Unless you've been living in a cave for the past couple of years, it's not news to you that you need to own a license for all the software you use for home or business. Over the past few years, it has become steadily less acceptable to pirate software, and more dangerous to do so.
First, there's an ethics question: the software companies survive by making software good enough for people to buy it. No matter how much you enjoy programming, there's a limit to how much you're willingóor can affordóto do for free. Pirating software is not a statement against big software companies; it's stealing someone else's work.
Second, pirated software is an excellent source of viruses. This is less of an issue (but not unheard of) if you're pirating by passing a single copy of an application around your organization without buying licenses for everyone; however, if you download illegally-copied software from a bulletin board service (BBS) catering to self-proclaimed "hackers," you're really risking your hard disk. Face it: the type of person who thinks it's okay to copy someone else's work, and distribute it to anyone who wants it, may also be the type of person who'd infect that work with a virus before posting it on the bulletin board. Of course, if you pick up an illegally copied program and it's virus-infected, you've got little recourse with the original product manufacturer.
Third, an organization named the Software Publishers' Association can impose fines or temporarily shut down your organization for even a single software license violation. We'll discuss this organization and its role and powers later in this chapter, but at the outset you should be aware that this organization exists, and that that they can go after you even for unlicensed shareware.
For these reasons, it's best to be conscientious when it comes to software licensing. This chapter covers the following topics that should make your task of keeping track of your organization's licenses a bit simpler:
In its simplest form, a license is a proof of purchase. This proof can take a variety of forms, such as the following:
ï The envelope that the disks (or other component of the product) came in that says something along the lines of, "When you break this seal you are agreeing to the terms of the license agreement."
ï The disks themselves
ï The page in the manual titled "Licensing Information" or other wording to that effect
ï A paid receipt for the software (not a purchase order, which is simply a proof of intent to purchase)
Not all licenses give you the same powers and privileges: they can authorize the use of software by a machine, person, network, site, or company. The following sections provide a general overview of the various license types, but please note that licenses vary by manufacturer, and the specific license for each product is the one to which you must adhere. Also, keep in mind that not all software is available with all the following license types. Check with specific vendors to see what's available.
A single-user license gives the person to whom the software is licensed the right to use it on any machine, as long as he or she is the only person to use that software. In other words, if your word processing program carries a user license, then you can use that program on your home machine, work machine, and a laptop you take on business tripsóas long as you're the only person using the software. A user license does not give your friend the right to use your word processor on your home machine while you're at work, or give one of your co-workers the right to use the word processor on your machine while you're on the road.
Many licenses for common applications are user licenses, but be sure to read the fine print on each license (discussed later in this chapter) and check each manufacturer's policy before you start installing your software on all your personal machines.
User licenses often are available as a block license in increments of 25 or 50 users, particularly for network software such as an operating system.
A usage license, also known as a workstation license, authorizes anyone to use the software, as long as it is used on only one machine at a time. On a network, a usage license usually authorizes a certain number of concurrent users. Once you install software licensed to a workstation on your work machine, for example, you cannot legally copy that software onto your home machine, even to work at home with the same files and for the same company as when you're at the office.
Usage licenses are increasingly popular, touted as a way to reduce costs by paying for usage rather than for each person using the software. Some packages on the market today let you choose between user licensing and usage licensing.
Usage licenses are good for situations like shift work, where three people might do the exact same job, but do it at different times of the day. Usage licenses also are good for users who only use packages sporadically during the day, because you can get double- or triple-duty out of one license. For roving users who constantly use the same package throughout the day, however, a usage license might not be very practical. Likewise, a usage license is not a good idea for anyone who may use one machine one day, but a different machine the next.
Not surprisingly, a network license gives anyone on the same network the right to use the software. The definition of a network in this context is less flexible than some of the networks discussed elsewhere in this book: in terms of software licensing, a network usually refers to the machines connected to a single file serveróalmost certainly it's limited to a LAN rather than a WAN (see chapter 4, "Upgrading to a WAN," if you need a refresher on the difference).
Unless you have only one network in your workplace, a network license is not the same thing as a site license (described in the next section).
A network license is broader-reaching than a block license that is used on a network (refer to the "User Licenses" section), because a network license is not limited to a particular number of users; however, all things being equal, a network license usually is more expensive.
A site license is the next step up from a network license. Rather than limiting you to using the software on a single network, a site license permits anyone at your office's physical location to use the software. This permission is limited to those in that building, however; users at a branch office connected across a wide-area link are not included, and you should check with the specific manufacturer to see if telecommuting employees have rights to the software on the days when they dial into the office from home. It's possible that you'll have to buy extra licenses for them to use the same software on their home machines.
The broadest permission to use software is an enterprise license, by which any member of your organization has the right to use the software. (Enterprise, in this case, means the corporate enterprise rather than a network connecting more than one kind of NOS.) The rights granted by an enterprise license generally extend to dialup users, users across WAN links, and so on. As you might expect, this type of license is quite expensiveóit's only cost-effective for very large organizations in which many employees use the same software packages.
A license from a particular vendor might not always fit neatly into one of these categories, and might even overlap more than one category. For example, the license for MicroGrafx's Windows Draw! provides instructions for setting up the software both on a single-user basis and on a network (see fig. D.1).
Figure D.1 A license agreement can encompass more than one kind of license.
Now that you've got a basic idea of the various kinds of licenses, how can you make sure you're doing the right thing when it comes to licensing? Well, if you've got more than a couple nodes on your network, you need an organized system for tracking licensesóthis can be either paper-based or computer-based.
All right, you're a network administrator, and you're used to handling computer software. Why would you manually track licenses when there are automated systems that can do it for you?
One reason is that complexity might be brought about by a particular network design. For example, if users store their applications locally, but you have peer-to-peer connections in your network, then software metering needs to be local as well. There's a flaw in the design of some metering programs that won't release a license if the user doesn't exit an application normally (for example, if there's a sudden power outage and the user's computer shuts down). More metering programs are being designed to avoid this problem, but the time required to meter all the applications on a system still can be considerable. It might be easier to set up a less proactiveóbut less time-consumingómanual tracking procedure, like those described in the following sections.
***
Manual tracking works best for small networksówhen you get bigger, it's often easier to automate.
***
For networks in which each workstation has a fair amount of storage space nearby, you can just assign each software package a number, and then give each employee using that package a numbered copy. When the employee receives the software, the business manager gets a signed receipt. The business manager also needs a signed inventory from each employee, listing the software loaded on his or her machine. The inventory form should look something like the one shown in figure D.2.
***
Assigning the software by number rather than by name prevents the confusion that can arise when two people with the same name are on the network, or when Bob leaves and the new employee, Janet, inherits software named something like "Bob's SmartSuite."
***
Thereafter, each employee is responsible for keeping track of his or her work software and licensesóif something happens to the software, then it's up to that employee to replace it or at least to request a replacement through the appropriate channels.
Although the physical method has real advantages for a small network with a relatively stable population, it has some pretty serious disadvantages as well. First, you might not want everyone on the network to have direct access to disks. If you've installed a limited version of the software on their system (for example, you've installed Windows without games), then you certainly do not want them to circumvent your planning. Giving people direct access to disks is also potentially dangerous in terms of licensing and viruses. If an employee decides that he needs that software on his home machine, he might violate the license agreement, and worse yet, might infect the disks if there's a virus on the home system.
Second, many workstations don't really have the space to keep a bunch of software boxes around. If they do have sufficient storage space, is it secured with a lock? If another user does not have their own software anymore (for whatever reason), he might be tempted to "borrow" the software assigned to another person if that software is easily accessible.
In short, having everyone on the network keep track of their own software is only a good idea if you have a small network with a highly computer-literate, responsible staff, as well as plenty of storage space that can be locked. If you can't meet these requirements, consider a more centralized form of license control.
For those who want to keep track of their software licensing without installing an automated system to do so, it may be practical to put one person (perhaps the business manager, in cooperation with the network administrator or software support types) in charge of license tracking. The network administrator gets the software, the business manager gets the licenses, and the user provides a statement of the software installed on the machine. If the user brings in any outside utilities (such as shareware), he or she must account for them and provide licensing information.
It's true that this method still relies to an extent on the honesty and record-keeping abilities of the users on the network, but it has the advantage of centralizing control and licensing accountability. It's also a system capable of maintaining records of the software on each system without metering each system.
For larger networks, where the bookkeeping involved is too much for the business manager to track licensing manually, there's no shortage of metering and monitoring programs on the market. McAfee, Frye, and 3Com are just three of the big-name makers of such utilities, and there are dozens of shareware metering programs available through the Internet or online services such as CompuServe. The shareware metering programs usually are cheaper and less powerful than off-the-shelf programs, but are just right for some networks. Some NOSs (such as Microsoft's NT Server 3.51) now come with monitoring capabilities.
Don't forget that shareware metering programs are subject to the same licensing rules as software that you buy in a store. If it says "unregistered copy" and you've had it on your system longer than the evaluation period listed in the accompanying licensing information file (usually a 30-day period), then you're in violation of the license.
In automatic license tracking, there are basically two approaches: metering and monitoring. The essential difference is that metering prevents violations, and monitoring, well, monitors themóthat is, rather than ever preventing use, monitoring software just watches and keeps track of the number of users accessing a piece of software at any given time. Although this isn't easily to diagram literally, figure D.3 illustrates the conceptual difference between metering and monitoring, using a fictional software package named DrawRight.
Properly executed, software metering only permits a certain number of people to access a program. If the meter is set up for twenty simultaneous users, then when the twenty-first person attempts to start the program, he or she sees a message saying that the licenses for that program have been used up, and that he or she should try again later.
If a user attempts to run a metered application when all the available licenses are in use, the user sees a message.
Although the exact procedure varies from product to product, you set up a meter in the following fashion:
1. Install the software on the machine where the program to be metered resides. The software probably has to be in the same directory as the program.
2. Run the meter in administrative mode, and select the program or programs to be metered.
3. Specify the number of instances of that program that are allowed to run simultaneously. This number should be equal to or less than the number of licenses you have purchased for the program.
4. Enable the logging feature (if available) so that you can see how many times people try to access the file. This can help you determine if and when you need more licenses.
5. Save and exit.
Again, the specifics vary by program, but that's the basic idea. What you're doing is making the meter intervene between the user and the application, so that the meter can regulate usage. The log keeps track of those accessing the program, and also those attempting unsuccessfully to do so. If you don't choose to have the access activity logged, the metering itself can still occuróyou just don't get any record of access activity.
Software monitoring is more useful for seeing just how many licenses you need before you buy them. Assume, for example, that you have a copy of Word on the server, and you think that ten people are using it. You've got ten licenses, so you're in the clear. When another user develops a need for Word (perhaps someone who has always had an assistant type their letters begins typing their own, for some reason), that's an eleventh person who needs the software. Unfortunately, the network administrator and business manager might not think to add this person to the list of people needing licenses for the software, because the change in business practice seems to only affect who's typing a letter. Monitoring software would notice that sometimes the number of Word users now exceeds the number of valid licenses, so you could investigate and find out that the eleventh person has a legitimate use for it, then obtain another license.
With anything automated, there's a serious temptation to buy it, install it, and let it take care of itself. Automated license tracking systems don't work that way. Although they represent an easier means of tracking a large number of licenses than doing it by hand, the automated systems do require some effort from you. They can't tell you anything if you don't help a little.
Here are some tips to help you improve your software metering or monitoring practices:
ï Set it up as soon as possible. It's easy to get bogged down with network updates and other distractions, but metering or monitoring software won't do you any good if it sits on the shelf. Make time to set it up as soon as possible for all the applications that are to be tracked.
ï Make updates on a regular basis. This follows naturally from the previous tip. It's tempting to say that you'll make all necessary licensing changes as soon as they are required, but most people are too busy to be sure that they'll have the time. It's easier to schedule updatesóusers to be added, licenses to be added, or new applications to be monitoredóif you plan to do them at a regular interval, like once a week.
ï Back it up. The information garnered by your tracking system is important. Make sure that it's part of your regular backup program, so that if something happens to the hard disk that's being metered, you don't lose all the data you've gathered.
ï Don't keep the results to yourself.This information might do you, the network administrator, some direct good, but often, you're not the only one concerned about the results of the metering and monitoring logs. You set up the tracking to accumulate certain information: make sure that the information goes where it's supposed to.
This chapter has talked a lot about what a license is, and how to keep up with your licensing obligations. You may be wondering, however, who will care if you don't live up to these obligations. How will a manufacturer ever find out?
Actually, the manufacturer does not have to find out. A non-profit organization named the Software Publishers' Association (SPA) can take action on behalf of the software manufacturer. Let's learn more about the SPA.
The SPA is a non-profit private organization based in Washington, D.C. (they're not an arm of the federal governmentóthey just have offices in the city). It was created in 1984, with 25 member companies, in order to provide a voice to represent and protect the software publishing industry. The SPA's anti-piracy campaign began in 1989. As of late 1995, its membership numbered over 1200 companies. Member companies pay dues and authorize the SPA to audit businesses on their behalf.
Most of the SPA's actions begin with a tip on its hotline (currently the hotline receives about 30 calls per day). The SPA evaluates the tip in terms of its factual basis, the extent of the violation (unsurprisingly, one extra copy of a shareware game, for example, is of less concern than 2500 unlicensed copies of Lotus 1-2-3), and the perceived motivations of the person callingóthat is, is the person calling out of genuine concern about the violation, or is the call motivated by revenge? If the latter, does the call seem legitimate? Much of this sort of evaluation is done by instinct, rather than established criteria.
Once the SPA decides that a tip is worth looking into, it conducts its own investigation to verify the alleged violation. If it cannot substantiate the violation, the process ends there.
If the SPA collects enough information to file a lawsuit (the group does not act unless it does collect enough), it contacts the company to notify it of the identified violation, and informs the offending company of the action it intends to take. In most cases, this action takes the form of an audit, in which the SPA's auditors physically check the software on each computer in the company against the proof of purchase that the company provides. The best proof of purchase is an invoice or paid purchase order, as that's probably the easiest thing for most companies to lay hands on, but disks or manuals sometimes are accepted. On average, the audit takes about four months (the exact time depends on the size of the company and how cooperative it is), during which time the company can operate normally except that its employees occasionally might have to deal with auditors bumping them off of a machine to audit its contents. If the violation is confirmed, then the company must pay a fine to the SPA in the value of the unlicensed software, and the illegal copies are destroyed.
In serious cases, the SPA does not perform an audit but instead files civil or criminal charges against the offending company. The SPA has permission from all its members to audit companies on their behalf, but if a lawsuit is necessary the member company must grant permission to the SPA to file the lawsuit at that time. The fines can be up to $100,000 per civil violation, and up to $250,000 (as well as up to 5 years in prison) per criminal violation. Once again, the pirated software is destroyed so that the offender has to buy legitimate copies as well as paying any fine that is levied.
In the most drastic scenario, the SPA can get a judge to issue a warrant to perform a raid on a company (audits, remember, are announced by letter before the auditors show up). In such a case, a federal marshal accompanies the auditors to protect them (in case the offending company has a bad reaction to the auditors' appearance) and to explain that they are authorized to be there. This sounds dramatic, but once the initial few exciting minutes are over, the raid proceeds like a normal audit.
The SPA is not an organization of crusaders; it looks out for the interests of its members. This means that if a tip reports a license violation concerning software published by a company that is not a member of the SPA, then the SPA will not take action on the basis of that particular violation. If the violation is large enough to pursue, however, chances are good that the offender is violating the license of a member company as well, so the SPA may investigate anyway. If this turns out to be the case, then the SPA conducts an audit on behalf of the non-member company as well as the member company. Since all fines go to the SPA rather than to the company, this doesn't change anything as far as fines are concerned.
The SPA's function goes beyond punishing software licensing violations. They also provide training, educational software, and videos (including a rap video titled, "Don't Copy that Floppy") to explain why you should keep up licensing, and to help you do it right. To fund these activities, the SPA relies on the fines from licensing violators as well as the dues paid by its member organizations.
Why is an organization like the SPA necessary in the first place? The answer has to do with the peculiar nature of software as intellectual property. Copying has been around as long as originals have been around. Books, cassettes, compact discs, and videotapes are common targets. However, the market for the originals of these products (where originals are available and relatively inexpensive) is less easily affected because of two characteristics of the copies:
ï They take some effort to make.
ï Their quality normally is lower than that of the original, and gets worse if subsequent generations of copies are made.
In other words, a printed work usually is more readable as a bound book than as a sheaf of photocopies, and music or video usually sounds or looks better on the original than on copies. Where they violate copyright laws, illegally-made copies of books or videos are also hard to distribute on a large scale without getting caught.
Software is a kettle of fish of a different color. No matter how many generations you make of a binary file, it's still the same file. If you load Microsoft Word on 50 machines, the application works as well on every machine as it did on the first. That's true even without the original disksóif you copy the disks over and over, the quality of the copy does not deteriorate with each generation.
Understandably, this creates some worry for software manufacturers. It's no good to sell the world's best software if one person can buy it and give it to all of his or her friends. This was less of a problem several years ago, when hard disk space was still rare and expensive; back then, people had to keep program disks around if they wanted to use complex programs, since the hard disk didn't have enough space to store lots of applications. As disk space has become more affordable, the scope of the problem has increased.
For a time, some software vendors tried using key disks (you needed a "startup" disk to run an application), and special codes in the manual that were needed to start an application, but these protection means were cumbersome, so consumer demand has sent them the way of the dodo. Software vendors now are dependent on the ethics of consumers who buy their software, and on organizations like the SPA, to make sure that they are paid for their product.
This chapter described various types of software licenses, provided information to help you identify your present licensing situation, and explained some ways that you can make sure you're fulfilling your responsibilities to software manufacturers. You also learned about the SPA, how it polices software licensing, and what penalties exist for certain violations.
Armed with this knowledge, you should be prepared to keep track of your network's licenses, and make compliance adjustments as necessary.
