Will More DRM Mean Fewer Audits?

With the prospect of new DRM and nastier audit procedures, 2007 is shaping up to be the year of software license enforcement by the major software publishers. And since we’re inevitably going to be hearing a lot more gripes in those areas in the coming months, now is perhaps a good time to air the opinion of one IT manager who thinks there may be a silver lining for customers in these tougher anti-piracy measures.

The reader first responded to a recent story in which we discussed Microsoft and Adobe corporate copy protection schemes by expressing some sympathy at least for what Adobe is doing with its Adobe License Manager (ALM) DRM. “While I cannot comment on Micro$oft’s software management system, I can comment on Adobe’s,” the reader wrote. “It is nowhere near as bad as everyone makes it out to be. You purchase licenses from Adobe, in this case for Acrobat. Your ALM makes a one-time, connection to Adobe’s central licensing server to install your purchased licenses on your server. After that, no subsequent connections to Adobe’s systems are necessary, except when you purchase additional product seats. Rather than the activation routine phoning to Adobe’s licensing system, it phones to yours, behind your firewalls. You can then distribute as many copies as needed, just the first ones to activate will be unlocked.”

The reader’s company has several thousand seats of Acrobat and he helped beta test ALM. “I agree that the system has some shortcomings — failed equipment means you have to phone Adobe to recover a license, no means to yank or pull back a license, no failover/redundancy, no support for multiple sites (global offices) and the like,” he wrote. But he thinks the ALM technology should actually help “the corporate customer in that it reduces Adobe’s desire to audit you. Think about it, if they audit you and find that you are using the system properly and are out of compliance that means that they didn’t do a good job of designing the system. Since they don’t want something like that getting out they actually have a desire to not audit you … Hey, if it helps keep the lawyers at bay, I’ll take a cold hard look to see how it can benefit my business.”

Of all software publishers, Adobe has been perhaps the most aggressive auditor of corporate customers in recent years, which the reader acknowledged when I wrote him. “I will admit, they have. Adobe also has the second most pirated library of software on the planet, after Microsoft. Think about it, how many institutions really pirate IBM VM/VSE? It may have something to do with the 1500-pound dongle needed to run it. But, in all seriousness, it is a cold war mentality between the rights of consumers –which continue to be eroded on with things like DMCA, copyright extensions, UCITA, DRM and the like — and that of big business (and big bucks), to get as much money, er marketshare, as possible all in the name of ‘shareholder value.’ It has nothing to do with shareholder value, but everything to do with monopolistic control. They have it, they don’t want to lose it and will put up a fight to keep it. Even it means stepping on those that actually put them where they are. Think of the recent Congressional elections. Or even more recent announcement by the MPAA to ‘license’ (think ‘tax’) home theaters (loosely defined as having a 36″ or larger screen and a stereo). Both are prime examples. Why should software companies be any different?”

“In the end, Adobe has to pay their employees,” the reader continued. “They do that by selling software. Companies sell software by having a) better product (Adobe model), b) squashing the competition (Microsoft), c) being trendy (Apple). All of that effort takes time and money of which Title 17 and Title 35 provide protections and legal recourse. How they go about doing that is a matter for the PR folks and how they view the long-term viability of their company.”

So will ALM mean that Adobe no longer has to audit its corporate customers? “I don’t think ALM, in and of itself, will negate the need to audit, but it will lessen the need to do so,” the reader answered that question. “The problem with activation like the type Adobe first introduced in Photoshop is that many organizations do not want their employee’s desktops ‘speaking’ to the outside world except in a tightly controlled manner. But that’s where ALM comes in, as it moves Adobe’s activation server from their premises to yours, with a trusted chain that they wrote for the activation process. Rather than phoning Adobe, the clients are phoning your internal server.”

Of course, like all anti-piracy technology, Adobe’s ALM can be beaten by those who really want to do so. “Let’s say you place the ALM server on a VMware system, snapshot it, then back that snapshot off, restoring it when you get low on seats,” the reader wrote. “As you have already activated a bunch of seats, those won’t be calling home and will continue to run until their hardware or OS implodes. Through this mechanism you could increase your seat counts indefinitely. The ALM records date, time, user ID and other info regarding activation, but as it remains on your site, you’re not worried about it.”

“Until an audit. Then you would be easily caught. The first thing they would look at would be the activation log. Something so obvious that a blind auditor would find it — all the activations are recent, or there are long, unexplained, gaps in the record. Or, you’re really clever, and cycle between 2, 3, 4 VMware sessions on a daily basis — giving you 2X, 3X, 4X the seats. Now you have premeditated a crime. The former you could write off as due to ‘hardware failure’ and restoration from a previous backup. Small fine, and done. The latter, full weight of Title 17 thrown at you. Either way, the audit would be short and swift. The auditors would never have to interrogate your desktops to see how many seats you have deployed unless they suspect something.”

While the possibility of an audit still has to be there, the reader thinks they will become much less frequent in Adobe’s case. “Audits are expensive for both parties involved and neither really enjoy them all that much,” the reader wrote. His own company was once audited by Adobe, he says. “Due to diligent recordkeeping and iron-clad software deployment and our internal custom-written auditing tools, Adobe and their auditors walked out of here with tails between their legs and their arses smarting a bit. The reason for this is because I never deceived them. What they found is exactly what I told them they would find. The holes they found were the holes I told them they would find. And the fact we were about 1200 seats under-allocated didn’t hurt.”

“So, a corrupt organization will still be corrupt, and they will be audited and they will be caught. An organization that plays by the rules will continue to do so. They may or may not be audited, but it is less likely as Adobe knows that they would be caught. ALM activation technology means they will need to do fewer audits, but those that they conduct will result in a higher burnt-finger rate. ALM will make the audit process faster for both sides.”

“In conclusion, I do not believe that tools like ALM will totally stop the need for audits,” the reader wrote. “A corrupt organization will still be corrupt, and they will be audited and they will be caught. An organization that plays by the rules will continue to do so. They may or may not be audited, but it is less likely because the software companies will need to do fewer audits while those they do conduct will take less time and will result in a higher burnt-finger rate. Professionally, as a corporate IT manager, do I like things like ALM? No. But they will go a long way to negating the need for audits … so long as the tools work.”

Read and post comments about this story here.