Shakedown: How the Business Software Alliance Operates

An anonymous source writes: "I'm a faculty member at a public university which the Business Software Alliance contacted in a bulk mailing last Fall. Stupidly, our IT department invited them in to 'explain' licensing to us, and now we are trying to fend off an audit on our computers (public and private). Two questions: what kind of leverage does the BSA actually have against us? And does anyone have war stories, successful or otherwise, of their encounters with the BSA?" Although Slashdot is running this story as from an anonymous reader, we have contacted the source and believe the story is factual and the appeal for help is real. Consider this Slashdot's contribution to National Copyright Awareness Week.

The source continues: "The report that the BSA gave to our administration was filled with scary stories about other schools who tried to resist, so unless there's some hard evidence to the contrary I suspect our university will just roll over. We were told that:

• auditing software *will* be installed on every campus machine;
• the license for every program, on every machine, must be produced upon demand;
• failure to produce licenses for all commercial or shareware software will constitute prima facie evidence of illegal possession, with penalties that could range from the confiscation of the machine to the firing of the user;
• and this includes computers *personally* owned by faculty."

Sounds like they are spouting off.

[Clay+Mitchell]

While I'm of course not a lawyer, but what right does this organization have to come in and put anything on the computers that are privately owned? I think they are trying to make you THINK that they have right and you'll give them the go ahead because they've convinced you they do... while in reality you could tell them to go to hell and they couldn't do a thing about it.

One word

[pongo000]

...and that word is "outrageous." If your administration does not step in and put a halt to this egregious evasion, then you can tell them I told you they are a bunch of pussies.

Seriously: Where's the search warrant? How enforceable is a EULA with such broad contractual provisions that it forces a licensee to waive all rights to due process and freedom from illegal searches? (Before you naysayers tell me the Constitution has no bearing in this, check the facts: In many cases, BSA shows up at the doorstep with their very own law enforcement escort.)

There is a legal concept known as "blue-lining" in which a judge has the legal authority to water down, modify, or even eliminate certain portions of a previously-agreed-upon contract. I learned about this after I found myself the unwitting signatory to a capricious and completely illegal legal document. The state recognized the document as legally binding; however, the state also found the terms of the agreement were overly-reaching, capricious, and without legal standing, effectively nullifying the contract.

The reason why companies continue to write obviously unenforceable contracts is that they know the number of people willing to fight in court is very low. Most will simply roll over, expose their underbellies, and submit to being raped rather than fight.

Can I suggest MIT?

[watanabe]

There have to be a few, powerful, tech savvy universities that have dealt with this before. What about MIT? Can someone here get this poor AC in touch with the right person at MIT? I'll bet some cash that MIT does not have the BSA's software on their student cluster PCs.

Also, my 2c on this: There are a few angles. Clearly, a private institution is innocent until proven guilty under US law. So, the scare tactics the BSA is using on your University take a couple of prongs:

• For the legally not so savvy, it says "We'll sue if there's even a hint that you might not own some software! Put our software on your computers to keep us from suing."
• For the legally more savvy, it says "We can make your life sufficiently annoying that it will be cheaper to just let us put this software on your system." Then we'll go away.

To address this for both audiences at your university, you'd like to be able to prove:

1. Your university is not, in fact, legally liable to the BSA, and that it in general isn't responsible for what people do with their personal computers.
2. It will be significantly more expensive to install the software they require, than it will be to get legal counsel to tell them to go away.

My guess is both those things are true: A nicely backed up presentation proving both those points would probably quelly our nightmares. Good luck! Post back and tell us what happened.

Lawyers.

[cnladd]

At this point, the only leverage that they really have is fear - they're trying to intimidate you. This is what they've done to hundreds of other companies. They come in, use your "acceptance" of a software product's EULA as a hammer, and either force an audit (which, with the criminal penalties they throw at you, gets to be scarily expensive) or force you to pay upfront and forget about the audit.

Yeah, some people call it legalized extortion. IANAL. :)

For something like this, they should really go through your university's legal department. If the legal department hasn't gotten involved yet, then get them involved now! Get some counsel. They are the folks that were hired to protect you from this sort of thing (among many others).

This sounds just like pure intimidation to me. Especially once you mentioned that the audit includes personally owned computers. If they want to audit my personal laptop, which I bring into the office sometime, they would not send the notice to my employer. They would send it to me. Like I said before, talk to a lawyer. A lawyer, not the Slashdot crowd, can give you the best advice.

Re:You will never escape the BSA ...

[pitcrew]

In talking to a judge friend of mine you have several choices: 1. Tell the BSA to go to hell and hope they don't have probable cause to get a search warrant. If they get one they will come back with the police and then you will have a criminal problem - this is not a likely scenario for a public institution. 2. Let the BSA in and try to deal with them as best possible - however I would have my attorney do the talking to them - most attorneys don't scare too easily. 3.Tell the BSA that you are busy and to come back in a couple of weeks. In that couple of weeks clean up your act and let them in. Personally I would tell them to go to hell and make them come back with the cops. Why? So they have to fight to get into every business. If they have to do this it will eventually stop them as it will become financially impossible for them to continue. As a public institution you have a different problem than private businesses. You have a public relations problem. I'm sure that this is what the powers that be in the university are thinking about. My problem is that the BSA thinks that they are a peace agency (police agency) and they aren't. As far as I am concerned the best solution is to not deal with the software companies that support the BSA!

My personal encounter with Autodesk & M$

[Taco+Cowboy]

This is my personal encounter - YMMV !

I attended a "seminar" hosted by Autodesk and M$ several years ago. At the entrance, the pretty girls were asking us to fill in info sheets, you know, like names, address, company you work for, et cetera, et cetera.

Since Autodesk and M$ were so kind to provide us with Orange Juice (Morn time, you know), I filled in the blanks.

Never would I thought that what I filled in ended up in BSA's file, and from then onwards - 6 years already - I and the company I work for, received THREATENING LETTERS, telling us that WE BETTER COUGH UP MONEY TO BUY GENUINE SOFTWARES or they will haul our butts in slammer.

Funny thing is, the Autodesk and M$ software we used (yes, USED, PAST TENSE !) were OFFICIALLY GENUINE, NON-PIRATED COPIES !

I got into troubles with my boss, since I was the one who filled in the blanks.

No matter how we tried to tell BSA that ALL OUR SOFTWARES ARE GENUINE, the threatening letters keep coming.

It got so bad that my boss decided to scrap M$ and all Autodesk softwares, and now we run Unix and NON-Autodesk softwares.

Yes, it actually cost us MORE to change our system, but at least, BSA, with Autodesk and M$, have NO MORE CLAIM ON US.

And the threatening letters still keep coming...

Talk about insanity.

And what happened above happened OUTSIDE of the good ol' U. S. of A.

Don't think you guys in the States suffer alone.

Countersue

Tortuous interference with prospective economic advantage is a crime. They have no real basis for assuming anyone has committed a criminal act and no intrinsic authority to prosecute. Contact your local prosecutor immediately and explain the situation - that your institute is in good faith compliance with copyright law, that these people are attempting to extort from you significant financial gain and that while it is your institute's expectation and intent to comply with copyright law, these people have no right to subject you to the cost burden, nor any right to access to your systems. Get the law on your side now, because if you refuse they will attempt to get a warrant with the federal marshals. Refusing access to a borderline RICO organization is not a crime. Also get some sympathetic local press coverage immediately.

Information at
http://slashdot.org/article.pl?sid=02/01/15/07 3257 &mode=thread&tid=10.5

Be proactive. Fight back. A good tactic might be to develop an open source policy predicated on the cost of compliance with commercial software licenses being too high since even the companies don't understand their EULAs it's just impossible to do so and therefore the university will outlaw commercial software on their network.

The BSA is funded by MS, adobe, etc. If the BSA generates net positive income, they will continue storm trooping around. If it becomes a liability to have one's names associated with the organization, the underwriters will pull their support. This is a political as well as legal battle and if you don't fight, you'll be screwed, as will the next organization.

Re:Legality in doing this?

[AntiNorm]

They are not a government organization, right?

Right. And this is why they CAN NOT just march in wherever they want, whenever they want, and do their raids. They CANNOT demand license documentation, they CANNOT install software, etc. without either a court order or police and a search warrant. I would do exactly what pitcrew suggested -- tell them to go to hell.

From the article: failure to produce licenses for all commercial or shareware software will constitute prima facie evidence of illegal possession

This, IMO, is absolute bullshit. It's like the police going through your refrigerator, making you produce receipts for every gallon of milk in there, and automatically assuming that the milk you can't account for with receipts was stolen from the local grocery store. They are assuming you to be guilty until you can prove yourself innocent. This is not the way our government works (or is supposed to work); the burden of proof is supposed to be on them, not you.

Re:Legality in doing this?

[DeputySpade]

It amazes me that no matter how many times this comes up, people still don't get it. READ the EFFEN UELA! When you accept the EULA from MS, Oracle, or whatever closed min^H^H^H source software, BSA participating company you purchase from, you agree to let the copyright holder _OR_ANY_DESIGNATED_ASSIGNEE_ come in and audit your system for license violations. And as for the idea every seems to have about simply making a quick switch to OSS, DON'T! if the BSA comes back tomorrow and can't find ANY software under their jurisdiction on ANY machine, they will assume that you blew it all away to cover up the fact that you were using it illegally. They will then want you to prove that you didn't try to destroy evidence! Trust me. I've been through this before.

Re:well within their rights

[Kamel+Jockey]

if you don'thave any illegal or pirated software, what have you to hide?

This kind of thinking is precisely what the BSA is looking for. If you are stopped by a cop and you consent to a search of your vehicle, then anything illegal that the cop finds can be used against you, because you consented to the search. For example, say you go out of state and purchase a bottle of liquor and you put it in your trunk (out of plain view), on your way back, you get pulled over for speeding in your home state. The cop asks you to search the car, you say yes, and BAM! In addition to a speeding ticket, you are also busted for illegally importing alcoholic beverages (in many states, this is a crime). Yes, you may not have had any idea this is illegal, but you are nonetheless responsible for it because you consented to the search. Unless the cop has actual probable cause to believe you have comitted a crime (e.g., your car/license plates match the description of a vehicle used to commit a crime), they cannot forcibly search your vehicle.

Given this context, and how the BSA is strictly out to get you (whereas the cops are not), they most likely have ways of finding "illegal" things (that you did not know were illegal) and nailing you for them. The only way to prevent this is to not cooperate with them. Bring in the lawyers and make the BSA prove its case against you.

Re:Go open source

[ivan256]

You don't have to go completely open source either. Keep a few Windows PCs and Macs with the proprietary stuff and let the BSA worry about those. You can fix the bulk of the problem by converting the bulk of the machines completely to open source software; the BSA can spend as much time as they want crawling around those machines.

That would be great except that the MS site licenses for universities require you to purchase licenses for every machine on your campus, wether it runs windows or not.

Re:Legality in doing this?

[jgerman]

The BSA has no authority in this matter EULA or no. You cannot sign away your constitutional rights. As far as making a quik change to OSS. Again, I don't care if they swear till they're blue in the face that there was un-licensed software running there yesterday, it isn't today, and that's all that matters.

Also, they absolutely CANNOT demand to install auditting software on those machines. That's theft in my book. They are forcefully taking away my cycles.

Furthermore, they can't attempt to enforce a EULA that they don't know you accepted. Until they audit they have no way of knowing that you have EULA covered software on your machines, until they know you have EULA protected software on your machines they have no right to audit those machines.

Re:As a CIO myself...

[dschuetz]

The CIO here is absolutely right -- talk to your lawyers, and above all, do what they tell you. I don't need to describe what the career path might be for someone who ignores the lawyers and opens their employer to a million-dollar settlement.

I had some thoughts about all this while out getting lunch, and now that I've posted my idealogical rant about "innocent until proven guilty" obviously not applying in the civil world, I'll try to be, like, constructive for a moment.

First, any lawyer (and most of the posters here today) is going to tell you that it's cheaper to simply buy all new licenses (or whatever the BSA is demanding). Rifle every likely file cabinet for existing licenes, then buy the difference. Either way, you still need to do your own audit.

On the other hand, if you're at a school with a strong reputation, lots of prestige, and even more money, and if your president believes there's a moral victory worth fighting (and paying) for, then I have some thoughts that I at least find intriguing:

• An early response might be "Oh, wow, this could be bad. Okay, we'll work with you. Here's how we'll do it. Here's exactly how we'll do it. And it'll take some time. But we'll be with you all the way, show you what we've done, give you monthly updates, etc." Look for documentation on your internal hardware inventory process (I'm sure you've got one, when I worked at UMCP I had my PC inventoried by like 5 different departments in one year), and use that as a starting point to justify the length of time you're expecting the audit to take. [I think this is the best response, since, ultimately, you'll probably need to do an audit eventually, anyway. Cooporate, but on your own terms.]
  
• Refuse (in legal terms) to deal with BSA. You haven't got any software from BSA (you can't, they don't sell software). Offer to deal with Microsoft, if they send you a letter from their legal team on their letterhead.
  
• Agree to do an audit, but only if BSA pays for it, on a time and materials basis. Present them with a nicely-detailed starting point for the process of actually doing the audit, how long it'll take (see above), how many people it'll take, and how much it'll cost. Tell them that you're pretty sure you're in compliance, but if they want to force an audit, they'll have to pay for it. This is an extension of the comment above, and might be the 'best' out in that you get them to foot the bill. It'd be a victory for both sides, more or less.
  
• Ask them why they've come to your university. Have they had an anonymous tip? Did they see people selling university-stamped materials on eBay? If they simply say that, stastically, there's "probably" piracy happening here, require better justification before you spend any more time with them.
  
• Require them to limit the scope of the search. If their tip came from someone in the Sociology department, limit the audit to only those machines in that department. If they got a tip that "everyone here is copying MS-Office," limit the audit to only look for the most recent version of MS-Office.
  
• If you've gotten this far, then they're probably going to a judge. Ensure that your school is represented at the hearing for the subpoena they'll use to force you to audit. Try to cast the situation in the same light as a search warrant: Police need a specific warrant for a search, showing just cause for the search, and specific targets to be searched, and specific items to search for. No cause, often, no warrant, in my understanding.
  
• Or get it to be treated just like a subpoena for a deposition -- with specific areas of discovery outlined. No judge (I think) would issue a subpoena for a deposition that says "go talk to this guy and ask him anything you want." Instead, the lawers are required to stick to a narrowly-defined scope of questions that directly pertain to some particular action. Try to get the judge to see a parallel between that situation and the BSA audit request.
  
• Ultimately, maybe you can find a lawyer gutsy enough to throw RICO at 'em. Hell, this is just this side of a protection racket on behalf of Microsoft, anyway.
  

Of course, my initial point still stands -- do your own audit, cheaply, and simply pay for the difference. And, most importantly, build a good system (centralized database backed up with a fire-safe holding physical license papers for the whole school) to track this stuff, and re-audit every 6 months. Or even more frequently. (client-side tracking software is obviously going to be in your future....)

Good luck!

Re:Legality in doing this?

[letxa2000]

When you accept the EULA from MS, Oracle, or whatever closed min^H^H^H source software, BSA participating company you purchase from, you agree to let the copyright holder _OR_ANY_DESIGNATED_ASSIGNEE_ come in and audit your system for license violations.

I think it is high time these damn EULAs get properly tested in court. I have a feeling they will ultimately fail the legal test. It's absurd that you "have" to read more legalese to install a piece of software than to buy a car (assuming you pay cash). It's also absurd that you can't read the legalese until you've purchased the software, opened the packge, and many times broken a stick on the internal CD sleave that reads "Breaking this sticker indicates your acceptance of the EULA"--which you see once you install the software.

Last I heard, ripping a sticker wasn't quite as legally binding as a signature.

The BSA coming charging in would be a perfect opportunity to test a EULA. Unless they come with cops and a warrant, you can tell them to take a hike even if they have a signed contract (which they don't). Tell them to get a court order. They may do that and they way try to sue you: But they'd sue you for violation of a contract, not copyright infringement. You could then argue that the EULA is invalid. Aside from the issue of whether "clicking accept" forms a contract, the EULA is invalid because no contract (in the United States) is enforceable if it abdicates a recognized right of one of the parties--in this case, unreasonable search and seizure.

You, as an adult can sign a contract that says you will never marry, that anyone can search your home and kill your sister--all three of those clauses will not be enforced by a court because they abdicate recognized rights that CANNOT be taken away by a contract. Otherwise many labor laws that protect workers would be useless since workers would just be forced to sign away their rights. You can't do it. You can't sign away your rights (well, you can, but no court will enforce them).

I think it'd be great if a BSA-initiated conflict resulted in the definitive invalidation of EULAs! :)

The Audi Tool is called GASP

Their audit software is called GASP and it's not available for Non-Windows or Non-Mac users. Darn!

http://www.bsa.org/usa/freetools/gasp/

Check it out, they have an EULA for GASP... I guess they'll want to see the EULA for each machine they install it on too.
http://www.bsa.org/usa/freetools/gasp/gasp_c .phtml