Hello!

I am involved on a shrink-wrapped software development team and we are
interested in learning about tried and tested methods to be
incorporated into this product, to curtial piracy. Are there
industrial benchmarks & check lists for what measures need to be
incorporated into the shrink-wrapped product?

Can we build in a 'call home' feature into each individual item, that
would call (connect to our server) and register itself upon use by the
customer? Of course, we would explicitly mention this feature to the
customer. Are there any legal ramifications to doing so?

Thanks.
TVR

A few thoughts, prefatory to an actual Researcher posting an answer:

1.  As an obvious first step, you should make sure that you register
the copyright in the code.  You cannot file a lawsuit against someone
for piracy (copyright infringement) until you register the copyright. 
See http://www.loc.gov/copyright/.

2. The distributed code should have a well-written shrink-wrap or
click-wrap license agreement that the end-user must have to agree to
before proceeding to install/operate the software.  This will give you
contract rights that you may enforce against a pirate in addition to
the rights you gain through copyright registration.

3.  You should install identifiers or unique tags into the source code
that will enable you to prove that it is your code that has been
pirated.  This will be invaluable if you do have to sue for copyright
infringement--then you can prove that it really is your code.

4.  There is no law that prohibits your using a call-home feature
[unless perhaps your software relates to medical records or financial
institutions--then HIPAA (see
http://www.cms.hhs.gov/hipaa/hipaa2/default.asp) or Graham Leach
Bliley (see http://www.efoley.com/service_group/service_group_doc_listing.asp?ID=104&SGID=55)
may create privacy issues that would prevent you from doing this]. 
You should also be careful that your call-home feature does not send
an automated e-mail response without confirming that you are not
violating one or more of the several state anti-spam laws, or the new
federal anti-spam law that just passed the House (see
http://news.com.com/2100-1024-5110622.html?tag=nefd_hed).  You may
also want to research the Electronic Communications Privacy Act (see
http://legal.web.aol.com/resources/legislation/ecpa.html) to make sure
there are no issues there.  I do not think there are.

5.  Intuit got in public-relations trouble recently for having an
anti-piracy feature that prevented end users from installing the
software on more than one machine, etc.  (see
http://www.extremetech.com/article2/0,3973,834915,00.asp)  Might want
to keep that in mind.

What you need is ESD..  where you could incorprate the feature you are
looking at.. there are many in the market..
check out.. http://www.Softwrap.com / http://www.esellerate.net /
http://www.digitalriver.com / http://www.element5.com and there are
many more..

You could also try http://www.ealaddin.com, just in case you would
like to try Hardware Lock Protection :)

Hi,

All I can say is that you are fighting an uphill battle. If the
world's largest IT company (MS) can't stop their products being
pirated, I don't think you stand much chance.

Any steps you take should be carefully considered. Consumers are
incresingly frustrated by anti-piracy measures that are unreasonable
and assume everyone is a theif. This is especially true of IT
professionals who have to deal with it over and over again (just ask a
IT managed about Windows Product Activation).

Many larger ticket products ship with hardware protection, such as
dongles. These tend not to obstruct installation, or maintainance.
They provide a reasonable level of protection.

Call-home features are more and more common, but people are very
distrusting, especially now, of these measures, the information they
gather, and exactly where it ends up. There are also, in many cases,
installations that for some reason or anyother are unconnected to the
internet (think secure facilities, banks etc.)

Obviously you know your customers or target market best and should
make any decision based on that. Also remember that nothing stays
secret, any backdoor or workaround you create for those difficult
situations will surface.

Good Luck.

Regards,
Sycophant-ga