IT Software Audits Gone Bad: Beware the BSA -- Redmondmag.com

IT Software Audits Gone Bad: Beware the BSA

Software piracy is big business and bad for IT as a whole, so someone has to police it. But when the piracy police overstep their bounds, companies suffer needlessly. Here, Redmond explores the most harrowing tales of software audits and how companies should respond if the piracy cops come knocking.

By Lee Pender
09/01/2010

"Audit" is almost always a nasty word. It conjures images of unfeeling IRS agents and detail-obsessed accountants pouring over years of receipts, invoices and bills, and sometimes even notes quickly jotted down on scraps of paper. Audits are time-consuming, complex and can be pretty frightening.

In the software industry, audits can be just as difficult for IT professionals as IRS inquiries are for taxpayers, if not worse. Software licensing is only slightly more complicated than mapping the human genome, so even the best-run IT departments are likely to have slipped up with some licensing paperwork somewhere and fallen into non-compliance. But the Business Software Alliance (BSA), the software industry's vendor-backed licensing-enforcement organization, rarely shows mercy to even the most repentant of offenders and sometimes smacks around companies that aren't guilty of non-compliance at all.

To be sure, the BSA does a lot of good work in stamping out piracy, a major problem that not only hurts sales figures for vendors and partners, but also deprives the economy of jobs and tax revenues. The non-profit trade association uses money from the fines it collects from companies to fund anti-piracy education programs and other anti-piracy efforts.

BSA is the largest anti-piracy group in the technology sector and claims just about every major vendor as a member, including Adobe Systems Inc., Apple Inc., Cisco Systems Inc., Microsoft, Hewlett-Packard Co., IBM Corp., Intel Corp. and Symantec Corp. (The only mega-vendor conspicuously missing is Oracle Corp.)

The goal of this story is not to completely bash the BSA, but to make IT professionals aware of the BSA's (and vendors') tactics for conducting audits, which many readers and experts call overbearing. (We also let the BSA have its say.) We seek with this story to let companies know how rough software audits can be, just in case they're becoming lax with compliance. We also hope to advise IT professionals on dealing with software audits, particularly when they're completely innocent.

The stories told here are real tales from real Redmond readers, all communicated directly to the author of this article. Given the sensitive nature of this issue, we have changed the names of the parties involved at their requests.

Not Just Junk Mail
Software audits are big deals. They can cost companies millions of dollars and derail careers. The BSA is up front about potential penalties: "One of the things that we make clear right from the start is that this is a serious matter," says Jenny Blank, the BSA's North American enforcement programs manager. "The penalties allowed by law are up to $150,000 per title infringed."

The rewards for successfully turning in offenders can be handsome, too. The BSA conducts all of its audits based on tip-offs from individuals, Blank says, and the organization recently sweetened the pot for tipsters by offering rewards of "up to" $1 million for reporting licensing violations.

It's not always the BSA that requests -- or seems to request -- an audit, though. Vendors sometimes send their own letters independent of the BSA -- and those letters can be a bit tricky, possibly even completely misleading. Sometimes, a letter from a vendor sounds like a threat when, in fact, it's just a hard sell to upgrade.

"I received [a letter] several years ago from an over-eager employee at Microsoft advising me that I might be in violation of license agreements," Redmond reader Jim reports. "The letter was from the legal department, as I recall, and seemed to be more of a threat than what it later turned out to be -- a marketing solicitation to upgrade Office products we owned. Talk about misleading and heavy-handed ..."

It's usually the BSA that makes contact, though, especially with smaller businesses, licensing guru Scott Braden says: "The smaller you go, the more likely it's going to be the BSA," says Braden, senior vice president of distributed desktop services at NET(net) Inc. in Dallas, Texas. "The larger the [customer], the more likely it is to be the supplier."

For Redmond reader Marvin, the letter came from the BSA -- but the organization fudged Microsoft's involvement with the audit, Marvin claims. "At the time, I was an IT manager responsible for software licensing, desktop and server support, etc.," Marvin reports. "I opened the daily mail to find a letter from the Business Software Alliance indicating that they wanted me to call them to schedule a visit for a software audit. They stated that they were working as a partner with Microsoft, and were interested in helping our organization ensure that we were handling our licenses correctly.

"I visited the BSA Web site and checked some legal references to confirm that I was correct -- that [the BSA is] not a government investigative organization, but is nothing more than a private company, which does indeed demand rights to audit other companies under threat of blackmail.

"I took the letter to [my company's] attorney. I advised him that we were and had been purchasing our software under Microsoft's Volume Licensing Agreement, and that we had just completed an audit with the Microsoft licensing team's assistance. I provided Microsoft's report of the findings and included a copy of the recently signed purchase agreement, which bought a certain number of licenses, to correct any deficiencies listed in the report. I also provided a memo for record from Microsoft, which stated that the BSA was not, in fact, acting for them, or on their behalf. I strongly recommended that we 'deny BSA an opportunity to help,' and that we assert our right to immunity from search absent any legal justification. [Our attorney] so advised them and told them to come back when they had a warrant. We never heard another word."

Reader Jon, a Microsoft partner, had a similar experience when dealing with three clients who received audit requests from the BSA. The problem began when Windows Genuine Advantage (WGA) -- now Windows Activation Technologies (WAT), the Microsoft compliance-reporting system -- failed, and Microsoft lost compliance information for Jon's clients.

"WGA completely crapped out and died between SP1 and SP2 of [Windows] XP," Jon says. "The BSA used the problem to force audits." Jon wasn't falling for it, though. He advised the BSA to come back with a subpoena. The BSA started the process but never got anywhere, Jon says, mainly because Microsoft folded when he forced the vendor's hand.

He demanded the BSA go to Microsoft and ask the vendor to open its own sales records, to prove Jon's clients had properly licensed their software. At that point, Microsoft balked: "When the BSA folks had to go back to Microsoft to open up sales books, Microsoft told them that's not going to happen," Jon says. He was able to clear his clients' names -- and his own as well.

Microsoft Q&A:

Asked by Redmond about its licensing and audit policies, Microsoft offered these responses through a company official:

Q How does Microsoft handle audits?
A Microsoft customers with an Enterprise Agreement (EA) or other Microsoft Volume Licensing agreement are considered, in most cases, to be compliant, provided an organization has met the annual true-up requirement or appropriate consumption reporting via their reseller. Within 15 days after the anniversary date of each EA contract enrollment, the volume-licensing customer is required to submit a true-up order to report to Microsoft additional Qualified Desktops, Qualified Users and Additional Products that have been run since the last anniversary.

If a Microsoft EA customer has not had any changes, they're required to submit an "update statement," which affirms that there has been no change to products run since the last anniversary. A customer who elects not to renew their EA any longer has the option of reporting Qualified Devices or Qualified Users annually and must report all individual products added monthly under Select, or prior to use under Open.

In some cases, Microsoft customers may be contacted and asked to participate in a voluntary SAM [software asset management] engagement, conducted by one of Microsoft's business partners. Although the SAM engagement is not an audit per the terms of their licensing contract, the expected outcome is that they're required to appropriately license any shortfalls. The prospect of a SAM engagement or an audit should be of minimal concern for companies with good SAM practices. In summary, Microsoft SAM engagements are collaborative and voluntary, and clients have the right to decline.

Q What's the relationship with the BSA?
A Typically, Microsoft refers any inquiries about Business Software Alliance (BSA) raids to the BSA. Microsoft does not conduct "raids" as such. We do, however, support the appropriate law enforcement officials who are responsible for intellectual property rights in the appropriate geography.

Q What can customers do if they've violated some licenses and want to come clean?
A Customers that have been duped into purchasing pirated or counterfeit software should immediately return to the reseller and ask for their money back. They may also want to contact their credit card company to see if there's recourse. A customer should also arm themselves with information such as: reporting the pirated software to [email protected], call our hotline 1-800-RU-LEGIT, visit How To Tell, report piracy to the Business Software AllianceM or in the case of any type of Internet fraud to the U.S. federal government's Internet Crime Complaint Center.

Q What are the consequences for failing an audit?
A If a customer is suspected to be out of compliance, Microsoft works with an organization and may offer a SAM engagement to assist the customer in counting licenses per device or per user and using discovery tools and processes to ensure an accurate licensing count. The terms of settlement for out of compliance situations depend on the actual Microsoft Volume License program. They're defined specifically in the respective agreement.

Q What information does Microsoft offer customers to ensure they know how to be in compliance?
A The licensing agreement in place states the legal requirements so the customer is fully informed about how to be in compliance. There are also free tools, templates and processes available at microsoft.com/sam. In addition, via the Volume Licensing Service Center (VLSC) site, a customer may obtain a copy of their Volume License Statement or MLS. Also, Microsoft has over 700 SAM competency partners worldwide, which can assist those companies who don't have the in-house capabilities to set up a proper SAM practice.

"When they started screaming at me that I was the thief, I said that's impossible," Jon continues. "We found out that there was no chain going back from me to the distributor. They got nothing. The BSA and Microsoft looked like fools."

The case ultimately tilted in Jon's favor, but the experience left him bitter: "The whole burden of this whole con game is on the holder of this software," Jon says. "There's no obligation on the part of the BSA to be accurate.

"That hurt me so much as a professional that I haven't sold a Microsoft server in seven years," he continues. "It was the flat-out way they approached it, the way they attacked us and showed us the vulnerability of their own product. They made my customer prove that my customer was worthy of Microsoft."

Redmond reader Al had a somewhat morally ambiguous experience with the BSA, but it nevertheless ended with a colleague's career suffering serious damage. Al's story demonstrates that the BSA can sometimes fail to take extenuating circumstances into account when handing down punishments, even when those punishments are technically fully justified.

"A buddy -- with many kids to support -- worked for a government contractor that had purchased abundant legal copies of Adobe Photoshop," Al reports. "But IT hadn't yet installed a copy on his company laptop. The contractor owned several unused licenses.

"To get an assignment done at home one weekend, my buddy pulled an admittedly illegal copy off the Web -- for temporary use until IT could install a legal copy. The software feeder automatically -- and without announcing it -- made parts of Photoshop publicly available on his laptop. Essentially, it installed a bot.

"BSA's long arm learned of this 'publication,' traced the IP address to his company, and put them on harsh notice," Al continues. "The employee was immediately fired, though with sincere apologies: 'I'm sorry. We have no choice.' The contractor 'understood' but had to knuckle under to injustice.

"BSA blithely ignored the many Photoshop licenses that Adobe had already been paid for that were languishing uninstalled at the company.

"Thanks, BSA. [The former employee's] financially strapped family now regrets his desire to get his job done on time using your customer Adobe's software for a period that may have lasted until the following Monday. Tua culpa.

"It's sensible to own a bulldog to protect against career muggers," Al says. "It's immoral to sic the beast on someone who borrows an apple off your desk one night, which he'll replace next Monday."

Then again, reader Charley had almost the opposite experience with the BSA when he was a tipster himself: "We actually called the BSA on a client that was buying software at a university for their business," Charley said. "They didn't see the light that it was illegal. What a joke the BSA is! They 'called' the client, advised that they had a complaint of them using illegal software. The client responded, 'Uh, no ...' and the BSA replied, 'OK, thank you.' That was it."

Plenty of Justification
Charley's experience with the BSA is unusual compared to those of other Redmond readers, but it does help demonstrate the need for an organization to police software piracy. The BSA and analyst firm IDC said in May that the United States has a "piracy rate" of 20 percent, the lowest in the world (the worldwide figure is 43 percent). Still, the organizations reported that the commercial value of pirated software in the United States was $8.4 billion in 2009.

IDC and the BSA also calculated in 2008 that a 10-point reduction in the rate of software piracy in the United States would add more than 32,000 new jobs and almost $7 billion in tax revenue from 2008-2011. Piracy is big and damaging business, and the BSA is constantly fighting it. The organization produces educational videos about piracy and will soon launch a course on the benefits of software asset management (SAM), officials said.

Not all tales of software audits are nightmares about vendors or the BSA. Redmond readers themselves provided plenty of justification for the BSA's existence with tales of companies knowingly using illegal software.

The most stunning comes from Microsoft partner Fred, who had an unscrupulous customer literally break into his desk: "In 1998, a few months after I moved into my new office, my landlord asked me to get him a T1 line for his office and upgrade his Novell network to Windows NT Server," Fred says. "The request came as I was heading out the door to go on vacation. When I got back, I discovered that the lock on my filing cabinet, where I stored my software, was jimmied, and that the lock would not secure the cabinet anymore. Nothing was missing, so I didn't call the police. What a mistake.

"After that, I went about my doing an assessment of my landlord's computer system and prepared a quote. While doing the assessment, I found he was using the same copy of Windows 95 on multiple computers. Then, in talking to the landlord, I discovered he thought that was how the license worked -- one license fits all. I had to adjust his understanding.

"Needless to say, the deal did not materialize," Fred continues. "Once the deal went sour, the landlord revoked my parking permit. He then tore up my lease, and demanded that I move out of my office. The landlord refused to pay his final bill. So, thousands of dollars worth of work that I had done for him went unpaid.

"I moved into a virtual office with a mailbox, phone and conference facilities. I've been in the same office ever since. All my licensed software is in a place now where I have total control over access."

For his part, Chris decided to tip off the BSA just before becoming a former employee: "By June 2003, the private business college I worked for had seen tremendous growth since I had joined in 1996," Chris says. "They had recently been bought out by a capital investment group that sought to curb spending, and the IT budget was not immune. We were operating in the neighborhood of 400 to 450 systems, most of which were less than 2 years old. They were all purchased from legitimate vendors, and therefore had proper Windows licensing.

"However," Chris continues, "we had never updated licenses for Microsoft Office, several servers or Client Access Licenses to account for the growth. After spending some time with pencil, paper and spreadsheets, I came up with a solid inventory, which I used to fill out the academic Open License paperwork. I don't recall the exact dollar amount, but it was on the order of $10,000 to $15,000.

"I walked the papers around and got the signatures. On June 13 -- yes, a Friday! -- I came in and sent the paperwork out for the daily mail. At 4:30, I got called to 'the office' to be informed that I had been downsized. If only I had known! I can assure you that -- disgruntled former employee or not -- I had already decided to 'drop a dime' to the BSA if the company decided not to approve the licensing.

"I never followed-up to see if they, in fact, went ahead with actually purchasing the licenses," Chris says. "I guessed that, knowing that Microsoft knew how many licenses the paperwork listed, the owners would be inclined to cut the check when the bill arrived. For whatever other faults they had, plain stupidity was not one of them."

Responding to an Audit
Licensing expert Braden says the first thing companies should do in response to an audit request is understand what the request entails. The overwhelming majority of audit scenarios begins and ends with electronic communication -- very few involve a company talking to the BSA on the telephone, much less in person. It's important, then, Braden says, to examine the BSA's communication carefully.

"The first thing is to understand what it is they've sent you," Braden says. "There's varying levels of formality, and there's different types of audits. The low end of the scale might be a generic letter that looks kind of official and scary but really isn't an audit request. It will say, 'We're in your city' and rattle off statistics. It will invite the customer to open the kimono. They write them in ways that lead you to believe things that aren't necessarily going on. Your first mission is to find out: Is this an audit, or is this a fishing expedition? What is the auditor's authority?"

Braden says that attorneys and licensing experts are good people to turn to -- but that resellers might not be. "There are a few attorneys out there that have built a practice in this," Braden says. "There are people like me who have had a lot of experience over the years. Make sure you understand people's motives and interests. A lot of times I find people relying on their resellers. Resellers serve three masters -- themselves, the customer and the [vendor]."

For her part, Blank says that the BSA is simply trying to lend an air of importance to its correspondence: "We are asking the company to take this serious matter offline with us," she says. "It's important to lay out the size of the problem straight up front. I would describe our correspondence as serious but not threatening."

Vic DeMarines, vice president of products at V.i. Labs Inc., a Waltham, Mass.-based company that makes software that tracks pirated software, says if the BSA comes off as harsh, it's only because the organization is trying to unearth accurate information.

"It's a byproduct of how [the BSA gets] this information -- disgruntled employees," DeMarines says. "[The BSA has] no idea how much software is being used or misused. They're getting their leads from a social network. Their tactics are going to have to be a little rough because the information is not there."

Regardless of the BSA's tone, Braden emphasizes that companies should only reveal what they're required to reveal -- if anything at all. "Look at original contracts," he says. "If you have a [licensing] agreement, read the section on auditing and compliance and understand that. You don't need to give them a key to the kingdom so they can sniff around and find everything."

A Redmond reader with audit experience takes the concept a step further, saying that companies should move the burden of proof onto the BSA: "The BSA asserts this simple rule: If a company is using a BSA member product without being able to produce a purchase receipt, that company is an infringer. This rule is absurd. Asking for receipts to show proof of a license is unfair. Ask the BSA for a license agreement that shows that the only proof of license is a purchase receipt. There is no such agreement. Ask the BSA to accept photos of software discs as proof of license, if you have them."

Lee says...

I absolutely did not set out to bash the BSA in this story. The organization does a lot of good and important work. It's true, though, that the BSA and vendors alike can get overzealous with their audit practices, and IT professionals need to know how to recognize and defend themselves from unwarranted attacks.

There are also preventative measures companies can take to avoid audits, says Cynthia Farren, founder of licensing consultancy Cynthia Farren Consulting. Investing in a SAM tool is a start: "You can't manage what you don't know," Farren says. "You need a tool. There's no way an organization with more than 50 computers can know what's on every one of those computers at any given time. I guarantee you we'll find a surprise if you don't have a tool."

It's also a pretty good guarantee that an IT professional will face an audit at some point in his career: "Every three to five years, you're going to have somebody coming to you," Braden says. "It's going to happen sooner or later."

Farren concurs, and offers a warning: "A lot of companies don't think that [the BSA is] ever going to come calling," Farren says. "I've worked with a couple of companies that did get audited and realized how real the BSA is. When it happens, it's ugly."

Dirty Deeds Done in IT

Not all stories of software audits include bullying by the BSA. There are many companies knowingly using software illegally -- and sometimes quite brazenly, as Redmond readers report:

We had a copy of a Maxwell's Equations Finite Element Analysis software. It came with a dongle. Once it was run on one computer, it used CPU ID or some other method to identify the computer it was on. When we realized that computer didn't have enough memory, we tried it on another computer, moving the dongle. It wouldn't run and gave an error about illegal configuration. Another $50 dongle and it would run again. [Note: the $50 was cheap; a copy of the software was $5,000.] This was the kind of belt-and-suspenders protection that killed dongles (plus the fast disappearance of parallel and serial ports).

I have a client that hired me to do a network audit for them.
During the audit, I found that the previous IT provider sold my client PCs without any license or OEM stickers. The servers were running software that wasn't licensed as well, including all of the Client Access Licenses (CALs).
When we contacted the original IT guy, he said that everything was legal and provided Windows Vista NFR discs and said that he used downgrade rights. In addition, the new server he provided without a license started having hardware issues. We asked the IT guy to take back the server and refund the money for it and all the licensing he charged this client for, but he went ahead and filed for bankruptcy.
Now I had to install three new servers and eight new PCs and provide this client with new licensing. What a nightmare for them, and what cost they had to swallow.

I used to do a Software Value Assessment service for customers where I would look at their software licensing and cost as well as usage, and make recommendations for savings (now, understand this was on a mainframe). We had very good success with saving customers money on licensing and on software they were paying for but not using.
I was in Seattle talking with a customer and had gotten pretty good at guesstimating the approximate IBM and third-party software costs based on the machine they were running on.
In talking with this particular director, I estimated he was paying about $1 million dollars split 60/40 because he had mainly IBM and CA software. He leaned back in his chair with a proud look and declared to me, "You can't save me anything. I only spent $200,000 on my software -- most of the CA stuff I don't pay for, and they've never billed me for it." Of course, it was obvious by his body language that he was proud of this and had never mentioned to CA he had the software, either.
Well, knowing this was software piracy before this term was coined, I told him I had to agree with him and finished chit-chat with him and went on my way. I went to my car and got on my bag phone (kind of dates this story, huh?) and called a CA friend just to "chat." I wasn't around to see it, but I imagine when CA audited his software, it probably was a nightmare.

We had taken on a new client, and I was earmarked to do the audit.
I duly visited the site and went around all of the PCs, only eight, logged the software on them and then asked the now ex-IT manager for evidence of the licenses. She looked me in the face and said they had one copy of Office and one copy of Windows XP Pro. Astounded at her forthright abuse of her licenses, I asked how she could do that, expecting some moral outrage about Microsoft having too much money. But she started with, "I just phone up Microsoft and tell them I had to rebuild the PC and could I have an activation code?" And then she went on about how they couldn't afford to pay Microsoft and they didn't think they should. "We've bought a copy, but if I could've gotten away with someone else I would have."
I reported this to our managing director and we agreed, not just because we were a partner, that there was no way we could in all conscience have a customer with that blatant disregard for their legal requirement. We had to tell them we couldn't work with them.

I work at a small non-profit. This non-profit ran illegal copies of Windows, Office and Outlook for many years. They were never caught by BSA or Microsoft. After much pushing and prodding, they finally came around and are now running legal copies of everything. There are organizations out there that should have had a call from BSA or Microsoft.

How the BSA Crafts an Audit

Jenny Blank, North American enforcement programs manager for the Business Software Alliance (BSA), explains the BSA's audit process:

All of our cases begin with somebody who comes to us to report software piracy. They come to our Web site or call the hotline. We take their information. Each report that comes to us is reviewed by an experienced BSA employee. This is just the first step in a process we undergo because we want to make sure we only pursue the leads that lead to unlicensed software. We're looking at things like: Is the information fresh? Was the caller [at the company in question] recently? Is the information fleshed out? Does the caller have information that gives us the color of what's going on there? After initial review, we take those leads we think are solid, and we present them to [all of] our member companies for their input.

What we'll do is assign the lead to one of our attorneys. That attorney will reach out to the company. [The message is that] this is a serious matter, but we're providing you an opportunity to work with us amicably. A company taking responsibility right off the bat is always a good thing. Everything's done electronically. What we're looking for are two things -- inventory of everything that's installed on computers from when we first contacted them, [and] any dated documentation that would show proof of ownership of that software.

We did have one lawsuit that we filed where a company had given us audit results and our information was different, so we sued them. That's not our desire. We prefer to work together. [Companies] have to certify under penalty of perjury that their audit results are correct.

We don't find [lawsuits] to be a very productive or effective way to get our message out. The cases vary enormously. Sometimes we get a company that's really cooperative. We're able to work very quickly and effectively with that company. Others fight harder and they delay. It increases their time spent focused on the audit rather than on their businesses.

When [a company is innocent], usually it's a very quick and clean situation. They can demonstrate they haven't done anything wrong. We say "thank you," and that's it.

[Fines are] paid to the BSA and are invested in our operating budget. Not a penny goes to the vendor. Every penny of the settlement comes to the BSA and is reinvested.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.