Software Audits

A Western District of New York Magistrate Judge recently recommended that claims filed by the owners of several copyrighted songs (allegedly performed without their permission) should be dismissed as a result of the plaintiffs’ membership in the American Society of Composers, Authors and Publishers (“ASCAP”). In ruling on a number of pre-trial matters, the Judge independently raised the issue of the plaintiffs’ standing to sue based on ASCAP membership agreements they had attached to a motion for summary judgment. Those agreements included the following provisions:

1. "[Plaintiff] grants to [ASCAP] for the term hereof, the right to license non-dramatic public performances ... of each musical work .... The rights hereby granted shall include:
(a) All the rights and remedies for enforcing the copyrights or copyrights of such musical works ... as well as the right to sue under such copyrights in the name of [ASCAP] and/or in the name of [plaintiff] and/or others, to the end that [ASCAP] may effectively protect and be assured of all the rights hereby granted.
* * *
3. [ASCAP] agrees, during the term hereof ... to hold and apply all royalties, profits, benefits and advantages arising from the exploitation of the rights assigned to it by its several members, including [plaintiff], to the uses and purposes as provided in its Articles of Association.
4. [Plaintiff] hereby irrevocably, during the term hereof, authorize, empowers and vests in [ASCAP] the right ... to prevent the infringement thereof, to litigate, collect and receipt for damages arising from infringement ... and to release, compromise, or refer to arbitration any actions, in the same manner and to the same extent ... as [plaintiff] might or could do, had this instrument not been made.
5. [Plaintiff] hereby makes, constitutes and appoints [ASCAP] or its successor [plaintiff's] true and lawful attorney ... to do all acts, take all proceedings ... proper or expedient to restrain infringements and recover damages".
6. [Plaintiff] agrees from time to time, to execute, acknowledge and deliver to [ASCAP], such assurances ... as [ASCAP] may deem necessary or expedient to enable it to ... enjoy ..., in its own name or otherwise, all rights and remedies aforesaid."

The Judge stated that the effect of the above provisions was to strip the plaintiffs of their standing to sue under Article III of the U.S. Constitution. Under the Judge’s interpretation of the agreements, the plaintiffs assigned exclusively to ASCAP all rights to seek remedies for infringement of the covered works. Therefore, according to the Judge’s recommendation, none of the plaintiffs was unable to show that his “individual need requires the remedy for which he asks…that he stands to profit in some personal interest…and that he personally would benefit in a tangible way from the court's intervention." (internal quotes and citations omitted)

Many software publishers, including Microsoft, Adobe and Autodesk, are members in industry trade groups such as the Business Software Alliance (“BSA”) and the Software & Information Industry Association (“SIIA”), which typically operate under powers of attorney from the publishers to target small-to-medium-sized businesses with allegations of software copyright infringement. In the event of litigation arising from such allegations, filed either directly by the publishers or by the BSA or SIIA, it would be a good idea to carefully review all relevant membership documents to determine the scope of authority under which the named plaintiff has filed the action. It will also be interesting to watch the New York litigation to see if the Magistrate Judge’s recommendation is adopted by the District Court and upheld on appeal, if any.

The BSA and SIIA are not the only organizations pursuing business for software copyright infringement. Though it is a member of both the BSA and SIIA, Autodesk, which manufactures the popular design software AutoCAD, often pursues audit targets on its own.

The audits begin much like those instituted by the BSA or SIIA. The target of Autodesk’s audit will receive a letter from a law firm representing Autodesk demanding the business’ cooperation in disclosing the number Autodesk installations on its network and the number of Autodesk licenses it owns, including serial numbers. The law firm will assert it has received information that indicates the business may have more installations of Autodesk software than it is licensed to use. The letter will go on to describe the various penalties associated with copyright infringement and it may threaten the business with civil litigation.

Targets who receive such letters should treat the matter very seriously. It is important to know your legal rights and protect your legal position before responding to a request for information from a software publisher who is trying to conduct an audit. Additionally, many companies who prepare their own responses to Autodesk without the benefit of counsel and before conducting a thorough investigation often receive an unexpectedly high settlement offer from Autodesk.

In many cases, Autodesk demands a settlement payment calculated as the MSRP of the allegedly unauthorized products installed on the business’ network multiplied by three. The multiplier, Autodesk argues, is the penalty for using unauthorized software and is assessed in lieu of proceeding with formal judicial resolution. The use of multipliers as an approximation of damages is a hotly contested issue.

When responding to Autodesk audit requests, companies should work with experienced counsel to thoroughly investigate the software usage on their computers, protect themselves by requesting agreement from Autodesk regarding the use of the materials that will be produced in the audit, and negotiate a resolution geared toward ensuring future compliance.

In many software audits, the auditing entity like the Business Software Alliance or the Software & Information Industry Association requires a dated proof of purchase to demonstrate when a license for a software product was acquired. However, in audits initiated by Autodesk, the serial number can play a crucial role in demonstrating ownership.

Autodesk products are typically upgraded frequently and Autodesk usually issues a new, unique serial number with each purchase. When responding to an Autodesk audit, the business that owns Autodesk products may elect to provide the serial numbers in lieu of the invoices. It is important to provide serial numbers for the versions of the products that are installed and in use as of the date of Autodesk’s letter. For instance, if a company upgraded a copy of AutoCAD ® 2000i to AutoCAD ® 2004, the company should not provide both serial numbers to Autodesk in response to the audit request.

It is also important to realize that Autodesk licenses are generally non-transferrable without Autodesk’s written permission. If an audited company is planning to produce a serial number for a product that was not obtained from an authorized Autodesk reseller, there is a strong likelihood that the company will not get credit for the license.

If you have been audited by Autodesk, please seek advice from experienced counsel before responding. For more information, please visit www.scottandscottllp.com.

New Licensing Model for Microsoft Windows Web Server 2008

Microsoft will apply a new licensing model to Windows Web Server 2008. Microsoft will no longer restrict the number of users that can access the Web Server. Though Windows Web Server 2003 did not require Client Access Licenses (CALs), it did limit access to 50 users. CALs are licenses that allow a user or machine to access the functionality of the server software. A CAL is separate and distinct from the server software license and is generally required in addition to the software license. According to Microsoft’s web site, located at http://www.microsoft.com/windowsserver2003/howtobuy/licensing/priclicfaq.mspx, Windows Web Server 2003 does not require CALs.

The End User License Agreement for Windows Server 2003 also supports this conclusion. The License Agreement contains a provision excluding from the CAL requirement any user or device accessing the server solely through the internet that is not authenticated or otherwise individually distinguished by the server software. This allows internet users to access the server and request web pages from an internet browser. However, Microsoft did place a 50-user access limit in the Web Server license terms.

Microsoft will remove the 50-user access limit contained in Web Sever 2003 from Web Server 2008, provided that the server is deployed as a internet-facing, front-end server. Microsoft will also remove from Web Server 2008 restrictions on how its built-in database components may be used.

If your business needs assistance selecting a server product and understanding its licensing structure, you should contact counsel experienced with licensing issues and software compliance.

One of the most common mistakes I encounter in software audits is what I call the post-effective date software buying spree. The buying spree occurs in response to a letter from a publisher or publisher's attorneys requesting a self audit. Many clients are discouraged to learn that software purchases made after the date of the initial letter have no impact in a software audit matter. For this reason, I advise my clients against scrambling to acquire software in response to a software audit.

The first thing a target of a software audit needs to do is preserve the evidence of software products installed on the company’s computers as of the audit effective date. Second, the software installed needs to be reconciled against proof of purchase information to determine whether there is gap between licenses owned and software installed. Third, a decision needs to be made regarding whether to purchase or uninstall any unlicensed software. The auditing entity is only concerned with those products installed as of the audit effective date, and accepts only proofs of purchase dated on or before that date.

I advise my clients that regardless of what was installed on the audit effective date, they only need to purchase software licenses for products that they need to use going forward. Although it will not resolve past liability, companies may choose to uninstall unlicensed products at the conclusion of the audit matter, rather than purchase unnecessary software simply because it was installed on the effective date. At the conclusion of a software audit matter, the target must certify that it has come into compliance through the combination of buying and\or uninstalling the products in question.

One of the most controversial tactics the software policing agencies use when calculating its settlement demands is its practice of unbundling software suites such as Microsoft Office and Adobe Creative Suite. Unbundling occurs when the target of an agency audit is unable to provide acceptable proof of purchase for one or more installation of a software suite.

The effect of unbundling is to dramatically and artificially inflate the monetary component of an agency settlement because the fines are based upon the MSRP of each component part of the software. In an agency software audit involving Microsoft Office for example, they unbundle the suite by separating Microsoft Outlook, Microsoft Word, Microsoft Excel, Microsoft PowerPoint, and Microsoft Access and then calculate its proposed fine on the basis of the MSRP of each component. This practice results in a proposed fine per installation of approximately $2,000 for a product with a market price ranging from $150 to $350, depending on the version.

In my opinion, the practice of undbundling is completely contrary to law because the software suites of an agency's member publishers are compilations under the copyright law and therefore constitute a single work for purposes of calculating statutory damages for infringement. The U.S. Copyright Act 17 U.S.C. § 101(c) defines a compilation as follows:

A "compilation" is a work formed by the collection and assembling of preexisting materials or of data that are selected, coordinated, or arranged in such a way that the resulting work as a whole constitutes an original work of authorship. The term "compilation" includes collective works.”

The statutory damages provision of the U.S. Copyright Act 17 U.S.C. § 504(c) provides in pertinent part that:

For the purposes of this subsection, all the parts of a compilation or derivative work constitute one work.

Federal court’s have also interpreted these provisions to preclude recovery of statutory damages for the component parts of a compilation. For example, in XOOM v. Imageline, the Court of Appeals for the Fourth Circuit only made one statutory damage award for each compilation of electronic clip art, even though each compilation included thousands of works because “[a]lthough parts of a compilation or derivative work may be ‘regarded as independent works for other purposes[,]’ for purposes of statutory damages, they constitute one work.” XOOM v. Imageline at 285, citing H.R. Rep. No. 94-1476, at 162 (1976).

Similarly, in WB Music Corp. v. RTV Communications Group, 445 F.3d 538 (2d Cir. 2006) the Court of Appeals for the Second Circuit interpreted 17 U.S.C. § 504(c) and discussed the distinction between compilations authorized by the copyright holder that constitute “one work” for statutory damages purposes and collections of separate works compiled by the defendant and never authorized by the copyright holder. Because the software suites implicated in SIIA audits involve separately copyrighted works included in a compilation authorized by the copyright owners, section 504(c) applies and prohibits the award of statutory damages for the component parts of the suite.

Like all audits, success in a SIIA software audit depends less on what you own and more on what you can prove that you own. Although not required by law, the SIIA takes the position that a target company is out of compliance for each installation of SIIA member software products for which the target company cannot produce a dated proof of purchase. Many clients are dismayed to discover what does and does not constitute valid proof of purchase according to the SIIA.

Not Considered Valid Proof
1. Copies of Checks to Software Vendors
2. Dated Purchase Orders
3. Undated Software Licenses
4. Credit Card Statements Evidencing Software Purchases
5. Certificates of Authenticity
6. Media, Manuals, or Key-Codes
7. Invoices Bearing and Entity Name Other than the Entity Named in the SIIA’s Initial Letter

Valid Proof of Purchase
1. Dated Invoices in the Name of the Audited Entity
2. Soft Records (online account statements) from Recognized Resellers
3. Signed and Dated License Agreements
4. Soft Records from SIIA Member’s such as Microsoft Licensing Statements
5. Cash Register Receipts for Retail Sales where Product, Version, Quantity and Price Paid are Included.

Understanding how the SIIA analyzes software audit materials is critically important to achieving the most favorable outcome. In our experience, it is the most time consuming and difficult part of the process for clients to handle on their own.

Scott & Scott, LLP is not affiliated in any way with the SIIA

One of the top ten questions asked by my clients is “How long does the self-audit process take from start to finish?” Of course I give the standard lawyer answer: it depends. Here are the steps to a typical software audit.

Preparation of Audit Materials (3 to 6 months)
A software audit is a request, under threat of litigation, to compile a listing of software products installed on the audited entity’s computer network as of the Audit Effective Date. The Audit Effective Date is the date on the initial letter requesting an audit. The first step in preparing this information is conducting an automated inventory of the software products installed on all computers owned or leased by the target company, using a software inventory tool such as Scott & Scott's Compliance Manager. Once an accurate inventory is completed, the next step is to reconcile the software inventory information with proofs of purchase dated prior to the audit effective date. While there are various ways to prove ownership of a software license, typically an invoice is considered the best evidence of ownership in a software audit. In the typical case, the software inventory and reconciliation process takes three to six months.

Secure a Confidentiality and Federal Rule of Evidence 408 Agreement (1 week)
With very limited exceptions, we advise the targets of software audits to cooperate with the self-audit process but to do so in a way that does not compromise their position in the event that an out of court settlement is not possible. We do not disclose any information to the audting entity until it signs an agreement regarding the confidentiality of the information disclosed and specifically limiting the entity's ability to introduce the information as evidence in court. In the typical case, this is signed within one week.

Audit Entity Analyzes Self-Audit Materials and Makes a Settlement Demand (3 to 6 months)
After the self-audit materials are submitted by the target, the auditing entity typically takes three to six months to respond. The response provides its interpretation of the self-audit materials and applies a formula for its initial settlement proposal. In many instances, the settlement proposal is substantially more than the target may have expected due to differences of opinion regarding what constitutes valid proof of ownership. In our experience, the auditing entity usually takes three to six months to make substantive response following the submission of the self-audit materials.

Negotiation of Monetary and Non-Monetary Terms of Settlement (6 to 24 months)
After the auditing entity makes its initial settlement demand, there are various monetary and non-monetary terms that need to be negotiated. The obvious material term in every software audit negotiation is the monetary amount to be paid to the auditing entity for alleged past infringement. The most significant non-monetary issue is whether the auditing entity will agree to a confidentiality provision. Such provisions require the auditing entity to keep the existence and details of the audit confidential and preclude the them from issuing a press release. The length of the negotiation process differs from case to case but generally lasts between six months and two years.

One of the first things I ask a prospective client is: What is the date on the initial letter you received from the SIIA? The date on the initial in a SIIA letter is often referred to as the Audit Effective Date. This date is important for many reasons. I like to tell my clients that a software audit measures a snap-shot in time – what SIIA member software was installed on the company’s computers as of the Audit Effective Date. Once you have an accurate inventory of what was installed on the Audit Effective Date, the next step is to determine what proofs of purchase are available to establish purchases prior to the Audit Effective Date.

When a software audit matter is settled, the target is required to certify that the audit results provided during the course of negotiations are true and correct as of the Audit Effective Date. For this reason uninstalling software that was installed on the effective date, or purchasing software products after the effective date have no impact on the calculation of fines in software audits. It is critical to obtain an accurate inventory of the software installed on the target company’s computers as quickly as possible, using a software inventory tool such as Scott and Scott's Compliance manager, following receipt of the initial letter from the SIIA. Failure to understand the importance of the Audit Effective Date, has caused companies to go on software buying sprees in response to a software audit and to report results to the SIIA reflecting the software installed on a date after the Audit Effective Date. I believe that both of these strategies are mistakes that should be avoided.

The most common mistake we encounter in software audits is the failure to compile and produce accurate installation information. Like all technology projects, collecting the information to produce in response to a request for an audit can be very complicated and time consuming. To begin the audit process, it is necessary for the company to select an automated software discovery tool, such as Scott & Scott's Compliance Manager. Even for small environments, employing a manual process to review the software on each computer is time consuming and unreliable. Any automated discovery that is conducted directly by the client or by a third-party provider will not be protected by the attorney-work product privilege because the privilege only applies to communications between attorneys and their clients. Many tools capture information related to the software installations on a computer network, but produce the results in a format that the company cannot interpret. Even worse, many companies produce the audit results from the free tools provided by the trade associations. These tools, more often than not, inaccurately report the data and fail to exclude information that is outside the scope of the audit request.

Companies also err in the audit process by relying on their IT staff to respond to the request for an audit. Members of IT departments typically prepare audit reports containing information that is incorrect or beyond the scope of what is required to adequately respond. This is particularly problematic because the release of liability contained in most software audit settlement documents is contingent on the accuracy of the results produced during settlement negotiations. If the technology department improperly reports the software installations, the monetary portion of the settlement will be inflated, and the release of liability will be jeopardized.

Another common error audited companies make is submitting improper documentation in an attempt to demonstrate proof of ownership for software licenses. Contrary to popular belief, trade associations and publishers only accept dated proofs of purchase, with an entity name matching that of the audited company, before acknowledging that the company owns a license for a particular product. For this reason, companies should avoid purchasing additional licenses of installed software in response to a request for an audit as these purchases will be irrelevant to the audit. Companies should seek the advice of counsel regarding the purchase of additional software during the audit process and the impact that it may have on the pre-litigation audit and any subsequent litigation that may arise.

Because most clients are not able to properly interpret copyright laws and software licenses without specialized legal assistance, it is critical to involve experienced counsel in the process of interpreting the software installation information gathered by the automated discovery tool and reconciling that data with all available proof-of-purchase information. Once the installation information has been collected, it should be reviewed to determine whether it only includes information within the scope of the audit. Additionally, licensing models are often dependant on the actual use of the product in the company’s specific environment. In other words, you cannot interpret the license without a thorough understanding of the computing infrastructure and how the software is being used from a technical perspective. Other licensing considerations that require specialized knowledge and expertise include client access licensing, upgrade and downgrade rights, and licensing for non-concurrent laptop use.