Software License Management
Software licensing is complex. Compliance with all of its terms and conditions requires in-depth knowledge. Typically, an organisation will need to assign the responsibility for understanding licensing to specific individuals, and then ensure that they have the necessary training to master the area. Software licenses are rights to use software, with certain terms and conditions attached, and are one of the main issues addressed by Software Asset Management. These rights to use software are totally separate from the legal rights to the software itself, which are normally kept by the software manufacturer or another third party. Licenses may be bought or may be free subject to special terms and conditions. Even open source software normally has a license, even though payment may be required.
Licenses are normally required whenever externally sourced software is used, which will typically be defined as either being installed or being run on a machine, even if installed elsewhere (e.g. a server). They may also be defined in enterprise terms, such as the number of workstations or employees, in which case a license is required for each qualifying unit or individual regardless of actual usage.
Even with commercial software, there are several situations where paid licenses may not be required, depending on specific contractual conditions. Often, these situations are not understood and, as a result, organisations may purchase licenses they do not need. These situations include workstations used for dedicated training purposes and copies used for evaluation purposes. Likewise, there can be runtime versions of some software, which do not require separate paid licenses.
Backups are problematical legally. Many software contracts only allow for one backup copy for archival purposes, but this is contrary to good IT practice for making backups. However, it is unlikely that a software manufacturer would make an issue of this, or that a court would uphold it if taken that far. The critical issue is that the copies should be purely for backup purposes, with no more copies ever being used than are licensed. The situation for hot backups is different because in these cases the backup software is installed. Reference must be made to specific license terms and conditions in these cases.
Basic types of license
The license can have many different characteristics for description purposes:
- Perpetual: Historically, most licenses sold have been perpetual, i.e. the use rights are permanent once purchased.
- Subscription or rental: Licenses that can be used for a specific period of time, which can vary from days to years and may not include upgrade rights.
- Temporary: In addition to subscription or rental licenses, there can be other cases of temporary licenses, e.g. pending full payment or receipt of proof of license.
Measure of usage
- Per Copy: By workstations/seat/device, named user, anonymous user, concurrent
- Usage: Historically, most licenses sold have been on a per-copy-used basis, with several different units of measure possible. Sometimes multiple uses will be allowed per license. It should also be noted that licensing is sometimes based on unit counts other than just PCs. For example, printer counts are important in several licensing schemes, e.g. for fonts, and for some networking software node counts. Likewise, mobile devices have licensing requirements but may not be recognised by many traditional approaches to License Management based just on PCs.
- Concurrent usage: This allows a specified number of users to connect simultaneously to a software application. This is a commonly understood licensing approach, and there are a number of software products to help monitor and control concurrent usage. However, such licenses are not as commonly available as was previously the case.
- Per server speed or per processor: These are linked to the speed or power of the server on which they are run, or the number of processors within the server.
- Client/server access: Most licenses correspond to physical installations or use of the software. However, there is an important category of licenses that do not correspond to physical software, and these are frequently misunderstood. These are client access licenses, which give a client device the right to access a server package, regardless of whether or not there is client software associated with it. The detailed terms and conditions for such licenses prevent software tricks to combine multiple clients into a single channel for licensing purposes.
- Enterprise or site: Increasingly, licenses are being sold on an enterprise or site basis that requires just a count of qualifying entities. This is usually easier for administration purposes, especially in organisations with limited SAM capabilities. Nonetheless, people who do not understand the contractual definition of the enterprise may try to apply per copy counting rules instead. A further complication may be that qualifying workstations or employees/contractors may not be simple to identify.
There are many different types of upgrades that have been sold, each typically with detailed conditions as to what is acceptable as a basis for the upgrade. A common problem is that upgrade licenses are purchased, for which there are no qualifying underlying licenses, e.g. competitive upgrades may have been purchased without any competitive product actually being owned, in which case the licenses are invalid for use.
- Version upgrades normally refer to a later release of the same product
- Product upgrades normally refer to changes within a product family, e.g. a partial suite of products being upgraded to a more extensive suite of the same product family
- Competitive upgrades normally refer to upgrades based on competitive products
- Language upgrades allow the use of a more expensive product with different/additional language capabilities.
- Upgrade insurance. Many software manufacturers offer upgrade insurance under a variety of names. Essentially, they all allow the purchaser to use any upgrades that are released during the period of the insurance. A problem that occurs sometimes is that organisations forget the upgrade rights they purchased with this insurance because they do not perform the physical upgrade during the same time period. They may then purchase the upgrades again later when the physical upgrade is performed.
- Technology guarantees, etc. Technology guarantees are limited-duration upgrade rights that a software manufacturer may grant to purchasers of one version of the software when a new version is expected but not yet released. It is important to note these rights when they are issued, as they may be difficult to determine retroactively.
- Commercial vs Academic: There is typically less expensive pricing for academic users than for commercial users. The risk is that academic copies may be purchased in situations that do not qualify.
- Commercial vs Personal: Some licenses distinguish between commercial use and personal use, charging for the former but not the latter. This is common, for example, with some shareware/freeware packages.
License Management Responsibility
- Vendor-Managed Usage (VMU): Technical License Management products are in place with some software manufacturers. In these cases, end users can be largely absolved of the License-Management aspect of SAM, although it may still be desirable as a check on the correctness of software manufacturer measurements, and to facilitate strategic planning.
- Customer-Managed Usage (CMU): Most License Management requires customer management.
- Suite: A group of applications sold together. The terms of the license normally preclude the individual applications being separated and used individually on separate devices, or by different users simultaneously.
- Secondary Usage: A license that provides for the use of software either by secondary users or in a secondary location. Examples are the ability to use one license on a desktop and a laptop, or on both a work computer and a home computer. Secondary usage rights may come with the main license or may be sold separately.
- Locked license: This requires an activation key and is not readily copied or moved.
- Token-activated: This uses a dongle or security device to restrict usage.
- Serialised Licence: Identifiable by a unique serial number, therefore easier to check authenticity.
Types of licenses by sales channel
Frequently there are differences in license terms and conditions depending on the sales channel, in particular:
- OEM: Original equipment manufacturers often have their own licensing terms for software that they supply together with equipment. One of the most significant conditions typically attached to such software is that the software can only be used on the original equipment. If the equipment is replaced, the software cannot be moved to a new machine (although any upgrades used may be movable). The End-User License Agreement (EULA) for OEM software is normally between the equipment manufacturer and the end-user, and not between the software manufacturer and the end-user.
- Retail: Software sold in retail packaging is the closest to a typical hardware product in terms of physical characteristics. It is also usually the most expensive and maintaining the proof of license is typically the most onerous for this type of product.
- Low volume: There are low-volume methods of purchasing software licenses that do not require the signing of a contract with the software manufacturer, but which usually require user registration. Media may have to be purchased separately. There may be some limited audit rights associated with such licenses.
- High volume: The high-volume methods of purchasing software licensing generally require a signed contract with the software manufacturer. There are typically several levels of contract and/or pricing. This type of contract typically gives the software manufacturer significant audit rights.
- Service provider: Software is increasingly being made available through hosting organisations, or Application Service Providers (ASPs). This is normally on a rental or other temporary rights basis.
- Solution provider: Software and sometimes hardware from multiple manufacturers may be bundled by a solution provider as a turnkey package. These may range from small packages to major ERP systems. These bundled licenses need to be recognised as part of overall SAM Management.
- Shareware, freeware and public domain software: These tend to be distributed through the internet rather than through commercial resellers. There may be many shareware, freeware and public domain software packages in use within an organisation, e.g. zipping utilities. These types of software should be subject to the same controls as software procured from major software manufacturers.
  - Shareware: Users are encouraged to copy the program for preview purposes. If the user intends to keep using it then a license fee must be paid to the developer.
  - Freeware: No license is paid but these programs still come with a license agreement that could potentially be violated. See also ‘Open-source’ below.
  - Public domain: This must be clearly marked as such, and means the copyright holder has relinquished all rights to the software so it can be freely copied, modified, enhanced, etc.
- Open-Source: This is an increasingly common version of freeware that, as a condition of its license, requires the source code to be provided and to be modifiable. The licenses themselves are free, but there may be charges for media and distribution.
Counterfeit software is software that falsely appears to be genuine, including its related proof of license materials. This is not the same as pirated software, as with hard disk loading, whereby a dealer may load unlicensed copies of legitimate software onto machines it sells. With hard-disk loading, there are typically no materials supplied which purport to come from the software manufacturer.
There is a serious risk of an organisation purchasing counterfeit software. The risk is greater than any organisation realises because of the sophistication of counterfeiters, and the lack of attention that may be paid by some resellers and end-user organisations to this issue. The risks of using counterfeit software include:
- Not being licensed for the software being used
- Loss of money spent on the counterfeit software
- Being in violation of copyright and trademark legislation through possession of the counterfeit product
The main factors for increased risk of counterfeit software are:
- Status of suppliers and source of product: For some software manufacturers and some licensing programs, the software may be purchased directly from the manufacturers or from authorised resellers. There is no real risk of purchasing counterfeit products directly from the manufacturer, and a significantly reduced risk from an authorised reseller. A reseller with no special status, selling goods that purport to come from the grey market, may involve significantly more risk. Grey market products, in particular, are at high risk of being counterfeit because this is a common way of a reseller trying to explain the low cost of counterfeit products.
- Length of distribution chain: Collateral or proof of license received directly from a software manufacturer is the best guarantee of authenticity. The more tiers there are in the distribution channel between the software manufacturer and the end customer, the greater the risk of counterfeit product. They should take extra measures to ensure they are dealing only with the genuine product. Smaller resellers may be more susceptible to selling counterfeit software, knowingly or unknowingly.
- Geographical location: If the transaction is based in a country with less stringent copyright/trademark laws or enforcement, the risk of counterfeit software increases.
These risk factors are for awareness only – they are not absolute. There are resellers selling genuine products who are small, at the end of long distribution chains and based in countries with weak intellectual property protection. Nevertheless, the buyer has a particular duty of care to ensure that the product is genuine with the increased risk factor.
It’s not possible to give definitive guidance here about how to identify counterfeits. However, the following guidelines are suggested:
- Assess the likelihood of counterfeit products based on the risk factors involved
- Be knowledgeable about each software manufacturer’s security features designed to fight counterfeiting. Descriptions of these may typically be found on software manufacturers’ websites.
- Make it clear to your resellers in advance that you will check for the authenticity of the product supplied, especially if the price looks particularly low.
- Review all software collateral received for relevant security features, with a degree of attention corresponding to the risk factors involved.
- Refer to the software manufacturer directly in cases of doubt.
What is proof of license
Proof of license is what a court will accept as proof of a legal entity having a license. However, it should rarely be necessary to resort to court. Each software manufacturer in general states the requirements for their proof of license, so no hard and fast rules can be given here. As a general principle, proof of license requires some form of evidence directly from the software manufacturer. Evidence of payments made to a reseller, or license confirmations produced by a reseller, will not normally constitute acceptable proof of license. The spectrum of types of evidence for having a license includes the following, of which the first three are usually the most important.
- Printed license confirmation documents from software manufacturers (with security features)
- Electronic license confirmation documents from software manufacturers held on controlled-access websites
- Certificates of Authenticity (COAs) are typically engraved, or with other security features. These may be:
  - Loose pieces of paper
  - Pieces of paper pasted onto manual covers
  - Labels glued onto equipment
  - Labels printed or glued on retail boxes
Although COAs are important, backup collateral is often required, because under some circumstances a COA may be attached to an illegal/counterfeit copy, e.g. an unlabelled COA for a less expensive product repackaged with a counterfeit more expensive product.
- Media (CDs, disks, DVDs, plus associated jewel case boxes often with serial numbers, especially for retail products).
- Volume purchasing contracts
- Purchasing records or analysis provided by software manufacturers, including proof of payment
- Free-standing letters or other documentation from software manufacturers confirming a grant of licenses
- Invoices from resellers, including proof of payment
- Sales documentation. It may be desirable to keep copies of sales documentation, e.g. product brochures, to clarify the licenses that are included with specific packaged products, e.g. OEM products. The descriptions given on invoices in such cases are often insufficient to clarify what licenses are included. In the absence of other stronger documentation, this may be important in helping to establish license ownership.
It is important to emphasize that a license confirmation document produced by a reseller is normally not an acceptable proof of license, regardless of how impressive it may seem, sometimes with its own security features. Such documents have been produced by many resellers for a number of reasons, such as the delays in customers getting software manufacturer confirmations. However, they are not proof of license and may create significant legal and financial exposures.
End User License Agreement (EULA) is another term that is often used in licensing, especially for retail products. The EULA should be retained just as contracts are retained. Its main purpose is to document the terms and conditions of a license. It is typically provided in soft copy, or in a printed format without any security features. It generally does not provide proof of license unless it has security features.
The simple rule to follow is to check with the software vendor directly about what they require you to retain. You may well want to renegotiate on this if you feel the administrative tasks would be onerous. Any such special dispensations should be obtained from the vendor in writing.
Some types of proof of license are easy to store in traditional filing systems, most notably printed volume licensing confirmations. However, the majority of types of documentation are no more difficult to store.
- OEM operating system licenses: Most OEM operating system certificates of authenticity are now physically fixed to a PC, and cannot be removed without effectively destroying them. There is no option for separate physical storage of this document, and it can be controlled only in a database. Barcode readers may be used to capture the relevant information.
- Electronic: Many software manufacturer volume license confirmation documents now are purely electronic. While the online copy is definitive, it is prudent to print a copy and treat the printout as if it were a hard copy original license confirmation, for ease of reference and as a back-up for the electronic online versions.
- Media: This is primarily an issue for older software, or where current licenses are based on upgrades from an older license. As an example, a company may have purchased large quantities of software via a non-volume channel, so that there is a CD to keep with each. There may have been successive upgrades, including to competitive products, but the original CD is still part of the proof of original license on which all successive upgrades are based.
- Manuals: This is also primarily an issue for older software, or where current licenses are based upon upgrades from older licenses where media formed part of the proof of license. As an example, a company may have purchased large quantities of software via a non-volume channel, so that there is a CD to keep with each. There may have been successive upgrades, including to competitive products, but the original CD is still part of the proof of original license on which all successive upgrades are based.
If you have a large quantity of bulky support collateral for early licenses, such as CDs, it is worth asking the software manufacturer of your latest licenses if they will accept in writing as valid a certificate of destruction from a recognised destruction agent, citing relevant details of the materials destroyed. However, there have been situations where software manufacturers have refused to allow the destruction of CDs even though they were very old.
High risk of loss
There is a high risk of loss of physical licenses, especially in decentralised environments where the importance of physical proof of license is not recognised. This is a significant cause of financial loss when organisations cannot prove the licenses that they assume they have purchased and need to repurchase to prove compliance. There is also a heightened risk of loss in centralised environments to a catastrophic event such as a fire. To minimise these risks, a centralised approach is most appropriate, with off-site backup copies of license inventory records kept against the risk of catastrophic events.
Implementation of the physical management system
The physical management system for licenses may be just a filing cabinet in a very small organisation, but for most organisations this will not be sufficient. There would be two separate parts of the system, namely a storage system for physical documents and other evidence, and an inventory system to record what is there. Again, in small organisations, the inventory may be kept simply in a spreadsheet, but this will typically be inadequate. What is recommended is a Document Management system that can keep scanned copies of all physical documents. The physical documents can then be filed away securely without any need for formal access, with reliance placed instead on the scanned images.
Some documentation that legally may form part of the proof of license should already be covered by other document management systems, e.g. invoices and contracts. Depending on the functionality of the relevant systems, there may be no need to do anything further. Alternatively, it may be preferable for practical reasons to include copies of such documentation in the licensing document management system. For example, it is sometimes difficult for organisations to retrieve back copies of invoices when they are needed several years later, after system changes or archiving.