DRM Accused Of Sending Personal Info To Help With Licensing Shakedown

from the privacy-is-a-one-way-street dept

DRM. Is there nothing evil it can't do? Between installing rootkits and propping open back doors, DRM is a copyright enforcer's best friend. Miguel Pimentel, a Boston-area architect, believes he's stumbled across its latest trick: extracting $150,000 from your wallet via a quick unannounced "phone home" to the nearest copyright cop.

Ima Fish directs our attention to the class action lawsuit, filed March 30, 2011, which alleges that Transmagic's 3-D software came prepackaged with "phone home" DRM that gathered personal user information and passed it on to their copyright enforcement consultants, ITCA (IT Compliance Association). This information (including name, company name and phone number) was used by ITCA in an attempt to extract $10,000+ per year in licensing and maintenance fees.

Pimentel, aware of Transmagic's seven-day trial period, had downloaded a copy of Transmagic's EXPERT software from an unspecified site. After experimenting with it a few times, he uninstalled it and deleted the software. Ninety days later, he was contacted by Anita Jonjic, a "mediator" employed by ITCA, who accused Pimentel of "illegally downloading" the program and informed him that if "he did not agree to purchase the product license and service plan for $10,000 plus annually recurring maintenance fees, Transmagic and ITCA would take legal action against him for $150,000." She also made it clear that she knew where Pimentel worked and would not disclose his "piracy" to his employers as long as the fees were paid.

This lawsuit centers on Licensing Technologies Limited's DRM software (Sheriff), which Pimentel claims "secretly planted 'phone home' code in Transmagic software and used it to conduct surveillance on all Transmagic users in an attempt to detect a few supposedly unauthorized users."

Sheriff Software's site has an unusually large amount of detailed documentation, most of it in plain English, covering everything from error handling to its EULA. Nowhere in this extensive help section is there any indication that Sheriff does anything more than prohibit use without a registered license key. Of course, DRM software is generally opaque when it comes to backdoors and other nefarious code.

Could Transmagic be supplying this information? Most likely not in Pimentel's case, since his lawsuit says only that he downloaded the software from "a website" (rather than registering on Transmagic's own site), but it could easily do so if it chose. Their registration screen, which must be filled out before you can download the trial version, requires that all of these fields be filled out: First Name, Last Name, Company Name, Phone Number, Country, and Corporate Website. That's a lot of information for a trial version. Obviously, Transmagic would like to have your contact info in order to sell you its product. Coincidentally, it's also all the information used in Anita Jonjic's phone call to Pimentel, including his place of employment.

The final defendant listed is ITCA, helmed by founder Chris Luijten, and headquartered in Curacao. (Normally, I would link to it, but its Terms of Service clearly state "You may not create a link to this website from another website or document without ITCA's prior written consent." [It's ITCA.com, in case you don't feel like wading through a seemingly endless list of other companies and associations that use the same acronym.])

The shadowy ITCA's web page is apparently in a constant state of upgrade and contains nothing more than a link to their online software validation program and some impressive client logos (Microsoft, Siemens and McAfee to name a few). There is a contact page but not a single email address is listed nor is any indication given as to what exactly they do while not enjoying the tropical weather.

However, Chris Luijten has made no effort to hide his real agenda, as evidenced by his partnership with V.i. Labs. V.i. Labs is an organization that says it is dedicated to wiping out software piracy. To that end, it relies on dubious formulas (pirated software x full retail price = amount of lost sales) and an acrimonious methodology to try to "turn infringement into leads." Here's a brief explanation of the software tactics that V.i. employs:

V.i. Labs provides the code, which an ISV embeds into its software via an update or a new version. Then, from V.i. Labs’ dashboard, the ISV can track and monitor where all the cracked and pirated copies of its software go to determine who is using them. Victor DeMarines, vice president of products for V.i. Labs, noted no personal information is obtained through use of the code. “It only runs in a certain condition during piracy use,” he said. “No personal information is transferred, [but] we can find out, ‘Is this an organization?’” Beyond that, DeMarines pointed out that reverse DNS lookup and the domain information of the network running the pirated software actually can be used to generate leads... If the offender is just one user behind an ISP’s IP address, then likely no action will be taken. But if the reverse DNS or domain turns up a big corporation — ISVs now have a real lead.

DeMarines states that "no personal information" is gathered by this code injection, but ITCA's "mediator" had plenty of it, certainly more than V.i. Labs says it gathers. Of course, ITCA may be running its own version which harvests considerably more information. Pimentel's lawsuit goes so far as to suggest that ITCA is seeding sites with cracked software containing their "phone home" coding.

There is also the possibility that ITCA has "broken from the pack" with this thuglike shakedown. Evidence of Luijten's work with V.i. Labs, which was live on V.i.'s site until April 2nd, has been completely removed. When Boston-area blog Universal Hub published a story on the lawsuit on March 31st, their link to a joint webinar by Luijten and DeMarines was still live. By April 3rd, you could only reach the cache. By the 5th, even that was gone, with the link redirecting to this page. (Other evidence remains online, however.) I followed up with V.i. Labs as to the reason behind this removal and received this explanation:

Our relationship with ITCA ended last year and we no longer offer this webinar.

Apparently, it takes a string of coincidences and some unflattering incoming links to remove a webinar you haven't offered in over three months. Oh, and having the webinar mentioned by name in a class action lawsuit (see page 5 of the filing) might have expedited this disappearance.

I contacted several of ITCA's clients to get some insight into how the company works, and was met with a variety of "no comments." Microsoft: "Unfortunately, after connecting with my colleagues, we are not able to provide comment on this issue." Autodesk: "Only the ITCA can make statements about its position on software piracy and license compliance. Please contact ITCA directly for information about the organization's activities and position."

Unfortunately, we may have to wait until this lawsuit shakes out before we can find out what really happened. According to their own statements, ITCA could have been seeding unlicensed versions with their own code. The possibility still remains that Sheriff Software's DRM reports back with more than just the "digital fingerprint" that binds the license to the PC. Whether Transmagic gave ITCA permission to gather this data also remains to be seen. If they did, the release of this personal information would appear to violate the terms of Transmagic's own privacy policy (emphasis mine):

Personal information provided by clients on our Web site will be used for the sole purpose of completing the specific transaction. TransMagic, Inc. will not sell, disclose or rent to third parties individually identifiable user information collected at our web site, through our servers or otherwise obtained by us, other than to provide our product, services and updates as set forth in this privacy policy.

Anita Jonjic appears to have clearly crossed the line with her demands and threats. There is no reason to believe (at this point) that ITCA condones this behavior nor is there any evidence this "method" of recovery has been used before -- though, the "class action" nature of this lawsuit means that someone's certainly going to try to find out.