IT Software Audits Gone Bad: Beware the BSA

Software piracy is big business and bad for IT as a whole, so someone has to police it. But when the piracy police overstep their bounds, companies suffer needlessly. Here, Redmond explores the most harrowing tales of software audits and how companies should respond if the piracy cops come knocking.

"Audit" is almost always a nasty word. It conjures images of unfeeling IRS agents and detail-obsessed accountants poring over years of receipts, invoices and bills, and sometimes even notes quickly jotted down on scraps of paper. Audits are time-consuming, complex and can be pretty frightening.

In the software industry, audits can be just as difficult for IT professionals as IRS inquiries are for taxpayers, if not worse. Software licensing is only slightly more complicated than mapping the human genome, so even the best-run IT departments are likely to have slipped up with some licensing paperwork somewhere and fallen into non-compliance. But the Business Software Alliance (BSA), the software industry's vendor-backed licensing-enforcement organization, rarely shows mercy to even the most repentant of offenders and sometimes smacks around companies that aren't guilty of non-compliance at all.

To be sure, the BSA does a lot of good work in stamping out piracy, a major problem that not only hurts sales figures for vendors and partners, but also deprives the economy of jobs and tax revenues. The non-profit trade association uses money from the fines it collects from companies to fund anti-piracy education programs and other anti-piracy efforts.

BSA is the largest anti-piracy group in the technology sector and claims just about every major vendor as a member, including Adobe Systems Inc., Apple Inc., Cisco Systems Inc., Microsoft, Hewlett-Packard Co., IBM Corp., Intel Corp. and Symantec Corp. (The only mega-vendor conspicuously missing is Oracle Corp.)

The goal of this story is not to completely bash the BSA, but to make IT professionals aware of the BSA's (and vendors') tactics for conducting audits, which many readers and experts call overbearing. (We also let the BSA have its say.) We seek with this story to let companies know how rough software audits can be, just in case they're becoming lax with compliance. We also hope to advise IT professionals on dealing with software audits, particularly when they're completely innocent.

The stories told here are real tales from real Redmond readers, all communicated directly to the author of this article. Given the sensitive nature of this issue, we have changed the names of the parties involved at their requests.

Not Just Junk Mail
Software audits are big deals. They can cost companies millions of dollars and derail careers. The BSA is up front about potential penalties: "One of the things that we make clear right from the start is that this is a serious matter," says Jenny Blank, the BSA's North American enforcement programs manager. "The penalties allowed by law are up to $150,000 per title infringed."

The rewards for successfully turning in offenders can be handsome, too. The BSA conducts all of its audits based on tip-offs from individuals, Blank says, and the organization recently sweetened the pot for tipsters by offering rewards of "up to" $1 million for reporting licensing violations.

It's not always the BSA that requests -- or seems to request -- an audit, though. Vendors sometimes send their own letters independent of the BSA -- and those letters can be a bit tricky, possibly even completely misleading. Sometimes, a letter from a vendor sounds like a threat when, in fact, it's just a hard sell to upgrade.

"I received [a letter] several years ago from an over-eager employee at Microsoft advising me that I might be in violation of license agreements," Redmond reader Jim reports. "The letter was from the legal department, as I recall, and seemed to be more of a threat than what it later turned out to be -- a marketing solicitation to upgrade Office products we owned. Talk about misleading and heavy-handed ..."

It's usually the BSA that makes contact, though, especially with smaller businesses, licensing guru Scott Braden says: "The smaller you go, the more likely it's going to be the BSA," says Braden, senior vice president of distributed desktop services at NET(net) Inc. in Dallas, Texas. "The larger the [customer], the more likely it is to be the supplier."

For Redmond reader Marvin, the letter came from the BSA -- but the organization fudged Microsoft's involvement with the audit, Marvin claims. "At the time, I was an IT manager responsible for software licensing, desktop and server support, etc.," Marvin reports. "I opened the daily mail to find a letter from the Business Software Alliance indicating that they wanted me to call them to schedule a visit for a software audit. They stated that they were working as a partner with Microsoft, and were interested in helping our organization ensure that we were handling our licenses correctly.

"I visited the BSA Web site and checked some legal references to confirm that I was correct -- that [the BSA is] not a government investigative organization, but is nothing more than a private company, which does indeed demand rights to audit other companies under threat of blackmail.

"I took the letter to [my company's] attorney. I advised him that we were and had been purchasing our software under Microsoft's Volume Licensing Agreement, and that we had just completed an audit with the Microsoft licensing team's assistance. I provided Microsoft's report of the findings and included a copy of the recently signed purchase agreement, which bought a certain number of licenses, to correct any deficiencies listed in the report. I also provided a memo for record from Microsoft, which stated that the BSA was not, in fact, acting for them, or on their behalf. I strongly recommended that we 'deny BSA an opportunity to help,' and that we assert our right to immunity from search absent any legal justification. [Our attorney] so advised them and told them to come back when they had a warrant. We never heard another word."

Reader Jon, a Microsoft partner, had a similar experience when dealing with three clients who received audit requests from the BSA. The problem began when Windows Genuine Advantage (WGA) -- now Windows Activation Technologies (WAT), the Microsoft compliance-reporting system -- failed, and Microsoft lost compliance information for Jon's clients.

"WGA completely crapped out and died between SP1 and SP2 of [Windows] XP," Jon says. "The BSA used the problem to force audits." Jon wasn't falling for it, though. He advised the BSA to come back with a subpoena. The BSA started the process but never got anywhere, Jon says, mainly because Microsoft folded when he forced the vendor's hand.

He demanded the BSA go to Microsoft and ask the vendor to open its own sales records, to prove Jon's clients had properly licensed their software. At that point, Microsoft balked: "When the BSA folks had to go back to Microsoft to open up sales books, Microsoft told them that's not going to happen," Jon says. He was able to clear his clients' names -- and his own as well.

"When they started screaming at me that I was the thief, I said that's impossible," Jon continues. "We found out that there was no chain going back from me to the distributor. They got nothing. The BSA and Microsoft looked like fools."

The case ultimately tilted in Jon's favor, but the experience left him bitter: "The whole burden of this whole con game is on the holder of this software," Jon says. "There's no obligation on the part of the BSA to be accurate.

"That hurt me so much as a professional that I haven't sold a Microsoft server in seven years," he continues. "It was the flat-out way they approached it, the way they attacked us and showed us the vulnerability of their own product. They made my customer prove that my customer was worthy of Microsoft."

Redmond reader Al had a somewhat morally ambiguous experience with the BSA, but it nevertheless ended with a colleague's career suffering serious damage. Al's story demonstrates that the BSA can sometimes fail to take extenuating circumstances into account when handing down punishments, even when those punishments are technically fully justified.

"A buddy -- with many kids to support -- worked for a government contractor that had purchased abundant legal copies of Adobe Photoshop," Al reports. "But IT hadn't yet installed a copy on his company laptop. The contractor owned several unused licenses.

"To get an assignment done at home one weekend, my buddy pulled an admittedly illegal copy off the Web -- for temporary use until IT could install a legal copy. The software feeder automatically -- and without announcing it -- made parts of Photoshop publicly available on his laptop. Essentially, it installed a bot.

"BSA's long arm learned of this 'publication,' traced the IP address to his company, and put them on harsh notice," Al continues. "The employee was immediately fired, though with sincere apologies: 'I'm sorry. We have no choice.' The contractor 'understood' but had to knuckle under to injustice.

"BSA blithely ignored the many Photoshop licenses that Adobe had already been paid for that were languishing uninstalled at the company.

"Thanks, BSA. [The former employee's] financially strapped family now regrets his desire to get his job done on time using your customer Adobe's software for a period that may have lasted until the following Monday. Tua culpa.

"It's sensible to own a bulldog to protect against career muggers," Al says. "It's immoral to sic the beast on someone who borrows an apple off your desk one night, which he'll replace next Monday."

Then again, reader Charley had almost the opposite experience with the BSA when he was a tipster himself: "We actually called the BSA on a client that was buying software at a university for their business," Charley said. "They didn't see the light that it was illegal. What a joke the BSA is! They 'called' the client, advised that they had a complaint of them using illegal software. The client responded, 'Uh, no ...' and the BSA replied, 'OK, thank you.' That was it."

Plenty of Justification
Charley's experience with the BSA is unusual compared to those of other Redmond readers, but it does help demonstrate the need for an organization to police software piracy. The BSA and analyst firm IDC said in May that the United States has a "piracy rate" of 20 percent, the lowest in the world (the worldwide figure is 43 percent). Still, the organizations reported that the commercial value of pirated software in the United States was $8.4 billion in 2009.

IDC and the BSA also calculated in 2008 that a 10-point reduction in the rate of software piracy in the United States would add more than 32,000 new jobs and almost $7 billion in tax revenue from 2008-2011. Piracy is big and damaging business, and the BSA is constantly fighting it. The organization produces educational videos about piracy and will soon launch a course on the benefits of software asset management (SAM), officials said.

Not all tales of software audits are nightmares about vendors or the BSA. Redmond readers themselves provided plenty of justification for the BSA's existence with tales of companies knowingly using illegal software.

The most stunning comes from Microsoft partner Fred, who had an unscrupulous customer literally break into his desk: "In 1998, a few months after I moved into my new office, my landlord asked me to get him a T1 line for his office and upgrade his Novell network to Windows NT Server," Fred says. "The request came as I was heading out the door to go on vacation. When I got back, I discovered that the lock on my filing cabinet, where I stored my software, was jimmied, and that the lock would not secure the cabinet anymore. Nothing was missing, so I didn't call the police. What a mistake.

"After that, I went about doing an assessment of my landlord's computer system and prepared a quote. While doing the assessment, I found he was using the same copy of Windows 95 on multiple computers. Then, in talking to the landlord, I discovered he thought that was how the license worked -- one license fits all. I had to adjust his understanding.

"Needless to say, the deal did not materialize," Fred continues. "Once the deal went sour, the landlord revoked my parking permit. He then tore up my lease, and demanded that I move out of my office. The landlord refused to pay his final bill. So, thousands of dollars worth of work that I had done for him went unpaid.

"I moved into a virtual office with a mailbox, phone and conference facilities. I've been in the same office ever since. All my licensed software is in a place now where I have total control over access."

For his part, Chris decided to tip off the BSA just before becoming a former employee: "By June 2003, the private business college I worked for had seen tremendous growth since I had joined in 1996," Chris says. "They had recently been bought out by a capital investment group that sought to curb spending, and the IT budget was not immune. We were operating in the neighborhood of 400 to 450 systems, most of which were less than 2 years old. They were all purchased from legitimate vendors, and therefore had proper Windows licensing.

"However," Chris continues, "we had never updated licenses for Microsoft Office, several servers or Client Access Licenses to account for the growth. After spending some time with pencil, paper and spreadsheets, I came up with a solid inventory, which I used to fill out the academic Open License paperwork. I don't recall the exact dollar amount, but it was on the order of $10,000 to $15,000.

"I walked the papers around and got the signatures. On June 13 -- yes, a Friday! -- I came in and sent the paperwork out for the daily mail. At 4:30, I got called to 'the office' to be informed that I had been downsized. If only I had known! I can assure you that -- disgruntled former employee or not -- I had already decided to 'drop a dime' to the BSA if the company decided not to approve the licensing.

"I never followed up to see if they, in fact, went ahead with actually purchasing the licenses," Chris says. "I guessed that, knowing that Microsoft knew how many licenses the paperwork listed, the owners would be inclined to cut the check when the bill arrived. For whatever other faults they had, plain stupidity was not one of them."

Responding to an Audit
Licensing expert Braden says the first thing companies should do in response to an audit request is understand what the request entails. The overwhelming majority of audit scenarios begins and ends with electronic communication -- very few involve a company talking to the BSA on the telephone, much less in person. It's important, then, Braden says, to examine the BSA's communication carefully.

"The first thing is to understand what it is they've sent you," Braden says. "There's varying levels of formality, and there's different types of audits. The low end of the scale might be a generic letter that looks kind of official and scary but really isn't an audit request. It will say, 'We're in your city' and rattle off statistics. It will invite the customer to open the kimono. They write them in ways that lead you to believe things that aren't necessarily going on. Your first mission is to find out: Is this an audit, or is this a fishing expedition? What is the auditor's authority?"

Braden says that attorneys and licensing experts are good people to turn to -- but that resellers might not be. "There are a few attorneys out there that have built a practice in this," Braden says. "There are people like me who have had a lot of experience over the years. Make sure you understand people's motives and interests. A lot of times I find people relying on their resellers. Resellers serve three masters -- themselves, the customer and the [vendor]."

For her part, Blank says that the BSA is simply trying to lend an air of importance to its correspondence: "We are asking the company to take this serious matter offline with us," she says. "It's important to lay out the size of the problem straight up front. I would describe our correspondence as serious but not threatening."

Vic DeMarines, vice president of products at V.i. Labs Inc., a Waltham, Mass.-based company that makes software that tracks pirated software, says if the BSA comes off as harsh, it's only because the organization is trying to unearth accurate information.

"It's a byproduct of how [the BSA gets] this information -- disgruntled employees," DeMarines says. "[The BSA has] no idea how much software is being used or misused. They're getting their leads from a social network. Their tactics are going to have to be a little rough because the information is not there."

Regardless of the BSA's tone, Braden emphasizes that companies should only reveal what they're required to reveal -- if anything at all. "Look at original contracts," he says. "If you have a [licensing] agreement, read the section on auditing and compliance and understand that. You don't need to give them a key to the kingdom so they can sniff around and find everything."

A Redmond reader with audit experience takes the concept a step further, saying that companies should move the burden of proof onto the BSA: "The BSA asserts this simple rule: If a company is using a BSA member product without being able to produce a purchase receipt, that company is an infringer. This rule is absurd. Asking for receipts to show proof of a license is unfair. Ask the BSA for a license agreement that shows that the only proof of license is a purchase receipt. There is no such agreement. Ask the BSA to accept photos of software discs as proof of license, if you have them."

Lee says...

I absolutely did not set out to bash the BSA in this story. The organization does a lot of good and important work. It's true, though, that the BSA and vendors alike can get overzealous with their audit practices, and IT professionals need to know how to recognize and defend themselves from unwarranted attacks.

There are also preventative measures companies can take to avoid audits, says Cynthia Farren, founder of licensing consultancy Cynthia Farren Consulting. Investing in a SAM tool is a start: "You can't manage what you don't know," Farren says. "You need a tool. There's no way an organization with more than 50 computers can know what's on every one of those computers at any given time. I guarantee you we'll find a surprise if you don't have a tool."

It's also a pretty good guarantee that an IT professional will face an audit at some point in his career: "Every three to five years, you're going to have somebody coming to you," Braden says. "It's going to happen sooner or later."

Farren concurs, and offers a warning: "A lot of companies don't think that [the BSA is] ever going to come calling," Farren says. "I've worked with a couple of companies that did get audited and realized how real the BSA is. When it happens, it's ugly."
