The following article is based on a recent conversation with an ITAM Review reader.
Reader – Q. Who are the BSA?
The Business Software Alliance (BSA) are an international body that are financed by the biggest software companies on the planet (BSA Members).
Their work is split into two parts; education/awareness and enforcement.
One half of their business promotes the legal use of software and does PR and marketing around anti-piracy, the other half of the business takes companies to court (if necessary) to reclaim lost revenue on behalf of the software vendors.
The nature of unlicensed software can vary significantly such as:
Rather unhelpfully, the BSA collects all these different types together and labels them as – Pirate!
Q. What power do they have?
Quite a bit. Firstly they act with power of attorney on behalf of their members, who in turn are supported by their End User License Agreements (EULA’s) which you have accepted by proxy because you have their software installed.
Q. The BSA has requested that our company completes a ‘Self-Audit”
Is it a marketing style flyer or genuine letter addressed to you and your company?
(Some enforcement agencies, or companies trying to act like enforcement agencies, sometimes send speculative letters with a software amnesty, suggesting that companies complete a self-assessment, realize the error of their ways and sort themselves out. This is based on no evidence other than the fact their address is in the telephone book)
Q. No, it was a genuine and certified letter addressed to our company. They suspect one of our subsidiaries may not be properly licensed and have even quoted which specific products for which we are not licensed.
The BSA (and vendors in general) has two main sources for this information. Either via a tip-off or via some form of product activation mechanism. I am unsure whether the BSA only works on tip-offs or whether it also acts on activation information from vendors, either way they have some incriminating evidence.
Q. So this letter might stem from a tip-off from one of our previous employees?
Correct. The BSA actively encourages individuals to report piracy (see https://reporting.bsa.org/r/report/add.aspx?src=us).
“In 2008, the Business Software Alliance received more than 2,500 reports of illicit use of software by companies in the U.S. It settled 588 cases for a total of $9.5 million. The BSA also paid out $136,000 to 42 informants, with the average reward being about $3,000.” Software Piracy: The whistle-blowers’ motives
You must bear in mind when approached by a vendor or enforcement agency that they are sometimes acting on a suspicion or incomplete information. Sometimes it is simply a case of furnishing them with the remaining pieces of the jigsaw puzzle. For example a vendor might be aware of your volume purchases but not underlying OEM licenses bought via retail.
Reader letter reads as follows:
“The Business Software Alliance (“BSA”), an association comprised of leading software publishing companies, has received information that [COMPANY] may have installed illegally duplicated copyrighted software programs on its computers. Specifically, [COMPANY] may not have the licenses required to support all copies of [SPECIFIC APPLICATIONS] currently installed on its computers.
….The BSA member companies instead wish to resolve this matter amicably by providing [COMPANY] with an opportunity to conduct it’s own company-wide investigation….. (the) investigation must include an audit of all the software published by BSA members installed on its computers and a review of the software licenses and proofs of purchase, such as invoices or receipts, for those licenses.”
Note that it says “published by all BSA members”. So even though the tip-off was regarding one vendor, they might want to know about all the others. This is similar to the zero-tolerance policing policy in New York in the early nineties – if you are guilty of one misdemeanour with Adobe, we’ll check Microsoft and Autodesk whilst we’re here.
“…. Please do not destroy or replace any copies of any of the computer software products published by the above-mentioned companies that are currently installed on your company’s computers prior to a conclusion to this matter. “
At this point the BSA may be acting on evidence that you are not aware of. If they find out you are doing some retrospective deleting to cover your tracks you are likely to get the book thrown at you.
Q. What is the risk?
Fines and penalties vary by country. As a worse case scenario take the retail price of the unlicensed products, then triple that value as a fine. So let’s say you have 1,000 machines which have a $250 unlicensed software application, the total exposure is potentially $1M. ($250 x 1000 for the product, then $250 x 1000 x 3 for the fine). Add to that any bad press (see BSA Fines: The Hidden Costs).
Software companies love loyalty and predictable revenue. Which is why many companies who find themselves at the wrong end of a compliance audit without the right information to hand end up signing multi-year, all you can eat agreements. The all you can eat agreement serves as a band aid to cover up the underlying issue – that the company does not have control of it’s IT estate.
The solution is SAM.