Questions regarding client access most often arise in relation to installations of certain server-based Microsoft products, such as SQL Server database software, Exchange Server messaging software, and the Windows Server operating system software. License agreements often (though not always) require that business purchase two types of licenses for these products: one license for the server product installation and client access licenses (CALs) for each user or networked device accessing that product. In other words, a Windows-based file server in a network with ten workstations accessing shared files on that server would require one product license for the server installation and ten device CALs to allow the workstations to connect to and access information on the server.
During audit investigations, the BSA usually requests that targeted businesses disclose the number of server product installations, the number of workstations or users accessing those installations, and the number of CALs purchased by the businesses (with proofs of purchase for all licenses claimed). However, that information is essentially inconsistent with the stated aim of most audit engagements, in that a client access instance is not a software product that can be copied - it is, rather, a mechanism that Microsoft uses to increase its revenue from server product licensing based on the nature of a particular product deployment. Unlike the unauthorized installation and use of a software product, which in most cases constitutes copyright infringement, access to a server product without a CAL can only serve as the basis for a claim of copyright infringement to the extent that the CAL rules constitute conditions on the product license or restrictions on the license scope. Were the matter to be litigated, that issue likely would turn into a fact question.
The Ninth Circuit has summarized the legal issue as follows:
Whether this is a copyright or a contract case turns on whether the [license provisions at issue] help define the scope of the license. Generally, a copyright owner who grants a nonexclusive license to use his copyrighted material waives his right to sue the licensee for copyright infringement and can sue only for breach of contract. If, however, a license is limited in scope and the licensee acts outside the scope, the licensor can bring an action for copyright infringement.
Sun Microsystems, Inc. v. Microsoft Corp., 188 F.3d 1115, 1121 (1999).
There is no doubt that the BSA and Microsoft would (and do) argue that the CAL provisions constitute a restriction on the scope of the server product license. However, those arguments likely would not be dispositive at trial, and a court would (or, at least, should) look to other factors, such as the facts that the Microsoft EULAs are essentially one-sided, non-negotiable contracts of adhesion and that the interests protected by the provisions are revenue-oriented, rather than intellectual property-oriented.
However, it is possible that none of those finer legal points will result in significant traction during a BSA investigation and that the BSA will refuse to provide a release at settlement (if necessary) for server product installations without client access information. At this stage, it is essential for a targeted business to carefully weigh the pros and cons of disclosing the CAL information. For larger environments, an absence of documentation for CALs could result in significantly higher exposure at settlement, possibly making a refusal to disclose client access information, even in the face of not receiving a release for the server products, a preferable option. This is an analysis in which the opinion of a knowledgeable and experienced attorney often will be exceptionally valuable.
In FM Industries, Inc. v. Citicorp Credit Services, Inc., the United States District Court for the Northern District of Illinois determined the existence and extent of infringement of a software program by a business whose license to use the program had expired. In the case, the business at issue claimed that it its use was non-infringing because it initially installed the software with the consent of the publisher. The court rejected this argument, holding that "a user reproduces a program stored in his computer's hard drive merely by launching that program, thereby causing the computer to copy it to Random Access Memory." The court also cited to a Ninth Circuit opinion in the case of MAI Systems Corp. v. Peak Computer, Inc., where the court there stated:
The district court's grant of summary judgment on MAI's claims of copyright infringement reflects its conclusion that a "copying" for purposes of copyright law occurs when a computer program is transferred from a permanent storage device to a computer's RAM. This conclusion is consistent with its finding, in granting the preliminary injunction, that: "the loading of copyrighted computer software from a storage medium (hard disk, floppy disk, or read only memory) into the memory of a central processing unit ("CPU") causes a copy to be made. In the absence of ownership of the copyright or express permission by license, such acts constitute copyright infringement." We find that this conclusion is supported by the record and by the law.
These opinions are at odds with the standard tactics employed by the BSA, the SIIA, Autodesk, and other software auditors. For example, when presented with information that a design firm has repurposed a CAD workstation to a reception desk or, in a perhaps more stark example, decommissioned the machine to a storage closet, the BSA would argue that any design or CAD software remaining on the machine's hard drive remains relevant for audit purposes, and they would use any such installations as factors in calculating a settlement demand. However, according to the FM Industries and MAI Systems opinions, this methodology is flawed. A correct damages model would not count as "copying" the mere presence of copyrighted software on a hard drive. The relevant inquiry is whether that software is being used by loading it into a computer's RAM.
When faced with a software audit demand from the BSA, the SIIA, or any other software publisher or industry representative, before disclosing any information regarding the software in use in your business' computer network, it is important to consult with counsel to determine what is and what may not be within the scope of the audit.
Generally, the BSA's settlement demands are premised on a lump-sum payment. However, many businesses often find themselves unable to pay expensive settlement fees. Therefore, negotiating extended settlement-payment terms can be an important way to make the settlement fee more affordable. Depending on the size of the settlement payment and financial situation of the company, settlement payments may be spread out over 3 to 6 months or even more, in some cases. However, extended terms often are available only if the business is able to demonstrate an inability to pay the full lump sum. That demonstration often requires the disclosure of balance sheets or profit & loss statements, which company officers may be hesitant to disclose.
The process to negotiate a settlement with the BSA - regardless of the inclusion of any special provisions pertaining to confidentiality or payment terms - can be complex. It is important to seek legal counsel who has experience negotiating with the BSA in order to secure the most palatable settlement.
Focus on Your Business - the only way to be successful in a software piracy audit is to continue to stay focused on running your business and taking care of your clients.
If you have been accused of software piracy please call Scott & Scott, LLP for a free consultation.
Self Audits
Self audits are the least disruptive of all software audits. They are a mechanism often employed by trade associations acting on behalf of software publishers. The trade associations, and in some instances, the publisher itself, requests that the target company conduct a self audit and report the results of the audit to the trade association or publisher. Companies that agree to conduct a self audit must inventory the applicable software on the computers within the scope of the audit and report the number of installations, the number of licenses, and the number of license deficiencies.
When evaluating whether you should cooperate or litigate after a request for a self audit, you should consider the benefits of a self audit compared to the other types of audits. For instance, in publisher and third-party audits, you usually have a contractual obligation to participate in the audit and provide information to the auditors. When conducting a self audit, you have some control over the timing of the audit and the allocation of resources. That flexibility is not always present in other types of audits.
Additionally, outside auditors are not always required to be impartial and may submit incomplete or inaccurate audit results. For these reasons, regardless of the type of audit requested by the software publisher, companies faced with an audit should request the opportunity to provide a self audit rather than an independent audit, a publisher-staffed audit, or (usually) a SAM engagement.
Independent Audits
An independent software audit involves the use of a third-party auditor to gather the facts relevant to the dispute. This audit method may be the most costly and time consuming option for the audit target.
Many software licenses incorporate audit provisions allowing the software publisher to request an independent audit. Such provisions must be carefully analyzed to determine the potential business impact of the audit and liability that may result from the audit.
In an independent audit, the organization has no input into the selection of the auditor, how long the audit will last, or the scope of the materials the auditors may review. The target company must also bear the costs of the audit if the auditor finds a licensing discrepancy of more than 5%. If the auditors conclude there is a discrepancy, the publisher has the contractual authority to unilaterally determine the license price for the software necessary to become compliant. Independent audits have significant business impacts and should be avoided if possible. Nonetheless, independent audits are preferred over SAM engagements and publisher-staffed audits because the auditor is usually ethically obligated to remain independent.
SAM Engagements
SAM engagements are also conducted by third-party auditors or consultants, but there is no obligation that the auditor in a SAM engagement be independent. The software publisher requests that the target allow a third party to audit its software installations and report the results directly to the publisher. In these engagements, the publisher pays the auditor, and the target is required to purchase licenses to cover any deficiencies in its software licenses. Microsoft's SAM engagement has been extensively used in lieu of traditional software audits with mixed reviews from the end user's perspective.
Participation in a properly managed SAM engagement may be in the client's best interest because such engagements typically provide some flexibility and a lower total cost of resolution than self audits and independent audits. In many instances, the publisher seeks no compensation for alleged past infringements in exchange for an agreement to come into compliance on a go-forward basis.
Publisher-Staffed Audits
Publisher-staffed audits are the most intrusive and least impartial of all software audits. In these audits, the publisher's employees collect information relevant to the dispute. In many instances, publishers request a company's confidential information or access to a company's network to conduct the audit. Although a publisher may arguably have a contractual right to request that it be allowed to examine its customers' computer network, it is never advisable to agree to a publisher-staffed audit without examining all of the alternatives first.
The first thing a target of a software audit needs to do is preserve the evidence of software products installed on the company's computers as of the audit effective date. Second, the software installed needs to be reconciled against proof of purchase information to determine whether there is gap between licenses owned and software installed. Third, a decision needs to be made regarding whether to purchase or uninstall any unlicensed software. The auditing entity is only concerned with those products installed as of the audit effective date, and accepts only proofs of purchase dated on or before that date.
I advise my clients that regardless of what was installed on the audit effective date, they only need to purchase software licenses for products that they need to use going forward. Although it will not resolve past liability, companies may choose to uninstall unlicensed products at the conclusion of the audit matter, rather than purchase unnecessary software simply because it was installed on the effective date. At the conclusion of a software audit matter, the target must certify that it has come into compliance through the combination of buying and\or uninstalling the products in question.
Construction against the Drafter
When dealing with ambiguities, it is important to determine whether the license in question contains a provision indicating that ambiguities will not be construed against the drafter. If there is no such provision, the general rule in most jurisdictions is that ambiguities in software license agreements will be construed against the drafter. If the contract is silent on construction against the drafter, it is important to review any choice of law provision and determine if the specific jurisdiction follows the general rule.
Parol Evidence
The Parol Evidence Rule, which is applicable in most states, provides that when a court determines that a contractual provision is ambiguous, the parties may introduce extrinsic evidence to prove that their interpretations of the contract are consistent with the parties' intent when entering into the contract.
In a software dispute, parol evidence will include testimony from both the software company and the end user regarding pre-contract discussions and negotiations as well as pre-contract writings including e-mails, faxes, purchase orders and draft license agreements. All of this evidence would be precluded in a contract dispute where there was no ambiguity in the contract. In such instances the court would be confined to what is called the "four corners" of the software license agreement when conducting its interpretation.
Software licenses often discuss technical matters, and are therefore frequently ambiguous. These ambiguities require the parties to develop and present extrinsic evidence in court. Typically, the evidence is developed through pre-trial discovery mechanisms such as requests for production of documents and depositions, which can be very expensive.
Triable Issues of Fact
Contract disputes, including those involving software licenses, are frequently resolved before the trial begins through motions for summary judgment. The interpretation of a non-ambiguous contract is decided as a matter of law by the court. In addition, because the parol evidence rule precludes the introduction of evidence in contravention of the plain meaning of an unambiguous contract, litigation costs are reduced because the extrinsic evidence regarding the parties' pre-contract intent is not considered by the court.
However, a third class of software copyright litigation - what might be labeled "competing works litigation" - typically requires substantially more effort from the parties and the tribunal than either of the above types of disputes. In these cases, the developer or owner of one program complains that a different product created or distributed by the defendant consists, in whole or in part, of the work in which the plaintiff holds the copyright. These cases on average involve significantly higher stakes than other software copyright disputes, in that they can threaten the defendant with elimination of an entire line of business or even, in some cases, with the cessation of business operations altogether. The legal analyses and factual development in such matters can approach the level of complexity usually associated with patent disputes, and, indeed, many of the considerations in such matters likely would be familiar to dedicated patent law practitioners.
It is not unusual for a company to discover during the audit process that its current or former employees installed software on company computers without authorization. Unfortunately, this oversight may lead to substantial financial penalties from the BSA or SIIA for any allegedly unauthorized installations. During the course of settlement negotiations, the BSA and SIIA routinely fine companies three times the MSRP value of each allegedly unlicensed product.
While no written policy is foolproof against employees installing unauthorized software, a proactive approach includes guidelines and policies to outline proper use of a company's computers. This may include provisions banning installing, using, or accessing software unless specifically authorized by the company. Educating employees to have a better understanding of how to use a company's resources and technology properly may help to prevent costly penalties in the future. In addition to a written policy, it also is advisable for a company to routinely conduct an internal audit of its computers to help ensure software compliance. Once the BSA or the SIIA gets involved, it is typically too late to avoid paying a penalty.
Due to the nature of the process and the possibility that a settlement may be misconstrued to reflect misconduct on the part of a company, many companies that settle with the BSA seek to keep the existence and terms of settlement confidential. However, the BSA disfavors confidentiality provisions, because they interfere with its efforts to publicize the results of its license enforcement program. Therefore, the BSA typically demands a higher settlement payment to include such a provision.
Absent a confidentiality provision in the settlement agreement, the BSA generally is free to issue a press release detailing the terms of settlement and name of the company. The BSA often then seeks to publish the release in media outlets relevant to the targeted business' industry or geographic location, in addition to publishing the press release on its web site.
There are many considerations for a company contemplating a demand for confidentiality. Some larger, more recognizable companies seek confidentiality provisions to offset potentially negative publicity associated with their brand. Under those circumstances, the additional penalty amount may represent an acceptable cost. However, smaller companies often choose to pay a lower settlement amount not inclusive of confidentiality, based on a determination that damage to their brands, if any, likely would be less significant. This is a decision in which a company's upper management should be given an opportunity to contribute. Finally, on rare occasions, some companies seek to issue their own press releases, detailing the settlement terms, and exposing the BSA's software auditing process as a warning for other businesses.
Regardless of the strategy a company chooses regarding confidentiality, it is important to be aware of the implications of failing to include a confidentiality provision in the final settlement agreement. When in doubt, it is beneficial to seek counsel from an attorney familiar with the BSA process.
The court rejected NEI's request for damages for each separate work and concluded that "a plaintiff should not receive a windfall recovery by inflating the number of works infringed from its own compilation." The court determined that "when a plaintiff compiles assorted copyrighted products into a new product, the compilation constitutes one work for purposes of copyright infringement."
NEI's focus on "whether each item (in a compilation) has an independent economic value and is, in itself, viable" did not sway the court. Rather, the Court held that "adopting such a test would be to make a total mockery of Congress' express mandate that all parts of a compilation must be treated as a single work for purposes of computing statutory damages." The court also declined to apply rulings from cases NEI presented in which defendants, rather than plaintiffs, created compilations of the plaintiff's works.
If you have been contacted by the Business Software Alliance (BSA), Software & Information Industry Association (SIIA), or another software industry auditing entity, you should contact counsel experienced in negotiating with auditing entities regarding bundled software suites that resemble compilations.
IBM previously employed a processor-based licensing formula for its server products, but in 2006 it moved to a licensing model using what it calls "processor value units" (PVUs). Under this model, each server processor is assigned a per-core PVU number that depends on the manufacturer and specifications for that processor. (IBM maintains a chart of per-core PVU numbers here.) That PVU number then is multiplied by the number of physical processor cores embodied in the processor to determine the processor value for the physical processor. For servers with multiple processors, that processor value then is multiplied by the number of processors to determine the server value. It is this final PVU number that reflects the licensing required for each computer, as follows:
Server Description: Dual processor, quad-core Dell PowerEdge SC1435
Server value = 50 PVUs/core x 4 cores/processor x 2 processors = 400 PVUs
IBM terms the formula described above "capacity licensing." For machines employing virtualization technologies, under which a virtual server hosted on a physical machine may utilize less than all of the physical machines resources, IBM allows its customers to apply "sub-capacity" licensing rules to reduce the number of PVUs required for compliance. However, the sub-capacity rules entail a number of significant requirements, including use of IBM's License Metric Tool, which reports information about hardware configurations and software deployments directly to IBM.
IBM software licensing involves a significant financial cost, and IBM's products typically function in business-critical capacities in a company's network. Companies that find themselves engaged in IBM audits are well advised to discuss their IBM licensing status with knowledgeable outside counsel before disclosing any information to IBM or making any changes to their IBM software deployments.
A small company with few computers is better suited than a larger corporation to conduct its own audit either manually or to take advantage of one of the many free software scan tools available on the internet. There are still risks of inaccuracy involved. One danger is that a company may submit information regarding a free download that may be mislabeled, and inaccurately reported to the BSA as unlicensed software.
This risk is amplified for larger companies with many computer systems and multiple users. If a large company seeks to conduct its own audit, the free scanning tools are still an acceptable choice, as manually checking each computer is both tedious and can lead to mistakes. An alternative is to seek a consultant who specializes in software infringement issues and who can assist with network inventory and sorting through software purchasing invoices and receipts. However, it is important to keep in mind that, unless that consultant is an attorney, he or she may have no duty of confidentiality to the company. Therefore, it is wise either to obtain a comprehensive confidentiality agreement from the consultant or to retain a knowledgeable attorney to assist with the inventory.
In addition to collecting an inventory of software installations, it is important to gather purchasing information to provide to the BSA. If receipts and invoices are not provided for all software installations reported, the BSA will assume the software is unlicensed and will increase its settlement demand. Regardless of the size of a company, if there are concerns about the ability to scan software, locate purchasing information or evaluate audit results, it is advisable to seek outside assistance with the process from an expert.
Unfortunately, the BSA's definition of software piracy is considerably more broad than the common understanding and may be confusing to companies audited by the BSA who have never knowingly copied unlicensed software. During a BSA-initiated software audit, the BSA requires the businesses it targets to provide dated proofs of purchase for each software product installed on their computers. There are specific types of documentation the BSA accepts, and it usually rejects purchases from E-bay, Amazon, or similar Internet-based re-sellers. Therefore, if a company unknowingly purchases software from an unauthorized retailer or simply is unable to find receipts for products it purchased, the BSA will penalize the company as though it intentionally violated copyright law and "pirated" the software.
Worse, typically after an audit the BSA will enter into settlement agreements with the companies it accuses of copyright infringement. Unless a provision for confidentiality is included in a settlement agreement (usually only in return for a significant additional amount to be paid at settlement), there is nothing to prevent the BSA from publishing a press release identifying the targeted company, the software products involved, and the settlement amount, and otherwise making express or implied statements that the company is guilty of "software piracy."
As a general rule, companies should keep all receipts from software purchases indefinitely, and they should purchase software only from authorized dealers. Additionally, recipients of letters from the BSA should seek experienced legal counsel to assist with the audit and to help negotiate a resolution that may prevent the unnecessarily negative publicity that can result from the BSA's overzealous application of the "pirate" label.
The audit process is lengthy and arduous and often is affected by costly mistakes. One of those mistakes involves the use of an inadequate tool to conduct the kind of audit called for by the auditing entity. There are many ways a business may tackle the audit process. It may hire a law firm that specializes in software audits to conduct the review, it may hire external IT consultants, or it may proceed with its own in-house software audit. The BSA often suggests a number of tools to assist with a self-audit, sometimes including Novell, Symantec, Frontrange Solutions, Belarc and Spiceworks. Many of those tools are available for little or no licensing fee, making them appear to be attractive alternatives.
However, if a company chooses to conduct a self-audit, it is essential to verify the results produced by the tool deployed prior to submitting any information to the BSA or SIIA. Often, software audit tools are not sophisticated enough to discern between free trial software or remnants from previous installations and full installations of licensable software products within the scope of the audit. Over-reporting can carry significant consequences, because each product mistakenly reported as a full version for which a business is unable to demonstrate license ownership typically entails a penalty at settlement based on the MSRP of that product. The BSA then typically applies a multiplier for each product included in its settlement offer calculations.
For these reasons, it is important when conducting an in-house software audit to carefully look for any mistakes in the audit results and to ensure that those results accurately reflect what was installed as of the effective date of the audit requested by the BSA or SIIA. If there is any doubt regarding the accuracy of those results, it is vital to seek the advice of a knowledgeable attorney or consultant prior to submitting any information to the auditing entity.