One common email we have been getting is people notifying us that they see live Humble Bundle key links around the internet on various forums, 4chan, and even Steam! I decided to look into this a little bit and try to guess how big of a phenomenon it is.

After some simple math, I estimate that over 25% of Humble Indie Bundle downloads are 'pirated' -- that is, users download from shared links from forums and other places without actually contributing anything. Note: that is not including BitTorrent and other sources.

How do people pirate the bundle? When I say this bundle is DRM-free -- I really mean DRM-free. Not only do the games themselves have no copy protection (not even a simple serial number check), but the Humble Indie Bundle website has limited copy protection. That means there are no download limits, everything is reachable on the command-line with 'wget', you can resume downloads, and do anything else you would expect to be able to do with a personal download link.

25% seems incredible given that you can simply pay $0.01 to be completely legitimate. Is this figure correct? Let's take a look at some raw download data.



57.3 TB of total bandwidth (49.3 TB of edge traffic)

The 57.3 TB figure is the total volume, including transfer of the origin data to the edge nodes (learn more about CDNs). The uninflated 49.3 TB figure is the important one as that is the "last-mile" bandwidth from the local edge nodes to the user.

As of this writing, 79,000 people have contributed to the bundle.

When someone contributes to the Humble Indie Bundle, they get the 5 games, plus the Samorost 2 gift. This adds up to about 746.5 MB per platform. I think it is reasonable to assume that not everyone will download every single game for their platform (at least instantly after purchasing or gifting). Is it though?

I sent my friend Eric Samuel, a statistics graduate from Cal, two days' worth of raw download data from the CDN for analysis.

He found that on average a given IP address downloads 490.01 MB worth of data from the bundle. This is actually likely overstated due to multiple people downloading from the same modem. For instance, one IP alone downloaded 10.3 GB - not exactly a humble bundle!

So we can divide the 49.3 TB by 490.01 MB and we get 105,497 average downloaders.

Assuming these numbers are reasonable, we get 79,000 / 105,497 = 0.749, meaning that fraction of downloaders is estimated to be legitimate, or about 25% have pirated the bundle -- directly from us. There are a lot of assumptions here, but I tried to be as conservative and simple as possible.
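The estimate above, carried through in code as an added example (not the analysis Eric ran): it aggregates bytes per IP from a few constructed log records, reproduces the page's figures, and shows why shared IPs make the estimate conservative. The sample records and function names are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean

# The page's 105,497 is reproduced with binary units (1 TB = 1024 * 1024 MB).
MIB, TIB = 2**20, 2**40

# Constructed sample CDN records (client IP, bytes served); not real data.
SAMPLE_LOG = [
    ("198.51.100.7", 300 * MIB),
    ("198.51.100.7", 200 * MIB),  # same client fetching a second file
    ("203.0.113.21", 700 * MIB),
    ("203.0.113.40", 100 * MIB),
    ("192.0.2.99", 4000 * MIB),   # several people behind one modem
]

def bytes_per_ip(records):
    """Sum the bytes served to each client IP."""
    totals = defaultdict(int)
    for ip, nbytes in records:
        totals[ip] += nbytes
    return dict(totals)

def mean_per_ip(records, exclude=()):
    """Average bytes per IP, optionally leaving out known shared IPs."""
    totals = bytes_per_ip(records)
    return mean(v for ip, v in totals.items() if ip not in exclude)

def estimate(edge_bytes, avg_bytes, contributors):
    """Return (estimated downloaders, fraction of them who contributed)."""
    downloaders = edge_bytes / avg_bytes
    return downloaders, contributors / downloaders

def page_estimate():
    """The page's own inputs: 49.3 TB edge traffic, 490.01 MB per IP."""
    return estimate(49.3 * TIB, 490.01 * MIB, 79_000)

def shared_ip_effect():
    """Downloader estimates with and without the shared IP in the average."""
    with_nat = estimate(49.3 * TIB, mean_per_ip(SAMPLE_LOG), 79_000)[0]
    without = estimate(
        49.3 * TIB, mean_per_ip(SAMPLE_LOG, {"192.0.2.99"}), 79_000)[0]
    return with_nat, without

if __name__ == "__main__":
    downloaders, legit = page_estimate()
    print(round(downloaders), round(legit, 3))
    print(shared_ip_effect())
```

A shared IP raises the per-IP average, which lowers the downloader count and therefore the piracy estimate, so the bias runs in the conservative direction.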

Why would you pirate a pay-what-you-want bundle?

So why are people sharing the Humble Bundle, when they could get it just by donating a penny to charity? We can only speculate, but here are some possible reasons:

Some might want to donate, but it seems a whole lot easier to just click on a hyperlink than it is to enter a credit card number. Sure, it only takes a couple seconds, but for many, this is a few seconds too long. The most successful online stores all allow one-click buying, including Amazon, Steam and iTunes. In the words of one gamer, Steam showed him that he "wasn't cheap, just lazy," and I'm sure he's not alone in that realization.

Some users may want to share the bundle with their friends, and decide that it's easier to just make one donation for a larger amount than it is to make separate gift donations.

Some users may live in countries where none of our three processors (PayPal, Google Checkout, and Amazon) are accepted. These users might pay if they could, but they feel that they have no choice but to search for shared copies.

Some users just want to "stick it to the man", and be edgy and rebellious. It doesn't matter if they're sticking it to indie developers, sick children, and online civil liberties... they're sticking it to someone, so they feel cool.

What are we going to do about it?

Not much.

Shouldn't we use a percentage of the proceeds to send our indie-lawyers after them? Perhaps trace their IP addresses?



Standard Operating Procedure For IP Tracing

No -- we will just focus on making cool games, having great customer service, and hope for the best. It sure seems to be working right now!

Should we implement a technical solution to prevent rampant piracy of our download links? That might be optimal -- only if done right though. We have gotten many positive messages (especially from Linux users) about our relaxed edge servers like this one from Don:

Hey thanks for putting the downloads on a plain server with no cookie auth required, I hate it when I can't use wget and resumes. Out in the 3rd world with 256k BURSTABLE DSL that drops on and off at random. Some websites really make it a pain to download stuff trying to block unauthorized folks, even exporting cookies and using the --load-cookies trick in wget won't work.

There is probably a way to get the best of both worlds, but it's not my area of expertise. Making the download experience worse for generous contributors in the name of punishing pirates doesn't really fit with the spirit of the bundle. When considering any kind of DRM, we have to ask ourselves, "How many legitimate users is it ok to inconvenience in order to reduce piracy?" The answer should be none.
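One possible shape for the "best of both worlds" mentioned above, as an added example and not the Humble Bundle's own code: a download link that carries an expiry time and an HMAC signature in the URL itself, so the edge server needs no cookie or session and wget, retries and resumed downloads keep working. The secret, the path and the parameter names (key, expires, sig) are hypothetical.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a secret shared by the site and its edge servers (constructed).
SECRET = b"constructed-demo-secret"

def _sig(path, key, expires):
    """HMAC over everything the link asserts: file, contributor key, expiry."""
    msg = f"{path}\n{key}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_link(path, key, ttl=7 * 24 * 3600, now=None):
    """Build a download URL valid for ttl seconds; no cookie is involved."""
    expires = int(time.time() if now is None else now) + ttl
    query = urlencode(
        {"key": key, "expires": expires, "sig": _sig(path, key, expires)})
    return f"{path}?{query}"

def check_link(url, now=None):
    """Edge-side check. It is stateless, so the same URL can be requested
    again (wget retry, Range resume) until the expiry time passes."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        key, expires, sig = q["key"][0], int(q["expires"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameter
    if (time.time() if now is None else now) > expires:
        return False  # link has expired
    expected = _sig(parts.path, key, expires)
    # Constant-time comparison of the supplied and expected signatures.
    return hmac.compare_digest(sig.encode(), expected.encode())

if __name__ == "__main__":
    link = make_link("/dl/game-linux.tar.gz", "constructedkey123")
    print(link, check_link(link))
```

A link copied to a forum stops working once its expiry passes, while the contributor can be issued a fresh one; the cost is that a saved link does not last forever.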

I do have one humble request though --

If you are dead set on pirating the bundle, please consider downloading it from BitTorrent instead of using up our bandwidth! Also, even though you are pirating our games, please tell some of your friends about the Humble Indie Bundle. Posting to Facebook, telling your Twitter followers (or simply talking to someone) sure doesn't require a credit card.