ads

Thursday, April 26, 2018

How Microsoft helped imprison a man for ‘counterfeiting’ software it gives away for free

In a sickening concession to bad copyright law and Microsoft’s bottom line over basic technical truths and common sense, Eric Lundgren will spend 15 months in prison for selling discs that let people reinstall Windows on licensed machines. A federal appeals court this week upheld the sentence handed down in ignorance by a Florida district judge, for a crime the man never committed.

Now, to be clear, Lundgren did commit a crime, and admitted as much — but not the crime he was convicted for, the crime Microsoft alleges he did, the crime that carries a year-plus prison term. Here’s what happened.

In 2012 feds seized a shipment of discs, which they determined were counterfeit copies of Windows, heading to the U.S., where they were to be sold to retailers by Lundgren. U.S. Prosecutors, backed by Microsoft’s experts, put him on the hook for about $8.3 million — the retail price of Windows multiplied by the number of discs seized.

The only problem with that was that these weren’t counterfeit copies of Windows, and they were worth almost nothing. The confusion is understandable — here’s why.

When you buy a computer, baked into the cost of that computer is usually a license for the software on it — for instance, Windows. And included with that computer is often a disc that, should you have to reinstall that OS for whatever reason (virus infection, general slowdown), allows you to do so. This installation only works, of course, if you feed it your license key, which you’ll probably find on a sticker attached to your computer, its “Certificate of Authenticity.”

But what if you lose that disc? Fortunately, all those years Microsoft itself provided disc images, files that you could use to burn a new copy of the disc at no cost. Look, you can still do it, and you used to be able to get one without a license key. In fact that’s how many Windows installs were created — buy a license key directly from Microsoft or some reseller, then download and burn the install disc yourself.

Of course, if you don’t have a DVD burner (remember, this was a while back — these days you’d use a USB drive), you’d have to get one from a friend who has one, a licensed refurbisher, or your manufacturer (for instance, Dell or Lenovo) for a fee.

This option is still available, and very handy — I’ve used it many times.

What Lundgren did was have thousands of these recovery discs printed so that repair and refurbishing shops could sell them for cheap to anyone who can’t make their own. No need to go call Alienware customer service, just go to a computer store and grab a disc for a couple bucks.

Lundgren, by the way, is not some scammer looking to fleece a few people and make a quick buck. He has been a major figure on the e-waste scene, working to minimize the toxic wages of planned obsolescence and running a company of 100 to responsibly refurbish or recycle old computers and other devices.

His actual crime, which he pleaded guilty to, was counterfeiting the packaging to make the discs pass for Dell-branded ones.

But the fundamental idea that this was counterfeit software, with all that implies, is simply wrong.

Software vs. license

The whole thing revolves around the fact that Microsoft — and every other software maker — doesn’t just plain sell software; they sell licenses to that software. Because software can easily be copied from computer to computer, piracy is easy if you make a program that anyone can just install. It’s more effective to distribute the software itself freely, but only unlock it for use with a special one-off code sold to the customer: a license, or product key.

When you buy a “copy” of Windows, you’re really buying a license to use Windows, not the bits and bytes that make up the OS. The company literally provided up to date disc images of Windows on its website! You could easily install it using those. But without a license key, the OS won’t work properly; it’ll nag you, remove functionality and may shut down entirely. No one would confuse this with a licensed copy of the OS.

This distinction between software and license is a fine one, but important. Not just for overarching discussions of copyright law and where it fails us as technology moves beyond the severely dated DMCA. Because in this case it’s the difference between a box of Windows recovery discs being worth millions of dollars, as prosecutors originally said they were, and being worth essentially nothing, which is what an expert witness and advocates countered.

More importantly, it’s the difference between someone getting 15 months in prison for a nonviolent crime harming no one and causing no actual financial loss, and getting a suitable punishment for counterfeiting labels.

A Microsoft representative told me, reasonably enough, that they want customers to be able to trust their software. So going after counterfeiters is a high priority. After all, if you buy a cheap, fake DVD of Windows on eBay and it turns out the disc has been pre-loaded with malware, that’s bad news for the consumer and hurts the Microsoft brand. Makes sense.

It said in an official statement (then provided an updated one later, which is at the end of the article):

We participate in cases like these because counterfeit software exposes our customers to malware and other forms of cybercrime. There are responsible ways to refurbish computers and save waste, but Mr. Lundgren intentionally deceived people about the software they were buying and put their security at risk.

First, it is worth mentioning that the court record is replete with tests showing these discs were perfectly normal copies of software that Microsoft provides for free. Prosecutors went through the entire install process several times and encountered nothing unusual — in fact, their arguments rely on the fact that these were perfect copies, not a compromised one. This may not affect Microsoft’s reasoning for pursuing the case, but it sure has a bearing on this one.

Lundgren deceived people that this was an official disc from Dell, certainly. That’s a crime and he admitted to it right off the bat. But from what I can tell, the discs were indistinguishable from Dell discs except for inconsistencies in the packaging. There’s nothing in the record to think otherwise. I was told Microsoft declined to look into whether the discs might have had malware because it would have no bearing on the case, which strikes me as ridiculous. It would be trivial to check the integrity and contents of a disc Microsoft itself provides the data for, and malware or the like would provide evidence of criminal intent by Lundgren or his supplier.

If on the other hand the discs were identical to those they are meant to imitate, we would expect to hear little about their content except that they are functional, which is what we see in the record.

From the court records, the discs seized produced ordinary Windows installs when tested by multiple parties.

Furthermore: People weren’t buying software, let alone “counterfeit software.” The discs in question are at best “unauthorized” copies of software provided for free by Microsoft, not really a term that carries a lot of legal or even rhetorical weight. I could make a recovery disc, then make another for my friend who doesn’t have a DVD burner. Is that copy authorized or not? And how could it be unauthorized if it’s an image made available to users specifically for the purpose of burning recovery discs? How can it be counterfeit if it’s just a copy of that image? Furthermore, how can it be “pirated” if the business model requires the end user to purchase a license key to activate the product?

If the data on the disc is worth anything at all, why does Microsoft provide it for free? There was in fact no piracy because no license to use the software, which amounts to the entire value of the software, was ever sold.

What damage?

But how, then, could this freely available software produce damage in the millions, as first alleged, and later in the hundreds of thousands?

What Microsoft alleged, when it became clear that the data on the discs was worth precisely nothing without a license key, as evidenced by its own free distribution thereof, was that the discs Lundgren was selling were intended to short-circuit its official refurbishment program.

That’s the official registered refurbisher program where a company might buy old laptops, wipe them and contact Microsoft saying “Hey, give us 12 Windows 7 Home licenses,” which are then provided for a deep discount — $20-40 each, down from the full retail price of hundreds. It encourages reuse of perfectly good hardware and keeps costs down, both of which are solid goals.

Every disc Lundgren sold to refurbishers, Microsoft argued, caused $20-40 (times .75, the profit ratio) of lost OS sales because it would be used in place of the official licensing process. A simplified version of this ($25 times 28,000 units) was the basis for the $700,000 figure used in part to determine the severity of his crime and sentence.

There are several things wrong with this assertion:

  • Lundgren was not necessarily selling these discs to refurbishers for use in refurbishing computers — the discs would be perfectly useful to any Dell owner who walked in and wanted a recovery disc for their own purposes. The government case rests on an assumption that was not demonstrated by any testimony or evidence.
  • The discs are not what Microsoft charges for. As already established, the disc and the data on it are provided for free. Anyone could download a copy and make their own, including refurbishers. Microsoft charges for a license to activate the software on the disc. The discs themselves are just an easy way to move data around. There’s no reason why refurbishers would not buy discs from Lundgren and order licenses from Microsoft.
  • Dell computers (and most computers from dealers) come with a Certificate of Authenticity with a corresponding Windows product key. So if intentions are to be considered, fundamentally these discs were intended for sale to and use by authorized, licensed users of the OS.
  • Furthermore, since many computers come with COAs, if the refurbishers decide to skip getting a new license use a given computer’s COA, that is not the fault of Lundgren, and could easily be accomplished with the free software Microsoft itself provides.
  • That process — using the COA instead of buying a new license — is not permitted by Microsoft and is murky copyright-wise. But in this case the defendants say it was admitted by U.S. prosecutors that the COA “belongs” to the hardware, not the first buyer. The alternative is that, for example, if I sold a computer to a friend with Windows installed, he would be required to buy a new copy of Windows to install over the first, which is absurd.
  • Naturally no actual damage was actually done. The damage is entirely theoretical and incorrect at that. A copy of Windows cannot be sold because it is freely provided; only a license key can be sold, and those sales are what Microsoft alleges were affected — but Lundgren neither had nor sold any license keys.

In fact an expert witness, Glenn Weadock, who had previously been involved in a 2001 government antitrust case against Microsoft, appeared in court to argue these very points.

Weadock was asked what the value of the discs is without a license or COA. “Zero or near zero,” he said. The value is a “convenience factor,” he said, in that someone can use a pre-made disc instead of burning their own or having the manufacturer provide it.

Real damage

This fact, a difference between selling a license that activates a piece of software and provides its real value, and the distribution of the software itself — again, provided for free to any asker — was completely ignored by the courts:

The government’s expert testified that the lowest amount Microsoft charges buyers in the relevant market—the small registered computer refurbisher market—was $25 per disc. Although the defense expert testified that discs containing the relevant Microsoft OS software had little or no value when unaccompanied by a product key or license, the district court explicitly stated that it did not find that testimony to be credible.

As I’ve already established, discs are free; $25 is the price of the license accompanying the disc. Again, a fine but very important distinction.

Weadock’s testimony and all arguments along these lines were disregarded by the judges, who decided that the “infringing item” “is or appears to be a reasonably informed purchaser to be, identical or substantially equivalent to the infringed item.”

This is fundamentally wrong.

The “infringing” item is a disc. The “infringed” item is a license. The ones confusing the two aren’t purchasers but the judges in this case, with Microsoft’s help.

“[Defendants] cannot claim that Microsoft suffered minimal pecuniary injury,” wrote the judges in the ruling affirming the previous court’s sentencing. “Microsoft lost the sale of its software as a direct consequence of the defendants’ actions.”

Microsoft does not sell discs. It sells licenses.

Lundgren did not sell licenses. He sold discs.

These are two different things with different values and different circumstances.

I don’t know how I can make this any more clear. Right now a man is going to prison for 15 months because these judges didn’t understand basic concepts of the modern software ecosystem. Fifteen months! In prison!

What would a reasonable punishment be for counterfeiting labels to put on software anyone can download for free? I couldn’t say. That would be for a court to decide. Possibly, based on Lundgren’s suggestion that if damages had to be calculated, that $4 per disc was more realistic, he would still face time. But instead the court has made an ignorant decision based on corporate misinformation that will deprive someone of more than a year of his life — not to mention all the time and money that has been spent explaining these things to deaf ears for the last few years.

Microsoft cannot claim that it was merely a victim or bystander here. It has worked with the FBI and prosecutors the whole time pursuing criminal charges for which the defendant could face years in prison. And as you can see, those charges are wildly overstated and produced a sentence far more serious than Lundgren’s actual crime warranted.

The company could at any point have changed its testimony to reflect the facts of the matter. It could have corrected the judges that the infringing and infringed items are strictly speaking completely different things, a fact it knows and understands, since it sells one for hundreds and gives the other away. It could have cautioned the prosecution that copyright law in this case produces a punishment completely out of proportion with the crime, or pursued a civil case on separate lines.

This case has been ongoing for years and Microsoft has supported it from start to finish; it has as much sentenced Lundgren to prison for a crime he didn’t commit as the fools of judges it convinced of its great “pecuniary loss.” I expect the company to push back against this idea, saying that it only had consumers’ best interests in mind, but the bad-faith arguments we have seen above, and which I have heard directly from Microsoft, seem to suggest it was in fact looking for a strong judgment at any cost to deter others.

If it was possible that Microsoft was not aware how bad the optics on this case are, they’ve been warned over and over as the case has worn on. Now that Lundgren is going to prison it seems reasonable to say that his imprisonment is as much a Microsoft product as the OS it accused him wrongly of pirating.

<hr/>

Update: Microsoft later provided an second statement:

Microsoft actively supports efforts to address e-waste and has worked with responsible e-recyclers to recycle more than 11 million kilograms of e-waste since 2006. Unlike most e-recyclers, Mr. Lundgren sought out counterfeit software which he disguised as legitimate and sold to other refurbishers. This counterfeit software exposes people who purchase recycled PCs to malware and other forms of cybercrime, which puts their security at risk and ultimately hurts the market for recycled products.



from TechCrunch https://ift.tt/2r21IVf
via IFTTT

No comments:

Post a Comment

Apple Vision Pro: Day One

It’s Friday, February 2, 2024. Today is the day. You’ve been eyeing the Vision Pro since Tim Cook stepped onstage with the product at last y...