Shakedown: How the Business Software Alliance Operates

An anonymous source writes: "I'm a faculty member at a public university which the Business Software Alliance contacted in a bulk mailing last Fall. Stupidly, our IT department invited them in to 'explain' licensing to us, and now we are trying to fend off an audit on our computers (public and private). Two questions: what kind of leverage does the BSA actually have against us? And does anyone have war stories, successful or otherwise, of their encounters with the BSA?" Although Slashdot is running this story as from an anonymous reader, we have contacted the source and believe the story is factual and the appeal for help is real. Consider this Slashdot's contribution to National Copyright Awareness Week.

The source continues: "The report that the BSA gave to our administration was filled with scary stories about other schools who tried to resist, so unless there's some hard evidence to the contrary I suspect our university will just roll over. We were told that:

• auditing software *will* be installed on every campus machine;
• the license for every program, on every machine, must be produced upon demand;
• failure to produce licenses for all commercial or shareware software will constitute prima facie evidence of illegal possession, with penalties that could range from the confiscation of the machine to the firing of the user;
• and this includes computers *personally* owned by faculty."

Sounds like they are spouting off.

[Clay Mitchell]

While I'm of course not a lawyer, but what right does this organization have to come in and put anything on the computers that are privately owned? I think they are trying to make you THINK that they have right and you'll give them the go ahead because they've convinced you they do... while in reality you could tell them to go to hell and they couldn't do a thing about it.

BSA have a history of lunacy.

[Anonymous Coward]

The Register's article BSA deploys imaginary pirate software detector vans [theregister.co.uk] explains everything.

- Toby Inkster

Scientology?

[dattaway]

Looks like the BSA is taking lessons from Scientologists.

Re:Scientology?

[F34nor]

"Arg! Your crawling with Body Thetans! Some body get a e-meter over here QUICK!" *sucking sound "GOT EM! You're luck those little alien spirits were weighing your spirit down"

"No they weren't that was my wallet you took! Come back here you fucking cultist bastards!" *sucking sound "My HOUSE! You fucks took my house. Man, now I am going to have to go and pee on L. Ron Hubbard's grave."

How the cable company catches tappers

[SonOfFlubber]

"Does anyone know if this works?"

Yes - but the cable company does not drive around the neighborhood with some kind of scanner. They use an instrument called a Time-Domain Reflectrometer to do a thing called, not suprisingly, Time-Domain Reflectrometry.

How it works is somewhat like this - the TDR instrument must be connected to the cable line feed end. The instrument launches an electrical pulse over the cable then listens for 'echoes' - kind of like a radar. If it hits a tap in the line, hits a load, or hits an open (unconnected) cable, an echo is produced which is detected by the unit. They can measure the echos and see how many feet down the line is the tap.

"Do they actually do this?" Yes again, but it is not as easy as they would like you to believe.
Theoretically, this instrument can detect almost anything that is attached to the cable. In practice, it is a lot harder to catch tappers since the technician doing TDR on the line must distinguish between what is supposed to be on the lines and what is not. He almost has to 'map' the reflections and then come back later and see if the TDR 'profile' has changed to detect a tapper.

TDR is blocked by the line amplifiers they use to boost the signal on the cable lines. It has been almost 20 years since I did any work on cable systems, but at that time it was a real pain to shimmy up a pole, undo the cable from the amplifier and then run the TDR. This disrupted the service for the customers on the branch we were testing, and most of the 'tappers' we caught were in reality people whose cables became disconnected from the set-top boxes or got cut while digging in the garden. They all did not know why their reception suddenly became so poor!!

In the end we limited TDR to analyzing lines that had signal problems, and we generally depended on disgruntled neighbors to find people stealing signal. The TDR could help us find taps, but in a couple cases the tappers were real smart and used a high impedance amplifier piggybacked on our line, which would not show up on TDR. This approach does not produce a nice clean signal one would get from a properly split and terminated cable, but it got the job done.

There was talk of some super TDR system that could be run on the whole system from the head end, but I have not seen or heard of one in use. Remember I am describing the state of the art circa 1982, and much has surely changed, so that doesn't mean it doesn't exist.

As for vans driving around picking up signals - the last I heard of such a thing was from the late '70s when HBO was broadcast over microwave, and various small cable companies and hotels would pick up the signal and distribute it over their systems. One could get downconverter kits and plans to make a box that would let you pick up HBO without a subscription. The box you could mount on your antenna mast had a local oscillator that produced a signal that would downconvert the HBO microwave signal to channel 2 VHF.

The trucks had radio direction finders that homed in on the local oscillator frequency from the downconverter boxes. I had a friend who had one set up and he actually got caught, and received a summons in the mail to appear in court.

He actually showed up in court without an attorney. He was asked to verify where he lived and evidence was produced against him that a certain frequency was radiating from his property, one which could be used to illegaly downconvert HBO. My friend got his turn to testify and much to the suprise of the prosecuting attorney, he produced an Extra class ham radio license. He then submitted a page from the ARRL Handbook showing the RF spectrum priveleges given to different classes of Amateur licenses. The frequency in question was in the broadcast privileges for his class of license! He then said that in this case the evidence against him was circumstantial. He admitted that he was "performing experiments in those range of frequencies" and went on to add that he was soon going to broadcast regularly at that frequency.
Case dismissed.

The Audi Tool is called GASP

[Anonymous Coward]

Their audit software is called GASP and it's not available for Non-Windows or Non-Mac users. Darn!

http://www.bsa.org/usa/freetools/gasp/

Check it out, they have an EULA for GASP... I guess they'll want to see the EULA for each machine they install it on too.
http://www.bsa.org/usa/freetools/gasp/gasp_c .phtml

counterthreats

[Tablizer]

(* This is who the BSA *really* is: [big software companies] *)

Try this: Tell them you will go on a mad OSS campaign if they don't go away. Show them a proposal to spend X amount of money on OSS advertising and promotion around the campus and elsewhere.

Show them a draft of an article about BSA thuggery and why it is now time for OSS that you plan to publish.

When they send in a representative, have a bunch of Penguins, OSS posters, and Red Hat boxes around your office. Give them a free Penguin T-shirt on their way out.

Re:counterthreats

[Technician]

Tell them you will match the fine in promoting OSS and campaign against corporate raids. The fines and campaign funds all are to be from the budget for new software licenses. They will be killing the golden goose to continue. Part of the promotion is showing the audit cost + penalties are part of the TCO of the Windows Platform.

Legality in doing this?

[morhoj]

Perhaps I'm not 100% informed in what the BSA does, but how can they just march in and start installing software and demanding licensing documentation? They are not a government organization, right? It looks like they operate Internationally, so where do they get their jurisdiction to start making demands?

Re:Legality in doing this?

[bstrahm]

That is very simple... The legal system. I am a private organization/person. I want you to do something - I simply say Do it, or I will get a court to make you do it, and by the way it will cost you a lot of money cause you will have to pay your lawyers, my lawyers, and the damages

If you aren't breaking any licencing agreements, it just costs money to fight... But much like speeding - No large organization is perfect and someone, somewhere, will have some software that the licensing documentation isn't perfect on... The BSA is willing to bet for that (So you have to pay their legal bills, discovery, etc) are you willing to bet against it ???

Re:Legality in doing this?

[ergo98]

That's called barratry [dictionary.com] and it's actually illegal: If you threaten groundless legal action to blackmail or intimidate, you are abusing the legal system in an unsavoury way and I believe in most Western nations you can face criminal or civil punishment.

Re:Legality in doing this?

[sphealey]

That's called barratry [dictionary.com] and it's actually illegal: If you threaten groundless legal action to blackmail or intimidate, you are abusing the legal system in an unsavoury way and I believe in most Western nations you can face criminal or civil punishment.

In theory, yes.

In practice, if such laws were enforced, the amount of work for lawyers and judges to do would drop drastically, and the money earned by lawyers would also go down.

Laywers (including prosecuting attorneys) and judges decide whether or not barratry cases will be allowed. Do you spot a small conflict of interest? How do you think it will be resolved?

sPh

Groundless??

[sterno]

If it were completely groundless, then yes it would be illegal. The problem here is that in these situations, there's no way for the university to 100% license everything they use. Even if they make a concerted best try effort to license everything a few licenses will slip through the cracks. The university knows this, the BSA knows this, and that is why the BSA, to the best of my knowledge, has never been challenged when these audits come up.

Let's say on your entire campus, one license is not valid. If the BSA comes knocking at your door, you face a relatively minor penalty for that license, but then you have to pay for your legal counsel, their legal counsel, damages, the auditors, etc. The BSA knows this, and they use it to their advantage.

Now, keep in mind here that they are suggesting a product is not legally licensed if you don't have the paperwork to proove it. Therefor, if you aren't totally pristine in keeping track of the licenses for all your software that is, in fact, 100% legitimate, you can still get screwed by the BSA. Although I do wonder how well that would stand up in court, that is, unless the BSA can proove those copies are pirated, is simply not being able to proove them legitimate enough to get you into hotwater. I'm sure their license provisions make certain statements about this, but I don't know if they would stand up in court.

What it boils down to is that the BSA takes advatange of our legal system to extort businesses and it's about time that something was done to put an end to this. For example, I would propose that any organization that licenses software for more than say 50 computers, they should have certain protections from this sort of action. I would suggest the following protections:

1) Provide protection for good faith effort. If your company makes a good faith effort to license your software (at least say 80% of the value of the software is legitimately licensed), then all you can be held accountable for is the cost of licenses at retail price. No damages, no attorneys fees, no auditing fees. It would still cost you the attorneys fees to fend it off, but at least the expense would be clear and reasonable. If you have more than 90% compliance, then your legal fees would be covered by the suing party (though you'd still have to pay for the licenses). Thus, there's a strong disincentive to go after an organization that's not blatantly violating the law.

2) Receipts or other proof of software purchase should be considered valid proof of legal license. If you buy a thousand copies of a piece of software, you shouldn't have to keep track of a thousand pieces of paper. It would be impossible to proove that a piece of software is pirated, so it makes sense for the purchaser to be required to demonstrate ownership in court, but the burden of what needs to be proven should be much more reasonable.

Re:Groundless??

[PhotoGuy]

If the BSA comes knocking at your door, you face a relatively minor penalty for that license, but then you have to pay for your legal counsel, their legal counsel, damages, the auditors, etc. The BSA knows this, and they use it to their advantage.

IANAL, but as I understand it, here in Canada we have a great solution to frivolous lawsuits and bullying through threats of groundless lawsuits. The defendant in a lawsuit can receive (or perhaps counter-sue for?) legal fees from the agressor, when such a groundless case is lost.

Knowing that a judge will make you pay for the defense in such a bullying lawsuit, can put a pretty quick stop to this type of unethical behaviour. And if you know you're clearly in the right and will likely win, it's worthwhile to float the legal fees until the buggers lose.

Re:Contracts

[Drachemorder]

You may have given them the right to make inspections or audits when you signed a contract. My local cable company has a clause for this in their service agreement.

They can't conduct an inspection if I don't open the door for them. And they better not try to get in my house without my permission --- that would be breaking and entering, and I could legally shoot them if I catch 'em doing it. I wouldn't shoot a cable guy, of course, but a BSA representative, now, that's different. :-)

Re:Contracts

[Sir Tristam]

that would be breaking and entering, and I could legally shoot them if I catch 'em doing it.

Ummmm.... No, be very careful there. Even in your own home, you do not have the legal right to use deadly force except when protecting yourself or another from immediate danger of death or severe injury. If you shoot an unarmed intruder just for being in your home, you're probably going to jail. As soon as they have a gun, knife, baseball bat, pipe wrench, etc. they're fair game, though. Also if you're a 100-pound woman and the intruder's a 300-pound man.

If you own a gun and you're not 100% sure if I'm right or wrong, I'd advise you to look in the Yellow Pages under "Gun Safety" or "Firearms Instruction". They should be able to fill you in on such concepts as the Castle Doctrine and Disparity of Force. The book "In the Gravest Extreme" is also a good idea for a read.

Off-topic? Yeah, but I'm at the karma cap anyway. If burning three worthless points keeps one of you clowns from being victimized twice (intruder & system) then they're well spent.

Chris Beckenbach

Re:Legality in doing this?

[AntiNorm]

They are not a government organization, right?

Right. And this is why they CAN NOT just march in wherever they want, whenever they want, and do their raids. They CANNOT demand license documentation, they CANNOT install software, etc. without either a court order or police and a search warrant. I would do exactly what pitcrew suggested -- tell them to go to hell.

From the article: failure to produce licenses for all commercial or shareware software will constitute prima facie evidence of illegal possession

This, IMO, is absolute bullshit. It's like the police going through your refrigerator, making you produce receipts for every gallon of milk in there, and automatically assuming that the milk you can't account for with receipts was stolen from the local grocery store. They are assuming you to be guilty until you can prove yourself innocent. This is not the way our government works (or is supposed to work); the burden of proof is supposed to be on them, not you.

Re:Legality in doing this?

[zangdesign]

Actually, it's more like your neighbor going through your fridge, making you produce receipts. At least the police have legal authority in some cases (ie., drugs, stolen merchandise).

Why justify them with a response

[lildogie]

> I would do exactly what pitcrew suggested -- tell them to go to hell.

A safer strategy is to pretend you didn't hear them in the first place.

Ever send a registered letter with return receipt, and never get the return receipt? It happens, and it's because the recipient doesn't want to acknowledge the communications.

IANAL, but it seems to me, to haul you into court requires a subpoena or a summons. Those documents require a response. Others could be ignored, as long as you don't intend to do business with the source of the noise.

Re:Legality in doing this?

[Waffle Iron]

but how can they just march in and start installing software and demanding licensing documentation? They are not a government organization, right?

Maybe they interpret the U.S. Constitution thusly:

• The government is not permitted to perform unreasonable searches and seizures.
• All rights not expressly given to the government are reserved for the people.
• Therefore: Private parties have the express right to perform unreasonable searches and seizures!

Re:Legality in doing this?

[DeputySpade]

It amazes me that no matter how many times this comes up, people still don't get it. READ the EFFEN UELA! When you accept the EULA from MS, Oracle, or whatever closed min^H^H^H source software, BSA participating company you purchase from, you agree to let the copyright holder _OR_ANY_DESIGNATED_ASSIGNEE_ come in and audit your system for license violations. And as for the idea every seems to have about simply making a quick switch to OSS, DON'T! if the BSA comes back tomorrow and can't find ANY software under their jurisdiction on ANY machine, they will assume that you blew it all away to cover up the fact that you were using it illegally. They will then want you to prove that you didn't try to destroy evidence! Trust me. I've been through this before.

Re:Legality in doing this?

[jgerman]

The BSA has no authority in this matter EULA or no. You cannot sign away your constitutional rights. As far as making a quik change to OSS. Again, I don't care if they swear till they're blue in the face that there was un-licensed software running there yesterday, it isn't today, and that's all that matters.

Also, they absolutely CANNOT demand to install auditting software on those machines. That's theft in my book. They are forcefully taking away my cycles.

Furthermore, they can't attempt to enforce a EULA that they don't know you accepted. Until they audit they have no way of knowing that you have EULA covered software on your machines, until they know you have EULA protected software on your machines they have no right to audit those machines.

Re:Legality in doing this?

[letxa2000]

When you accept the EULA from MS, Oracle, or whatever closed min^H^H^H source software, BSA participating company you purchase from, you agree to let the copyright holder _OR_ANY_DESIGNATED_ASSIGNEE_ come in and audit your system for license violations.

I think it is high time these damn EULAs get properly tested in court. I have a feeling they will ultimately fail the legal test. It's absurd that you "have" to read more legalese to install a piece of software than to buy a car (assuming you pay cash). It's also absurd that you can't read the legalese until you've purchased the software, opened the packge, and many times broken a stick on the internal CD sleave that reads "Breaking this sticker indicates your acceptance of the EULA"--which you see once you install the software.

Last I heard, ripping a sticker wasn't quite as legally binding as a signature.

The BSA coming charging in would be a perfect opportunity to test a EULA. Unless they come with cops and a warrant, you can tell them to take a hike even if they have a signed contract (which they don't). Tell them to get a court order. They may do that and they way try to sue you: But they'd sue you for violation of a contract, not copyright infringement. You could then argue that the EULA is invalid. Aside from the issue of whether "clicking accept" forms a contract, the EULA is invalid because no contract (in the United States) is enforceable if it abdicates a recognized right of one of the parties--in this case, unreasonable search and seizure.

You, as an adult can sign a contract that says you will never marry, that anyone can search your home and kill your sister--all three of those clauses will not be enforced by a court because they abdicate recognized rights that CANNOT be taken away by a contract. Otherwise many labor laws that protect workers would be useless since workers would just be forced to sign away their rights. You can't do it. You can't sign away your rights (well, you can, but no court will enforce them).

I think it'd be great if a BSA-initiated conflict resulted in the definitive invalidation of EULAs! :)

Re:Legality in doing this?

[nolife]

Can you point to a specific EULA that includes text of this nature? I can not find one. I am interested in how this is worded. I searched Microsoft with Google and MS's own internal search engine and can not find an EULA posted online. I found a eula.txt in the system32 directory on my 2000 machine at work and it mentions nothing about allowing an audit.

General points to ponder...
I just walked through the entire process of buying WinXP from shop.microsoft.com and NO WHERE was I given a chance, a link, or even a hint of an EULA that I would be binding too when I open the software. How could they not include this license in the buying process? There is no excuse for not making this a part of the purchasing process.

Microsoft statements about "piracy" and license agreements [microsoft.com]

What is the minimum amount of documentation I should keep to prove my software products are legally licensed?
All legally licensed Microsoft products should contain an End-User License Agreement (EULA), which is your primary proof that you own a legally acquired product. However, it is also recommended that you keep the original user's manual (or at least the cover and first page of the manual), the product disks, the Certificate of Authenticity, and your purchase receipt.

This EULA they speak of, is this a hardcopy of some sort? That seems to be all that they require. What is with the should and recommended? Sounds shaky to me.

First,

[crumbz]

Contact your in-house legal department or if you don't have one, consider retaining counsel that specializes in IP (intellectual property). If they have sent you a formal inquiry in the attempt to perform an audit, forward all correspondence to your counsel. By no means allow any staff or others to contact them or respond to them directly or indirectly. At this point, all contact should be coming from your legal team.

Good luck.

Actually...

[SPYvSPY]

Can I recommend that you retain lawyers that are technology generalists rather than IP counsel? I am a technology lawyer, and my experience is that IP lawyers are generally quite clueless about the nitty-gritty realities of transactional technology (e.g., the character of the major vendors, typical licensing provisions, typical workarounds, typical negotiating points, non-IP leverage points, etc., etc., etc.) IP-types (who are typically litigators rather than transactional lawyers) are more likely to take a dispute-oriented approach, rather than a more creative and effective negotiated approach. YMMV.

since you are a lawyer

[fons]

since you are a lawyer, could you answer the questions raised in the story?

I understand you normally get paid for advice so you don't have to go into details. But some general information from someone with your expertise could be enlightening.

Re:since you are a lawyer

[Anonymous Coward]

The BSA is to be feared. But the BSA is nothing but a single point of contact representing the interests of a group of "the usual suspects" in the IT vendor community. No organization of the size and scope and nature of a University will be survive an audit unscathed. The key is to stay under the radar. Apparently, it's too late in this case.

It's hard to say what rights the BSA has, since those rights will typically stem from the terms of the license agreements to which the University has agreed. Where enterprise or site licenses apply, they may or may not contain negotiated terms that vary from the off-the-shelf EULAs. If there is not a negotiated "umbrella" agreement, the click-wrap/shrink-wraps will probably govern, and I'd venture to guess that those give the vendors (and the BSA) some audit rights. However, many courts remain skeptical of the enforceability of what are known as "adhesionary" (think "overreaching") terms of a click-wrap EULA. Vendors are aware of this, as is the BSA. This diminishes the BSA's audit rights, and gives the University a foothold to prevent an audit. This is just one example of an approach to defeat this type of threat. There are *always* leverages to be exploited. Good lawyers do their homework and read all the facts and all the license terms and find a way. That's what makes them good lawyers. ;) I can't go any further, due to ethical restrictions. (I know it's annoying, but there is a good reason for those restrictions.)

Go open source

[Animats]

What a great time to convert to an all-open-source campus!

Some big organization needs to do this in response to a BSA audit request.

Re:Go open source

[Derkec]

Yeah, that's a great plan if you don't need to use any software. Seriously, a chemistry friend of mine works on commericial software running in the 10K per seat range. No quality open source alternitive. Oh, and it runs on Windows. Language classes use language tutoring software. Graphic art classes use photoshop. Computer science runs on donated equipment. It might be hard to get Sun to keep sending you free boxen when you remove solaris from every box you get so you can go free.

While the idea of a campus that's totally open source is cute, the idea is totally unworkable and not a feasible solution. That is the reason noone will respond this way. People spend money on software because some software is only legally available when you spend money. If I was still in high school, it would be a no-brainer to decide not to go to any school that didn't use any proprietary software.

We'd all like free software. However, with very rare exceptions, the best (or all) software in most domains is closed. Why? Because I can't find enough chemistry people and programmers who will cooperate to make me specialized software of superb quality unless I unload a big pile of cash.

Re:Go open source

[Fiver-rah]

Your point is taken in terms of people running Photoshop/CAD software/etc. Since a university has an obligation to train people to use commercial software, unfortunately, it may not be avoidable. But as a member of a theoretical chemistry research group which runs only Linux, I want to gripe about your Chemistry comments.

Most of the major Chemistry commercial software out there is available to run under Linux. Sure, it ain't free. But it doesn't imply you have to run Windows to use it.

*Gaussian runs under Linux (although they are pretty draconian about licensing in their own rights).
*QChem runs under Linux (hell, Martin Head-Gordon's research group only has one Windows box, and they only use it for the occasional PowerPoint presentation).
*CHARMM runs under Linux.

Furthermore most of the major commercial chemistry packages don't contract out with the BSA. Most of the people I know in theoretical chemistry don't run Windows. Why? Because if your jobs take months to run, you sure as hell don't want an uptime that is order days. Sure, you can't go totally open source (yet). But you can evade the juggernaut.

And for reference purposes, the next generation of theoretical chemists is pretty geek-happy. Give us another twenty years, and I'm sure you'll start seeing GPLed versions of molecular modeling programs. Hey, I'd consider doing it. The point of all this is that you *can* do things in stages. You can run whatever commercial software you want, scientifically, under Linux. And it's only going to get better. Why? Well, I know people who have license credits on Gaussian/QChem. And you know where they get their thrills? It sure ain't from the royalty check. It's from the fact that *everyone* who uses their software cites them in their articles. Citations are power in the academic world. Money is nothing.

Re:Go open source

[Paul Komarek]

Personal nitpick: Universities have *no* obligation to train people for any particular application. Universities have an obligation to teach people how to *think*. Technical/vocational training is where a person can pay to learn particular programs. This is *not* the role of a university.

Wow, I *am* sensitive about this! =-)

-Paul Komarek

Re:Go open source

[MrResistor]

I have to disagree with this statement:

a university has an obligation to train people to use commercial software

Unless the student takes a class to specifically learn to use a particular piece of software the school is under absolutely no obligation to train them on commercial software, and in fact I would argue that the school is doing the student a disservice if the do so.

For example; when I take a class in C++ I expect to be taught the C++ language, and the skills I learn in that class should be portable to whatever environment I then choose to use. If I'm forced to use only MS VisualC++ when I would prefer to use Borland Builder or vi/gcc my education is being limited. I'm not suggesting that the school should be forced to provide me with alternatives, merely that I shouldn't be restricted from using them if I so desire.

It comes down to this; the business of the University is education, the teaching of concepts which can be applied within the given field regardless of the tools available. Training on a particular tool is process-oriented job training, best left to trade schools or employers.

Now, obviously, there are situations where this doesn't apply. If I'm taking a class in Visual Basic I'm going to use MS Visual Basic because it's the only game in town. I imagine that's likely the case with some highly specialized scientific software as well. However, I would still argue that the university has no obligation to train the student on that particular software, but rather the obligation is to teach the student what they need to know in order to understand and interpret what that software does. I was never trained in using Mathematica, but I was taught enough algebra and calculus that I figured out how to use it, and how to interpret the results it gave me, without too much difficulty.

Anyway, I don't want this to seem like a flame. Other than that one point I wholeheartedly agree with you and find the examples you give encouraging.

On the CAD front, rumor has it (rumors are treason. Trust the Computer) that Pro-Engineer runs on Linux. I haven't verified that, though. I suspect AutoCAD might also as they used to have a Unix version, though I'm not sure if they still do. If you're just doing 2D CAD I hear QCAD is a viable alternative.

All the graphics folks I know swear by Photoshop of course (except one, who prefers Corel for some reason), but I suspect it's largely because that's what they were taught. I admit that I am not a graphics guy, but the GIMP seems perfectly capable to me.

Re:Go open source

[Derkec]

I think the best you could say is that you would migrate away from BSA where possible. Checking the list of BSA partners, which is smaller than I thought, I saw both apple and microsoft. It's difficult to run a university free of those companies. 99.9% of students would be less than pleased. You might find some success by targetting other members in an effort to get them to withdraw from the alliance or change it's policies. For instance, you could target Intel by formally letting them know, that in response to BSA tactics, all further purchases for x86 student labs will be run on AMD. Dell and Compaq could be notified that Gateway will be your premier supplier. IBM notified that they won't be used for servers or integration.

I was mistaken before that they were the total proprietary software dicks. They are really rather limited. Tactically choosing to take business away from some members could erode the funding and credibility of the organization should those members choose to leave.

In fact, I would suggest that users don't wait for the BSA to knock on their door. Instead, they contact companies and tell them how many dollars of business they will now loose. Hopefully, enough people will do this that the lost amount will be less than revenues generated by the assholes.

BSA members:

[Derkec]

FYI: BSA members are:

"BSA members represent the fastest growing industries in the world. Worldwide members include
Adobe, Apple, Autodesk, Bentley Systems, Borland, CNC Software/Mastercam, Macromedia,
Microsoft, Symantec, and Unigraphic Solutions. Additional members of BSA's Policy Council
include Compaq, Dell, Entrust, IBM, Intel, Intuit, Network Associates, Novell, and Sybase"

Re:Go open source

[ivan256]

You don't have to go completely open source either. Keep a few Windows PCs and Macs with the proprietary stuff and let the BSA worry about those. You can fix the bulk of the problem by converting the bulk of the machines completely to open source software; the BSA can spend as much time as they want crawling around those machines.

That would be great except that the MS site licenses for universities require you to purchase licenses for every machine on your campus, wether it runs windows or not.

Re:Go open source

[j09824]

Ever try to find a open source tax preperation program? Doesn't exist.

You can do taxes over the web from Linux and other free operating systems just fine. But taxes are a special case anyway (highly legalistic, highly time constrained, of no independent interest to scientists or programmers). Scientific and educational software is about as different as you can get.

True, you can get lots of programs from the open source world, but the more specialized the programs get, the less likely you will find a free alternative.

There are plenty of very specialized programs that you can only get for free. In fact, most research software starts out that way before some company picks it up, makes it closed source, and generally ends up making it much less useful.

These programs normally take a higher expertise level (ie, you need to be a chemistry expert to design a feasible chemistry app), and the open source need just isn't there.

Scientists who develop software as part of publically funded grants, or who want to publish results related to their software, should be required to make the software available for free: it's necessary for experimental reproducibility, and why should the tax payer fund private software companies anyway?

Many scientists appreciate those reasons. And many scientists don't want to become software entrepreneurs anyway and publish their software even if they could commercialize it.

And your average unversity isn't going to spend tens of thousands of dollars in salary to develop a complex app and then give it away for free to their competitors (ie, other universities).

Universities generally don't spend money on developing science-related software; funding agencies do. Universities are trying to get into the act by asserting rights to software they didn't pay for, but we shouldn't let them get away with that. In fact, these days, it's often the universities that try to close source against the wishes of researchers and funding agencies.

Beware

[dreamchaser]

Once the BSA has its sights set on an organization, then that organization had better have either the licenses or the money to pony up FAST to buy them. I have seen cases where the BSA isn't satisfied with responses and comes back with Federal agents (yes, guys armed with subpoenas and guns.)

If you are reasonably sure that your licensing is OK, then you could probably stave them off. It would be a unique Uni that licenses all of the software being used though, based on my experiences.

Basically, you are screwed if you a) don't comply with them and b) don't have your licensing in order.

Re:Beware

[Xader Vartec]

I'm sorry but FSCK THAT!!!

If I word for an orginization (University, corporation) I am NOT going to allow some orginization to TOUCH my PERSONAL computer!!!

I don't copy software from my work but it is NONE OF THE BSA'S BUSINESS what I have on my computer (I don't pirate software either).

I think the BSA's demand to see the faculties computers is OUTRAGOUS!!!

Re:Beware

[lildogie]

>I have seen cases where the BSA isn't satisfied with responses and comes back with Federal agents (yes, guys armed with subpoenas and guns.)
...
> Basically, you are screwed if you a) don't comply with them and b) don't have your licensing in order.

If you're remotely close to satisfying (a) and (b), find a lawyer who can say the word "racketeering."

Treble damages.

Peanalized for personal computers

[Aiku1337]

and this includes computers *personally* owned by faculty."

Why should an organization be peanalized for personally owned computers? Yes, IT can set rules and what not but how many users actually follow IT rules?

Note to self, don't bring laptop to work if company is being audited by gestapo...err, BSA.

As a CIO myself...

[Argyle]

I would suggest that you 'lawyer up'.

You absolutely need your legal counsel involved in this. An IT department is generally unsuited to handle these type of business/legal affairs.

By sucking in the legal folks you turn it from an IT problem to a 'university as a whole' problem.

Do not let them strong arm you into anything. Play hardball. Tell them you are doing an internal review that could take months.

Remember, they will be very reluctant to force the issue into a courtroom. It is very bad PR for them to take an impoverished college to court. A jury would be filled with people who all have 'unlicensed' software on their home PCs.

But in the end, you will have to make a reasonable effort to be in compliance and generally pay for the software you use. That, my friend, will be unavoidable. Unless, you switch IT platforms to a free or close-to-free software environment.

Good luck.

Re:As a CIO myself...

[dschuetz]

The CIO here is absolutely right -- talk to your lawyers, and above all, do what they tell you. I don't need to describe what the career path might be for someone who ignores the lawyers and opens their employer to a million-dollar settlement.

I had some thoughts about all this while out getting lunch, and now that I've posted my idealogical rant about "innocent until proven guilty" obviously not applying in the civil world, I'll try to be, like, constructive for a moment.

First, any lawyer (and most of the posters here today) is going to tell you that it's cheaper to simply buy all new licenses (or whatever the BSA is demanding). Rifle every likely file cabinet for existing licenes, then buy the difference. Either way, you still need to do your own audit.

On the other hand, if you're at a school with a strong reputation, lots of prestige, and even more money, and if your president believes there's a moral victory worth fighting (and paying) for, then I have some thoughts that I at least find intriguing:

• An early response might be "Oh, wow, this could be bad. Okay, we'll work with you. Here's how we'll do it. Here's exactly how we'll do it. And it'll take some time. But we'll be with you all the way, show you what we've done, give you monthly updates, etc." Look for documentation on your internal hardware inventory process (I'm sure you've got one, when I worked at UMCP I had my PC inventoried by like 5 different departments in one year), and use that as a starting point to justify the length of time you're expecting the audit to take. [I think this is the best response, since, ultimately, you'll probably need to do an audit eventually, anyway. Cooporate, but on your own terms.]
  
• Refuse (in legal terms) to deal with BSA. You haven't got any software from BSA (you can't, they don't sell software). Offer to deal with Microsoft, if they send you a letter from their legal team on their letterhead.
  
• Agree to do an audit, but only if BSA pays for it, on a time and materials basis. Present them with a nicely-detailed starting point for the process of actually doing the audit, how long it'll take (see above), how many people it'll take, and how much it'll cost. Tell them that you're pretty sure you're in compliance, but if they want to force an audit, they'll have to pay for it. This is an extension of the comment above, and might be the 'best' out in that you get them to foot the bill. It'd be a victory for both sides, more or less.
  
• Ask them why they've come to your university. Have they had an anonymous tip? Did they see people selling university-stamped materials on eBay? If they simply say that, stastically, there's "probably" piracy happening here, require better justification before you spend any more time with them.
  
• Require them to limit the scope of the search. If their tip came from someone in the Sociology department, limit the audit to only those machines in that department. If they got a tip that "everyone here is copying MS-Office," limit the audit to only look for the most recent version of MS-Office.
  
• If you've gotten this far, then they're probably going to a judge. Ensure that your school is represented at the hearing for the subpoena they'll use to force you to audit. Try to cast the situation in the same light as a search warrant: Police need a specific warrant for a search, showing just cause for the search, and specific targets to be searched, and specific items to search for. No cause, often, no warrant, in my understanding.
  
• Or get it to be treated just like a subpoena for a deposition -- with specific areas of discovery outlined. No judge (I think) would issue a subpoena for a deposition that says "go talk to this guy and ask him anything you want." Instead, the lawers are required to stick to a narrowly-defined scope of questions that directly pertain to some particular action. Try to get the judge to see a parallel between that situation and the BSA audit request.
  
• Ultimately, maybe you can find a lawyer gutsy enough to throw RICO at 'em. Hell, this is just this side of a protection racket on behalf of Microsoft, anyway.
  

Of course, my initial point still stands -- do your own audit, cheaply, and simply pay for the difference. And, most importantly, build a good system (centralized database backed up with a fire-safe holding physical license papers for the whole school) to track this stuff, and re-audit every 6 months. Or even more frequently. (client-side tracking software is obviously going to be in your future....)

Good luck!

The BSA isn't all bad

[larsu]

The BSA isn't all bad. First, haggles over license increase the total cost of ownership for commercial software, which makes free (as in speech) software more attractive.

Second, I used them to shut down a competing software retail store once. The place was selling Microsoft OEM software off the shelf. A call each to the BSA and to Microsofts Piracy line and the place was out of business in 4 months. :)

Re:The BSA isn't all bad

[Anonymous Coward]

Everyone else replying to this called the guy a scumbag and wished him a similar fate. I would like to know something though. Just to be sure I understand this correctly isn't OEM software all marked clearly with something along the lines of "Not for resale" or "not to be sold seperatly"?

If that's the case and I am correct in my understanding (Being right up front I might very well be mistaken) then wouldn't his competitor in all likelyhood be selling OEM copies of this software far cheaper than he could sell retail versions? Following then what's the real problem with busting someone who is undercutting you by doing something outside the lines?

Personally I think the guy creatively used the system to smack down an unethical competitor to his own advantage assuming all of this was true of course. The other guy was trying to work the angle and got caught. Tough shit.

I just can't find anything wrong with that.

Re:The BSA isn't all bad

[afidel]

To all those who think the parent is a bad person forturning the competitor. NO, this is exactly what the BSA SHOULD be doing, busting professional pirates, because anyone selling OEM liscensed software on retail shelfs is exactly that. OEM liscensing is a volume discount/ get em hooked pricing model, it is not meant to be bought off of retail shelves, when you get an OEM liscensed copy you are supposed to get all support from the company selling the software, not the authors, but people who buy OEM copies retail do not realize this and call the support line of the authors, not the now out of business fly by night shop they bought the software from!

One word

[pongo000]

...and that word is "outrageous." If your administration does not step in and put a halt to this egregious evasion, then you can tell them I told you they are a bunch of pussies.

Seriously: Where's the search warrant? How enforceable is a EULA with such broad contractual provisions that it forces a licensee to waive all rights to due process and freedom from illegal searches? (Before you naysayers tell me the Constitution has no bearing in this, check the facts: In many cases, BSA shows up at the doorstep with their very own law enforcement escort.)

There is a legal concept known as "blue-lining" in which a judge has the legal authority to water down, modify, or even eliminate certain portions of a previously-agreed-upon contract. I learned about this after I found myself the unwitting signatory to a capricious and completely illegal legal document. The state recognized the document as legally binding; however, the state also found the terms of the agreement were overly-reaching, capricious, and without legal standing, effectively nullifying the contract.

The reason why companies continue to write obviously unenforceable contracts is that they know the number of people willing to fight in court is very low. Most will simply roll over, expose their underbellies, and submit to being raped rather than fight.

Firing of users?

[Fiver-rah]

You can tell that they're full of it for at least one reason. They claim that they can force the university to fire users, including professors. This is, quite simply, bull.

It seems to me that there's no way they can force the university to fire people over licensing issues. *Especially* professors. Most of those people have tenure, you know. Professors with tenure at my university have gotten away with embezzling grant money and sleeping with undergraduate students. Depending on the tenure contract at your school, it is probably *illegal* for the university to fire professors over this issue. BSA can't possibly wield a big enough stick for this to hold any water.

As such, it seems to me like they're protesting too much. The scenario they paint is patently ridiculous.

Can I suggest MIT?

[watanabe]

There have to be a few, powerful, tech savvy universities that have dealt with this before. What about MIT? Can someone here get this poor AC in touch with the right person at MIT? I'll bet some cash that MIT does not have the BSA's software on their student cluster PCs.

Also, my 2c on this: There are a few angles. Clearly, a private institution is innocent until proven guilty under US law. So, the scare tactics the BSA is using on your University take a couple of prongs:

• For the legally not so savvy, it says "We'll sue if there's even a hint that you might not own some software! Put our software on your computers to keep us from suing."
• For the legally more savvy, it says "We can make your life sufficiently annoying that it will be cheaper to just let us put this software on your system." Then we'll go away.

To address this for both audiences at your university, you'd like to be able to prove:

1. Your university is not, in fact, legally liable to the BSA, and that it in general isn't responsible for what people do with their personal computers.
2. It will be significantly more expensive to install the software they require, than it will be to get legal counsel to tell them to go away.

My guess is both those things are true: A nicely backed up presentation proving both those points would probably quelly our nightmares. Good luck! Post back and tell us what happened.

Re:Can I suggest MIT?

[ckd]

What about MIT?

I can see it now...the BSA auditor shows up, sees a Dell box, and walks up to it to start his Win32 auditing tools.

Then he says "what's this freaking owl doing on the login screen [mit.edu]?"

Fire that guy!

[Jon Howard]

If the Gestappo comes by asking if you've seen any Jews, do you ask them to explain what Naziism is all about?

Until this IP law is overturned, cower and hide if you're not williong to put your ass on the line to do something about it. In this case, your guy put his ass on the line, it's only natural that he takes what's coming to him. Consider it a form of back-assward martyrdom.

Re:Fire that guy!

[scrytch]

If the Gestappo comes by asking if you've seen any Jews, do you ask them to explain what Naziism is all about?

Godwin's Law. Discussion over. Ask a Bosnian Muslim how he feels about your comparison. Or a Hutu.

Re:Fire that guy!

[scrytch]

By gum, I sure do hope I didn't offend anyone! It would be so utterly un-politically correct to exaggerate a little in making a point.

No you cretin, it has more to do with the fact that the nazi comparison is

so

utterly

treadworn


That it has no coinage any more. Every god damned thing you don't agree with, well just shout "Nazi". The quips about other folks who got massacred had more to do with the idea that yes Virginia, there really are people who get systematically killed in this world who don't give two shits about software licensing.

Get some perspective. Jesus.

Lawyers.

[cnladd]

At this point, the only leverage that they really have is fear - they're trying to intimidate you. This is what they've done to hundreds of other companies. They come in, use your "acceptance" of a software product's EULA as a hammer, and either force an audit (which, with the criminal penalties they throw at you, gets to be scarily expensive) or force you to pay upfront and forget about the audit.

Yeah, some people call it legalized extortion. IANAL. :)

For something like this, they should really go through your university's legal department. If the legal department hasn't gotten involved yet, then get them involved now! Get some counsel. They are the folks that were hired to protect you from this sort of thing (among many others).

This sounds just like pure intimidation to me. Especially once you mentioned that the audit includes personally owned computers. If they want to audit my personal laptop, which I bring into the office sometime, they would not send the notice to my employer. They would send it to me. Like I said before, talk to a lawyer. A lawyer, not the Slashdot crowd, can give you the best advice.

My two peeves here:

[dschuetz]

• failure to produce licenses for all commercial or shareware software will constitute prima facie evidence of illegal possession, with penalties that could range from the confiscation of the machine to the firing of the user;
  
• and this includes computers *personally* owned by faculty

I'll hit the second one first. If the personally-owned computers are on the network, they're close, maybe, to being able to audit those. Maybe. But that's really grey. I know I, for one, wouldn't let them on, and if they came into my office and said "let me look on that machine," I'd simply disconnect it and say "no."

For the first one, though, I have a much bigger problem. Can anyone cite any other [industry / realm / product space] where one is required to retain all receipts in order to prove ownership? I don't need a receipt to show that I own the shirt I'm wearing. If someone wants to accuse me of stealing it, show some evidence. I don't need a receipt to verify that I own the couch in my living room -- if someone thinks I stole it from my neighbor, fine, prove it. So, why on earth do I need a receipt for software?

I can understand the technical complications that are entailed here -- like when you've got 1 CD for 100 machines. But the legal issues are what I'm more curious about. In no other situation am I, essentially, guilty until proven innocent.

Does anyone know if anyone's fought the software industry on those terms? You can't prove I stole it, so go away. Seems like it should work, but then again, maybe I'm being idealistic.

(Okay, I thought of two examples -- cars and real estate. But those are tracked for me by the government, and if I lose a copy of my title they can send me a new one, for a modest fee.)

I wonder...

[cnkeller]

If anyone has told the BSA to f**k off? Had them come back with Federal Marshalls/FBI, then politely let them inside, offered tea and cookies, showed all appropriate licenses, then bill the BSA for wasting the companies time in a fruitless search and wasting tax payer dollars for the marshalls....

Personally, I enclosed a RedHat sticker in their mailing and told them where to stick it....

Yet another reason to use Open Source Software

[RailGunner]

.. because it keeps predators like this out of your life. The BSA is nothing more then a modern day mafia - pay them protection money, and they won't tell on you for having an unlicensed copy of an application. It's a total racket, and we ought to get a class action suit against them for extortion.

As far as whether or not they can do this, if anyone (person or organization) who wants to audit you like this is not an official department of a Government Law Enforcement Agency, whether it's federal, state, or city, then tell them to fuck off. Otherwise, you are guaranteed due process and they will need to obtain a search warrant.

Privately owned PC's would be a separate search warrant - as they are not owned by the University they the University is not liable for it's contents.

Too bad the powers that be at the University won't do this. But what they should do is just install the Open Source, Free OS of their choice and tell the BSA jackals to burn in hell.

And to any member of the BSA who might be reading this: I run Red Hat Linux 7.1 at home. Go away. Kapisch?

my vision of talking with the BSA

[Evil Willow]

BSA: We need to see licenses for all your software.
Me: This is an open source shop, but if you tell me which open source license you would like to see...
BSA: We at least need you to run this auditing software.
Me: Hmmm, seems kinda pointless, but what the hell. Do you have a Linux version?
BSA: No. You will have to remove your Linux OS and install an MS based OS that we do support.
Me: You want me to do what?!? Get the !&@$#%*@$%^& outta my sight!

Re:my vision of talking with the BSA

[Tackhead]

> BSA: We need to see licenses for all your software.
> Me: This is an open source shop, but if you tell me which open source license you would like to see...
> BSA: We at least need you to run this auditing software.
> Me: Hmmm, seems kinda pointless, but what the hell. Do you have a Linux version?
> BSA: No. You will have to remove your Linux OS and install an MS based OS that we do support.
> Me: You want me to do what?!? Get the !&@$#%*@$%^& outta my sight!

You left out a part...

BSA: "Step away from the computer. We're installing our auditing tool. Huh? Linucks? What's this gear doing where the Start menu should be?" (power-cycles machine)

You: "Hey, what are you doing with that DOS boot floppy?"

BSA: FDISK... FORMAT C: /S...

~ two hours later ~

BSA: Finally, I've installed Windows ME. Now I can install and run the audit tool.

You: YOU BASTARD! YOU JUST REFORMATTED MY DEVELOPMENT WORKSTATION WITH TWO WEEKS OF MY WORK ON IT!

BSA: Relax, Mr. Willow, your audit was pretty clean. Everything seems to be in order on your network, except you have one unlicensed copy of Windows ME. Please pay $10,000 in fines or face one criminal charge of copyright infringement.

Re:my vision of talking with the BSA

[Lxy]

BSA: We need to see licenses for all your software.
Me: This is an open source shop, but if you tell me which open source license you would like to see...
BSA: We at least need you to run this auditing software.
Me: Hmmm, seems kinda pointless, but what the hell. Do you have a Linux version?
BSA: No. You will have to remove your Linux OS and install an MS based OS that we do support.

To continue:

Me: Ok, fine. (Installs Windoze on a machine not currently being used)
BSA: Where did you get that copy of Windows?
Me: It came with the PC. See the sticker?
BSA: You mean you have a licensed PC but are not running Windows on it?
Me: Yes. We don't run Windows here. We're a linux shop.
BSA: According to MS's license policy, the license must remain installed on that PC.
Me: Ummm..... what?
BSA: And as for the rest of these PCs..
Me: I'm calling the cops.
BSA: We're giving you a grace period to reinstall Windows on all of them to meet compliance requirements. You have 5 days.
Me: But.. But...
BSA: Good Day.

bloody good marketing campaign by the BSA.

[il_diablo]

[the obligitory IANAL here]

we did some research here at our company. my CEO and i were discussing it (i'm the CTO), and he told me he had done some leg work on the subject when the BSA first started their "scare tactic" TV/radio campaign.

the BSA is a software reseller. they have NO LEGAL AUTHORITY. they are not the "Software Police". they can't come to you and demand anything. you have to (stupidly, actually) ask them to come and perform an audit. then, when they find non-compliance, they offer to sell the company the licenses at a "special price".

they're vampiric...if you don't invite them in, they have no power.

of course, now that the ball has started rolling, they can probably bring some legal action. i'm not sure what legal recourse the SPA has (for example). subpoenas/warrants/etc, possibly. i imagine that there is a goverment agency to which they can appeal for such. and the BSA only has to pick up the batphone to them to start the ball rolling.

i know that doesn't help now, since they've already gotten a foot in the door. but it may help others.

Countersue

[Anonymous Coward]

Tortuous interference with prospective economic advantage is a crime. They have no real basis for assuming anyone has committed a criminal act and no intrinsic authority to prosecute. Contact your local prosecutor immediately and explain the situation - that your institute is in good faith compliance with copyright law, that these people are attempting to extort from you significant financial gain and that while it is your institute's expectation and intent to comply with copyright law, these people have no right to subject you to the cost burden, nor any right to access to your systems. Get the law on your side now, because if you refuse they will attempt to get a warrant with the federal marshals. Refusing access to a borderline RICO organization is not a crime. Also get some sympathetic local press coverage immediately.

Information at
http://slashdot.org/article.pl?sid=02/01/15/07 3257 &mode=thread&tid=10.5

Be proactive. Fight back. A good tactic might be to develop an open source policy predicated on the cost of compliance with commercial software licenses being too high since even the companies don't understand their EULAs it's just impossible to do so and therefore the university will outlaw commercial software on their network.

The BSA is funded by MS, adobe, etc. If the BSA generates net positive income, they will continue storm trooping around. If it becomes a liability to have one's names associated with the organization, the underwriters will pull their support. This is a political as well as legal battle and if you don't fight, you'll be screwed, as will the next organization.

extortion

[ikeleib]

There's a name for this and it's called extortion. Here's how it works. I am the extorter and you are the extortee. I come up to you and say, "A little birdie told me that you are/have performed xxx criminal act. If you don't pay me off, I'll tattle on you." Note: Even if even you do pay me, you still have committed a criminal offense. Paying the extorter cannot change that. If they have legitimate knowledge that you are committing a criminal offense, taking hush money is a crime.

The BSA uses the same tactics. They allege that if you don't comply, you'll be busted. However, they're not acting on behalf of the government. In fact, with only the evidence of "I got an anonymous tip," they shouldn't be able to get a Judge to sign off on a search warrant. After all, for them to get a search warrent, the cops need to have probable cause. I don't see how a third party, who has an anonymous tip from some other third party is probable (it's heresay). Without a search warrant, there's no phyiscal evidence of criminal conduct.

In short, consult your legal professional. Don't forget that you can sue them, too.

BSA: All Bark and No Bite BSA: All Bark and No Bit

[osOpinion.com]

I actually tried to send the BSA after my old employer screwed me over.

Despite the radio and television commercials suggesting that he'd get fined up the ying yang, nothing happened. I have since concluded that the BSA is all bark and no bite. Here is my story [osopinion.com].

Chump Change? No wonder the BSA ignored you.

[nlindstrom]

An awful lot of people are either complaining about how the BSA ignored their past employers for violations, or how the BSA went after them for "lots of money." Bah. Wait until you hear my story.

I work as a Sr. UNIX Administrator for a very large (Fortune 100) company that shall remain nameless for all the obvious reasons. I plan to leave soon, just as quickly as I settle upon a new opportunity in this less-than optimal job market.

Microsoft is currently auditing us. Granted, that is not what Microsoft or we are calling it; rather, Microsoft is "helping us to determine our licensing needs" but that is just a sugary title for what is really going on.

What is really going on is this: this company has long made an unofficial policy of pirating software. Factual, verified (by me) examples include:

* A single MSDN subscription CD of Office 2000 being installed on virtually every PC in a particular department (over one hundred machines)
* Remote sites throughout the United States being sent CD-R copies of software such as Microsoft Project and being told that it is OK to deploy it on all their PCs
* Numerous Windows Terminal Servers being setup for use by Sun workstation clients, each running Office, Project, and Visio - with at best only a handful (read: less than five) of licenses apiece, with no CALs at all - and definitely not enough licenses to cover the 300+ workstations that use them
* Mass upgrades of PCs from Windows 9x to Windows 2000, with nary a license in sight
* Another department, supposedly responsible for license compliance documentation, cannot now seem to lay their hands on any more than a third of the licenses that supposedly exist - thus leading to a deficit of more than 2,000 unlicensed copies of Office, Project, Visio, and Acrobat.

In my department alone, which is one of the smaller ones at this company, I estimated that we are looking at an easy $400,000 to "true up." Nevertheless, the departments are busy engaged in a finger-pointing battle, each blaming responsibility for license compliance on someone else. Upper management has completely ignored the issue, and as the deadline of July 31 draws ever closer, it is becoming rapidly apparent that this debacle may prove of truly colossal proportions.

Well, one option is to uninstall everything

[Illserve]

Just nuke your machines across the board, backing up the important data, and reinstall everything after they leave. Tell them you use MSDOS Edit to write your papers in LATEX by hand. This process, while a huge hassle, is probably less hassle than the BSA will give you, and when you're done, you'll have cleared out hundreds of gigs of useless crap, reinitialized your Windows registries and effective defragmented everything in one fell swoop. Also a good time to do some software upgrades.

I know this idea is unfeasible, but I'd love to see the look on their faces when a dual processor 1.5 ghz machine boots to a dos prompt.

Re:Well, one option is to uninstall everything

[ivan256]

FreeDos [freedos.org]

Not BSA necessarily, but like it..

[salsashrk]

When I worked as a SysAdmin for our local University, we received a letter from Microsoft that basically amounted to the same thing. "We're coming, we're auditing, be ready"

Now, we were mostly in compliance as far as we knew due to our large per-seat volume licensing through dynamic pooling, but we were pretty sure that we'd come up short in the end. Given that we weren't running any auditing software on the PCs it was difficult to impossible to know what was on every machine. So we called Microsoft and told them we needed time. They agreed to grant us two months, but then went on to specify exactly what software we were to use to perform the audting. We replied that we were going to choose our own that was less expensive, but were told that we must use this particular software, because they knew it to be honest and compatible with Access. (Like that should make a shit bit of difference) In the end we just bent over and took it rather than deal with the auditors showing up, and purchased this lame auditing software. It had to be deployed manually from machine to machine. Almost 2000 computers later, we had our audit. We wound up ponying up some pretty serious bucks for our machines. It slaughtered our entire budget for the next three quarters.

Point is: Microsoft probably didn't have the right to just announce that they were coming, but we knew that, as a public institution, we couldn't afford the battle to fight.

No one ever totaled up how much money we lost on that piece-of-shit software and in man-hours for manual deployment, but if you add it to the big fat check we wrote in the end to keep Microsoft off our campus, it was a hell of a lot of wasted grant money intended for student use.

You can pontificate for days on replacing Windows with *nix, or killing Office for StarOffice. God knows I went to the shared governance committee more than once trying to get them to see the light. In the end, however, everyone winds up signing a fat-check.
Cynical perhaps, but a truism all the same

Have you signed a bulk-license contract?

[Malor]

Caveat: IANAL.

As far as I know, they have no grounds to force you to do ANYTHING unless you have signed a bulk-license or site-license agreement. Those agreements generally give you access to the software for a lot less money, but in return you give up all protection against 'unreasonable search' -- part of the agreement you sign allows them to inspect your systems to make sure you are in compliance.

If you bought your software through normal distribution channels, chances are very good you can tell them to pike off. As far as I know, a click-wrap license DOES NOT allow a search, because they can't know whether you agreed to the license without searching you first. It's only when you signed another agreement, which they have on file, that they have you over a barrel.

I will add my voice to the many others here telling you to get the lawyers involved. The BSA plays serious hardball. These people survive and can continue to exist only by extracting large sums of cash from your organization, and will use any tactic required.

They are not your friends. They are active enemies and you should treat them as such.

Have proof of internal auditing

[Teun]

By being able to prove you have a reasonable policy towards assuring licensed software on the machines you have authority over and responsibility for you have a better chance to keep them (the BSA) at a distance.

A company or organisation that cannot show any proof of such policy beforehand is more likely to get the goons in.

A search warrant of some sort is always required and the authority issuing it will be far more prudent when you have such a policy in place and are able to show you enact it.

We were audited (Community College)

[JimmytheGeek]

Fortunately we completed a massive compliance effort shortly before we received the notice.

The deal was, "cooperate or face draconian penalties", with a tie-in to a vendor selling auditing software. We install the auditing app, use it in demo mode or something to comply with the auditing demand, and then possibly purchase the auditing software to use from then on. It wasn't clear whether any settlement would be based on an agreement to purchase the app.

My first reaction was, "Not on my net!" We had auditing software already, which put us in a great position. They didn't provide an online list of executables to search for, so we collected info on every executable we had. They had a list of something like 20,000 apps, much of it from the tiniest, least significant software vendors around. If we were playing hardball, we could have submitted an undigested count - something like 70,000 unique executables on just under 1000 machines. "Here's everything we have - let us know if there's a problem." But instead we played nice. We sent them a report on audited and identified applications, a report on identified .exe's excluded from the count (usually part of an audited app or known installation detritus), and a fairly large list of unidentified stuff. That, plus the licensing info.

It was full and cooperative disclosure, without installing an alien app we had no control over. I think cooperating was important- I don't think we had escalation dominance in this situation. They could push it farther than we could, to a place we didn't want to go.

My recommendation? For those not in the situation already, pretend you are! Then if you are audited, you send them the report you've already done if you are chicken, or tell them to fuck off *knowing* you are in compliance. If you don't do the audit, you don't *know*, and you may find that someone slipped up and included an app that went out to too many machines. It wouldn't take many rogue installs to give them the ability to hose you.

Incidentally, they apparently can get marshalls to show up with them. Marshalls probably can't crack passwords though. And the BSA can't fire you, but they can include your firing as part of a settlement agreed to by the people who can fire you.

Search warrants and subpoenas

[Get Behind the Mule]

IANAL, and so on and so forth, blah blah blah. And yet I'm going to render opinions about the law anyaway. %^)

A lot of posters have mentioned search warrants so far, but unless I am sorely mistaken, neither the BSA nor any other private party can ever be issued a search warrant. A search warrant can only be granted to law enforcement agencies in criminal cases; and I think that if the BSA has anything on you at all, it's a civil suit.

(Police can search without a warrant if they have "probable cause", which is evidence of a certain kind that you have or are going to commit a crime right then and there, say within the next thirty seconds. Again, I don't think this applies here.)

A private party does get the power to subpoena during the discovery phase of a civil suit, and then both parties do have rather broad powers to demand evidence from each other. But for that, they have to sue you first, and there a lot of procedures to go through before you get there.

For certain kinds of civil suits, such as for copyright violations, a plaintiff can request a judge in secret for powers to search the defendant (there's a Latin name for that, but I can't remember it). This is the case when there is a risk that the defendant can destroy evidence before discovery can begin, like destroying the illegally copied material. The Church of $cientology did this once to one of its Internet critics.

I suppose the BSA may have grounds such a request, but it's a pretty outrageous mechanism, the kind of thing only $cientologists would do, and you ought to raise an enormous public stink if they try. God help us all if the BSA is granted that kind of power.

this article was bait

[rnd()]

This article could very well have been bait submitted by someone who wants to equate the Slashdot and Open Source community with condoning software piracy.

Of course, in reality this is about privacy, but most people don't realize that.

No business in law enforcement.

[interstellar_donkey]

I go to great pains to make sure all the software on all of my companies computer is legal, and paid for. And, if a law enforcement agency had somehow gotten a suspicious that we were breaking the law, I would have no problem cooporating with them.

But the BSA is not law enforcement. It bugs the heck out of me that they can do what they do. If they sent us a letter, the first thing I'd do is write up a proposal with an estimate of hours billing rate for them to sign before we would do business with them, another private business.

Granted, we are not a big company, they would probably ignore my proposal, and we don't have the money or the resources to fight them in court, so chances are I'd end up having to comply. But it really chaps my hide that a private orginization, with no real authority, can go around enforcing the law.

What somebody really should do is start an orginzation called 'Citizens for a drug free workplace', contact the BSA, and say that there is quite a bit of suspicion that BSA executives are in possession of, and regular uses of crack. You have one month to get off the crack, because then we're going into your offices, disrupting your business, and piss testing every one of your employees. While we have no legal right to do this, we're going to do it anyways or you're going down.

Go on the offensive

[mikosullivan]

IANAL. Yada yada yada.

The way to deal with bullies is to go on the offensive. Sue back. Perhaps the most promising avenue in that direction would be to sue the BSA consituents for distributing software they know is insecure, yet laid claims to it being secure. There's a hundred years of rulings on health claims for food and other consumables that show that you're not allowed to claim something is healthful, even if you later state in fine print that it isn't. Those should make some good precedents. Be sure to quote the security specialist from Microsoft who quit recently and publicly sounded off that he couldn't understand why Microsoft still has buffer-overflow vulnerabilities. You might be able to use the precedent from some of the automotive cases in which manufacturers were proved to have released faulty products. If it can be shown that Microsoft knowingly releases a faulty product, you could turn the tables. Another point to bring up could be that Windows allows pretty much anybody with a floppy disk to install software. To me, that's faulty. Drum it into the head of everyone who will listen that insecure software opened you to unauthorized software installations.

Next, claim that the insecure software violates the DMCA by assisting in the distribution of copyrighted material... I'm sure you can find one installation of Back Orifice on your campus to back up your claim. Sound ridiculous? It's not as ridiculous as having to submit to warrantless search.

Be sure not to go on the offensive against law enforcement... on the contrary, get law enforcement angry at the BSA for wasting their time hurting the sweet little local colleges. Make sure everyone is clear that the agents could have been out fighting drug dealers. That sort of tactic worked for the tobacco lobby who convinced the California legislature that it was a waste of taxpayer money to run anti-smoking ads when the money could be put towards birth-defect research. There's always something more worthy out there.

Lobby your congresspeople. If applicable, mention that the people who would profit from the search are from out of state. Remember, pork runs congress, and it's not pork if it gets diverted out of your congressperson's district. You may win this through lobbying.

They're not being nice to you, don't be nice to them.

Solution

[dh003i]

(1) Tell the BSA to fuck off. You're a university, and likely have professors of law teaching there. Thus, no need to pay expensive legal fees, just ask your professors. They might not be able to win the case, but they sure can stall and drag it on at minimal cost to you while you take other measures.

(2) Archive all raw data.

(3) Wipe all of your machines -- that is, write over all data with zero's. To be safe, wipe the hard-drives a few times.

(4) Install GNU/Linux or *BSD on all of your systems, using all Office/spreadsheet/etc equivalents.

The Internet is a community right?

[sup4hleet]

And it seems like some members of the community are not playing nice, so why not kick them out of your yard? The BSA's IP range is: 204.180.189.0/24 (props to arin.net whois), if enough of us routed that to the bit bucket it would make it more difficult for them to do their jobs, hopefully reducing their profit and their supporter's interest in them. Ev1l Gr1n %^>

I can't believe how evil the Boy Scouts are!

[Self-Important]

Darned BSA! Always camping and hiking and...trying to enforce manopolistic, cartel-like business practices! Shame!

Duh, sorry, our mistake...

[Steve Franklin]

"I'm a faculty member at a public university which the Business Software Alliance contacted in a bulk mailing last Fall. Stupidly, our IT department invited them in to 'explain' licensing to us, and now we are trying to fend off an audit on our computers (public and private)."

Tell them the guy who invited them in wasn't authorized to do so. They'll just have to resubmit their request. "Please send it in triplicate and don't forget to include return postage. Also, please include a detailed description of what this so-called 'explanation' involves, and while you're at it, a description of previously achieved benefits of this kind of 'explanation' would be appreciated. We can't waste our time watching another silly dog and pony show."

Briefly, you need to take back control of your gameboard and, for god's sake, man, stop acting like a kid who has been caught with his hand in the cookie jar. They're trying to sucker you. They seem to think that you're a bunch of ivory tower intellectuals (possibly true) who don't have enough real world experience to realize it. From what I can tell from the incomplete description of the original mailing, it was deceptive at least and a bold-faced lie at most. These characters know this. They are banking on what all school-yard bullies bank on--you don't have the balls to call them. Beyond this, do not talk to them. They do not have your interests nor the interests of any other educational institution at heart. They are a bunch of greedy bastards with the morals of a mafia don. Treat them as such.

If they want to make jackasses of themselves, let them sue a public educational institution. These are the same guys who give away free computers to school kids to make themselves look good. Maybe they *are* that stupid. I doubt it.

courts

[schporto]

Use their annonymous tip line. Report that your local courthouse is using illegal software. But just give the address and claim the violations are in the hundreds. Esp if you call from right outside the courthouse. Somehow I think it'd be amusing. "Your honor that computer you're using is illegal." Wham. "Contempt. Go to jail." Sorry daydreaming now.

Fight Back

[gnovos]

You are auniversity, right? You MUST have some IP of your own, right? Well, go the the exact same judge that the BSA goes to and present the exact same legal work tha they do and "audit" the BSA offices for illigal copies of your code.

Copyright Awareness Week

[mlc]

See the CAW logo license [67.96.34.143] and then my homepage [mlcastle.net].

Re:EULAs

[campbedj]

The BSA holds Power of Attorney to act for the manufacturers in these matters. So, if you have software from a BSA member then the BSA asking to see the license IS like the manufacturer asking for the license.

Re:EULAs

[Arandir]

If licenses are really contracts (like everyone from RMS to Bill Gates say they are), then why do they need to see them? It would be like your landlord demanding to see your rental agreement, or your insurance agent going all nasty on you and demanding to see your insurance policy.

If it's a legally valid contract, then the manufacturer will already have a copy of the license and already possess proof of your assent. It seems to me that if they even have to ask to see the license, then it can't be contract.

p.s. Can you be in breach of contract for not agreeing to the contract?

Re:EULAs

[Kwil]

Interesting idea for a EULA case..

Ask the IP holder to produce the EULA that you specifically agreed to. Request proof that it was you/your institution that accepted the EULA, and not the OEM, shipper, independant IT person who installed the software, etc..

Not only can they not prove who exactly accepted the EULA, they can't even prove the EULA was presented in the first place.

"No your honour. Nothing that said click to proceed came up on my screen. Could be a bug in this copy of their software I guess, I dunno, I didn't make it."

Re:BSA's feedback phone number

[great_flaming_foo]

You know they have to have caller ID on that line and are most likely takeing notes on who to audit next.

Ain't anonymous

[A nonymous Coward]

As the others have implied or said -- 800 numbers are NOT anonymous. They pay for the telephone, they get to know who called, it's called ANI I think, and it has nothing to do with caller id, so don't try waste time wuth *67 to block it. Use a payphone far from your home or work, or a competitor's phone.

Re:Ain't anonymous

[Sabalon]

Okay...lets see the BSA converge on the pay phone outside of the wal-mart. :)

Google search says...

[Anonymous Coward]

that the phone # is owned by davidriddle.com - go to the site, and u'll see the same 800 # listed on the side menu.

Apparently that Anonymous Coward is trying to get us to harass the poor fellow. The local number is also David Riddle's home phone #. Mod that sucker down to flamebait. Better yet, someone (u listening CmdrTaco?) should get the BSA on that troll's ass.

Re:BSA's feedback phone number

[kruczkowski]

And the guy next to you answers the phone...

Re:City of Virginia Beach

[SocialWorm]

According to this article [theregister.co.uk] at The Register, M$ ordered the audit, not the B$A. Am I missing something?

Re:City of Virginia Beach

[sylvester]

hermph. This brings up an interesting point. When people do comparisons of the TCO of windows vs. Linux, they really oughta include the cost of an audit. And maybe a little function based on P the probability of you having unlicenced software installed and C the cost of being caught with that. Seems to me that from the sounds of it, the TCO for MS (and all BSA companies) will be hands-down higher than that of Free alternatives.

Someone should take a TCO analysis from someone in the BSA (probably MS), add an estimate of audit cost, and then compare to the same company's TCO analysis for Linux/Unix systems.

Re:You will never escape the BSA ...

[pitcrew]

In talking to a judge friend of mine you have several choices: 1. Tell the BSA to go to hell and hope they don't have probable cause to get a search warrant. If they get one they will come back with the police and then you will have a criminal problem - this is not a likely scenario for a public institution. 2. Let the BSA in and try to deal with them as best possible - however I would have my attorney do the talking to them - most attorneys don't scare too easily. 3.Tell the BSA that you are busy and to come back in a couple of weeks. In that couple of weeks clean up your act and let them in. Personally I would tell them to go to hell and make them come back with the cops. Why? So they have to fight to get into every business. If they have to do this it will eventually stop them as it will become financially impossible for them to continue. As a public institution you have a different problem than private businesses. You have a public relations problem. I'm sure that this is what the powers that be in the university are thinking about. My problem is that the BSA thinks that they are a peace agency (police agency) and they aren't. As far as I am concerned the best solution is to not deal with the software companies that support the BSA!

My personal encounter with Autodesk & M$

[Taco Cowboy]

This is my personal encounter - YMMV !

I attended a "seminar" hosted by Autodesk and M$ several years ago. At the entrance, the pretty girls were asking us to fill in info sheets, you know, like names, address, company you work for, et cetera, et cetera.

Since Autodesk and M$ were so kind to provide us with Orange Juice (Morn time, you know), I filled in the blanks.

Never would I thought that what I filled in ended up in BSA's file, and from then onwards - 6 years already - I and the company I work for, received THREATENING LETTERS, telling us that WE BETTER COUGH UP MONEY TO BUY GENUINE SOFTWARES or they will haul our butts in slammer.

Funny thing is, the Autodesk and M$ software we used (yes, USED, PAST TENSE !) were OFFICIALLY GENUINE, NON-PIRATED COPIES !

I got into troubles with my boss, since I was the one who filled in the blanks.

No matter how we tried to tell BSA that ALL OUR SOFTWARES ARE GENUINE, the threatening letters keep coming.

It got so bad that my boss decided to scrap M$ and all Autodesk softwares, and now we run Unix and NON-Autodesk softwares.

Yes, it actually cost us MORE to change our system, but at least, BSA, with Autodesk and M$, have NO MORE CLAIM ON US.

And the threatening letters still keep coming...

Talk about insanity.

And what happened above happened OUTSIDE of the good ol' U. S. of A.

Don't think you guys in the States suffer alone.

Re:My personal encounter with Autodesk & M$

[fishbowl]

>No matter how we tried to tell BSA that ALL OUR
>SOFTWARES ARE GENUINE, the threatening letters
>keep coming.

File a TRO to stop the threatening letters.

The threats will continue, then you nail them for
violating the restraining order.

Re:Scared of audits?

[MeNeXT]

The issue is not about enforcement but about the tactics used. How can they demand to search for infringements? They should know on which systems these infringements exist. Imagine someone comming up to you on the street and asking you where you bought your pants and to prove it or else you will sued...

Re:single vendor?

[dstone]

if you are sure you are not using lots of pirated software... then you'll be fine... just give them the info you have...

Whoa! Isn't that like submitting to being searched by John Doe at the side of the road just because you're certain you have nothing to hide from him? Please, please, please heed every else's advice here and stock up on some copyright/software/IT lawyers. Repeat after me, "the BSA is a private interest group", "the BSA is not an elected or state-imposed authority", etc...

Re:well within their rights

[Kamel Jockey]

if you don'thave any illegal or pirated software, what have you to hide?

This kind of thinking is precisely what the BSA is looking for. If you are stopped by a cop and you consent to a search of your vehicle, then anything illegal that the cop finds can be used against you, because you consented to the search. For example, say you go out of state and purchase a bottle of liquor and you put it in your trunk (out of plain view), on your way back, you get pulled over for speeding in your home state. The cop asks you to search the car, you say yes, and BAM! In addition to a speeding ticket, you are also busted for illegally importing alcoholic beverages (in many states, this is a crime). Yes, you may not have had any idea this is illegal, but you are nonetheless responsible for it because you consented to the search. Unless the cop has actual probable cause to believe you have comitted a crime (e.g., your car/license plates match the description of a vehicle used to commit a crime), they cannot forcibly search your vehicle.

Given this context, and how the BSA is strictly out to get you (whereas the cops are not), they most likely have ways of finding "illegal" things (that you did not know were illegal) and nailing you for them. The only way to prevent this is to not cooperate with them. Bring in the lawyers and make the BSA prove its case against you.

Re:well within their rights

[swordgeek]

OK, mostly true. Here's something to consider, though.

You're a university. You have 30,000 undergrad students, faculty, staff, grad students, post-docs, etc., etc., etc.. There is, on average, one PC for every three people (just to pull a number out of a hat--it's probably more) on campus, and most of the individuals with their own machines (or even without!) have the ability to install software locally.

Are you going to guarantee me that every single copy of every single commercial software package on every one of those 10-15 THOUSAND computers is properly licensed? If a machine with Office95 has a hard drive blow up, are you sure that Office98 didn't get installed? Are you willing to gamble a few hundred thousand dollars on it, and incur an invasive three-month search to win that gamble?

While proper licensing for software is unquestionably a legal (and moral) necessity, it doesn't excuse the BSA's behaviour. They're thugs, plain and simple.

Re:One helpful suggestion

[Skevin]

When you say personal machines, do you mean machines that are actually owned by the primary user?
Makes me think of the following war story: I worked at a company that hired a few consultants who brought their own machines in. On the day of a BSA audit, one of the contractors left his laptop unattended for a couple of hours, during which one of the auditors started going through it. The auditor was still on when the consultant came back, and needless to say, he wasn't pleased.

Consultant: Get off my notebook.
Auditor: I see you have X, Y, and Z. Do you have licenses for these packages?
[note: we hired consultants who have software that we don't - they should be responsible for their own machines]
Consultant: I know who you bastards are, and I don't have to answer to you. Nobody touches my notebook but me. Get out of my cubicle.
Auditor: Sir, you are interfering with an official BSA audit. Please be patient while I finish installing this monitoring software...
[Other auditors and employees start homing in on the disturbance.]
Consultant: I won't warn you again.
[Moment of silence, then...]
[Cursing, sounds of something tearing, loud scuffle, followed by a dull *thud*.]

At this point, I tried to see what had happened, but the crowd outside his cubicle was too tight for me to get a good view. Moments later, the consultant emerged from the crowd, into the open arms of security guards, but with a strange look of triumph on his face and notebook computer clutched under his arm. A dented metal curtain rod followed shortly after (now in my possession, which I affectionately call my "BSA Stick").
I never saw the consultant again.