BSA Audits

“Software piracy” is a favorite catch-phrase used by the Business Software Alliance (BSA) and the software companies it represents. Most people understand software piracy to involve the intentional copying and, in many cases, distribution of copyrighted software to third parties without permission of the copyright owner. Understandably, the term has extremely negative connotations, and most businesses will go to great lengths to avoid behavior that could reasonably be branded as “piracy.”

Unfortunately, the BSA’s definition of software piracy is considerably more broad than the common understanding and may be confusing to companies audited by the BSA who have never knowingly copied unlicensed software. During a BSA-initiated software audit, the BSA requires the businesses it targets to provide dated proofs of purchase for each software product installed on their computers. There are specific types of documentation the BSA accepts, and it usually rejects purchases from E-bay, Amazon, or similar Internet-based re-sellers. Therefore, if a company unknowingly purchases software from an unauthorized retailer or simply is unable to find receipts for products it purchased, the BSA will penalize the company as though it intentionally violated copyright law and “pirated” the software.

Worse, typically after an audit the BSA will enter into settlement agreements with the companies it accuses of copyright infringement. Unless a provision for confidentiality is included in a settlement agreement (usually only in return for a significant additional amount to be paid at settlement), there is nothing to prevent the BSA from publishing a press release identifying the targeted company, the software products involved, and the settlement amount, and otherwise making express or implied statements that the company is guilty of “software piracy.”

As a general rule, companies should keep all receipts from software purchases indefinitely, and they should purchase software only from authorized dealers. Additionally, recipients of letters from the BSA should seek experienced legal counsel to assist with the audit and to help negotiate a resolution that may prevent the unnecessarily negative publicity that can result from the BSA’s overzealous application of the “pirate” label.

The Business Software Alliance (BSA) regularly targets small-to-medium sized businesses for expensive software audits to determine whether those businesses are in compliance with their BSA-member software licenses. In furtherance of that effort, the BSA offers cash rewards to disgruntled current or former employees who provide information about allegedly unlicensed software installed on their employers’ computers.

However, in many cases, businesses targeted by the BSA discover that there appear to be significant discrepancies between the information apparently provided by the BSA’s confidential informants and the actual license-compliance status of those businesses. Many businesses suspect that the cause of the discrepancy is the informants’ desire to profit from the BSA’s reward program. Regardless of the cause, however, when the audit materials submitted in an audit matter do not conform to the information supplied by the confidential informant, the BSA typically disputes the results. The business then ends up incurring additional legal fees in an effort to authenticate those results and move the matter forward to a resolution.

Worse, though, even when the BSA discovers that its informant may have provided false information, it typically will not stop pursuing the copyright infringement claims. The BSA’s loose definition of “unlicensed” software covers any software with no proof of purchase. Therefore, even though business records are only required to be kept for seven years for tax purposes, because the BSA requires dated proof of purchase in order to credit a business with license ownership, it effectively expects its business targets to keep their invoices for software license purchases forever. The BSA thus justifies its continued pursuit of businesses, even in the face of an apparently unreliable informant, based less on principles of copyright law than on potentially inadequate accounting practices.

There is usually little recourse against the BSA or the informant for initiating legal action based on false information. In some cases, a company may consider suing the informant on a breach of contract or breach of confidentiality claim, depending on the existence of any prior agreements with the informant, but the expense of such an action would be prohibitive for most businesses. For these reasons and others, it is important for all companies, regardless of whether they are faced with a BSA audit, to be prepared to document their license ownership, to keep confidential all information relevant or potentially relevant to an audit, and to seek the assistance of counsel.

Many companies choose to pursue an internal audit of software systems after receiving a request from the Business Software Alliance (BSA). When it comes to deciding how to proceed with an audit, there are multiple considerations, including, but not limited to, the size of the company, amount of computers, type of software at issue, IT support, and accuracy of a company’s records.

A small company with few computers is better suited than a larger corporation to conduct its own audit either manually or to take advantage of one of the many free software scan tools available on the internet. There are still risks of inaccuracy involved. One danger is that a company may submit information regarding a free download that may be mislabeled, and inaccurately reported to the BSA as unlicensed software.

This risk is amplified for larger companies with many computer systems and multiple users. If a large company seeks to conduct its own audit, the free scanning tools are still an acceptable choice, as manually checking each computer is both tedious and can lead to mistakes. An alternative is to seek a consultant who specializes in software infringement issues and who can assist with network inventory and sorting through software purchasing invoices and receipts. However, it is important to keep in mind that, unless that consultant is an attorney, he or she may have no duty of confidentiality to the company. Therefore, it is wise either to obtain a comprehensive confidentiality agreement from the consultant or to retain a knowledgeable attorney to assist with the inventory.

In addition to collecting an inventory of software installations, it is important to gather purchasing information to provide to the BSA. If receipts and invoices are not provided for all software installations reported, the BSA will assume the software is unlicensed and will increase its settlement demand. Regardless of the size of a company, if there are concerns about the ability to scan software, locate purchasing information or evaluate audit results, it is advisable to seek outside assistance with the process from an expert.

Many businesses targeted for software audits initiated by the Business Software Alliance (BSA) often make the decision as a result of the audit process to forego the expense and risk associated with using BSA-member software and instead transition to open-source software (OSS) solutions. While OSS may entail some challenges related to hardware and software compatibility, in many cases, those products do not entail any licensing fees, are subject to much less stringent licensing requirements, and may be upgraded at will to the latest versions without the purchase of any support subscriptions or product upgrades. As a result, they present a tempting and cost-effective alternative to other solutions, especially in light of the fact that expensive BSA settlements typically do not include the acquisition of any software licenses that a business may require in order to achieve compliance. However, through the International Intellectual Property Alliance (IIPA) – an IP trade organization of which the BSA and other content-oriented groups like the Motion Picture Association of America and Recording Industry Association of America are members – the BSA appears to be subscribing to the position that the use and endorsement of OSS is the equivalent of software “piracy.”

The IIPA’s position was reflected recently in comments it submitted to influence U.S. trade policy. Each year, the Office of the U.S. Trade Representative (USTR) conducts a review of foreign IP laws – called the Special 301 review – to identify those nations believed to have unacceptably lax copyright policies. Negative treatment in the review can lead to trade sanctions and is intended to exert pressure on foreign nations to adopt more stringent copyright policies. During the review process, the USTR accepts recommendations from interested parties regarding countries they believe should be added to the “blacklist” of poor copyright enforcers. In its 2010 recommendations to the USTR, the IIPA named among the countries to be “watched,” among others, Indonesia, Brazil and India, at least in part, it seems, for endorsing the use of OSS in governmental agency offices. This is in spite of the fact that some nations – Indonesia notable among them – adopted those recommendations in order to curb the use of unlicensed software.

A person could be forgiven for adopting a cynical assessment of the BSA’s motivations in the wake of such an apparent policy endorsement. Under the guise of protecting its members’ valuable copyright interests, the BSA has targeted hundreds of small-to-medium-sized businesses for software audits under the threat of federal court litigation and has labeled many of those businesses “pirates” upon failure to meet the BSA’s unnecessarily strict requirements for proving ownership of software licenses. However, the IIPA’s position with regard to OSS seems to indicate that copyright enforcement may be less of a concern to the BSA than is driving sales of its members’ products.

The BSA has not historically objected to businesses transitioning to OSS in the wake of software audits, but the IIPA’s recommendations to the USTA may be cause for concern. All businesses that have been contacted by the BSA for such audits should consult with counsel to work toward the most reasonable available resolution.

The full text of the IIPA’s recommendations is available here:

http://www.iipa.com/2010_SPEC301_TOC.htm

The Business Software Alliance (BSA) and the Software & Information Industry Association (SIIA) are organizations that represent software publishers seeking to enforce the copyrights in the products they publish. In furtherance of this goal, these entities routinely send letters to businesses they believe may be infringing their members’ copyrights by failing to satisfy the requirements of applicable software license agreements. In the letter, the BSA and SIIA request audits of all member software products installed on all computers and servers owned by the targeted businesses.

The audit process is lengthy and arduous and often is affected by costly mistakes. One of those mistakes involves the use of an inadequate tool to conduct the kind of audit called for by the auditing entity. There are many ways a business may tackle the audit process. It may hire a law firm that specializes in software audits to conduct the review, it may hire external IT consultants, or it may proceed with its own in-house software audit. The BSA often suggests a number of tools to assist with a self-audit, sometimes including Novell, Symantec, Frontrange Solutions, Belarc and Spiceworks. Many of those tools are available for little or no licensing fee, making them appear to be attractive alternatives.

However, if a company chooses to conduct a self-audit, it is essential to verify the results produced by the tool deployed prior to submitting any information to the BSA or SIIA. Often, software audit tools are not sophisticated enough to discern between free trial software or remnants from previous installations and full installations of licensable software products within the scope of the audit. Over-reporting can carry significant consequences, because each product mistakenly reported as a full version for which a business is unable to demonstrate license ownership typically entails a penalty at settlement based on the MSRP of that product. The BSA then typically applies a multiplier for each product included in its settlement offer calculations.

For these reasons, it is important when conducting an in-house software audit to carefully look for any mistakes in the audit results and to ensure that those results accurately reflect what was installed as of the effective date of the audit requested by the BSA or SIIA. If there is any doubt regarding the accuracy of those results, it is vital to seek the advice of a knowledgeable attorney or consultant prior to submitting any information to the auditing entity.