but-don't-buy. This is happens a lot with games -- someone "borrows" a game, finishes it, and then decides not to purchase it because, well, they've already finished it.

Without proper demo versions, consumers can't determine if a particular application A.) is good and B.) actually runs well on their system. If publishers won't provide these demos, then the consumers will -- in the form of pirated copies. The problem then is that once it's been pirated, well, why even bother getting the legal version?

Fixing this situation is, again, relatively easy -- provide full featured demo versions of your software. Those that legitimately want to investigate a particular application may now do so without resorting to getting a cracked version from a friend and, by extension, falling into the trap of just keeping that pirated copy instead of buying a legit copy.

I Can't Afford It

I don't have too much sympathy for the group that says they can't afford it. Even in countries where a typical user literally cannot afford software -- Photoshop costs something like the equivalent of three months wages in some east European countries -- there are always other options. Use free or lower cost versions. Don't use the software you can't afford. For some reason society is willing to nod understandingly when someone says "Of course I didn't pay for Microsoft Visual Studio, I can't afford $1000!" But, oddly enough, society gets a lot more irritated when someone, say, steals $1000 in computer equipment, since the latter has a "victim" and the former, well, hey, who is really a victim if it wasn't really a lost sale in the first place, right? Right?

Lowering prices would help, to some degree, but there are market positioning concerns there ($20 games often sell poorly due to a perception that they have to be $20 to make up for lower quality). There isn't much you can say to a Bulgarian make $200/month to convince him that they should save up a year and buy 3DStudio Max 6. It's just not going to happen. To turn it around, for you Americans -- would you buy the latest CD from your favorite band if it cost you $100? Thought not.

But still, in the end it's hard to sympathize too much towards someone that doesn't have the means. If you can't afford something, then come up with a legal work around (such using open source equivalents).

It Doesn't Hurt Anyone, It's Not Like Stealing a Car

This is the classic excuse. It's a victimless crime! There is this justification that unless something is made out of raw materials and is a tangible item that theft isn't taking place. Digital data has the wonderful property of cost free duplication, so no new resources are consumed in their creation. Hell, the publisher and developer don't even have to be involved in the duplication.

To some degree, this is sort of true. If someone "borrows" a game from a friend, then it's not like I'm losing something. They didn't break into a warehouse and steal something that I then have to replace. However the long term cost is the same to the developer -- lost income. This lost income is the difference between surviving or not. Every time a popular game that you would have bought is pirated, that's fewer dollars back to the developer, and the less chance that they'll make cool games. Anyone reading this that warezed Thief or System Shock -- don't bitch too loudly about the lack of good games anymore.

It's kind of like voting -- yes, your one vote may not make a difference, but if everyone thinks like that, the country goes to shit. Every time you buy a game that you like, it's a vote of confidence to the publisher about that developer. Publishers use these sales figures to determine if the developer is competent; whether copy protection is necessary; and whether the PC platform is still viable. When sales plummet and/or piracy statistics skyrocket, publishers have a tendency to write off the entire PC market.

So piracy does hurt someone -- it hurts the developer, who loses money. It hurts the gamer, who is now wondering why no one makes good PC games anymore. It hurts the industry, and to some degree it hurts society by propagating this belief that copyright theft is okay.

How Much Protection Do We Need?

I have generally viewed anti-piracy measures as a relationship between copy protection effort, software price, and the effect on developer time, pirate time, and total number of lost sales. Completely absent copy protection simply opens up the flood gates, primarily because you're relying on the goodwill of your end users for profit. Many a "donation ware" author has found this to be the case -- there is a belief that if you're not requiring payment, that you don't need the payment, so users won't bother.

Light copy protection probably stops the vast amount of casual piracy. It prevents someone from just zipping up some files and e-mailing them to a friend. It prevents burning a CD for a friend. Usually a very trivial amount of effort is required to implement (and crack) this form of protection, but depending on the technological savvy of the user base, this may not be a real concern.

Heavy copy protection hits a wall of diminishing returns. It's still going to get cracked, but now you've infuriated many of your legitimate users and incurred the associated support costs of dealing with them. Stopping trivial copying and distribution makes sense, but I find it difficult to imagine that anything past that is going to be worthwhile. Is getting one more sale worth pissing off one good customer? Five customers? A hundred customers?

Steps to Fixing Things

So to some extent the developers, publishers, and retailers are partly to blame for driving honest users to piracy. Note that I'm ignoring "serious" pirates -- everyone from the mass duplication pirates in the Republic of China to the guys running pirate Web sites. I consider these in the minority, even though their total numbers are fairly significant.

The question we must ask ourselves, as developers, is "what can we do to discourage 'casual' piracy?"

First, we need to let users try our software before they commit money if they're not allowed to return faulty or incompatible software. I've been in the shareware business for years now and have never had a single return from a direct sale -- why? Because every user can try our software first and then spend money only if they feel that it's the right product for them. The only reason not to release demo versions is fear that your software will be exposed as substandard and thus you won't get "captured" sales -- people who base their buying decisions on optimism and thus will pre-order or buy blindly.

I've used several demo versions to see if something would be right for me. Most recently I purchased MindJet?'s MindManager?, which is a fantastic program. Without a demo I would have been forced to either pirate it (doubtful I would have bothered) or solely trust reviews -- but I'm not sure if I want to commit hundreds of dollars based strictly on the opinions of others. On the other side I tried out ActiveState?'s Komodo IDE for Python, both version 2.5 and 3.0, and each time, while I liked it, I didn't end up purchasing it because of incompatibilities with other software on my system, making it unusable. If I had spent the money, I would have been very angry if I couldn't get a refund.

The second thing we can do is make entry level versions of our software (with inexpensive upgrades). Some companies already do this, such as Adobe with their Photoshop Elements or Microsoft with Visual C++ Standard Edition. Inexpensive, feature limited versions of software appeal directly to the "I'm just checking it out" and "I don't really use this stuff" crowd -- if you can get a copy of Photoshop Elements for $80 and you're a hobbyist, then it's doubtful that you have a legitimate excuse to pirate Photoshop CS. Any features in the "big" versions are probably those features only professionals or hardcore users would miss.

Third, if you don't have a demo, provide a reasonable return policy. The fact is that there are just too many random incompatibilities out there, not to mention sucky software. Use an authorization system if you have to and forcibly disable their installation the next time they run, but at least allow them the right to return software they don't use.

Fourth, decide if you're going to require registration or physical verification -- don't do both. That really aggravates users, who are now at risk of losing their software either by losing some physical item (dongle, CDs) or because of an inopportune authorization failure (due to the company going out of business, need to reinstall at 3AM, dodgy network connection, etc.).

Fifth, if you're going to use a pain in the ass copy protection mechanism, clearly mark it on the box so that users can choose whether they want to deal with the hassles before they purchase your product. There is no legitimate reason to hide this information from the user, particularly if you don't provide a reasonable return policy.

Finally, if you're going to require use verification, then provide a fail safe so that if your company ever kicks the bucket, the software is still available. This isn't a major issue right now except in some industries (graphics, music, design, and audio), but in the next few years there's going to be a collective outcry as more and more people are left stranded with expensive but orphaned software. Either escrow unlocked builds with some kind of centralized authority, or automatically have your software unlock after some calendar date -- presumably patches or upgrades will reset the internal clock, but if your software hasn't been changed in a couple years there's a good chance that your company is out of business. Whatever scheme you choose, the important thing is that the user needs to feel comfortable that their investment won't just evaporate along with the company. I have games made by companies that no longer exist, and I feel pretty good that I can still play them even though those companies are no longer around.

By following the above basic rules I think that casual piracy can be reduced by a reasonable fraction. The major excuses are addressed by all those, but in the end the real root enabling of piracy -- society's unwillingness to identify piracy as an unwholesome act on a par with physical theft -- needs to be addressed. Until then developers will rely on the honesty of individual users, and this is a tough sell in today's market, especially when you routinely meet otherwise normal people that think anyone that pays for software or music is a moron.

One final note: given the degree to which SafeDisc? and StarForce? invade a system, I think that it's absolutely vital that game reviewers indicate which protection system is used by a game. If the publishers won't inform the users, then the advocates for the consumer (in this case, game reviewers), should. In fact, I would go so far as to say that any game with overly invasive copy protection simply be docked points outright and denied any awards. It's that simple -- the path we're currently going down with copy protection is just wrong. Piracy needs to be curtailed, but punishing legitimate users is not an acceptable means to that end.

Discuss this article in our forums!