One of the most striking findings in the global survey data we are releasing this week is the fact that 42 percent of the people who use paid cloud services for business say they share their log-in credentials inside their organizations. This points to a worrisome new avenue for software license abuse, and it is the latest sign that piracy is evolving in the cloud era, rather than dying out.
Let me stress: Credential-sharing within organizations does not always amount to pirating cloud services. In some cases, organizations may hold licenses that allow users to share accounts. In fact, many cloud service providers charge for their services not by “seat” but by the volume of computing resources consumed, making the path users take to access those resources less important.
But it is worth noting that 56 percent of those who use paid cloud services for business believe it is wrong to share employer-provided log-in credentials for those accounts with other people in their organizations. (That includes many of the very same people who are doing it.) And in many cases, depending on the terms of their service agreements, they would be right: Sharing credentials would in fact constitute license abuse.
Two other points are especially noteworthy. First, there is a decided split in the credential-sharing habits of users in emerging markets and their counterparts in mature markets. In emerging markets, 45 percent of those using paid cloud services for business say they share their log-in credentials internally, compared to 30 percent in mature economies. This mirrors a trend we have long seen in the rates of piracy for installed PC software — the problem is significantly more acute in emerging economies.
Second, the computer users who admit they pirate PC software most frequently (a question we asked directly in this year’s Global Software Piracy Study) also are more likely than other users to say they share log-in credentials for paid cloud services.
This highlights the chronic nature of software piracy, and it underscores a point BSA articulated in the policy blueprint we released earlier this year as part of our Global Cloud Computing Scorecard: We need to modernize intellectual property laws so they provide clear protection and allow for vigorous enforcement against misappropriation and infringement of IP in the cloud
BSA first began assessing how piracy might occur in the cloud in late 2010 and early 2011. We conducted a series of interviews with industry experts and frontline technologists in our member companies and other sectors and concluded cloud piracy could take at least four forms:
- End users could abuse their licenses for cloud services by sharing their account credentials.
- A rogue business could set up a “dark cloud” to deliver illegal software or offer software as a service without a license for redistribution.
- An enterprise could set up a private “dark cloud” for its own use — that is, to provide pirated software to its employees.
- An enterprise could use a private “gray cloud” to provide legally purchased software to more users than the license allows.
Of those four types of cloud-related IP theft, sharing credentials for public cloud services might prove to be less of a long-term threat than the types of piracy that can occur in private cloud environments hosted by enterprises. That is because private clouds are merely efficient, scalable architectures for delivering traditional IT tools — which are typically licensed the same way whether they are installed locally for each individual user, or deployed through traditional networks or clouds.
For decades now, the most common form of enterprise software piracy has occurred when an otherwise legal company buys a license to install a program on one computer but then installs it on tens, hundreds, or thousands of additional machines. Today, in a private cloud environment, the company can centrally serve the software to all of its users rather than install it on their individual hard drives. But the end result is the same: The company is paying for fewer licenses than it should.
It is critical that we enforce copyright laws in both sorts of cases. Given the rate at which cloud services are growing — especially in emerging economies — the balance appears likely to shift.