Bienvenidos, and a Word about Developer’s Rights
It’s about time, I think, that I started some sort of public blog. I had one before, except then some friendly people who actually knew me got the link and had a bit of a field day with it. So I shut them off from it. That was in May 2003.
So almost two years later, I’m trying something different. Because there’s a nicely sized Intraweb out there, and I’m looking to actually have something of mine available to it. Thus, I established this. Apologies for the name, I’m truly not that inventive (though I capitalized the B in blog to prevent any mistakes in word-separation). Your ideas are appreciated. But we’ll see how this goes.
First on the agenda: developers, how they protect their applications against piracy, and how far they can and should go. In the interest of disclosing relevant details of my background, I am not a commercial software developer, and I’m not running a single piece of pirated software on either my computer or my PDA(s). Personally I rely on freeware and open-source software because I’ve found they can usually get the job done for my needs just as well as any commercial program.
There was a case in the 80s, the reference to which I credit to a poster in a thread to which I will link later, about a subway vigilante. It’s rather interesting if you’re unfamiliar with the case; it’s basically the case of a man shooting four kids because he thought they were robbing him. What does that have to do with software piracy? Keep reading.
Slashdot had an article about this in September. The idea is that a software developer, frustrated with the spread of pirated versions of his product, threw in some code to his 1.0 release that detected illegal serials and erased the user’s home directory if such a serial was used. He bent under the pressure, though, and the code was removed. (So was the product.)
Then a couple days ago we learn of the presence of similar code in a PPC program called Pocket Mechanic. The discussion over at Pocket PC Thoughts (linked above) is actually somewhat thought-provoking, but the general consensus seems to be that these kinds of anti-piracy measures aren’t where developers should be taking their software.
It does get a bit more involved, though. Posts from around the ‘Net suggest that such code has been in place since May of last year, and while I do not personally have anything to substantiate those claims, there are some considerations that make it increasingly likely that such code was present in Pocket Mechanic, at least prior to version 1.51 (the current version).
Beyond the fact that users have posted instructions on how to initiate the hard reset with a pirated key, the developer himself has worsened the situation by avoiding the issue and refusing to outright deny that such code has existed. If he had outright apologized and admitted that the code had existed, and removed it, I doubt such a controversy would be erupting. Instead he claims that this is an “organized attack” and attempts to address some of the issues (you can read the entire thread above, but I’m taking select quotes here):
2. An entry of an invalid serial number won’t cause the device to hard-reset. Everybody can check this pretty easily.
Note the use of the word invalid, not illegal or pirated. One would hope that simply mistyping your valid key wouldn’t result in a hard reset; that would be an awful punishment for hitting the wrong key on a soft input panel.
One user posed a question to him, to which he responded promptly:
Anton, just to clarify this and to avoid any misunderstanding: can you guarantee that there is not - and has never been - any malicious code in Pocket Mechanic that would under any circumstances hard-reset my device without a warning?
His response:
Yes, I do confirm that there is no such code (and I am speaking of the latest version 1.51).
Well, that should settle it, should it not? No, of course, because he only addresses “the latest version,” which was “last updated” on February 3rd - after other outlets had disclosed his practices. And even then, there’s something a bit more damning, because in his reply he also quotes the original question:
Anton, just to clarify this and to avoid any misunderstanding: can you guarantee that there is no malicious code in Pocket Mechanic that would under any circumstances hard-reset my device without a warning?
Nice try, except I notice that the whole bit about “has never been” was removed somehow. This is pointed out later in the thread as well, except the developer refuses to acknowledge those who call him out on it or to clarify his statement. I also credit one of the posters in this thread for mentioning the Goetz case; it does bolster the point.
But back to the core subject: when does a developer take anti-piracy measures too far?
Regardless of where exactly you draw the line, I don’t believe that deleting files owned by the user in question is acceptable, be they in the home directory or anywhere on that user’s Pocket PC. Piracy is not ethical, but neither are a variety of other still-somewhat-minor crimes. Shooting someone who is about to kill me is acceptable; shooting someone for trying to take $5 from me is not. If you want to delete things to stop piracy, delete your own program. Assuming you subscribe to the reasoning that buying a software product in reality is just buying a license to use a copy of the software, the product is still your property and you have the right to prevent this user from using your software illegally.
That’s where your right to stop its use ends, however. Deleting the program itself is all that is necessary to stop the end user from using your program illegally. Anything beyond that is morally wrong and frankly worse than what the pirate is doing. The bottom line is that you do not own anything on that device aside from your software, and by erasing the device’s contents you are not only deleting the property of the end user, but you may be destroying the property of third parties who are not involved in the piracy at all, be they mere owners of other software on the device or even other individuals who have their legitimate property also on that device.
Even if you justify the deletion of a user’s data, doing so requires that one make several assumptions. One must assume at least that the user is knowingly installing pirated software, and that the user has full ownership of whatever you intend to delete. Consider the user who asks someone else to install a program on their computer that fits such-and-such a purpose. Someone else chooses a program, which happens to contain malicious code. If this third party is not entirely truthful, he may decide to install a pirated version without the knowledge or consent of the owner of the data. Thus JoeUser, non-infringer, loses all of the pictures he’s taken over the past three years because he trusted another person to find a program to suit some purpose. JoeUser knew not that pirated software was being installed on his system, and the someone else in this instance did not have ownership of JoeUser’s home directory. What lesson is being learned here? All of this assumes, even then, that there is no chance that a user’s legitimate key may be marked as pirated, or that a typo cannot result in a key being marked pirated, or that the code checking for pirated keys isn’t in some way bugged.
Another assumption one would presumably make is that the software is indeed being installed without the developer having been paid. But this makes no consideration for those who do legitimately own the software in question, but for one reason or another cannot access their registration key or the original software and thus - reasonably so - decide to obtain a key to make the software that they have paid for work. Perhaps this behavior is not legally sound, but I venture to guess that it’s not the goal of most developers to alienate their paying customer base for looking for such a workaround.
Perhaps, again, this is an incorrect assumption. The mere backlash from implementing such code has been enough to remove the code from the aforementioned products, although the kinds of cover-ups that seem to be going on are far from PR-friendly. Independent software developers aren’t the kinds of people, though, who can afford to continue business and simultaneously piss off half of their user base. The kind of trust that is needed between independent developers and end users is delicate, and implementing such code while refusing to come clean as to where it’s been (or currently is) present after you’ve been found out, or failing to alert legitimate users as to what kinds of protections you are putting in place on their software (something that certainly shouldn’t be objectionable if they’re paying customers, right?) simply goes leaps and bounds to destroy that trust. I appreciate how commercial developers rely on sales to put food on their tables, but taking the law into your own hands simply can’t be justified, and I’m not alone in saying I’ll consciously avoid any software that has such tactics.
Let’s face it, how much are you actually losing in sales again? It’s somewhat cruel to consider, but most of the 13 year olds who think they’re cool for getting Photoshop to run without paying for it aren’t costing Adobe a dime. Even then, the goal of a developer should be to prevent piracy, not to punish those who pirate excessively after the fact. It’s the same reason one would post a “Guard Dog on Duty” sign outside their property - the goal is to avoid confrontation with a burglar, not punish them for blindly trying to trespass in the first place. I’m willing to bet that there are more lost sales in all of this avoiding-the-issue business than in actual sales lost to piracy in this whole case.
This is why, of course, such behavior is downright deplorable. It turns out that Pocket Mechanic isn’t the worst case of reactions to piracy gone wrong. Another developer of a popular program (Tweaks2k2) said that while his program doesn’t contain any sort of hidden trigger for pirates:
Yes, I released in WAREZ and P2P sites a version of that key generator that asked users to copy the file into my program folder and run it from there and then it triggered a Hard Reset. Can anyone tell me that an honest, legal user could run that file by mistake?
Source
So other developers find it acceptable to actually circulate fake program crackers, which instead initiate a hard reset.
It’s the plaintiff taking the role of judge and jury, and imposing punitive damages on the accused - not even the guilty.
There are, of course, other interesting facets of this discussion. One is how binding the EULA of a product can be, and whether a section that says the product may intentionally delete a user’s data is even enforceable. Another is the question of why, exactly, it is so easy for a program to delete a user’s home directory, or - more specifically - to hard reset a user’s device without any sort of user intervention. All of these are certainly worthy of discussion, which is part of why a discussion on developer’s rights and piracy is compelling.
So what are your views on piracy and software developer vigilantes? Should such tactics be used more often? Do they go too far? Who’s at fault? How should developers try to stop piracy?