Outsourcing service providers in China must allay customers' fears about security

SHANGHAI — Walk into the access-controlled room full of software developers at Bleum Inc.’s headquarters here and you can’t miss the slogan written in large blue and black letters that stretches across the far wall: “Protect our customer.”

The message is there to serve as a constant reminder for Bleum’s team of English-speaking software engineers of the importance of keeping clients’ software code secure, said Eric Rongley, the outsourcing service provider’s founder and CEO.

Concerns about the protection of intellectual property and proprietary corporate data are hardly unique to China. But the security risks are greater here than in locations such as India or Eastern Europe, Rongley said. “It’s definitely in the interests of a company here to overcompensate for it,” he said. China’s poor reputation for intellectual property protection stems largely from the widespread availability of pirated DVD movies and software. Last month, the Business Software Alliance in Washington, D.C., estimated that 92 percent of software used in China during 2003 was unlicensed and illegal. That figure tied the country with Vietnam for the dubious distinction of having the world’s highest piracy rate.

But a high piracy rate for packaged applications doesn’t inherently place outsourced software development projects at risk, said Chen Lingsheng, vice president of greater China at BearingPoint Inc., calling security concerns in China overblown. Outsourcing projects to companies in China can be as secure as it is anywhere else, he said.

“We had a major financial client from the U.S. come over here to do a security audit before they would give us a project, and we passed the audit,” Chen said, noting that BearingPoint follows the same security procedures in China that it uses in the U.S.

In addition to conducting security audits, those procedures include strictly enforcing nondisclosure agreements and restricting development work to facilities that require a keycard for access.

BearingPoint and other outsourcing service providers in China are willing to go even further to meet their customers’ security demands. For example, BearingPoint developers have access only to code and project documentation.

“As an outsourcing service provider, we take it very seriously to protect our clients’ secrets and business data,” said Walter Fang, group vice president and chief technology officer at Neusoft Group Ltd., a Chinese software company based in the northeastern city of Shenyang. Neusoft employs 1,500 developers who work on outsourcing projects at several locations in China. Neusoft allocates separate buildings for major clients such as Toshiba Corp. and Alpine Electronics Inc., and it restricts access to the buildings to staff working with those companies, Fang said.

On-site offices are available to each client’s project managers, and Neusoft can provide them with individual phone lines rather than company extensions, he said.

Aside from physical security measures, Fang said foreign companies can build effective legal protections into their contracts with outsourcing providers in China. For example, Neusoft’s contracts with its Japanese clients are typically designed to be enforceable in both Japan and China while offering an avenue for arbitration with a third party under Hong Kong law, he said.

For companies that want to keep a closer eye on outsourced development projects, BearingPoint has offered to install video cameras to monitor work in project rooms at its facilities in Shanghai and the northeastern Chinese city of Dalian, Chen said.

At Bleum’s highest level of security, Rongley said, the company offers a “shadow group” of developers who are given financial incentives to uncover vulnerabilities in software developed by the lead development team.

The shadow developers examine the code for security holes such as back doors or opportunities for buffer overflows that would allow attackers to run executable code. While these and other measures may help to guarantee the security of a customer’s code and data, the best way to improve intellectual property protection in China is to change cultural attitudes, according to Rongley. He noted that service providers can advance the cause through training sessions and staff meetings.

And even slogans on the wall.