Slashdot Mirror


What's the Right Amount of Copy Protection?

WPIDalamar writes "I'm currently working on a piece of commercial software that will be available through a download and will use a license key to activate it. The software is aimed at helping people schedule projects and will be targeted mostly to corporate users. With the recent Windows Vista black screen of death, it got me thinking about what sort of measures I should go through to prevent unauthorized users from using the software. While I don't wish to burden legitimate users, I do want to prevent most piracy. How much copy protection is appropriate? Is it acceptable for the software to phone home? If so, what data is appropriate to report on? The license key? Software version? What about a unique installation ID? Should I disable license keys for small amounts of piracy, like when there's 3 active installations of the software? What about widespread piracy where we detect dozens or hundreds of uses of the same license key? Would a simple message stating the software may be pirated with instructions on how to purchase a valid license be sufficient?"

7 of 561 comments

  1. As little as it takes... by pla · · Score: 4, Informative

    Is it acceptable for the software to phone home?

    As a member of a small corporate IT department, I can tell you that (except for Microsoft itself), software phoning home for anything other than updates means instant banning of your product.



    If so, what data is appropriate to report on? The license key?

    If you insist on going down that path, what information would really help you reduce piracy? Keep in mind that, merely during the initial evaluation of your software, the same license may get used a dozen times without any intended piracy... "Yup, works on XP. Yup, works on 2k... Oops, blows a gasket on 98... Doesn't seem to like server versions...".



    Should I disable license keys for small amounts of piracy, like when there's 3 active installations of the software? What about widespread piracy where we detect dozens or hundreds of uses of the same license key?

    That gets tricky... IANAL, but only the big boys like Microsoft can get away with that BS. If you try it, you should probably prepare to get sued.

    Now, you do have one chance to block it - At installation. Even I'll allow (grudgingly) most products a one-time online activation. If at that time you deny activation and give an EASY way to contact you to resolve the problem (you can expect them to lie, and should probably just give them a new code, but it might serve as a reminder to the users that they shouldn't make too many more copies), okay, fair game. After-the-fact, though? You'll just piss legitimate users off.

  2. Protected Environments. by burnttoy · · Score: 4, Informative

    Spot on - I know plenty of people who use PCs (usually laptops) in their music and/or art studios who never connect those machines to the internet... EVER! The muso types will often strip back everything on a PC leaving a bare OS + drivers + sampler/sequencer + ASIO drivers. It's all they need and they believe they get better performance and more security without it.

    I also know, and have worked for, companies where information is so secret (mission critical biz stuff or military) that you have to use a provided laptop in a room with no windows that's shielded from radio waves... paranoid, yes, but "phone home" software is simply not an option in that case. Also, no phones were allowed in that room so manual "phone home" wouldn't have been possible.

    Also, some of us are so paranoid that we don't let anything in/out of our firewalls except our browser application. Mind you, I can still use the interweb and I've never been trojan/virused... except this damn cold I seem to have but I can't blame the internet for everything!

    --
    Time flies like an arrow. Fruit flies like a banana.
  3. gentle reminders by devonbowen · · Score: 3, Informative

    A while back I wrote an app that was key activated. The key had two components. The first was the name of the person that it was sold to (from the credit card) and the other was a hash of that name, the version number, etc. The user needed to enter both in order for it to work. (And the two needed to match, of course.) My thinking was that using the name in plain text would make it personal and encourage the user to not give it away while still allowing them to do what they thought was reasonable (running on both a laptop and desktop, for example). Basically, a gentle reminder to help honest people stay honest. The dishonest people are just going to hack your binaries anyway.

    Devon
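A sketch of the two-part key described in the comment above, added here as an example and not the commenter's code. The comment says only "a hash of that name, the version number, etc."; the keyed HMAC-SHA256, the `VENDOR_SECRET` value, the 80-bit truncation and the function names are all assumptions.

```python
import base64
import hashlib
import hmac

# Assumption: a vendor-held secret; this value is constructed for the demo.
VENDOR_SECRET = b"constructed-demo-secret"


def _tag(name: str, version: str) -> str:
    """Derive the printable key component from the purchaser name and version."""
    # Normalise case and spacing so retyping the name does not break the match.
    canonical = " ".join(name.split()).casefold() + "\x00" + version
    digest = hmac.new(VENDOR_SECRET, canonical.encode("utf-8"),
                      hashlib.sha256).digest()
    # 10 bytes -> 16 base32 characters, grouped in fours for typing.
    code = base64.b32encode(digest[:10]).decode("ascii")
    return "-".join(code[i:i + 4] for i in range(0, 16, 4))


def issue_key(name: str, version: str):
    """Vendor side: return the two components the purchaser must enter."""
    return name, _tag(name, version)


def verify_key(name: str, key: str, version: str) -> bool:
    """Client side: purely local check that the name and key belong together."""
    entered = key.strip().upper()
    expected = _tag(name, version)
    # Constant-time comparison of the entered and expected key strings.
    return hmac.compare_digest(entered.encode("utf-8"), expected.encode("utf-8"))
```

Because the check runs offline, whatever secret verifies the key has to ship inside the client; a public-key signature over the same fields would keep the issuing key with the vendor.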

  4. Wheee, my first slashdot article! by WPIDalamar · · Score: 3, Informative

    Thanks for all the comments everyone. I've been reading through them and have some ideas. Here's a scheme I had been considering that might address some of the concerns brought up.

    1) Upon purchase, user gets a license key.
    2) When installing, the software generates a random (somewhat) unique installation id
    3) The license key is checked locally, with no net connection required.
    4) Upon app startup, if there's an internet connection, the software phones home with the software version, the license key, and the installation ID
       The phone-home also gives a version-check to let the user know about any updates.
    5) We log the license key and installation ID

    Someday, we do some data analysis and find any license keys with a large number (maybe 5, maybe dozens, not sure) of installation IDs. The data analysis should look for interwoven log records of installation ID, because the user might have uninstalled it on one machine, and installed it on another. Then a person (not automated process) would get a report and be able to investigate and flag certain keys as compromised.

    What happens next?

    Do we cause the software to stop functioning? (I don't like that)
    Do we cause the web service-portion to stop functioning? (I don't like that either)
    Do we pop up a window saying, "SOFTWARE PIRACY DETECTED!! YOU ARE GOING TO JAIL IF YOU DON'T STOP!"
    Do we pop up a window saying, "Hey, this might be pirated. Go to http://xxxxx/ to purchase additional copies"
    Maybe the software does nothing, and we deal with it through customer support. A friendly email to the original purchase agent?

    I guess the goal is make honest people stay honest. As many have pointed out, it will be impossible to prevent someone who REALLY wants to pirate the software.
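The log analysis proposed in the comment above, as an added example rather than the poster's code: it separates a key that moved from one machine to another from a key whose installation IDs are interwoven in time. The log layout, the sample records and the `max_concurrent` allowance of 2 are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample phone-home log: (timestamp, license_key, installation_id).
SAMPLE_LOG = [
    ("2008-11-01T09:00", "KEY-AAAA", "inst-1"),
    ("2008-11-02T09:00", "KEY-AAAA", "inst-1"),
    ("2008-11-05T09:00", "KEY-AAAA", "inst-2"),  # reinstalled on a new machine
    ("2008-11-06T09:00", "KEY-AAAA", "inst-2"),
    ("2008-11-01T10:00", "KEY-BBBB", "inst-7"),
    ("2008-11-01T11:00", "KEY-BBBB", "inst-8"),
    ("2008-11-02T10:00", "KEY-BBBB", "inst-9"),
    ("2008-11-03T10:00", "KEY-BBBB", "inst-7"),  # inst-7 is still in use
    ("2008-11-03T12:00", "KEY-BBBB", "inst-8"),
    ("2008-11-04T10:00", "KEY-BBBB", "inst-9"),
]


def summarize(log):
    """Per license key: distinct installs and peak simultaneously active installs."""
    spans = defaultdict(dict)  # key -> {installation_id: [first_seen, last_seen]}
    for ts, key, inst in log:
        t = datetime.fromisoformat(ts)
        span = spans[key].setdefault(inst, [t, t])
        span[0] = min(span[0], t)
        span[1] = max(span[1], t)

    report = {}
    for key, installs in spans.items():
        # Sweep the interval endpoints; at equal times, opens sort before closes.
        points = []
        for first, last in installs.values():
            points.append((first, 0))
            points.append((last, 1))
        active = peak = 0
        for _, is_close in sorted(points):
            active += -1 if is_close else 1
            peak = max(peak, active)
        report[key] = {"installs": len(installs), "peak_concurrent": peak}
    return report


def keys_for_review(log, max_concurrent=2):
    """Keys whose interwoven use exceeds the allowance, for a human to investigate."""
    return sorted(key for key, row in summarize(log).items()
                  if row["peak_concurrent"] > max_concurrent)
```

An installation counts as active between its first and last log record, so an uninstall followed by a reinstall elsewhere never overlaps and is not reported.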

  5. Re:None at all by mce · · Score: 3, Informative

    ... that stays on the system after uninstalling the first piece of software (How else could it work, if you have multiple pieces of software that uses it?), and, as you say service, I assume it runs while the original piece of software is not.

    You obviously have no clue what you are blabbering about. There is no reason whatsoever why you can't have multiple independent products protected by the same third party mechanism without linking said products together. I know, because I've done it.

    In short: Nobody interested in anti-pirating wants the licensing to be in a dedicated dll, since those are easy to locate, break, and replace. Licensing code should always be fully merged into a key component of the product you're protecting and as such be "invisible". That automatically means that you can have multiple copies of it that are not aware of each other and that are automatically uninstalled together with the product they protect.

  6. Re:None at all by morgan_greywolf · · Score: 3, Informative

    I do. And I hate these things. At any place that I've worked that uses these background daemons to control licensing, due to the proliferation of various similar programs, we've had to run a special license server -- and usually more than one. FlexLM, LUM, proprietary license solutions, etc., with multiple daemons usually. A typical box might run 25 different license processes. And management is usually a big PITA, because these processes almost always break in some way sooner or later.

  7. Re:None at all by morgan_greywolf · · Score: 3, Informative

    Don't know what version of FlexLM you used, but every version I've used does nodelocked licenses by tying to a machine's 'lmhostid', which typically matches the MAC address on the machine's first Ethernet card. Hardly unique, to be sure, but AFAIK, faking the MAC address with software doesn't work (but changing it using firmware that allows the MAC to be changed does.)