The pain of software audits

Get confidentiality

Martin recommends using a lawyer to shore up "two flavours of confidentiality" before handing license data or network information over to a software vendor.

One flavour is the "typical confidentiality agreement [that] any information that you find on our network is ours, and you have absolutely no right to use that information in any way outside the terms of this agreement," he says.

Martin says it is also important to limit the use of information gleaned from self-reporting or by automated scripts.

"The second flavour of confidentiality is that [the vendor] can come and examine this information and we can use it going back and forth on this negotiation, but if this comes to a point where we have to go in front of a court or in front of an arbitrator, none of this information is admissable," Martin says.

Alan Arnott, a technology lawyer with Sydney firm Arnotts Lawyers, agrees that caution should be exercised in formal audit situations.

"If the vendor is seeking to carry out an audit which is above what they're entitled to do, then the [customer] should seriously consider refusing the audit," he says.

"If there is a dispute around the scope of the audit it might have to be brought before the court for either equitable injunctive relief or other appropriate relief in the circumstances."

Arnott says that customers facing a scripted audit "should argue that it isn't reasonable for an audit to be carried out on sections of the network where there is no possible relevant data for the software developer or company to actually audit".

"What you have to understand is these software vendors carrying out audits are not police. They're not government organisations, generally. They're just another commercial entity operating off an overseas or locally based, and they don't have rights to bulldoze the front door and run in and capture everything on your desk," he says.

"A software company can only audit under the rights provided in a legal contract."

But equally, Arnott cautions against jumping into legal action against a software vendor without being "aware of the court rules relating to discovery and pre-litigation conduct".

"You need to be cognisant if considering disputing a software licensor's right to carry out an audit," he says.

Informants

Information gleaned from self-reporting and formal audits is not the only way licensing cases are mounted.

On some occasions - particularly in cases led by the Business Software Alliance (BSA) - information on alleged infringement is gleaned from informants.

"The BSA generally takes action where it has a report and substantial evidence of copyright infringement involving software owned by the member companies," BSA Australian committee co-chair Clayton Noble says.

"Usually the BSA only brings legal action where two or more vendors have software involved in the infringement, but that's not always the case - sometimes we'll bring action where there's one member who says, 'We'd like you to bring action'."

Noble says that while most of its evidence came from informants, the alliance did take member referrals on occasion.

"Sometimes the BSA does also take cases referred by a member where the member has substantial evidence but for whatever reason prefer BSA to bring action," he says.

Noble says the BSA takes action on the evidence supplied by an informant only where the alliance's members agree that it's the right course.

For example, if the accused customer is involved in a SAM process with the vendor, the BSA may be called off the case.

"The members in the end control the actions by the BSA," Noble says.

Oracle were asked to contribute to this story but referred questions to Red Rock Consulting, citing that they were in a "quiet period". Calls and emails to IBM to participate were not returned.

Have you participated in a SAM process, been told to run scripts on your network, or had a formal audit clause in your contract invoked? What happened?