Software Distribution and Licensing over the Internet

28 Oct 2001 13:22



There are many ways to deter software piracy.  In the early days of personal computers, vendors made it difficult to copy floppy disks using a variety of hardware-dependent strategies.  Copy protection was effective but it angered paying customers.  The next approach involved shipping software on CD-ROM.  The contents of CDs couldn't fit on a floppy disk and, better yet, CD writers were prohibitively expensive.

Today, software vendors increasingly deliver their products over the Internet.  This trend will only accelerate as bandwidth increases.  The Internet poses new challenges with regard to software piracy.  This document investigates the most popular piracy deterrents in use. 

The Internet

The Internet is a relatively new technology.  However, shareware has been around for a long time.  Today's Internet-delivered applications have the same challenges as yesterday's shareware.  Shareware authors invented several clever solutions which will be described later in this paper.

How does the Internet change things?  In fact, the Internet is not all bad.  The Internet brings two new exciting capabilities to the table:

  1. Electronic distribution

    Software can be located and downloaded virtually instantaneously over the Internet.  Vendors can reach their customers directly via search engines, www.shareware.com, etc.  Previously, shareware vendors had to rely on external distribution channels, such as PC magazines, mail-order software companies, or local computer user groups.

  2. Electronic payment

    Software can be purchased online.  Payment is quick and easy, resulting in more sales.  After all, most people are lazy and don't want to write checks and lick envelopes.

The first item, electronic distribution, makes the Internet a pirate's dream.  Electronic distribution is cheap, easy, and fast.  Furthermore, thanks to search engines, pirates can conspire in great numbers yet operate in relative secrecy.  Cracks, keys, codes, and secret URLs are all just a search away.

Secret URL

Software is available via a "secret" URL.  Customers must purchase software before the URL is revealed to them.  Typically the customer initiates an online credit card transaction and upon successful completion their browser is redirected to this URL.  This solution is not very effective because the software can be easily acquired as long as you know the URL.  URLs can be posted on pirate sites around the world and located easily via search engines.

Protected Download

Protected download is similar to a secret URL.  Only paying customers can download software.

Protected download is implemented as follows:

  1. The user starts the browser, visits a particular web page, and initiates an online credit card transaction
  2. Upon success of the transaction, the server's database is updated to allow the user to download the file
  3. The user clicks on an icon called "download now" (for example)
  4. The browser initiates an HTTP POST (submit) back to the server
  5. The server identifies the user, either through cookies, the URL, or hidden form fields
  6. The server looks up the user's credentials in a database
  7. If the credentials don't allow the file to be accessed, HTML is sent back to the browser indicating invalid access and asking whether the user wants to purchase the software
  8. If the credentials allow the user to download the file, the file is returned in the HTTP response.  The mime-type of the response is application/octet-stream (or something similar).  The mime-type is contained in the HTTP header.  See http://whatis.com/mime.htm
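The server side of steps 5 to 8, as an added example that is not part of the original document. The table layout, the session tokens, the product name and the 403 status code are assumptions chosen for illustration, and the sample data is constructed.

```python
import sqlite3

# Constructed sample data: user 1 has paid for the product, user 2 has not.
FILES = {"editor-1.0": b"constructed installer bytes"}

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id INTEGER)")
    db.execute("CREATE TABLE purchases (user_id INTEGER, product TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)",
                   [("tok-alice", 1), ("tok-bob", 2)])
    db.execute("INSERT INTO purchases VALUES (1, 'editor-1.0')")
    return db

def handle_download(db, session_token, product):
    """Steps 5-8 of the list: returns (status, headers, body)."""
    # Step 5: identify the user from the cookie value (parameterized query,
    # so a crafted token cannot alter the SQL).
    row = db.execute("SELECT user_id FROM sessions WHERE token = ?",
                     (session_token,)).fetchone()
    # Step 6: look up what that user has paid for.
    paid = row is not None and db.execute(
        "SELECT 1 FROM purchases WHERE user_id = ? AND product = ?",
        (row[0], product)).fetchone() is not None
    if not paid or product not in FILES:
        # Step 7: refuse and offer the purchase page instead.
        body = b"<html><body>Invalid access. Purchase this software?</body></html>"
        return 403, {"Content-Type": "text/html"}, body
    # Step 8: return the file itself with a binary mime-type.
    data = FILES[product]
    return 200, {"Content-Type": "application/octet-stream",
                 "Content-Disposition": 'attachment; filename="%s.bin"' % product,
                 "Content-Length": str(len(data))}, data

if __name__ == "__main__":
    db = make_db()
    for tok in ("tok-alice", "tok-bob", "' OR '1'='1"):
        print(tok, handle_download(db, tok, "editor-1.0")[0])
```

The entitlement check runs on every request, so knowing the download URL alone is not enough; the file itself is still unprotected once it has been delivered.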

Secret URL and Protected Download suffer the same problem.  Once someone receives the software, they can give it to someone, post it to the Internet, or install it on multiple computers in violation of the license agreement.

Evals and Access Keys

Some vendors don't restrict access to their software.  Products can be downloaded freely and copying is encouraged.  However, the software functions only during an "evaluation period" which is typically one month.  After the evaluation period expires, the product stops functioning until the software is purchased.

Some products never stop functioning but instead display an annoying reminder every time the program is run.  The logic is that people are generally good but forgetful.  Needless to say, this is an ineffective strategy because while most computer users are "good," they are willing to put up with an annoying pop-up window in order to use software for free.

Some installation programs require a valid key to be entered.  Unless a valid key is entered, the software won't install.  This is just a variation on the eval model in which there is no evaluation period.  This type of model is much easier to develop because no lock/unlock logic needs to be written.

Typically, keys can be purchased via an online credit card transaction.  An email is sent to the buyer containing an access key which unlocks the software.  There are several flavors of access keys.  Some keys are actually executable programs.  This prevents the key from being posted to web sites as text, but that can be easily thwarted -- just post the executable on the web site instead.

Access keys can support a variety of licenses - "single user license", "single computer license", or "site license."  Some of these licenses are enforced via complex software but most rely on the customer's good will.  Keys can be generated from the user's name and computer name, which allows the key to only work on a particular computer when only a certain user is logged in.  Generated keys are quite effective for single-computer licenses.

Like all forms of piracy protection, access keys can be circumvented.  Once someone posts a key on a pirate web site, anyone can use the software for free.  The computer's clock can be rolled back.  Some applications can detect this and refuse to function (if current_time is_less_than last_time_the_app_was_shut_down then refuse_access).  The software can be reinstalled, restarting the evaluation period.  Some applications leave timestamps hidden in the registry or obscure files even after they have been uninstalled.  Generated keys are often thwarted by "cracks" which are rogue programs that generate the keys.  Simple key generation algorithms are easily thwarted as long as someone is willing to spend the time writing a crack.

Serial Number

This strategy involves generating a unique serial number each time the application is installed.  The customer presents the serial number when requesting an access key.  The access key is generated using the serial number and only works on software that has the provided serial number.  The key will not work if the software is reinstalled or is installed on another machine.

Serial numbers are very effective at deterring piracy.  Serial numbers practically guarantee one valid license per machine.  However, they tend to frustrate customers, because each software installation requires a new key, which will cost the customer time and possibly an additional license fee.

Expiring Access Key

The strategies presented thus far don't require an Internet connection to install the software or "unlock" it.  Expiring access keys rely on an Internet connection.  At product registration time, the software contacts a server over the Internet to validate the key.  Once the software has been registered, the key becomes invalid so no one else can re-use the key.  Keys can also expire after a fixed amount of time in case the software is never registered.
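A server-side sketch of the registration check just described, added here as an example and not taken from the original document. It also binds the key to the installation's serial number from the previous section; the class name, the key format, the one-hour lifetime used in the demo and the retry rule for the same installation are assumptions.

```python
import secrets
import time

class KeyRegistry:
    """In-memory store of one-time access keys (a real server would persist this)."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds          # how long an unregistered key stays valid
        self.clock = clock              # injectable so expiry can be tested
        self.keys = {}                  # key -> {"issued": t, "serial": str or None}

    def issue(self):
        """Called after a successful purchase; the key is e-mailed to the buyer."""
        key = secrets.token_hex(10).upper()
        self.keys[key] = {"issued": self.clock(), "serial": None}
        return key

    def register(self, key, serial):
        """Called by the product at registration time. Returns (ok, reason)."""
        rec = self.keys.get(key)
        if rec is None:
            return False, "unknown key"
        if rec["serial"] is not None:
            # A retry from the same installation (e.g. the reply was lost)
            # succeeds; a key copied to any other installation does not.
            if rec["serial"] == serial:
                return True, "already registered to this installation"
            return False, "key already used"
        if self.clock() - rec["issued"] > self.ttl:
            return False, "key expired"
        rec["serial"] = serial          # the key is now spent
        return True, "registered"

if __name__ == "__main__":
    now = [0.0]                          # constructed clock for the demo
    reg = KeyRegistry(ttl_seconds=3600, clock=lambda: now[0])
    key = reg.issue()
    print(reg.register(key, "SN-1001"))  # first use succeeds
    print(reg.register(key, "SN-2002"))  # posted key reused elsewhere fails
```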

Expiring access keys require a non-trivial amount of client and server development effort.  They also require some sort of technical support to distribute new keys, for example when the customer upgrades his machine.  Many customers will become frustrated with this scheme because their keys may expire prematurely or they might not have an active Internet connection when installing the software.  Furthermore, this solution must work for customers that sit behind a firewall.

On the other hand, expiring access keys are an effective deterrent against piracy.  Under this scheme, there is no such thing as an "illegal" copy of the software.  Because keys expire, the damage caused by posting them to pirate web sites is greatly diminished.

Expiring access keys could be augmented with additional strategies to protect the vendor from misuse.  For example, X.500 digital certificates could be used to authenticate the customer.  However, certificates represent a usability problem as most people in the world don't have a certificate and probably never will, at least until smart cards and smart card readers become prevalent.  Furthermore the additional effort required to build such a solution is not trivial.

Network License Server

License servers provide a way to license software to a set of computers or users at once.  A "floating" license of, say, 10 instances lets at most 10 copies of the software run simultaneously on any machine within the enterprise.  Network license servers keep track of who is using software and when.  They enforce that a valid license exists for each execution of an application, so the software can be freely distributed on the Internet.

License servers represent the only technology described in this document that can enforce per-user licensing.  All other schemes in this document only implement per-machine licensing.  License servers are least susceptible to piracy and inadvertent misuse.

End-users generally like server-based licensing, at least when it works.  License servers allow software to be installed on client machines with no hassles -- no license keys to enter, etc.  From an IT perspective, license servers require installation and maintenance.  If the license server goes down, applications cannot be started, resulting in a flurry of support calls.  Therefore IT generally doesn't like software that requires a license server to be installed in-house.

All computers require a fast, reliable connection to the license server.  Off-line strategies can be implemented for applications that use license servers.  Applications can permit access as long as a certain period of time has not elapsed since the last time the license server was contacted.  Granted, this is not a fool-proof scheme.  For instance, the system's clock could be turned back, which would allow the application to be used illegally indefinitely.
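The off-line allowance above, combined with the clock-rollback test mentioned under access keys, as an added example that is not from the original document. The seven-day grace period, the state layout and the MAC key are assumptions; the key value is a constructed placeholder.

```python
import hashlib
import hmac
import json

GRACE_SECONDS = 7 * 24 * 3600        # assumed off-line allowance
STATE_KEY = b"constructed-demo-key"  # placeholder; a key stored on the client can
                                     # be extracted, so the MAC only raises the bar

def seal(state):
    """Serialize the state with a MAC so hand-edited timestamps are detected."""
    body = json.dumps(state, sort_keys=True)
    tag = hmac.new(STATE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def unseal(blob):
    body, _, tag = blob.rpartition(".")
    want = hmac.new(STATE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(tag, want) else None

def record_server_contact(now):
    """Store this after every successful exchange with the license server."""
    return seal({"last_server_contact": now, "last_seen": now})

def check_offline(blob, now):
    """Return (allowed, reason, new_blob); `now` is the local clock reading."""
    state = unseal(blob)
    if state is None:
        return False, "state tampered", blob
    if now < state["last_seen"]:
        # The rule from the text: current time is earlier than the last run.
        return False, "clock rolled back", blob
    if now - state["last_server_contact"] > GRACE_SECONDS:
        return False, "grace period over", blob
    state["last_seen"] = now         # ratchet forward on every successful run
    return True, "ok", seal(state)

if __name__ == "__main__":
    t0 = 1_000_000                   # constructed timestamps
    blob = record_server_contact(t0)
    ok, reason, blob = check_offline(blob, t0 + 3600)
    print(ok, reason)
    print(check_offline(blob, t0 + 10)[:2])   # clock set back after the last run
```

Deleting the state file or restoring an old copy still defeats this check, which matches the text's point that the scheme is not fool-proof.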

Some license servers work over the Internet.  Internet-based licensing eliminates the installation and maintenance that IT would otherwise have to endure.  Distributing licenses over the Internet is still a hard problem.  When an application registers itself with the license server, the license server must authenticate the application's user.  User identity is difficult to represent and even harder to protect against misuse and theft.

License servers are very difficult to write from scratch.  Unexpected application termination should not result in "lost" licenses.  Modern operating systems should perform this role, but as of yet, they still don't.  It's inevitable that a company will take the initiative and offer an Internet-based software licensing service, complete with auditing and billing, because such an undertaking is no small matter.  Software licensing will be offered to software publishers via an ASP model (Application Service Provider).
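One common way to keep a crashed client from holding a floating license forever is to grant time-limited leases that the client must renew. The following is an added example, not code from the original document; the class, its method names and the 60-second lease are assumptions.

```python
import time

class FloatingLicenseServer:
    """Grants at most `seats` concurrent leases; a lease lapses without heartbeats."""

    def __init__(self, seats, lease_seconds=60, clock=time.monotonic):
        self.seats = seats
        self.lease_seconds = lease_seconds
        self.clock = clock               # injectable so expiry can be tested
        self.leases = {}                 # client_id -> expiry time

    def _reap(self):
        """Drop leases whose holder stopped renewing (crash, lost network)."""
        now = self.clock()
        for cid in [c for c, exp in self.leases.items() if exp <= now]:
            del self.leases[cid]

    def checkout(self, client_id):
        self._reap()
        if client_id not in self.leases and len(self.leases) >= self.seats:
            return False                 # all seats in use
        self.leases[client_id] = self.clock() + self.lease_seconds
        return True

    def heartbeat(self, client_id):
        self._reap()
        if client_id not in self.leases:
            return False                 # lease lapsed; client must check out again
        self.leases[client_id] = self.clock() + self.lease_seconds
        return True

    def checkin(self, client_id):
        """Clean shutdown: the seat is free immediately."""
        return self.leases.pop(client_id, None) is not None

    def in_use(self):
        self._reap()
        return len(self.leases)

if __name__ == "__main__":
    now = [0.0]                          # constructed clock for the demo
    srv = FloatingLicenseServer(seats=2, clock=lambda: now[0])
    print(srv.checkout("a"), srv.checkout("b"), srv.checkout("c"))
    now[0] = 61                          # "a" and "b" both stopped renewing
    print(srv.checkout("c"), srv.in_use())
```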

A good example of a company that uses Internet-based licensing is WebEx.  Contrary to WebEx's marketing campaigns, WebEx competes with products such as PC Anywhere and Carbon Copy.  WebEx provides remote-control computer services over the Internet.  WebEx doesn't provide all the functionality of the more mature products on the market, but it does a pretty good job.

A network-based licensing model makes sense for WebEx because the software is useless without a network connection.  WebEx's licensing scheme ensures that the remote computers and the computers controlling them all have a valid license.  Temporary evaluation licenses can even be granted to prospective customers.  WebEx's model provides a hyper-constant revenue stream compared to traditional off-the-shelf, easily pirated software such as PC Anywhere.

WebEx has another leg-up on its competition:  its software can be distributed over the Internet for free, no strings attached.  WebEx's software can be used for many purposes, such as software evaluations, technical support, and collaboration.  If two parties want to engage in a remote-control computer session, they just download the WebEx software, get evaluation licenses, and start working together.  Try asking someone to install PC Anywhere on their machine.  It's easy to get started with WebEx and therefore it's easier for WebEx to turn prospects into revenue.  If Windows Terminal Services wasn't enough competition, now companies like Symantec have to battle an ASP.

Summary

The following table summarizes the strategies given various criteria.  The numbers in a given column are relative.  The larger the number, the more the strategy fits the criteria. 

| Strategy | Overall Rating | Protection to Publisher | Publisher's Support Burden | Difficulty to Implement | Works Offline? | Customer Satisfaction |
|---|---|---|---|---|---|---|
| Expiring Key | 7 | 7 - Even if keys are illegally distributed, they will expire, minimizing the damage | 5 - Customer calls when reinstalling & finds that license expired | 10 - Client and server solution | Yes | 7 - customers are annoyed by the license restrictions and required Internet connection at install time |
| Internet License Server | 6 | 10 | 5 - Customer calls to add licenses | 100 - Requires client/server programming, expensive if bought off the shelf | No | 8 - No offline option, and reserving a license can be slow |
| Serial Number | 5 | 8 | 5 - Customer calls when re-installing | 4 - Client only solution | Yes | 6 - Customers can't install on home and work machines |
| Eval / Key | 5 | 5 - Keys are easily posted to warez sites, but key is tied to a credit card, therefore revealing the identity of the poster | 2 - Customer only calls when license key is lost | 4 - Client only solution | Yes | 8 - customers like the fact that the software is encouraged to be copied and like "try before you buy" |
| Protected download | 2 | 1 - Passwords easily posted to warez sites | 1 | 5 - Requires user database | Yes | 10 |
| Enterprise License Server | 2 | 10 | 5 - Customer calls to add licenses | 100 - Requires client/server programming, expensive if bought off the shelf | No | 1 - License server is too much of a burden |
| Secret URL | 1 | 1 - URL is easily posted to warez sites | 1 | 1 | Yes | 10 |

There's a fine balance between the author's protection and customer satisfaction.  They seem mutually exclusive, but they don't have to be.  Most customers are reasonable enough to understand that if they don't pay for software, high-quality applications will eventually cease to exist.  Not everyone is a pirate.

Internet-based licensing is the most promising technology, although the required network connection doesn't make it a viable solution for all types of software.  ASP-based licensing services look like a lucrative market as long as there are only a few major players.  ASP-based authentication, auditing, and billing services could be used by traditional applications as well as modern web-based XML services.  License servers offer new possibilities.  Usage can be tracked in order to help understand how applications are used, although this will no doubt cause a privacy uproar.  Secondly, new billing options can be offered to customers, such as monthly, weekly, or per-minute usage rates.

Expiring access keys offer the best strategy for per-machine licensing for software that must be usable while off-line.  Expiring keys provide the happy medium between customers' and vendors' concerns.  It's not too preposterous to assume that customers can easily establish a connection to the Internet in order to register their software.  Augmenting this solution with additional piracy-deterrent strategies will result in diminishing returns.  The registration process should be fast, easy, and simple.  The customer should only be prompted to enter the registration key.  The registration process should not require the customer's name, address, phone number, etc., because this will likely introduce privacy concerns.

Finally, another substantial aspect of software distribution has not been discussed:  upgrades.  Are upgrades free?  Do old keys work with new versions?  How are upgrades distributed?  These are hard questions.  Once again, Internet-based license servers offer some solutions.  If an author wants to charge for an upgrade, the license server can verify the application's version number.  Server-based solutions will always provide the most functionality, albeit at the loss (or partial loss) of off-line operation.