
My Thoughts on Software Piracy

I don't worry too much about Balsamiq Cracks or Balsamiq Key Generators. Here's why.

A fellow software entrepreneur emailed me today with this question:

My question is, as I am trying to get an application of mine built in AIR, and it is commercial software, with features disabled that I want enabled after entering a license key... since AIR sends out your whole SWF file that can easily be decompiled, what do you recommend doing to protect your IP since it's basically being given away free with every download? It could also be easily cracked I assume.

What he is referring to is the fact that Adobe AIR application files are really in essence simple Flash movies (SWF files), zipped up. SWFs are, and have always been, fairly easy to decompile, which means that you can run the SWF through a piece of software which will spit out the original source code for the application (what he refers to as "your IP" in the question).

He suggested I answer in a blog post, so here it is.

My short answer is this: I don't do anything to protect against decompiling, and I'm not too worried about it.

The following is my current thinking on software piracy and what to do about it. These are just my current views, I don't claim them as great ideas of my own. It's just what I have learned so far, from different people, books, blog postings, etc.

Also, I realize that the rise of SaaS might make this less relevant in the future, but who knows... I think the future is hybrid, we'll see.

The software buyer/hacker spectrum

I don't like generalizing, but here it goes. I believe there are 3 main categories of software users when it comes to purchasing software versus stealing it: "those who'll buy", "those who might buy" and "those who will never buy".

In the pie chart below I refined it a bit to 5 categories, and since I don't know how big they really are, I intentionally made all the pieces the same size, except for the yellow one, which I believe is the biggest one:

Let me describe each piece before discussing how I approach each one.

  • At one end of the spectrum are those who will never spend money on your software. This category includes actual criminals who will steal your SW to repackage it and sell it, high school kids who like to show off their hacking skillz, and others who simply believe software should be gratis.
  • Then there's a piece of the world population who simply cannot afford to spend money on your software, or at least not a lot. These people probably don't feel great about using cracked versions of your software, but they do it because they need it and cannot afford what you are charging for it. In other words, they have bigger problems to deal with.
  • I think the majority of people in the world fit in the yellow (gray?) area in the middle. They'll use pirated software if it's easy to get, but will pay for it otherwise. The more expensive the software, the more these people will shift towards the red pieces.
  • Then there's a piece that only pays for software because they fear getting caught stealing it. I think this pie includes a big chunk of businesses too.
  • The last piece is the nice guys, the honest people who pay for what they use, pay all of their taxes, etc.

I try to please each segment of the population with a different approach:

  • For the criminals: you can't beat them on technical grounds, just forget it. If people want to crack software, they will, code obfuscation and call-home schemes or not (these guys write decompilers before breakfast). The way to deal with this is to have a nice End User License Agreement on your site as well as a Terms of Use document. Make sure that each download link says "I agree" on it, and basically give people the impression that you have done your homework, have a lawyer and are not some rookie waiting to be taken advantage of. Oh, and do keep a good lawyer handy to help you if the time comes. If you find out that someone is selling your same product under a different brand, I believe that a strongly worded letter from your lawyer might go a long way... then again, who knows. But as I will explain later, this doesn't matter that much.
  • For the hackers: again, don't try to beat them with crazy encryption schemes, because they are better than you: what you consider a nuisance to code is their passion. My approach is this: try not to make enemies and don't give them a challenge. If you are perceived as "a nice company", the likelihood you will be targeted by hackers is lower (I wonder how many Windows viruses were created because of MS's arrogance and offensive remarks about Linux over the years). This is, in small part, why I give so many licenses away to nonprofits and do-gooders of all kinds. Also, if the software is cheap to start with, has a free version available, and the license key looks fairly simple to hack, why bother hacking it? I believe these are all factors that contribute to why only 16 people have Googled "balsamiq serial" so far (in over 8,800 search-generated-visits).
  • For the "I believe software should not be paid for" crowd... just give them the software for free! I am a fan of OSS, and though it doesn't make sense for me financially to go that route, I like to contribute by offering free versions of all my software to open source projects. Plus it's not like they would pay for it anyways...
  • For those who can't afford it: offer a fully functional but "somewhat uncomfortable" version of your software for free. This way they'll be able to use the software (some) and not even bother looking for a cracked version of it somewhere. This is what I do with the demo on this site. It nags you every 5 minutes, but you can dismiss the nag and keep working. You cannot save wireframes to file from the software, but you can export the XML and save it in a text file, only to re-import it later. In short, it's a bit of a pain, but you can use it. It's a fine line: you want to give enough away to be useful, but you want to make it annoying enough that people will rather buy the full version, for convenience or for added features. Oh, and give the full version away to those in this category who ask you directly, in exchange for a promise to spread the word about it. Again, it's not like you'd get their money if you had stricter protection...
  • Then we have the yellow guys. These are who your licensing code should be designed for. You want to shift as many of these as possible towards the green side, not the red side. Here's what I do: I have a license key that's fairly simple to read or type (it will be something more or less like this made-up one: eOLi0odswsqklKz/C36lOzM0srD9E0MjIxNjM3MgCBGQw3). The key alone doesn't unlock the software, it needs your full name as well (it's encoded in the key and the two have to match). The size and format of the key are important because making it too long or hard to deal with (like having them download a license file from your servers then placing it in a specific directory, or having the software "call home" on launch) would reduce the usability of your software and give this kind of user the impression that you really don't think they should be trusted. The fact that the key has a name in it is a big psychological deterrent to sharing it. If I found a key on a cracked site, I'd be able to immediately trace it back to the owner. I believe this, coupled with the accessible price of my software, is enough to sway most of the "yellow area" people in the buying direction.
  • The "embed the name in the key" trick works well for those who buy the software because they fear getting caught with a cracked copy as well. Another thing to do here could be to embed the key (and thus their name) in every file that your software generates. I don't do this, but I know some do.
  • For those of you who pay for my software based on your moral values, I thank thee, and wish you happiness and prosperity. The world needs more of your kind.
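
A sketch of the "name embedded in the key" scheme described in the list above, as an added example that is not Balsamiq's actual licensing code. The key layout, the truncated HMAC and the secret are assumptions constructed for illustration; it shows both checks the post relies on: the typed name must match the key, and a leaked key can be traced to its owner.

```python
import base64
import hashlib
import hmac
import unicodedata

# Assumption: constructed demo secret. Anything shipped inside the client can
# be recovered by decompiling it; a signature scheme (private key at the
# vendor, public key in the client) avoids handing out the issuing secret.
VENDOR_SECRET = b"constructed-demo-secret"
TAG_LEN = 10  # truncated MAC keeps the key short enough to type


def _canonical(name: str) -> bytes:
    """Fold case and whitespace so small typing differences still match."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split()).encode("utf-8")


def _tag(body: bytes) -> bytes:
    return hmac.new(VENDOR_SECRET, body, hashlib.sha256).digest()[:TAG_LEN]


def issue_key(name: str) -> str:
    """Vendor side: encode the buyer's name plus a MAC over it."""
    body = _canonical(name)
    if not body:
        raise ValueError("a license key needs a non-empty name")
    raw = base64.urlsafe_b64encode(body + _tag(body))
    return raw.decode("ascii").rstrip("=")


def owner_of(key: str):
    """Return the name embedded in a key, or None if malformed or altered."""
    try:
        raw = base64.urlsafe_b64decode(key + "=" * (-len(key) % 4))
    except ValueError:  # also covers binascii.Error
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(body)):
        return None
    return body.decode("utf-8")


def verify(name: str, key: str) -> bool:
    """Client side: the typed name must match the name inside the key."""
    owner = owner_of(key)
    return owner is not None and hmac.compare_digest(
        owner.encode("utf-8"), _canonical(name))
```

`owner_of` is the tracing step: run it on a key found in the wild to read back the licensed name.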

To sum it up:

  • Give lots away.
  • Have a simple key with a name embedded in it.
  • Relax.

In the end, the code doesn't matter that much!

A couple of months ago I was explaining to my dad how I try to be as transparent as possible, sharing my revenue numbers, designing my features in the open, blogging about it all, etc. I believe it builds trust in Balsamiq and frankly I wouldn't want to do it any other way.

At the end he asked me: "Ok, I think I get it. But what is "your secret"? What's the thing that, if someone stole or copied from you, would mean catastrophe for your company?"

I thought about it for a second, and I realized that there isn't a single thing.

Balsamiq is a simple product, a good coder could create a clone of it in a couple of months starting from scratch. Someone could post a crack for my licensing algorithm on a BitTorrent site today.

I don't think either would spell catastrophe for Balsamiq.

People buy products from companies they trust and respect, and who treat them well in return. People buy software if they know that the people behind it care for their success while using it. They want to see the software improved continuously and with a passion. They care about a sensibility for usability and attention to details.

These aren't things one can steal.

I believe Balsamiq is successful so far because of all that I do every day: the site, the blog, the promotions, helping customers, listening to their ideas...and of course improving the product with new features and bug fixes. It's one big puzzle, every piece contributes to the whole (what Geoffrey Moore calls "The Whole Product Model").

Something funny

While I was writing this post I thought about checking if Balsamiq had in fact been cracked without my knowledge and was available for download somewhere.

So I did some research, and while "The search of balsamiq was not successfully" [sic] on Astalavista :), I did find something on TorrentTractor. Check it out, one of the files is 833Megabytes! Now, the original Balsamiq for Desktop file is less than 3Mb right now... I pity the fool who downloads almost a Gig of crap, likely full of viruses, trojans and who knows what... I couldn't have done a better job at polluting the hacker sites myself! 🙂

In conclusion

I want to leave you with a quote from my former boss Pete Santangeli, which I think sums it all up nicely: "the best way to slow down your competitors is to give them your source code".

Brilliant! 🙂

This article was originally posted on the Balsamiq Blog. You can read several useful comments on it there.