High Time for Your Software Audit (Or Else!)

August 2001


Performing Your Own Audit

I have previously suggested that you might want to audit the servers (and perhaps all other computers) in your organization to check on

a) their physical configuration (CPU, RAM, etc.)

b) their current operating system, applications, and use

c) their future intended use

with a view to seeing what machines will be upgradable to the newer operating system software coming from Microsoft.

Another reason for performing this survey is to see whether any Open Source software is already at work there. Because a Linux or BSD machine with Samba looks like a Microsoft machine to the network, it is easy to be fooled by a cursory polling. While you are investigating, remember that the most likely Open Source hosts are any machines connected to the Internet, such as Web servers, Web application servers, and mail servers. Lowly file and print servers, particularly if they are old machines, are likely candidates as well.

Despite the fact that some 65% of Web servers are running Apache (an Open Source product), there are a great many business managers who have no idea either that Open Source software is at work within their organizations, or what the benefits of that software are. That's a subject I've also talked about previously.

This month I'd like to extend your audit awareness beyond the idea of using Open Source products just to extend hardware life and save software costs.

Does Somebody Else Want You to Make an Audit?

While you are at it, have you considered counting your Microsoft and other proprietary licenses and matching them to the machines? Can you prove you bought every copy?

Please don't think that the computer industry's recent devotion to protecting intellectual property in all forms (not just software) is merely an American phenomenon. The Business Software Alliance, an organization that actively hunts down users who don't have proper software licenses, is active in Europe (for instance http://www.bsa.org/europe-deu/) and around the world as well.

The organization takes a gruff crime-fighter attitude towards users, solicits denunciations through its own bocca di leone (https://bsa20.securesites.com/espana/report/formulario.phtml), and offers Spitzelgeld to informers (http://www.bsa.org/ireland/press/newsreleases/2000-10-11.52.phtml; http://www.bsa.org/asia-eng/press/newsreleases/2000-05-29.61.phtml). From time to time various geographical regions are targeted and a time-limited amnesty is announced: perform your own software audit, declare your licensing shortcomings to the BSA by a certain date, and pay considerably less in fees and penalties than if the BSA has to come looking for you (http://www.bsa.org/deutsch/press/newsreleases//2001-07-04.652.phtml; http://uk.bsatruce.com/). The BSA posts its success stories on the Web (http://www.bsa.org/sweden/press/newsreleases//2001-05-28.602.phtml).

Four things that should interest you as a small to medium-sized business owner are that these actions can happen to any organization, that no fault needs to be found for an audit to be an expensive proposition, that the license form does not have to specifically authorize a vendor's right to audit, and that businesses of your size are the targets, not large corporations.

The BSA's Web site in the United States no longer lists the many news stories of lucrative audits the group has conducted; an idea of what it was once like can be found by examining this page from a licensing software vendor who is promoting his software to help with self-audits during amnesty periods: http://www.pcprofile.com/busted2.htm.

Before we go any further, please understand that the actions of the software vendors and their organization, the Business Software Alliance, are all legal. Using software without paying for it violates copyright laws. Microsoft makes its point bluntly (http://www.microsoft.com/uk/piracy/). No responsible business owner wants to put himself in the position of a criminal, but the smaller the business, the fewer the resources and the less attention paid to matters of ensuring auditable licensing compliance. The large corporations have large staffs to look after such details, including staff lawyers who make sure that the corporation is following all applicable laws and regulations.

Small businesses, on the other hand, cannot assume that they are too small to be of interest to the BSA. As a means of frightening users into compliance, any scalp hanging from the belt will do, and if it comes from an unlikely head, such as local government or the public schools, the effect is all the greater. The cases below will give you an idea.

The City of Virginia Beach

In the fall of 2000, the City of Virginia Beach, Virginia settled a licensing case with Microsoft for $129,000. When asked by Microsoft to show licenses and proofs of their purchase for 3,900 computers, the city could not find licenses for 13% of the 6,526 Microsoft items installed on those machines. The city got off cheaply because the basic fine starts at $150,000, but it still took a quarter of the IT staff at a cost of $81,000 to comply with the audit demand.

Some commentators have tried to argue that the audit was possible only because the city is in Virginia, which is one of only two states to have approved the Uniform Computer Information Transactions Act (UCITA), a law that enforces otherwise unenforceable requirements in software licenses. Such commentators are probably thinking of a Microsoft requirement under its Open Licensing plan that deals in licenses only, not individual copies of software or documentation. Under this plan the user is required to supply a software inventory and proof of purchase on demand.

But it is not this licensing requirement or its enforceability that is important here. The schools cases cited below shows that the same thing can happen to an organization in a non-UCITA state. All it takes to trigger an audit is for an informer to fill out the BSA form cited above, or to telephone the toll-free number the BSA provides. This was the case in Philadelphia, and very probably in Los Angeles as well.

Philadelphia and Los Angeles Public Schools

In Philadelphia a teacher used a single disk to install Microsoft Word on a few computers that normally use AppleWorks; the users had complained that the schools' central office was sending them Word .doc files which they could not otherwise read. As a result of this violation, the school system must audit all 264 schools and the central office to complete an inventory of Microsoft products and proof of their purchase before being allowed to reach a settlement with Microsoft. The school system could not afford the few copies that triggered the case in the first place, let alone now pay for the audit, legal expenses, and any settlement costs; it has already announced that without help from the Federal government it cannot not pay its 27,000 employees. So far as I know the case is still open.

The Los Angeles city schools fell even deeper into the licensing compliance pit in 1996, when an audit revealed several hundred unlicensed copies of Macromedia and Microsoft products. At $150,000 per violation, the potential cost was $19.8m, plus cost of audit and legal expenses. The schools had already spent $8m for technology during the 1995-6 school year, but they had obviously not budgeted enough to make sure their licenses were provable. The case was settled for a $300k fine and an agreement that the schools spend $3m to replace the unlicensed products and $1.5m to create a "piracy team" inside the school system to police licenses in the future. Businesses may judge for themselves whether they can expect such gentle settlements as the schools received.

Tua res agitur

There are two reasons for Europeans not to dismiss the anecdotes above as simply tales of American business practices gone wild. For one thing, there are ongoing discussions in The Hague with a view to bringing American-style intellectual-property law to the EC. For the second, if the stories of current European enforcement (see the BSA Web sites above) do not make you wonder whether it is time for your own quiet computer/software audit, the headline on a BSA press release, "WATCHDOG GROUP 'SWEEPS' ACROSS EUROPE, THE US, ASIA, THE MIDDLE EAST, SOUTH AFRICA AND LATIN AMERICA" (http://www.bsa.org/uk/press/newsreleases//2001-05-25.595.phtml) should wake you up. Elsewhere the BSA has said that it is targeting 5,000 medium-sized businesses for software audits; they believe that license compliance in large corporations is better.

Tougher Proprietary Licensing Means Increased Total Cost of Ownership (TCO)

Not only are all software vendors becoming tougher, Microsoft is undertaking an ambitious move to sell all its software as subscription services that will extract more money from users while holding them under the continual threat of having their software turned off (more on that next month). For all of these reasons it is time for IT departments to consider their present position and future options with regard to proprietary licenses and Total Cost of Ownership. A growing advantage of Open Source software is that you won't have to worry about the BSA.

Copyright © 2001 by Donald K. Rosenberg, Stromian Technologies (http://www.stromian.com)

Return to Rosenberg's Corner -- Topics