Slashdot Mirror
Ask Slashdot: Dealing With the Business Software Alliance?
Kagetsuki writes "We've just gotten a letter from an attorney representing the Business Software Alliance stating someone (we're certain it's a disgruntled former employee) submitted information we are using illegally copied software. The thing is... we're not using illegally copied software. We have licenses for all the commercial software we are using. Still, according to articles on the BSA, that's irrelevant and they'll end up suing us anyway. So we now need a lawyer to deal with their claims and we don't have the money — this will surely be the end of the company into which I've sunk all my savings and three years of my life. Has anybody dealt with the Business Software Alliance before? What action should I take? Is there any sort of financial recourse, or at least a way cover our legal fees?"
Everything I've heard about the BSA is that they employ our now corporate police departments to force audits/etc.
If they don't find shit, they don't have shit.
With that in mind, do your own audit first .
You have licenses for everything? Really? Even the software that wanker down in the mail room installed on his PC? Not yours? Not for work? Wasn't you, was just the employee?
Doesn't matter.
Don't agree to any BSA demands or requests. Find a lawyer experienced with dealing with the BSA.
If you agree to an audit, it's highly probable they will find something illegal, regardless of whether you did anything illegal or not. You need a proof of purchase for every copy of an installed software product. If you use a Windows environment, you need proof that you had sufficient CALs for everything, on effective audit date.
If anything's not in order, or you can't find one proof of purchase for 1 license of XXX, the BSA will insist the software is pirated (even if you bought it good and legal), tack on huge fines, etc
"We've just gotten a letter from an attorney representing the Business Software Alliance stating someone (we're certain it's a disgruntled former employee)"
Be prepared to sue that former employee, for all damages and costs your business incurred as a result of their allegation, If they made a frivolous/false claim that hurt your business, and you can show who it is, take them to court. Maybe they (and others) will think twice, before making false reports to the BSA racket people.
The BSA needs their evidence to sue you, make sure you force the BSA to divulge the identity of the person reporting. Again, you will need legal counsel to help you with this
My guess is that if you let them in the door you will be screwed.
Keep in mind that while they like to act as if they are a government / law enforcement agency they are merely a private party that is hoping that people will be impressed enough with their act to hand over enough information to hand themselves.
We sent an affidavit stating that we had appropriately licensed software, detailed the number of employees, provided ****'d out license numbers, etc.
They then said they wanted to put a laptop on our network to verify all our license numbers. We told them to f@ck off, that we'd provided them more than enough information, and that we'd be happy to speak to the police if they thought a crime had been committed.
We never heard back from them.
Google is your friend, turning up this 2008 advice column.
Abstracted:
- 1. Retain a lawyer, don't go it alone.
- 2. Cooperate—carefully, the BSA's attorneys stay on retainer by maintaining a high recovery rate.
- 3. Don't let the BSA's rhetoric intimidate you.
- 4. Don't rush out and buy any software.
- 5. Preserve evidence with confidentiality.
- 6. Find your allies.
- 7. Create a compliance plan.
- 8. Negotiate non-monetary aspects.
Luke, help me take this mask off
While you would think that being reasonable and cordial is the right thing to do, you've given the BSA a letter they can use against you. If they find even one copy of software which you can't find the receipt, they'll use the letter. Get a lawyer first which will advise you of what to do. Remember, the BSA has started out with a threat not a cordial letter themselves. From that stance I would surmise that even if they are wrong, they don't care.
Well, there's spam egg sausage and spam, that's not got much spam in it.
We had a lawyer and had him draft a letter requesting information on what they claimed was illegal. Then we offered to show them the results of an internal audit. We also offered to submit to a third party audit that BSA would have to pay for. After lots of meetings and lots of legal wrangling the BSA went away empty handed. One small difference was we were running non-licensed software and were in violation. It was a web design house with 8 graphic designers and not one legal copy of Photoshop, Illustrator, etc. Since the BSA provided us with the list they claimed was illegal, we scrubbed it from the offending boxes so as to appear legal. Then over the span of the next 2-years we bought all of the licenses needed to cover our butts. This cost over $120,000 in software licenses. Far cheaper than what the BSA wanted. But the lawyer was key. Check with the Bar in your area for a probono lawyer. Perhaps you can find someone willing to work on a sliding scale. Also check with the Small Business Administration for ideas for legal help. Good luck.
Carpe Scrotum - The only way to deal with your competition.
NO! NEVER SAY ANYTHING YOU HAVEN'T RUN THROUGH YOUR OWN ATTORNEY TO AN ATTORNEY ON THE OTHER SIDE. There are so many problems with it. Anything you say can be twisted by them. At a minimum, the "Thank you for bringing this matter to our attention so we can put it to rest," could be construed as an admission that you thought you may have had piracy. Thereby negating any counterclaim and potentially surviving different motions to get rid of it earlier.
Short answer: don't say anything until you get an attorney.
I worked for an engineering company who said they couldnt justify the 25 licenses of autocad civil3d they were pirating (but also said they needed them to maintain the workflow they had) and said that they didnt care about my liability in the matter being the only IT person in the company. I turned them in. The BSA offers a reward, and at first they tell you that if they have to use your testimony they cant give you anything (it would be like paying for testimony) but they tell you that its rare that you ever have to actually use your testimony as the companies generally settle. If it gives you any comfort, the person that turned you in will not get any reward. the BSA find ways to make it so they dont have to pay out the reward for ratting you out. Now as far as your legally obtained software. Scan your PCs for software installed and make sure you have Purchase Records of all software installed that requires a license. this is what any lawyer you hire is going to want. the purchase records are there to prove you had the licenses prior to them coming to you stating that you didnt. the legal group the engineering company I worked for used was Scott and Scott, iirc they are a bit pricey but they will minimize any fines or fees that could hit you from them. I say do your own due diligence first, then see where you stand. just because you didnt authorize the install of software doesnt mean you have not had an employee installing any and everything they could get a serial generator for, which on your machines, means you are responsible for it. Oh also dont go formatting and reinstalling the OS on all of your machines. this looks bad if it goes to court like you were trying to hide something according to the lawyers at scott and scott. I regret doing this to the engineering company myself, but in the end, they are better off for it. Autodesk gave them a huge break on network licenses for their CAD software, and they are now operating 100% legit on the software side for less in fines than it would have cost to buy the stuff out right.
Shit, boys, I think they got to this one!
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
We've just gotten a letter from an attorney representing the Business Software Alliance stating someone (we're certain it's a disgruntled former employee) submitted information we are using illegally copied software.
Reply to the letter like this:
We are in receipt of your correspondence reference ____ dated _____. Could you please advise details of the claim. What software is claimed to be in breach?
Send the reply by registered mail and then do nothing more until you receive a reply.
Engage a lawyer who is experienced with the BSA.
As soon as you are done with your BSA nightmare, I advise you to stop using proprietary software. If Ernie Ball can do it, so can you.
Not really. That's why the GP pointed out that this is a civil, rather than a criminal matter. In criminal cases we have the principle of "innocent until proven guilty," but that's not true in civil cases. For civil cases, the judgment is supposed to go to the party that offers the preponderance of evidence in favor of their argument. If the BSA comes in and says it has an affidavit from a former employee that says he was eyewitness to license violations, and you come in with "no, we're fine"... well, that might not cut it. You'll want to provide some evidence in your favor.
Do you have a receipt for every copy of Photoshop or Office your company is using? Do you have the original media with the label showing the serial number? No? Well how did you get those serial numbers, then?
If it gets to the point that you're going to trial and you allow the BSA to determine the terms and nature of the audit, you will probably lose. What company doesn't have a few license violations here and there? Whether the violations are intentional or not, if you come before a judge and swear you are in absolute compliance and you have no reason to deal with the BSA, and the BSA shows proof of license violations, it will look bad for you.
Breakfast served all day!
No, do not do this. Do not have any contact with them that's not through a lawyer. This is very important if it should ever go to court. And yes, BSA hates going to court. That's exactly why you should do it this way. Document the hell out of everything.
Have a lawyer draft a letter saying you're in compliance, have them send it, registered mail, to the BSA. This should not coast more than $150 or so.
There is a 90% chance that the BSA will back off when you do this. They will see you aren't a pushover. If they ever show up at your door without a subpoena, ask them to leave. Then call the cops.
Posting near the top to state the bleeding obvious- 99% of Slashdotters are IANALs and many will offer advice that sounds sensible to them, but may turn out to be woefully misguided and possibly have unintended consequences and land you in hot water (e.g. advice like this). This is because the legal system does not always actually work like geeks think it does (regardless of whether it *should* work that way).
Bottom line- unless the person is a lawyer, or has actual experience of having gone through this (and the consequences that ensued), you should not be taking their advice. And as I said in the post linked above, the problem is sorting out the ones who *actually* know what they're talking about from the armchair lawyers arrogant enough to think that they do.
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
I'm really glad the software shop I'm working with is on Linux. No Windows crap in sight. We could get one of those BSA letters and all have a good laugh.
I feel sorry for anyone that has to deal with the BSA. My condolences, but you should have chosen software without licensing issues. The idea of keeping track of the sales receipts as well as the licenses themselves is ridiculous. What would they do if you paid cash for the licenses? The source of the license does not matter as long as the license itself is not a forgery.
Still, according to articles on the BSA, that's irrelevant and they'll end up suing us anyway.
First off, do not despair. That's not going to do you any good.
Don't be afraid to tell the lawyer that you don't have any money during your free initial 30 minutes consultation (assuming you're in the US, call your local State bar association for a referral). I'm sure that you'll be able to work something out with him or her.
For now, read the article quoted below. The point of that article is that you can do a lot of this work yourself, but that you should still hire a lawyer to at least "supervise" the self-audit process and act as a go-between.
Now the article doesn't mention it, but if I were you I'd check that any old computer laying around the closet has current valid licenses. Whatever happens, make sure you do not get penalized for super old hardware that you're not even using anymore. Also, start inspecting any computer the disgruntled employee has had access to. You never know what he may have installed on there without your knowledge. It's good to go in this with your eyes wide-open.
And then, try contacting the same types of companies in the same niche industry as yours, chances are that they're not just targeting you -- since they recently increased their volume of enforcement letters. So if you can find others within the same jurisdiction as yours, with a similar predicament, you may be able to band together and pool resources.
http://www.baselinemag.com/c/a/Projects-Management/What-to-Do-When-You-Receive-a-BSA-Audit-Letter/
Let's face it, software asset management (SAM) might be a best practice, but there are still plenty of organizations out there who haven't instituted SAM due to a lack of resources or initiative. If your organization is one of them and the Business Software Alliance (BSA) hasn't come calling yet, there's still time to get your house in order. But once that BSA threat letter hits the mailbox, the ballgame changes.
The BSA is known to be a persistent enforcement agency which rarely grants clemency to organizations once it begins settlement proceedings. The following eight tips are offered by two attorneys who specialize in BSA defense cases; they give advice on what to do once your business receives a letter requesting a BSA audit.
1. Retain a lawyer.
The BSA is an efficient organization when it comes to extracting punitive damages from companies found to be in a non-compliant licensing situation—its experts and lawyers know copyright laws inside and out because that is all that they do. For that reason, Scott recommends seeking legal counsel as soon as an audit request is received from the BSA.
"Whether the attorney is working in-house or outside the firm, don't go it alone," you have an audit," said Rob Scott, partner at Houston-based Scott and Scott. Scott said. "The BSA has very experienced attorneys working for it and this is a very complicated process. It involves not only the legal issues related to copyright law, but also it subsumes with it all of the software licensing rules because the copyright claim that lies underneath the BSA audit matter is related to the software licensing rules."
2. Cooperate—carefully.
As much as a business person would love to screw up their eyes and wish the BSA away, the trouble will only multiply through inaction. Though the BSA is not a law enforcement agency it is acting on the behalf of the software companies and it will take matters to civil court if a business does not cooperate with the self-audit process and settlement negotiations.
"When you get a letter from the BSA do not throw it away," said Steve Helland, partner at the Minneapolis-based law firm of Fredrikson and Byron. "That is a serious tip, because some people think that 'Oh if I ignore this it will just go away, but the cases where the BSA is most likely to file in court are where they think there has been infringement and they don't get any response
First order of business, pull up information on the lawyer that initiated contact with you to determine how much experience they have at the firm. If you're a small company they may have someone with limited experience, say three years, and if so, argue as much as possible and you may distract them from one of my other points.
Secondly, forget anything you believe to be true about software licensing and forget about license agreements included with software. What Microsoft, Autodesk, Adobe, etc. licensing department tell you on the phone and what they state in their licensing terms is not true and will not hold up legally unless you have more money than the fines to afford lawyers to fight the big guns. It's not a legitimate license unless you have a receipt. This is important, I repeat, you do not have a legitimate license unless you have a receipt for it. It doesn't matter if it's past 7 years, you have product keys on the side of your chassis, or you have discs; you must have it on the receipt.
Thirdly, do not provide information unless you're specifically asked for it. Read what they've requested, interpret it as literally as possible and if that allows you to include some information and not include other information. This point may not seem relevant to you and I'm not going to get into detail, but I want you to consider this point for at least an hour as the outcome may have a huge monetary difference.
Fourth, you can't buy stuff now and attempt to pass it off as something you'd purchased before they served you. Don't even consider back-buying software you didn't own before. Date of receipt ties into point number two.
Fifth, consider how they obtained this information and how much the person who provided it really knows. I won't give you advice on what to do with the software this person may not be aware of but I'd ensure your file servers are Linux and if you've ever made a transition from Windows to Linux, hopefully it was a transparent process to the users.
I won't get into details over our case as it cost us a tremendous amount of money, five figures, and at the same time, they may have missed a lot of stuff (the site is certainly fully legal now). If you have any other questions, feel free to fire them off and I'll try to answer as well as possible. The best advice I can give you is to consider this a logic problem.
In order to pass the BSA's version of an audit, you don't just need receipts. You need receipts that:
1. Show retail purchases. In spite of the fact that it is perfectly legal to sell and purchase used software, the BSA pretends it's not. If you have a not-retail receipt, it's worthless.
2. Show a date prior to the first contact from the BSA. If you have an un-dated receipt, it is worthless.
3. Show the title of each piece of software purchased, on its own line item (quantities of identical titles are fine), with a line item price. You likely can't provide this for the copy of Windows that came with your PC.
4. Show the name of the company being audited. Did one of your employee's buy it and get reimbursed? Worthless. Do you have company cards that show employee names? Worthless. Did the retailer not print the billing information on the receipt? Worthless. Was is purchased by a company you bought or merged with? Worthless
If you're incensed enough by now to invite the auditor's in, knock them on the head and bury them in the hill, good for you. But you'll likely want to pursue a more subtle response. An attorney is absolutely necessary, if for no other reason than that the lack of one will make you look like easy pickings. Winning this game is about paperwork, stalling, bluffing and bargaining. Once you retain an attorney, their advice will probably be to not respond outwardly until forced to. The BSA doesn't necessarily follow up on every nastygram they send. Responding when you don't have to is acting like a mark.
If the process does progress, remember at all times that what you are involved in, more than anything else, is a long, drawn-out negotiation. The BSA is out to scare people and fund itself. You want them to believe that you are worth very little and come with a big price tag attached. Everything is negotiable, every decision is mercenary.
I agree with the above, but I would go further.
Ask that they state which software package is being used without proper licensing and on which machines so that you may properly investigate it yourself.
If the police come to your door and say, "I know you are breaking the law because of an unnamed snitch, please allow me to look around to see what I can find to use against you...and by the way, I get a commission from convictions." Would you allow them in?
Fight Spammers!
I'd pursue some form of extralegal remediation against that disgruntled former employee. And then follow it up with the same against the BSA lawyers. If the legal system doesn't protect the little guy, then nobody should be surprised when the little guy takes care of business without it.
I'm sure threatening to have the BSA's arms ripped out of their sockets because they're winning will go over great when they take you to court, Chewie.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
No, this isn't legally gray. You're describing an attempt to shield assets in a way that is completely illegal ("fraudulent transfer" is the legal term). You can't possibly imagine that this would work for more than a week, can you?
Get legal help, now. The BSA will need to demonstrate that there is a real question about whether your software is "illegal" or not. If you have reasonable records, a judge can (can't promise that, though) grant a motion for summary judgment in your favor, dismissing the lawsuit.
Make it go to trial, and seek punitive damages if you can either from the former employee or the BSA for filing a frivolous lawsuit.
-- Anonymous coward (almost a lawyer)
Of course. Example: I used to run IT at a graphic design firm, where the designers were always hungry for more memory and faster CPUs. Each time they got a new Mac, I'd set it up with all their software and maybe swap it out while they were on lunch. As soon as I did that, I was in violation -- two Macs had copies of the same software with the same serial on them! Technicality? The vendor would probably give you a break for it? Sure. But what does "give you a break" mean if it's already heading for court?
Thinking about graphic design firms again, just suppose you were completely on top of it and had all your licenses for Photoshop, Illustrator, etc. in order. (We were actually pretty good about this.) What about fonts? Every font is a copyrighted piece of software. Is every computer in your shop with a copy of a font on it licensed for that font? Are you sure? Suppose one of your partners, clients, or a contractor e-mailed one of your designers some files and included the fonts in a Zip: violation. In fact, I'd wager if you don't have a site license from Adobe then you're almost certainly in violation -- and sometimes even then.
What about servers? Is your server software licensed based on the number of clients? Does it have a hard control over how many clients can connect to it? If it doesn't, are you sure you're in full compliance? Have you hired anyone lately?
There are countless examples, and most of them happen without actual malice. Unfortunately, nobody has to prove malice.
Breakfast served all day!
This is both a question and a point but don't US courts require at least basic evidence before a suit can be brought?
Not generally, no. They require that the "pleading" or "complaint" state a claim on which relief can be granted, but they do not require evidence before you bring the suit. Evidence is produced through a process called "discovery" after the courts are formally involved (although they don't really do anything during discovery, and asking them to because you're in a fight about whether something is discoverable usually gets them mad at you. They don't like to get down in the mud, as it were). If there is no evidence after discovery, the matter will be dismissed, but if there is conflicting evidence, it will go to trial (usually).
At least, that is true in theory. In reality, the VAST majority of cases are settled.
They do require a little more than they used to--pleading standards were raised within the last few years--but they are not terribly high. The higher they are, the harder it is to sue someone who really deserves it but tries to hide evidence; the lower they are, the worse one can be harassed and the more someone can use lawsuits to reveal private company information.
Still, if you have absolutely no evidence--not even the testimony of someone who knows something happened--it would be highly inadvisable and possibly criminal to file a lawsuit. YMMV, IANAL, and consult an attorney if this is any way relevant to you, rather than purely academic.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
(IANAL, but an ex-paralegal.)
Better:
Dear BSA Attorney,
Thank you for your note of the 29th. We've reviewed software use at OurCompany and we have found no unlicensed nor unlawfully copied software.
We ask you:
Who has made these allegations against us? What precisely was alleged? Was there any ostensible evidence proffered to support these allegations?
We hope that our review has put these unfounded allegations to rest, and look forward to your reply,
You
If they want an audit, the reply to the request should note that you have privileged and proprietary information on your machines, that supervising the audit to ensure the security of this information and compensating for interference with and interruption of the operation of your computer systems will result in damages to your business, and while you are neither agreeing to nor refusing a software audit at this time, in discharging your obligations to your shareholders [and/or partners, investors, employees, etc. as appropriate] you would need non-disclosure agreements protecting your proprietary and privileged information, scrutiny of the backgrounds and prior approval of any proposed auditors, an agreement as to the limited scope, methods and purposes of the audit, a prior agreement as to the standards and consequences of such an audit, advance compensation for legal and other fees associated with the negotiation of their proposal and its implementation, and arrangements for specified compensation for any potential harm that might occur to your business, with acceptable performance bonds posted to ensure prompt compensation for any such harm. Further, you should request the full text and specifically applicable sections of any alleged potential contractual agreements which they believe may grant them any rights or impose any obligations to them by your company, with a notification of estoppel for any contractual claims of which they have not notified you, and reserving the right to dispute under estoppel, fraud or other theories any putative contractual claims made by them founded on the basis of alleged contracts to which both your company and the BSA are not both parties, putative contracts which were not signed, putative contracts which were not witnessed, putative contracts which were not sealed, putative contracts without demonstration of valid consideration, putative contracts in violation of law or public policy, including but not limited to: fraud, unconscionable, immoral, or impossible terms, coercive or misrepresented terms, those violating laws against barratry, maintenance, champerty, tortuous interference, frivolous and vexatious claims and litigation, and strategic lawsuits against public participation as well as any sections of such contracts violating , attempting to violate, or purporting to create a right to violate any of those laws or policies, or abridging, modifying, infringing or attempting or purporting to create a right to abridge, modify, or infringe any contractual rights assumed by law, including but not limited to peaceable enjoyment, warranties, implied terms, fair dealing and any other rights, privileges or legal theories which may be applicable to the case.
(Always use "alleged" or "putative" in connection with any "contract" which you might not want to follow slavishly - do not admit to the validity of any contracts with the BSA!)
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery?" - Patrick Henry
Unless you signed a contract to that effect, the burden of proof is on the BSA to prove that you in fact are using the software. Unless you have installed and used the software, you have not agreed to the license. Therefore, unless you are using the software, the BSA has no right to audit you. Now, unless the apps you run have a "phone home" feature or use some other online key verification, there are only three ways for the BSA to prove that you are using the software: you can admit to using the software, you can let them come into your place of business and they can observe it, or they can file a lawsuit against you and force you to disclose it during discovery.
If you neither confirm nor deny that you are using any particular piece of software and refuse to let them in, their only option for obtaining proof that they have the right to perform the audit in the first place is to go to court, file a suit, and perform discovery. Thus, unless their evidence is fairly strong, they'll probably back down if the first thing that happens involves your lawyer telling their lawyer to fuck off.
If they do not back down, that's a sure sign that you have some serious compliance problems, and you need to get somebody in there to audit all of your systems ASAP. The folks at BSADefense.com recommend that you have an attorney conduct the audit. This places the results of the audit under attorney-client privilege, meaning that they cannot be obtained by the BSA during discovery. That seems like good advice to me.
As always, the usual caveats apply. IANALBIPOOSD.
Check out my sci-fi/humor trilogy at PatriotsBooks.
A consultation will not cost as much as you expect. Gather up all your licenses, receipts, and certificates and have him send copies to the BSA along with what is euphemisitically called a "robust" response. You'll probably want to threaten to claim vexatious litigation and assert that you will ask that legal expenses be awarded. Don't let them do an "audit".
And in the future, perhaps you might want to consider not doing business with BSA members. There are alternatives. Just a thought...
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I don't happen to find any other post that mentions the elementary fact that unless you signed an agreement somewhere that gives the BSA the right to make an audit, you can just tell them to STFU and GTFO. If you bought everything at retail, for example, Best Buy, Provantage, PC Connection, etc, no such agreement would apply. It's when you buy site licenses or have to sign an agreement to make the purchase that you get roped in.
If there's something in the shrink wrap somewhere, then it gets murky. That's where they can claim that you "agreed" to something you never did, just by opening the package.
So step one is to ask them for their explicit basis of authority in your case.
If they want an audit, blah blah blah which may be applicable to the case.
That "paragraph" consisted of only two sentences, one of 176 words and the other of 235. Only a lawyer can abuse language in that manner. I call bullshit on your claim - you are a lawyer, aren't you?
Ahh - My eye!
The doctor said I'm not supposed to get Slashdot in it!
Stop treating employees like shit. For an ex-employee to goto this trouble. You had to have done something to deserve it.
Not really. Asshole employees are fired regularly, and the BSA has commercials running saying things like "just fired? Report your ex employer and earn a reward!"
if someone at NASA and Thiokol had 'snitched' on their management to the media, then the Challenger would never have gone up in cold weather, the o-rings wouldn't have failed, the gas wouldn't have erupted into the main tank, the tank wouldn't have ruptured, and 7 people would be alive.
but hey. i guess 'not snitching' is more important than the lives of seven people.
glad you have your principles in the right place.