ITAMChannel is a hub of coverage for all the latest news and views within the IT Asset Management Industry

Software Vendor’s “Spyware” Obtains Data that Customer Secretly Destroyed!

SHARE
,

In one of this year’s most interesting cases relating to software piracy, a software vendor has alleged that its customer has fraudulently obtained access to its software via counterfeit, as well as evaluation license keys.

The vendor, Synopsys, Inc. (Synopsys), also alleges that the customer; Ubiquity Networks, Inc. (Ubiquity), also allowed its employees to destroy thousands of files of evidence & incompliance before the lawsuit was filed.

How does Synopsys know all this? Well, it includes piracy tracking software, or as Ubiquity terms it; “spyware”, with its standard software!

Developing case material, new claims and counter-claims continue at pace, as the case, which was filed in March 2018, becomes extremely complex with many facets and legal implications that begin to question the legal validity and moral justification of embedded “piracy tracking” systems.

Ubiquity alleges that the “spyware”, transmitted its Users’ personally identifiable information such as username, email address, software applications & features accessed, dates & times of access and locations, to Synopsys, without prior declaration, Ubiquity knowledge, or authorisation, contrary to agreements like the NDA between both parties and potentially US Federal Law.

However, Synopsys states that the inclusion of its software piracy tracking software was clearly referenced in its click-through End User License Agreement (EULA) and that any deployment, legal or unlicensed, would require the User to accept the EULA before installation.

The case is further confused with the involvement of third parties that have been appointed by Synopsys to aid its license compliance initiatives. Ubiquity alleges that Smartflow Compliance Solutions (Smartflow) and its affiliate; IT Compliance Association, formed an “Enterprise” to include the spyware for the purpose of generating revenues for Synopsys, as it does for other software companies, and that it uses the obtained data to “coerce” excessive fees for the software companies. Synopsys claims that this Enterprise contravenes the Racketeering Influenced & Corrupt Organizations (RICO) Act, which is part of US Federal Law.

Whilst this remarkable case progresses, there are multiple points of concern for all organisations and their CIOs:

–  Of course, there is the matter of license compliance and ensuring all software is fully licensed & sourced via correct channels & deployed by authorised personnel.

–  Security policy must be stringent, and all data sent to any third parties, via software piracy tracking tools must be known and approved/restricted.

–  Software companies should be consulted to check if they have built in any spyware or “phone-home” software into their solution. Scrutinize EULAs.

–  Are there any implications around GDPR or data protection laws for your organisation?

It is therefore imperative that, with the onset of new snooping technologies and new techniques to bypass consent (EULA), your organization mitigates any risk by ensuring the most secure and trustworthy software is deployed in your environment, and that processes are defined, and people are made aware of their duties and responsibilities around SAM & Network/Data Security. This could avoid costly litigation and considerable impact to business reputation.