The conviction of four self-proclaimed Robin Hoods for conspiracy to defraud last week has raised some serious questions over just how much public resource should be diverted into helping software companies protect their wares when they don't use all the security technology currently designed for just this purpose.
The gang members, collectively known as DrinkorDie, who were arrested between December 2001 and January 2002, were sentenced at the Old Bailey last week for their part in a global software counterfeiting ring. Three of the four — Alex Bell, Mark Vent, and Andrew Eardley — worked or were previously employed as IT managers while the fourth — Steven Dowd — was unemployed. Sentences ranged from 18 months to two years, with Eardley's sentence suspended for two years.
The gang was charged with conspiracy to defraud after being arrested by the UK National Hi-Tech Crime Unit, which acted on information coming from US investigations including Operations Blossom and Buccaneer in 2001.
DrinkorDie formed part of a so-called "warez" group — from the plural of software — which operates by allegedly disseminating pirated copies of computer software, games, movies and music on the Internet. According to the US Justice Department, warez members distributed material to "select clientele" over secure servers, and those files eventually end up on an IRC network or a peer-to-peer file-sharing service.
The latest major US operation against warez groups, termed "Operation Fastlink", began last year and consisted of 120 searches in 27 US states and 10 other countries, with US authorities estimating that the seized copyright material was worth $50m.
But despite the apparent success of such investigations, some experts have questioned whether so much public sector time and money should be spent on what could be seen as essentially copyright infringement.
Peter Sommer, a security specialist called as an expert witness for the defence in the DrinkorDie case, claims the group should never have been prosecuted under charges of conspiracy. "The main concern that I have is the colossal expenditure of the UK investigating trial, which stems from the way the Crown Prosecution Service (CPS) decided to charge this. Because the CPS decided to go with conspiracy charges rather than charging individuals substantively under copyright or trademark law, it increased costs by several million pounds," he says.
While Sommer acknowledges that the crimes committed were not victimless, he argues that the corporate victims weren't exactly defenceless but rather large companies that are, in the main, not even based in the UK.
"While they do have a problem, there are various remedies in terms of the civil courts and how they sell and distribute software. When there's scarce funding available, in my view, protecting companies is lower down the scale than protecting children abused by online paedophile rings," says Sommer.
Other experts have also questioned whether the ponderous judicial system can really keep pace with the changing activities and trends amongst the hacking fraternity. "Trends are shifting and because crackers do this for academic pleasure, they're going to want to move onto what's trendy. Warez groups are starting to die out, and although there's still quite a lot of activity on the Web, it's mainly between hackers and so is a limited market," says Neil Hare-Brown, senior security advisor at security incident response company QCC Information Security.
Crackers have started looking for challenges elsewhere, argues Hare-Brown. While some have simply refocused their energies on working within the open source community in a more benevolent fashion, others have started concentrating on the games market, which so far has received less attention from law enforcement agencies than the commercial applications world.
"There's already an illegal burgeoning in the games market, with a good number of recent cracks on disk protection. The market is now saturated and it's easy to distribute illegal software in markets like that. People are just ripping stuff off DVDs and putting it on peer-to-peer networks," says Hare-Brown.
But another problem, indicates Sommer, who works as a research fellow at the London School of Economics, is that the lack of structure of warez groups means that members simply reappear elsewhere under different guises if they come under scrutiny.
"I suspect that many of the people that were in DrinkorDie are now doing other things. The US produced affinity charts trying to marry individuals to groups and it got very complex because a lot of them had different roles in different groups," he explains.
This lack of central structure means that it is very difficult to pursue a decapitation strategy or to round up ring leaders and "makes it a different type of case to investigate than drugs cartels", where there is an obvious hierarchy.
As a result, from a software publisher's point of view, Sommer believes, "going down the legal route is not the most effective means of protecting intellectual property. Mechanisms such as online registration may be rarer, but they're more effective because you can connect a software release to a real computer".
But Shona Jago, communications director for Europe, the Middle East and Africa at anti-piracy group the Business Software Alliance (BSA), claims it was necessary to make an example of the DrinkorDie members to try and prevent such cases happening again.
"This group did a lot of damage while it was operating and other groups are still doing damage. I think there's a deterrent value in showing that the law can act against this type of criminal activity. It's important that people understand that this type of activity is against the law and they can get caught," she says.
The BSA claims that while DrinkorDie may have been shut down as a result of co-ordinated global law enforcement actions, other warez groups are still active and continuing to cause harm. Jago was unable to provide figures on how much money software vendors had lost as a result of DrinkorDie's illegal pursuits but cited a study undertaken by IDC and commissioned by the BSA to indicate the knock-on effects of piracy on the wider economy.
The report found that 29 percent of software in the UK is not licensed properly, and that if 10 percent of this software was properly licensed and paid for, the industry could generate a further £10 billion towards the UK's gross domestic product, provide £2.5 billion more in tax revenues and create 40,000 extra jobs, all within a three-year period.
But some security experts claim it is high time that software vendors started becoming more proactive in protecting their software by using readily available technological mechanisms to safeguard it.
Hare-Brown said: "It's not rocket science. It's about software companies making up their minds. They either want evidence to show that this software should be on that PC or they want as wide a distribution of their software as possible and so are prepared to turn a blind eye. So the question is why haven't they put more stringent mechanisms in place to license their software before?"
Even five years ago, before online license registration was possible, suppliers could have requested that customers register their applications over the telephone, for example.
The fear was, however, that they would simply go to rivals rather than bother, "so the software companies made it simple to use and asked customers to just click and agree. But now they don't want people stealing their software so they're gradually tightening down and it's also easier to do now there's the Internet", explains Hare-Brown.
There are already mechanisms in existence that could be used to stop software piracy from the outset such as digital watermarking or authentication, he argues.
"There's been a lot of research work funded by the European Union to come up with better mechanisms to prevent software piracy. It's put a lot of money into it, but it always takes time before the software community gets together and decides to adopt any particular form of copyright prevention technology," says Hare-Brown.
The BSA's response to such logic is that, while its members have been exploring such options for some time, there is no one-size-fits-all approach and different software markets require different IP protection solutions. "In terms of technical solutions, it's something that the industry has been looking at since piracy began. But it's a question of balancing intellectual-property protection against not holding back the legitimate needs of users," says the BSA's Jago.
Self-proclaimed anti-piracy groups such as the BSA argue there is "no silver bullet" for solving these problems as at the end of the day it comes down to individual ethics.
"The DrinkorDie group were hobbyists who were more or less competing among themselves as to who could crack code the quickest, but the problem is one of IP protection. In some cases, it's taken years and a huge investment to develop this software and if it's cracked and made available to anyone who wants to download it, it can be used for counterfeit purposes to sell on," says Jago.