Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Shakedown: How the Business Software Alliance Operates 954

An anonymous source writes: "I'm a faculty member at a public university which the Business Software Alliance contacted in a bulk mailing last Fall. Stupidly, our IT department invited them in to 'explain' licensing to us, and now we are trying to fend off an audit on our computers (public and private). Two questions: what kind of leverage does the BSA actually have against us? And does anyone have war stories, successful or otherwise, of their encounters with the BSA?" Although Slashdot is running this story as from an anonymous reader, we have contacted the source and believe the story is factual and the appeal for help is real. Consider this Slashdot's contribution to National Copyright Awareness Week.

The source continues: "The report that the BSA gave to our administration was filled with scary stories about other schools who tried to resist, so unless there's some hard evidence to the contrary I suspect our university will just roll over. We were told that:

  • auditing software *will* be installed on every campus machine;
  • the license for every program, on every machine, must be produced upon demand;
  • failure to produce licenses for all commercial or shareware software will constitute prima facie evidence of illegal possession, with penalties that could range from the confiscation of the machine to the firing of the user;
  • and this includes computers *personally* owned by faculty."
This discussion has been archived. No new comments can be posted.

Shakedown: How the Business Software Alliance Operates

Comments Filter:
  • by Clay Mitchell ( 43630 ) on Friday April 26, 2002 @01:28PM (#3417000) Homepage
    While I'm of course not a lawyer, but what right does this organization have to come in and put anything on the computers that are privately owned? I think they are trying to make you THINK that they have right and you'll give them the go ahead because they've convinced you they do... while in reality you could tell them to go to hell and they couldn't do a thing about it.
    • by Anonymous Coward on Friday April 26, 2002 @01:57PM (#3417229)

      The Register's article BSA deploys imaginary pirate software detector vans [theregister.co.uk] explains everything.

      - Toby Inkster

      • by dattaway ( 3088 )
        Looks like the BSA is taking lessons from Scientologists.
    • by Anonymous Coward on Friday April 26, 2002 @03:18PM (#3417843)
      Their audit software is called GASP and it's not available for Non-Windows or Non-Mac users. Darn!


      Check it out, they have an EULA for GASP... I guess they'll want to see the EULA for each machine they install it on too.
      http://www.bsa.org/usa/freetools/gasp/gasp_c .phtml
  • by morhoj ( 573833 ) on Friday April 26, 2002 @01:28PM (#3417005)
    Perhaps I'm not 100% informed in what the BSA does, but how can they just march in and start installing software and demanding licensing documentation? They are not a government organization, right? It looks like they operate Internationally, so where do they get their jurisdiction to start making demands?
    • by bstrahm ( 241685 ) on Friday April 26, 2002 @01:34PM (#3417046) Homepage
      That is very simple... The legal system. I am a private organization/person. I want you to do something - I simply say Do it, or I will get a court to make you do it, and by the way it will cost you a lot of money cause you will have to pay your lawyers, my lawyers, and the damages

      If you aren't breaking any licencing agreements, it just costs money to fight... But much like speeding - No large organization is perfect and someone, somewhere, will have some software that the licensing documentation isn't perfect on... The BSA is willing to bet for that (So you have to pay their legal bills, discovery, etc) are you willing to bet against it ???

      • by ergo98 ( 9391 ) on Friday April 26, 2002 @01:50PM (#3417170) Homepage Journal
        That's called barratry [dictionary.com] and it's actually illegal: If you threaten groundless legal action to blackmail or intimidate, you are abusing the legal system in an unsavoury way and I believe in most Western nations you can face criminal or civil punishment.
        • by sphealey ( 2855 ) on Friday April 26, 2002 @01:55PM (#3417216)
          That's called barratry [dictionary.com] and it's actually illegal: If you threaten groundless legal action to blackmail or intimidate, you are abusing the legal system in an unsavoury way and I believe in most Western nations you can face criminal or civil punishment.
          In theory, yes.

          In practice, if such laws were enforced, the amount of work for lawyers and judges to do would drop drastically, and the money earned by lawyers would also go down.

          Laywers (including prosecuting attorneys) and judges decide whether or not barratry cases will be allowed. Do you spot a small conflict of interest? How do you think it will be resolved?


        • Groundless?? (Score:5, Interesting)

          by sterno ( 16320 ) on Friday April 26, 2002 @03:09PM (#3417786) Homepage
          If it were completely groundless, then yes it would be illegal. The problem here is that in these situations, there's no way for the university to 100% license everything they use. Even if they make a concerted best try effort to license everything a few licenses will slip through the cracks. The university knows this, the BSA knows this, and that is why the BSA, to the best of my knowledge, has never been challenged when these audits come up.

          Let's say on your entire campus, one license is not valid. If the BSA comes knocking at your door, you face a relatively minor penalty for that license, but then you have to pay for your legal counsel, their legal counsel, damages, the auditors, etc. The BSA knows this, and they use it to their advantage.

          Now, keep in mind here that they are suggesting a product is not legally licensed if you don't have the paperwork to proove it. Therefor, if you aren't totally pristine in keeping track of the licenses for all your software that is, in fact, 100% legitimate, you can still get screwed by the BSA. Although I do wonder how well that would stand up in court, that is, unless the BSA can proove those copies are pirated, is simply not being able to proove them legitimate enough to get you into hotwater. I'm sure their license provisions make certain statements about this, but I don't know if they would stand up in court.

          What it boils down to is that the BSA takes advatange of our legal system to extort businesses and it's about time that something was done to put an end to this. For example, I would propose that any organization that licenses software for more than say 50 computers, they should have certain protections from this sort of action. I would suggest the following protections:

          1) Provide protection for good faith effort. If your company makes a good faith effort to license your software (at least say 80% of the value of the software is legitimately licensed), then all you can be held accountable for is the cost of licenses at retail price. No damages, no attorneys fees, no auditing fees. It would still cost you the attorneys fees to fend it off, but at least the expense would be clear and reasonable. If you have more than 90% compliance, then your legal fees would be covered by the suing party (though you'd still have to pay for the licenses). Thus, there's a strong disincentive to go after an organization that's not blatantly violating the law.

          2) Receipts or other proof of software purchase should be considered valid proof of legal license. If you buy a thousand copies of a piece of software, you shouldn't have to keep track of a thousand pieces of paper. It would be impossible to proove that a piece of software is pirated, so it makes sense for the purchaser to be required to demonstrate ownership in court, but the burden of what needs to be proven should be much more reasonable.
          • Re:Groundless?? (Score:3, Informative)

            by PhotoGuy ( 189467 )
            If the BSA comes knocking at your door, you face a relatively minor penalty for that license, but then you have to pay for your legal counsel, their legal counsel, damages, the auditors, etc. The BSA knows this, and they use it to their advantage.
            IANAL, but as I understand it, here in Canada we have a great solution to frivolous lawsuits and bullying through threats of groundless lawsuits. The defendant in a lawsuit can receive (or perhaps counter-sue for?) legal fees from the agressor, when such a groundless case is lost.

            Knowing that a judge will make you pay for the defense in such a bullying lawsuit, can put a pretty quick stop to this type of unethical behaviour. And if you know you're clearly in the right and will likely win, it's worthwhile to float the legal fees until the buggers lose.
    • by AntiNorm ( 155641 ) on Friday April 26, 2002 @02:01PM (#3417265)
      They are not a government organization, right?

      Right. And this is why they CAN NOT just march in wherever they want, whenever they want, and do their raids. They CANNOT demand license documentation, they CANNOT install software, etc. without either a court order or police and a search warrant. I would do exactly what pitcrew suggested -- tell them to go to hell.

      From the article: failure to produce licenses for all commercial or shareware software will constitute prima facie evidence of illegal possession

      This, IMO, is absolute bullshit. It's like the police going through your refrigerator, making you produce receipts for every gallon of milk in there, and automatically assuming that the milk you can't account for with receipts was stolen from the local grocery store. They are assuming you to be guilty until you can prove yourself innocent. This is not the way our government works (or is supposed to work); the burden of proof is supposed to be on them, not you.
      • Actually, it's more like your neighbor going through your fridge, making you produce receipts. At least the police have legal authority in some cases (ie., drugs, stolen merchandise).
      • > I would do exactly what pitcrew suggested -- tell them to go to hell.

        A safer strategy is to pretend you didn't hear them in the first place.

        Ever send a registered letter with return receipt, and never get the return receipt? It happens, and it's because the recipient doesn't want to acknowledge the communications.

        IANAL, but it seems to me, to haul you into court requires a subpoena or a summons. Those documents require a response. Others could be ignored, as long as you don't intend to do business with the source of the noise.
    • by Waffle Iron ( 339739 ) on Friday April 26, 2002 @02:12PM (#3417340)
      but how can they just march in and start installing software and demanding licensing documentation? They are not a government organization, right?

      Maybe they interpret the U.S. Constitution thusly:

      • The government is not permitted to perform unreasonable searches and seizures.
      • All rights not expressly given to the government are reserved for the people.
      • Therefore: Private parties have the express right to perform unreasonable searches and seizures!
    • by DeputySpade ( 458056 ) on Friday April 26, 2002 @02:16PM (#3417376) Homepage Journal
      It amazes me that no matter how many times this comes up, people still don't get it. READ the EFFEN UELA! When you accept the EULA from MS, Oracle, or whatever closed min^H^H^H source software, BSA participating company you purchase from, you agree to let the copyright holder _OR_ANY_DESIGNATED_ASSIGNEE_ come in and audit your system for license violations. And as for the idea every seems to have about simply making a quick switch to OSS, DON'T! if the BSA comes back tomorrow and can't find ANY software under their jurisdiction on ANY machine, they will assume that you blew it all away to cover up the fact that you were using it illegally. They will then want you to prove that you didn't try to destroy evidence! Trust me. I've been through this before.
      • by jgerman ( 106518 ) on Friday April 26, 2002 @03:07PM (#3417763)
        The BSA has no authority in this matter EULA or no. You cannot sign away your constitutional rights. As far as making a quik change to OSS. Again, I don't care if they swear till they're blue in the face that there was un-licensed software running there yesterday, it isn't today, and that's all that matters.

        Also, they absolutely CANNOT demand to install auditting software on those machines. That's theft in my book. They are forcefully taking away my cycles.

        Furthermore, they can't attempt to enforce a EULA that they don't know you accepted. Until they audit they have no way of knowing that you have EULA covered software on your machines, until they know you have EULA protected software on your machines they have no right to audit those machines.

      • by letxa2000 ( 215841 ) on Friday April 26, 2002 @03:09PM (#3417776)
        When you accept the EULA from MS, Oracle, or whatever closed min^H^H^H source software, BSA participating company you purchase from, you agree to let the copyright holder _OR_ANY_DESIGNATED_ASSIGNEE_ come in and audit your system for license violations.

        I think it is high time these damn EULAs get properly tested in court. I have a feeling they will ultimately fail the legal test. It's absurd that you "have" to read more legalese to install a piece of software than to buy a car (assuming you pay cash). It's also absurd that you can't read the legalese until you've purchased the software, opened the packge, and many times broken a stick on the internal CD sleave that reads "Breaking this sticker indicates your acceptance of the EULA"--which you see once you install the software.

        Last I heard, ripping a sticker wasn't quite as legally binding as a signature.

        The BSA coming charging in would be a perfect opportunity to test a EULA. Unless they come with cops and a warrant, you can tell them to take a hike even if they have a signed contract (which they don't). Tell them to get a court order. They may do that and they way try to sue you: But they'd sue you for violation of a contract, not copyright infringement. You could then argue that the EULA is invalid. Aside from the issue of whether "clicking accept" forms a contract, the EULA is invalid because no contract (in the United States) is enforceable if it abdicates a recognized right of one of the parties--in this case, unreasonable search and seizure.

        You, as an adult can sign a contract that says you will never marry, that anyone can search your home and kill your sister--all three of those clauses will not be enforced by a court because they abdicate recognized rights that CANNOT be taken away by a contract. Otherwise many labor laws that protect workers would be useless since workers would just be forced to sign away their rights. You can't do it. You can't sign away your rights (well, you can, but no court will enforce them).

        I think it'd be great if a BSA-initiated conflict resulted in the definitive invalidation of EULAs! :)

      • by nolife ( 233813 ) on Friday April 26, 2002 @03:43PM (#3418015) Homepage Journal
        Can you point to a specific EULA that includes text of this nature? I can not find one. I am interested in how this is worded. I searched Microsoft with Google and MS's own internal search engine and can not find an EULA posted online. I found a eula.txt in the system32 directory on my 2000 machine at work and it mentions nothing about allowing an audit.

        General points to ponder...
        I just walked through the entire process of buying WinXP from shop.microsoft.com and NO WHERE was I given a chance, a link, or even a hint of an EULA that I would be binding too when I open the software. How could they not include this license in the buying process? There is no excuse for not making this a part of the purchasing process.

        Microsoft statements about "piracy" and license agreements [microsoft.com]

        What is the minimum amount of documentation I should keep to prove my software products are legally licensed?
        All legally licensed Microsoft products should contain an End-User License Agreement (EULA), which is your primary proof that you own a legally acquired product. However, it is also recommended that you keep the original user's manual (or at least the cover and first page of the manual), the product disks, the Certificate of Authenticity, and your purchase receipt.

        This EULA they speak of, is this a hardcopy of some sort? That seems to be all that they require. What is with the should and recommended? Sounds shaky to me.
  • First, (Score:5, Informative)

    by crumbz ( 41803 ) <<remove_spam>jus ... o spam>gmail.com> on Friday April 26, 2002 @01:30PM (#3417023) Homepage
    Contact your in-house legal department or if you don't have one, consider retaining counsel that specializes in IP (intellectual property). If they have sent you a formal inquiry in the attempt to perform an audit, forward all correspondence to your counsel. By no means allow any staff or others to contact them or respond to them directly or indirectly. At this point, all contact should be coming from your legal team.

    Good luck.
    • Actually... (Score:5, Informative)

      by SPYvSPY ( 166790 ) on Friday April 26, 2002 @01:53PM (#3417192) Homepage
      Can I recommend that you retain lawyers that are technology generalists rather than IP counsel? I am a technology lawyer, and my experience is that IP lawyers are generally quite clueless about the nitty-gritty realities of transactional technology (e.g., the character of the major vendors, typical licensing provisions, typical workarounds, typical negotiating points, non-IP leverage points, etc., etc., etc.) IP-types (who are typically litigators rather than transactional lawyers) are more likely to take a dispute-oriented approach, rather than a more creative and effective negotiated approach. YMMV.
      • by fons ( 190526 ) on Friday April 26, 2002 @02:31PM (#3417480) Homepage

        since you are a lawyer, could you answer the questions raised in the story?

        I understand you normally get paid for advice so you don't have to go into details. But some general information from someone with your expertise could be enlightening.

        • by Anonymous Coward on Friday April 26, 2002 @03:33PM (#3417945)
          The BSA is to be feared. But the BSA is nothing but a single point of contact representing the interests of a group of "the usual suspects" in the IT vendor community. No organization of the size and scope and nature of a University will be survive an audit unscathed. The key is to stay under the radar. Apparently, it's too late in this case.

          It's hard to say what rights the BSA has, since those rights will typically stem from the terms of the license agreements to which the University has agreed. Where enterprise or site licenses apply, they may or may not contain negotiated terms that vary from the off-the-shelf EULAs. If there is not a negotiated "umbrella" agreement, the click-wrap/shrink-wraps will probably govern, and I'd venture to guess that those give the vendors (and the BSA) some audit rights. However, many courts remain skeptical of the enforceability of what are known as "adhesionary" (think "overreaching") terms of a click-wrap EULA. Vendors are aware of this, as is the BSA. This diminishes the BSA's audit rights, and gives the University a foothold to prevent an audit. This is just one example of an approach to defeat this type of threat. There are *always* leverages to be exploited. Good lawyers do their homework and read all the facts and all the license terms and find a way. That's what makes them good lawyers. ;) I can't go any further, due to ethical restrictions. (I know it's annoying, but there is a good reason for those restrictions.)
  • Go open source (Score:4, Insightful)

    by Animats ( 122034 ) on Friday April 26, 2002 @01:31PM (#3417028) Homepage
    What a great time to convert to an all-open-source campus!

    Some big organization needs to do this in response to a BSA audit request.

    • Re:Go open source (Score:5, Insightful)

      by Derkec ( 463377 ) on Friday April 26, 2002 @01:54PM (#3417204)
      Yeah, that's a great plan if you don't need to use any software. Seriously, a chemistry friend of mine works on commericial software running in the 10K per seat range. No quality open source alternitive. Oh, and it runs on Windows. Language classes use language tutoring software. Graphic art classes use photoshop. Computer science runs on donated equipment. It might be hard to get Sun to keep sending you free boxen when you remove solaris from every box you get so you can go free.

      While the idea of a campus that's totally open source is cute, the idea is totally unworkable and not a feasible solution. That is the reason noone will respond this way. People spend money on software because some software is only legally available when you spend money. If I was still in high school, it would be a no-brainer to decide not to go to any school that didn't use any proprietary software.

      We'd all like free software. However, with very rare exceptions, the best (or all) software in most domains is closed. Why? Because I can't find enough chemistry people and programmers who will cooperate to make me specialized software of superb quality unless I unload a big pile of cash.

      • Re:Go open source (Score:5, Interesting)

        by Fiver-rah ( 564801 ) <slashdot@qiken.oNETBSDrg minus bsd> on Friday April 26, 2002 @02:22PM (#3417417) Homepage Journal
        Your point is taken in terms of people running Photoshop/CAD software/etc. Since a university has an obligation to train people to use commercial software, unfortunately, it may not be avoidable. But as a member of a theoretical chemistry research group which runs only Linux, I want to gripe about your Chemistry comments.

        Most of the major Chemistry commercial software out there is available to run under Linux. Sure, it ain't free. But it doesn't imply you have to run Windows to use it.

        *Gaussian runs under Linux (although they are pretty draconian about licensing in their own rights).
        *QChem runs under Linux (hell, Martin Head-Gordon's research group only has one Windows box, and they only use it for the occasional PowerPoint presentation).
        *CHARMM runs under Linux.

        Furthermore most of the major commercial chemistry packages don't contract out with the BSA. Most of the people I know in theoretical chemistry don't run Windows. Why? Because if your jobs take months to run, you sure as hell don't want an uptime that is order days. Sure, you can't go totally open source (yet). But you can evade the juggernaut.

        And for reference purposes, the next generation of theoretical chemists is pretty geek-happy. Give us another twenty years, and I'm sure you'll start seeing GPLed versions of molecular modeling programs. Hey, I'd consider doing it. The point of all this is that you *can* do things in stages. You can run whatever commercial software you want, scientifically, under Linux. And it's only going to get better. Why? Well, I know people who have license credits on Gaussian/QChem. And you know where they get their thrills? It sure ain't from the royalty check. It's from the fact that *everyone* who uses their software cites them in their articles. Citations are power in the academic world. Money is nothing.

        • Re:Go open source (Score:4, Insightful)

          by Paul Komarek ( 794 ) <komarek.paul@gmail.com> on Friday April 26, 2002 @03:11PM (#3417797) Homepage
          Personal nitpick: Universities have *no* obligation to train people for any particular application. Universities have an obligation to teach people how to *think*. Technical/vocational training is where a person can pay to learn particular programs. This is *not* the role of a university.

          Wow, I *am* sensitive about this! =-)

          -Paul Komarek
        • Re:Go open source (Score:3, Insightful)

          by MrResistor ( 120588 )
          I have to disagree with this statement:

          a university has an obligation to train people to use commercial software

          Unless the student takes a class to specifically learn to use a particular piece of software the school is under absolutely no obligation to train them on commercial software, and in fact I would argue that the school is doing the student a disservice if the do so.

          For example; when I take a class in C++ I expect to be taught the C++ language, and the skills I learn in that class should be portable to whatever environment I then choose to use. If I'm forced to use only MS VisualC++ when I would prefer to use Borland Builder or vi/gcc my education is being limited. I'm not suggesting that the school should be forced to provide me with alternatives, merely that I shouldn't be restricted from using them if I so desire.

          It comes down to this; the business of the University is education, the teaching of concepts which can be applied within the given field regardless of the tools available. Training on a particular tool is process-oriented job training, best left to trade schools or employers.

          Now, obviously, there are situations where this doesn't apply. If I'm taking a class in Visual Basic I'm going to use MS Visual Basic because it's the only game in town. I imagine that's likely the case with some highly specialized scientific software as well. However, I would still argue that the university has no obligation to train the student on that particular software, but rather the obligation is to teach the student what they need to know in order to understand and interpret what that software does. I was never trained in using Mathematica, but I was taught enough algebra and calculus that I figured out how to use it, and how to interpret the results it gave me, without too much difficulty.

          Anyway, I don't want this to seem like a flame. Other than that one point I wholeheartedly agree with you and find the examples you give encouraging.

          On the CAD front, rumor has it (rumors are treason. Trust the Computer) that Pro-Engineer runs on Linux. I haven't verified that, though. I suspect AutoCAD might also as they used to have a Unix version, though I'm not sure if they still do. If you're just doing 2D CAD I hear QCAD is a viable alternative.

          All the graphics folks I know swear by Photoshop of course (except one, who prefers Corel for some reason), but I suspect it's largely because that's what they were taught. I admit that I am not a graphics guy, but the GIMP seems perfectly capable to me.

  • Beware (Score:5, Interesting)

    by dreamchaser ( 49529 ) on Friday April 26, 2002 @01:31PM (#3417030) Homepage Journal
    Once the BSA has its sights set on an organization, then that organization had better have either the licenses or the money to pony up FAST to buy them. I have seen cases where the BSA isn't satisfied with responses and comes back with Federal agents (yes, guys armed with subpoenas and guns.)

    If you are reasonably sure that your licensing is OK, then you could probably stave them off. It would be a unique Uni that licenses all of the software being used though, based on my experiences.

    Basically, you are screwed if you a) don't comply with them and b) don't have your licensing in order.
    • Re:Beware (Score:3, Interesting)

      I'm sorry but FSCK THAT!!!

      If I word for an orginization (University, corporation) I am NOT going to allow some orginization to TOUCH my PERSONAL computer!!!

      I don't copy software from my work but it is NONE OF THE BSA'S BUSINESS what I have on my computer (I don't pirate software either).

      I think the BSA's demand to see the faculties computers is OUTRAGOUS!!!
    • Re:Beware (Score:3, Insightful)

      by lildogie ( 54998 )
      >I have seen cases where the BSA isn't satisfied with responses and comes back with Federal agents (yes, guys armed with subpoenas and guns.)
      > Basically, you are screwed if you a) don't comply with them and b) don't have your licensing in order.

      If you're remotely close to satisfying (a) and (b), find a lawyer who can say the word "racketeering."

      Treble damages.
  • by Aiku1337 ( 551438 ) on Friday April 26, 2002 @01:32PM (#3417037)
    and this includes computers *personally* owned by faculty."

    Why should an organization be peanalized for personally owned computers? Yes, IT can set rules and what not but how many users actually follow IT rules?

    Note to self, don't bring laptop to work if company is being audited by gestapo...err, BSA.

  • As a CIO myself... (Score:5, Insightful)

    by Argyle ( 25623 ) on Friday April 26, 2002 @01:35PM (#3417053) Homepage Journal
    I would suggest that you 'lawyer up'.

    You absolutely need your legal counsel involved in this. An IT department is generally unsuited to handle these type of business/legal affairs.

    By sucking in the legal folks you turn it from an IT problem to a 'university as a whole' problem.

    Do not let them strong arm you into anything. Play hardball. Tell them you are doing an internal review that could take months.

    Remember, they will be very reluctant to force the issue into a courtroom. It is very bad PR for them to take an impoverished college to court. A jury would be filled with people who all have 'unlicensed' software on their home PCs.

    But in the end, you will have to make a reasonable effort to be in compliance and generally pay for the software you use. That, my friend, will be unavoidable. Unless, you switch IT platforms to a free or close-to-free software environment.

    Good luck.
    • by dschuetz ( 10924 ) <david@d a s net.org> on Friday April 26, 2002 @03:08PM (#3417767)
      The CIO here is absolutely right -- talk to your lawyers, and above all, do what they tell you. I don't need to describe what the career path might be for someone who ignores the lawyers and opens their employer to a million-dollar settlement.

      I had some thoughts about all this while out getting lunch, and now that I've posted my idealogical rant about "innocent until proven guilty" obviously not applying in the civil world, I'll try to be, like, constructive for a moment.

      First, any lawyer (and most of the posters here today) is going to tell you that it's cheaper to simply buy all new licenses (or whatever the BSA is demanding). Rifle every likely file cabinet for existing licenes, then buy the difference. Either way, you still need to do your own audit.

      On the other hand, if you're at a school with a strong reputation, lots of prestige, and even more money, and if your president believes there's a moral victory worth fighting (and paying) for, then I have some thoughts that I at least find intriguing:
      • An early response might be "Oh, wow, this could be bad. Okay, we'll work with you. Here's how we'll do it. Here's exactly how we'll do it. And it'll take some time. But we'll be with you all the way, show you what we've done, give you monthly updates, etc." Look for documentation on your internal hardware inventory process (I'm sure you've got one, when I worked at UMCP I had my PC inventoried by like 5 different departments in one year), and use that as a starting point to justify the length of time you're expecting the audit to take. [I think this is the best response, since, ultimately, you'll probably need to do an audit eventually, anyway. Cooporate, but on your own terms.]
      • Refuse (in legal terms) to deal with BSA. You haven't got any software from BSA (you can't, they don't sell software). Offer to deal with Microsoft, if they send you a letter from their legal team on their letterhead.
      • Agree to do an audit, but only if BSA pays for it, on a time and materials basis. Present them with a nicely-detailed starting point for the process of actually doing the audit, how long it'll take (see above), how many people it'll take, and how much it'll cost. Tell them that you're pretty sure you're in compliance, but if they want to force an audit, they'll have to pay for it. This is an extension of the comment above, and might be the 'best' out in that you get them to foot the bill. It'd be a victory for both sides, more or less.
      • Ask them why they've come to your university. Have they had an anonymous tip? Did they see people selling university-stamped materials on eBay? If they simply say that, stastically, there's "probably" piracy happening here, require better justification before you spend any more time with them.
      • Require them to limit the scope of the search. If their tip came from someone in the Sociology department, limit the audit to only those machines in that department. If they got a tip that "everyone here is copying MS-Office," limit the audit to only look for the most recent version of MS-Office.
      • If you've gotten this far, then they're probably going to a judge. Ensure that your school is represented at the hearing for the subpoena they'll use to force you to audit. Try to cast the situation in the same light as a search warrant: Police need a specific warrant for a search, showing just cause for the search, and specific targets to be searched, and specific items to search for. No cause, often, no warrant, in my understanding.
      • Or get it to be treated just like a subpoena for a deposition -- with specific areas of discovery outlined. No judge (I think) would issue a subpoena for a deposition that says "go talk to this guy and ask him anything you want." Instead, the lawers are required to stick to a narrowly-defined scope of questions that directly pertain to some particular action. Try to get the judge to see a parallel between that situation and the BSA audit request.
      • Ultimately, maybe you can find a lawyer gutsy enough to throw RICO at 'em. Hell, this is just this side of a protection racket on behalf of Microsoft, anyway.

      Of course, my initial point still stands -- do your own audit, cheaply, and simply pay for the difference. And, most importantly, build a good system (centralized database backed up with a fire-safe holding physical license papers for the whole school) to track this stuff, and re-audit every 6 months. Or even more frequently. (client-side tracking software is obviously going to be in your future....)

      Good luck!

  • by larsu ( 473425 ) on Friday April 26, 2002 @01:35PM (#3417062)
    The BSA isn't all bad. First, haggles over license increase the total cost of ownership for commercial software, which makes free (as in speech) software more attractive.

    Second, I used them to shut down a competing software retail store once. The place was selling Microsoft OEM software off the shelf. A call each to the BSA and to Microsofts Piracy line and the place was out of business in 4 months. :)
    • by Anonymous Coward on Friday April 26, 2002 @02:21PM (#3417410)
      Everyone else replying to this called the guy a scumbag and wished him a similar fate. I would like to know something though. Just to be sure I understand this correctly isn't OEM software all marked clearly with something along the lines of "Not for resale" or "not to be sold seperatly"?

      If that's the case and I am correct in my understanding (Being right up front I might very well be mistaken) then wouldn't his competitor in all likelyhood be selling OEM copies of this software far cheaper than he could sell retail versions? Following then what's the real problem with busting someone who is undercutting you by doing something outside the lines?

      Personally I think the guy creatively used the system to smack down an unethical competitor to his own advantage assuming all of this was true of course. The other guy was trying to work the angle and got caught. Tough shit.

      I just can't find anything wrong with that.
    • by afidel ( 530433 ) on Friday April 26, 2002 @02:56PM (#3417676)
      To all those who think the parent is a bad person forturning the competitor. NO, this is exactly what the BSA SHOULD be doing, busting professional pirates, because anyone selling OEM liscensed software on retail shelfs is exactly that. OEM liscensing is a volume discount/ get em hooked pricing model, it is not meant to be bought off of retail shelves, when you get an OEM liscensed copy you are supposed to get all support from the company selling the software, not the authors, but people who buy OEM copies retail do not realize this and call the support line of the authors, not the now out of business fly by night shop they bought the software from!
  • One word (Score:5, Informative)

    by pongo000 ( 97357 ) on Friday April 26, 2002 @01:37PM (#3417072)
    ...and that word is "outrageous." If your administration does not step in and put a halt to this egregious evasion, then you can tell them I told you they are a bunch of pussies.

    Seriously: Where's the search warrant? How enforceable is a EULA with such broad contractual provisions that it forces a licensee to waive all rights to due process and freedom from illegal searches? (Before you naysayers tell me the Constitution has no bearing in this, check the facts: In many cases, BSA shows up at the doorstep with their very own law enforcement escort.)

    There is a legal concept known as "blue-lining" in which a judge has the legal authority to water down, modify, or even eliminate certain portions of a previously-agreed-upon contract. I learned about this after I found myself the unwitting signatory to a capricious and completely illegal legal document. The state recognized the document as legally binding; however, the state also found the terms of the agreement were overly-reaching, capricious, and without legal standing, effectively nullifying the contract.

    The reason why companies continue to write obviously unenforceable contracts is that they know the number of people willing to fight in court is very low. Most will simply roll over, expose their underbellies, and submit to being raped rather than fight.
  • by Fiver-rah ( 564801 ) <slashdot@qiken.oNETBSDrg minus bsd> on Friday April 26, 2002 @01:38PM (#3417077) Homepage Journal
    You can tell that they're full of it for at least one reason. They claim that they can force the university to fire users, including professors. This is, quite simply, bull.

    It seems to me that there's no way they can force the university to fire people over licensing issues. *Especially* professors. Most of those people have tenure, you know. Professors with tenure at my university have gotten away with embezzling grant money and sleeping with undergraduate students. Depending on the tenure contract at your school, it is probably *illegal* for the university to fire professors over this issue. BSA can't possibly wield a big enough stick for this to hold any water.

    As such, it seems to me like they're protesting too much. The scenario they paint is patently ridiculous.

  • Can I suggest MIT? (Score:5, Informative)

    by watanabe ( 27967 ) on Friday April 26, 2002 @01:39PM (#3417085)
    There have to be a few, powerful, tech savvy universities that have dealt with this before. What about MIT? Can someone here get this poor AC in touch with the right person at MIT? I'll bet some cash that MIT does not have the BSA's software on their student cluster PCs.

    Also, my 2c on this: There are a few angles. Clearly, a private institution is innocent until proven guilty under US law. So, the scare tactics the BSA is using on your University take a couple of prongs:

    • For the legally not so savvy, it says "We'll sue if there's even a hint that you might not own some software! Put our software on your computers to keep us from suing."
    • For the legally more savvy, it says "We can make your life sufficiently annoying that it will be cheaper to just let us put this software on your system." Then we'll go away.
    To address this for both audiences at your university, you'd like to be able to prove:
    1. Your university is not, in fact, legally liable to the BSA, and that it in general isn't responsible for what people do with their personal computers.
    2. It will be significantly more expensive to install the software they require, than it will be to get legal counsel to tell them to go away.
    My guess is both those things are true: A nicely backed up presentation proving both those points would probably quelly our nightmares. Good luck! Post back and tell us what happened.
  • Fire that guy! (Score:3, Interesting)

    by Jon Howard ( 247978 ) <{moc.liamg} {ta} {noj.drawoh}> on Friday April 26, 2002 @01:39PM (#3417087) Journal

    If the Gestappo comes by asking if you've seen any Jews, do you ask them to explain what Naziism is all about?

    Until this IP law is overturned, cower and hide if you're not williong to put your ass on the line to do something about it. In this case, your guy put his ass on the line, it's only natural that he takes what's coming to him. Consider it a form of back-assward martyrdom.

    • by scrytch ( 9198 ) <chuck@myrealbox.com> on Friday April 26, 2002 @01:48PM (#3417158)
      If the Gestappo comes by asking if you've seen any Jews, do you ask them to explain what Naziism is all about?

      Godwin's Law. Discussion over. Ask a Bosnian Muslim how he feels about your comparison. Or a Hutu.
  • Lawyers. (Score:4, Informative)

    by cnladd ( 97597 ) on Friday April 26, 2002 @01:40PM (#3417095) Homepage
    At this point, the only leverage that they really have is fear - they're trying to intimidate you. This is what they've done to hundreds of other companies. They come in, use your "acceptance" of a software product's EULA as a hammer, and either force an audit (which, with the criminal penalties they throw at you, gets to be scarily expensive) or force you to pay upfront and forget about the audit.

    Yeah, some people call it legalized extortion. IANAL. :)

    For something like this, they should really go through your university's legal department. If the legal department hasn't gotten involved yet, then get them involved now! Get some counsel. They are the folks that were hired to protect you from this sort of thing (among many others).

    This sounds just like pure intimidation to me. Especially once you mentioned that the audit includes personally owned computers. If they want to audit my personal laptop, which I bring into the office sometime, they would not send the notice to my employer. They would send it to me. Like I said before, talk to a lawyer. A lawyer, not the Slashdot crowd, can give you the best advice.
  • My two peeves here: (Score:5, Interesting)

    by dschuetz ( 10924 ) <david@d a s net.org> on Friday April 26, 2002 @01:40PM (#3417098)
    • failure to produce licenses for all commercial or shareware software will constitute prima facie evidence of illegal possession, with penalties that could range from the confiscation of the machine to the firing of the user;
    • and this includes computers *personally* owned by faculty

    I'll hit the second one first. If the personally-owned computers are on the network, they're close, maybe, to being able to audit those. Maybe. But that's really grey. I know I, for one, wouldn't let them on, and if they came into my office and said "let me look on that machine," I'd simply disconnect it and say "no."

    For the first one, though, I have a much bigger problem. Can anyone cite any other [industry / realm / product space] where one is required to retain all receipts in order to prove ownership? I don't need a receipt to show that I own the shirt I'm wearing. If someone wants to accuse me of stealing it, show some evidence. I don't need a receipt to verify that I own the couch in my living room -- if someone thinks I stole it from my neighbor, fine, prove it. So, why on earth do I need a receipt for software?

    I can understand the technical complications that are entailed here -- like when you've got 1 CD for 100 machines. But the legal issues are what I'm more curious about. In no other situation am I, essentially, guilty until proven innocent.

    Does anyone know if anyone's fought the software industry on those terms? You can't prove I stole it, so go away. Seems like it should work, but then again, maybe I'm being idealistic.

    (Okay, I thought of two examples -- cars and real estate. But those are tracked for me by the government, and if I lose a copy of my title they can send me a new one, for a modest fee.)
  • I wonder... (Score:4, Funny)

    by cnkeller ( 181482 ) <cnkeller.gmail@com> on Friday April 26, 2002 @01:43PM (#3417116) Homepage
    If anyone has told the BSA to f**k off? Had them come back with Federal Marshalls/FBI, then politely let them inside, offered tea and cookies, showed all appropriate licenses, then bill the BSA for wasting the companies time in a fruitless search and wasting tax payer dollars for the marshalls....

    Personally, I enclosed a RedHat sticker in their mailing and told them where to stick it....

  • by RailGunner ( 554645 ) on Friday April 26, 2002 @01:49PM (#3417166) Journal
    .. because it keeps predators like this out of your life. The BSA is nothing more then a modern day mafia - pay them protection money, and they won't tell on you for having an unlicensed copy of an application. It's a total racket, and we ought to get a class action suit against them for extortion.

    As far as whether or not they can do this, if anyone (person or organization) who wants to audit you like this is not an official department of a Government Law Enforcement Agency, whether it's federal, state, or city, then tell them to fuck off. Otherwise, you are guaranteed due process and they will need to obtain a search warrant.

    Privately owned PC's would be a separate search warrant - as they are not owned by the University they the University is not liable for it's contents.

    Too bad the powers that be at the University won't do this. But what they should do is just install the Open Source, Free OS of their choice and tell the BSA jackals to burn in hell.

    And to any member of the BSA who might be reading this: I run Red Hat Linux 7.1 at home. Go away. Kapisch?

  • by Evil Willow ( 24876 ) on Friday April 26, 2002 @01:49PM (#3417169)
    BSA: We need to see licenses for all your software.
    Me: This is an open source shop, but if you tell me which open source license you would like to see...
    BSA: We at least need you to run this auditing software.
    Me: Hmmm, seems kinda pointless, but what the hell. Do you have a Linux version?
    BSA: No. You will have to remove your Linux OS and install an MS based OS that we do support.
    Me: You want me to do what?!? Get the !&@$#%*@$%^& outta my sight!
    • by Tackhead ( 54550 ) on Friday April 26, 2002 @02:17PM (#3417384)
      > BSA: We need to see licenses for all your software.
      > Me: This is an open source shop, but if you tell me which open source license you would like to see...
      > BSA: We at least need you to run this auditing software.
      > Me: Hmmm, seems kinda pointless, but what the hell. Do you have a Linux version?
      > BSA: No. You will have to remove your Linux OS and install an MS based OS that we do support.
      > Me: You want me to do what?!? Get the !&@$#%*@$%^& outta my sight!

      You left out a part...

      BSA: "Step away from the computer. We're installing our auditing tool. Huh? Linucks? What's this gear doing where the Start menu should be?" (power-cycles machine)

      You: "Hey, what are you doing with that DOS boot floppy?"

      BSA: FDISK... FORMAT C: /S...

      ~ two hours later ~

      BSA: Finally, I've installed Windows ME. Now I can install and run the audit tool.


      BSA: Relax, Mr. Willow, your audit was pretty clean. Everything seems to be in order on your network, except you have one unlicensed copy of Windows ME. Please pay $10,000 in fines or face one criminal charge of copyright infringement.

    • by Lxy ( 80823 ) on Friday April 26, 2002 @02:22PM (#3417419) Journal
      BSA: We need to see licenses for all your software.
      Me: This is an open source shop, but if you tell me which open source license you would like to see...
      BSA: We at least need you to run this auditing software.
      Me: Hmmm, seems kinda pointless, but what the hell. Do you have a Linux version?
      BSA: No. You will have to remove your Linux OS and install an MS based OS that we do support.

      To continue:

      Me: Ok, fine. (Installs Windoze on a machine not currently being used)
      BSA: Where did you get that copy of Windows?
      Me: It came with the PC. See the sticker?
      BSA: You mean you have a licensed PC but are not running Windows on it?
      Me: Yes. We don't run Windows here. We're a linux shop.
      BSA: According to MS's license policy, the license must remain installed on that PC.
      Me: Ummm..... what?
      BSA: And as for the rest of these PCs..
      Me: I'm calling the cops.
      BSA: We're giving you a grace period to reinstall Windows on all of them to meet compliance requirements. You have 5 days.
      Me: But.. But...
      BSA: Good Day.
  • by il_diablo ( 574683 ) on Friday April 26, 2002 @01:50PM (#3417171) Homepage
    [the obligitory IANAL here]

    we did some research here at our company. my CEO and i were discussing it (i'm the CTO), and he told me he had done some leg work on the subject when the BSA first started their "scare tactic" TV/radio campaign.

    the BSA is a software reseller. they have NO LEGAL AUTHORITY. they are not the "Software Police". they can't come to you and demand anything. you have to (stupidly, actually) ask them to come and perform an audit. then, when they find non-compliance, they offer to sell the company the licenses at a "special price".

    they're vampiric...if you don't invite them in, they have no power.

    of course, now that the ball has started rolling, they can probably bring some legal action. i'm not sure what legal recourse the SPA has (for example). subpoenas/warrants/etc, possibly. i imagine that there is a goverment agency to which they can appeal for such. and the BSA only has to pick up the batphone to them to start the ball rolling.

    i know that doesn't help now, since they've already gotten a foot in the door. but it may help others.
  • Countersue (Score:5, Informative)

    by Anonymous Coward on Friday April 26, 2002 @01:55PM (#3417220)
    Tortuous interference with prospective economic advantage is a crime. They have no real basis for assuming anyone has committed a criminal act and no intrinsic authority to prosecute. Contact your local prosecutor immediately and explain the situation - that your institute is in good faith compliance with copyright law, that these people are attempting to extort from you significant financial gain and that while it is your institute's expectation and intent to comply with copyright law, these people have no right to subject you to the cost burden, nor any right to access to your systems. Get the law on your side now, because if you refuse they will attempt to get a warrant with the federal marshals. Refusing access to a borderline RICO organization is not a crime. Also get some sympathetic local press coverage immediately.

    Information at
    http://slashdot.org/article.pl?sid=02/01/15/07 3257 &mode=thread&tid=10.5

    Be proactive. Fight back. A good tactic might be to develop an open source policy predicated on the cost of compliance with commercial software licenses being too high since even the companies don't understand their EULAs it's just impossible to do so and therefore the university will outlaw commercial software on their network.

    The BSA is funded by MS, adobe, etc. If the BSA generates net positive income, they will continue storm trooping around. If it becomes a liability to have one's names associated with the organization, the underwriters will pull their support. This is a political as well as legal battle and if you don't fight, you'll be screwed, as will the next organization.
  • extortion (Score:5, Insightful)

    by ikeleib ( 125180 ) on Friday April 26, 2002 @01:56PM (#3417227) Homepage
    There's a name for this and it's called extortion. Here's how it works. I am the extorter and you are the extortee. I come up to you and say, "A little birdie told me that you are/have performed xxx criminal act. If you don't pay me off, I'll tattle on you." Note: Even if even you do pay me, you still have committed a criminal offense. Paying the extorter cannot change that. If they have legitimate knowledge that you are committing a criminal offense, taking hush money is a crime.

    The BSA uses the same tactics. They allege that if you don't comply, you'll be busted. However, they're not acting on behalf of the government. In fact, with only the evidence of "I got an anonymous tip," they shouldn't be able to get a Judge to sign off on a search warrant. After all, for them to get a search warrent, the cops need to have probable cause. I don't see how a third party, who has an anonymous tip from some other third party is probable (it's heresay). Without a search warrant, there's no phyiscal evidence of criminal conduct.

    In short, consult your legal professional. Don't forget that you can sue them, too.
  • by osOpinion.com ( 263889 ) on Friday April 26, 2002 @01:57PM (#3417232) Homepage
    I actually tried to send the BSA after my old employer screwed me over.

    Despite the radio and television commercials suggesting that he'd get fined up the ying yang, nothing happened. I have since concluded that the BSA is all bark and no bite. Here is my story [osopinion.com].

    • by nlindstrom ( 244357 ) on Friday April 26, 2002 @04:22PM (#3418312)
      An awful lot of people are either complaining about how the BSA ignored their past employers for violations, or how the BSA went after them for "lots of money." Bah. Wait until you hear my story.

      I work as a Sr. UNIX Administrator for a very large (Fortune 100) company that shall remain nameless for all the obvious reasons. I plan to leave soon, just as quickly as I settle upon a new opportunity in this less-than optimal job market.

      Microsoft is currently auditing us. Granted, that is not what Microsoft or we are calling it; rather, Microsoft is "helping us to determine our licensing needs" but that is just a sugary title for what is really going on.

      What is really going on is this: this company has long made an unofficial policy of pirating software. Factual, verified (by me) examples include:

      * A single MSDN subscription CD of Office 2000 being installed on virtually every PC in a particular department (over one hundred machines)
      * Remote sites throughout the United States being sent CD-R copies of software such as Microsoft Project and being told that it is OK to deploy it on all their PCs
      * Numerous Windows Terminal Servers being setup for use by Sun workstation clients, each running Office, Project, and Visio - with at best only a handful (read: less than five) of licenses apiece, with no CALs at all - and definitely not enough licenses to cover the 300+ workstations that use them
      * Mass upgrades of PCs from Windows 9x to Windows 2000, with nary a license in sight
      * Another department, supposedly responsible for license compliance documentation, cannot now seem to lay their hands on any more than a third of the licenses that supposedly exist - thus leading to a deficit of more than 2,000 unlicensed copies of Office, Project, Visio, and Acrobat.

      In my department alone, which is one of the smaller ones at this company, I estimated that we are looking at an easy $400,000 to "true up." Nevertheless, the departments are busy engaged in a finger-pointing battle, each blaming responsibility for license compliance on someone else. Upper management has completely ignored the issue, and as the deadline of July 31 draws ever closer, it is becoming rapidly apparent that this debacle may prove of truly colossal proportions.
  • by Illserve ( 56215 ) on Friday April 26, 2002 @02:02PM (#3417266)
    Just nuke your machines across the board, backing up the important data, and reinstall everything after they leave. Tell them you use MSDOS Edit to write your papers in LATEX by hand. This process, while a huge hassle, is probably less hassle than the BSA will give you, and when you're done, you'll have cleared out hundreds of gigs of useless crap, reinitialized your Windows registries and effective defragmented everything in one fell swoop. Also a good time to do some software upgrades.

    I know this idea is unfeasible, but I'd love to see the look on their faces when a dual processor 1.5 ghz machine boots to a dos prompt.
  • by salsashrk ( 573024 ) on Friday April 26, 2002 @02:07PM (#3417310)
    When I worked as a SysAdmin for our local University, we received a letter from Microsoft that basically amounted to the same thing. "We're coming, we're auditing, be ready"

    Now, we were mostly in compliance as far as we knew due to our large per-seat volume licensing through dynamic pooling, but we were pretty sure that we'd come up short in the end. Given that we weren't running any auditing software on the PCs it was difficult to impossible to know what was on every machine. So we called Microsoft and told them we needed time. They agreed to grant us two months, but then went on to specify exactly what software we were to use to perform the audting. We replied that we were going to choose our own that was less expensive, but were told that we must use this particular software, because they knew it to be honest and compatible with Access. (Like that should make a shit bit of difference) In the end we just bent over and took it rather than deal with the auditors showing up, and purchased this lame auditing software. It had to be deployed manually from machine to machine. Almost 2000 computers later, we had our audit. We wound up ponying up some pretty serious bucks for our machines. It slaughtered our entire budget for the next three quarters.

    Point is: Microsoft probably didn't have the right to just announce that they were coming, but we knew that, as a public institution, we couldn't afford the battle to fight.

    No one ever totaled up how much money we lost on that piece-of-shit software and in man-hours for manual deployment, but if you add it to the big fat check we wrote in the end to keep Microsoft off our campus, it was a hell of a lot of wasted grant money intended for student use.

    You can pontificate for days on replacing Windows with *nix, or killing Office for StarOffice. God knows I went to the shared governance committee more than once trying to get them to see the light. In the end, however, everyone winds up signing a fat-check.
    Cynical perhaps, but a truism all the same
  • by Malor ( 3658 ) on Friday April 26, 2002 @02:09PM (#3417323) Journal
    Caveat: IANAL.

    As far as I know, they have no grounds to force you to do ANYTHING unless you have signed a bulk-license or site-license agreement. Those agreements generally give you access to the software for a lot less money, but in return you give up all protection against 'unreasonable search' -- part of the agreement you sign allows them to inspect your systems to make sure you are in compliance.

    If you bought your software through normal distribution channels, chances are very good you can tell them to pike off. As far as I know, a click-wrap license DOES NOT allow a search, because they can't know whether you agreed to the license without searching you first. It's only when you signed another agreement, which they have on file, that they have you over a barrel.

    I will add my voice to the many others here telling you to get the lawyers involved. The BSA plays serious hardball. These people survive and can continue to exist only by extracting large sums of cash from your organization, and will use any tactic required.

    They are not your friends. They are active enemies and you should treat them as such.
  • by Teun ( 17872 ) on Friday April 26, 2002 @02:16PM (#3417370) Homepage
    By being able to prove you have a reasonable policy towards assuring licensed software on the machines you have authority over and responsibility for you have a better chance to keep them (the BSA) at a distance.

    A company or organisation that cannot show any proof of such policy beforehand is more likely to get the goons in.

    A search warrant of some sort is always required and the authority issuing it will be far more prudent when you have such a policy in place and are able to show you enact it.

  • by JimmytheGeek ( 180805 ) <jamesaffeld@ y a h oo.com> on Friday April 26, 2002 @02:26PM (#3417440) Journal
    Fortunately we completed a massive compliance effort shortly before we received the notice.

    The deal was, "cooperate or face draconian penalties", with a tie-in to a vendor selling auditing software. We install the auditing app, use it in demo mode or something to comply with the auditing demand, and then possibly purchase the auditing software to use from then on. It wasn't clear whether any settlement would be based on an agreement to purchase the app.

    My first reaction was, "Not on my net!" We had auditing software already, which put us in a great position. They didn't provide an online list of executables to search for, so we collected info on every executable we had. They had a list of something like 20,000 apps, much of it from the tiniest, least significant software vendors around. If we were playing hardball, we could have submitted an undigested count - something like 70,000 unique executables on just under 1000 machines. "Here's everything we have - let us know if there's a problem." But instead we played nice. We sent them a report on audited and identified applications, a report on identified .exe's excluded from the count (usually part of an audited app or known installation detritus), and a fairly large list of unidentified stuff. That, plus the licensing info.

    It was full and cooperative disclosure, without installing an alien app we had no control over. I think cooperating was important- I don't think we had escalation dominance in this situation. They could push it farther than we could, to a place we didn't want to go.

    My recommendation? For those not in the situation already, pretend you are! Then if you are audited, you send them the report you've already done if you are chicken, or tell them to fuck off *knowing* you are in compliance. If you don't do the audit, you don't *know*, and you may find that someone slipped up and included an app that went out to too many machines. It wouldn't take many rogue installs to give them the ability to hose you.

    Incidentally, they apparently can get marshalls to show up with them. Marshalls probably can't crack passwords though. And the BSA can't fire you, but they can include your firing as part of a settlement agreed to by the people who can fire you.
  • by Get Behind the Mule ( 61986 ) on Friday April 26, 2002 @02:30PM (#3417471)
    IANAL, and so on and so forth, blah blah blah. And yet I'm going to render opinions about the law anyaway. %^)

    A lot of posters have mentioned search warrants so far, but unless I am sorely mistaken, neither the BSA nor any other private party can ever be issued a search warrant. A search warrant can only be granted to law enforcement agencies in criminal cases; and I think that if the BSA has anything on you at all, it's a civil suit.

    (Police can search without a warrant if they have "probable cause", which is evidence of a certain kind that you have or are going to commit a crime right then and there, say within the next thirty seconds. Again, I don't think this applies here.)

    A private party does get the power to subpoena during the discovery phase of a civil suit, and then both parties do have rather broad powers to demand evidence from each other. But for that, they have to sue you first, and there a lot of procedures to go through before you get there.

    For certain kinds of civil suits, such as for copyright violations, a plaintiff can request a judge in secret for powers to search the defendant (there's a Latin name for that, but I can't remember it). This is the case when there is a risk that the defendant can destroy evidence before discovery can begin, like destroying the illegally copied material. The Church of $cientology did this once to one of its Internet critics.

    I suppose the BSA may have grounds such a request, but it's a pretty outrageous mechanism, the kind of thing only $cientologists would do, and you ought to raise an enormous public stink if they try. God help us all if the BSA is granted that kind of power.
  • by rnd() ( 118781 ) on Friday April 26, 2002 @02:43PM (#3417569) Homepage
    This article could very well have been bait submitted by someone who wants to equate the Slashdot and Open Source community with condoning software piracy.

    Of course, in reality this is about privacy, but most people don't realize that.

  • I go to great pains to make sure all the software on all of my companies computer is legal, and paid for. And, if a law enforcement agency had somehow gotten a suspicious that we were breaking the law, I would have no problem cooporating with them.

    But the BSA is not law enforcement. It bugs the heck out of me that they can do what they do. If they sent us a letter, the first thing I'd do is write up a proposal with an estimate of hours billing rate for them to sign before we would do business with them, another private business.

    Granted, we are not a big company, they would probably ignore my proposal, and we don't have the money or the resources to fight them in court, so chances are I'd end up having to comply. But it really chaps my hide that a private orginization, with no real authority, can go around enforcing the law.

    What somebody really should do is start an orginzation called 'Citizens for a drug free workplace', contact the BSA, and say that there is quite a bit of suspicion that BSA executives are in possession of, and regular uses of crack. You have one month to get off the crack, because then we're going into your offices, disrupting your business, and piss testing every one of your employees. While we have no legal right to do this, we're going to do it anyways or you're going down.
  • by mikosullivan ( 320993 ) <miko@idocPLANCKs.com minus physicist> on Friday April 26, 2002 @03:02PM (#3417716)
    IANAL. Yada yada yada.

    The way to deal with bullies is to go on the offensive. Sue back. Perhaps the most promising avenue in that direction would be to sue the BSA consituents for distributing software they know is insecure, yet laid claims to it being secure. There's a hundred years of rulings on health claims for food and other consumables that show that you're not allowed to claim something is healthful, even if you later state in fine print that it isn't. Those should make some good precedents. Be sure to quote the security specialist from Microsoft who quit recently and publicly sounded off that he couldn't understand why Microsoft still has buffer-overflow vulnerabilities. You might be able to use the precedent from some of the automotive cases in which manufacturers were proved to have released faulty products. If it can be shown that Microsoft knowingly releases a faulty product, you could turn the tables. Another point to bring up could be that Windows allows pretty much anybody with a floppy disk to install software. To me, that's faulty. Drum it into the head of everyone who will listen that insecure software opened you to unauthorized software installations.

    Next, claim that the insecure software violates the DMCA by assisting in the distribution of copyrighted material... I'm sure you can find one installation of Back Orifice on your campus to back up your claim. Sound ridiculous? It's not as ridiculous as having to submit to warrantless search.

    Be sure not to go on the offensive against law enforcement... on the contrary, get law enforcement angry at the BSA for wasting their time hurting the sweet little local colleges. Make sure everyone is clear that the agents could have been out fighting drug dealers. That sort of tactic worked for the tobacco lobby who convinced the California legislature that it was a waste of taxpayer money to run anti-smoking ads when the money could be put towards birth-defect research. There's always something more worthy out there.

    Lobby your congresspeople. If applicable, mention that the people who would profit from the search are from out of state. Remember, pork runs congress, and it's not pork if it gets diverted out of your congressperson's district. You may win this through lobbying.

    They're not being nice to you, don't be nice to them.

  • Solution (Score:3, Interesting)

    by dh003i ( 203189 ) <dh003i@gmCURIEail.com minus physicist> on Friday April 26, 2002 @03:08PM (#3417765) Homepage Journal
    (1) Tell the BSA to fuck off. You're a university, and likely have professors of law teaching there. Thus, no need to pay expensive legal fees, just ask your professors. They might not be able to win the case, but they sure can stall and drag it on at minimal cost to you while you take other measures.

    (2) Archive all raw data.

    (3) Wipe all of your machines -- that is, write over all data with zero's. To be safe, wipe the hard-drives a few times.

    (4) Install GNU/Linux or *BSD on all of your systems, using all Office/spreadsheet/etc equivalents.
  • by sup4hleet ( 444456 ) on Friday April 26, 2002 @03:32PM (#3417941) Homepage
    And it seems like some members of the community are not playing nice, so why not kick them out of your yard? The BSA's IP range is: (props to arin.net whois), if enough of us routed that to the bit bucket it would make it more difficult for them to do their jobs, hopefully reducing their profit and their supporter's interest in them. Ev1l Gr1n %^>
  • by Self-Important ( 460103 ) on Friday April 26, 2002 @03:36PM (#3417967)
    Darned BSA! Always camping and hiking and...trying to enforce manopolistic, cartel-like business practices! Shame!
  • by Steve Franklin ( 142698 ) on Friday April 26, 2002 @03:55PM (#3418123) Homepage Journal
    "I'm a faculty member at a public university which the Business Software Alliance contacted in a bulk mailing last Fall. Stupidly, our IT department invited them in to 'explain' licensing to us, and now we are trying to fend off an audit on our computers (public and private)."

    Tell them the guy who invited them in wasn't authorized to do so. They'll just have to resubmit their request. "Please send it in triplicate and don't forget to include return postage. Also, please include a detailed description of what this so-called 'explanation' involves, and while you're at it, a description of previously achieved benefits of this kind of 'explanation' would be appreciated. We can't waste our time watching another silly dog and pony show."

    Briefly, you need to take back control of your gameboard and, for god's sake, man, stop acting like a kid who has been caught with his hand in the cookie jar. They're trying to sucker you. They seem to think that you're a bunch of ivory tower intellectuals (possibly true) who don't have enough real world experience to realize it. From what I can tell from the incomplete description of the original mailing, it was deceptive at least and a bold-faced lie at most. These characters know this. They are banking on what all school-yard bullies bank on--you don't have the balls to call them. Beyond this, do not talk to them. They do not have your interests nor the interests of any other educational institution at heart. They are a bunch of greedy bastards with the morals of a mafia don. Treat them as such.

    If they want to make jackasses of themselves, let them sue a public educational institution. These are the same guys who give away free computers to school kids to make themselves look good. Maybe they *are* that stupid. I doubt it.

  • courts (Score:3, Funny)

    by schporto ( 20516 ) on Friday April 26, 2002 @04:36PM (#3418397) Homepage
    Use their annonymous tip line. Report that your local courthouse is using illegal software. But just give the address and claim the violations are in the hundreds. Esp if you call from right outside the courthouse. Somehow I think it'd be amusing. "Your honor that computer you're using is illegal." Wham. "Contempt. Go to jail." Sorry daydreaming now.
  • Fight Back (Score:3, Interesting)

    by gnovos ( 447128 ) <gnovos.chipped@net> on Friday April 26, 2002 @04:38PM (#3418406) Homepage Journal
    You are auniversity, right? You MUST have some IP of your own, right? Well, go the the exact same judge that the BSA goes to and present the exact same legal work tha they do and "audit" the BSA offices for illigal copies of your code.
  • by mlc ( 16290 ) on Friday April 26, 2002 @06:41PM (#3419077) Homepage
    See the CAW logo license [] and then my homepage [mlcastle.net].

When you go out to buy, don't show your silver.