A fellow software entrepreneur emailed me today with this question:
My question is, as I am trying to get an application of mine built in AIR, and it is commercial software, with features disabled that I want enabled after entering a license key.... since AIR sends out your whole SWF file that can easily be decompiled, what do you recommend doing to protect your IP since it's basically being given away free with every download? It could also be easily cracked I assume.
What he is referring to is the fact that Adobe AIR application files are really in essence simple Flash movies (SWF files), zipped up. SWFs are, and have always been, fairly easy to decompile, which means that you can run the SWF through a piece of software which will spit out the original source code for the application (what he refers to as "your IP" in the question).
He suggested I answer in a blog post, so here it is.
My short answer is this: I don't do anything to protect against decompiling, and I'm not worried about it.
The following is my current thinking on software piracy and what to do about it. These are just my current views; I don't claim them as great ideas of my own. It's just what I have learned so far, from different people, books, blog postings, etc.
Also, I realize that the rise of SaaS might make this less relevant in the future, but who knows...I think the future is hybrid, we'll see.
The software buyer/hacker spectrum
I don't like generalizing, but here it goes. I believe there are 3 main categories of software users when it comes to purchasing software versus stealing it: "those who'll buy", "those who might buy" and "those who will never buy".
In the pie chart below I refined it a bit to 5 categories, and since I don't know how big they really are, I intentionally made all the pieces the same size, except for the yellow one, which I believe is the biggest one:
Let me describe each piece before discussing how I approach each one.
- At one end of the spectrum are those who will never spend money on your software. This category includes actual criminals who will steal your SW to repackage it and sell it, high school kids who like to show off their hacking skillz, and also very legitimate and respectable entities like the Free Software Foundation others who simply believe software should be gratis (the strikethrough is due to a mistake of mine in confusing free as in speech vs free as in beer. My bad, I respect the FSF!).
- Then there's a piece of the world population who simply cannot afford to spend money on your software, or at least not a lot. These people probably don't feel great about using cracked versions of your software, but they do it because they need it and cannot afford what you are charging for it. In other words, they have bigger problems to deal with.
- I think the majority of people in the world fit in the yellow (gray?) area in the middle. They'll use pirated software if it's easy to get, but will pay for it otherwise. The more expensive the software, the more these people will shift towards the red pieces.
- Then there's a piece that only pays for software because they fear getting caught stealing it. I think this pie includes a big chunk of businesses too.
- The last piece is the nice guys, the honest people who pay for what they use, pay all of their taxes, etc.
I try to please each segment of the population with a different approach:
- for the hackers: again, don't try to beat them with crazy encryption schemes, because they are better than you: what you consider a nuisance to code is their passion. My approach is this: try not to make enemies and don't give them a challenge. If you are perceived as "a nice company", the likelihood you will be targeted by hackers is lower (I wonder how many Windows viruses were created because of MS's arrogance and offensive remarks about linux over the years). This is, in small part, why I give so many licenses away to non-profits and do-gooders of all kinds. Also, if the software is cheap to start with, has a free version available, and the license key looks fairly simple to hack, why bother hacking it? I believe these are all factors that contribute to why only 16 people have Googled "balsamiq mockups serial" so far (in over 8,800 search-generated-visits).
- for the "I believe software should not be paid for" crowd...just give them the software for free! I am a fan of OSS, and though it doesn't make sense for me financially to go that route, I like to contribute by offering free versions of all my software to open source projects. Plus it's not like they would pay for it anyways...
- for those who can't afford it: offer a fully functional but "somewhat uncomfortable" version of your software for free. This way they'll be able to use the software (some) and not even bother looking for a cracked version of it somewhere. This is what I do with the Mockups demo on this site. It nags you every 5 minutes, but you can dismiss the nag and keep working. You cannot save mockups to file from the software, but you can export the XML and save it in a text file, only to re-import it later. In short, it's a bit of a pain, but you can use it. It's a fine line: you want to give enough away to be useful, but you want to make it annoying enough that people will rather buy the full version, for convenience or for added features. Oh, and give the full version away to those in this category who ask you directly, in exchange for a promise to spread the word about it. Again, it's not like you'd get their money if you had stricter protection...
- then we have the yellow guys. These are who your licensing code should be designed for. You want to shift as many of these as possible towards the green side, not the red side. Here's what I do: I have a license key that's fairly simple to read or type (it will be something more or less like this made-up one: eOLi0odswsqklKz/C36lOzM0srD9E0MjIxNjM3MgCBGQw3). The key alone doesn't unlock the software, it needs your full name as well (it's encoded in the key and the two have to match). The size and format of the key are important because making it too long or hard to deal with (like having them download a license file from your servers then placing it in a specific directory, or having the software "call home" on launch) would reduce the usability of your software and give this kind of user the impression that you really don't think they should be trusted. The fact that the key has a name in it is a big psychological deterrent to sharing it. If I found a key on a cracked site, I'd be able to immediately trace it back to the owner. I believe this, coupled with the accessible price of my software, is enough to sway most of the "yellow area" people in the buying direction.
- The "embed the name in the key" trick works well for those who buy the software because they fear getting caught with a cracked copy as well. Another thing to do here could be to embed the key (and thus their name) in every file that your software generates. I don't do this, but I know some do.
- for those of you who pay for my software based on your moral values, I thank thee, and wish you happiness and prosperity. The world needs more of your kind.
To sum it up:
- give lots away
- have a simple key with a name embedded in it
In the end, the code doesn't matter that much!
A couple of months ago I was explaining to my dad how I try to be as transparent as possible, sharing my revenue numbers, designing my features in the open, blogging about it all, etc. I believe it builds trust in Balsamiq and frankly I wouldn't want to do it any other way.
At the end he asked me: "Ok, I think I get it. But what is "your secret"? What's the thing that, if someone stole or copied from you, would mean catastrophe for your company?"
I thought about it for a second, and I realized that there isn't a single thing.
Mockups is a simple product, a good coder could create a clone of it in a couple of months starting from scratch. Someone could post a crack for my licensing algorithm on a BitTorrent site today.
I don't think either would spell catastrophe for Balsamiq.
People buy products from companies they trust and respect, and who treat them well in return. People buy software if they know that the people behind it care for their success while using it. They want to see the software improved continuously and with a passion. They care about a sensibility for usability and attention to details.
These aren't things one can steal.
I believe Balsamiq is successful so far because of all that I do every day: the site, the blog, the promotions, helping customers, listening to their ideas...and of course improving the product with new features and bug fixes. It's one big puzzle, every piece contributes to the whole (what Geoffrey Moore calls "The Whole Product Model").
I am a huge fan and avid reader of the Business of Software forums, a community of small software vendors. Here are some links on this topic taken from there. As you can see, none of my ideas is original or revolutionary, though there is some debate about these topics...
- Software cracked! Now what?
- Me vs Crackers
- If you sell X software a day and now your app was cracked
- Cracks sites - Should Google help us?
Here's another article, which I have only scanned quickly but seems in line with my views: Piracy and Unconventional Wisdom
While I was writing this post I thought about checking if Mockups had in fact been cracked without my knowledge and was available for download somewhere.
So I did some research, and while "The search of balsamiq was not successfully" [sic] on Astalavista :), I did find something on TorrentTractor. Check it out, one of the files is 833Megabytes! Now, the original Mockups for Desktop file is less than 3Mb right now...I pity the fool who downloads almost a Gig of crap, likely full of viruses, trojans and who knows what...I couldn't have done a better job at polluting the hacker sites myself! :)
I want to leave you with a quote from Pete Santangeli, which I think sums it all up nicely: "the best way to slow down your competitors is to give them your source code".
[UPDATE: someone just anonymously posted my licensing key generation code in a comment to this post, which I deleted. Anonymous hacker: congrats, you are better than me! :) I'm sorry you didn't post your name or I would have sent you a picture of a medal or something. I have deleted your comment because, like I say in the post above, I am trying to convince people in the "yellow group" to move towards the green area...not make it too easy for them to go towards the red (Balsamiq is how I am trying to make a living after all). I hope you'll understand. I'm going back to work now...]