
Intellectual Property and Software Piracy

The Power of IP Protection and Software Licensing, an interview with Aladdin vice president Gregg Gronowski

Queue: Hello, and welcome to another premium edition of the ACM QUEUECAST, with your host, Mike Vizard. This edition is sponsored by Aladdin. We're here today to talk about intellectual property and the whole issue of software piracy and our friends at Aladdin are considered one of the de facto standards today for protecting software IP, preventing software piracy, and enabling software licensing and compliance. So joining us today to discuss that topic is Aladdin Vice President, Greg Gronowski. Greg, welcome to the show.

Gronowski: Thank you. I'm welcomed.

Queue: How big a problem is this whole issue of piracy and how much does it relate back into intellectual capital for a software company. I believe if you look at a software company, at least 80 percent of its assets have got to be tied up in intellectual property, but I'm just curious how much of this, is there a real problem around theft, first. Is this some kind of concern that people have?

Gronowski: Well, it's addressed in two manners. The software industry or all of the associations that support the industry look at it as, from a software piracy point of view, in excess of probably $30 billion annually on a global basis and continuing to grow year over year just as some of the economies start to pick up in many of the Eastern and Latin and Asian countries where the security aspect of protection and IP protection is not as strictly followed as much as it is here and as well as in the European community.

So what happens is that you've got software that's being pirated and at the same time, you also have the concern from an IP perspective of not only just the out and out piracy of taking, making copies and selling it illegally, but also the issue of someone actually stealing -- I hate to use the simple term -- but the family jewels.

In many cases, it's what the core technology behind the application or the embedded software that's controlling some device, and interestingly enough, we find that with many companies, that was not a major issue up until more than a few years ago, when they've all started to realize what's happened as a result of all of the exposure of piracy, the global piracy issue.

Queue: So it's really not just about the fact that some end-user somewhere is using my software illegally and should be paying me. It's a lot more about, there's probably some competitor, odds are in some country where licensing rules are a little more lax, that's actually lifting my intellectual capital and leveraging it to drive their company.

Gronowski: It's interesting, as I mentioned, the only data that we have from an estimated loss perspective is what's been identified from a piracy point of view, where people are actually illegally using technology and/or just copying it and selling it illegally. The estimated amount of IP loss is still somewhat difficult to put your arms around, but when you see the comparison, it's pretty easy to understand that it becomes an issue from an internal perspective.

When we talk to a lot of customers and do a variety of presentations to industry folks, we present it as an issue of who's really minding the store, and what we mean by that is there's numerous companies that we have worked with that don't even realize that they may have a partnership or with an existing or a company that they have a partnership with, or they're making available to them their technology that's being implemented, they're licensing it to them, and then all of a sudden, they're finding out, well, they're losing vast amounts of dollars in revenues as a result because someone internally into that partner is all of a sudden taking that technology and sending it out for free or selling it to a variety of other people.

And similar situation when we find out with companies that have employees internally. It's the same situation as well, where they don't really have a grasp at times within a given -- relative to a product cycle -- where an employee might have the ability to get their hands on that core IP and do the same thing. They turn around and they sell it illegally to someone and it could be for their own gain or it could be for the gain of the receptor in terms of turning it around and making it into a new product that they can compete against.

Queue: How aggressive are software companies approaching this problem because my suspicion would be that a lot of people are taking the behind plain sight approach and maybe no one will find me rather than actually taking any steps to actually prevent this?

Gronowski: It's interesting. It's again, and I kind of look at it, I've been in the software security end of this world for about five years now, and meeting with some of the largest companies in the world, that satisfy some of the widest breadth of vertical markets that are imaginable, that are traditional and nontraditional relative to software distribution and it's exactly what you're stating.

Some of them don't even know it, or they'll have a massive organization internally within that company and then they'll work with companies like ourselves to help provide them with solution, to prevent the loss.

Queue: Are there some tools that you provide people, to help them understand what their risk analysis tools might be around this whole situation? Or, is there some way for the average CFO to grasp what's really at risk here?

Gronowski: Well, we do have a piracy calculator that we make available and that's generally an assessment based on the product that you sell, the price that you sell, where you sell it to, and the volume that you sell, and it kind of estimates based on what we know as the piracy levels in the regions specifically outside the United States as well as in the United States, and that gives them somewhat of an idea of how much revenue they could be losing to piracy.

But on the IP side, no, that's still -- it's kind of challenging because in a lot of cases people find out about it after the fact. We work with a lot of -- you know, from small tiny companies that have in-fights within organizations where you may only have two partners and all of a sudden, one steals the core technology and is off and starting his own company and all of a sudden, they get into a legal battle. We see that quite frequently, and in some instances, even on a very large and grand scale, we've got some customers that, as I mentioned, find out that they've got an OEM partner that all of a sudden they're now using our technology to not only protect the IP but also control the license distribution and the amount of how their product -- the amount of the product that they sell to one of their partners from a usage perspective because they found out after the fact that in many cases, there were alpha and beta versions of their technology out in the street long before they even ever got to the final product and the end route wasn't in their own house, it was actually through one of the third parties that they were working with.

Queue: How complicated is the software to deploy to mitigate this problem. Do I have to have eight guys in lab coats? Can the average developer deal with this?

Gronowski: The beauty about our technology is that an average deployment is probably less than 30 minutes and depending upon how complex of an integration that they want to do. I mean we provide a very simple tool set, both from using a hardware-based technology, the ... every one knows is our software-based implementation and it all depends upon what the publishers' needs are. In many cases, if they're looking for pure security and the IP protection, they can go to extensive levels to go to what we call a very simple process that is an Aladdin-patented technology that we call an envelope and that basically puts the secure wrap around the application.

In addition to that, we have the ability for them to integrate into the API core of the application as well for more security and depending upon which hardware piece that they use from ours, we offer a variety. Some have more memory than others, some have time capabilities, some do network support as well.

So as much as the developer wants to integrate the technology, they can. And they can make it real simple. Here's the key -- there's no key, or easy from that perspective.

Queue: Do you know what type of software licensing model I'm using because a lot of people will have a pay-per-use model. They have a subscription model. They have floating models.

Gronowski: We can support them all, and that's one of the interesting things that we find. On a monthly basis, we've been doing for almost two years now, seminars around the country and we meet with not only our existing customers but also with prospective customers and it's an opportunity for us not only to reintroduce our technology from a technical point of view, making sure that their implementation is proper and that they're doing everything all correct, but at the same time, are they really aware of what the technology can do because what happens in the software industry is that there's generally a fairly high turnover of developers.

So sometimes the individual that we may have started with a year ago, may not be here six months later or eight months later or 12 months later. So, part of our mantra is to constantly make sure we're in communication. So the complexity is -- it's relatively simple in terms of the implementation but the technology itself is state-of-the-art from that perspective.

Queue: Your software also gets used to help me manage the licensing process overall, not just the piracy issue, right?

Gronowski: Oh definitely, yes. From a licensing point of view, again, the same issue. When we meet with a lot of these customers, many of them are very -- look at it from a very single-minded perspective and not saying from a negative point of view but a lot of them were just charged with let's just look at it from a single license point of view. So it's a single-user.

And that's always been the core from Aladdin's technology, but within that single license, you've got perpetual license, you have trial-ware, you have the ability to allow them to use it over a certain period of time from a subscription model, a rental model, a pay-per-use model. So we support all of those capabilities and we do that both in the hardware-based solution as well as a software-based solution.

Queue: The point of that is you don't necessarily want to be thinking about piracy and digital rights issues after the licensing fact. You want to have that integrated into the process.

Gronowski: Definitely, definitely. And in some industries, that we work with, there's a balance in terms of piracy is a much bigger concern than say, licensing, and while they both regulate revenue relative to the ISV, it depends upon the market that they're in, and in some cases we'll work with the broadcast industry for example. We work with many, many of the large players in the broadcast industry and their biggest concern is licensing and controlling the usage and the distribution of their technologies, and what they like about working with folks like ourselves is the homegrown methodology that everybody takes into consideration is becoming more of a burden relative to just the management of it and being able to keep up with the latest technologies and features that are out there that can be taken advantage of.

So that's generally where we find a wide opportunity, is when we talk to a lot of software companies that are saying, you can do all of this for me and now the same guy that I have that's not only developing the application but probably spending 50 percent of his time to manage the licensing, we've got a store-bought product right off the shelf that does more than what we wanted and now they free-up that resource to do what that person's originally hired to do, develop product, not necessarily do all of the other ancillary things.

Queue: So people really want, should want their people to focus on what they do best rather than all these, as you describe it, ancillary functions, so how much time and energy -- you mentioned maybe 50 percent from one individual -- but if you looked at it as across an organization, how much of their time and energy is spent on these ancillary activities versus the core product that is actually making the money?

Gronowski: If it's a homegrown, if it's someone doing homegrown, you have to look at either a series of full-time people, that's all they're doing is managing a homegrown solution, or it's someone probably spending 50 percent of their time, and then this is based on when we talk to a lot of developers and just basically ask them and companies asking them that same question, how much time do you spend, how much of the part of the actual day are you involved in managing your security and licensing technology from a homegrown point of view?

And what happens is there's always that not invented here attitude from a developer perspective. I've worked with engineers, the majority of my life, and that's true of pretty much any product that they develop, and what happens is that they always feel that I can do the best, but what we see all the time is that they develop that product, say, maybe two, three years ago, someone came up with this great idea, and they're using some kind of reg code and they're doing a variety of things internally, but all of a sudden, what they're not realizing is that the hack community, the hacker community, has become so advanced in their approach in attacking products and technologies because hacking has become a professional business.

I mean it's no longer casual activity of you and I just sharing a CD for yucks. There are organizations that they prey on, a variety of software companies, all over the world, specifically for illegal revenue, and the average software development company just doesn't have the resources because that's not what their core focus is. If it's somebody that's developing a software technology to manage a manufacturing machine in an automotive industry, licensing and piracy technology are not of their concern.

But they may have someone in there trying to do this little, something that they got off of freeware or somebody created it, but two months later, maybe six months later, that product, that technology doesn't even work any longer, and now that individual never goes back. He's not constantly on a daily basis making sure that they have the technology that's up with the times.

Queue: Right, so it's the guy who draws the short-straw winds up working on the licensing management tool and then three weeks later, he's onto something else?

Gronowski: I'll tell you an interesting story, this is very specific, and I wasn't actually even selling at this point in time, or actually looking to sell a product. I was visiting a large tradeshow called NAMM, it's the National Association of Musical Merchants, a year ago this January, this past January 2006, and I've been an avid multimedia music fan pretty much most of my life. So I have a small little recording studio at home, and there was a product there that was available from a company that I use, and I was there more than anything just to look at the latest technology that they were using, and they weren't using ours. They were using a homegrown solution and again, I wasn't there to try to make a sale, but the guy had this phenomenal demonstration. They were even connected to the Internet. He was doing a whole bunch of great stuff, and the minute he saw my badge, he realized who I was from, the company that I was from, and he says, 'well, you know I created our technology and it's the best that's out there.'

And I said, 'I'm not here to sell you. I'm really here to talk about your product. I'm a big fan of your product.'

Well, about two minutes later, he was pitching product to an actual live person and so he had one of their computers was connected to the Internet, and I did a Google search, and the product that he was demonstrating with his technology, the new product, was available, the beta version was available, a pirated version was available on the Internet, and I showed it to him right there, and so it's kind of an example of the fact that he felt that he created this best product, that he created this phenomenal technology for security, and they haven't even taken the product to the streets in terms of a complete product and they're showing it at the biggest event of their industry and you can go on the Internet and do a Google search and you're able to find hacked beta versions of it already before it ever even hit the street.

Queue: Lately, in these digital rights management has been getting something of a black-eye in the media. What is the reality of the issues around digital rights management and how complex is it to develop and maintain? How should developers approach this subject, with some sensitivity to their users?

Gronowski: Well, it's interesting. I think the black-eye came about a couple of years ago when everybody started talking about -- and this goes back to Microsoft with product activation -- and then there were a variety of companies in our field that were actually leaving. People felt that there was an agent that was sitting on the PC so it would commune constantly, communicate with the server so there was always this watchdog concern of people having access to your PC if you used their application. Well, the newer technologies today like ours, they don't do that. There is no agent sitting in there. It's a pretty simple technology in terms of implementation while the technology itself is complex but it's pretty simple from a management point of view, implementation point of view, and as long as a software provider, or not provider, but software developer, is maintaining and keeping an updated release of all of the current technologies of what we would offer, they should feel in pretty good comfort.

Queue: So if you had to sum it up, what would be your best advice to developers and the companies they work for in terms of approaching this whole space?

Gronowski: Well, it's a couple of things. One, it kind of goes back to the earlier comment that I said, is you really have to understand who's minding your store. What is important to you? Is it IP? Is it IP protection? Is piracy an issue? Or, is licensing an issue? And relate all of them relative to revenue growth because a lot of people look at it from a perspective of just saying, well, I'm just protecting things from someone that's trying to steal something from me, and in reality, all of the security technologies that we've created over the last few years has really opened up the door to more opportunities for software publishers to grow their business because they can now license and sell their products in a variety of new ways that they couldn't do before, or they were limited by their own internal resources.

So it's 1) don't be afraid to look at third-party technology companies like Aladdin because we're in this business. We've been in the business for over 20 years. We are an expert like many of the ISVs are experts in their own markets that they serve.

Queue: So Greg, thanks for sharing your thoughts. For listeners that want to get more information, we encourage you to go visit www.Aladdin.com, the website for the company with the digital rights management solutions for protecting your software intellectual property.

Greg, good luck to you and we hope to hear from you again in the future.

Gronowski: Thank you, Michael.


Originally published in Queue vol. 5, no. 1

© 2020 ACM, Inc. All Rights Reserved.