What's the Right Amount of Copy Protection?

WPIDalamar writes "I'm currently working on a piece of commercial software that will be available through a download and will use a license key to activate it. The software is aimed at helping people schedule projects and will be targeted mostly to corporate users. With the recent Windows Vista black screen of death, it got me thinking about what sort of measures I should go through to prevent unauthorized users from using the software. While I don't wish to burden legitimate users, I do want to prevent most piracy. How much copy protection is appropriate? Is it acceptable for the software to phone home? If so, what data is appropriate to report on? The license key? Software version? What about a unique installation ID? Should I disable license keys for small amounts of piracy, like when there's 3 active installations of the software? What about widespread piracy where we detect dozens or hundreds of uses of the same license key? Would a simple message stating the software may be pirated with instructions on how to purchase a valid license be sufficient?"

As little as it takes...

[pla]

Is it acceptable for the software to phone home?

As a member of a small corporate IT department, I can tell you that (except for Microsoft itself), software phoning home for anything other than updates means instant banning of your product.



If so, what data is appropriate to report on? The license key?

If you insist on going down that path, what information would really help you reduce piracy? Keep in mind that, merely during the initial evaluation of your software, the same license may get used a dozen times without any intended piracy... "Yup, works on XP. Yup, works on 2k... Oops, blows a gasket on 98... Doesn't seem to like server versions...".



Should I disable license keys for small amounts of piracy, like when there's 3 active installations of the software? What about widespread piracy where we detect dozens or hundreds of uses of the same license key?

That gets tricky... IANAL, but only the big boys like Microsoft can get away with that BS. If you try it, you should probably prepare to get sued.

Now, you do have one chance to block it - At installation. Even I'll allow (grudgingly) most products a one-time online activation. If at that time you deny activation and give an EASY way to contact you to resolve the problem (you can expect them to lie, and should probably just give them a new code, but it might serve as a reminder to the users that they shouldn't make too many more copies), okay, fair game. After-the-fact, though? YOu'll just piss legitimate users off.

Protected Environments.

[burnttoy]

Spot on - I know plenty of people who use PCs (usually laptops) in their music and/or art studios who never connect those machines to the internet... EVER! The muso types will often strip back everything on a PC leaving a bare OS + drivers + sampler/sequencer + ASIO drivers. It's all they need and they believe they get better performance and more security without it.

I also know, and have worked for, companies where information is so secret (mission critical biz stuff or military) that you have to use a provided laptop in a room with no windows that's shielded from radio wavs... paranoid, yes, but "phone home" software is simply not an option in that case. Also. no phones were allowed in that room so manual "phone home" wouldn't have been possible.

Also, some of us are so paranoid that we don't let anything in/out of our firewalls except our browser application. Mind you, I can still use the interweb and I've never been trojan/virused... except this damn cold I seem to have but I can't blame the internet for everything!