If you rent applications from an application service provider (ASP), who's responsible for making sure you're adequately licensed for the rented applications? More to the point, who's left holding the bag when an antipiracy organization shows up with a federal marshal to perform a software audit and fine you if you're in violation of your license agreements?
"Piracy" is a more frightening term than "inadequate licensing," but the two terms mean more or less the same thing—using software outside the terms of the End User License Agreement (EULA). Although the first thing many people think of when they hear the word piracy is bins full of copied software or files downloaded from warez sites, piracy also refers to loading software onto more computers or making it available to more users than the EULA allows. Several organizations, such as the Software & Information Industry Association (SIIA), the Federation Against Software Theft (FAST), and the Business Software Alliance (BSA), act as watchdogs to make sure no one pirates their members' software. Acting on anonymous tips, these organizations investigate piracy reports and audit companies that seem to be in violation of member EULAs. If a company is in violation, the organizations can fine it for the cost of the software and destroy any unlicensed copies—or even sue the company for damages.
A recent survey of IT managers indicates that about 79 percent of respondents believe that using an ASP is a useful way to eliminate most pirated software in an organization, and 78 percent believe that using an ASP prevents liability (relative to any software the ASP supplies) from illegal employee use. However, the reality isn't cut and dried. Commenting about the survey results, Geoffrey Webster, chief executive of FAST, acknowledges that a majority of companies still believe that using an ASP will protect them from liability. "Unfortunately," he says "this isn't the case."
So if using an ASP doesn't protect you from licensing liability, who is responsible? Peter Beruk, vice president of the SPA's antipiracy programs, says that the ASP is first in line for litigation, but customers also can be responsible if they have reason to know they're underlicensed (e.g., they've turned over licensing to their ASPs). What can ASP customers do to make sure they aren't caught unaware? Beruk suggests that "\[the customer\] should insist on a representation (and warranty) that the software being used from the ASP is licensed in a sufficient quantity so that all customer uses are authorized." Colin Bartram, vice president of product marketing for Vector Networking (one of the companies that commissioned the survey of IT managers' knowledge of piracy liability) suggests a different tack; he says customers should write a guarantee into their contracts that stipulates that the ASP will cover—and is insured to cover—any costs or damages resulting from action a vendor or organization such as the Business Software Alliance might take against the customer.
So it seems that whoever controls product licensing is responsible for licensing liability (and therefore open to fines and even civil charges). If you're not the responsible party, make sure that the company you deal with is adequately licensed. However, as Bartram points out, even if the ASP is liable for licensing violations, you, of course, aren't absolved from responsibility for ALL product licensing. "It is likely that \[ASP\] customers will still be engaged in purchasing, deploying, and using applications \[inhouse\]," he said. "In this scenario, they'll continue to need to audit their desktops."
The bottom line? Define licensing responsibility with your ASP from the start, and don't forget to audit locally installed applications. Outsourcing application delivery doesn't mean you can stop thinking about licensing.