Software Audit Defenses – Copyright Statute of Limitations [Crash reports]
This blog discusses one potential defense that may be used in software audit cases involving companies like the BSA, SIIA, Adobe, Vero, Siemens, Autodesk, Solidworks, CNC Mastercam, and other companies. It relates to a statute of limitations defense.
Bonus Materials: We discuss common defenses to copyright infringement on this blog.
Say it is the year 1995. Your company has 50 workstations and 20 laptops. NONE OF THE WINDOWS OR OFFICE PRODUCTS ARE LICENSED FOR PURPOSES OF THIS HYPOTHETICAL. Let's say one of the users is working on a Microsoft WORD document or Excel Spreadsheet (part of the Office Suite) and the software CRASHES. You are asked if you want to send an error report to Microsoft, and you do so in order to try to prevent the problem from happening again, and to avoid performance issues in the future. Microsoft receives this information through a web service, logs certain information (see below), and attempts to fix the issue.
The question this blog addresses is: DOES MICROSOFT GET NOTICE OF POTENTIALLY UNLICENSED SOFTWARE THROUGH THESE CRASH REPORTS, SUCH THAT THE STATUTE OF LIMITATIONS TO BRING A COPYRIGHT INFRINGEMENT ACTION BEGINS TO RUN? (As we have noted on other blogs, the general rule is that the statute of limitations on software piracy/copyright infringement claims is three years.)
“What types of information can be collected? The reporting service can collect information about problems that interrupt you while you work and information about errors that occur behind the scenes. It's important to diagnose errors that occur behind the scenes because these problems, if left unsolved, might cause additional problems such as performance or program failures.
Reports contain information that is most useful for diagnosing and solving the problem that has occurred, such as:
Where the problem happened in the software or hardware.
The type or severity of the problem.
Files that help describe the problem.
These failures are typically system or report-generated files about software behavior before or after the problem occurred.
Basic software and hardware information.
This information can include operating system version and language, device models and manufacturers, or memory and hard disk size.
Possible software performance and compatibility problems.”
Another section noted other possible information that is collected:
“Information such as your IP address, operating system version, browser version, and regional and language settings are also collected because you're connecting to an online service (web service) to send error reports.
However, this information is used only to generate aggregate statistics. It is not used to identify you or contact you.
Reports might unintentionally contain personal information, but this information is not used to identify you or contact you. For example, a report that contains a snapshot of memory might include your name, part of a document you were working on, or data that you recently submitted to a website.
If you host virtual machines using a Windows operating system, reports generated by the Windows operating system for the MER service might include information about virtual machines. If you're concerned that a report might contain personal or confidential information, you should not send the report.
After you send a report, you might be asked to complete a survey about the error you experienced. If you choose to provide your phone number or email address in response to the survey, your report will be personally identifiable. Microsoft might contact you to request additional information to help solve the problem you reported.”
At this point it seems fairly clear that Microsoft may obtain enough information to identify your company, including personal information and information about the crashed software. At this juncture, it seems they would be able to link this information to their licensing database to see if the product that crashed is properly licensed or not (note: it would seem to be prudent for them to check because “cracked” software is known to contain malware that can cause the software to crash in the first place). In other words, it would seem a crash report could be seen as a “red flag” that would put Microsoft on notice that it should check licensing records to make sure the crashed software is properly licensed. But do they do this? Hard to say. Should they do this? Who knows. Does this put Microsoft on “Notice” of a potential claim of copyright infringement such that the statute of limitations on a copyright infringement claim (three years) should begin to run? I think it is a fair question and may be one for the courts if a company (like many) continually sends in error crash reports trying to fix their software, and MS collects the information which may indicate pirated software is being used. This may be an issue best left to the courts.
How does Microsoft use “crash report” error information?
The MS privacy statement further describes how collected information may be used:
“Who can use the information and how can it be used?
Microsoft uses information about errors and problems to improve Microsoft products and services as well as third-party software and hardware designed for use with these products and services.
Microsoft employees, contractors, vendors, and partners might be provided access to information collected by the reporting service, including survey responses.
However, they will use the information only to repair or improve Microsoft products and services and third-party software and hardware designed for use with Microsoft products and services. For example, if a report indicates that a third-party product is involved, Microsoft might send that information to the vendor of the product. The vendor might provide the information to sub-vendors and partners; however, all parties must abide by the terms of this privacy statement.
To improve the products that run on Microsoft software, Microsoft might share aggregate information about errors and problems. Aggregate information is used for statistical analysis and does not contain specific information from individual reports, nor does it include any personal or confidential information that might have been collected from a report.”
I would argue that part of “improving products and services” includes lowering the price of same. Piracy is a global issue, and it is believed (according to a recent lawsuit filed in Washington Federal Court – Microsoft v. The Software King) that pirated software costs over 10 billion annually. As software publishers like the Business Software Alliance note, these losses get passed on to everyone and raise the costs of software. As such, it is conceivable, applying a broad interpretation of “improving” things, that checking to see if crashed software is licensed would be something that could arguably be done, and perhaps should be done, to lower the costs of products/services.
If so, possibly this could trigger the statute of limitations and start the ticking of the three-year clock when a crash report is submitted due to faulty Office, Windows, Visio, or other products. This is just an argument, however, and I was not able to find any cases that discuss this, so make sure you check with an intellectual property law firm before seeking to make this type of argument. This is general legal information only and not legal advice.
Here is the page that discusses their Crash Reporting system
Contact a federal copyright infringement and software piracy law firm
Our IP firm can help both Plaintiffs and Defendants in federal copyright matters involving books, movies, films, artwork, paintings, photography, tattoos, jewelry, songs, lyrics, parody, and other copyright law issues. We can be reached at (877) 276-5084 and offer a free consultation to copyright clients. We may offer contingency fee recovery programs for rights holders. Contact us to discuss.