Who Are The BSA and What Power Do They Have?
The following article is based on a recent conversation with an ITAM Review reader.
Reader – Q. Who are the BSA?
The Business Software Alliance (BSA) are an international body financed by the biggest software companies on the planet (BSA Members).
Their work is split into two parts: education/awareness and enforcement.
One half of their business promotes the legal use of software and does PR and marketing around anti-piracy; the other half takes companies to court (if necessary) to reclaim lost revenue on behalf of the software vendors.
Unlicensed software use can take very different forms, such as:
- Companies unknowingly installing software they don’t have a license for
- Companies knowingly installing software they don’t have a license for
- Kids ripping CDs of their favourite games in their bedrooms for their friends
- Illegal rackets creating counterfeit software to finance organised crime
Rather unhelpfully, the BSA collects all these different types together and labels them as – Pirate!
Q. What power do they have?
Quite a bit. Firstly, they act with power of attorney on behalf of their members, who in turn are supported by their End User License Agreements (EULAs), which you have accepted by proxy because you have their software installed.
Q. The BSA has requested that our company completes a ‘Self-Audit’
Is it a marketing style flyer or genuine letter addressed to you and your company?
(Some enforcement agencies, or companies trying to act like enforcement agencies, sometimes send speculative letters with a software amnesty, suggesting that companies complete a self-assessment, realize the error of their ways and sort themselves out. This is based on no evidence other than the fact their address is in the telephone book.)
Q. No, it was a genuine and certified letter addressed to our company. They suspect one of our subsidiaries may not be properly licensed and have even quoted the specific products for which we are not licensed.
The BSA (and vendors in general) has two main sources for this information: either a tip-off or some form of product activation mechanism. I am unsure whether the BSA only works on tip-offs or whether it also acts on activation information from vendors; either way, they have some incriminating evidence.
Q. So this letter might stem from a tip-off from one of our previous employees?
Correct. The BSA actively encourages individuals to report piracy (see https://reporting.bsa.org/r/report/add.aspx?src=us).
“In 2008, the Business Software Alliance received more than 2,500 reports of illicit use of software by companies in the U.S. It settled 588 cases for a total of $9.5 million. The BSA also paid out $136,000 to 42 informants, with the average reward being about $3,000.” (Source: Software Piracy: The whistle-blowers’ motives)
You must bear in mind when approached by a vendor or enforcement agency that they are sometimes acting on a suspicion or incomplete information. Sometimes it is simply a case of furnishing them with the remaining pieces of the jigsaw puzzle. For example, a vendor might be aware of your volume purchases but not underlying OEM licenses bought via retail.
Reader letter reads as follows:
“The Business Software Alliance (“BSA”), an association comprised of leading software publishing companies, has received information that [COMPANY] may have installed illegally duplicated copyrighted software programs on its computers. Specifically, [COMPANY] may not have the licenses required to support all copies of [SPECIFIC APPLICATIONS] currently installed on its computers.
….The BSA member companies instead wish to resolve this matter amicably by providing [COMPANY] with an opportunity to conduct its own company-wide investigation….. (the) investigation must include an audit of all the software published by BSA members installed on its computers and a review of the software licenses and proofs of purchase, such as invoices or receipts, for those licenses.”
Note that it says “all the software published by BSA members”. So even though the tip-off was regarding one vendor, they might want to know about all the others. This is similar to the zero-tolerance policing policy in New York in the early nineties: if you are guilty of one misdemeanour with Adobe, we’ll check Microsoft and Autodesk whilst we’re here.
Letter continues:
“…. Please do not destroy or replace any copies of any of the computer software products published by the above-mentioned companies that are currently installed on your company’s computers prior to a conclusion to this matter.”
At this point the BSA may be acting on evidence that you are not aware of. If they find out you are doing some retrospective deleting to cover your tracks, you are likely to get the book thrown at you.
Q. What is the risk?
Fines and penalties vary by country. As a worst-case scenario, take the retail price of the unlicensed products, then triple that value as a fine. So let’s say you have 1,000 machines which have a $250 unlicensed software application; the total exposure is potentially $1M ($250 x 1000 for the product, then $250 x 1000 x 3 for the fine). Add to that any bad press (see BSA Fines: The Hidden Costs).
Software companies love loyalty and predictable revenue, which is why many companies who find themselves at the wrong end of a compliance audit without the right information to hand end up signing multi-year, all-you-can-eat agreements. The all-you-can-eat agreement serves as a band-aid to cover up the underlying issue: that the company does not have control of its IT estate.
The solution is SAM.
About Martin Thompson
Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.
Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).
When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.
Hi Martin,
My understanding is that vendors can also provide the BSA with “tip-offs”, so it is not always a disgruntled employee. I’ve dealt with cases where there was suspicious enough activity going on in a company, but at the time we didn’t have any proof to provide, so when we advised the vendor of our suspicions they “referred” the matter to the BSA. Not sure of what happened after that (clearly not made public) but needless to say there are many different ways that you can end up on the desk of the BSA.
Your comment on the bottom is perfect though… the answer is SAM.
Hi. You have a typo in the title. They should be the, however, the use of are is incorrect. BSA is an organization and should be referred to as it. It is not a person, singular or plural. The title should be “What is the BSA and What Power Does it Have? Before you rewrite the article, check you facts and be sure you have accurate background on the BSA and how it operates. Your source is uninformed and incorrect on many counts. It’s never a good idea to use a source and not check to make sure the material is accurate. It undermines your credibility. You could contact BSA directly. They have an office in London. They have a press representative in Washington, DC. The survey referred to in question four is three years old and it isn’t an example of how the BSA encourages individuals to report. It’s a number reported by BSA without a context of what kind of companies and if the number is more or less than previous years. Who cares? The letter quoted in the article is a well-known example used often over the years. But what is it’s significance? What can we learn or what actions can we take if we receive such a letter. And the closing paragraph is nothing more than opinion and hearsay. On what basis can you claim that users are signing agreements to avoid audits? Is it a BSA survey or did it come from an anonymous source at Microsoft? The best think to do is delete this article and explore a course in writing for the Web and be sure pick up a style guide as well as an editor with a background in journalism.
Concerned Reader,
Thanks for picking up my typo. Much appreciated.
re: “Your source is uninformed and incorrect” – on what basis? Which specific points are you suggesting are inaccurate?
I did contact the BSA prior to publishing this article.
What is the significance of the points I make: That the BSA have power and that the letter should be taken seriously. Hence the title.
My ‘opinion and hearsay’ is based on experiences of end user organisations under pressure to finish an audit.
Thanks for your advice on editorial. I don’t want a journalist anywhere near my site thanks.
Hiding somewhere deep behind Concerned Reader’s contempt may be a reasonable point. I cannot speak for the BSA, but I can about some other ‘self-audit’ programs run by the major vendors. The methods used to generate leads are often highly sophisticated, and in my experience neither tip-offs nor product activation records are typically involved. This information is sometimes distributed to trusted partners, so I wouldn’t be at all surprised if they occasionally did so with the BSA. I think it’s highly unlikely that the BSA would have access to the requisite depth of information otherwise. Either way, I whole-heartedly agree with Martin’s conclusion that the solution is SAM!
useful article. Is it ok to quote this article in my blog, of course with due credit?
Joe
Certainly. No problem.
The best “think” for “Concerned Reader” to do is to stop commenting on typos in articles, seeing as their own comment contains several of its own.
Sounds like good advice to me Martin.
The solution is FOSS, GNU/Linux, etc. We’re right back to not being able to fix your printer driver. Especially if you use a Microsoft OS, given the BSA is 90% a MSFT front. The other companies are hoping to piggyback on MSFT.