Everybody's Gotta Trust ... But Verify?

Dennis Báthory-Kitsz

September 5, 2003

Copyright ©2003 by Dennis Báthory-Kitsz

Some or all of the links in this article may no longer function from this archive version of this paper.

Why Are We Talking About This?

The topic is intellectual property, and how this term has been transformed from a useful principle into a contentious and exploitive tool. It is also a companion explanation for The 2003 Golden Bruce Award.


I once wrote software. My company went bankrupt after seven years. I interviewed Bill Gates the year I founded my company. His company didn't go bankrupt. Yet. But keep that in mind as this polemic progresses.

The Problem

Commercial software is sold for a price the market will bear, under conditions the market will bear. What is bearable, however, is changing -- from both sides of the cash register.

Commercial software authors would like the best of all worlds: copyrights, patents, trade secrets, and padlocks. And so far, they've gotten everything, with little left for the commercial software buyer other than risk, pain, disappointment, and frustration. Indemnified for bugs, cheered on by operating system changes, they rush new product versions to market, incompletely tested and with the liability for their use entirely placed at the fingertips of the buyer. (As an aside: Have I ever used a bug-free program? I can't tell, but I exercise my programs pretty hard, and only one has consistently failed to crash: Cool Edit 2000, now discontinued by Adobe, the buyers of Syntrillium Software.)

To secure their economic place, the authors (actually, their corporations) develop increasingly complex licenses that provide all benefit to themselves and no recourse to the purchasers. Aside from their indemnification by the buyer's act of slitting the shrinkwrap or clicking on a contract before the software can be tested on the host system, these authors and companies have included increasingly complex protection schemes. The most offensive of these schemes are the dongle (a hardware key attached to a computer port) and the authorization (a software key created from the computer's hardware configuration).

These are offensive because, post-purchase, they indenture the purchaser to the seller.

Authorization (or challenge/response) seems innocuous. In simplest form, it means that you install the program and copy-protection driver; the driver examines your machine's hardware and develops a 'challenge' code; you register the software; you provide the 'challenge' and you are provided with a generated 'response'. Both are required for the software to function, and if you change some aspect of your computer that the software uses to generate the challenge, the response no longer matches and you have to get a new one, usually by explaining what you need it for and convincing the person on the other end of the phone or email that you really have a right to run the software you paid for.
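The flow just described, as an added sketch that is not PACE's or any other vendor's actual scheme: it follows a purchase, a disk upgrade, a re-authorization, and a vendor that has stopped answering. The hardware fields, serial format, HMAC construction and the names `AuthorizationServer` and `program_will_run` are assumptions made for illustration, and a single symmetric key shared by client and vendor stands in for whatever a real product uses.

```python
import hashlib
import hmac

# Constructed placeholder for the vendor's signing key. Sharing one symmetric
# key between client and vendor is a simplification made for this example.
VENDOR_KEY = b"constructed-vendor-key-for-illustration-only"


class VendorUnavailable(Exception):
    """Raised when nobody is left to issue a response."""


def make_challenge(hardware):
    """Client side: derive the challenge code from hardware identifiers."""
    canonical = "|".join(f"{name}={hardware[name]}" for name in sorted(hardware))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16].upper()


def compute_response(key, serial, challenge):
    """Response bound to both the purchase serial and the machine challenge."""
    message = f"{serial}:{challenge}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:16].upper()


class AuthorizationServer:
    """Vendor side (hypothetical): turns a registered challenge into a response."""

    def __init__(self, key, in_business=True):
        self.key = key
        self.in_business = in_business

    def authorize(self, serial, challenge):
        if not self.in_business:
            raise VendorUnavailable("no one is answering authorization requests")
        return compute_response(self.key, serial, challenge)


def program_will_run(hardware, serial, stored_response, key=VENDOR_KEY):
    """Driver check at launch: recompute from the current hardware and compare."""
    expected = compute_response(key, serial, make_challenge(hardware))
    return hmac.compare_digest(expected, stored_response)


def walk_through():
    """Run the purchase, a disk upgrade, re-authorization, and vendor failure."""
    serial = "SN-CONSTRUCTED-0001"  # constructed sample value
    machine = {  # constructed sample identifiers
        "disk_serial": "DISK-CONSTRUCTED-A",
        "mac_address": "02:00:00:00:00:01",
        "cpu_id": "CPU-CONSTRUCTED-1",
    }
    vendor = AuthorizationServer(VENDOR_KEY)

    # Purchase: register, send the challenge, store the response that comes back.
    response = vendor.authorize(serial, make_challenge(machine))
    results = {"original_machine": program_will_run(machine, serial, response)}

    # One hardware change alters the challenge, so the stored response fails.
    upgraded = dict(machine, disk_serial="DISK-CONSTRUCTED-B")
    results["after_disk_upgrade"] = program_will_run(upgraded, serial, response)

    # While the vendor still answers, a fresh response restores the program.
    new_response = vendor.authorize(serial, make_challenge(upgraded))
    results["after_reauthorization"] = program_will_run(upgraded, serial, new_response)

    # Once the vendor is gone, the next hardware change cannot be re-authorized.
    vendor.in_business = False
    replaced = dict(upgraded, cpu_id="CPU-CONSTRUCTED-2")
    try:
        vendor.authorize(serial, make_challenge(replaced))
        results["vendor_gone"] = "authorized"
    except VendorUnavailable:
        results["vendor_gone"] = "locked out"
    return results


if __name__ == "__main__":
    for step, outcome in walk_through().items():
        print(f"{step}: {outcome}")
```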

An Example

Reputedly the most egregious of these is PACE Anti-Piracy. PACE is "legitimate" software, but has been called a virus (by this author among others). There's been a year-long set of threads on the Cakewalk/Sonar newsgroups (as this article is being written). PACE has broken some machines to the point of having to re-install the operating system from scratch to purge the low-level PACE locks. PACE removal instructions (because it survives removal of the locked application itself) are regularly posted on the newsgroup.

Here is what some users have to say about it:

Tue, 26 Aug 2003 21:56:03 +0100
There's nothing particularly wrong with PACE's technology at the moment. So... why is PACE so bad?
a) Because it uses challenge/response. If Antares (for example) go under, who will authorise my next installation?
b) Because it works at a low-level - driver level. When the next version of Windows comes out will I find that I have to wait months for PACE to produce a version which doesn't cause intermittent crashes or damage my partition table; both of these have happened in the past. Perhaps there will be more serious problems in future. Or if PACE go under, will I ever be able to use my PACEd plug-ins on future versions of Windows.
Steve Bavin

Date: Tue, 26 Aug 2003 16:44:17 -0500
Same here. I suffer gladly without Autotune because I operate elsewise happily without PACE. It's like a timebomb. I want PACE to shrivel up and go away.
I'm waiting for a decent competitor to hit the market. You'd think someone would figure me for a buyer because I desperately need tuning when I sing. And I don't mean a crappy stripped-down lookalike, I mean a bonafide competitor on whom to blow my wad of cash.
David Duke

Date: Tue, 26 Aug 2003 20:22:27 -0700
Yes... many issues have been fixed.
But... that statement has been made several times. With Win9x there were problems. Eventually, they were fixed... and the people rejoiced. Win2K came out, and there were new problems. Eventually, they were fixed, and the people rejoiced. WinXP came out and there were new problems. They were fixed, and the people rejoiced.
All we need now is a new version of Windows to continue the endless cycle.
Scott Reams

Date: Thu, 28 Aug 2003 11:07:34 -0400
Pace sucks, but how hard is it to put a txt file, with the passwords, where you can get to it. Now if you have more than one piece of PACE protected software, you are beyond help, as you have learned nothing from your mistakes!
Tommy B

Date: Fri, 29 Aug 2003 10:34:41 -0400
But PACE is a hardware dongle. It actually turns the hard drive it is installed on into a dongle. PACE creates a low level driver that encrypts a code wherein the response of your hard drive's low level serial number becomes a part of the dongle. You can theoretically move a pace protected software package to a new hard drive and it still works, but you cannot remove the original hard drive. They even say you can theoretically reinstall the software on a new machine so long as the old hard drive goes in the new machine and you are good to go. (I never got either of those to work).
Bob Greaves

This is not just user complaint. Prosoniq, maker of sonicWORX, dropped it, as have others. Breaking "good guy" news: Cakewalk Music Software has continued their policy of serial-number-only registrations for their new Sonar 3 high-end studio software. Well done!

But So What?

Software authors think objections to copy protection are overblown or even hysterical. Ross Bencina, in a post to the AudioMulch list (a list dedicated to his must-have, fantastic AudioMulch program), wrote, "Personally I don't think PACE is so bad -- Cycling 74 are doing a great job of developing one of the most powerful music tools on the planet. They are also quite reasonable about supplying new codes. If you don't want to use their software, fine, but I don't think there's any point bitching about whatever decision they have made to try to make their operation financially viable."

The problem here is twofold: There is nothing that has yet proven that financial viability comes from copy protection, and ethical objections must not be trivialized as bitching. It is important to oppose this sort of behavior vigorously, not only with the wallet but with the pen. (Ironically, Bencina's approach with AudioMulch is a good and simple one -- serial numbers to legal purchasers.)

How can I say there is nothing that proves financial viability? Because the studies are impossible to conduct. There is no accurate characterization of the purchaser who used an illegal copy for years, nor of the illegal copies available at various warez sites that are easy to find.

A significant reason to oppose these copy-protection schemes is that they encourage "protection creep", and it's showing up everywhere. I wanted to buy Cycling 74's Max/MSP, but won't. I refuse to lock my creative projects into software that I won't be able to use for all the reasons I posted. I also think it's crucial to point out these user-victimizations whenever they come up, especially since companies are so cagey about admitting to what they do and the consequences to users down the line.

Why is this an ethical issue? Why is it not just a simple capitalist expression of supply and demand? It is not, because the issues are broader in an interconnected world. There is a free-marketeer theocracy whose dogma is to oppose corporate accountability and support crushing end-user licenses -- but those are simple questions of accountability (though software does not incur liability as hardware does [there is no Underwriters Laboratories for software], even if you can find the EULA).

IP Ethix Lite, Chapter 1: How Copy Protection Erodes the Moral Ground in 24 Hours or Less.

Of course, you can use the ethical shuffle: buy a copy of what you want, then use a cracked version from a warez site. But then, hey, they're turning you into the criminal they expected you would be, minutes after you received your copy! [The preceding is based on an actual exchange after arguing about copy protection as not being ethically compromising.]

One of the options is a key escrow. It would take almost no effort to create a key escrow, and I can imagine no reason why a company wouldn't be able to do it before their product ships. It would be great PR, too, and lead the way for other companies to combine an IP protection scheme with protection of their user base from their own failures.

Now, not too tangentially: Most users seem certain their favorite software companies will have to support a product into the future. Why? Can you point me to any law which requires a company or its successor to provide license keys? There's also a "force majeure" clause in just about every software contract or end-user agreement or warranty (to quote an actual one, terminating a license "due to fire, strike, war, civil unrest, terrorist action, government regulations, acts of Nature, or other causes beyond the reasonable control of the party claiming force majeure").

In the classic case of MakeMusic!, look at their stock price chart, and the news report on May 12, 2003, a mere three months before MakeMusic!'s flagship product, Finale, shipped with challenge/response copy protection:

MakeMusic! revenue down, loss shrinks.
MakeMusic! Inc. reported lower revenue for the first quarter of 2003. But the Eden Prairie-based maker of software for teaching music said its losses were $10 million lower than in the same period a year ago. The company noted that sales of its software were hampered by the fact that its Finale program is not yet compatible with the Macintosh OS X operating system, and a significant number of subscribers use Macintosh computers. The company said its next version, scheduled for release this summer, will run on OS X.
MakeMusic! announced that revenue for its first quarter ended March 31 was $1.7 million, down 15 percent compared to revenue of $1.9 million for the first quarter of 2002. Net loss dropped to $2.1 million, or 78 cents per diluted share, down from losses of $12.9 million, or $5.58 per diluted share in the same period last year.

MakeMusic! is one of the stable companies. As a software user, are you still confident? Ready to sign away your livelihood?

Our Moutons

But those are practical matters. What about returning to the ethics? Why object so strongly? It's for the same reason somebody might object to being searched while having nothing to hide, or to seat belt laws while always wearing one, or to gun-control laws while never owning one, or anti-terrorism laws while never engaging in it, or zoning laws while never violating them, or anti-drug laws while never using drugs ... because some issues are ethical ones and belong in the realm of liberty.

Liberty as a concept is increasingly eroded in our presently corporate-centric society as the law and practice allow companies to engage in behavior that the government may not engage in, including unwarranted searches (urine tests), restrictions on outside behavior (no smoking even off duty), expropriation of thought (where all ideas belong to the company, no matter when they're written down during the period of employment), covenants against present and future behavior (non-disclosure agreements are a good example), and any manner of actions that in the public sphere would be disallowed under Constitutional protections.

Copy protection is at heart unethical because it contractually exploits those who obey its terms, making its buyers digital serfs on the intellectual property plantation. That's why I call such software "victimware".

Okay, now, my European friends don't think this is all such a bad thing. Liberty never quite had the meaning associated with free-trade theocracy that it does in the United States, and their European Union software protection laws were considered worth little debate [however, as I write this in September 2003, there is a cloud gathering over the intellectual property corporation protection party across the pond].

Doesn't 'Fair Use' Help Me Out Here?

The so-called 'Fair Use' copyright clause has been used to mean, "I bought it, and I can bloody well do what I want with it."

A big "sort of" goes with that. In the United States, fair use is court-dependent. On the other hand, the lack of legislative establishment of a right doesn't mean it doesn't exist. This is an important part of the U.S. Constitution, which differs from founding government documents in some other countries in that it rarely sets out rights themselves. There were strong arguments that no rights be assigned at all, and it's interesting that the only right given in the body of the Constitution (before the amendments) was copyright (Article I, Section 8). The Bill of Rights was felt necessary (after some acrimonious debate), but nevertheless came with the 9th Amendment: "The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people."

So the idea of "fair use" was really slow to be codified in Section 107. The original 1984 Betamax case used time-shifting in its decision that the machines didn't engage in contributory infringement. Those are copies for private use, and they don't quite seem to fit the law. The area remains flexible. Does the absence of specifically 'legal' copy mean it's illegal?

Some items to read are the section of the law and the notes that accompany it. It's a fluid area of law. (Ephemeral copies are also allowed, though that's a transmission issue.)

But software has some of its own rules, including the Digital Millennium Copyright Act (DMCA), now under review (I'm happy to say). There is a reverse-engineering clause in Title 17, Chapter 12, Sec. 1201: "Circumvention of copyright protection systems (a) Violations Regarding Circumvention of Technological Measures. - (1)(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title."

On the other hand, Sec. 117 (Limitations on exclusive rights: Computer programs) says:

(a) Making of Additional Copy or Adaptation by Owner of Copy. -
Notwithstanding the provisions of section 106, it is not an infringement for the owner of a copy of a computer program to make or authorize the making of another copy or adaptation of that computer program provided:
(1) that such a new copy or adaptation is created as an essential step in the utilization of the computer program in conjunction with a machine and that it is used in no other manner, or
(2) that such new copy or adaptation is for archival purposes only and that all archival copies are destroyed in the event that continued possession of the computer program should cease to be rightful.
(b) Lease, Sale, or Other Transfer of Additional Copy or Adaptation. - Any exact copies prepared in accordance with the provisions of this section may be leased, sold, or otherwise transferred, along with the copy from which such copies were prepared, only as part of the lease, sale, or other transfer of all rights in the program. Adaptations so prepared may be transferred only with the authorization of the copyright owner.

So "adaptations" are allowed (that could be read as "hacks", I suppose), but it's illegal to transfer them and even illegal to figure out how to do them because that requires reverse-engineering the software. So Sections 117 and 1201 have already been interpreted to quash hacks, even 'benign' ones.

Whoa, You're Getting Way Off-Topic, Dude

Right. Maybe. So let's talk about creep. Canadian creep.

To secure their right to lost income (something I'd welcome for myself any day), various businesses and organizations have petitioned governments -- who have pliably complied -- to establish private collection agencies who set rules and fees for the sale of blank media. In simplest form, over-the-counter retail sales are taxed on the assumption that there's foul play afoot, and the money (after a cut for the agencies, publishers, and labels) goes to artists, pro-rated by their popularity. Wholesale or supplier sales are not taxed on the assumption that these are for legal duplication.

Lots of assumptions there, yet still the system quite naturally breaks down, hurting the least powerful and most excluded part of the equation: composers. Kalvos & Damian is about composers, right? Okay, then.

There are like organizations in the U.S. and Europe, but the innocently named Canadian Private Copying Collective takes care of this up north. Like, y'know what I mean, they take care of it. They established the zero-rating program ostensibly to help certain parties who should not pay such a royalty, such as the disabled, nonprofit corporations, and, um, composers who are duplicating their own work. Their site reads, "In 1999, CPCC established a program to permit media otherwise subject to private copying royalties to be purchased 'zero-rated' or royalty free. The program was available to a range of groups, such as educational institutions. Purchasers were required to be certified in advance by CPCC and buy from a CPCC-authorized seller." (CPCC. CCCP. Hmmmm....)

Yeah, part of this pony's trick is the 'CPCC-authorized seller' line, but that's not the half of it. Here's where the creep comes in, as summarized by professor and composer Dr. Paul Steenhuisen:

The [$15] membership fee in part pays for the administration to collect your money back for you. To make back the fee of $699.86 to register yourself as a business [required by the CPCC for the zero-rating program], at 21 cents per unit (year 2000 levy amount for CD-R's), you must purchase 3,332.667 blank cd's. No, wait, 75% goes to publishers, 11.3% to record companies, and 13.7% to recording artists, so of the 21 cents per unit levy, you are probably only eligible to receive 2.8 cents back on each CDR.

It is important that you accept that 75% goes to publishers who don't publish your music, and that by paying this fee, it compensates them for the losses they incur when you copy your own music for yourself as part of your own work.

It is therefore necessary for you to go out and purchase 24,995 blank cdr's to receive back your $699.86 in investment fees. At 50 cents cost for a blank cd, that is $12,497.5. At a commission fee of $750 a minute for orchestral music, that is about 16.66 minutes of music, possibly a year of work for you in order for you to break even and ensure that publishers and record companies who don't give a hoot about you continue to not give a hoot about you.

Thank you, Paul. And that is how amokly-crawling intellectual property protection creeps into the life of the composer.

More Creepage

Here's some more, a little briefer. We all love Wal*Mart, right? Right?

Wal*Mart is a defender of morality, in their own view. In another example of capitalist theocracy gone mad, Wal*Mart -- because of its buying power -- can pressure record companies into releasing special versions of popular recordings that bowdlerize lyrics that offend them with no indication to the buyer that this is a censored recording.

Takes a while for that to sink in, doesn't it? And then it makes your skin crawl. Or creep. I'll leave it at that.

Rights, Protection, Creep... and Stability

How do you feel about companies going under and taking your work with them, or the whole idea that the legitimate user must bear the burden of a company that's precarious? Don't you find it scary at all? The idea of limiting access to what you've purchased? Or, most hideously, limiting history's access to your work? ("There was a great piece you composed back in '06, but unfortunately, the program was locked and we'll never be able to hear it.")

Programs from Antares and Cycling 74, programs like Ableton Live and Finale and many others include challenge/response copy protection, and other software such as Graphire Music Press requires a hardware dongle. In Ableton's case, I downloaded and read their manual, but they do not disclose whose protection routines they use or how deeply they invade the system. This is a bad sign. (And remember that third-party support is there for cars and appliances and electronics, but not protected software.)

I'll reiterate the reasons to avoid challenge/response (and this goes for dongles as well):

  1. It makes you the victim, as a legal purchaser
  2. It makes you a slave to the willingness of the authors to support your requests
  3. Challenge/response can be damaging to the system because of low-level drivers
  4. Your software can 'time out' for any number of reasons not disclosed by the company
  5. It makes you dependent on the well-being of the company you bought it from

No company can promise you that their system is not a hassle (as Ableton does) or that they will be around tomorrow to support you.

What's All This About Hats?

No, not hats -- history.

History is the elephant in the room. Software authors and their companies know it. Artists know it.

It starts with the easy questions, such as digital formats. Where will the formats go? Not just CDs or format-flavor-of-the-month DVDs, but hard drives that no longer use present-day interfaces? Even if the hardware survives, what software will read the three or more PC formats or the Mac formats? And what about reading those data CDs in old formats? Or trying to extract audio from a scratched or chemically imbalanced compact disc on the brink of death (see CD-R's binnen twee jaar onleesbaar in PC-Active)?

And then the real question apropos of this essay: Have you committed to one company's software? Copy-protected software? When those companies die, and they will die, where will your projects, your hundreds of hours of musical (especially electroacoustic or computer-based) creation, go? Will you keep your old computer around and maintained to be able to read that data and use that software? And when your dongle fries, then what? Or you can't get further authorizations from a dead company? Or even a Microsoft or Apple decides no longer to support the format/software/hardware/interface you use?

What's safe? Static memory of the flashcard type is getting larger & cheaper. But what machine will read it in 10 years? Reproduce it? And understand the meaning of the data (sound? commands? spatialization? automation?...)? How about those digital cameras about ten years ago? Documentary photographic work entombed in Konica cameras, for example, has been lost forever, with no way to get it out.

Of course, there are distributed networks. The Internet as storage, depending on the willingness of the storage company to stay in business (remember the mp3 lockers?), has possibilities. Until you're a victim of commerce.

Some reading:

In "Brick Wall" Charles D'Ambrosio (Harper's Magazine, November 2001) speaks of ongoing progress and rebuilding in Chicago: "There were piles of rubble such as you imagine in war, but the absence of declared enemies and the lethargic unfolding of time kept people from seeing the scale of the shift as catastrophic."

As archivists around the world are discovering, the unfolding loss of the creative results of our technological near-present history is indeed catastrophic. But because electronic/electroacoustic/computer works fade, slowly, one by one, leaving tiny piles of rubble visible only to those who pass by and notice, we artists -- always bustling with progress and building up our new ideas and shucking off the past as, well, the past -- have become both the persecutors and the victims of this impending historical disaster, and unwittingly welcome the dismantling of what we set out to accomplish.

One doesn't have to be obsessive about history to know that it's that elephant over there, waiting. By purchasing copy protected software, we are our past's future's own undoing.

Are there solutions?

Yes. Well. That was easy. Here:

  1. Eliminate challenge/response and other company-dependent copy protection and use serial numbers keyed to your purchase information

Too simple? Yeah, and it ain't gonna happen because there are too many users cowed into buying protected software by their own delusion of need for the newest, greatest, most expensive. Okay, then if a company is so paranoid that they think they need challenge/response, I have already proposed the following to MakeMusic!, the authors of Finale, and have posted it several times on newsgroups and listservs:

  1. Publish the protection information truthfully on the website and ordering materials, removing comments that it is not copy protection.
  2. Create a universal unlock (skeleton) key. Most software companies already have one.
  3. Escrow that key to a third party contracted to the software company only for that purpose.
  4. Create and publish a support schedule for version obsolescence (product end-of-life).
  5. Publish the key and distribute it to purchasers when that version is no longer supported.
  6. Authorize the third party to publish the key when the software company violates the support schedule or shows other indications, with the third party as sole arbiter, that the product is endangered through the software company's tech, support, or economic failures or for the failure of the software company to provide authorizations in a timely manner or otherwise disrupt its use by legitimate purchasers.
  7. Require the serial number to purchase upgrades, as is done now.
  8. Include the universal unlock key escrow and release process as part of the user agreement and warranty.

Gadget Labs had a product called WaveZip. When I bought it, I didn't realize it was a challenge/response product -- until I upgraded my hard drive and had to call for re-authorization. Needless to say, I stopped using it immediately. But Gadget Labs did something quite good. When they realized their business was ending and they could no longer support their products, they published the universal unlock codes on their website. I oppose victimware, and would never have purchased WaveZip had I known about the challenge/response protection -- but Gadget showed that, despite their misstep in enabling it to begin with, they could ultimately do the right thing.

So the solution above is satisfactory even if it shouldn't be needed. It works for everyone, protecting buyer and seller, at least until some H. G. Wellsian Day of the Comet arrives and changes all our behavior from predatory to collaborative. AOI

Prove it!

This form does not function from this archived copy of this article.

Manufacturers have repeatedly defended their copy-protection. So here's our "challenge/response". This is not a scientific survey, but I have tried to make the questions as objective as possible.

Survey of Companies that Create, Manufacture, Sell and Distribute Software

1. We use copy protection:
Software (Challenge/Response)
Software (Serial Number)
Firmware (Key Disk)
Hardware (Dongle)
2. Our protection method is:
Third Party (Commercial)
Third Party (Contracted)
N/A (No Copy Protection)

3. We have stopped using copy protection

4a. For challenge/response copy protection methods, have you:
Published your protection information truthfully on the website and ordering materials.
Created a universal unlock (skeleton) key for your protected software.
Escrowed the unlock (skeleton) key with a Designated Third Party (DTP) contracted to you only for that purpose.
Created and published a support schedule for version obsolescence (product end-of-life).
Contracted to publish the skeleton key and distribute it to purchasers when that version is no longer supported.
Included the unlock key escrow and release process as part of your user agreement and warranty.
Authorized the DTP to publish the key if you violate the support schedule or show other indications, with the DTP as sole arbiter, that the product is endangered through your tech, support, or economic failures or for your failure to provide authorizations in a timely manner or otherwise disrupt its use by legitimate purchasers. (Note: No likelihood of such circumstances is to be inferred from the answer to this question.)

4b. For firmware (key disk) or hardware (dongle) copy protection methods, have you:
Published your protection information truthfully on the website and ordering materials.
Created a universal protection-disable utility for your protected software.
Escrowed the universal protection-disable utility with a Designated Third Party (DTP) contracted to you only for that purpose.
Created and published a support schedule for version obsolescence (product end-of-life).
Contracted to publish the universal protection-disable utility and distribute it to purchasers when that version is no longer supported.
Included the universal protection-disable utility escrow and release process as part of your user agreement and warranty.
Authorized the DTP to publish the universal protection-disable utility if you violate the support schedule or show other indications, with the DTP as sole arbiter, that the product is endangered through your tech, support, or economic failures or for your failure to provide authorizations in a timely manner or otherwise disrupt its use by legitimate purchasers. (Note: No likelihood of such circumstances is to be inferred from the answer to this question.)

For all copy protection methods (present or past):
5. Did you see a change in sales after enabling copy protection?
No Change
No Data
N/A (Always Copy Protected)
N/A (Never Copy Protected)
6. Did you see a change in sales after removing copy protection?
No Change
No Data
N/A (Never Copy Protected)
N/A (Always Copy Protected)
7. Do you attribute sales changes to the copy protection (use or removal)? Yes No

8. If you do attribute sales change to copy protection (use or removal), please describe how you validated these results:

9. Do you believe copy protection is an issue of...
Not Applicable
No Answer

10. Please add comments about this history of copy protection on your products, or to clarify any responses:

For all respondents. Please note that the submission of this form will be checked with the company that is identified in #13:
11. Your Name
12. Your Title
13. Company Name
14. Official Email
15. Telephone

16. May we associate your answers in our published results with your company by name? Yes No

176 Cox Brook, Northfield, Vermont 05663